A BILL TO BE ENTITLED

AN ACT

relating to a breach of computer security involving sensitive personal information maintained by a state agency or local government.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Subtitle B, Title 10, Government Code, is amended by adding Chapter 2061 to read as follows:

CHAPTER 2061. SECURITY BREACH NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT

Sec. 2061.001. DEFINITIONS. (a) In this chapter:

(1) "Breach of system security" means unauthorized acquisition of computerized data that compromises the security or confidentiality of sensitive personal information maintained by a state agency or local government. Good faith acquisition of sensitive personal information by an employee, contractor, or agent of the state agency or local government for the purposes of the state agency or local government is not a breach of system security unless the employee, contractor, or agent uses or discloses the sensitive personal information in an unauthorized manner.

(2) "Local government" has the meaning assigned by Section 2054.003.

(3) "Sensitive personal information" means, subject to Subsection (b), an individual's first name or first initial and last name in combination with one or more of the following items, if the name and the items are not encrypted or the name and the items are encrypted and the person accessing the information has access to the key required to decrypt the information:

(A) social security number;

(B) driver's license number or government-issued identification number; or

(C) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

(4) "State agency" has the meaning assigned by Section 2054.003.

(b) For purposes of this chapter, "sensitive personal information" does not include publicly available information that is lawfully made available to the public by the federal government or a state or local government.

Sec. 2061.002. NOTIFICATION REQUIRED FOLLOWING BREACH OF SYSTEM SECURITY. (a) A state agency or local government that owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired as a result of the breach by an unauthorized person who commits, or who the state agency or local government reasonably believes has committed or will commit, identity theft or other fraud against any individual. The disclosure shall be made as quickly as possible, except as provided by Subsection (c) or as necessary to determine the scope of the breach and reasonably restore the integrity of the data system.

(b) A state agency or local government that maintains computerized data that includes sensitive personal information not owned or licensed by the state agency or local government shall notify the owner of the information of any breach of system security as soon as practicable after discovering the breach.

(c) A state agency or local government may delay providing notice as required by Subsection (a) or (b) at the request of a law enforcement agency that determines that the notification will impede a civil or criminal investigation or jeopardize homeland security. The notification shall be made without unreasonable delay after the law enforcement agency determines that notification will not compromise the investigation or jeopardize homeland security.

(d) A state agency or local government may give notice as required by Subsection (a) or (b) by providing:

(1) written notice sent by mail;

(2) telephone notice;

(3) electronic notice, if the notice is provided in accordance with 15 U.S.C. Section 7001; or

(4) notice as provided by Subsection (e).

(e) If the state agency or local government required to give notice under Subsection (a) or (b) demonstrates that the cost of providing notice would exceed $50,000, the number of affected persons exceeds 100,000, or the state agency or local government does not have sufficient contact information, the notice may be given by:

(1) electronic mail, if the state agency or local government has electronic mail addresses for the affected persons;

(2) conspicuous posting of the notice on the Internet website of the state agency or local government; or

(3) notice published in or broadcast on major national media.

(f) Notwithstanding any other provision of this chapter, a state agency or local government is not required to comply with this chapter if the state agency or local government complies with the notification requirements under Chapter 521, Business & Commerce Code, or a federal or state law that has notice requirements at least as stringent as the requirements under this chapter.

SECTION 2. The changes in law made by this Act apply only to a breach of system security that occurs on or after the effective date of this Act. A breach of system security that occurs before the effective date of this Act is governed by the law in effect on the date the breach occurred, and the former law is continued in effect for that purpose.

SECTION 3. This Act takes effect September 1, 2009.