C.S.S.B. 405 78(R) BILL ANALYSIS C.S.S.B. 405 By: Hinojosa Criminal Jurisprudence Committee Report (Substituted) BACKGROUND AND PURPOSE Currently, identity theft is one of the fastest growing crimes in the United States. In 2001, the Federal Trade Commission (FTC) ranked Texas outside the top ten states; in 2002, however, Texas rose to number three. C.S.S.B. 405 improves the ability of law enforcement to combat identity theft, provides prevention measures, and assists victims in recovering from identity theft. RULEMAKING AUTHORITY It is the committee's opinion that rulemaking authority is expressly granted to the Department of Public Safety in SECTION 2.04 (Section 411.364, Government Code) and to the Department of Information Resources in SECTION 3.01 (Section 561.055, Government Code) of this bill. ANALYSIS ARTICLE 1 Article 1 begins by requiring a consumer reporting agency to follow reasonable procedures in preparing or disseminating information to ensure maximum possible accuracy of the information about the consumer to whom the information relates. Article 1 adds Chapter 48 to the Business and Commerce Code as the Identify Theft Enforcement and Protection Act and sets definitions, requirements for businesses, remedies and offenses on identity theft. The bill prevents the unauthorized use or possession of personal identifying information. It requires a person who engages in business with another person who allegedly used the consumer's personal identifying information, on a request and with required identifying information provided by a consumer, to disclose without charge to the consumer or a peace officer, not later than the 30th business day after the date on which the person receives the request, certain relevant information. Chapter 48 prohibits a credit card issuer who receives a request for a change of a cardholder's billing address and receives, before the 11th day after the date of the requested address change, a request for an additional credit card on the same account from mailing the requested card to the new address or activating the requested card unless the credit card issuer verifies the change of address. This chapter sets up requirements for businesses that use business receipts containing debit or credit card information. The receipts must not print out more than the last four digits of the cardholder's credit card account number or debit card. A person violates this provision and is liable to the state for a civil penalty in an amount not to exceed $500 for each calendar month during which the violation occurs. The attorney general or the prosecuting attorney in the county may bring suit to recover the civil penalty. This chapter sets up procedures for a court order to declare an individual a victim of identity theft. It also sets up an offense if a person uses a scanning devise or re-encoder to access, read, scan, store, or transfer information encoded on magnetic stripe. This chapter sets up civil and criminal penalties. With respect to a cash register or other machine that is initially installed and in operation after August 31, 2003, Section 48.105, Business and Commerce Code, applies to a receipt or other document evidencing a credit card or debit card transaction that is printed after August 31, 2004, and with respect to a cash register or other machine in operation before September 1, 2003, this section applies after December 31, 2005. ARTICLE II Article II amends the Criminal Procedure, Government Code, Occupations, and Penal codes. The article establishes requirements for peace officers in addressing reports of fraudulent use or possession of identifying information. An offense under 32.51 of the Penal Code may be prosecuted in any county in which the identifying information was obtained, possessed, transferred, or used or the county of residence of the victim. Article II requires the director of the Department of Public Safety (DPS) to create an identity theft unit and requires TCLEOSE, not later than January 1, 2004, to establish a statewide education program on identity theft. Article II amends Section 32.51 of the Penal Code by authorizing the court to order a convicted defendant to reimburse the victim for lost income or other expenses, incurred as a result of the offense. DPS may adopt rules to implement Subchapter L, Chapter 411, Government Code. ARTICLE III Article III amends the Government Code by establishing general privacy and security principles for governmental entities. The article prohibits disclosure by a governmental entity to a member of the public of information that reveals an individual's: social security number, bank account number, credit card or debit account number, or other financial account number, computer password or computer network location or identity, or passport number. It requires the governmental entity to only collect the personal information necessary to: implement a program; authenticate an individual's identity when necessary; ensure security; or accomplish another legitimate governmental purpose. This article does not apply to TDCJ, the Texas Youth Commission, information a governmental entity obtains from or in connection with a motor vehicle record or accident report, records subject to the federal Family Educational Rights and