79R8290 CLG-F
By: McCall
H.B. No. 1682
A BILL TO BE ENTITLED
AN ACT
relating to a breach in the security of a computerized data system
that includes another person's identifying information; providing
a civil penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Title 4, Business & Commerce Code, is amended by
adding Chapter 50 to read as follows:
CHAPTER 50. DISCLOSURES RELATING TO MAINTENANCE OF ANOTHER
PERSON'S IDENTIFYING INFORMATION
Sec. 50.001. DEFINITION. In this chapter, "identifying
information" has the meaning assigned by Section 32.51, Penal Code.
Sec. 50.002. BREACH OF SECURITY OF COMPUTERIZED DATA
SYSTEM. (a) For purposes of this chapter, a breach in the security
of a person's computerized data system is considered to have
occurred when there is unauthorized access to data electronically
stored in the system that compromises the security,
confidentiality, or integrity of identifying information
maintained by the person.
(b) Good faith acquisition of identifying information by an
employee or agent of the person is not considered to be a breach in
the security of the person's system for purposes of this chapter if
the identifying information is not used or subject to further
unauthorized disclosure.
Sec. 50.003. NOTIFICATION OF SECURITY BREACH. (a) A person
that owns or licenses computerized data that includes identifying
information of a resident of this state must notify the resident of
any breach of the security of the person's computerized data system
if the resident's unencrypted identifying information was, or is
reasonably believed to have been, obtained by an unauthorized
person. Notification must be made within a reasonable period after
the date the person discovers the security breach, taking into
consideration any law enforcement agency requests as provided by
Subsection (f) or any measures necessary to determine the scope of
the breach or restore the reasonable integrity of the data system.
(b) A person maintaining computerized data that includes
identifying information that the person does not own shall
immediately notify the owner or licensee of the information of any
breach of the security of the person's system if identifying
information was, or is reasonably believed to have been, obtained
by an unauthorized person.
(c) Except as provided by Subsection (d) or (e), the person
must provide the notification required by this section in writing
or by electronic notice, if the electronic notice complies with the
requirements regarding electronic records and signatures set forth
in 15 U.S.C. Section 7001.
(d) A person that provides notice under this section in
accordance with notification procedures developed and maintained
by the person pursuant to a security policy for the handling of
identifying information the person maintains is considered to have
complied with the notice requirements of this section if the
procedures are not inconsistent with the timing requirements of
this section.
(e) If the cost of providing written notice under this
section to all affected individuals would exceed $250,000, the
number of affected individuals is more than 500,000, or the person
does not have sufficient contact information, the person may
provide for that notification by:
(1) sending an electronic mail message to an
individual's electronic mail address;
(2) posting a conspicuous statement of the occurrence
of the breach on the person's website; or
(3) notifying print or electronic media statewide that
a breach in the security of the person's computerized data system
has occurred.
(f) The notification required by this section may be delayed
at the request of a law enforcement agency conducting a criminal
investigation until the time that the law enforcement agency
determines that providing the notice will not impede the criminal
investigation.
Sec. 50.004. APPLICABILITY. This chapter does not apply to
a person who maintains federal, state, or local government records
containing identifying information that are made available to the
public.
Sec. 50.005. CIVIL PENALTY. (a) A person who violates this
chapter is liable to the state for a civil penalty in an amount not
to exceed $1 million for each violation.
(b) The attorney general or the prosecuting attorney in the
county in which a violation occurs may bring suit to recover the
civil penalty imposed under Subsection (a).
(c) The attorney general or the prosecuting attorney may
recover reasonable expenses incurred in obtaining a civil penalty
under this section, including court costs and reasonable attorney's
fees.
Sec. 50.006. REMEDIES CUMULATIVE. The remedies provided by
this chapter are cumulative of any other remedy provided by law.
SECTION 2. This Act takes effect September 1, 2005.