81R3320 JE-D
 
  By: Carona
  S.B. No. 1911
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to protection of individual identifying information and
  consumer credit information from unauthorized use or disclosure.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 20.034(a), Business & Commerce Code, is
  amended to read as follows:
         (a)  On written request sent by certified mail that includes
  proper identification provided by a consumer, a consumer reporting
  agency shall place a security freeze on a consumer's consumer file
  not later than the fifth business day after the date the agency
  receives the request. A security freeze remains in effect until the
  consumer requests that the security freeze be removed or
  temporarily lifted as provided by Section 20.037.
         SECTION 2.  Chapter 20, Business & Commerce Code, is amended
  by adding Section 20.0387 to read as follows:
         Sec. 20.0387.  EFFECT OF SECURITY FREEZE ON CONSUMER
  APPLICATION. If a person requests a consumer report and a security
  freeze is in effect for the consumer file involved in that report,
  the person may treat any application submitted by the consumer for
  an extension of credit or other purpose as incomplete if the
  consumer does not allow access to the consumer's report for that
  specific requester or period while the security freeze is in
  effect.
         SECTION 3.  Section 501.001, Business & Commerce Code, as
  effective April 1, 2009, is amended by amending Subsection (a) and
  adding Subsection (g) to read as follows:
         (a)  A person, other than a government or a governmental
  subdivision or agency, may not:
               (1)  intentionally communicate or otherwise make
  available to the public an individual's social security number;
               (2)  display an individual's social security number on
  a card or other device required to access a product or service
  provided by the person;
               (3)  require an individual to transmit the individual's
  social security number over the Internet unless:
                     (1)  the Internet connection is secure; or
                     (2)  the social security number is encrypted;
               (4)  require an individual's social security number for
  access to an Internet website unless a password or unique personal
  identification number or other authentication device is also
  required for access; [or]
               (5)  except as provided by Subsection (f), print an
  individual's social security number on any material sent by mail,
  unless state or federal law requires that social security number to
  be included in the material; or
               (6)  intentionally disclose an individual's social
  security number to another person without the individual's written
  consent, if the person making the disclosure knows or in the
  exercise of reasonable diligence should know that the person does
  not have a legitimate purpose for obtaining the individual's social
  security number.
         (g)  If an individual's social security number is permitted
  to be included in material sent by mail under Subsection (f), a
  person, other than a government or a governmental subdivision or
  agency, may not:
               (1)  print any part of the individual's social security
  number on a postcard or other mailer not requiring an envelope; or
               (2)  send the material including the individual's
  social security number by envelope if any part of the social
  security number is visible without opening the envelope.
         SECTION 4.  Section 521.052, Business & Commerce Code, as
  effective April 1, 2009, is amended by amending Subsections (a) and
  (b) and adding Subsection (b-1) to read as follows:
         (a)  A business shall adopt written policies and implement
  and maintain reasonable procedures, including taking any
  appropriate corrective action, to protect from unlawful use or
  disclosure any sensitive personal information collected or
  maintained by the business in the regular course of business.
         (b)  Subject to Subsection (b-1), a [A] business shall
  destroy or arrange for the destruction of customer records
  containing sensitive personal information within the business's
  custody or control that are not to be retained by the business by:
               (1)  shredding;
               (2)  erasing; or
               (3)  otherwise modifying the sensitive personal
  information in the records to make the information unreadable or
  indecipherable through any means.
         (b-1)  A business, after exercising due diligence, may enter
  into a contract with another business for the destruction of
  customer records described by Subsection (b).  A business that
  exercises that contracting authority, after exercising due
  diligence, shall monitor the business that receives customer
  records for destruction to ensure that it destroys the sensitive
  personal information contained in the records in a manner
  consistent with this section. For purposes of this subsection,
  exercise of due diligence includes:
               (1)  reviewing an independent audit of the operations
  of the receiving business or the receiving business's compliance
  with this section;
               (2)  obtaining information about the receiving
  business from multiple references or other reliable sources;
               (3)  requiring that the receiving business be certified
  by a recognized trade association or similar association with a
  reputation for high standards of quality review;
               (4)  reviewing and evaluating the information security
  policies or procedures of the receiving business; and
               (5)  taking any other appropriate measure to determine
  the competency and integrity of the receiving business.
