Texas Bar Journal • December 2024
Cybersecurity and Data Privacy
Written by Shawn E. Tuma
A Watershed Moment in Texas Data Privacy Law—Texas OAG Enforcement
This year will be remembered as a watershed moment in Texas data privacy law. On July 1, 2024, Texas’ comprehensive data privacy law, the Texas Data Privacy and Security Act1 (TDPSA), went into effect, but that is not the reason.
The reason is the enforcement activity by the Texas Office of Attorney General (OAG). For many years, Texas has had statutory cybersecurity, data protection, and data breach notification requirements; however, they are only enforced by the OAG. There was limited enforcement activity from the OAG, which Texas organizations used to justify not prioritizing compliance with these requirements.
This has changed, and the most important issue to address in this update concerns the activity of the OAG. The OAG began by building a team to focus on this area and launched a major data privacy and security initiative that was announced in June.2
The OAG’s enforcement activity quickly followed with an investigation into several car manufacturers’ collection and use of drivers’ data.3 In July, the OAG announced that it reached a $1.4 billion settlement with Meta (formerly known as Facebook) over Meta’s alleged capture and use of Texas consumers’ personal biometric data without obtaining their informed consent. It was the largest privacy settlement ever obtained by an individual state’s attorney general.4
In September, the OAG announced a settlement with Pieces Technologies, a developer of generative artificial intelligence (Gen AI) products for analyzing patients’ healthcare data in real time to summarize the patients’ condition. Pieces marketed the product as having a very low hallucination rate, but the OAG’s investigation found the marketing metrics were likely inaccurate and may have deceived hospitals about the product’s accuracy and safety. Misleading claims about the effectiveness of AI technologies are often called “AI washing,” which will be an area of focus for the OAG.
Unauthorized Access Case Developments
An allegation that a company hired to install a computer network also installed a backdoor and later sabotaged the network was sufficient to raise an unauthorized access claim under Texas’ Harmful Access by Computer Act (HACA)5 but not sufficient under the “without authorization” prong of the federal Computer Fraud and Abuse Act (CFAA)6 (though it may have been under the “exceeds authorized access” prong).7
An employee’s signing of a company policy acknowledging that communications and information sent, received, or accessed over the company network are property of the company, and that users have no rights to, ownership in, or expectation of privacy or confidentiality in such communications, raised a material question as to the employee’s consent for an alleged HACA violation where the employer accessed the former employee’s Gmail and LinkedIn accounts that were still logged in on a company laptop the employee returned.8
Allegations that employees who agreed to a company policy concerning access to company information on a “need to know” basis and not for personal benefit then, after accepting employment from a competitor and prior to resigning, used access to the employer’s Salesforce to change information to benefit the competitor, took data, and deleted data for competitive reasons were sufficient to state claims under the CFAA and HACA.9 Another court addressing somewhat similar allegations, however, has stated that a HACA claim based on the same factual allegations as a Texas Uniform Trade Secrets Act (TUTSA)10 claim is preempted by TUTSA.11
SHAWN E. TUMA is an attorney widely recognized in cybersecurity, data, and privacy law, areas in which he has practiced since the late 90s. He is the managing partner in the Collin County office of Spencer Fane and is co-chair of the firm’s Cyber, Data, Privacy & AI Practice Group.