| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to a business's duty to protect and safeguard sensitive |
|
|
personal information contained in its customer records. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 48.102, Business & Commerce Code, is |
|
|
amended by amending Subsections (a) and (c) and adding Subsections |
|
|
(a-1), (a-2), (a-3), (a-4), and (a-5) to read as follows: |
|
|
(a) In this section, "breach of system security" has the |
|
|
meaning assigned by Section 48.103, including the exception |
|
|
provided by Section 48.103(a) for the good faith acquisition of |
|
|
sensitive personal information by an employee or agent of the |
|
|
person maintaining the information. |
|
|
(a-1) A business shall implement and maintain reasonable |
|
|
procedures, including taking any appropriate corrective action, to |
|
|
protect and safeguard from unlawful use or disclosure any sensitive |
|
|
personal information collected or maintained by the business in the |
|
|
regular course of business. |
|
|
(a-2) A business that collects sensitive personal |
|
|
information in the regular course of business shall encrypt, in |
|
|
conformity with current industry-standard encryption methods and |
|
|
capabilities, any sensitive personal information contained in |
|
|
customer records of the business that are maintained in a |
|
|
computerized database. |
|
|
(a-3) A person may bring an action against a business that |
|
|
maintains computerized data that includes sensitive personal |
|
|
information if, following any breach of system security of that |
|
|
data, the person's sensitive personal information was acquired by |
|
|
an unauthorized person or the person was otherwise injured by the |
|
|
breach. |
|
|
(a-4) A person who brings an action under Subsection (a-3) |
|
|
may obtain, subject to Subsection (a-5), actual damages arising |
|
|
from the violation. |
|
|
(a-5) The court may increase the amount of an award of |
|
|
actual damages in an action brought under this section to an amount |
|
|
not to exceed three times the actual damages sustained if the court |
|
|
finds that the business violated Subsection (a-2). |
|
|
(c) This section does not apply to a financial institution |
|
|
as defined by 15 U.S.C. Section 6809, except that a financial |
|
|
institution who is injured following a breach of system security of |
|
|
a business's computerized data may bring an action under Subsection |
|
|
(a-3). |
|
|
SECTION 2. This Act takes effect September 1, 2007. |