BILL ANALYSIS

 

 

Senate Research Center    S.B. 1884

81R4365 EAH-F    By: Ellis

Government Organization

4/13/2009

As Filed

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

Texans are under an increasing threat of identity theft and other types of fraud, with more than 35 million records with personal information being compromised in 2008. 

 

As proposed, S.B. 1884 requires all state and local agencies to notify individuals, through certain methods, when their private information has been accessed without the appropriate authorization.  The bill authorizes public entities to post information on their websites or make announcements on state and national media when the cost of notifying individuals exceeds $50,000, the number of affected individuals exceeds 100,000, or there is not enough contact information to reach the appropriate individual.

 

RULEMAKING AUTHORITY

 

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1.  Amends Subtitle B, Title 10, Government Code, by adding Chapter 2061, as follows:

 

CHAPTER 2061.  SECURITY BREACH NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT

 

Sec. 2061.001.  DEFINITIONS.  (a)  Defines "breach of system security," "local government," "sensitive personal information," and "state agency."

 

(b)  Provides that for the purposes of this chapter, "sensitive personal information" does not include publicly available information that is lawfully made available to the public by the federal government or a state or local government.

 

Sec. 2061.002.  NOTIFICATION REQUIRED FOLLOWING BREACH OF SYSTEM SECURITY.  (a)  Requires a state agency or local government that owns or licenses computerized data that includes sensitive personal information to disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired as a result of the breach by an unauthorized person who commits, or who the state agency or local government reasonably believes has committed or will commit, identity theft or other fraud against any individual.  Requires that the disclosure be made as quickly as possible, except as provided by Subsection (c) or as necessary to determine the scope of the breach and reasonably restore the integrity of the data system.

 

(b)  Requires a state agency or local government that maintains computerized data that includes sensitive personal information not owned or licensed by the state agency or local government to notify the owner of the information of any breach of system security as soon as practicable after discovering the breach.

 

(c)  Authorizes a state agency or local government to delay providing notice as required by Subsection (a) or (b) at the request of a law enforcement agency that determines that the notification will impede a civil or criminal investigation or jeopardize homeland security.  Requires that the investigation be made without unreasonable delay after the law enforcement agency determines that notification will not compromise the investigation or jeopardize homeland security.

 

(d)  Authorizes a state agency or local government to give notice as required by Subsection (a) or (b) by providing written notice sent by mail; telephone notice; electronic notice, if the notice is provided in accordance with 15 U.S.C. Section 7001; or notice as provided by Subsection (e).

 

(e)  Authorizes that the notice, if the state agency or local government required to give notice under Subsection (a) or (b) demonstrates that the cost of providing notice would exceed $50,000, the number of affected persons exceeds 100,000, or the state agency or local government does not have sufficient contact information, be given by electronic mail, if the state agency or local government has electronic mail addresses for the affected persons; conspicuous posting of the notice on the Internet website of the state agency or local government; or notice published in or broadcast on major national media.

 

(f)  Provides that, notwithstanding any other provision of this chapter, a state agency or local government is not required to comply with this chapter if the state agency or local government complies with the notification requirements under Chapter 521 (Unauthorized Use of Identifying Information), Business & Commerce Code, or a federal or state law that has notice requirements at least as stringent as the requirements under this chapter.

 

SECTION 2.  Makes application of this Act prospective.

 

SECTION 3.  Effective date:  September 1, 2009.