A BILL TO BE ENTITLED

AN ACT

relating to a loss of computerized data or breach of computer security involving sensitive personal information.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
|
SECTION 1. The heading to Section 48.103, Business & Commerce Code, as added by Chapter 294, Acts of the 79th Legislature, Regular Session, 2005, is amended to read as follows:

Sec. 48.103. NOTIFICATION REQUIRED FOLLOWING BREACH OF SECURITY OR LOSS OF CERTAIN COMPUTERIZED DATA.

SECTION 2. Section 48.103, Business & Commerce Code, as added by Chapter 294, Acts of the 79th Legislature, Regular Session, 2005, is amended by amending Subsections (b), (c), (d), (g), and (h) and adding Subsection (i) to read as follows:
|
(b) A person that conducts business in this state, including any state or local governmental entity in this state, that [and] owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security or loss of the information, after discovering or receiving notification of the breach or after discovering the loss, to any resident of this state whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person or was lost. A [The] disclosure required by this subsection shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach or loss and restore the reasonable integrity of the data or data system.

(c) Any person, including a state or local governmental entity, that maintains computerized data that includes sensitive personal information that the person does not own shall notify the owner or license holder of the information of any breach of system security or loss of the sensitive personal information immediately after discovering the breach or loss, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person or was lost.

(d) A person may delay providing notice as required by Subsections (b), [and] (c), and (i) at the request of a law enforcement agency that determines that the notification will impede a criminal investigation. The notification shall be made as soon as the law enforcement agency determines that it will not compromise the investigation.

(g) Notwithstanding Subsection (e), a person that maintains its own notification procedures as part of an information security policy for the treatment of sensitive personal information that complies with the timing requirements for notice under this section complies with the notice requirements of this section other than Subsection (i) if the person notifies affected persons in accordance with that policy.

(h) If a person is required by this section to notify at one time more than 10,000 persons of a breach of system security or loss of sensitive personal information, the person shall also notify, without unreasonable delay, all consumer reporting agencies, as defined by 15 U.S.C. Section 1681a, that maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notices.

(i) A person required to provide notice under Subsection (b) or (c) shall, without unreasonable delay, also notify the attorney general in writing of each incident involving a breach of system security or loss of computerized data containing sensitive personal information. The notice must contain:

(1) the person's name and address;

(2) the date the breach or loss was discovered;

(3) a summary of the circumstances surrounding the breach or loss;

(4) the type of information that was lost, stolen, or compromised;

(5) the number of persons whose sensitive personal information was lost, stolen, or compromised as a result of the incident; and

(6) the name, mailing address, and telephone number of a contact person from whom a person affected by the incident may request additional information.
|
SECTION 3. Subchapter B, Chapter 48, Business & Commerce Code, as added by Chapter 294, Acts of the 79th Legislature, Regular Session, 2005, is amended by adding Section 48.104 to read as follows:

Sec. 48.104. REGISTRY OF PERSONS REPORTING BREACH OF SECURITY OR LOSS OF CERTAIN COMPUTERIZED DATA. (a) The attorney general shall establish and maintain a central registry of persons required to provide notice under Section 48.103(b) or (c) of a breach of system security or a loss of computerized data containing sensitive personal information.

(b) The registry must include a record of each incident involving a breach of system security or loss of sensitive personal information reported under Section 48.103(i). The record must contain the required information listed under that section.

(c) The registry may include other information the attorney general considers necessary and appropriate to assist persons receiving notice under Section 48.103 that their sensitive personal information was lost, stolen, or compromised.

(d) The attorney general shall make the registry information available to the public on request and by publishing it on the attorney general's website. The attorney general shall update the registry information on the website at least twice monthly.

(e) Any sensitive personal information received by or in connection with the operation of the registry by the attorney general is confidential and not subject to disclosure under Chapter 552, Government Code.

(f) The attorney general may adopt rules necessary to implement this section.
|
SECTION 4. The changes in law made by this Act apply only to a breach of system security or loss of data containing sensitive personal information that occurs on or after the effective date of this Act. A breach of system security or loss of data containing sensitive personal information that occurs before the effective date of this Act is governed by the law in effect on the date the breach or loss occurred, and the former law is continued in effect for that purpose.

SECTION 5. Not later than January 1, 2008, the attorney general shall establish the registry required by Section 48.104, Business & Commerce Code, as added by this Act.

SECTION 6. This Act takes effect September 1, 2007.