Dear Sheila,

Our HR department inadvertently placed some sensitive personnel information on a shared drive accessible to all employees in our organization. As soon as we discovered this, we took it down. Is there anything we are required to do now?

Signed, Oops


Dear Oops,

Under Texas law, you are required to notify, as soon as possible, those employees and former employees whose “sensitive personal information” was subject to a data breach, unless you have solid evidence that no unauthorized access of the shared files occurred.

There is currently no federal notification requirement, other than for financial institutions dealing with customer information.

Under Texas state law (Tex. Bus. & Com. Code § 521.053), both private companies and governmental entities are required to notify affected individuals of security breaches. State agencies are also covered by this requirement (Tex. Gov’t Code § 2054.1125). An unintentional upload of confidential employee files meets the definition of a security breach.

You must disclose the breach as quickly as possible to any individual whose sensitive personal information is reasonably believed to have been acquired by an unauthorized person. You can delay giving notice, however, for the limited purpose of determining the scope of the breach or restoring the data system following the discovery of the breach. You do not have to send the notice to all employees, but you might have to notify former employees.

First, you have to determine whether sensitive personal information was in the shared file, and whose it is. Sensitive personal information is defined as:

- an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:

• social security number;

• driver’s license number or government-issued identification number; or

• account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or

- information that identifies an individual and relates to:

• the physical or mental health or condition of the individual;

• the provision of health care to the individual; or

• payment for the provision of health care to the individual.

Next, you must provide the affected individuals with notice. For current employees, you can send each an individual email or hard copy letter; for former employees, you can mail the letter to their last known address. The notice does not need to be detailed or specifically outline the disclosed information individually for each recipient, but you should be prepared to answer such questions should the recipient contact you.

This law is enforced by the Office of the Texas Attorney General. Failure to abide by these requirements may result in the AG’s Office bringing an enforcement action to recover significant penalties.


“Ask Sheila” is prepared by Sheila Gladstone, Chair of the Firm’s Employment Practice Group. If you would like additional information or have questions related to this article or other matters, please contact Sheila at 512.322.5863 or sgladstone@lglawfirm.com.
