79R13594 CLG-F
H.B. No. 1682
By: McCall, Rodriguez, Miller, Menendez, Bohac
A BILL TO BE ENTITLED
AN ACT
relating to a breach in the security of a computerized data system that includes personal identifying information; providing a civil penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Title 4, Business & Commerce Code, is amended by adding Chapter 50 to read as follows:
CHAPTER 50. DISCLOSURES RELATING TO MAINTENANCE OF PERSONAL IDENTIFYING INFORMATION
Sec. 50.001. DEFINITIONS. In this chapter:
(1) "Consumer reporting agency" has the meaning assigned by Section 20.01.
(2) "Personal identifying information":
(A) means an individual's first name or first initial in combination with last name and with one or more of the following items of information:
(i) a social security number;
(ii) a driver's license number or other government-issued identification number; or
(iii) an account number or a credit or debit card number, in combination with any required security code, access code, or password that permits access to an individual's financial account; and
(B) does not include publicly available information that is lawfully made available to the public from federal, state, or local government records.
(3) "Service provider" means a person that is authorized to hold or use a computerized database containing personal identifying information on behalf of another person that owns or licenses the database.
Sec. 50.002. BREACH OF SECURITY OF COMPUTERIZED DATA SYSTEM. (a) For purposes of this chapter, a breach in the security of a person's computerized data system is considered to have occurred when there is unauthorized access to data electronically stored in the system that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person.
(b) Good faith access or acquisition of personal identifying information by an employee or agent of the person is not considered to be a breach in the security of the person's system for purposes of this chapter if the personal identifying information is not used or subject to further unauthorized disclosure.
Sec. 50.003. NOTIFICATION OF SECURITY BREACH. (a) A person that owns or licenses computerized data that includes personal identifying information of a resident of this state must notify the resident of any breach of the security of the person's computerized data system if the resident's unencrypted personal identifying information was, or may have been, obtained by an unauthorized person. Notification must be made promptly after the date the person discovers the security breach, taking into consideration any law enforcement agency requests as provided by Subsection (f) or any measures necessary to determine the scope of the breach or restore the reasonable integrity of the data system.
(b) A service provider holding or using computerized data that includes unencrypted personal identifying information of a resident of this state shall immediately notify and cooperate with the owner or licensee of the information of any breach of the security of the service provider's system if personal identifying information was, or may have been, obtained by an unauthorized person. In this subsection, the cooperation of a service provider with the owner or licensee of the information includes sharing information relevant to the breach.
(c) Except as provided by Subsection (d) or (e), the person must provide the notification required by this section in writing or by electronic notice, if the electronic notice complies with the requirements regarding electronic records and signatures set forth in 15 U.S.C. Section 7001.
(d) A person that provides notice under this section in accordance with notification procedures developed and maintained by the person pursuant to a security policy for the handling of personal identifying information the person maintains is considered to have complied with the notice requirements of this section if the procedures are not inconsistent with the timing requirements of this section.
(e) If the cost of providing written notice under this section to all affected individuals would exceed $250,000, the number of affected individuals is more than 500,000, or the person does not have sufficient contact information, the person may provide for that notification by:
(1) sending an electronic mail message to an individual's electronic mail address;
(2) posting a conspicuous statement of the occurrence of the breach on the person's website; and
(3) notifying print or electronic media statewide that a breach in the security of the person's computerized data system has occurred.
(f) The notification required by this section may be delayed at the request of a law enforcement agency conducting a criminal investigation until the time that the law enforcement agency determines that providing the notice will not impede the criminal investigation.
(g) If a person becomes aware of circumstances that require the person to notify more than 1,000 persons at any one time under this section, the person shall also notify, without unreasonable delay, each consumer reporting agency that compiles and maintains consumer files on a nationwide basis of the timing, distribution, and content of the required notices.
Sec. 50.004. DECEPTIVE TRADE PRACTICES. A violation of this chapter is a false, misleading, or deceptive act or practice as defined by Section 17.46(b) and is actionable by the consumer protection division in a suit brought under Section 17.47.
Sec. 50.005. REMEDIES CUMULATIVE. The remedies provided by this chapter are cumulative of any other remedy provided by law.
SECTION 2. This Act takes effect September 1, 2005.