BILL ANALYSIS
Senate Research Center H.B. 2004
By: McCall (Ellis)
AUTHOR'S / SPONSOR'S STATEMENT OF INTENT
Texans are under an increasing threat of identity theft and other types of fraud, with more than 35 million records containing personal information being compromised in 2008. Between January 2005 and December 2008, Texas-based public and private sector organizations reported 92 incidents involving the exposure of privacy data. This affected the records of approximately three million individuals, over 12 percent of the state’s population, with the cost estimated at an all-time high of $202 per record exposed. In Texas, almost 75 percent of computer intrusions originate from outside of the United States. There are literally millions of attacks launched against state information systems every day. Although most of these attacks are blocked, prevented, or result in minor disruptions, state entities report a daily average of almost 300 security incidents, including malicious code execution, unauthorized access to data, and service disruptions. Some of the public entities affected by such activities include universities and city government websites.
H.B. 2004 requires state and local agencies to notify individuals when their sensitive personal information has been acquired as a result of an unauthorized breach. Agencies must contact persons through various mediums, including written communication or electronic communication. In certain instances, an agency may use other methods for notifying affected parties of breaches of security. The bill also expands the definition of business to include nonprofit athletic associations.
H.B. 2004 amends current law relating to a breach of computer security involving sensitive personal information and to the protection of sensitive personal information and certain protected health information.
RULEMAKING AUTHORITY
This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.
SECTION BY SECTION ANALYSIS
SECTION 1. Amends Section 521.002(a)(2), Business & Commerce Code, as effective April 1, 2009, to redefine "sensitive personal information."
SECTION 2. Amends Section 521.052, Business & Commerce Code, by adding Subsection (d), to define "business."
SECTION 3. Amends Section 521.053(a), Business & Commerce Code, as effective April 1, 2009, to redefine "breach of system security."
SECTION 4. Amends Subchapter F, Chapter 2054, Government Code, by adding Section 2054.1125, as follows:
Sec. 2054.1125. SECURITY BREACH NOTIFICATION BY STATE AGENCY. (a) Defines "breach of system security" and "sensitive personal information."
(b) Requires a state agency that owns, licenses, or maintains computerized data that includes sensitive personal information to comply, in the event of a breach of system security, with the notification requirements of Section 521.053 (Notification Required Following Breach of Security of Computerized Data), Business & Commerce Code, to the same extent as a person who conducts business in this state.
SECTION 5. Amends Subchapter A, Chapter 181, Health and Safety Code, by adding Section 181.006, as follows:
Sec. 181.006. PROTECTED HEALTH INFORMATION NOT PUBLIC. Provides that an individual's protected health information, for a covered entity that is a governmental unit, includes any information that reflects that an individual received health care from the covered entity, and is not public information and is not subject to disclosure under Chapter 552 (Public Information), Government Code.
SECTION 6. Amends Chapter 205, Local Government Code, by adding Section 205.010, as follows:
Sec. 205.010. SECURITY BREACH NOTIFICATION BY LOCAL GOVERNMENT. (a) Defines "breach of system security" and "sensitive personal information."
(b) Requires a local government that owns, licenses, or maintains computerized data that includes sensitive personal information to comply, in the event of a breach of system security, with the notification requirements of Section 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state.
SECTION 7. Makes application of this Act prospective.
SECTION 8. Effective date: September 1, 2009.