Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
July 31, 2023
As of June 18, 2023, Texas is now the 10th state to join the rapidly growing list of states with state-level data privacy legislation. The Texas Data Privacy and Security Act (TDPSA) is similar to the Virginia Consumer Data Protection Act (VCDPA), but it offers several novel approaches to privacy not seen in other state-level legislation.
When considering the impact of this new legislation, it is essential to remember that out of all states, Texas has the second-largest gross domestic product (GDP) at $2.1 trillion and the second-largest population at 29.5 million. The technology, energy and agriculture industries significantly contribute to Texas’s economy. The impact of the TDSPA could be on par with the California Consumer Privacy Act (CCPA) passed in 2018 by the U.S. state with the largest GDP and population.
The TDPSA applies to a person that:
The application of the TDPSA differs from other legislation in notable ways. It defines its scope in terms of “products or services consumed by residents” instead of “products or services targeted to residents.” This difference could be seen as a stricter definition, as it relies on a resident’s actual use of products or services instead of the business’ actions toward the resident. In addition, the law ties the “small business” threshold to the SBA, which uses an industry-specific method that includes revenue and the number of employees to define “small business.” This method for determining a “small business” differs from other state legislation, which often limits the “small business” threshold by a company’s revenue or by the number of state residents that a company process data on.
The TDPSA shares terms and definitions with many other state legislations, but there are some noteworthy differences. The term, “personal data,” includes pseudonymous data when used “in conjunction with additional information that reasonably links the data to an identified or identifiable individual.” The TDPSA is the first state law to explicitly include pseudonymous data in the scope of what is deemed personal data.
The “sale of personal data” includes personal data exchanged for monetary or “other valuable consideration.” This definition is more like the state legislation of California and Colorado, rather than Virginia state legislation, which does not include the sale of data for “other valuable consideration.” “Sensitive data” includes all of the standard items except for the use of “sexuality” instead of “sexual life” or “sexual orientation.” The TDPSA defines a “known child” as a person under 13 years of age whom the business has actual knowledge of or “willfully disregards” the child’s age.
Similar to other privacy legislation, the TDPSA includes several consumer rights relating to their personal data. The consumer rights represented include:
A controller has 45 days to respond to a request from the day it is received. Under certain circumstances, a controller may extend this deadline an additional 45 days, but they must notify the consumer of the extension and the reason for the extension before the original deadline ends.
The TDPSA requires consent for the processing of sensitive personal data and the processing of personal data for secondary purposes. Consent for a “known child” (under the age of 13) must comply with the federal requirements found in the Children’s Online Privacy Protection Act (COPPA).
The TDPSA requires small businesses to collect consent from consumers before selling their sensitive personal data. This requirement applies to all small businesses, even if they were found out of scope and exempt from other aspects of the TDPSA.
Under the TDPSA, controllers must publish privacy notices that include the following information:
Most other privacy laws share these privacy notice requirements. The TDPSA differentiates itself from others by requiring controllers, where applicable, to include a separate notice to consumers when selling specific personal data. A controller that sells sensitive personal data must post: "NOTICE: We may sell your sensitive personal data." A controller that sells biometric personal data must post: "NOTICE: We may sell your biometric personal data." These notices must be alongside the privacy notice.
The Texas attorney general has exclusive authority to enforce the TDPSA. The attorney general may issue a civil investigative demand when there is reasonable cause to believe that a person has engaged in a violation of the TDSPA. The attorney general may also request that a controller disclose any data protection assessments related to the investigation. A person who violates the TDPSA is liable for a penalty not exceeding $7,500 per violation and any injunctive relief.
The TDPSA includes a 30-day period allowing a person to address and cure the violated identified by the attorney general. The person must cure the identified violation within the 30-day period and provide the attorney general with a written statement that the person:
Most provisions under the TDPSA take effect on July 1, 2024. Controllers must begin recognizing universal opt-out methods on January 1, 2025.
Although the TDPSA begins enforcement about a year from now, companies can take several steps to prepare and position themselves for compliance:
Optiv Security: Secure greatness.®
Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.
June 05, 2023
Four U.S. states passed new consumer privacy laws in April and May of 2023. Learn key trends and distinctions in these laws.
January 13, 2023
Read up on building trust around personal data usage by providing individuals more transparency, choice and control.
May 10, 2023
The amended Safeguards Rule developed by the Federal Trade Commission (FTC) takes effect in June 2023. See how your business can ensure compliance.
Let us know what you need, and we will have an Optiv professional contact you shortly.