Amend CSHB 3222 by striking all below the enacting clause and 
substituting the following:
	SECTION 1.  Section 48.102, Business & Commerce Code, as 
added by Chapter 294, Acts of the 79th Legislature, Regular 
Session, 2005, is amended to read as follows:
	Sec. 48.102.  BUSINESS DUTY TO PROTECT AND SAFEGUARD 
SENSITIVE PERSONAL INFORMATION.  (a)  In this section:
		(1)  "Access device" means a card or device issued by a 
financial institution that contains a magnetic stripe, 
microprocessor chip, or other means for storing information.  The 
term includes a credit card, debit card, or stored value card.
		(2)  "Breach of system security" has the meaning 
assigned by Section 48.103.
		(3)  "Financial institution" has the meaning assigned 
by 15 U.S.C. Section 6809.
	(b)  A business shall implement and maintain reasonable 
procedures, including taking any appropriate corrective action, to 
protect and safeguard from unlawful use or disclosure any sensitive 
personal information collected or maintained by the business in the 
regular course of business.
	(c)  A business that, in the regular course of business, 
collects, maintains, or stores sensitive personal information in 
connection with an access device must comply with payment card 
industry data security standards.
	(d) [(b)]  A business shall destroy or arrange for the 
destruction of customer records containing sensitive personal 
information within the business's custody or control that are not 
to be retained by the business by:
		(1)  shredding;
		(2)  erasing; or
		(3)  otherwise modifying the sensitive personal 
information in the records to make the information unreadable or 
undecipherable through any means.
	(e)  A financial institution may bring an action against a 
business that is subject to a breach of system security if, at the 
time of the breach, the business is in violation of Subsection (c).  
A court may not certify an action brought under this subsection as a 
class action.
	(f)  Before filing an action under Subsection (e), a 
financial institution must provide to the business written notice 
requesting that the business provide certification or an assessment 
of the business's compliance with payment card industry data 
security standards.  The certification or assessment must be issued 
by a payment card industry-approved auditor or another person 
authorized to issue that certification or assessment under payment 
card industry data security standards.  The court shall, on motion, 
dismiss an action brought under Subsection (e) with prejudice to 
the refiling of the action if the business provides to the financial 
institution the certification of compliance required under this 
subsection not later than the 30th day after receiving the notice.
	(g)  A presumption that a business has complied with 
Subsection (c) exists if:
		(1)  the business contracts for or otherwise uses the 
services of a third party to collect, maintain, or store sensitive 
personal information in connection with an access device;
		(2)  the business requires that the third party attest 
to or offer proof of compliance with payment card industry data 
security standards; and
		(3)  the business contractually requires the third 
party's continued compliance with payment card industry data 
security standards.
	(h)  A financial institution that brings an action under 
Subsection (e) may obtain actual damages arising from the 
violation.  Actual damages include any cost incurred by the 
financial institution in connection with:
		(1)  the cancellation or reissuance of an access device 
affected by the breach;
		(2)  the closing of a deposit, transaction, share 
draft, or other account affected by the breach and any action to 
stop payment or block a transaction with respect to the account;
		(3)  the opening or reopening of a deposit, 
transaction, share draft, or other account affected by the breach;
		(4)  a refund or credit made to an account holder to 
cover the cost of any unauthorized transaction related to the 
breach;  and
		(5)  the notification of account holders affected by 
the breach.
	(i)  In an action brought under Subsection (e), the court 
shall award the prevailing party reasonable attorney's fees and 
costs, except that a business may not be awarded reasonable 
attorney's fees and costs unless the court is presented proof that 
the business provided the certification or assessment of compliance 
with security standards to the financial institution within the 
period prescribed by Subsection (f).
	(j) [(c)]  This section does not apply to a financial 
institution, except that a financial institution that is injured 
following a breach of system security of a business's computerized 
data may bring an action under Subsection (e) [as defined by 15 
U.S.C. Section 6809].
	SECTION 2.  This Act takes effect January 1, 2009.