78R17427 E
By: Hinojosa S.B. No. 405
Substitute the following for S.B. No. 405:
By: Keel C.S.S.B. No. 405
A BILL TO BE ENTITLED
AN ACT
relating to the prevention of, prosecution of, and punishment of
identity theft and to assistance to certain victims of identity
theft; providing penalties.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
ARTICLE 1
SECTION 1.01. Chapter 20, Business & Commerce Code, is
amended by adding Section 20.051 to read as follows:
Sec. 20.051. PROTECTION OF CONSUMER INFORMATION. (a) A
consumer reporting agency shall follow reasonable procedures in
preparing or disseminating information to ensure maximum possible
accuracy of the information about the consumer to whom the
information relates.
(b) If a person requests a consumer report from a consumer
reporting agency and if the request includes an address for the
consumer that substantially differs from the address shown in the
consumer file, the consumer reporting agency shall notify the
requestor that the addresses are different. The notification must
occur before or at the time the consumer report is provided to the
requestor.
(c) Subsection (b) applies only to a consumer reporting
agency that maintains a database to produce consumer reports that
include:
(1) public record information; and
(2) credit account information compiled from
information furnished by persons regularly and in the ordinary
course of business.
SECTION 1.02. (a) Title 4, Business & Commerce Code, is
amended by adding Chapter 48 to read as follows:
CHAPTER 48. IDENTITY THEFT AND PROTECTION
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 48.001. SHORT TITLE. This chapter may be cited as the
Identity Theft Enforcement and Protection Act.
Sec. 48.002. DEFINITIONS. In this chapter:
(1) "Peace officer" has the meaning assigned by
Section 1.07, Penal Code.
(2) "Personal identifying information" means
information that alone or in conjunction with other information
identifies an individual, living or dead, including an
individual's:
(A) name, social security number, date of birth,
or government-issued identification number;
(B) mother's maiden name;
(C) unique biometric data, including the
individual's fingerprint, voice print, and retina or iris image;
(D) unique electronic identification number,
address, or routing code; and
(E) telecommunication identifying information or
access device.
(3) "Personal representative" means an executor or
administrator of a decedent's estate or a person's legal guardian.
(4) "Required identifying information" means a copy
of:
(A) a police report evidencing the filing of a
criminal complaint alleging commission of an offense under Section
32.51, Penal Code, or a copy of a record created under Section
411.0421, Government Code; and
(B) personal identifying information used by the
alleged perpetrator of an offense under Section 32.51, Penal Code.
(5) "Telecommunication access device" has the meaning
assigned by Section 32.51, Penal Code.
(6) "Transactional information" means a record of a
transaction or charge associated with an application or account,
including a complete monthly billing statement prepared in the
regular course of business by a financial institution.
[Sections 48.003-48.100 reserved for expansion]
SUBCHAPTER B. IDENTITY THEFT
Sec. 48.101. UNAUTHORIZED USE OR POSSESSION OF PERSONAL
IDENTIFYING INFORMATION. A person may not obtain, possess,
transfer, or use personal identifying information of another person
without the other person's consent and with fraudulent intent to
obtain a good, service, insurance, an extension of credit, or any
other thing of value in the other person's name.
Sec. 48.102. BUSINESS PROCEDURES TO PROTECT AND SAFEGUARD
PERSONAL IDENTIFYING INFORMATION. (a) A business shall implement
and maintain reasonable procedures, including taking any
appropriate corrective action, to prevent the unlawful use of any
personal identifying information collected or maintained by the
business.
(b) This section does not apply to a financial institution
as defined by 15 U.S.C. Section 6809(3), as amended.
Sec. 48.103. DUTY TO PROVIDE INFORMATION TO CONSUMER.
(a) On a request and with required identifying information
provided by a consumer, a person that engages in business with
another person who allegedly used the consumer's personal
identifying information shall disclose without charge to the
consumer or a peace officer, not later than the 30th business day
after the date on which the person receives the request:
(1) a copy of any application or transactional
information related to an alleged violation of Section 32.51, Penal
Code; and
(2) to the extent available, the personal identifying
information of the consumer that the person who allegedly
impersonated the consumer used to participate in the transaction or
complete the application or information related to the use of that
information.
(b) Before a person is required to disclose information
under Subsection (a) to a peace officer, the person may require the
consumer to submit a written statement dated and signed by the
consumer. The statement must:
(1) state that the consumer may revoke authorization
of the disclosure at any time before the disclosure is made;
(2) authorize the disclosure for a certain period of
time;
(3) specify the name of the agency or department to
which the disclosure is authorized; and
(4) identify the information that is requested to be
disclosed.
(c) A person may not be held liable under this section if the
person does not make a disclosure to a peace officer because a
consumer fails to provide the authorization requested by the person
as permitted by Subsection (b).
Sec. 48.104. CREDIT CARD ADDRESS CHANGE. A credit card
issuer who receives a request for a change of a cardholder's billing
address and receives, before the 11th day after the date of the
requested address change, a request for an additional credit card
on the same account may not mail the requested card to the new
address or activate the requested card unless the credit card
issuer verifies the change of address.
Sec. 48.105. BUSINESS RECEIPT CONTAINING CREDIT CARD OR
DEBIT CARD INFORMATION. (a) This section does not apply to a
transaction in which the sole means of recording a person's credit
card or debit card account number on a receipt or other document
evidencing the transaction is by handwriting or by an imprint or
copy of the credit card or debit card.
