78(R) SB 405 Senate committee report

SRC-VRA, TAG C.S.S.B. 405 78(R)BILL ANALYSIS


Senate Research CenterC.S.S.B. 405
78R9226 KCR/RCJ-DBy: Hinojosa
Criminal Justice
3/21/2003
Committee Report (Substituted)


DIGEST AND PURPOSE 

Currently, identity theft is one of the fastest growing crimes in the
United States.  In 2001, the Federal Trade Commission (FTC)  ranked Texas
outside the top ten states; in 2002, however, Texas rose to number three.
C.S.S.B. 405 improves the ability of law enforcement to combat identity
theft, provides prevention measures, and assists victims in recovering
from identity theft.  

RULEMAKING AUTHORITY

Rulemaking authority is expressly granted to the Texas Department of
Public Safety in SECTION 2.04 (Section 411.364, Government Code), the
Attorney General in SECTION 3.01 (Section 561.051, Government Code), and
the Department of Information Resources in SECTION 3.01 (561.055,
Government Code) of this bill.  

SECTION BY SECTION ANALYSIS

ARTICLE 1

SECTION 1.01.  Amends Chapter 20, Business & Commerce Code, by adding
Section 20.051,as follows: 

Sec.  20.051.  PROTECTION OF CONSUMER INFORMATION.  (a)  Prohibits a
consumer reporting agency, notwithstanding any other provision of this
chapter, from furnishing a consumer report unless the person to whom the
report is furnished provides the consumer reporting agency at least four
separate  items of identification regarding the consumer to whom the
report relates that match certain applicable forms of identification. 

(b)  Requires a consumer reporting agency to follow reasonable procedures
in preparing or disseminating information to assure maximum possible
accuracy of the information about the consumer to whom the information
relates.  

(c)  Prohibits a consumer reporting agency from recording a requested
change of a consumer's address in a consumer file until the consumer
credit agency verifies the change with the consumer. 

SECTION 1.02.  (a)  Amends Title 4, Business & Commerce Code, by adding
Chapter 48 as follows:  

CHAPTER 48.  IDENTITY THEFT AND PROTECTION
SUBCHAPTER  A.  GENERAL PROVISIONS

Sec. 48.001  SHORT TITLE.  Authorizes this chapter to be cited as the
Identity Theft Enforcement and Protection Act. 

Sec. 48.002.  DEFINITIONS.  Defines "peace officer," "personal identifying
information,"  "personal representative," "required identifying
information,"  and "telecommunication access device." 

Sec. 48.003.  LIBERAL CONSTRUCTION AND APPLICATION.  Requires this chapter
to be liberally construed and applied to promote certain underlying
purposes. 

[Reserves Sections 48.04-48.100 for expansion.]  

SUBCHAPTER B.  IDENTITY THEFT

Sec. 48.101.  UNAUTHORIZED USE OR POSSESSION OF PERSONAL IDENTIFYING
INFORMATION.  (a)  Prohibits a person from obtaining, possessing,
transferring, or using personal identifying information of another person
without the other person's consent and with intent to obtain a good,
service, insurance, an extension of credit, or any other thing of value in
the other person's name. 

(b)  Provides that a person who obtains, possesses, transfers, or uses the
personal identifying information of six or more persons without the other
persons' consent is presumed to have had the intent to obtain a good,
service, insurance, an extension of credit, or any other thing of value in
the other persons' names. 

Sec.  48.102.  SALE OF PERSONAL IDENTIFYING INFORMATION.  Prohibits a
person from selling or otherwise providing to another person in exchange
for consideration the personal identifying information of a resident of
this state without the resident's consent and with intent to harm or
defraud the resident. 

Sec.  48.103.  BUSINESS DUTY TO PROTECT AND SAFEGUARD PERSONAL IDENTIFYING
INFORMATION.  (a)  Requires a business to protect and safeguard any
personal identifying information collected or maintained by the business
in the regular course of business. 

(b)  Requires a business to implement and maintain reasonable procedures,
including taking any appropriate corrective action, to prevent the
unlawful use of any personal identifying information collected or
maintained by the business. 

