The Texas Attorney General has charged CVS with violating the “2005 Identity Theft Enforcement and Protection Act,” and with violating “Chapter 35” of the “Business and Commerce Code,” which requires businesses to develop retention and disposal procedures for their clients’ personal information. Investigators with the Office of the Attorney General (OAG) discovered that a CVS store near Houston exposed hundreds of its customers to identity theft by failing to properly dispose of records that contained sensitive information. The investigation was launched after reports indicated that bulk customer records were tossed in a dumpster behind the store. The documents obtained by OAG investigators also contained hundreds of active debit and credit card numbers, complete with expiration dates. Under the law, the OAG has the authority to seek penalties of up to $50,000 per violation. AG investigators are also working to determine if any exposed data has been used illegally.