(b) A person who accepts a credit card or debit card for the
transaction of business may not print more than the last four digits
of the credit card or debit card account number or the month and
year of the credit card's or debit card's expiration date on a
receipt or other document that evidences the transaction and that
is provided to a cardholder.
(c) A person who provides, leases, or sells a cash register
or other machine used to print receipts or other documents
evidencing credit card or debit card transactions shall provide
notice of the requirements of this section to the recipient,
lessee, or buyer, as applicable, of the machine.
(d) A court may not certify an action brought under this
section as a class action.
(e) A person who violates Subsection (b) is liable to the
state for a civil penalty in an amount not to exceed $500 for each
calendar month during which a violation occurs. The civil penalty
may not be imposed for more than one violation that occurs in a
month. The attorney general or the prosecuting attorney in the
county in which the violation occurs may bring suit to recover the
civil penalty imposed under this section.
(f) The attorney general may bring an action in the name of
the state to restrain or enjoin a person from violating Subsection
(b).
Sec. 48.106. IDENTITY THEFT BY ELECTRONIC DEVICE. (a) In
this section:
(1) "Payment card" means a credit card, a debit card, a
check card, or any other card that is issued to an authorized user
to purchase or obtain goods, services, money, or any other thing of
value.
(2) "Re-encoder" means an electronic device that can
be used to transfer encoded information from a magnetic strip on a
payment card onto the magnetic strip of a different payment card.
(3) "Scanning device" means an electronic device used
to access, read, scan, or store information encoded on the magnetic
strip of a payment card.
(b) A person commits an offense if the person uses a
scanning device or re-encoder to access, read, scan, store, or
transfer information encoded on the magnetic strip of a payment
card without the consent of an authorized user of the payment card
and with intent to harm the authorized user.
[Sections 48.107-48.200 reserved for expansion]
SUBCHAPTER C. REMEDIES AND OFFENSES
Sec. 48.201. CIVIL PENALTY; INJUNCTION. (a) A person who
violates this chapter, other than Section 48.105, is liable to the
state for a civil penalty of at least $2,000 but not more than
$50,000 for each violation. The attorney general may bring suit to
recover the civil penalty imposed by this subsection.
(b) If it appears to the attorney general that a person is
engaging in, has engaged in, or is about to engage in conduct that
violates this chapter, the attorney general may bring an action in
the name of this state against the person to restrain the violation
by a temporary restraining order or a permanent or temporary
injunction.
(c) An action brought under Subsection (b) shall be filed in
a district court in Travis County or:
(1) in any county in which the violation occurred; or
(2) in the county in which the victim resides,
regardless of whether the alleged violator has resided, worked, or
done business in the county in which the victim resides.
(d) The plaintiff in an action under this section is not
required to give a bond. The court may also grant any other
equitable relief that the court considers appropriate to prevent
any additional harm to a victim of identity theft or a further
violation of this chapter or to satisfy any judgment entered
against the defendant, including the issuance of an order to
appoint a receiver, sequester assets, correct a public or private
record, or prevent the dissipation of a victim's assets.
(e) The attorney general is entitled to recover reasonable
expenses incurred in obtaining injunctive relief or civil
penalties, or both, under this section, including reasonable
attorney's fees, court costs, and investigatory costs. Penalties
collected by the attorney general under this section shall be
deposited in the general revenue fund and may be appropriated only
for the investigation and prosecution of other cases under this
chapter.
(f) The attorney general may in an action under this section
seek restitution for a person who suffers a loss as a result of a
violation of this chapter, other than a violation of Section
48.105.
Sec. 48.202. COURT ORDER TO DECLARE INDIVIDUAL AS A VICTIM
OF IDENTITY THEFT. (a) A person who is injured by a violation of
this chapter, other than Section 48.103, or who has filed a criminal
complaint alleging commission of an offense under Section 32.51,
Penal Code, may file an application with a district court for the
issuance of a court order declaring that the person is a victim of
identity theft. A person may file an application under this section
regardless of whether the person is able to identify each person who
allegedly transferred or used the person's identifying information
in an unlawful manner.
(b) A person is presumed to be a victim of identity theft
under this section if the person charged with an offense under
Section 32.51, Penal Code, is convicted of the offense.
(c) After notice and hearing, if the court is satisfied by a
preponderance of the evidence that the applicant has been injured
by a violation of this chapter, other than Section 48.103, or is the
victim of the commission of an offense under Section 32.51, Penal
Code, the court shall enter an order containing:
(1) a declaration that the person filing the
application is a victim of identity theft resulting from a
violation of this chapter, other than Section 48.103, or the
commission of an offense under Section 32.51, Penal Code, as
appropriate;
(2) any known information identifying the violator or
person charged with the offense;
(3) the specific personal identifying information and
any related document used to commit the alleged violation or
offense; and
(4) information identifying any financial account or
transaction affected by the alleged violation or offense,
including:
(A) the name of the financial institution in
which the account is established or of the merchant involved in the
transaction, as appropriate;
(B) any relevant account numbers;
(C) the dollar amount of the account or
transaction affected by the alleged violation or offense; and
(D) the date of the alleged violation or offense.
