Cybersecurity: Understanding a Texas Business’s Exposure to Liability (Part I)

With a number of recent cyber security events making the headlines, businesses across Texas are wondering what type of liability they could be subject to if such an event were to strike their business as well as what type of liability they may be subject to for inappropriately accessing electronic data.  This is the first in a two-part series that will help answer those questions.

In general, there are three potential types of liability that a Texas business is exposed to under either of these scenarios: statutory liability; contractual liability; and tort liability.  This post will focus on statutory liability with a subsequent post addressing contractual and tort liability issues.

There are both federal and state statutes regulating access to and use of electronic information.

The Federal Cybersecurity Laws

At the federal level, business owners and managers should be familiar with the Stored Communications Act (“SCA”), the Electronic Communications and Privacy Act (“ECPA”), as well as the Computer Fraud and Abuse Act (“CFAA”).

Stored Communications Act.  The Stored Communications Act prohibits an individual from willfully or intentionally accessing, without authorization, a facility through which an electronic communication service is provided, or exceeding their authority to access that facility, and thereby obtaining, altering, or preventing authorized access to an electronic communication while it is in electronic storage in such system.  The SCA most often impacts employers when they access communications stored on company-owned electronic devices or with third-party service providers if the company is not a party to that communication, for example, by reading an employee’s personal email stored on his or her company-issued phone.  There is a developing body of case law interpreting the SCA that identifies the circumstances under which an employer may access these (and other) types of communications on an electronic device or a service provider’s server when the company is not a party to the communication.

Electronic Communications and Privacy Act.  The Electronic Communications and Privacy Act prohibits the interception of electronic communications as well as the use or disclosure of intercepted communications without authorization.  The ECPA also impacts employers attempting to monitor or investigate the activities of their employees.  The ECPA differs from the SCA in that it prohibits the interception of an electronic communication while the SCA prohibits accessing a communication in storage.  Companies should consider the ECPA’s prohibitions any time they consider implementing a monitoring program that will intercept emails or other electronic communications.

Computer Fraud and Abuse Act.  The Computer Fraud and Abuse Act makes the unauthorized access of a private computer system a criminal offense and allows an individual (or business) affected by such activity to bring a private cause of action.  For employers, the CFAA most often comes into play when an employee or former employee is found to have accessed information on the company’s computer system without authorization.  The CFAA clearly applies to the activities of former employees or other outsiders; however, the interpretation and application of the CFAA to current employees has varied widely across federal circuits.  In Texas, in determining whether the CFAA applies to an employee’s activity, courts generally look at whether the access violated the company’s terms of use policies and whether the employee knew of that policy.

Texas Cybersecurity Law

At the state level, the Texas Business & Commerce Code (“TBCC”) imposes a duty upon businesses to implement reasonable procedures, including taking any appropriate corrective action, to protect against the unlawful use or disclosure of any sensitive personal information collected or maintained by a company in the regular course of business.  This applies to information collected or maintained about customers as well as employees.  The TBCC also mandates specific procedures for the destruction of records that contain sensitive personal information.

The TBCC imposes a number of notification requirements and procedures upon businesses that are subject to a breach of system security if the breach is reasonably believed to have resulted in the disclosure of sensitive personal information.  Texas recently expanded the breach notification requirements to include notification to any individual whose information was potentially exposed, regardless of that person’s state of residency.

David B. Willis

David Bryan Willis is a Tyler area business lawyer providing legal services to private companies, startups, and small businesses across Texas.