79R5519 CLG-D
By: Rodriguez
H.B. No. 1527
A BILL TO BE ENTITLED
AN ACT
relating to a breach in the security of a data system that includes
another person's identifying information.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Title 4, Business & Commerce Code, is amended by
adding Chapter 50 to read as follows:
CHAPTER 50. DISCLOSURES RELATING TO MAINTENANCE OF ANOTHER PERSON'S
IDENTIFYING INFORMATION
Sec. 50.001. DEFINITIONS. In this chapter, "identifying
information" has the meaning assigned by Section 32.51, Penal Code.
Sec. 50.002. BREACH OF SECURITY OF DATA SYSTEM. (a) For
purposes of this chapter, a breach in the security of a person's
data system is considered to have occurred when there is
unauthorized access to data stored in the system, in electronic
storage or otherwise, that compromises the security,
confidentiality, or integrity of identifying information
maintained by the person.
(b) Good faith acquisition of identifying information by an
employee or agent of the person is not considered to be a breach in
the security of the person's data system for purposes of this
chapter if the identifying information is not used or subject to
further unauthorized disclosure.
Sec. 50.003. NOTIFICATION OF SECURITY BREACH. (a) A person
that owns or licenses data, in computerized form or otherwise, that
includes identifying information of a resident of this state must
promptly notify the resident of any alleged breach of the security
of the person's data system, regardless of whether the resident's
identifying information has been accessed by an unauthorized
person.
(b) A person maintaining computerized data that includes
identifying information that the person does not own shall promptly
notify the owner or licensee of the information of any breach of the
security of the person's data system.
(c) The person must provide the notification required by
this section in writing except as provided by Subsection (d) or (e).
(d) A person that provides notice under this section in
accordance with notification procedures developed and maintained
by the person pursuant to a security policy for the handling of
identifying information the person maintains is considered to have
complied with the notice requirements of this section if the
procedures are not inconsistent with the timing requirements of
this section.
(e) If the cost of providing written notice under this
section to all affected individuals would exceed $250,000 or the
number of affected individuals is more than 500,000, the person may
provide for that notification by:
(1) sending an electronic mail message to an
individual's electronic mail address;
(2) posting a conspicuous statement of the occurrence
of the breach on the person's website; or
(3) notifying print or electronic media statewide that
a breach in the security of the person's data system has occurred.
(f) The notification required by this section may be delayed
at the request of a law enforcement agency conducting a criminal
investigation until the time that the law enforcement agency
determines that providing the notice will not impede the criminal
investigation.
Sec. 50.004. APPLICABILITY. This chapter does not apply to
a person who maintains federal, state, or local government records
containing identifying information that are made available to the
public.
Sec. 50.005. PRIVATE CAUSE OF ACTION. (a) A person injured
by a violation of this chapter may bring an action to:
(1) recover actual damages; or
(2) enjoin a continued violation of this chapter.
(b) A person who prevails in an action filed under this
section is entitled to recover court costs and reasonable
attorney's fees.
Sec. 50.006. REMEDIES CUMULATIVE. The remedies provided by
this chapter are cumulative of any other remedy provided by law.
SECTION 2. This Act takes effect September 1, 2005.