Texas law requires businesses to implement and maintain reasonable cybersecurity, which they should do so with a written program for managing cyber risk and protecting sensitive customer information. This warning came from the state’s Attorney General following his office’s $1.5 Million settlement with Neiman Marcus over its 2013 data breach.
The law referenced is the Texas Identity Theft Enforcement and Protection Act which specifically states, “[a] business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.” While this language is short, determining what are “reasonable procedures” is not a simple task that must be made on a case-by-case by each business.
As a condition of settlement, the parties’ Assurance of Voluntary Compliance (i.e., settlement agreement) requires Neiman Marcus to do several things to improve its cybersecurity and protection of consumer data, including the following key components:
- Implement a written cyber risk management program;
- Obtain a security risk assessment;
- Implement appropriate safeguards to monitor its network activity;
- Keep current on software security updates;
- Implement appropriate administrative, technical, and physical safeguards; and
- Ensure that such safeguards as well as its written cyber risk management program are appropriate considering,
- Its size and complexity,
- The nature and scope of its activities, and
- The sensitivity of the personal information it maintains.
The foregoing requirements are similar to those that Spencer Fane has identified on its Cyber Hygiene Checklist. The process that is required by Neiman Marcus is quite similar to the process Spencer Fane uses to help its clients develop, implement, and mature their own cyber risk management programs which are critical for maintaining reasonable cybersecurity for their unique businesses.