AUTHOR'S / SPONSOR'S STATEMENT OF INTENT
Many state entities collect data from their members, patients, users, and customers in the ordinary course of their duties. This aggregated data that can then be utilized to analyze consumer habits, health trends, and other statistical information. This data has been known to be sold to private institutions or research companies. In order to maintain an individual’s privacy, this data undergoes a “de-identification” or "anonymization" process to scrub the data of any information which may be directly tied to an individual. This process removes certain personal identifiers such as name and Social Security number from the database.
Unfortunately, in many circumstances the de-identification process does not adequately protect individuals, as it can be relatively easy to “re-identify” the data and expose individuals’ sensitive information. Re-identification is the process by which anonymized personal data is matched with its true owner. Although consumers may believe that redaction of certain information (like Social Security numbers) is an adequate privacy measure, a professor and researcher from Carnegie Mellon conducted a study that reveals the assignment of Social Security numbers actually follows predictable trends and can be determined through re-identified data.
The state has a substantial interest in protecting its citizens’ personal information. S.B. 1213 seeks to protect any de-identified data released by the state or a state entity from being re-identified. This bill would make it a Class A misdemeanor to violate the re-identification law and also create a private cause of action for any individual who is harmed by re-identification or release of the private information.
As proposed, S.B. 1213 amends current law relating to prohibiting the reidentification of certain deidentified information and the release of any reidentified information and creates a criminal offense.
RULEMAKING AUTHORITY
This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.
SECTION BY SECTION ANALYSIS
SECTION 1. Amends Subtitle A, Title 11, Business & Commerce Code, by adding Chapter 506, as follows:
CHAPTER 506. REIDENTIFICATION OF DEIDENTIFIED INFORMATION
Sec. 506.001. DEFINITIONS. Defines "deidentified information" and "personal identifying information" in this chapter.
Sec. 506.0015. APPLICABILITY. Provides that this chapter applies only to the release of deidentified information by a board, commission, department, or other agency of this state, including an institution of higher education defined by Section 61.003 or a hospital maintained or operated by the state.
Sec. 506.002. PROHIBITED ACTS. (a) Prohibits a person from:
(1) reidentifying or attempting to reidentify an individual who is the subject of deidentified information; or
(2) disclosing or releasing information the person knows was reidentified in violation of this section.
(b) Provides that it is a defense to prosecution under this section that the person:
(1) was reidentifying the information for the purpose of a study or other scholarly research, including performing an evaluation or test of software intended to deidentify information; and
(2) did not release or publish the names or other information identifying any subjects of the reidentified information.
Sec. 506.003. OFFENSE. (a) Provides that a person who violates Section 506.002 commits an offense.
(b) Provides that an offense under this section is a Class A misdemeanor.
Sec. 506.004. PRIVATE CAUSE OF ACTION. Provides that a person who violates Section 506.002 is liable to the individual who is the subject of the information for any damages caused by the reidentification or release of the information.
SECTION 2. Makes application of this Act prospective.
SECTION 3. Effective date: September 1, 2015.