The bill would amend the Business and Commerce Code relating to a business’s duty to protect personal information in customer records.  The bill would provide that a business that uses an access device to protect sensitive personal information must comply with payment card industry data security standards.  Also, a financial institution may bring an action against a business and obtain damages and attorney fees.  To the extent the bill would amend court procedures relating to litigation of cases involving business’s protection of customer records, no significant fiscal implication to the state is anticipated.  The bill would take effect January 1, 2009.