(d) An order rendered under this section must be sealed
because of the confidential nature of the information required to
be included in the order. The order may be opened and the order or a
copy of the order may be released only:
(1) to the proper officials in a civil proceeding
brought by or against the victim arising or resulting from a
violation of this chapter, including a proceeding to set aside a
judgment obtained against the victim;
(2) to the victim for the purpose of submitting the
copy of the order to a governmental entity or private business:
(A) to prove that a financial transaction or
account of the victim was directly affected by a violation of this
chapter or the commission of an offense under Section 32.51, Penal
Code; or
(B) to correct any record of the entity or
business that contains inaccurate or false information as a result
of the violation or offense;
(3) on order of the judge; or
(4) as otherwise required or provided by law.
(e) A court at any time may vacate an order issued under this
section if the court finds that the application or any information
submitted to the court by the applicant contains a fraudulent
misrepresentation or a material misrepresentation of fact.
(f) A copy of an order provided to a person under Subsection
(d)(1) must remain sealed throughout and after the civil
proceeding. Information contained in a copy of an order provided to
a governmental entity or business under Subsection (d)(2) is
confidential and may not be released to another person except as
otherwise required or provided by law.
Sec. 48.203. DECEPTIVE TRADE PRACTICE. A violation of this
chapter, other than Section 48.103, is a deceptive trade practice
actionable under Subchapter E, Chapter 17.
Sec. 48.204. CRIMINAL PENALTY. An offense under Section
48.106 is a state jail felony.
Sec. 48.205. AFFIRMATIVE DEFENSE. Good faith reliance on a
consumer report as defined by Section 20.01 by a financial
institution as defined by 31 U.S.C. Section 5312, as amended, is an
affirmative defense to an action brought against the financial
institution under this chapter.
(b) Subsections (a), (b), (e), (f), and (g), Article 18.18,
Code of Criminal Procedure, are amended to read as follows:
(a) Following the final conviction of a person for
possession of a gambling device or equipment, altered gambling
equipment, or gambling paraphernalia, for an offense involving a
criminal instrument, for an offense involving an obscene device or
material, or for an offense involving a scanning device or
re-encoder, the court entering the judgment of conviction shall
order that the machine, device, gambling equipment or gambling
paraphernalia, instrument, obscene device or material, or scanning
device or re-encoder be destroyed or forfeited to the state. Not
later than the 30th day after the final conviction of a person for
an offense involving a prohibited weapon, the court entering the
judgment of conviction on its own motion, on the motion of the
prosecuting attorney in the case, or on the motion of the law
enforcement agency initiating the complaint on notice to the
prosecuting attorney in the case if the prosecutor fails to move for
the order shall order that the prohibited weapon be destroyed or
forfeited to the law enforcement agency that initiated the
complaint. If the court fails to enter the order within the time
required by this subsection, any magistrate in the county in which
the offense occurred may enter the order. Following the final
conviction of a person for an offense involving dog fighting, the
court entering the judgment of conviction shall order that any
dog-fighting equipment be destroyed or forfeited to the state.
Destruction of dogs, if necessary, must be carried out by a
veterinarian licensed in this state or, if one is not available, by
trained personnel of a humane society or an animal shelter. If
forfeited, the court shall order the contraband delivered to the
state, any political subdivision of the state, or to any state
institution or agency. If gambling proceeds were seized, the court
shall order them forfeited to the state and shall transmit them to
the grand jury of the county in which they were seized for use in
investigating alleged violations of the Penal Code, or to the
state, any political subdivision of the state, or to any state
institution or agency.
(b) If there is no prosecution or conviction following
seizure, the magistrate to whom the return was made shall notify in
writing the person found in possession of the alleged gambling
device or equipment, altered gambling equipment or gambling
paraphernalia, gambling proceeds, prohibited weapon, obscene
device or material, scanning device or re-encoder, criminal
instrument, or dog-fighting equipment to show cause why the
property seized should not be destroyed or the proceeds forfeited.
The magistrate, on the motion of the law enforcement agency seizing
a prohibited weapon, shall order the weapon destroyed or forfeited
to the law enforcement agency seizing the weapon, unless a person
shows cause as to why the prohibited weapon should not be destroyed
or forfeited. A law enforcement agency shall make a motion under
this section in a timely manner after the time at which the agency
is informed in writing by the attorney representing the state that
no prosecution will arise from the seizure.
(e) Any person interested in the alleged gambling device or
equipment, altered gambling equipment or gambling paraphernalia,
gambling proceeds, prohibited weapon, obscene device or material,
scanning device or re-encoder, criminal instrument, or
dog-fighting equipment seized must appear before the magistrate on
the 20th day following the date the notice was mailed or posted.
Failure to timely appear forfeits any interest the person may have
in the property or proceeds seized, and no person after failing to
timely appear may contest destruction or forfeiture.
(f) If a person timely appears to show cause why the
property or proceeds should not be destroyed or forfeited, the
magistrate shall conduct a hearing on the issue and determine the
nature of property or proceeds and the person's interest therein.
Unless the person proves by a preponderance of the evidence that the
property or proceeds is not gambling equipment, altered gambling
equipment, gambling paraphernalia, gambling device, gambling
proceeds, prohibited weapon, criminal instrument, scanning device
or re-encoder, or dog-fighting equipment and that he is entitled to
possession, the magistrate shall dispose of the property or
proceeds in accordance with Paragraph (a) of this article.
