79(R) HB 698 - Senate Committee Report version


                                                                                


By:  McCall (Senate Sponsor - Averitt)                            H.B. No. 698
	(In the Senate - Received from the House April 25, 2005; 
April 26, 2005, read first time and referred to Committee on 
Business and Commerce; May 21, 2005, reported adversely, with 
favorable Committee Substitute by the following vote:  Yeas 7, 
Nays 0; May 21, 2005, sent to printer.)


COMMITTEE SUBSTITUTE FOR H.B. No. 698                                    By:  Averitt


A BILL TO BE ENTITLED

AN ACT


relating to the creation and disposal of certain materials that 
contain personal identifying information; providing a civil 
penalty.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:                        
	SECTION 1.  The heading to Section 35.48, Business &
Commerce Code, is amended to read as follows:
	Sec. 35.48.  RETENTION AND DISPOSAL OF BUSINESS RECORDS.                
	SECTION 2.  Section 35.48(a), Business & Commerce Code, is 
amended by adding Subdivisions (1-a) and (3) to read as follows:
		(1-a)  "Personal identifying information" means an 
individual's first name or initial and last name in combination 
with any one or more of the following items:
			(A)  date of birth;                                                   
			(B)  social security number or other 
government-issued identification number;
			(C)  mother's maiden name;                                            
			(D)  unique biometric data, including the 
individual's fingerprint, voice print, and retina or iris image;
			(E)  unique electronic identification number, 
address, or routing code;
			(F)  telecommunication access device, including 
debit and credit card information; or
			(G)  financial institution account number or any 
other financial information.
		(3)  "Telecommunication access device" has the meaning 
assigned by Section 32.51, Penal Code.
	SECTION 3.  Section 35.48, Business & Commerce Code, is 
amended by adding Subsections (d)-(i) to read as follows:
	(d)  When a business disposes of a business record that 
contains personal identifying information of a customer of the 
business, the business shall modify, by shredding, erasing, or 
other means, the personal identifying information to make it 
unreadable or undecipherable.
	(e)  A business is considered to comply with Subsection (d) 
if the business contracts with a person engaged in the business of 
disposing of records for the modification of personal identifying 
information on behalf of the business in accordance with Subsection 
(d).
	(f)  A business that does not dispose of a business record of 
a customer in the manner required by Subsection (d) is liable for a 
civil penalty of up to $500 for each record. The attorney general 
may bring an action against the business to:
		(1)  recover the civil penalty;                                        
		(2)  obtain any other remedy, including injunctive 
relief; and       
		(3)  recover costs and reasonable attorney's fees 
incurred in bringing the action.
	(g)  A business that modifies a record as required by 
Subsection (d) in good faith is not liable for a civil penalty under 
Subsection (f) if the record is reconstructed, in whole or in part, 
through extraordinary means.
	(h)  Subsection (d) does not require a business to modify a 
record if:
		(1)  the business is required to retain the record 
under other law; or
		(2)  the record is historically significant and:                       
			(A)  there is no potential for identify theft or 
fraud while the record is in the custody of the business; or
			(B)  the record is transferred to a professionally 
managed historical repository.
	(i)  Subsection (d) does not apply to:                                  
		(1)  a financial institution as defined by 15 U.S.C. 
Section 6809; or
		(2)  a covered entity as defined by Section 601.001 or 
602.001, Insurance Code.
	SECTION 4.  Section 35.58(a), Business & Commerce Code, is 
amended to read as follows:
	(a)  A person, other than government or a governmental 
subdivision or agency, may not:
		(1)  intentionally communicate or otherwise make 
available to the general public an individual's social security 
number;
		(2)  display an individual's social security number on 
a card or other device required to access a product or service 
provided by the person;
		(3)  require an individual to transmit the individual's 
social security number over the Internet unless the connection with 
the Internet is secure or the number is encrypted;
		(4)  require an individual's social security number for 
access to an Internet website, unless a password or unique personal 
identification number or other authentication device is also 
required for access; or
		(5)  print an individual's social security number on 
any materials, except as provided by Subsection (f), that are sent 
by mail to the individual, unless state or federal law requires that 
the individual's social security number be included in the 
materials.
	SECTION 5.  This Act applies to the disposal of business 
records without regard to whether the records were created before, 
on, or after the effective date of this Act.
	SECTION 6.  This Act takes effect September 1, 2005.                           



* * * * *