81R5250 ACP-D
	By: Paxton	H.B. No. 3904

	A BILL TO BE ENTITLED
	AN ACT
	relating to personal confidential information accessed by an
	employee of a state governmental body; imposing penalties.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
	SECTION 1.  Section 552.023, Government Code, is amended by
	adding Subsection (a-1) to read as follows:
	(a-1)  A person or a person's authorized representative that
	has a special right of access to information under Subsection (a)
	must provide evidence satisfactory to the officer for public
	information of the governmental body that the person has the
	special right of access to that information.
	SECTION 2.  Chapter 559, Government Code, is amended by
	designating Sections 559.001, 559.002, 559.003, 559.004, and
	559.005 as Subchapter A and adding a heading for Subchapter A to
	read as follows:
	SUBCHAPTER A. REQUIRED NOTICES REGARDING INFORMATION COLLECTED BY A
	STATE GOVERNMENTAL BODY
	SECTION 3.  Section 559.001, Government Code, is amended to
	read as follows:
	Sec. 559.001.  DEFINITIONS [DEFINITION].  In this chapter:
	(1)  "Personal confidential information" includes a
	person's:
	(A)  photograph or computerized image;
	(B)  social security number;
	(C)  driver's license number;
	(D)  home address;
	(E)  home, work, and cellular telephone number;
	(F)  electronic mail address;
	(G)  bank account and other financial
	information;
	(H)  medical or disability information; and
	(I)  similar information.
	(2)  "State[, "state] governmental body" means a
	governmental body as defined by Section 552.003 that is part of
	state government.
	SECTION 4.  Section 559.005(b), Government Code, is amended
	to read as follows:
	(b)  To the extent of a conflict between this subchapter
	[chapter] and the public information law, Chapter 552, Chapter 552
	controls.
	SECTION 5.  Chapter 559, Government Code, is amended by
	adding Subchapter B to read as follows:
	SUBCHAPTER B. ACCESS BY A STATE GOVERNMENTAL BODY TO PERSONAL
	CONFIDENTIAL INFORMATION
	Sec. 559.011.  UNAUTHORIZED ACCESS TO PERSONAL CONFIDENTIAL
	INFORMATION.  The attorney general shall adopt rules for use by each
	state governmental body to control access to personal confidential
	information collected or maintained by that state governmental
	body. The rules must prescribe guidelines that assist each state
	governmental body in:
	(1)  identifying each employee of the state
	governmental body who may access personal confidential
	information;
	(2)  establishing procedures to authorize an employee
	of the state governmental body to access personal confidential
	information;
	(3)  maintaining a list of reasons that an employee of
	the state governmental body may access personal confidential
	information;
	(4)  maintaining a list of each employee of the state
	governmental body who accesses personal confidential information;
	and
	(5)  making available to each employee of the state
	governmental body copies of the laws of this state and federal law
	that regulate the dissemination of personal confidential
	information.
	Sec. 559.012.  DIRECTOR OF PRIVACY. (a) Each state
	governmental body shall designate an employee as the director of
	privacy.
	(b)  The director of privacy shall develop and publish an
	evaluation of the risks and effects of collecting and maintaining
	personal confidential information by the state governmental body.
	(c)  The director of privacy shall work with the attorney
	general to prevent unauthorized access to personal confidential
	information collected or maintained by the state governmental body.
	Sec. 559.013.  PERSONAL CONFIDENTIAL INFORMATION POLICY.
	(a)  A state employee who engages in conduct constituting an offense
	under Section 559.017 or a policy adopted under Subsection (c) is
	subject to termination of the employee's state employment or
	another employment-related sanction.
	(b)  Each state governmental body shall:
	(1)  adopt a written personal confidential information
	policy for the state governmental body's employees consistent with
	the standards prescribed by provisions of this subchapter;
	(2)  distribute a copy of the personal confidential
	information policy and this subchapter to:
	(A)  each new employee not later than the third
	business day after the date the person begins employment with the
	state governmental body; and
	(B)  each new officer not later than the third
	business day after the date the person qualifies for office;
	(3)  provide appropriate training concerning the
	personal confidential information policy, in accordance with rules
	adopted by the attorney general, to employees and officers;
	(4)  post a copy of the personal confidential
	information policy next to the sign that the state governmental
	body posts under Section 552.205; and
	(5)  make available on the state governmental body's
	Internet website a copy of the personal confidential information
	policy.