(g) For purposes of this article:
(1) "criminal instrument" has the meaning defined in
the Penal Code;
(2) "gambling device or equipment, altered gambling
equipment or gambling paraphernalia" has the meaning defined in the
Penal Code;
(3) "prohibited weapon" has the meaning defined in the
Penal Code; [and]
(4) "dog-fighting equipment" means:
(A) equipment used for training or handling a
fighting dog, including a harness, treadmill, cage, decoy, pen,
house for keeping a fighting dog, feeding apparatus, or training
pen;
(B) equipment used for transporting a fighting
dog, including any automobile, or other vehicle, and its
appurtenances which are intended to be used as a vehicle for
transporting a fighting dog;
(C) equipment used to promote or advertise an
exhibition of dog fighting, including a printing press or similar
equipment, paper, ink, or photography equipment; or
(D) a dog trained, being trained, or intended to
be used to fight with another dog;[.]
(5) [(6)] "obscene device or material" means a device
or material introduced into evidence and thereafter found obscene
by virtue of a final judgment after all appellate remedies have been
exhausted;
(6) "re-encoder" has the meaning assigned by Section
48.106, Business & Commerce Code; and
(7) "scanning device" has the meaning assigned by
Section 48.106, Business & Commerce Code.
(c) Subdivision (2), Article 59.01, Code of Criminal
Procedure, is amended to read as follows:
(2) "Contraband" means property of any nature,
including real, personal, tangible, or intangible, that is:
(A) used in the commission of:
(i) any first or second degree felony under
the Penal Code;
(ii) any felony under Section 15.031(b),
21.11, 38.04, 43.25, or 43.26 or Chapter 29, 30, 31, 32, 33, 33A, or
35, Penal Code; or
(iii) any felony under The Securities Act
(Article 581-1 et seq., Vernon's Texas Civil Statutes);
(B) used or intended to be used in the commission
of:
(i) any felony under Chapter 481, Health
and Safety Code (Texas Controlled Substances Act);
(ii) any felony under Chapter 483, Health
and Safety Code;
(iii) a felony under Chapter 153, Finance
Code;
(iv) any felony under Chapter 34, Penal
Code;
(v) a Class A misdemeanor under Subchapter
B, Chapter 365, Health and Safety Code, if the defendant has been
previously convicted twice of an offense under that subchapter;
[or]
(vi) any felony under Chapter 152, Finance
Code; or
(vii) a state jail felony under Section
48.106, Business & Commerce Code;
(C) the proceeds gained from the commission of a
felony listed in Paragraph (A) or (B) of this subdivision or a crime
of violence; or
(D) acquired with proceeds gained from the
commission of a felony listed in Paragraph (A) or (B) of this
subdivision or a crime of violence.
SECTION 1.03. For purposes of Section 48.105, Business &
Commerce Code, as added by this article:
(1) with respect to a cash register or other machine
that is initially installed and in operation after August 31, 2003,
Section 48.105, Business & Commerce Code, applies only to a receipt
or other document evidencing a credit card or debit card
transaction that is electronically printed by the cash register or
other machine after August 31, 2004; and
(2) with respect to a cash register or other machine
that is in operation before September 1, 2003, Section 48.105,
Business & Commerce Code, applies only to a receipt or other
document evidencing a credit card or debit card transaction that is
electronically printed by the cash register or other machine after
December 31, 2005.
ARTICLE 2
SECTION 2.01. (a) Chapter 2, Code of Criminal Procedure,
is amended by adding Article 2.28 to read as follows:
Art. 2.28. REPORT REQUIRED IN CONNECTION WITH FRAUDULENT
USE OR POSSESSION OF IDENTIFYING INFORMATION. (a) A peace officer
to whom an alleged violation of Section 32.51, Penal Code, is
reported shall make a written report that includes the following
information:
(1) the name of the victim;
(2) the name of the suspect, if known;
(3) the type of identifying information obtained,
possessed, transferred, or used in violation of Section 32.51; and
(4) the results of the investigation.
(b) On the victim's request, the peace officer shall provide
the report created under Subsection (a) to the victim. In providing
the report, the peace officer shall redact any otherwise
confidential information that is included in the report, other than
the information described by Subsection (a).
(b) The change in law made by this section applies only to
the investigation of an offense committed on or after September 1,
2003. The investigation of an offense committed before September
1, 2003, is covered by the law in effect when the offense was
committed, and the former law is continued in effect for that
purpose. For purposes of this subsection, an offense is committed
before September 1, 2003, if any element of the offense occurs
before that date.
SECTION 2.02. (a) Chapter 13, Code of Criminal Procedure,
is amended by adding Article 13.28 to read as follows:
Art. 13.28. FRAUDULENT USE OR POSSESSION OF IDENTIFYING
INFORMATION. An offense under Section 32.51, Penal Code, may be
prosecuted in:
(1) any county in which the identifying information
was obtained, possessed, transferred, or used; or
(2) the county of residence of the person whose
identifying information was fraudulently obtained, possessed,
transferred, or used.
(b) The change in law made by this section applies only to
the prosecution of an offense commenced by the filing of an
indictment or information on or after September 1, 2003. A
prosecution commenced before September 1, 2003, is controlled by
the law in effect at the time the prosecution was commenced, and the
former law is continued in effect for that purpose.
SECTION 2.03. Subdivision (3), Article 56.01, Code of
Criminal Procedure, is amended to read as follows:
(3) "Victim" means a person:
(A) who is the victim of sexual assault,
kidnapping, [or] aggravated robbery, or fraudulent use or
possession of identifying information; or
(B) who has suffered bodily injury or death as a
result of the criminal conduct of another.
