BILL ANALYSIS

 

 

C.S.H.B. 1682

By: McCall

Financial Institutions

Committee Report (Substituted)

 

 

BACKGROUND AND PURPOSE

 

Currently, no law exists in Texas requiring businesses that own or license data containing consumer personal information to notify consumers when there has been a security breach. In this day and age, with identity theft as one of the fastest growing crimes in the nation, all have a responsibility in combating this crime.

 

The purpose of the bill is to ensure that consumers receive notification, thereby allowing them to take preventative measures before further damage occurs. In the wake of security breaches to (1) The University of Texas data system in 2002—exposing more than 55,000 students, staff, and faculty to identity theft, (2) The University of California data system in 2004—exposing more than 1.4 million California residents to identity theft, and most recently (3) ChoicePoint's data system in 2005—exposing more than 145,000 Americans to identity theft, consumers are in desperate need of this type of protection.

 

C.S.H.B. 1682 provides for procedures in a security breach of a computerized data system that includes personal identifying information; providing a civil penalty.

 

RULEMAKING AUTHORITY

 

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution. 

 

ANALYSIS

 

C.S.H.B. 1682 amends Title 4, Business and Commerce Code, as follows:

 

The substitute creates a new chapter entitled, "Disclosures Relating to Maintenance of Another Person's Identifying Information" and includes definitions for "consumer reporting agency," "personal identifying information," and "service provider." 

 

The substitute provides that a person who owns or licenses computerized data containing personal identifying information of a Texas resident must notify the resident if there has been a breach in security of the data system or if the resident's information may have been obtained by an unauthorized person.  Notification must be done promptly after the date of discovery, either electronically or in writing. The substitute requires the service provider to notify and cooperate with the owner or licensee of the information, which includes sharing information relevant to the breach.

 

The substitute provides that if the cost of notice is more than $250,000, the number of affected individuals is more than $500,000, or the person does not have sufficient contact information, the person may send an electronic mail message, post a conspicuous statement of the breach on the person's website, and notify print or electronic media statewide that the breach has occurred.

 

The substitute authorizes the delay of notification at the request of a law enforcement agency conducting a criminal investigation.  The substitute requires that if a person becomes aware of circumstances that require the person to notify more than 1000 individuals, the person must notify nationwide consumer reporting agencies.

The substitute provides that a violation of this Act is considered a false, misleading, or deceptive act or practice as defined by Section 17.46(b), Business & Commerce Code, and is actionable under Section 17.47, Business & Commerce Code.  Such remedies are cumulative with any other remedy provided by law.

 

 

EFFECTIVE DATE

 

September 1, 2005

 

 

COMPARISON OF ORIGINAL TO SUBSTITUTE

 

C.S.H.B. 1682 modifies the original by adding language that defines "consumer reporting agency," "personal identifying information," and "service provider."  The substitute changes all references to "identifying information" to "personal identifying information."

 

The substitute modifies the original by adding language that provides that good faith access or acquisition of personal identifying information by an employee or agent of the person who owns or maintains the database is not considered to be a breach.

 

The substitute modifies the original by adding language that requires the person to notify the consumer promptly after the consumer discovers the breach.

 

The substitute modifies the original by adding language that requires the service provider to notify and cooperate with the owner or licensee of the personal information of any breach including the sharing of all relevant information.

 

The substitute modifies the original by adding language that provides that if the number of individuals to be notified of the breach is more than 1,000 individuals, the person must notify a nationwide consumer reporting agency.

 

The substitute modifies the original by adding language that provides that a violation of this Act is considered a false, misleading, or deceptive act or practice as defined by Section 17.46(b), Business & Commerce Code, and is actionable under Section 17.47, Business & Commerce Code.  The substitute provides that such remedies are cumulative with any other remedy provided by law.