A BILL TO BE ENTITLED

AN ACT

relating to protection of individual identifying information and consumer credit information from unauthorized use or disclosure.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 20.034(a), Business & Commerce Code, is amended to read as follows:

(a) On written request sent by certified mail that includes proper identification provided by a consumer, a consumer reporting agency shall place a security freeze on a consumer's consumer file not later than the fifth business day after the date the agency receives the request. A security freeze remains in effect until the consumer requests that the security freeze be removed or temporarily lifted as provided by Section 20.037.

SECTION 2. Chapter 20, Business & Commerce Code, is amended by adding Section 20.0387 to read as follows:

Sec. 20.0387. EFFECT OF SECURITY FREEZE ON CONSUMER APPLICATION. If a person requests a consumer report and a security freeze is in effect for the consumer file involved in that report, the person may treat any application submitted by the consumer for an extension of credit or other purpose as incomplete if the consumer does not allow access to the consumer's report for that specific requester or period while the security freeze is in effect.

SECTION 3. Section 501.001, Business & Commerce Code, as effective April 1, 2009, is amended by amending Subsection (a) and adding Subsection (g) to read as follows:

(a) A person, other than a government or a governmental subdivision or agency, may not:

(1) intentionally communicate or otherwise make available to the public an individual's social security number;

(2) display an individual's social security number on a card or other device required to access a product or service provided by the person;

(3) require an individual to transmit the individual's social security number over the Internet unless:

(1) the Internet connection is secure; or

(2) the social security number is encrypted;

(4) require an individual's social security number for access to an Internet website unless a password or unique personal identification number or other authentication device is also required for access; [or]

(5) except as provided by Subsection (f), print an individual's social security number on any material sent by mail, unless state or federal law requires that social security number to be included in the material; or

(6) intentionally disclose an individual's social security number to another person without the individual's written consent, if the person making the disclosure knows or in the exercise of reasonable diligence should know that the person does not have a legitimate purpose for obtaining the individual's social security number.

(g) If an individual's social security number is permitted to be included in material sent by mail under Subsection (f), a person, other than a government or a governmental subdivision or agency, may not:

(1) print any part of the individual's social security number on a postcard or other mailer not requiring an envelope; or

(2) send the material including the individual's social security number by envelope if any part of the social security number is visible without opening the envelope.

SECTION 4. Section 521.052, Business & Commerce Code, as effective April 1, 2009, is amended by amending Subsections (a) and (b) and adding Subsection (b-1) to read as follows:

(a) A business shall adopt written policies and implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.

(b) Subject to Subsection (b-1), a [A] business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business's custody or control that are not to be retained by the business by:

(1) shredding;

(2) erasing; or

(3) otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.

(b-1) A business, after exercising due diligence, may enter into a contract with another business for the destruction of customer records described by Subsection (b). A business that exercises that contracting authority, after exercising due diligence, shall monitor the business that receives customer records for destruction to ensure that it destroys the sensitive personal information contained in the records in a manner consistent with this section. For purposes of this subsection, exercise of due diligence includes:

(1) reviewing an independent audit of the operations of the receiving business or the receiving business's compliance with this section;

(2) obtaining information about the receiving business from multiple references or other reliable sources;

(3) requiring that the receiving business be certified by a recognized trade association or similar association with a reputation for high standards of quality review;

(4) reviewing and evaluating the information security policies or procedures of the receiving business; and

(5) taking any other appropriate measure to determine the competency and integrity of the receiving business.

SECTION 5. Section 521.053, Business & Commerce Code, as effective April 1, 2009, is amended by amending Subsections (d), (e), and (h) and adding Subsection (e-1) to read as follows:

(d) A person may delay providing notice as required by Subsection (b) or (c) at the request of a law enforcement agency that determines that the notification will impede a criminal investigation or jeopardize national or homeland security. The agency's request must be made in writing or contemporaneously documented by the person in writing and must include the names of the law enforcement officer making the request and the agency. The notification shall be made as soon as the law enforcement agency determines that the notification will not compromise the investigation or jeopardize national or homeland security.

(e) Subject to Subsection (e-1), a [A] person may give notice as required by Subsection (b) or (c) by providing:

(1) written notice;

(2) electronic notice, if the notice is provided in accordance with 15 U.S.C. Section 7001;

(2-a) telephonic notice directly to an affected person; or

(3) notice as provided by Subsection (f).

(e-1) The notice required by Subsection (b) or (c) must:

(1) be clear and, if in writing, conspicuous;

(2) include a general description of the incident;

(3) describe the type of sensitive personal information accessed and acquired;

(4) include a general description of the measures the business has taken to protect against a further breach of system security;

(5) include a telephone number that the affected person may call for further information and assistance; and

(6) include a statement advising the affected person to review account statements and access and monitor free credit reports available to the person.

(h) If a person is required by this section to notify at one time more than 1,000 [10,000] persons of a breach of system security, the person shall also notify each consumer reporting agency, as defined by 15 U.S.C. Section 1681a, that maintains files on consumers on a nationwide basis and the consumer protection division of the attorney general's office, of the timing, distribution, and content of the notices. The person shall provide the notice required by this subsection without unreasonable delay.

SECTION 6. Section 521.152, Business & Commerce Code, as effective April 1, 2009, is amended to read as follows:

Sec. 521.152. DECEPTIVE TRADE PRACTICE. (a) A violation of Section 521.051 or 521.052 is a deceptive trade practice actionable under Subchapter E, Chapter 17.

(b) Any damages assessed against a business for a violation of Section 521.052 resulting from the acts or omissions of the business's nonmanagerial employees may not be trebled unless the business was negligent in the training, supervision, or monitoring of those employees.

SECTION 7. Subchapter D, Chapter 521, Business & Commerce Code, as effective April 1, 2009, is amended by adding Section 521.153 to read as follows:

Sec. 521.153. PRIVATE RIGHT OF ACTION. An individual injured by a violation of Section 521.053 may bring an action to recover damages.

SECTION 8. (a) The change in law made by this Act to Section 20.034(a), Business & Commerce Code, applies only to a request for placement of a security freeze on a consumer file that is made on or after the effective date of this Act. A request for placement of a security freeze on a consumer file that is made before the effective date of this Act is governed by the law in effect immediately before the effective date of this Act, and that law is continued in effect for that purpose.

(b) The changes in law made by this Act to Section 521.053, Business & Commerce Code, apply only to a breach of system security that occurs on or after the effective date of this Act. A breach of system security that occurs before the effective date of this Act is governed by the law in effect immediately before the effective date of this Act, and that law is continued in effect for that purpose.

(c) The changes in law made by this Act to Section 521.152, Business & Commerce Code, apply only to a violation that occurs on or after the effective date of this Act. A violation that occurred before the effective date of this Act is governed by the law in effect immediately before the effective date of this Act, and that law is continued in effect for that purpose.

(d) Section 521.153, Business & Commerce Code, as added by this Act, applies only to a violation that occurs on or after the effective date of this Act.

SECTION 9. This Act takes effect September 1, 2009.