BILL ANALYSIS

 

 

Senate Research Center

S.B. 223

80R1022 TAD-D

By: Ellis

Business & Commerce

2/9/2007

As Filed

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

Current law requires notification of affected parties upon the breach of a security system containing the personal information of a consumer or customer. Consumer information is compromised through incidents of privacy invasion and identity theft by third parties into security systems that cause negative financial and credit consequences for Texas residents.

 

As proposed, S.B. 223 requires notification of affected parties following the breach of a security system or loss of certain computerized data, and requires the attorney general to establish and maintain a central registry of persons, available to the public, to provide notice of a breach of a security system or loss of certain computerized data.

 

RULEMAKING AUTHORITY

 

Rulemaking authority is expressly granted to the attorney general of Texas in SECTION 3 (Section 48.104, Business & Commerce Code) of this bill.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1.  Amends the heading to Section 48.103, Business & Commerce Code, as added by Chapter 294, Acts of the 79th Legislature, Regular Session, 2005, to read as follows:

 

Sec. 48.103. NOTIFICATION REQUIRED FOLLOWING BREACH OF SECURITY OR LOSS OF CERTAIN COMPUTERIZED DATA.

 

SECTION 2. Amends Section 48.103, Business & Commerce Code, as added by Chapter 294, Acts of the 79th Legislature, Regular Session, 2005, by amending Subsections (b), (c), (d), (g), and (h), and adding Subsection (i), as follows:

 

(b) Requires any state or local government entity that owns or licenses computerized data that includes sensitive personal information to disclose any breach of system security or loss of the information after discovery of the loss to any resident whose information was lost. Requires the disclosure to be made as quickly as possible except as necessary to determine the scope of the loss and restore the data or data system, or when such disclosure will impede a criminal investigation.

 

(c) Requires a state or local government that maintains certain sensitive information to notify the owner or license holder of the information of any breach of system security or the loss of sensitive personal information immediately after discovering the loss.

 

(d) Makes a conforming change.

 

(g) Provides that a person that maintains its own notification procedures as part of an information security policy for the treatment of sensitive personal information that complies with the timing requirements for notice under this section complies with the notice requirements of this section other than Subsection (i) if the person notifies affected persons in accordance with that policy.

 

(h) Requires a person to notify all consumer reporting agencies that maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices of a loss of sensitive personal information, if the person is required to notify at one time more than 10,000 persons.

 

(i) Requires a person required to provide notice under Subsection (b) or (c) to notify, without unreasonable delay, the attorney general in writing of each incident involving a breach of security or loss of data. Requires the notice to contain certain information.

 

SECTION 3. Amends Subchapter B, Chapter 48, Business & Commerce Code, as added by Chapter 294, Acts of the 79th Legislature, Regular Session, 2005, by adding Section 48.104, as follows:

 

Sec. 48.104. REGISTRY OF PERSONS REPORTING BREACH OF SECURITY OR LOSS OF CERTAIN COMPUTERIZED DATA. (a) Requires the attorney general to establish and maintain a central registry (registry) of persons required to provide notice under Section 48.103(b) or (c) of a security breach or loss of sensitive personal information.

 

(b) Sets forth certain conditions which the registry must meet.

 

(c) Authorizes the registry to include other information the attorney general considers necessary and appropriate for purposes of notification.

 

(d) Requires the attorney general to publish the registry information on the attorney general's website and to update the registry at least semimonthly.

 

(e) Provides that sensitive personal information received by or in connection with the registry is confidential and not subject to disclosure under Chapter 552 (Public Information), Government Code.

 

(f) Authorizes the attorney general to adopt rules necessary to implement this section.

 

SECTION 4. Makes application of this Act prospective.

 

SECTION 5. Requires the attorney general to establish the registry no later than January 1, 2008.

 

SECTION 6. Effective date: September 1, 2007.