| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to a breach of computer security involving sensitive |
|
|
personal information. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 521.002(a)(2), Business & Commerce Code, |
|
|
as effective April 1, 2009, is amended to read as follows: |
|
|
(2) "Sensitive personal information" means, subject |
|
|
to Subsection (b): |
|
|
(A) [,] an individual's first name or first |
|
|
initial and last name in combination with any one or more of the |
|
|
following items, if the name and the items are not encrypted: |
|
|
(i) [(A)] social security number; |
|
|
(ii) [(B)] driver's license number or |
|
|
government-issued identification number; or |
|
|
(iii) [(C)] account number or credit or |
|
|
debit card number in combination with any required security code, |
|
|
access code, or password that would permit access to an |
|
|
individual's financial account; or |
|
|
(B) information that identifies an individual |
|
|
and relates to: |
|
|
(i) the physical or mental health or |
|
|
condition of the individual; |
|
|
(ii) the provision of health care to the |
|
|
individual; or |
|
|
(iii) payment for the provision of health |
|
|
care to the individual. |
|
|
SECTION 2. Section 521.053(a), Business & Commerce Code, as |
|
|
effective April 1, 2009, is amended to read as follows: |
|
|
(a) In this section, "breach of system security" means |
|
|
unauthorized acquisition of computerized data that compromises the |
|
|
security, confidentiality, or integrity of sensitive personal |
|
|
information maintained by a person, including data that is |
|
|
encrypted if the person accessing the data has the key required to |
|
|
decrypt the data. Good faith acquisition of sensitive personal |
|
|
information by an employee or agent of the person for the purposes |
|
|
of the person is not a breach of system security unless the person |
|
|
uses or discloses the sensitive personal information in an |
|
|
unauthorized manner. |
|
|
SECTION 3. Subchapter F, Chapter 2054, Government Code, is |
|
|
amended by adding Section 2054.1125 to read as follows: |
|
|
Sec. 2054.1125. SECURITY BREACH NOTIFICATION BY STATE |
|
|
AGENCY. (a) In this section: |
|
|
(1) "Breach of system security" has the meaning |
|
|
assigned by Section 521.053, Business & Commerce Code. |
|
|
(2) "Sensitive personal information" has the meaning |
|
|
assigned by Section 521.002, Business & Commerce Code. |
|
|
(b) A state agency that owns, licenses, or maintains |
|
|
computerized data that includes sensitive personal information |
|
|
shall comply, in the event of a breach of system security, with the |
|
|
notification requirements of Section 521.053, Business & Commerce |
|
|
Code, to the same extent as a person who conducts business in this |
|
|
state. |
|
|
SECTION 4. Chapter 205, Local Government Code, is amended |
|
|
by adding Section 205.010 to read as follows: |
|
|
Sec. 205.010. SECURITY BREACH NOTIFICATION BY LOCAL |
|
|
GOVERNMENT. (a) In this section: |
|
|
(1) "Breach of system security" has the meaning |
|
|
assigned by Section 521.053, Business & Commerce Code. |
|
|
(2) "Sensitive personal information" has the meaning |
|
|
assigned by Section 521.002, Business & Commerce Code. |
|
|
(b) A local government that owns, licenses, or maintains |
|
|
computerized data that includes sensitive personal information |
|
|
shall comply, in the event of a breach of system security, with the |
|
|
notification requirements of Section 521.053, Business & Commerce |
|
|
Code, to the same extent as a person who conducts business in this |
|
|
state. |
|
|
SECTION 5. The changes in law made by this Act apply only to |
|
|
a breach of system security that occurs on or after the effective |
|
|
date of this Act. A breach of system security that occurs before the |
|
|
effective date of this Act is governed by the law in effect on the |
|
|
date the breach occurred, and the former law is continued in effect |
|
|
for that purpose. |
|
|
SECTION 6. This Act takes effect September 1, 2009. |