Texas Identity Theft Enforcement and Protection Act Explained
The Texas Identity Theft Enforcement and Protection Act is the state's primary civil statute on identity theft. It prohibits obtaining, possessing, transferring, or using another person's identifying information without consent, defines the categories of personal identifying information and sensitive personal information it protects, imposes data-protection and breach-notification duties on businesses, and authorizes civil enforcement by the Texas Office of the Attorney General. Criminal liability for identity theft sits separately in the Texas Penal Code. This page covers the Act's legal definitions, its operational mechanisms, the categories of conduct it addresses, and the boundaries that distinguish its scope from adjacent state and federal frameworks. Practitioners, compliance officers, and researchers navigating Texas cybersecurity laws and statutes will find this Act foundational to understanding how Texas approaches consumer identity protection at the enforcement level.
Definition and scope
The Texas Identity Theft Enforcement and Protection Act is the short title (§521.001) of Texas Business and Commerce Code, Chapter 521, Unauthorized Use of Identifying Information. Section 521.002 defines two protected categories. "Personal identifying information" is information that alone or together with other information identifies an individual, such as a name, Social Security number, date of birth, government-issued identification number, mother's maiden name, unique biometric data, or a telecommunications access device. "Sensitive personal information" is the narrower category that drives the breach-notification duty: an individual's first name or first initial and last name combined with at least one of a Social Security number, a driver's license or other government-issued identification number, or an account or card number together with any required security code, access code, or password that would permit access to the individual's financial account; and, as a separate category, information that identifies an individual and relates to the individual's physical or mental health, the provision of health care, or payment for health care. Information lawfully made available to the public from government records is excluded, and for breach purposes encrypted data counts only if the person who acquired it also obtained the key.
The Act applies to any person who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information, and the §521.052 duty to protect applies to any business that collects or maintains such information in the regular course of business. Coverage does not depend on where the entity is domiciled: an out-of-state company that does business in Texas and holds Texas residents' data is within scope. The statute imposes both security requirements and breach notification obligations, making it a dual-function law rather than a pure enforcement statute.
Scope limitations: The Act is directed at private-sector persons and businesses. Texas state agencies are governed separately under Texas Government Code, Chapter 2054, administered by the Texas Department of Information Resources (DIR). The Act does not displace federal obligations: HIPAA-covered entities must still satisfy the HIPAA Breach Notification Rule, and financial institutions subject to the Gramm-Leach-Bliley Act remain subject to its safeguards and notification rules, and satisfying one regime does not satisfy the other. The individual notice duty under §521.053(b) runs to any individual whose sensitive personal information was acquired, but where that individual resides in a state with its own breach-notification law, notice may be given under that state's law instead (§521.053(b-1)); the Attorney General's enforcement authority is exercised against persons conducting business in Texas. The regulatory context for Texas cybersecurity provides a fuller treatment of how the Act fits within the broader statutory and regulatory architecture.
How it works
The Act operates across three discrete functional layers: security obligations, breach notification, and civil enforcement.
1. Security obligations (§521.052)
A business that collects or maintains sensitive personal information in the regular course of business must implement and maintain reasonable procedures, including any appropriate corrective action, to protect that information from unlawful use or disclosure. The same section requires that customer records containing sensitive personal information be destroyed when the business no longer retains them, by shredding, erasing, or otherwise making the information unreadable or undecipherable. GLBA financial institutions are excluded from this section, though not from the notification section. The statute prescribes no specific technical standard. In practice, a documented program aligned with a recognized framework such as the NIST Cybersecurity Framework or ISO/IEC 27001, with evidence of access control, logging, and encryption for systems holding sensitive personal information, is how a business shows that its procedures were reasonable. Encryption deserves particular attention: because the breach definition excludes encrypted data unless the attacker also obtained the key, encryption at rest with keys held outside the compromised system is the one control with a direct statutory payoff.
2. Breach notification (§521.053)
A "breach of system security" is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information, including encrypted data if the acquirer has the key. Good-faith acquisition by an employee or agent for the business's own purposes is not a breach unless the information is then used or disclosed in an unauthorized manner. On discovering or being notified of a breach, a person who owns or licenses the data must notify each individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as quickly as possible and no later than the 60th day after determining that the breach occurred (Texas B&C Code §521.053). Notice may be delayed at the request of law enforcement if it would impede a criminal investigation. Two further notices depend on headcount. If the breach involves at least 250 Texas residents, the person must also notify the Texas Attorney General, using the Attorney General's electronic reporting form, no later than 30 days after determining that the breach occurred (a 2023 amendment shortened this from 60 days). If more than 10,000 persons must be notified at one time, the person must also notify each consumer reporting agency that maintains nationwide consumer files, as defined in the Fair Credit Reporting Act, of the timing, distribution, and content of the notices.
3. Civil enforcement (§521.151)
The Texas Attorney General holds exclusive civil enforcement authority under the Act. A violation of the chapter carries a civil penalty of at least $2,000 and not more than $50,000 per violation, and a failure to give required breach notice carries an additional penalty of up to $100 per individual per day of delay, capped at $250,000 for a single breach. The Attorney General may also obtain injunctive relief and recover reasonable expenses, including attorney's fees, court costs, and investigative costs. Private individuals do not hold a direct right of action under Chapter 521 itself, which distinguishes the Act from some other state privacy statutes; the criminal offense of fraudulent use or possession of identifying information is prosecuted separately under Texas Penal Code §32.51.
