As a follow up to last Thursday’s blog on privacy policies vis-a-vis collecting your customers’ SS#, today’s topic is your duty to destruct sensitive information when it is no longer needed.
Texas Business and Commerce Code section 521.052 outlines this duty, specifically it states that you have a duty to destroy or arrange for the destruction of sensitive data (see the list below) by (1) shredding, (2) erasing, or otherwise modifying the sensitive personal information to make it indecipherable or unreadable through any means. The only exemption listed in this section exempts financial institutions (as defined by 15 U.S.C. s. 6809).
Sensitive personal information includes any item that is not lawfully made public by the federal or state gov’t and includes a person’s first name or first initial and last name in combination with:
- DL#; or
- account number or credit/debit card number in combination with any required security code, access code, or password that permits access to the individual’s financial account.
Violations of this duty can be financially devastating with a minimum fine of $2,000 but not more than $50,000 for each violation (one violation=a single record). The Attorney General has actively and successfully pursued violators. See for the AG’s $1.5 million (combined) settlements with Radioshack ($630k) and Select Medical Corp. ($990k).