2013 Texas Leg Watch: Retracting the defamation and notification after a data breach
While the second special session is winding down (thank goodness), we will take a look at a couple more new laws impacting online media and technology in Texas. While most of the attention was on social media password protections, service via social media and online “compelled prostitution” legislation, two additional bills made it through to become law.
The Defamation Mitigation Act
The first was HB 1759 called the Defamation Mitigation Act, often referred to as the Retraction Statute, which became law as of June 14, 2013. The purpose of the law is to encourage people who feel they have been defamed to demand a retraction and allow publishers to do it.
Here ‘s how it works. A plaintiff has to notify a publisher about an allegedly defamatory statement within 90 days of learning about it. If a plaintiff fails to do so, they may not be able to seek punitive damages or bring suit until this process takes place. The statute lays out the specifics about what needs to be in the notice including a particular statement identifying the defamatory statement and when and where the publication was made. The publisher then has 30 days to correct the mistake by publishing a correction, an apology or the prospective plaintiff’s own statement.
The retraction must be ”published in the same manner and medium as the original publication or, if that is not possible, with a prominence and in a manner and medium reasonably likely to reach substantially the same audience as the publication complained of.” There is a detailed process about challenging the sufficiency of the correction.
If the plaintiff fails to follow this procedure, or the publisher takes corrective action within 30 days, the plaintiff can still sue, but can no longer seek punitive damages unless the plaintiff can show actual malice. If the plaintiff files suit without sending the notification, there is also a process that would allow the defendant to abate the case and allow for the process to take place.
The law is codified at Texas Civil Practice & Remedies Code, § 73.051–.062.
Data Breach Notification
The Legislature also amended the Texas data breach notification law with SB 1610 so that companies have to notify consumers regardless of state of residence and regardless of whether the state of the consumer has their own breach notification law.
Texas law already required all Texas businesses to notify any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person pursuant to the state law of the individuals. The amendment makes it easier for businesses to follow the Texas law or to make the notification pursuant to the law of the individual’s state — as long as the business does one or the other. This closed the hole that allowed businesses to avoid the notifications for residents of states who don’t have notification laws and business concerns that they would have to follow and know the laws of 50 states.
To be safe, businesses should make their best effort to comply with the Texas notification requirement for all individuals regardless of residence.
This new law, called the “Notification Required Following Breach of Security of Computerized Data,” is codified at Section 521.053(b-1) of the Texas Business and Commerce Code.