| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to a business's duty to protect sensitive personal |
|
|
information contained in its customer records. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 521.052, Business & Commerce Code, is |
|
|
amended to read as follows: |
|
|
Sec. 521.052. BUSINESS DUTY TO PROTECT SENSITIVE PERSONAL |
|
|
INFORMATION. (a) In this section, "access device" means a card or |
|
|
device issued by a financial institution that contains a magnetic |
|
|
stripe, microprocessor chip, or other means for storing |
|
|
information. The term includes a credit card, debit card, or stored |
|
|
value card. |
|
|
(b) A business shall implement and maintain reasonable |
|
|
procedures, including taking any appropriate corrective action, to |
|
|
protect from unlawful use or disclosure any sensitive personal |
|
|
information collected or maintained by the business in the regular |
|
|
course of business. |
|
|
(c) [(b)] A business shall destroy or arrange for the |
|
|
destruction of customer records containing sensitive personal |
|
|
information within the business's custody or control that are not |
|
|
to be retained by the business by: |
|
|
(1) shredding; |
|
|
(2) erasing; or |
|
|
(3) otherwise modifying the sensitive personal |
|
|
information in the records to make the information unreadable or |
|
|
indecipherable through any means. |
|
|
(d) A business that stores sensitive personal information |
|
|
derived from an access device shall reasonably protect the |
|
|
sensitive personal information against unauthorized access or use. |
|
|
(e) [(c)] This section does not apply to a financial |
|
|
institution as defined by 15 U.S.C. Section 6809. |
|
|
SECTION 2. Section 521.151, Business & Commerce Code, is |
|
|
amended by adding Subsection (a-1) to read as follows: |
|
|
(a-1) If a violation of Section 521.052(d) results in a |
|
|
breach of system security, as defined by Section 521.053, the |
|
|
attorney general in bringing an action under Subsection (a) may |
|
|
seek any order or judgment necessary to compensate a financial |
|
|
institution for actual damages resulting from the violation, |
|
|
including reasonable costs incurred by the financial institution in |
|
|
connection with: |
|
|
(1) the cancellation and reissuance of an access |
|
|
device affected by the breach; |
|
|
(2) the closing of an account affected by the breach |
|
|
and any action to stop payment or block a transaction with respect |
|
|
to the account; |
|
|
(3) the opening or reopening of an account affected by |
|
|
the breach; |
|
|
(4) a refund or credit made to an account holder to |
|
|
cover the cost of any unauthorized transaction related to the |
|
|
breach; and |
|
|
(5) the notification of account holders affected by |
|
|
the breach. |
|
|
SECTION 3. This Act takes effect January 1, 2011. |