BILL ANALYSIS
Senate Research Center C.S.S.B. 122
By: Hinojosa
Criminal Justice
Committee Report (Substituted)
AUTHOR'S/SPONSOR'S STATEMENT OF INTENT
Identity theft is the fastest growing crime in the country. In 2004, there were 635,173 consumer fraud and identity theft complaints in the United States. Texas has the fourth-highest rate of identity theft and ranks second, behind California, in the total number of identity thefts by state.
Victims spend an average of 600 hours over two to four years and $1,400 to clear their names. In 2002, the cost to businesses was almost $50 billion and the cost to consumers was $5 billion.
C.S.S.B. 122 prevents identity theft by protecting the consumer's personal information, helps victims recover from the offense, requires businesses to report to consumers breaches in security involving consumers' personal information, and authorizes the attorney general to bring suit for identity theft.
RULEMAKING AUTHORITY
SECTION BY SECTION ANALYSIS
SECTION 1. (a) Amends Chapter 2, Code of Criminal Procedure, by adding Article 2.29, as follows:
Art. 2.29. REPORT REQUIRED IN CONNECTION WITH FRAUDULENT USE OR POSSESSION OF IDENTIFYING INFORMATION. (a) Requires a peace officer to whom an alleged violation of Section 32.51 (Fraudulent Use or Possession of Identifying Information), Penal Code, is reported to make a written report to the law enforcement agency that employs the peace officer. Sets forth the information the report is required to include.
(b) Requires the law enforcement agency, on the victim's request, to provide the report to the victim. Requires the law enforcement agency, in providing the report, to redact any otherwise confidential information that is included in the report, except for the information set forth in Subsection (a).
(b) Makes application of the change in law made by this section prospective.
SECTION 2. Amends Title 4, Business & Commerce Code, by adding Chapter 48, as follows:
CHAPTER 48. UNAUTHORIZED USE OF IDENTIFYING INFORMATION
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 48.001. SHORT TITLE. Provides that this chapter may be cited as the Identity Theft Enforcement and Protection Act.
Sec. 48.002. DEFINITIONS. Defines "personal identifying information," "sensitive personal information," "telecommunication access device," and "victim."
[Reserves Sections 48.003-48.100 for expansion.]
SUBCHAPTER B. IDENTITY THEFT
Sec. 48.101. UNAUTHORIZED USE OR POSSESSION OF PERSONAL IDENTIFYING INFORMATION. (a) Prohibits a person from obtaining, possessing, transferring, or using the personal identifying information of another person without the other person's consent and with intent to obtain a good, service, insurance, an extension of credit, or any other thing of value in the other person's name.
(b) Sets forth affirmative defenses to prosecution under this section.
(c) Provides that this section does not apply to a financial institution as defined by 15 U.S.C. Section 6809, or a covered entity as defined by Section 601.001 or 602.001, Insurance Code.
Sec. 48.102. BUSINESS DUTY TO PROTECT AND SAFEGUARD SENSITIVE PERSONAL INFORMATION. (a) Requires a business to implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.
(b) Requires a business to destroy or arrange for the destruction of customer records containing sensitive personal information within the business's custody or control that are not to be retained by the business.
(c) Provides that this section does not apply to a financial institution as defined by 15 U.S.C. Section 6809.
Sec. 48.103. NOTIFICATION REQUIRED FOLLOWING BREACH OF SECURITY OF COMPUTERIZED DATA. (a) Defines "breach of system security."
(b) Requires a person that conducts business in this state and owns or licenses computerized data that includes sensitive personal information to disclose any breach of system security, after discovering or receiving notification of the breach, to any resident of this state whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Requires this disclosure to be made as quickly as possible, except as provided by Subsection (d), or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(c) Requires any person that maintains computerized data that includes sensitive personal information that the person does not own to notify the owner or license holder of the information of any breach of system security immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(d) Authorizes a person to delay providing notice as required by Subsections (b) and (c) at the request of a law enforcement agency that determines that the notification will impede a criminal investigation. Requires the notification to be made as soon as the law enforcement agency determines that it will not compromise the investigation.
(e) Sets forth the authorized methods of giving notice.
(f) Sets forth the authorized methods of giving notice if the cost of providing notice would exceed $250,000, the number of affected persons exceeds 500,000, or the person does not have sufficient contact information.
