Breaking News
More () »

After millions hacked, new Texas law requires businesses to report data breaches

Law breakers could face up to a $250,000 fine, plus $2,000 to $50,000 for every person impacted.

Chinasa Emenaha never thought her banking information would be stolen.

Then one day Emenaha, a college student who uses a prepaid card, noticed she was getting charged for purchases she didn’t make.

“It would be like $91, $100, $50, and I was like, ‘What is going on? This is scary,” she said.

Emenaha had a good reason to be worried. The identities of millions of Texans are compromised every year, and many of them are left in the dark.

That is in large part because, in Texas, businesses are not required to report those incidents. High-profile hackers continue to find ways to steal personal information and use it to rip people off.

“Sometimes you use your card and you don't check and then two weeks later you're like, ‘Wow, I didn't authorize this,’” Emenaha said.

Credit: KHOU
Chelsea Emenaha said it was a scary feeling when she realized her banking information was stolen by hackers.

Texas Assistant Attorney General Rick Berlin said it’s scary and not easy to stop or prosecute. Evolving technology also makes it a challenge.

“Every day it seems there's some new threat that we need to respond to or a new risk that needs to be addressed,” Berlin said.

The non-profit agency Privacy Rights Clearinghouse maintains a website that keeps track of hacks and data breaches.

KHOU 11 Investigates reviewed complaints filed by Texas businesses over the last five years and found the personal information from an estimated 75 million people was subject to data breaches.

READ MORE: Former Cardinals exec pleads guilty to hacking Astros

There were some well-known businesses on the list: Neiman Marcus, Bank of America, Delta Airlines and the Houston Astros.

The Houston baseball team was so hot in 2016, a hacker hit up their playbook. A former employee of the St. Louis Cardinals baseball organization was sentenced to four years in prison for hacking into computers to get stats, scouting reports and personal information on players.

Grinches tried to steal Christmas from Neiman Marcus online shoppers back in 2015. The company reported login credentials and passwords were stolen from at least 5,200 customers.

Pizza Hut warned 60,000 of its customers in 2017 that hackers broke into its website and app putting their credit cards at risk.

Overall, we noticed businesses were hit the hardest with nearly 70 million stolen records. Roughly 5 million were compromised at medical offices. Universities and colleges reported 50,000.

“It could potentially be very damaging,” Berlin said. “For example, a criminal can use that information to commit their own crimes.”

Businesses can voluntarily report data breaches to the Texas Attorney General's Office. But we found that not many do. In the last five years, the AG received only 25 complaints.

“We expect after Jan. 1 we will receive a lot more,” Berlin said.

Credit: KHOU
Texas lawmakers passed a new law this past legislative session that requires businesses affected by a data breach must contact the attorney general's office within 60 days if 250 or more people are affected.

RELATED: Data breaches, cyberattacks became even more common – and more personal – in 2018

After recent data breaches like Equifax, the Texas legislature passed a law requiring businesses to notify the AG's office of a data breach within 60 days if it affects more than 250 people.

“If we find out by consumers that there's been a breach that, that's a significant violation of the statute,” Berlin said.

Law breakers could face fines up to $250,000, plus $2,000 to $50,000 for every person impacted.

Emenaha believes if the law had been in place when she was exposed, it could have prevented the skimmers from striking again.

“I'm glad there is going to be a change because we definitely need it,” she said.

What To Do If Your Information Is Hacked 

Monitoring your accounts and getting a free credit report at least once a year could save you a huge hassle.

The AG’s Office also recommends using a different password for every website you visit and resetting them often. Use two-factor authentication. Also, when possible, use credit cards instead of debit cards when shopping online. That allows extra time to dispute the charge before the money is withdrawn.