SRC-VRA, TAG C.S.S.B. 405 78(R)
BILL ANALYSIS

Senate Research Center
C.S.S.B. 405
78R9226 KCR/RCJ-D
By: Hinojosa
Criminal Justice
3/21/2003
Committee Report (Substituted)

DIGEST AND PURPOSE

Currently, identity theft is one of the fastest growing crimes in the United States. In 2001, the Federal Trade Commission (FTC) ranked Texas outside the top ten states; in 2002, however, Texas rose to number three. C.S.S.B. 405 improves the ability of law enforcement to combat identity theft, provides prevention measures, and assists victims in recovering from identity theft.

RULEMAKING AUTHORITY

Rulemaking authority is expressly granted to the Texas Department of Public Safety in SECTION 2.04 (Section 411.364, Government Code), the Attorney General in SECTION 3.01 (Section 561.051, Government Code), and the Department of Information Resources in SECTION 3.01 (561.055, Government Code) of this bill.

SECTION BY SECTION ANALYSIS

ARTICLE 1 SECTION 1.01. Amends Chapter 20, Business & Commerce Code, by adding Section 20.051, as follows: Sec. 20.051. PROTECTION OF CONSUMER INFORMATION. (a) Prohibits a consumer reporting agency, notwithstanding any other provision of this chapter, from furnishing a consumer report unless the person to whom the report is furnished provides the consumer reporting agency at least four separate items of identification regarding the consumer to whom the report relates that match certain applicable forms of identification. (b) Requires a consumer reporting agency to follow reasonable procedures in preparing or disseminating information to assure maximum possible accuracy of the information about the consumer to whom the information relates. (c) Prohibits a consumer reporting agency from recording a requested change of a consumer's address in a consumer file until the consumer credit agency verifies the change with the consumer. SECTION 1.02. (a) Amends Title 4, Business & Commerce Code, by adding Chapter 48 as follows: CHAPTER 48. 
IDENTITY THEFT AND PROTECTION SUBCHAPTER A. GENERAL PROVISIONS Sec. 48.001. SHORT TITLE. Authorizes this chapter to be cited as the Identity Theft Enforcement and Protection Act. Sec. 48.002. DEFINITIONS. Defines "peace officer," "personal identifying information," "personal representative," "required identifying information," and "telecommunication access device." Sec. 48.003. LIBERAL CONSTRUCTION AND APPLICATION. Requires this chapter to be liberally construed and applied to promote certain underlying purposes. [Reserves Sections 48.04-48.100 for expansion.] SUBCHAPTER B. IDENTITY THEFT Sec. 48.101. UNAUTHORIZED USE OR POSSESSION OF PERSONAL IDENTIFYING INFORMATION. (a) Prohibits a person from obtaining, possessing, transferring, or using personal identifying information of another person without the other person's consent and with intent to obtain a good, service, insurance, an extension of credit, or any other thing of value in the other person's name. (b) Provides that a person who obtains, possesses, transfers, or uses the personal identifying information of six or more persons without the other persons' consent is presumed to have had the intent to obtain a good, service, insurance, an extension of credit, or any other thing of value in the other persons' names. Sec. 48.102. SALE OF PERSONAL IDENTIFYING INFORMATION. Prohibits a person from selling or otherwise providing to another person in exchange for consideration the personal identifying information of a resident of this state without the resident's consent and with intent to harm or defraud the resident. Sec. 48.103. BUSINESS DUTY TO PROTECT AND SAFEGUARD PERSONAL IDENTIFYING INFORMATION. (a) Requires a business to protect and safeguard any personal identifying information collected or maintained by the business in the regular course of business. 