SECTION 2.04. Chapter 411, Government Code, is amended by
adding Subchapter L to read as follows:
SUBCHAPTER L. IDENTITY THEFT UNIT
Sec. 411.361. DEFINITIONS. In this subchapter:
(1) "Attorney representing the state" has the meaning
assigned by Section 411.261.
(2) "Identity theft" means an offense under Section
32.51, Penal Code, or any offense that includes the elements of an
offense under that section.
Sec. 411.362. IDENTITY THEFT UNIT. (a) The director shall
create an identity theft unit to be operated by the department.
(b) The director shall employ commissioned peace officers
and noncommissioned employees to perform duties required of the
unit.
Sec. 411.363. DUTIES. The identity theft unit shall:
(1) encourage local law enforcement agencies to file a
report with the department immediately on receipt of a complaint
alleging identity theft;
(2) on the request of a local law enforcement agency,
assist the agency in the investigation of a complaint alleging
identity theft; and
(3) initiate an investigation on receipt of reports
from two or more local law enforcement agencies that appear to
involve the same offender.
Sec. 411.364. RULES. The department may adopt rules as
necessary to implement this subchapter.
SECTION 2.05. (a) Section 1701.253, Occupations Code, is
amended by adding Subsection (i) to read as follows:
(i) As part of the minimum curriculum requirements, the
commission shall establish a statewide comprehensive education and
training program on identity theft under Section 32.51, Penal Code,
for officers licensed under this chapter. An officer shall
complete a program established under this subsection not later than
the second anniversary of the date the officer is licensed under
this chapter or the date the officer applies for an intermediate
proficiency certificate, whichever date is earlier.
(b) Section 1701.402, Occupations Code, is amended by
adding Subsection (f) to read as follows:
(f) As a requirement for an intermediate proficiency
certificate, an officer must complete an education and training
program on identity theft established by the commission under
Section 1701.253(i).
(c) Not later than January 1, 2004, the Commission on Law
Enforcement Officer Standards and Education shall establish the
education and training programs on identity theft required under
Subsection (i), Section 1701.253, and Subsection (f), Section
1701.402, Occupations Code, as added by this Act.
(d) A person who, on the effective date of this Act, holds an
intermediate proficiency certificate issued under Section
1701.402, Occupations Code, or has held a peace officer license
issued by the Commission on Law Enforcement Officer Standards and
Education for more than two years shall complete an educational
training program on identity theft established under Subsection
(i), Section 1701.253, Occupations Code, as added by this Act, not
later than September 1, 2005.
SECTION 2.06. (a) Subdivision (1), Subsection (a),
Section 32.51, Penal Code, is amended to read as follows:
(1) "Identifying information" means information that
alone or in conjunction with other information identifies an
individual, living or dead, including an individual's:
(A) name, social security number, date of birth,
and government-issued identification number;
(B) unique biometric data, including the
individual's fingerprint, voice print, and retina or iris image;
(C) unique electronic identification number,
address, and routing code; and
(D) telecommunication identifying information or
access device.
(b) Subsection (d), Section 32.51, Penal Code, is amended to
read as follows:
(d) If a court orders a defendant convicted of an offense
under this section to make restitution to the victim of the offense,
the court may order the defendant to reimburse the victim for lost
income or other expenses, including [other than] attorney's fees,
incurred as a result of the offense.
(c) The change in law made by this section applies only to an
offense committed on or after September 1, 2003. An offense
committed before September 1, 2003, is covered by the law in effect
when the offense was committed, and the former law is continued in
effect for that purpose. For the purposes of this subsection, an
offense was committed before September 1, 2003, if any element of
the offense was committed before that date.
ARTICLE 3
SECTION 3.01. Subtitle A, Title 5, Government Code, is
amended by adding Chapter 561 to read as follows:
CHAPTER 561. PROTECTION OF PERSONAL INFORMATION
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 561.001. DEFINITIONS. In this chapter:
(1) "Document" includes information created or
maintained in a paper, electronic, or other format.
(2) "Governmental entity" does not include a court
other than a commissioners court.
(3) "Personal information" means information about an
individual such as:
(A) the individual's home address, home
telephone number, social security number, date of birth, physical
characteristics, and similar information about the individual;
(B) information about an individual's marital
status or history, whether the individual has family members, and
information about the individual's family members; and
(C) personally identifiable information about
the individual's finances or financial history or purchases made
from government.
Sec. 561.002. APPLICABILITY. This chapter does not apply:
(1) to court records or other information held by or on
behalf of a court other than a commissioners court;
(2) in relation to a historical document, which for
purposes of this subdivision is a document held by or on behalf of a
state or local governmental entity if the state or local
governmental entity or its predecessor in function, or an agent of
the state or local governmental entity or its predecessor in
function, has held the document for 50 years or longer;
(3) to information collected by the Texas Department
of Criminal Justice about an offender;
(4) to information collected by the Texas Youth
Commission about an offender;
(5) to personal information that:
(A) relates to a motor vehicle accident and is
subject to Section 550.065, Transportation Code; or
(B) a state or local governmental entity obtains
from or in connection with a motor vehicle record subject to Chapter
730, Transportation Code;
(6) to a record that is subject to the federal Family
Educational Rights and Privacy Act of 1974 (20 U.S.C. Section
1232g), as amended; or
(7) in relation to information that is:
(A) filed with a county clerk under Chapter 192,
Local Government Code; or
(B) otherwise filed with a county clerk in the
clerk's capacity as county recorder.
