Texas AG Reminds Everyone about Document Security

Today, it is being reported that Texas Attorney General Greg Abbot has sued CVS Corp for mishandling sensitive customer information including credit card numbers and medical information. Though I have not yet read the complaint in its entirety, the AG appears to be pursuing two primary causes of action, one being the violation of the 2005 Identity Theft Enforcement and Protection Act (enacted as Chapter 48 of the Texas Business and Commerce Code), and the second being violations of Chapter 35.48 of the Texas Business and Commerce Code, which governs the retention and disposal of business records in Texas.

The suit against CVS apparently marks the fourth suit in Texas under the Identity Theft statute. Radio Shack got tagged a few weeks ago with similar issues. A brief, and incomplete, Google search indicates that other states have, or are considering bills similar to the Identity Theft statute. I would not be surprised to discover that a number of states also have some form of retention and disposal statute.

For those of us accustomed to practicing in bankruptcy courts, these types of state law requirements add yet another layer of responsibility, especially on debtor's counsel. I will be the first to admit that I only learned of these two statutes this morning, and dare say that no other bankruptcy practitioner in Texas has ever mentioned either in my presence. Not only do state law requirements of this type reinforce the need to be prepared, and to educate and prepare the client before filing, but such statutes may also add weight to the suggestion that First Day motions include a damn good document retention policy where none existed pre-petition.


Will do my best to look more deeply at these issues over the weekend and will update before Monday. There are some interesting issues here that warrant a few more electrons out on the Internet!