(b) Requires a business to implement and maintain reasonable procedures, including taking any appropriate corrective action, to prevent the unlawful use of any personal identifying information collected or maintained by the business. Sec. 48.104. REFERENCE SERVICES PROVIDER OR MARKETING LIST BROKER-ACCURACY OF INFORMATION. Requires a person in the business of providing reference services or brokering marketing lists to implement and maintain reasonable procedures in preparing or disseminating information to assure maximum possible accuracy of the information. Sec. 48.105. DUTY TO PROVIDE INFORMATION TO CONSUMER. (a) Requires a person that engages in business with another person who allegedly used the consumer's personal identifying information, on a request and with required identifying information provided by a consumer, to disclose without charge to the consumer or a peace officer, not later than the 10th business day after the date on which the person receives the request, certain information. (b) Authorizes the person, before a person is required to disclose information under Subsection (a) to a peace officer, to require the consumer to submit a written statement dated and signed by the consumer. Requires the statement to include certain information. (c) Prohibits a person from being held liable under this section if the person does not make a disclosure to a peace officer because a consumer fails to provide the authorization requested by the person as permitted by Subsection (b). Sec. 48.106. CREDIT CARD ADDRESS CHANGE. Provides that a credit card issuer who receives a request for a change of a cardholder's billing address and receives, before the 11th day after the date of the requested address change, a request for an additional credit card on the same account may not mail the requested card to the new address or activate the requested card unless the credit card issuer verifies the change of address. Sec. 48.107. 
BUSINESS RECEIPT CONTAINING DEBIT OR CREDIT CARD INFORMATION. (a) Provides that this section does not apply to a transaction in which the sole means of recording a person's debit or credit card account number on a receipt or other document evidencing the transaction is by handwriting or by an imprint or copy of the debit or credit card. (b) Prohibits a person that accepts a debit or credit card for the transaction of business from using a cash register or other machine to print a receipt or other document that evidences the transaction if the cash register or other machine prints certain identifying information. (c) Provides that a person who violates Subsection (b) is liable to the state for a civil penalty in an amount not to exceed $500 for each calendar month during which a violation occurs. Prohibits the civil penalty from being imposed for more than one violation that occurs in a month. (d) Authorizes the attorney general or the prosecuting attorney in the county in which the violation occurs to bring suit to recover the civil penalty imposed under Subsection (c). (e) Requires a person who provides, leases, or sells a cash register or other machine used to print receipts or other documents evidencing credit card or debit card transactions to give notice of the requirements of this section to the recipient, lessee, or buyer, as applicable, of the cash register or other machine. (f) Prohibits a court from certifying an action brought under this section as a class action. Sec. 48.108. IDENTITY THEFT BY ELECTRONIC DEVICE. (a) Defines "payment card," "re-encoder," and "scanning device." (b) Provides that a person commits an offense if the person uses a scanning device or re-encoder to access, read, scan, store, or transfer information encoded on the magnetic strip of a payment card without the consent of an authorized user of the payment card and with intent to harm or defraud another. [Reserves Sections 48.109-48.200 for expansion.] SUBCHAPTER C. 
REMEDIES AND OFFENSES Sec. 48.201. CIVIL PENALTY; INJUNCTION. (a) Provides that a person who violates this chapter, other than Section 48.107, is liable to the state for a civil penalty of at least $2,000 but not more than $50,000 for each violation. Authorizes the attorney general to bring suit to recover the civil penalty imposed by this subsection. (b) Authorizes the attorney general, if it appears to the attorney general that a person is engaging in, has engaged in, or is about to engage in conduct that violates this chapter, to bring an action in the name of this state against the person to restrain the violation by a temporary restraining order or a permanent or temporary injunction. (c) Requires an action brought under Subsection (b) to be filed in a district court in Travis County or in certain counties. (d) Provides that the plaintiff in an action under this section is not required to give a bond. Authorizes the court to also grant any other equitable relief that the court considers appropriate to prevent any additional harm to a victim of identity theft or a further violation of this chapter or to satisfy any judgment entered against the defendant, including the issuance of an order to appoint a receiver, sequester assets, correct a public or private record, or prevent the dissipation of a victim's assets. (e) Provides that the attorney general is entitled to recover reasonable expenses incurred in obtaining injunctive relief, civil penalties, or both, under this section, including reasonable attorney's fees, court costs, and investigatory costs. Requires amounts collected by the attorney general under this section to be deposited in the general revenue fund and authorizes the amounts to be appropriated only for the investigation and prosecution of other cases under this chapter. Sec. 48.202. PRIVATE CAUSE OF ACTION. 