Sec. 561.003. CONSTRUCTION WITH OTHER LAW. This chapter
does not affect:
(1) the ability of a state or local governmental
entity to undertake a lawful investigation or to protect persons,
property, or the environment in the manner authorized by law;
(2) the duty of a state or local governmental entity to
comply with applicable law; or
(3) the ability of a private investigator regulated
under Chapter 1702, Occupations Code, to conduct a lawful
investigation.
[Sections 561.004-561.050 reserved for expansion]
SUBCHAPTER B. SPECIFIC PRIVACY PROTECTIONS
Sec. 561.051. DISCLOSURE OF CERTAIN PERSONAL INFORMATION.
(a) This section applies only to the disclosure by a governmental
entity of information that reveals an individual's:
(1) social security number;
(2) bank account number, credit card account number,
debit card number, or other financial account number, including an
access number related to a financial account;
(3) computer password or access code or computer
network location or identity; or
(4) passport number.
(b) Notwithstanding Section 552.022 or other law, a state or
local governmental entity may not disclose information described by
Subsection (a) to a member of the public and shall redact or
otherwise obscure information described by Subsection (a) from a
document that is made available to a member of the public.
(c) A governmental entity may disclose information
described by Subsection (a) only to:
(1) another state or local governmental entity in this
state;
(2) a federal governmental entity;
(3) the person or the authorized representative of the
person who is the subject of the information, subject to Section
552.023, if the governmental entity is also a governmental body
under Chapter 552;
(4) an entity described by 15 U.S.C. Section 6809(3);
or
(5) a private investigator regulated under Chapter
1702, Occupations Code.
(d) Section 552.022 does not apply in relation to
information described by Subsection (a).
(e) When a person requests a document that contains
information described by Subsection (a), the governmental entity
may charge the requestor a reasonable fee to recover the cost of
personnel time or programming or other costs incurred in redacting
or otherwise obscuring the information described by Subsection (a).
A governmental entity that is also a governmental body under
Chapter 552 shall comply with Subchapter F, Chapter 552, to the
extent Subchapter F is consistent with this subsection.
(f) A governmental entity that is also a governmental body
under Chapter 552 is not required to request a decision of the
attorney general under Subchapter G, Chapter 552, before refusing
to disclose information described by Subsection (a). In responding
to a request under Chapter 552 for a document that contains
information described by Subsection (a), the governmental body
shall promptly inform the requestor that the information described
by Subsection (a) is being redacted or otherwise obscured as
required by this chapter. The requestor may complain to the
attorney general if the requestor believes that the governmental
body, in response to the requestor's written request for
information under Chapter 552, redacted or otherwise withheld or
obscured information other than information described by
Subsection (a) without complying with the procedures prescribed by
Subchapter G, Chapter 552.
(g) If a person complains to the attorney general under
Subsection (f), the attorney general may review the matter to
determine whether the governmental body redacted or otherwise
obscured or withheld information other than information described
by Subsection (a) without complying with the procedures prescribed
by Subchapter G, Chapter 552. The governmental body shall, within
10 business days after the date of receiving a request for the
following information from the attorney general, submit to the
attorney general:
(1) a copy of the requestor's applicable written
request for information;
(2) a copy of the document at issue in unredacted and
unobscured form and in the form in which the document was provided
to the requestor; and
(3) a copy of the governmental body's correspondence
to the requestor, if possible, or a statement regarding the
governmental body's other form of communication to the requestor
that the information at issue was redacted or obscured as required
by this chapter because it was information described by Subsection
(a).
(h) If the attorney general determines under Subsection (g)
that the governmental body redacted or otherwise withheld or
obscured information other than information described by
Subsection (a) without complying with the procedures prescribed by
Subchapter G, Chapter 552:
(1) the attorney general shall promptly notify the
governmental body, the requestor, and other interested persons of
that determination; and
(2) Chapter 552 applies in relation to the information
that the attorney general determines to have been improperly
redacted or withheld or obscured under this chapter, except that:
(A) it is a defense to prosecution under Section
552.351 or 552.353 that the information at issue is information
described by Subsection (a);
(B) in any action under Subchapter H, Chapter
552, it is a ground for withholding the information at issue that
the information is information described by Subsection (a); and
(C) the information at issue may be withheld
under Section 552.302 only if there is a compelling reason to
withhold the information and the information is confidential under
law.
Sec. 561.052. COLLECTION OF PERSONAL INFORMATION. A state
or local governmental entity shall establish procedures to ensure
that the governmental entity collects personal information only to
the extent reasonably necessary to:
(1) implement a program;
(2) authenticate an individual's identity when
necessary;
(3) ensure security; or
(4) accomplish another legitimate governmental
purpose.
Sec. 561.053. RECORDS RETENTION SCHEDULES. (a) In
adopting or amending its records retention schedule, a state or
local governmental entity shall schedule the retention of personal
information only for the period necessary to accomplish the purpose
for which the information was collected or, if applicable, for the
minimum period specifically prescribed by statute.
(b) Subsection (a) does not apply to the retention of
personal information that has demonstrable historical or archival
value.