Sec.  48.104.  REFERENCE SERVICES PROVIDER OR MARKETING LIST
BROKER-ACCURACY OF INFORMATION.  Requires a person in the business of
providing reference services or brokering marketing lists to implement and
maintain reasonable procedures in preparing or disseminating information
to assure maximum possible accuracy of the information. 

Sec.  48.105.  DUTY TO PROVIDE INFORMATION TO CONSUMER.  (a)  Requires a
person that engages in business with another person who allegedly used the
consumer's personal identifying information, on a request and with
required identifying information provided by a consumer, to disclose
without charge to the consumer or a peace officer, not later than the 10th
business day after the date on which the person receives the request,
certain information. 

(b)  Authorizes the person, before a person is required to disclose
information under Subsection (a) to a peace officer, to require the
consumer to submit a written statement dated and signed by the consumer.
Requires the statement to include certain information. 

(c)  Prohibits a person from being held liable under this section if the
person does not make a disclosure to a peace officer because a consumer
fails to provide the authorization requested by the person as permitted by
Subsection (b).   
 
Sec.  48.106.  CREDIT CARD ADDRESS CHANGE.  Provides that a credit card
issuer who receives a request for a change of a cardholder's billing
address and receives, before the 11th day after the date of the requested
address change, a request for an additional credit card on the same
account may not mail the requested card to the new address or activate the
requested card unless the credit card issuer verifies the change of
address. 

Sec.  48.107.  BUSINESS RECEIPT CONTAINING DEBIT OR CREDIT CARD
INFORMATION.  (a)  Provides that this section does not apply to a
transaction in which the sole  means of recording a person's debit or
credit card account number on a receipt or other document evidencing the
transaction is by handwriting or by an imprint or copy of the debit or
credit card. 

(b)  Prohibits a person that accepts a debit or credit card for the
transaction of business from using a cash register or other machine to
print a receipt or other document that evidences the transaction if the
cash register or other machine prints certain identifying information. 

(c)  Provides that a person who violates Subsection (b) is liable to the
state for a civil penalty in an amount not to exceed $500 for each
calendar month during which a violation occurs. Prohibits the civil
penalty from being imposed for more than one violation that occurs in a
month. 

(d)  Authorizes the attorney general or the prosecuting attorney in the
county in which the violation occurs to bring suit to recover the civil
penalty imposed under Subsection (c). 

(e)  Requires a person who provides, leases, or sells a cash register or
other machine used to print receipts or other documents evidencing credit
card or debit card transactions to give notice of the requirements of this
section to the recipient, lessee, or buyer, as applicable, of the cash
register or other machine. 

 (f)  Prohibits a court from certifying an action brought under this
section as a class action. 

 Sec.  48.108.  IDENTITY THEFT BY ELECTRONIC DEVICE.  (a)  Defines
"payment card," "re-encoder," and "scanning device." 

(b)  Provides that a person commits an offense if the person uses a
scanning device or reencoder to access, read, scan, store, or transfer
information encoded on the magnetic strip of a payment card without the
consent of an authorized user of the payment card and with intent to harm
or defraud another. 

[Reserves Sections 48.109-48.200 for expansion]

SUBCHAPTER C.  REMEDIES AND OFFENSES

Sec.  48.201.  CIVIL PENALTY; INJUNCTION.  (a)  Provides that a person who
violates this chapter, other than Section 48.107, is liable to the state
for a civil penalty of at least $2,000 but not more than $50,000 for each
violation.  Authorizes the attorney general to bring suit to recover the
civil penalty imposed by this subsection.   

(b)  Authorizes the attorney general, if it appears to the attorney
general that a person is engaging in, has engaged in, or is about to
engage in conduct that violates this chapter, to bring an action in the
names of this state against the person to restrain the violation by a
temporary restraining order or a permanent or temporary injunction. 

(c)  Requires an inaction brought under Subsection (b) to be filed in a
district court in Travis County or in certain counties. 
 
(d)  Provides that the plaintiff in an action under this section is not
required to give a bond. Authorizes the court to also grant any other
equitable relief that the court considers appropriate to prevent any
additional harm to a victim of identity theft or a further violation of
this chapter or to satisfy any judgment entered against the defendant,
including the issuance of an order to appoint a receiver, sequester
assets, correct a public or private record, or prevent the dissipation of
a victim's assets. 