	(c)  The office of the attorney general shall develop and
	distribute a model policy that a state governmental body may use in
	adopting a state governmental body personal confidential
	information policy under Subsection (b).  A state governmental
	body is not required to adopt the model policy developed under this
	subsection.
	(d)  Not later than November 1, 2009, the office of the
	attorney general shall:
	(1)  develop a model personal confidential information
	policy as required by Subsection (c); and
	(2)  distribute the policy to each state governmental
	body required to adopt a policy under Subsection (b).
	(e)  Not later than January 1, 2010, each state governmental
	body shall:
	(1)  adopt a policy as required by Subsection (b); and
	(2)  distribute a copy of that policy and this
	subchapter to each employee of the state governmental body.
	(f)  Subsections (d) and (e) and this subsection expire
	September 1, 2011.
	Sec. 559.014.  PROTECTION OF INFORMATION. (a) Each state
	governmental body shall require passwords to access personal
	confidential information that is maintained in an electronic
	format.
	(b)  Each state agency shall secure personal confidential
	information that is maintained as a paper record.
	Sec. 559.015.  NOTIFICATION REQUIRED FOLLOWING UNAUTHORIZED
	ACCESS TO CONFIDENTIAL PERSONAL INFORMATION. A state governmental
	body shall promptly disclose any unauthorized access to personal
	confidential information to any individual whose personal
	confidential information was accessed.
	Sec. 559.016.  CIVIL REMEDY. A person who knowingly
	accesses personal confidential information collected or maintained
	by a state governmental body and is not authorized to access that
	information under the policies of the state governmental body is
	liable to a person injured or damaged by the access to the
	information or a resulting disclosure of the information for:
	(1)  actual damages, including damages for personal
	injury or damage, lost wages, defamation, or mental or other
	emotional distress;
	(2)  reasonable attorney's fees and court costs; and
	(3)  exemplary damages as provided by Chapter 41, Civil
	Practice and Remedies Code.
	Sec. 559.017.  CRIMINAL PENALTY.  (a)  A person commits an
	offense if the person knowingly accesses personal confidential
	information collected or maintained by a state governmental body
	that the person is not authorized to access under the policies of
	the state governmental body.
	(b)  An officer or employee of a state governmental body
	commits an offense if the officer or employee knowingly:
	(1)  accesses personal confidential information
	collected or maintained by a state governmental body for a purpose
	other than the purpose for which the information was collected and
	for a purpose unrelated to the law that permitted the officer or
	employee to obtain authorization to access the information;
	(2)  permits inspection of the personal confidential
	information by a person who is not authorized to inspect the
	information; or
	(3)  discloses the personal confidential information
	to a person who is not authorized to receive the information.
	(c)  For purposes of Subsection (b), a member of an advisory
	committee to a state governmental body who obtains access to
	confidential information in that capacity is considered to be an
	officer or employee of the state governmental body.
	(d)  An offense under this section is a Class A misdemeanor.
	(e)  A violation under this section constitutes official
	misconduct.
	Sec. 559.018.  CERTAIN INFORMATION MAINTAINED BY THE
	COMPTROLLER. (a)  The comptroller by rule shall develop and
	implement a system that records each time an employee accesses any
	database system that is created or for which the comptroller
	contracts that relates to taxes collected by the comptroller.
	(b)  The comptroller shall use the information collected
	under Subsection (a) to determine if an employee of the comptroller
	accesses a database which the employee does not have authorization
	to access.
	Sec. 559.019.  ROLE OF ATTORNEY GENERAL. (a) The attorney
	general shall:
	(1)  review each state governmental body's policies
	regarding confidential personal information; and
	(2)  enforce this subchapter.
	(b)  The attorney general may submit a report to the
	legislature that contains recommendations regarding the personal
	confidential information that state governmental bodies collect
	and maintain.
	SECTION 6.  This Act takes effect immediately if it receives
	a vote of two-thirds of all the members elected to each house, as
	provided by Section 39, Article III, Texas Constitution.  If this
	Act does not receive the vote necessary for immediate effect, this
	Act takes effect September 1, 2009.