(a) Authorizes a person injured by a violation of this chapter, other than Section 48.103 or 48.104, to bring an action to perform certain tasks. (b) Provides that a person who prevails in an action filed under this section is entitled to recover court costs and reasonable attorney's fees. (c) Requires a person to bring an action under this section not later than the fourth anniversary of the date on which the person becomes aware of the violation. (d) Requires an heir or personal representative of a person or decedent injured by a violation of this chapter, other than Section 48.103 or 48.104, to bring an action under this section not later than the second anniversary of the date on which the personal representative or heir becomes aware of the violation. Sec. 48.203. COURT ORDER TO DECLARE INDIVIDUAL AS A VICTIM OF IDENTITY THEFT. (a) Authorizes a person who is injured by a violation of this chapter, or who has filed a criminal complaint alleging commission of an offense under Section 32.51, Penal Code, to file an application with a district court for the issuance of a court order declaring that the person is a victim of identity theft. Authorizes a person to file an application under this section regardless of whether the person is able to identify each person who allegedly transferred or used the person's identifying information in an unlawful manner. (b) Provides that a person is presumed to be a victim of identity theft under this section if certain criteria are met. (c) Requires the court, after notice and hearing, if the court is satisfied by a preponderance of the evidence that the applicant has been injured by a violation of this chapter, other than Section 48.103 or 48.104, or is the victim of the commission of an offense under Section 32.51, Penal Code, to enter an order containing certain information. (d) Requires an order rendered under this section to be sealed because of the confidential nature of the information required to be included in the order. 
Authorizes the order to be opened and the order or a copy of the order to be released only to certain individuals. (e) Authorizes a court at any time to vacate an order issued under this section if the court finds that the application or any information submitted to the court by the applicant contains a fraudulent misrepresentation or a material misrepresentation of fact. (f) Requires a copy of an order provided to a person under Subsection (d)(1) to remain sealed throughout and after the civil proceeding. Provides that information contained in a copy of an order provided to a governmental entity or business under Subsection (d)(2) is confidential and may not be released to another person except as otherwise required or provided by law. Sec. 48.204. DECEPTIVE TRADE PRACTICE. Provides that a violation of this chapter, other than Section 48.103 or 48.104, is a deceptive trade practice actionable under Chapter 17E. Sec. 48.205. CRIMINAL PENALTY. Provides that an offense under Section 48.108 is a Class B misdemeanor. (b) Amends Articles 18.18(a), (b), (e), (f), and (g), Code of Criminal Procedure, to make conforming changes. SECTION 1.03. Provides that for the purposes of Section 48.107, Business and Commerce Code: (1) Application of this Act is prospective to August 31, 2004, with respect to a cash register or other machine that is initially installed and in operation after August 31, 2003; and (2) Application of this Act is prospective to December 31, 2005, with respect to a cash register or other machine that is in operation before September 1, 2003. ARTICLE 2 SECTION 2.01. (a) Amends Chapter 2, Code of Criminal Procedure, by adding Article 2.28, as follows: Art. 2.28. REPORT REQUIRED IN CONNECTION WITH FRAUDULENT USE OR POSSESSION OF IDENTIFYING INFORMATION. (a) Requires a peace officer to whom an alleged violation of Section 32.51, Penal Code, is reported to make a written report that includes certain information. 