(e)  Provides that the attorney general is entitled to recover reasonable
expenses incurred in obtaining injunctive relief, civil penalties, or
both, under this section, including reasonable attorney's fees, court
costs, and investigatory costs.  Requires amounts collected by the
attorney general under this section to be deposited in the general revenue
fund and authorizes the amounts to be appropriated only for the
investigation and proseuction of other cases under this chapter. 

Sec.  48.202.  PRIVATE CAUSE OF ACTION.  (a)  Authorizes a person injured
by a violation of this chapter, other than Section 48.103 or 48.104, to
bring an action to perform certain tasks. 

(b)  provides that a person who prevails in an action filed under this
section is entitled to recover court costs and reasonable attorney's fees. 

(c)  Requires a person to bring an action under this section not later
than fourth anniversary of the date on which the person becomes aware of
the violation. 

(d)  Requires an heir or personal representative of a person or decedent
injured by a violation of this chapter, other than Section 48.103 or
48.104, to bring an action under this section not later than the second
anniversary of the date on which the personal representative or heir
becomes aware of the violation. 

Sec.  48.203.  COURT ORDER TO DECLARE INDIVIDUAL AS A VICTIM OF IDENTITY
THEFT.  (a)  Authorizes a person who is injured by a violation of this
chapter, or who has filed a criminal complaint alleging commission of an
offense under Section 32.51, Penal Code, to file an application with a
district court for the issuance of a court order declaring that the person
is a victim of identity theft.  Authorizes a person to file an application
under this section regardless of whether the person is able to identify
each person who allegedly transferred or used the prerson's identifying
information in an unlawful manner.   

(b)  Provides that a person is presumed to be a victim of identity theft
under this section if certain criteria are met. 

(c)  Requires the court, after notice and hearing, if the court is
satisfied by a preponderance of the evidence that the applicant has been
injured by a violation of this chapter, other than Section 48.103 or
48.104, or is the victim of the commission of an offense under Section
32.51, Penal Code, to enter an order containing certain information. 

(d)  Requires an order rendered under this section to be sealed because of
the confidential nature of the information required to be included in the
order.  Authorizes the order to be opened and the order or a copy of the
order to be released only to certain individuals.   

(e)  Authorizes a court at any time to vacate an order issued under this
section if the court finds that the application or any information
submitted to the court by the applicant contains a fraudulent
misrepresentation or a material misrepresentation of fact. 
 
(f)  Requires a copy of an order provided to a person under Subsection
(d)(1) to remain sealed throughout and after the civil proceeding.
Provides that information contained in a copy of an order provided to a
governmental entity or business under Subsection (d)(2) is confidential
and may not be released to another person except as otherwise required or
provided by law. 

Sec.  48.204.  DECEPTIVE TRADE PRACTICE.  Provides that a violation of
this chapter, other than Section 48.103 or 48.104, is a deceptive trade
practice actionable under Chapter 17E. 

Sec.  48.205.  CRIMINAL PENALTY.  Provides that an offense under Section
48.108 is a Class B misdemeanor. 

(b)  Amends Articles 18.18(a), (b), (e), (f), and (g), Code of Criminal
Procedure, to make conforming changes. 

SECTION 1.03.  Provides that for the purposes of Section 48.107, Business
and Commerce Code: 

(1)  Application of this Act is prospective to August 31, 2004, with
respect to a cash register or other machine that is initially installed
and in operation after August 31, 2003; and 

(2)  Application of this Act is prospective to December 31, 2005, with
respect to a cash register or other machine that is in operation before
September 1, 2003.    

ARTICLE 2

SECTION 2.01. (a)  Amends Chapter 2, Code of Criminal Procedure, by adding
Article 2.28, as follows: 

Art.  2.28.  REPORT REQUIRED IN CONNECTION WITH FRAUDULENT USE OR
POSSESSION OF IDENTIFYING INFORMATION.  (a)  Requires a peace officer to
whom an alleged violation of Section 32.51, Penal Code, is reported to
make a written report that includes certain information. 

(b)  Requires a peace officer, upon a victim's request, to provide the
victim with the report created under Subsection (a).  Requires the police
officer providing the report, to redact any otherwise confidential
information that is included in the report, other than the information
described by Subsection (a). 

 (b)  Makes application of this Act prospective to September 1, 2003.