         SECTION 5.  Section 521.053, Business & Commerce Code, as
  effective April 1, 2009, is amended by amending Subsections (d),
  (e), and (h) and adding Subsection (e-1) to read as follows:
         (d)  A person may delay providing notice as required by
  Subsection (b) or (c) at the request of a law enforcement agency
  that determines that the notification will impede a criminal
  investigation or jeopardize national or homeland security.  The
  agency's request must be made in writing or contemporaneously
  documented by the person in writing and must include the names of
  the law enforcement officer making the request and the agency. The
  notification shall be made as soon as the law enforcement agency
  determines that the notification will not compromise the
  investigation or jeopardize national or homeland security.
         (e)  Subject to Subsection (e-1), a [A] person may give
  notice as required by Subsection (b) or (c) by providing:
               (1)  written notice;
               (2)  electronic notice, if the notice is provided in
  accordance with 15 U.S.C. Section 7001;
               (2-a)  telephonic notice directly to an affected
  person; or
               (3)  notice as provided by Subsection (f).
         (e-1)  The notice required by Subsection (b) or (c) must:
               (1)  be clear and, if in writing, conspicuous;
               (2)  include a general description of the incident;
               (3)  describe the type of sensitive personal
  information accessed and acquired;
               (4)  include a general description of the measures the
  business has taken to protect against a further breach of system
  security;
               (5)  include a telephone number that the affected
  person may call for further information and assistance; and
               (6)  include a statement advising the affected person
  to review account statements and access and monitor free credit
  reports available to the person.
         (h)  If a person is required by this section to notify at one
  time more than 1,000 [10,000] persons of a breach of system
  security, the person shall also notify each consumer reporting
  agency, as defined by 15 U.S.C. Section 1681a, that maintains files
  on consumers on a nationwide basis and the consumer protection
  division of the attorney general's office, of the timing,
  distribution, and content of the notices.  The person shall provide
  the notice required by this subsection without unreasonable delay.
         SECTION 6.  Section 521.152, Business & Commerce Code, as
  effective April 1, 2009, is amended to read as follows:
         Sec. 521.152.  DECEPTIVE TRADE PRACTICE.  (a) A violation
  of Section 521.051 or 521.052 is a deceptive trade practice
  actionable under Subchapter E, Chapter 17.
         (b)  Any damages assessed against a business for a violation
  of Section 521.052 resulting from the acts or omissions of the
  business's nonmanagerial employees may not be trebled unless the
  business was negligent in the training, supervision, or monitoring
  of those employees.
         SECTION 7.  Subchapter D, Chapter 521, Business & Commerce
  Code, as effective April 1, 2009, is amended by adding Section
  521.153 to read as follows:
         Sec. 521.153.  PRIVATE RIGHT OF ACTION. An individual
  injured by a violation of Section 521.053 may bring an action to
  recover damages.
         SECTION 8.  (a)  The change in law made by this Act to Section
  20.034(a), Business & Commerce Code, applies only to a request for
  placement of a security freeze on a consumer file that is made on or
  after the effective date of this Act. A request for placement of a
  security freeze on a consumer file that is made before the effective
  date of this Act is governed by the law in effect immediately before
  the effective date of this Act, and that law is continued in effect
  for that purpose.
         (b)  The changes in law made by this Act to Section 521.053,
  Business & Commerce Code, apply only to a breach of system security
  that occurs on or after the effective date of this Act. A breach of
  system security that occurs before the effective date of this Act is
  governed by the law in effect immediately before the effective date
  of this Act, and that law is continued in effect for that purpose.
         (c)  The changes in law made by this Act to Section 521.152,
  Business & Commerce Code, apply only to a violation that occurs on
  or after the effective date of this Act. A violation that occurred
  before the effective date of this Act is governed by the law in
  effect immediately before the effective date of this Act, and that
  law is continued in effect for that purpose.
         (d)  Section 521.153, Business & Commerce Code, as added by
  this Act, applies only to a violation that occurs on or after the
  effective date of this Act.
         SECTION 9.  This Act takes effect September 1, 2009.