By: McCall (Senate Sponsor - Averitt) H.B. No. 698
(In the Senate - Received from the House April 25, 2005;
April 26, 2005, read first time and referred to Committee on
Business and Commerce; May 21, 2005, reported adversely, with
favorable Committee Substitute by the following vote: Yeas 7,
Nays 0; May 21, 2005, sent to printer.)
COMMITTEE SUBSTITUTE FOR H.B. No. 698 By: Averitt
A BILL TO BE ENTITLED
AN ACT
relating to the creation and disposal of certain materials that
contain personal identifying information; providing a civil
penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. The heading to Section 35.48, Business &
Commerce Code, is amended to read as follows:
Sec. 35.48. RETENTION AND DISPOSAL OF BUSINESS RECORDS.
SECTION 2. Section 35.48(a), Business & Commerce Code, is
amended by adding Subdivisions (1-a) and (3) to read as follows:
(1-a) "Personal identifying information" means an
individual's first name or initial and last name in combination
with any one or more of the following items:
(A) date of birth;
(B) social security number or other
government-issued identification number;
(C) mother's maiden name;
(D) unique biometric data, including the
individual's fingerprint, voice print, and retina or iris image;
(E) unique electronic identification number,
address, or routing code;
(F) telecommunication access device, including
debit and credit card information; or
(G) financial institution account number or any
other financial information.
(3) "Telecommunication access device" has the meaning
assigned by Section 32.51, Penal Code.
SECTION 3. Section 35.48, Business & Commerce Code, is
amended by adding Subsections (d)-(i) to read as follows:
(d) When a business disposes of a business record that
contains personal identifying information of a customer of the
business, the business shall modify, by shredding, erasing, or
other means, the personal identifying information to make it
unreadable or undecipherable.
(e) A business is considered to comply with Subsection (d)
if the business contracts with a person engaged in the business of
disposing of records for the modification of personal identifying
information on behalf of the business in accordance with Subsection
(d).
(f) A business that does not dispose of a business record of
a customer in the manner required by Subsection (d) is liable for a
civil penalty of up to $500 for each record. The attorney general
may bring an action against the business to:
(1) recover the civil penalty;
(2) obtain any other remedy, including injunctive
relief; and
(3) recover costs and reasonable attorney's fees
incurred in bringing the action.
(g) A business that modifies a record as required by
Subsection (d) in good faith is not liable for a civil penalty under
Subsection (f) if the record is reconstructed, in whole or in part,
through extraordinary means.
(h) Subsection (d) does not require a business to modify a
record if:
(1) the business is required to retain the record
under other law; or
(2) the record is historically significant and:
(A) there is no potential for identify theft or
fraud while the record is in the custody of the business; or
(B) the record is transferred to a professionally
managed historical repository.
(i) Subsection (d) does not apply to:
(1) a financial institution as defined by 15 U.S.C.
Section 6809; or
(2) a covered entity as defined by Section 601.001 or
602.001, Insurance Code.
SECTION 4. Section 35.58(a), Business & Commerce Code, is
amended to read as follows:
(a) A person, other than government or a governmental
subdivision or agency, may not:
(1) intentionally communicate or otherwise make
available to the general public an individual's social security
number;
(2) display an individual's social security number on
a card or other device required to access a product or service
provided by the person;
(3) require an individual to transmit the individual's
social security number over the Internet unless the connection with
the Internet is secure or the number is encrypted;
(4) require an individual's social security number for
access to an Internet website, unless a password or unique personal
identification number or other authentication device is also
required for access; or
(5) print an individual's social security number on
any materials, except as provided by Subsection (f), that are sent
by mail to the individual, unless state or federal law requires that
the individual's social security number be included in the
materials.
SECTION 5. This Act applies to the disposal of business
records without regard to whether the records were created before,
on, or after the effective date of this Act.
SECTION 6. This Act takes effect September 1, 2005.
* * * * *