SECTION 2.02.  (a)  Amends Chapter 13, Code of Criminal Procedure, by
adding Article 13.28, as follows: 

Art.  13.28.  FRAUDULENT USE OR POSSESSION OF IDENTIFYING INFORMATION.
Authorizes an offense under Section 32.51, Penal Code to be prosecuted in
any county in which the offense was committed; or the county of residence
for the person whose identifying information was fraudulently obtained,
possessed, transferred, or used. 

 (b)  Makes application of this Act prospective to September 1, 2003. 

SECTION 2.03. Amends Article 56.01(3), Code of Criminal Procedure to
redefine "victim."  

SECTION 2.04.  Amends Chapter 411, Government Code, by adding Subchapter
L, as follows: 

 SUBCHAPTER L.  IDENTITY THEFT UNIT

Sec.  411.361.  DEFINITIONS.  Defines "attorney representing the state"
and "identity theft." 

Sec.  411.362.  IDENTITY THEFT UNIT.  (a)  Requires the director to create
an identity theft operated by the Department of Public Safety (DPS). 

(b)  Requires the director to employ commissioned peace officers and
noncommissioned employees to perform duties required by the unit. 

Sec.  411.363.  DUTIES.  Requires the identity theft to unit to encourage,
assist, and initiate investigation regarding to identity theft. 

Sec.  411.364.  RULES.  Requires DPS to adopt the necessary rules to
implement this subchapter. 

SECTION 2.05.  (a)  Amends Section 1701.253, Occupations Code, by adding
Subsection (i), as follows: 

(i)  Requires TCLEOSE, as part of the minimum curriculum requirements, to
establish a statewide comprehensive education and training program on
identity theft under Section 32.51, Penal Code, for officers licensed
under this chapter.  Requires an officer to complete a program established
under this subsection not later than the second anniversary of the date
the officer is licensed under this chapter or the date the officer applies
for an intermediate proficiency certificate, whichever date is earlier. 

 (b)  Amends Section 1701.402, Occupations Code, by adding Subsection (f),
as follows: 

(f)  Requires an officer, as a requirement for an intermediate proficiency
certificate, to complete an education and training program on identity
theft established by TCLEOSE under Section 1701.253(i). 

(c)  Requires, not later than January 1, 2004, TCLEOSE, to establish the
education and training programs on identity theft required under Sections
1701.253(i) and 1701.402(f), Occupations Code, as added by this Act. 

(d)  Requires a person who, on the effective date of this Act, holds an
intermediate proficiency certificate issued under Section 1701.402,
Occupations Code, or has held a peace officer license issued by TCLEOSE
for more than two years to complete an educational training program on
identity theft established under Section 1701.253 (i), Occupations Code,
as added by this Act, not later than September 1, 2005.   

 SECTION 2.06.  (a)  Amends Section 32.51(a)(1), Penal Code, to redefine
"identifying information." 

(b)  Amends Section 32.51, Penal Code, by amending Subsection (d) and
adding Subsections (f) and (g), as follows: 

(d)  Authorizes the court to order the defendant to reimburse the victim
for lost income or other expenses, including attorney's fee, rather than
other attorneys' fees, incurred as a result of the offense, if it orders a
defendant convicted of an offense under this section to make restitution
to the victim of the offense. 

(f)  Provides that for the purposes of this section, intent to harm or
defraud another is presumed if the actor obtains, possesses, transfers, or
uses the identifying information of six or more persons without the
consent of those persons. 
 
(g)  Provides that it is an exception to the application of this section
that the actor obtained, possessed, transferred, or used another person's
identifying information for the sole purpose of misrepresenting the
actor's age.   

 (c)  Makes application of this Act prospective to September 1, 2003.

ARTICLE 3

SECTION  3.01.   Amends Title 5A, Government Code, by adding Chapter 561,
as follows: 

CHAPTER 561.  PROTECTION OF PERSONAL INFORMATION.
SUBCHAPTER A.  GENERAL PROVISIONS

Sec.  561.001.  DEFINITIONS.  Defines "personal information" and
"governmental entity." 

 Sec.  561.002.  APPLICABILITY.  Provides that this chapter does not apply
to information held by or for a court other than a commissioners court.   

