Generally, an employer cannot use an employee’s personal information without the employee’s permission. Texas has enacted laws making it a civil offense for a person to use someone else’s “personal identifying information” (PII) without their authorization. The law requires businesses to safeguard sensitive personal information in their custody or control. Tex. Business & Commerce Code Sec. 48.001 et seq. PII is defined as information that alone or in conjunction with other information identifies an individual. This information includes a person’s name, social security number or other government issued identification number, and date of birth; a person’s maiden name; unique biometric data such as a voiceprint or fingerprint; unique electronic identification number, address or routing code; and telecommunication access devices. Distinct from PII is “sensitive personal information” which is defined as an individual’s first name or initial and last name in combination with specified types of personal identifying information. Businesses that store and maintain any sensitive personal information, even if it is within their employee’s personnel files, must implement and maintain reasonable procedures, including taking any appropriate corrective action to protect against unauthorized or illegal use of that information. Such reasonable safeguards for consumer information that is not to be maintained may include shredding, erasing or otherwise making consumer information unreadable. This requirement does not extend to financial institutions. In addition to protecting this information, persons conducting business in Texas are under an obligation to report any breaches of security to those persons whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Various notice mechanisms are considered appropriate, including email and local postings in popular media if the number of suspected breaches exceeds 50,000 people. The statutory language holds that a person is subject to civil penalties ranging from $2,000 to $50,000 per day, for violating this statute. In addition to civil penalties, a person who unlawfully uses another’s identity is subject to a private suit under the Texas Deceptive Trade Practices Act. The statute does not specify the remedy against businesses for any alleged failure to maintain the privacy of their information.