Privacy Act of 1974, information filed with a county clerk, court records, and historical documents. This chapter does not affect the ability of a governmental entity to undertake a lawful investigation, or to protect a person's property, or the environment, or for the governmental entity to comply with any applicable law, or the ability of a private investigator to conduct a lawful investigation. The entities may only disclose information to another federal, state, or local governmental entity and the person or authorized representative of the person who is the subject of the information. A governmental agency may charge a reasonable fee to recover costs for redacting information. A requestor of the information may complain to the attorney general if the requestor feels that the governmental entity redacted or otherwise withheld information not prescribed in this chapter. The attorney general can then review the provided information and take appropriate action. Article III requires the Department of Information Resources (DIR) to adopt rules for prescribing minimum privacy standards with which an Internet site or portal maintained by or for a state government entity must comply. Article III requires that the State Auditor establish auditing guidelines to ensure that a state or local governmental entity does not collect or retain more personal information than the entity needs to accomplish a legitimate governmental purpose of the entity and that protects this information. Article III requires the attorney general to establish guidelines for governmental entities to follow when considering privacy and security issues that arise in connection with requests for public information. The guidelines would balance the need for open government with respect for personal privacy and with the security needs of this state. Article III requires the open records steering committee to periodically study and determine the implications for the personal privacy of individuals and for the security of putting personal information held by the government on the Internet. The bill requires the records management interagency coordinating council to provide guidance and policy direction to state and local governmental entities. Article III amends the Property Code by setting up provisions for handling confidential information in real property information. The bill also requires the county clerk to provide notice of confidentiality rights for an instrument of real property and prohibits the clerk from rejecting an instrument that does not include the personal information. Section 11.008, Property Code, applies only to a deed, mortgage, or deed of trust executed on or after January 1, 2004. ARTICLE IV Article IV amends the Transportation Code to set up provisions and guidelines for the reading of electronically readable information. ARTICLE V Effective date EFFECTIVE DATE September 1, 2003, except that SECTION 2.04 takes effect September 1, 2005 and SECTION 3.01 takes effect January 1, 2004, as that section applies to a municipality with a population of less than 1.2 million. COMPARISON OF ORIGINAL TO SUBSTITUTE The substitute renames Section 20.051 as "Address Verification" and is modified accordingly. The substitute, under Section 48.002, includes the definition of "transactional information." The substitute deletes Sections 48.101 (b) 48.102(a). The substitute changes the disclosure time line under Section 48.103 from the 10th business day to the 30th business day. The substitute removes language from the engrossed bill, which prohibited the court from certifying an action brought under 48.105 as a class action. The substitute further adds Section 48.201(f), which allows the attorney general to, in an action under this section, seek restitution for a person who suffers a loss as a result of a violation of this chapter, other than a violation of Section 48.105. The substitute deletes Sections 32.51(f) and (g), Penal Code. The substitute modifies Section 561.002, Government Code, by adding Subdivisions (2)-(7). Section 561.003 of the substitute is amended by deleting within Subdivision (2) "including the administration of a program provided by statute." This section is further amended by adding a new Subdivision (3). Section 561.051(a) of the substitute is amended by adding "debit card number," "an access number related to financial account," and "passport number" and deleting "driver's license number." Section 561.051 of the substitute is amended by modifying Subsection (b) to remove the provision requiring the attorney general to approve the disclosure of information. The substitute further modifies the section as it relates to whom the governmental entity can disclose information to, charging a fee for redacting information and for individuals filing complaints with the attorney general if they feel too much information has been redacted. The substitute amends the Property Code by setting up provisions for handling confidential information in real property information. The bill also requires the county clerk to provide notice of confidentiality rights for an instrument of real property and prohibits the clerk from rejecting an instrument that does not include the personal information. The substitute also modifies the effective date.