By: Ellis  S.B. No. 1884
         (In the Senate - Filed March 11, 2009; March 24, 2009, read
  first time and referred to Committee on Government Organization;
  April 23, 2009, reported adversely, with favorable Committee
  Substitute by the following vote:  Yeas 5, Nays 0; April 23, 2009,
  sent to printer.)
 
  COMMITTEE SUBSTITUTE FOR S.B. No. 1884 By:  Nelson
 
 
A BILL TO BE ENTITLED
 
AN ACT
 
  relating to a breach of computer security involving sensitive
  personal information and the confidentiality of protected health
  information.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Subdivision (2), Subsection (a), Section
  521.002, Business & Commerce Code, as effective April 1, 2009, is
  amended to read as follows:
               (2)  "Sensitive personal information" means, subject
  to Subsection (b):
                     (A)  [,] an individual's first name or first
  initial and last name in combination with any one or more of the
  following items, if the name and the items are not encrypted:
                           (i) [(A)]  social security number;
                           (ii) [(B)]  driver's license number or
  government-issued identification number; or
                           (iii) [(C)]  account number or credit or
  debit card number in combination with any required security code,
  access code, or password that would permit access to an
  individual's financial account; or
                     (B)  information that identifies an individual
  and relates to:
                           (i)  the physical or mental health or
  condition of the individual;
                           (ii)  the provision of health care to the
  individual; or
                           (iii)  payment for the provision of health
  care to the individual.
         SECTION 2.  Subsection (a), Section 521.053, Business &
  Commerce Code, as effective April 1, 2009, is amended to read as
  follows:
         (a)  In this section, "breach of system security" means
  unauthorized acquisition of computerized data that compromises the
  security, confidentiality, or integrity of sensitive personal
  information maintained by a person, including data that is
  encrypted if the person accessing the data has the key required to
  decrypt the data.  Good faith acquisition of sensitive personal
  information by an employee or agent of the person for the purposes
  of the person is not a breach of system security unless the person
  uses or discloses the sensitive personal information in an
  unauthorized manner.
         SECTION 3.  Subchapter F, Chapter 2054, Government Code, is
  amended by adding Section 2054.1125 to read as follows:
         Sec. 2054.1125.  SECURITY BREACH NOTIFICATION BY STATE
  AGENCY.  (a)  In this section:
               (1)  "Breach of system security" has the meaning
  assigned by Section 521.053, Business & Commerce Code.
               (2)  "Sensitive personal information" has the meaning
  assigned by Section 521.002, Business & Commerce Code.
         (b)  A state agency that owns, licenses, or maintains
  computerized data that includes sensitive personal information
  shall comply, in the event of a breach of system security, with the
  notification requirements of Section 521.053, Business & Commerce
  Code, to the same extent as a person who conducts business in this
  state.
         SECTION 4.  Subchapter A, Chapter 181, Health and Safety
  Code, is amended by adding Section 181.006 to read as follows:
         Sec. 181.006.  PROTECTED HEALTH INFORMATION NOT PUBLIC.  For
  a covered entity that is a governmental unit, an individual's
  protected health information:
               (1)  includes any information that reflects that an
  individual received health care from the covered entity; and
               (2)  is not public information and is not subject to
  disclosure under Chapter 552, Government Code.
         SECTION 5.  Chapter 205, Local Government Code, is amended
  by adding Section 205.010 to read as follows:
         Sec. 205.010.  SECURITY BREACH NOTIFICATION BY LOCAL
  GOVERNMENT.  (a)  In this section:
               (1)  "Breach of system security" has the meaning
  assigned by Section 521.053, Business & Commerce Code.
               (2)  "Sensitive personal information" has the meaning
  assigned by Section 521.002, Business & Commerce Code.
         (b)  A local government that owns, licenses, or maintains
  computerized data that includes sensitive personal information
  shall comply, in the event of a breach of system security, with the
  notification requirements of Section 521.053, Business & Commerce
  Code, to the same extent as a person who conducts business in this
  state.
         SECTION 6.  The changes in law made by this Act apply only to
  a breach of system security that occurs on or after the effective
  date of this Act.  A breach of system security that occurs before
  the effective date of this Act is governed by the law in effect on
  the date the breach occurred, and the former law is continued in
  effect for that purpose.
         SECTION 7.  This Act takes effect September 1, 2009.
 
  * * * * *