(b) Requires a peace officer, upon a victim's request, to provide the victim with the report created under Subsection (a). Requires the police officer providing the report to redact any otherwise confidential information that is included in the report, other than the information described by Subsection (a). (b) Makes application of this Act prospective to September 1, 2003. SECTION 2.02. (a) Amends Chapter 13, Code of Criminal Procedure, by adding Article 13.28, as follows: Art. 13.28. FRAUDULENT USE OR POSSESSION OF IDENTIFYING INFORMATION. Authorizes an offense under Section 32.51, Penal Code, to be prosecuted in any county in which the offense was committed; or the county of residence for the person whose identifying information was fraudulently obtained, possessed, transferred, or used. (b) Makes application of this Act prospective to September 1, 2003. SECTION 2.03. Amends Article 56.01(3), Code of Criminal Procedure, to redefine "victim." SECTION 2.04. Amends Chapter 411, Government Code, by adding Subchapter L, as follows: SUBCHAPTER L. IDENTITY THEFT UNIT Sec. 411.361. DEFINITIONS. Defines "attorney representing the state" and "identity theft." Sec. 411.362. IDENTITY THEFT UNIT. (a) Requires the director to create an identity theft unit operated by the Department of Public Safety (DPS). (b) Requires the director to employ commissioned peace officers and noncommissioned employees to perform duties required by the unit. Sec. 411.363. DUTIES. Requires the identity theft unit to encourage, assist, and initiate investigation regarding identity theft. Sec. 411.364. RULES. Requires DPS to adopt the necessary rules to implement this subchapter. SECTION 2.05. 
(a) Amends Section 1701.253, Occupations Code, by adding Subsection (i), as follows: (i) Requires TCLEOSE, as part of the minimum curriculum requirements, to establish a statewide comprehensive education and training program on identity theft under Section 32.51, Penal Code, for officers licensed under this chapter. Requires an officer to complete a program established under this subsection not later than the second anniversary of the date the officer is licensed under this chapter or the date the officer applies for an intermediate proficiency certificate, whichever date is earlier. (b) Amends Section 1701.402, Occupations Code, by adding Subsection (f), as follows: (f) Requires an officer, as a requirement for an intermediate proficiency certificate, to complete an education and training program on identity theft established by TCLEOSE under Section 1701.253(i). (c) Requires TCLEOSE, not later than January 1, 2004, to establish the education and training programs on identity theft required under Sections 1701.253(i) and 1701.402(f), Occupations Code, as added by this Act. (d) Requires a person who, on the effective date of this Act, holds an intermediate proficiency certificate issued under Section 1701.402, Occupations Code, or has held a peace officer license issued by TCLEOSE for more than two years to complete an educational training program on identity theft established under Section 1701.253(i), Occupations Code, as added by this Act, not later than September 1, 2005. SECTION 2.06. (a) Amends Section 32.51(a)(1), Penal Code, to redefine "identifying information." 
(b) Amends Section 32.51, Penal Code, by amending Subsection (d) and adding Subsections (f) and (g), as follows: (d) Authorizes the court to order the defendant to reimburse the victim for lost income or other expenses, including attorney's fee, rather than other attorneys' fees, incurred as a result of the offense, if it orders a defendant convicted of an offense under this section to make restitution to the victim of the offense. (f) Provides that for the purposes of this section, intent to harm or defraud another is presumed if the actor obtains, possesses, transfers, or uses the identifying information of six or more persons without the consent of those persons. (g) Provides that it is an exception to the application of this section that the actor obtained, possessed, transferred, or used another person's identifying information for the sole purpose of misrepresenting the actor's age. (c) Makes application of this Act prospective to September 1, 2003. ARTICLE 3 SECTION 3.01. Amends Title 5A, Government Code, by adding Chapter 561, as follows: CHAPTER 561. PROTECTION OF PERSONAL INFORMATION. SUBCHAPTER A. GENERAL PROVISIONS Sec. 561.001. DEFINITIONS. Defines "personal information" and "governmental entity." Sec. 561.002. APPLICABILITY. Provides that this chapter does not apply to information held by or for a court other than a commissioners court. Sec. 561.003. CONSTRUCTION WITH OTHER LAW. Provides that this chapter does not affect certain the state from performing certain actions. [Reserves Sections 561.004-561.050 for expansion.] SUBCHAPTER B. SPECIFIC PRIVACY PROTECTIONS Sec. 561.051. DISCLOSURE OF CERTAIN PERSONAL INFORMATION; COMPELLING INTEREST OR INTENSE PUBLIC CONCERN REQUIREMENT. (a) Provides that this section applies only to the disclosure by a governmental entity of information that reveals an individual's personal information. 
