TO:	Honorable Helen Giddings, Chair, House Committee on Business & Industry
FROM:	John S. O'Brien, Director, Legislative Budget Board
IN RE:	HB3222 by Elkins (Relating to a business's duty to protect and safeguard sensitive personal information contained in its customer records. ), Committee Report 1st House, Substituted

The bill would amend the Business and Commerce Code relating to a business’s duty to protect personal information in customer records.  The bill would add definitions for an “access device,” which includes credit cards, debit cards, and store gift cards and for “financial institution.”  The bill would require a business that collects sensitive personal information in connection with an access device to comply with payment card industry data security standards and would authorize a financial institution harmed by a breach of business system security to bring a private cause of action against the business for damages.  The bill sets standards for a business to certify compliance with industry data security standards in a court proceeding and guidelines for damages that may be awarded a financial institution.  According to the Office of Attorney General, the bill would not likely result in new cases for the consumer protection or public health divisions.   To the extent the bill would amend court procedures relating to litigation of cases involving business’s protection of customer records, no significant fiscal implication to the State is anticipated.  The bill would take effect September 1, 2007.

Local Government Impact

No significant fiscal implication to units of local government is anticipated.