Sec.  561.003.  CONSTRUCTION WITH OTHER LAW.  Provides that this chapter
does not affect certain the state from performing certain actions. 

[Reserves Sections 561.004-561.050 reserved for expansion.]

SUBCHAPTER B.  SPECIFIC PRIVACY PROTECTIONS

Sec.  561.051.  DISCLOSURE OF CERTAIN PERSONAL INFORMATION; COMPELLING
INTEREST OR INTENSE PUBLIC CONCERN REQUIREMENT.  (a) Provides that this
section applies only to the disclosure by a governmental entity of
information that reveals an individual's personal information. 

(b)  Prohibits a state or local government entity from disclosing
information described by Subsection (a) under Chapter 552 or other law
unless the attorney general authorizes the disclosure after determining
that certain conditions have been met. 

(c)  Authorizes the requestor of the information or the state or local
governmental entity to request the attorney general to authorize the
disclosure of information described by Subsection (a). 

(d)  Provides that a state or local governmental entity is not required to
request a decision of the attorney general under Chapter 552G, before
refusing to disclose a social security number, bank account number, credit
card account number, other financial account number, computer password,
driver's license number, or computer network location or identity in
response to a request made under Chapter 552. Requires the state or local
governmental entity to inform the requestor that the requested information
is being withheld under this section and that the requestor is entitled to
request the attorney general to authorize the disclosure. 

(e)  Authorizes the attorney general to adopt rules to implement this
section, including rules that describe appropriate and clearly defined
circumstances under which a category of information described by
Subsection (a) is presumed to satisfy a requirement of Subsection (b) and
therefore to be disclosed without the necessity of obtaining specific
authorization for the disclosure from the attorney general.  Authorizes a
rule of the attorney general that describes circumstances under which
information presumptively to be disclosed to limit disclosure to specific
state, local, or federal authorities or to allow the information to be
generally disclosed under Chapter 552, as  appropriate. 

(f)  Requires the attorney general to develop procedures under which the
office of the attorney general will expedite a decision whether to
authorize disclosure of information described by Subsection (a) when
expedited consideration is warranted under the circumstances. 

(g)  Authorizes a decision of the attorney general under this section to
be challenged in court in the same manner that a decision of the attorney
general may be challenged under Chapter 552G. 

(h)  Provides that if information described by Subsection (a) is requested
under Chapter 552, Section 552.325 applies in relation to the individual
who is the subject of the information in the same manner as if the
individual were a requestor of the information, but requires the attorney
general to notify the individual under Section 552.325(c) if the attorney
general proposes to agree to the release of all or part of the
information. 

Sec.  561.052.  COLLECTION OF PERSONAL INFORMATION. Requires a state or
local government entity to establish procedures to ensure that the
governmental entity collects personal information only to the extent
reasonably necessary to perform certain functions. 

Sec.  561.053.  RECORDS RETENTION SCHEDULES.  (a)  Requires a state or
local government entity, in adopting or amending its records retention
schedule, to schedule the retention of personal information only for the
period necessary to accomplish the purpose for which the information was
collected or, if applicable, for the minimum period specifically
prescribed by statute. 

(b)  Provides that Subsection (a) does not apply to the retention of
personal information that has demonstrable historical or archival value. 

Sec.  561.054.  GENERAL PRIVACY POLICIES.  (a)  Requires a state or local
governmental entity to develop a privacy policy that completely describes
in plainly written language certain information.   

(b)  Requires the state or local governmental entity to promptly amend the
privacy policy whenever information in the policy becomes incorrect or
incomplete. 

(c)  Requires the state or local governmental entity to prominently post
its current privacy policy through certain means. 

Sec.  561.055.  GOVERNMENT INTERNET SITES:  PRIVACY POLICY.  Requires the
Department of Information Resources to adopt rules prescribing minimum
privacy standards with which an Internet site or portal maintained by or
for a state or local government entity must comply.  Requires the rules to
be designed to limit the collection of personal information about users of
the government Internet Site or portal to information for specific
purposes. 

(b)  Requires DIR, in adopting rules under this section, to consider
policies adopted by other states and the federal government in this
regard. 