Sec. 561.054. GENERAL PRIVACY POLICIES. (a) A state or
local governmental entity shall develop a privacy policy that
completely describes in plainly written language:
(1) the reasons that the governmental entity requires
or collects each category of personal information about individuals
that the entity requires or collects;
(2) the procedures used to require or collect the
information;
(3) the persons to whom the information may be
disclosed;
(4) the manner in which the information may be
disclosed, such as by placing the information in a public viewing
area or making the information available on the Internet;
(5) any current arrangement under which the
governmental entity sells personal information about individuals
or discloses the information under a contract or agreement or in
bulk; and
(6) the manner in which a member of the public may
protect private information that is described by Section 561.051(a)
by redacting or omitting the information from a document that will
be filed with the governmental entity.
(b) The state or local governmental entity shall promptly
amend the privacy policy whenever information in the policy becomes
incorrect or incomplete.
(c) The state or local governmental entity shall
prominently post its current privacy policy:
(1) through a prominent link on the main Internet site
maintained by or for the governmental entity; and
(2) if applicable, next to the sign that the
governmental entity posts under Section 552.205.
Sec. 561.055. GOVERNMENT INTERNET SITES: PRIVACY POLICY.
(a) The Department of Information Resources shall adopt rules
prescribing minimum privacy standards with which an Internet site
or portal maintained by or for a state governmental entity must
comply. The rules must be designed to limit the collection of
personal information about users of the government Internet site or
portal to information:
(1) that the state governmental entity needs in order
to accomplish a legitimate government purpose;
(2) that the user of the site or portal knowingly and
intentionally transmits to the state governmental entity; or
(3) regarding the collection of which the user of the
site or portal has actively given informed consent.
(b) In adopting its rules under this section, the Department
of Information Resources shall consider policies adopted by other
states and the federal government in this regard.
(c) A state governmental entity that maintains an Internet
site or portal or for which an Internet site or portal is maintained
shall adopt a privacy policy regarding information collected
through the site or portal and provide a prominent link to the
policy for users of the site or portal. The policy must be
consistent with the rules adopted by the Department of Information
Resources under this section and must be included as a prominent
separate element of the general privacy policy that the entity is
required to develop and to which it must provide an Internet link
under Section 561.054.
Sec. 561.056. AUDITOR GUIDELINES; PRIVACY POLICY. (a) The
state auditor shall establish auditing guidelines to ensure that a
state or local governmental entity:
(1) does not routinely collect or retain more personal
information than the entity needs to accomplish a legitimate
governmental purpose of the entity; and
(2) establishes an information management system that
protects the privacy and security of information in accordance with
applicable state and federal law.
(b) Each state and local governmental entity shall
establish a policy binding on the entity, its contractors, and
subcontractors to protect the privacy of personal information and
establish an information management system that protects the
privacy and security of information in accordance with the
guidelines established by the state auditor under Subsection (a).
With regard to a governmental entity's contractors and
subcontractors, this subsection applies to information a
contractor or subcontractor receives in connection with a contract
with the governmental entity.
(c) During an audit otherwise authorized by law of a state
or local governmental entity, the state auditor may audit a state or
local governmental entity for compliance with the guidelines
established under Subsection (a) and the privacy policy established
under Subsection (b). An audit performed under this subsection is
subject to a risk assessment and the inclusion of the audit in the
audit plan recommended under Section 321.013(c).
[Sections 561.057-561.100 reserved for expansion]
SUBCHAPTER C. GUIDELINES
Sec. 561.101. ATTORNEY GENERAL GUIDELINES FOR REVIEWING
PRIVACY AND SECURITY ISSUES. (a) The attorney general shall
establish guidelines for state and local governmental entities to
follow when considering privacy and security issues that arise in
connection with requests for public information. The guidelines
shall address procedural safeguards, legal issues, and other issues
that in the opinion of the attorney general would help state and
local governmental entities comply with applicable law and
recommended information practices when handling personal
information or information related to security. The guidelines
shall balance the need for open government with respect for
personal privacy and with the security needs of this state.
(b) The attorney general shall establish guidelines for
sharing information for security purposes among state, local, and
federal governmental entities and with the private sector. The
guidelines must ensure the protection of personal privacy to the
extent feasible and must clarify and explain the legal consequences
of sharing the information.
(c) The guidelines do not create exceptions from required
disclosure under Chapter 552.
(d) The attorney general is not required to adopt formal
guidelines under this section to the extent that the attorney
general accomplishes the purposes of this section through other
education, training, and publication efforts of the office of the
attorney general.
Sec. 561.102. OPEN RECORDS STEERING COMMITTEE; RECORDS
MANAGEMENT INTERAGENCY COORDINATING COUNCIL. (a) The open records
steering committee established under Section 552.009 shall
periodically study and determine the implications for the personal
privacy of individuals and for the security of this state of putting
information held by government on the Internet and shall include
its findings and recommendations in reports the committee makes
under Section 552.009.
(b) The Records Management Interagency Coordinating Council
established under Section 441.203 shall provide guidance and policy
direction to state and local governmental entities in appropriately
incorporating developments in electronic management of information
into their information management systems in ways that protect
personal privacy and the security of this state and promote
appropriate public access to public information that is not
excepted from required public disclosure.
SECTION 3.02. Chapter 11, Property Code, is amended by
adding Section 11.008 to read as follows:
Sec. 11.008. CONFIDENTIAL INFORMATION IN REAL PROPERTY
RECORDS. (a) In this section, "instrument" means a deed, mortgage,
or deed of trust.
