LEGISLATIVE BUDGET BOARD
Austin, Texas
 
FISCAL NOTE, 81ST LEGISLATIVE REGULAR SESSION
 
April 22, 2009

TO:
Honorable Rodney Ellis, Chair, Senate Committee on Government Organization
 
FROM:
John S. O'Brien, Director, Legislative Budget Board
 
IN RE:
SB1884 by Ellis (relating to a breach of computer security involving sensitive personal information and the confidentiality of protected health information.), Committee Report 1st House, Substituted

No significant fiscal implication to the State is anticipated.

The bill would amend the Government Code and the Local Government Code to require state agencies and local governments to notify affected individuals of a computer security breach which discloses “sensitive personal information,” such as an individual’s name and Social Security number, driver’s license number, financial account information, or certain health information.

Notice shall be given as prescribed by current requirements in Section 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state.

The bill would amend the Health and Safety Code to define an individual's health information that is not public information.

The Office of the Attorney General (OAG) reported that its policy has always been to inform affected individuals of any breach of personal data. The OAG has taken necessary precautions to protect sensitive information, but there are certain internal factors (i.e., staff and/or contractors) that could compromise the integrity of system information and/or access, resulting in the removal of sensitive computer information. Costs to the agency will depend on the number and size of security breaches that could occur in the future.

The Department of Information Resources reported that its privacy incident response process and major contracts with outside vendors include provisions for notification to individuals following a privacy breach incident. These documents could be amended to align with the definitions and requirements of the proposed legislation with in-house resources.

If an agency chose to send written notice by mail, then it is assumed that the cost for notification by mail would be approximately 50 cents for each affected individual. It is also assumed that, statewide, the number of affected individuals and the frequency of computer security breaches would not be high enough to require enough notifications by mail to create a significant fiscal impact to the State.


Local Government Impact

The fiscal impact to local governmental entities would vary depending on several factors, including the type of computer technology an entity uses, the number of security breaches, and the method used for notifying individuals.



Source Agencies:
212 Office of Court Administration, Texas Judicial Council, 301 Office of the Governor, 302 Office of the Attorney General, 303 Facilities Commission, 304 Comptroller of Public Accounts, 313 Department of Information Resources, 320 Texas Workforce Commission, 327 Employees Retirement System, 405 Department of Public Safety, 452 Department of Licensing and Regulation, 504 Texas State Board of Dental Examiners, 520 Board of Examiners of Psychologists, 529 Health and Human Services Commission
LBB Staff:
JOB, KK, SD, PJK, KJG, TP