79R8290 CLG-F

By:  McCall                                                       H.B. No. 1682


A BILL TO BE ENTITLED
AN ACT
relating to a breach in the security of a computerized data system that includes another person's identifying information; providing a civil penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Title 4, Business & Commerce Code, is amended by adding Chapter 50 to read as follows:
CHAPTER 50. DISCLOSURES RELATING TO MAINTENANCE OF ANOTHER PERSON'S IDENTIFYING INFORMATION
Sec. 50.001. DEFINITION. In this chapter, "identifying information" has the meaning assigned by Section 32.51, Penal Code.
Sec. 50.002. BREACH OF SECURITY OF COMPUTERIZED DATA SYSTEM. (a) For purposes of this chapter, a breach in the security of a person's computerized data system is considered to have occurred when there is unauthorized access to data electronically stored in the system that compromises the security, confidentiality, or integrity of identifying information maintained by the person.
(b) Good faith acquisition of identifying information by an employee or agent of the person is not considered to be a breach in the security of the person's system for purposes of this chapter if the identifying information is not used or subject to further unauthorized disclosure.
Sec. 50.003. NOTIFICATION OF SECURITY BREACH. (a) A person that owns or licenses computerized data that includes identifying information of a resident of this state must notify the resident of any breach of the security of the person's computerized data system if the resident's unencrypted identifying information was, or is reasonably believed to have been, obtained by an unauthorized person. Notification must be made within a reasonable period after the date the person discovers the security breach, taking into consideration any law enforcement agency requests as provided by Subsection (f) or any measures necessary to determine the scope of the breach or restore the reasonable integrity of the data system.
(b) A person maintaining computerized data that includes identifying information that the person does not own shall immediately notify the owner or licensee of the information of any breach of the security of the person's system if identifying information was, or is reasonably believed to have been, obtained by an unauthorized person.
(c) Except as provided by Subsection (d) or (e), the person must provide the notification required by this section in writing or by electronic notice, if the electronic notice complies with the requirements regarding electronic records and signatures set forth in 15 U.S.C. Section 7001.
(d) A person that provides notice under this section in accordance with notification procedures developed and maintained by the person pursuant to a security policy for the handling of identifying information the person maintains is considered to have complied with the notice requirements of this section if the procedures are not inconsistent with the timing requirements of this section.
(e) If the cost of providing written notice under this section to all affected individuals would exceed $250,000, the number of affected individuals is more than 500,000, or the person does not have sufficient contact information, the person may provide for that notification by:
(1) sending an electronic mail message to an individual's electronic mail address;
(2) posting a conspicuous statement of the occurrence of the breach on the person's website; or
(3) notifying print or electronic media statewide that a breach in the security of the person's computerized data system has occurred.
(f) The notification required by this section may be delayed at the request of a law enforcement agency conducting a criminal investigation until the time that the law enforcement agency determines that providing the notice will not impede the criminal investigation.
Sec. 50.004. APPLICABILITY. This chapter does not apply to a person who maintains federal, state, or local government records containing identifying information that are made available to the public.
Sec. 50.005. CIVIL PENALTY. (a) A person who violates this chapter is liable to the state for a civil penalty in an amount not to exceed $1 million for each violation.
(b) The attorney general or the prosecuting attorney in the county in which a violation occurs may bring suit to recover the civil penalty imposed under Subsection (a).
(c) The attorney general or the prosecuting attorney may recover reasonable expenses incurred in obtaining a civil penalty under this section, including court costs and reasonable attorney's fees.
Sec. 50.006. REMEDIES CUMULATIVE. The remedies provided by this chapter are cumulative of any other remedy provided by law.
SECTION 2. This Act takes effect September 1, 2005.