(g) Provides that a person that maintains its own notification procedures as part of an information security policy for the treatment of sensitive personal information that complies with the timing requirements for notice complies with this section if the person notifies the affected persons in accordance with that policy, notwithstanding Subsection (e).
(h) Requires a person, if the person is required by this section to notify at one time more than 10,000 persons of a breach of system security, to also notify, without unreasonable delay, all consumer reporting agencies that maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notices.
[Reserves Sections 48.104-48.200 for expansion.]
SUBCHAPTER C. REMEDIES AND OFFENSES
Sec. 48.201. A CIVIL PENALTY; INJUNCTION. (a) Provides that a person who violates this chapter is liable to the state for a civil penalty within certain minimum and maximum limits. Authorizes the attorney general to bring suit to recover the civil penalty.
(b) Authorizes the attorney general, if it appears to the attorney general that a person is engaging in, has engaged in, or is about to engage in conduct that violates this chapter, to bring an action in the name of the state against the person to restrain the violation by a temporary restraining order, or a permanent or temporary injunction.
(c) Requires an action brought under Subsection (b) to be filed in district court and sets forth the counties in which the action may be filed.
(d) Provides that a plaintiff in an action under this section is not required to give a bond. Authorizes the court to grant any other equitable relief that the court considers appropriate to prevent any additional harm to a victim of identity theft or a further violation of this chapter or to satisfy any judgment entered against the defendant.
(e) Entitles the attorney general to recover reasonable expenses incurred in obtaining injunctive relief, civil penalties, or both, under this section. Sets forth in which fund the amounts collected under this section are required to be deposited, and the circumstances under which the penalties may be appropriated.
(f) Provides that the fees associated with an action under this section are the same as in a civil case, but the fees may be assessed only against the defendant.
Sec. 48.202. COURT ORDER TO DECLARE INDIVIDUAL A VICTIM OF IDENTITY THEFT. (a) Authorizes a person who is injured by a violation of Section 48.101, or who has filed a criminal complaint alleging commission of an offense under Section 32.51, Penal Code, to file an application with a district court for the issuance of a court order declaring that the person is a victim of identity theft. Authorizes a person to file an application under this section regardless of whether the person is able to identify each person who allegedly transferred or used the person's identifying information in an unlawful manner.
(b) Provides that a person is presumed to be a victim of identity theft under this section if the person charged with an offense under Section 32.51, Penal Code, is convicted of the offense.
(c) Requires the court, after notice and hearing, if the court is satisfied by a preponderance of the evidence that the applicant has been injured by a violation of Section 48.101 or is a victim of an offense under Section 32.51, Penal Code, to enter an order containing a declaration that the person filing the application is a victim of identity theft and containing certain other information about the violation or offense.
(d) Requires an order entered under this section to be sealed because of the confidential nature of the information required to be included in the order. Authorizes the order to be released to the proper officials in a civil proceeding brought by or against the victim arising or resulting from a violation of this chapter. Authorizes the order to be released to the victim for the purpose of submitting the copy of the order to a governmental entity or private business to prove that a transaction or account of the victim was directly affected by the violation of this chapter or offense under Section 32.51, Penal Code, or to correct any record of the entity or business that contains inaccurate or false information as a result of the violation or offense. Authorizes the order to be released on order of the judge or as otherwise required or provided by law.
(e) Authorizes a court to vacate an order issued under this section at any time if the court finds that the application or any information submitted to the court by the applicant contains a fraudulent misrepresentation or a material misrepresentation.
(f) Requires a copy of the order provided to the proper officials in a civil proceeding brought by or against the victim arising or resulting from a violation of this chapter to remain sealed throughout and after the civil proceeding. Provides that information contained in a copy of an order provided to a governmental entity or business by the person to prove that a transaction or account of the victim was directly affected by the violation of this chapter or offense under Section 32.51, Penal Code, or to correct any record of the entity or business that contains inaccurate or false information as a result of the violation or offense is confidential and may not be released except as required or provided by law.
Sec. 48.203. DECEPTIVE TRADE PRACTICE. Provides that a violation of this chapter, other than Section 48.103, is a deceptive trade practice actionable under Subchapter E (Deceptive Trace Practices and Consumer Protection), Chapter 17.
SECTION 3. Effective date: September 1, 2005.