(b) Prohibits a state or local government entity from disclosing information described by Subsection (a) under Chapter 552 or other law unless the attorney general authorizes the disclosure after determining that certain conditions have been met. (c) Authorizes the requestor of the information or the state or local governmental entity to request the attorney general to authorize the disclosure of information described by Subsection (a). (d) Provides that a state or local governmental entity is not required to request a decision of the attorney general under Chapter 552G, before refusing to disclose a social security number, bank account number, credit card account number, other financial account number, computer password, driver's license number, or computer network location or identity in response to a request made under Chapter 552. Requires the state or local governmental entity to inform the requestor that the requested information is being withheld under this section and that the requestor is entitled to request the attorney general to authorize the disclosure. (e) Authorizes the attorney general to adopt rules to implement this section, including rules that describe appropriate and clearly defined circumstances under which a category of information described by Subsection (a) is presumed to satisfy a requirement of Subsection (b) and therefore to be disclosed without the necessity of obtaining specific authorization for the disclosure from the attorney general. Authorizes a rule of the attorney general that describes circumstances under which information is presumptively to be disclosed to limit disclosure to specific state, local, or federal authorities or to allow the information to be generally disclosed under Chapter 552, as appropriate. 
(f) Requires the attorney general to develop procedures under which the office of the attorney general will expedite a decision whether to authorize disclosure of information described by Subsection (a) when expedited consideration is warranted under the circumstances. (g) Authorizes a decision of the attorney general under this section to be challenged in court in the same manner that a decision of the attorney general may be challenged under Chapter 552G. (h) Provides that if information described by Subsection (a) is requested under Chapter 552, Section 552.325 applies in relation to the individual who is the subject of the information in the same manner as if the individual were a requestor of the information, but requires the attorney general to notify the individual under Section 552.325(c) if the attorney general proposes to agree to the release of all or part of the information. Sec. 561.052. COLLECTION OF PERSONAL INFORMATION. Requires a state or local government entity to establish procedures to ensure that the governmental entity collects personal information only to the extent reasonably necessary to perform certain functions. Sec. 561.053. RECORDS RETENTION SCHEDULES. (a) Requires a state or local government entity, in adopting or amending its records retention schedule, to schedule the retention of personal information only for the period necessary to accomplish the purpose for which the information was collected or, if applicable, for the minimum period specifically prescribed by statute. (b) Provides that Subsection (a) does not apply to the retention of personal information that has demonstrable historical or archival value. Sec. 561.054. GENERAL PRIVACY POLICIES. (a) Requires a state or local governmental entity to develop a privacy policy that completely describes in plainly written language certain information. 
(b) Requires the state or local governmental entity to promptly amend the privacy policy whenever information in the policy becomes incorrect or incomplete. (c) Requires the state or local governmental entity to prominently post its current privacy policy through certain means. Sec. 561.055. GOVERNMENT INTERNET SITES: PRIVACY POLICY. (a) Requires the Department of Information Resources (DIR) to adopt rules prescribing minimum privacy standards with which an Internet site or portal maintained by or for a state or local government entity must comply. Requires the rules to be designed to limit the collection of personal information about users of the government Internet site or portal to information for specific purposes. (b) Requires DIR, in adopting rules under this section, to consider policies adopted by other states and the federal government in this regard. (c) Requires a state or local governmental entity that maintains an Internet site or portal or for which an Internet site or portal is maintained to adopt a privacy policy regarding information collected through the site or portal and to provide a prominent link to the policy for users of the site or portal. Requires the policy to be consistent with the rules adopted by DIR under this section and to be included as a prominent separate element of the general privacy policy that the entity is required to develop and to which it must provide an Internet link under Section 561.054. Sec. 561.056. STATE AUDITOR. (a) Requires the state auditor to establish auditing guidelines to ensure that state and local governmental entities that the state auditor has authority to audit under other law meet certain conditions. (b) Authorizes the state auditor, during an appropriate type of audit, to audit a state or local governmental entity for compliance with the guidelines established under Subsection (a). [Reserves Sections 561.057-561.100 for expansion.] SUBCHAPTER C. GUIDELINES. Sec. 561.101. 