Notice to individuals under §521.053(e) may be given by written notice to the last known address, or by electronic notice if the individual has agreed to electronic records under the federal E-SIGN Act (15 U.S.C. §7001). Substitute notice under §521.053(f) is permitted when direct notice would cost more than $250,000, when more than 500,000 persons would have to be notified, or when the person lacks sufficient contact information; it consists of electronic mail where an address is known, conspicuous posting on the person's website, and notice published in or broadcast on major statewide media. The statute does not list telephone notice as a method.
Common scenarios
Four recurring scenarios illustrate how the Act's obligations attach:
Credential exposure through data breach: A retailer operating in Texas suffers a network intrusion that exposes cardholder names and card numbers together with the security codes needed to use them. Because name plus card number plus the required code is sensitive personal information, this triggers both the reasonable-security question under §521.052 (were the data adequately protected, and were they encrypted with keys the intruder did not reach?) and the §521.053 clocks: 60 days for individual notice and 30 days for Attorney General notice if at least 250 Texas residents are affected, both running from the day the retailer determines that a breach occurred. A card number exposed without any required security code, or a name exposed alone, does not meet the definition, so the first step of triage is mapping the exfiltrated fields against §521.002.
Third-party processor failures: A Texas-based company contracts a third-party payment processor that suffers a breach affecting Texas residents. Under §521.053(c), a person that maintains computerized data it does not own must notify the owner or license holder immediately after discovering the breach; the duties to notify individuals, the Attorney General, and consumer reporting agencies then rest with the owner that collected the data. Contractual indemnification arrangements between the parties allocate cost but do not extinguish either party's statutory obligations, so processor contracts should fix a notice deadline measured in hours and require the forensic detail the owner needs to determine which fields and which individuals were affected.
Insider misuse of personal data: An employee of a financial services firm accesses customer records without authorization and uses them to open fraudulent accounts. Employee access that is not in good faith for the firm's own purposes, or that is followed by unauthorized use or disclosure, is a breach of system security under §521.053, and the fraudulent use itself is the offense of fraudulent use or possession of identifying information under Texas Penal Code §32.51, prosecuted on the criminal track alongside the civil enforcement framework of Chapter 521. The Texas privacy law and cybersecurity reference addresses the interaction between civil and criminal tracks.
Small business noncompliance: A small business storing customer records on an unencrypted server without access controls suffers a ransomware event that exposes data for 3,500 Texas residents. The Attorney General's enforcement authority applies regardless of business size; the statute contains no small-business exemption, and at 3,500 residents the breach is well over the 250-resident threshold for notice to the Attorney General. A ransomware event also requires determining whether data were actually acquired rather than only encrypted in place; where records were exfiltrated, as here, acquisition has occurred. Resources on Texas cybersecurity for small business document practical compliance considerations in this segment.
Decision boundaries
Understanding what the Act covers — and what it does not — determines which compliance obligations apply to a given entity or incident.
| Dimension | Covered by Act | Not Covered by Act |
|---|---|---|
| Entity type | Private businesses and persons conducting business in Texas | Texas state agencies (Gov. Code Ch. 2054) |
| Data type | Sensitive personal information as defined in §521.002 | Information lawfully available to the public from government records; data that does not identify an individual; encrypted data when the key was not also acquired |
| Notification trigger | Unauthorized acquisition of computerized data that compromises sensitive personal information | Good-faith acquisition by an employee or agent for the business's own purposes, absent later unauthorized use or disclosure |
| Enforcement | Texas Attorney General (civil) | Federal regulators (FTC, HHS, OCC); criminal prosecution under Penal Code §32.51 |
| Resident scope | Texas residents (the 250-person Attorney General notice threshold is counted in Texas residents) | Residents of other states may be notified under that state's own breach law instead (§521.053(b-1)) |
The Act contains no separate risk-of-harm threshold: once computerized data containing sensitive personal information has been acquired by an unauthorized person, notice is owed. The only statutory carve-outs are the encryption and good-faith-employee exclusions in the definition of breach of system security, and the only qualifier on the affected population is the reasonable-belief standard for who was affected. This makes the Texas trigger stricter than the standards in states whose breach statutes allow a business to forgo notice after concluding that harm is unlikely. Investigation therefore turns on two factual questions: were the data acquired (exfiltrated or otherwise taken, as opposed to merely accessible), and were they in the form of sensitive personal information when taken.
Where obligations overlap, the more stringent one controls in practice: a HIPAA-covered entity, a GLBA financial institution, or a controller under the Texas Data Privacy and Security Act (Texas B&C Code Chapter 541, effective July 1, 2024) must satisfy those regimes and Chapter 521 together, since Chapter 521 offers no blanket exemption for entities regulated under another law beyond excluding GLBA financial institutions from the §521.052 duty to protect. The broader Texas consumer data protection framework should be consulted when determining whether a given data category falls within the Act's definitional scope or is addressed separately under Chapter 541.
The main site index maps the full reference landscape for Texas cybersecurity law, including the Act's relationship to sector-specific frameworks governing healthcare, energy, and financial institutions.
References
- Texas Business and Commerce Code, Chapter 521 — Unauthorized Use of Identifying Information (Identity Theft Enforcement and Protection Act)
- Texas Business and Commerce Code, Chapter 541 — Consumer Data Protection (Texas Data Privacy and Security Act)
- Texas Penal Code, §32.51 — Fraudulent Use or Possession of Identifying Information
- Texas Government Code, Chapter 2054 — Information Resources
- Texas Office of the Attorney General — Data Security Breaches
- Texas Department of Information Resources — Information Security
- NIST Cybersecurity Framework (CSF)
- CISA — Cybersecurity and Infrastructure Security Agency
- Texas Legislature Online — Statutes Portal