BILL ANALYSIS
Senate Research Center C.S.H.B. 698
79R18686 E By: McCall (Averitt)
Committee Report (Substituted)
AUTHOR'S/SPONSOR'S STATEMENT OF INTENT
Identity theft is one of the fastest growing crimes in the nation. Last year alone, around 10 million Americans were victims of the crime, and those victimized spend on average of 600 hours and $1,500 in order to try and clear their names. Not surprisingly, with a population of over 22 million, Texas has one of the highest rates of identity theft.
Although the rate of Internet-related identity theft scams are on the rise, 68 percent of identity theft crimes are still committed through traditional means. One of these traditional means is termed "dumpster diving," whereby identity thieves fish receipts and records containing personal information out of trash receptacles.
Currently, no Texas statute addresses how a business must dispose of a business record containing personal identifying information. C.S.H.B. 698 requires that when a business disposes of records containing consumer personal information, it must destroy or modify the record through shredding or other means that renders the information unreadable. C.S.H.B. 698 also sets out a civil penalty.
RULEMAKING AUTHORITY
SECTION BY SECTION ANALYSIS
SECTION 1. Amends the heading to Section 35.48, Business & Commerce Code, to read as follows:
Sec. 35.48. RETENTION AND DISPOSAL OF BUSINESS RECORDS.
SECTION 2. Amends Section 35.48(a), Business & Commerce Code, by adding Subdivisions (1-a) and (3), to define "personal identifying information" and "telecommunication access device."
SECTION 3. Amends Section 35.48, Business & Commerce Code, by adding Subsections (d)-(i), as follows:
(d) Requires a business, when the business disposes of a business record that contains personal identifying information of a customer of the business, to modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.
(e) Provides that a business is considered to comply with Subsection (d) if the business contracts with a person engaged in the business of disposing of records for the modification of personal identifying information on behalf of the business in accordance with Subsection (d)
(f) Provides that a business that does not dispose of a business record of a customer in the manner required by Subsection (d) is liable for a civil penalty of up to $500 for each record. Authorizes the attorney general to bring an action against the business to recover the civil penalty, obtain any other remedy, including injunctive relief, and recover costs and reasonable attorney's fees incurred in bringing the action.
(g) Provides that a business that modifies a record as required by Subsection (d) in good faith is not liable for a civil penalty under Subsection (f) if the record is reconstructed, in whole or in part, through extraordinary means.
(h) Provides that Subsection (d) does not require a business to modify a record if the business is required to retain the record under other law or the record is historically significant and there is no potential for identity theft or fraud while the record is in the custody of the business or the record is transferred to a professionally managed historical repository.
(i) Provides that Subsection (d) does not apply to a financial institution as defined by 15 U.S.C. Section 6809 or a covered entity as defined by Section 601.001 or 602.001, Insurance Code.
SECTION 4. Amends Section 35.58(a), Business & Commerce Code, to prohibit a person, other than a governmental subdivision or entity from printing an individual's social security number on any materials that are sent by mail to the individual, with certain exceptions.
SECTION 5. Makes application of this Act prospective.
SECTION 6. Effective date: September 1, 2005.