Honorable René Oliveira, Chair, House Committee on Business & Industry
FROM:
Ursula Parks, Director, Legislative Budget Board
IN RE:
HB3478 by Elkins (Relating to a breach of system security of a business that exposes consumer credit card or debit card information; providing a civil penalty.), As Introduced
Estimated Two-year Net Impact to General Revenue Related Funds for HB3478, As Introduced: a negative impact of ($28,687,228) through the biennium ending August 31, 2017.
The bill would make no appropriation but could provide the legal basis for an appropriation of funds to implement the provisions of the bill.
Fiscal Year
Probable Net Positive/(Negative) Impact to General Revenue Related Funds
2016
($15,281,730)
2017
($13,405,498)
2018
($11,705,498)
2019
($11,705,498)
2020
($11,705,498)
Fiscal Year
Probable Savings/(Cost) from General Revenue Fund 1
Probable Savings/(Cost) from Data Security Breach Victim Compensation Fund
Change in Number of State Employees from FY 2015
2016
($15,281,730)
$800,000
165.0
2017
($13,405,498)
$2,376,675
165.0
2018
($11,705,498)
$2,376,675
165.0
2019
($11,705,498)
$2,376,675
165.0
2020
($11,705,498)
$2,376,675
165.0
Fiscal Analysis
The bill would amend the Business and Commerce Code to create the Data Security Breach Victim Compensation Fund as a dedicated account in the General Revenue Fund and direct the funds be appropriated to the Office of the Attorney General to compensate certain victims and reimburse financial institutions relating to a breach of system security involving credit or debit card information.
Under the bill provisions, the Office of the Attorney General indicated the fiscal impact for processing claims and reimbursement related to system security breaches would be $15,281,730 in fiscal year 2016, $13,405,498 in fiscal year 2017, and $11,705,498 each fiscal year from 2018-2020. Costs include salaries for 165.0 FTEs, general operating, lease space, travel, capital equipment, and benefits.
The Data Security Breach Victim Compensation Fund would be funded through civil penalties against businesses that fail to protect against breaches of system security. The Comptroller of Public Accounts estimates $800,000 in civil penalties in fiscal year 2016. The Office of the Attorney General estimates the amount of civil penalties collected annually under the bill provisions for the Data Security Breach Victim Compensation Fund would be $2,376,675.
This legislation would do one or more of the following: create or recreate a dedicated account in the General Revenue Fund, create or recreate a special or trust fund either with or outside of the Treasury, or create a dedicated revenue source. The fund, account, or revenue dedication included in the bill would be subject to funds consolidation review by the current Legislature.
The Comptroller of Public Accounts indicated the costs associated with implementation of the bill could be absorbed with existing resources.
The bill would take effect September 1, 2015.
Methodology
Currently, the state does not collect civil penalties or provide compensation related to breaches of system security involving credit or debit card information. The Office of the Attorney General currently processes applications for compensation related to certain criminally injurious conduct. In fiscal year 2014, there were 25,145 applications processed by the 98.0 FTEs of the Crime Victims Compensation program.
The Office of the Attorney General assumes the following related to the bill provisions:
1) There would be 66,547 new applications for individual compensation each fiscal year; 2) There would be 190,134 incidents for which financial institutions could be reimbursed; and 3) The agency would seek to collect civil penalties from 95,067 businesses.
The Comptroller of Public Accounts assumes $800,000 in collected civil penalties in the first fiscal year. The OAG assumes there would be $2,376,675 collected in civil penalties each fiscal year thereafter.
Based on the above assumptions, the Office of the Attorney General estimates the litigation related to collecting civil penalties and administrative needs for compensation and reimbursement payments would require four Assistant Attorney General III (4.0 FTEs), one Assistant Attorney General IV (1.0 FTEs), one Assistant Attorney General V (1.0 FTEs), six Legal Assistant III (6.0 FTEs), eleven Administrative Assistant I (11.0 FTEs), fourteen Administrative Assistant II (14.0 FTEs), twenty four Administrative Assistant III (24.0 FTEs), one Director I (1.0 FTEs), one Director III (1.0 FTEs), one Executive Assistant I (1.0 FTEs), one Program Supervisor III (1.0 FTEs), two Program Supervisor IV (2.0 FTEs), forty one Accountant I (41.0 FTEs), one Accountant IV (1.0 FTEs), and fifty six Reimbursement Officer III (56.0 FTEs) with a combined fiscal year cost of $9,266,993 for salaries ($6,921,865) and related benefits ($2,345,128).
Under the bill provisions, the revenue collected from civil penalties (estimated to be $2,376,675) would be used for compensation and reimbursement payments and could not be used for litigation and administrative purposes.
Additionally, the Office of the Attorney General anticipates the creation of a Data Breach Victim Compensation Claims Management System would be necessary under the bill provisions. The Office of the Attorney General estimates that the claims management system would be developed and deployed in two phases with a total one-time cost of $4,495,283 ($2,495,283 in fiscal year 2016 and $2,000,000 in fiscal year 2017) with a recurring system maintenance fiscal year cost of $300,000 beginning in fiscal year 2018.
Technology
There would be a technology impact related to computer hardware, software, telecommunication equipment, claims management system, and network storage estimated to be $2,663,051 in fiscal year 2016, $2,386,100 in fiscal year 2017, and $686,100 in subsequent fiscal years.
Local Government Impact
No significant fiscal implication to units of local government is anticipated.
Source Agencies:
302 Office of the Attorney General, 304 Comptroller of Public Accounts