(c)  Requires a state or local governmental entity that maintains an
Internet site or portal or for which an Internet site or portal is
maintained to adopt a privacy policy regarding information collected
through the site or portal and to provide a prominent link to the policy
for users of the site or portal.  Requires the policy to be consistent
with the rules adopted by DIR under this section and to be included as a
prominent separate element of the general privacy policy that the entity
is required to develop and to which it must  provide an Internet link
under Section 561.054. 

Sec.  561.056.  STATE AUDITOR.  (a)  Requires the state auditor to
establish auditing guidelines to ensure that state and local governmental
entities that the state auditor has authority to audit under other law
meet certain conditions. 

(b)  Authorizes the state auditor, during an appropriate type of audit, to
audit a state or local governmental entity for compliance with the
guidelines established under Subsection (a). 

[Reserves Sections 561.057-561.100 for expansion.]

SUBCHAPTER C.  GUIDELINES.

Sec.  561.101.  ATTORNEY GENERAL GUIDELINES FOR REVIEWING PRIVACY AND
SECURITY ISSUES.  (a)  Requires the attorney general to establish
guidelines for state and local governmental entities to follow when
considering privacy and security issues that arise in connection with
requests for public information.  Requires the guidelines to address
procedural safeguards, legal issues, and other issues that in the opinion
of the attorney general would help state and local governmental entities
comply with applicable law and recommended information practices when
handling personal information or information related to security.
Requires the guidelines to balance the need for open government with
respect for personal privacy and with the security needs of this state. 

(b)  Requires the attorney general to establish guidelines for sharing
information for security purposes among sate, local, and federal
governmental entities and with the private sector. Requires the guidelines
to ensure the protection of personal privacy to the extent feasible and to
clarify and explain the legal consequences of sharing the information. 

(c)  Provides that the guidelines do not create exceptions from required
disclosure under Chapter 552. 

Sec.  561.102.  OPEN RECORDS STEERING COMMITTEE; RECORDS MANAGEMENT
INTERAGENCY COORDINATING COUNCIL.  (a)  Requires the open records steering
committee established under Section 552.009 to periodically study and
determine the implications for the personal privacy of individuals and for
the security of this state of putting information held by government on
the Internet and to include its findings and recommendations in reports
the committee makes under Section 552.009. 

(b)  Requires the Records Management Interagency Coordinating Council
established under Section 441.203 to provide guidance and policy direction
to state and local governmental entities in appropriately incorporating
developments in electronic management of information into their
information management systems in ways that protect personal privacy and
the security of thi state and promote appropriate public access to
information that is not excepted from required public disclosure. 

SECTION 3.02.  Requires each state and local entity to examine its records
retention schedule and amend the schedule so that it complies with Section
561.053, Government Code, as added by this Act. 

ARTICLE 4.

SECTION 4.01  (a)  Amends Section 521.126, Transportation Code, as follows:

Sec.  521.126.  ELECTRONICALLY READABLE INFORMATION.  (a) Makes a
conforming change. 
 
(b)  Provides that a person commits an offense if the person knowingly
performs certain actions. 

  (c)  Provides that an offense under Subsection (b)(1) is a Class A
misdemeanor. 

  (d)  Provides that an offense under Subsection (b)(2) is a state jail
felony. 

(e)  Provides that the prohibition provided by Subsection (b) does not
apply to certain individuals. 

(b)  Makes application of this Act prospective.

ARTICLE 5.

SECTION 5.01.  Effective date:  September 1, 2003.         

SUMMARY OF COMMITTEE CHANGES

ARTICLE 1.  Differs from the original by replacing proposed ARTICLE 1 with
a new ARTICLE 1 in the committee substitute. 

ARTICLE 2.  SECTION 2.01.  Differs from the original by making
nonsubstantive changes to proposed language. 

SECTION 2.02.  No change.

SECTION 2.03.  Differs from the original by deleting proposed SECTION 2.03
and replacing it with proposed SECTION 2.04.  Renumbers SECTIONS
appropriately. 

SECTION 2.04.  Differs from the original by redesignating proposed SECTION
2.05 as SECTION 2.04. 

SECTION 2.05.  Differs from the original by creating new SECTION 2.05.

SECTION 2.06.  Differs from the original by deleting proposed SECTION 2.06
and replacing it with a new SECTION 2.06 

ARTICLES 3-5.  Differs from by the original by creating new ARTICLES.