This website will be unavailable from Thursday, May 30, 2024 at 6:00 p.m. through Monday, June 3, 2024 at 7:00 a.m. due to data center maintenance.

BILL ANALYSIS

 

 

Senate Research Center

S.B. 1213

 

By: Kolkhorst

 

Business & Commerce

 

6/29/2015

 

Enrolled

 

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

Many state entities collect data from their members, patients, users, and customers in the ordinary course of their duties. This aggregated data that can then be utilized to analyze consumer habits, health trends, and other statistical information. This data has been known to be sold to private institutions or research companies. In order to maintain an individual’s privacy, this data undergoes a “de-identification” or "anonymization" process to scrub the data of any information which may be directly tied to an individual. This process removes certain personal identifiers such as name and Social Security number from the database.

 

Unfortunately, in many circumstances the de-identification process does not adequately protect individuals, as it can be relatively easy to “re-identify” the data and expose individuals’ sensitive information. Re-identification is the process by which anonymized personal data is matched with its true owner. Although consumers may believe that redaction of certain information (like Social Security numbers) is an adequate privacy measure, a professor and researcher from Carnegie Mellon conducted a study that reveals the assignment of Social Security numbers actually follows predictable trends and can be determined through re-identified data.

 

The state has a substantial interest in protecting its citizens’ personal information. S.B. 1213 seeks to protect any de-identified data released by the state or a state entity from being re-identified. This bill would make it a Class A misdemeanor to violate the re-identification law and also create a private cause of action for any individual who is harmed by re-identification or release of the private information.

 

S.B. 1213 amends current law relating to prohibiting the reidentification of certain deidentified information and the release of reidentified information, creates a criminal offense, and provides a civil penalty.

 

RULEMAKING AUTHORITY

 

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1. Amends Subtitle A, Title 11, Business & Commerce Code, by adding Chapter 506, as follows:

 

CHAPTER 506. REIDENTIFICATION OF DEIDENTIFIED INFORMATION

 

Sec. 506.001. DEFINITIONS. Defines "covered information," "deidentified information," and "personal identifying information" in this chapter.

 

Sec. 506.002. REQUIRED NOTICES. (a) Requires an agency of this state to provide written notice to a person to whom the agency releases deidentified information that the information is deidentified information.

 

(b) Requires a person who sells covered information or otherwise receives compensation for the transfer or disclosure of covered information to provide written notice to the person to whom the information is sold, transferred, or disclosed that the information is deidentified information obtained from an agency of this state.

 

Sec. 506.003. PROHIBITED ACTS. (a) Prohibits a person from:

 

(1) reidentifying or attempting to reidentify personal identifying information about an individual who is the subject of covered information; or

 

(2) knowingly disclosing or releasing covered information that was reidentified in violation of this section.

 

(b) Provides that it is a defense to a civil action or prosecution for a violation of this section that:

 

(1) the person:

 

(A) was reidentifying the covered information for the purpose of a study or other scholarly research, including performing an evaluation or test of software intended to deidentify information; and

 

(B) did not release or publish the names or other information identifying any subjects of the reidentified covered information; or

 

(2) the person obtained informed, written consent from the individual who is the subject of the covered information that specifically referenced the information to be reidentified, disclosed, or released, and authorized the reidentification, disclosure, or release of that information.

 

Sec. 506.004. OFFENSE. (a) Provides that a person who violates Section 506.003 commits an offense.

 

(b) Provides that an offense under this section is a Class A misdemeanor.

 

Sec. 506.005. PRIVATE CAUSE OF ACTION. Provides that a person who violates Section 506.003 is liable to the individual who is the subject of the covered information for statutory damages in an amount of not less than $25 or more than $500 for each violation, not to exceed a total amount of $150,000.

 

Sec. 506.006. CIVIL PENALTY. (a) Provides that, in addition to other penalties and remedies assessed or recovered under this chapter, a person who violates Section 506.003 is liable to this state for a civil penalty in an amount of not less than $25 or more than $500 for each violation, not to exceed a total amount of $150,000.

 

(b) Authorizes the attorney general to bring an action to recover a civil penalty under this section.

 

(c) Entitles the attorney general to recover reasonable expenses incurred in bringing an action under this section, including reasonable attorney's fees, court costs, and investigatory costs.

 

SECTION 2. Makes application of this Act prospective.

 

SECTION 3. Effective date: September 1, 2015.