ATTORNEY GENERAL GUIDELINES FOR REVIEWING PRIVACY AND SECURITY ISSUES. (a) Requires the attorney general to establish guidelines for state and local governmental entities to follow when considering privacy and security issues that arise in connection with requests for public information. Requires the guidelines to address procedural safeguards, legal issues, and other issues that in the opinion of the attorney general would help state and local governmental entities comply with applicable law and recommended information practices when handling personal information or information related to security. Requires the guidelines to balance the need for open government with respect for personal privacy and with the security needs of this state. (b) Requires the attorney general to establish guidelines for sharing information for security purposes among state, local, and federal governmental entities and with the private sector. Requires the guidelines to ensure the protection of personal privacy to the extent feasible and to clarify and explain the legal consequences of sharing the information. (c) Provides that the guidelines do not create exceptions from required disclosure under Chapter 552. Sec. 561.102. OPEN RECORDS STEERING COMMITTEE; RECORDS MANAGEMENT INTERAGENCY COORDINATING COUNCIL. (a) Requires the open records steering committee established under Section 552.009 to periodically study and determine the implications for the personal privacy of individuals and for the security of this state of putting information held by government on the Internet and to include its findings and recommendations in reports the committee makes under Section 552.009. 
(b) Requires the Records Management Interagency Coordinating Council established under Section 441.203 to provide guidance and policy direction to state and local governmental entities in appropriately incorporating developments in electronic management of information into their information management systems in ways that protect personal privacy and the security of this state and promote appropriate public access to information that is not excepted from required public disclosure. SECTION 3.02. Requires each state and local entity to examine its records retention schedule and amend the schedule so that it complies with Section 561.053, Government Code, as added by this Act. ARTICLE 4. SECTION 4.01. (a) Amends Section 521.126, Transportation Code, as follows: Sec. 521.126. ELECTRONICALLY READABLE INFORMATION. (a) Makes a conforming change. (b) Provides that a person commits an offense if the person knowingly performs certain actions. (c) Provides that an offense under Subsection (b)(1) is a Class A misdemeanor. (d) Provides that an offense under Subsection (b)(2) is a state jail felony. (e) Provides that the prohibition provided by Subsection (b) does not apply to certain individuals. (b) Makes application of this Act prospective. ARTICLE 5. SECTION 5.01. Effective date: September 1, 2003. SUMMARY OF COMMITTEE CHANGES ARTICLE 1. Differs from the original by replacing proposed ARTICLE 1 with a new ARTICLE 1 in the committee substitute. ARTICLE 2. SECTION 2.01. Differs from the original by making nonsubstantive changes to proposed language. SECTION 2.02. No change. SECTION 2.03. Differs from the original by deleting proposed SECTION 2.03 and replacing it with proposed SECTION 2.04. Renumbers SECTIONS appropriately. SECTION 2.04. Differs from the original by redesignating proposed SECTION 2.05 as SECTION 2.04. SECTION 2.05. Differs from the original by creating new SECTION 2.05. SECTION 2.06. 
Differs from the original by deleting proposed SECTION 2.06 and replacing it with a new SECTION 2.06. ARTICLES 3-5. Differs from the original by creating new ARTICLES.