(b) An instrument executed on or after January 1, 2004,
transferring an interest in real property to or from an individual
may not be recorded unless a notice appears on the first page of the
instrument in 12-point boldfaced type or 12-point uppercase letters
and reads substantially as follows:
NOTICE OF CONFIDENTIALITY RIGHTS: IF YOU ARE A NATURAL
PERSON, YOU MAY REMOVE OR STRIKE ANY OF THE FOLLOWING
INFORMATION FROM THIS INSTRUMENT BEFORE IT IS FILED
FOR RECORD IN THE PUBLIC RECORDS: YOUR SOCIAL SECURITY
NUMBER OR YOUR DRIVER'S LICENSE NUMBER.
(c) The validity of an instrument as between the parties to
the instrument and the notice provided by the instrument are not
affected by a party's failure to include the notice required under
Subsection (b).
(d) The county clerk may not reject an instrument presented
for recording because the instrument contains or fails to contain a
social security number or driver's license number. If the county
clerk accepts an instrument for recording, the recording of the
instrument creates a conclusive presumption that the requirements
of this section have been met.
(e) The county clerk shall post a notice in the county
clerk's office stating that instruments recorded in the real
property or official public records or the equivalent of the real
property or official public records of the county and executed on or
after January 1, 2004:
(1) are not required to contain a social security
number or driver's license number; and
(2) are public records available for review by the
public.
(f) All instruments recorded under this section are subject
to inspection by the public.
(g) Unless this section is cited in a law enacted after
September 1, 2003, this section is the exclusive law governing the
confidentiality of personal information contained in the real
property or official public records or the equivalent of the real
property or official public records of a county.
(h) To the extent that federal law conflicts with this
section, an instrument must contain the information required by and
must be filed in a manner that complies with federal law.
SECTION 3.03. Section 13.002, Property Code, is amended to
read as follows:
Sec. 13.002. EFFECT OF RECORDED INSTRUMENT. An instrument
that is properly recorded in the proper county is:
(1) notice to all persons of the existence of the
instrument; and
(2) subject to inspection by the public.
SECTION 3.04. Each state and local governmental entity
shall examine its records retention schedule and amend the schedule
so that it complies with Section 561.053, Government Code, as added
by this Act.
SECTION 3.05. Section 11.008, Property Code, as added by
this Act, applies only to a deed, mortgage, or deed of trust
executed on or after January 1, 2004.
ARTICLE 4
SECTION 4.01. (a) Section 521.126, Transportation Code,
is amended to read as follows:
Sec. 521.126. ELECTRONICALLY READABLE INFORMATION.
(a) The department may not include any information on a driver's
license, commercial driver's license, or personal identification
certificate in an electronically readable form other than the
information printed on the license and a physical description of
the licensee.
(b) Except as provided by Subsection (e), a person commits
an offense if the person:
(1) accesses or uses electronically readable
information from a driver's license, commercial driver's license,
or personal identification certificate; or
(2) compiles or maintains a database of electronically
readable information derived from driver's licenses, commercial
driver's licenses, or personal identification certificates. [The
department shall take necessary steps to ensure that the
information is used only for law enforcement or governmental
purposes.]
(c) An offense under Subsection (b) [Unauthorized use of the
information] is a Class A misdemeanor.
(d) The prohibition provided by Subsection (b) does not
apply to:
(1) an officer or employee of the department who
accesses or uses the information for law enforcement or government
purposes;
(2) a peace officer, as defined by Article 2.12, Code
of Criminal Procedure, acting in the officer's official capacity;
(3) a license deputy, as defined by Section 12.702,
Parks and Wildlife Code, issuing a license, stamp, tag, permit, or
other similar item through use of a point-of-sale system under
Section 12.703, Parks and Wildlife Code; or
(4) a person acting as authorized by Section 109.61,
Alcoholic Beverage Code.
(e) The prohibition provided by Subsection (b)(1) does not
apply to a financial institution if the information is accessed or
used only for purposes of identification of an individual. The
prohibition provided by Subsection (b)(2) does not apply to a
financial institution if each license or certificate holder whose
information is included in the compilation or database consents to
the inclusion of the person's information in the compilation or
database. Consent under this subsection must be on a separate
document, signed by the license or certificate holder, that
explains in at least 14-point bold type the information that will be
included in the compilation or database. For the purposes of this
subsection, "financial institution" has the meaning assigned by 31
U.S.C. Section 5312(a)(2), as amended.
(f) A person may not use information derived from
electronically readable information from a driver's license,
commercial driver's license, or personal identification
certificate to engage in telephone solicitation to encourage the
purchase or rental of, or investment in, goods, other property, or
services.
(b) The change in law made by this section applies only to an
offense committed on or after the effective date of this Act. For
the purposes of this section, an offense is committed before the
effective date of this Act if any element of the offense occurs
before that date. An offense committed before the effective date of
this Act is governed by the law in effect when the offense was
committed, and the former law is continued in effect for that
purpose.
ARTICLE 5
SECTION 5.01. (a) Except as provided by Subsections (b)
and (c) of this section, this Act takes effect September 1, 2003.
(b) Section 2.04 of this Act takes effect September 1, 2005.
(c) Section 3.01 of this Act takes effect January 1, 2004,
as that section applies to a municipality with a population of less
than 1.2 million.