A BILL TO BE ENTITLED

AN ACT

relating to a business's duty to protect sensitive personal information contained in its customer records.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 521.052, Business & Commerce Code, as effective April 1, 2009, is amended to read as follows:

Sec. 521.052. BUSINESS DUTY TO PROTECT SENSITIVE PERSONAL INFORMATION. (a) In this section:

(1) "Access device" means a card or device issued by a financial institution that contains a magnetic stripe, microprocessor chip, or other means for storing information. The term includes a credit card, debit card, or stored value card.

(2) "Breach of system security" has the meaning assigned by Section 521.053.

(3) "Financial institution" has the meaning assigned by 15 U.S.C. Section 6809.

(b) A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.

(c) A business that, in the regular course of business and in connection with an access device, collects sensitive personal information or stores or maintains sensitive personal information in a structured database or unstructured files must comply with payment card industry data security standards.

(d) [(b)] A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business's custody or control that are not to be retained by the business by:

(1) shredding;

(2) erasing; or

(3) otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.

(e) A financial institution may bring an action against a business that is subject to a breach of system security if, at the time of the breach, the business is in violation of Subsection (c). A court may not certify an action brought under this subsection as a class action.

(f) Before filing an action under Subsection (e), a financial institution must provide to the business written notice requesting that the business provide certification or an assessment of the business's compliance with payment card industry data security standards. The certification or assessment must be issued by a payment card industry-approved auditor or another person authorized to issue that certification or assessment under payment card industry data security standards. The court shall, on a motion, dismiss an action brought under Subsection (e) with prejudice to the refiling of the action if the business provides to the financial institution the certification or assessment of compliance required under this subsection not later than the 30th day after receiving the notice.

(g) A presumption that a business has complied with Subsection (c) exists if:

(1) the business contracts for or otherwise uses the services of a third party to collect, maintain, or store sensitive personal information in connection with an access device;

(2) the business requires that the third party attest to or offer proof of compliance with payment card industry data security standards; and

(3) the business contractually requires the third party's continued compliance with payment card industry data security standards.

(h) A financial institution that brings an action under Subsection (e) may obtain actual damages arising from the violation. Actual damages include any cost incurred by the financial institution in connection with:

(1) the cancellation or reissuance of an access device affected by the breach;

(2) the closing of a deposit, transaction, share draft, or other account affected by the breach and any action to stop payment or block a transaction with respect to the account;

(3) the opening or reopening of a deposit, transaction, share draft, or other account affected by the breach;

(4) a refund or credit made to an account holder to cover the cost of any unauthorized transaction related to the breach; and

(5) the notification of account holders affected by the breach.

(i) In an action brought under Subsection (e), the court shall award the prevailing party reasonable attorney's fees and costs, except that a business may not be awarded reasonable attorney's fees and costs unless the court is presented proof that the business provided the certification or assessment of compliance with security standards to the financial institution within the period prescribed by Subsection (f).

(j) [(c)] This section does not apply to a financial institution, except that a financial institution that is injured following a breach of system security of a business's computerized data may bring an action under Subsection (e) and may be held liable for attorney's fees and costs for an action brought under that subsection as provided by Subsection (i) [as defined by 15 U.S.C. Section 6809].

SECTION 2. This Act takes effect January 1, 2011.