85R9050 TSR-F
	By: Elkins	H.B. No. 2333

	A BILL TO BE ENTITLED
	AN ACT
	relating to a breach of system security of a business that exposes
	consumer credit card or debit card information; providing a civil
	penalty.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
	SECTION 1.  Section 521.053(a), Business & Commerce Code, is
	amended to read as follows:
	(a)  In this section, "breach of system security" means
	unauthorized acquisition of computerized data that compromises the
	security, confidentiality, or integrity of sensitive personal
	information, credit card information, or debit card information
	maintained by a person, including data that is encrypted if the
	person accessing the data has the key required to decrypt the data.
	Good faith acquisition of sensitive personal information by an
	employee or agent of the person for the purposes of the person is
	not a breach of system security unless the person uses or discloses
	the sensitive personal information in an unauthorized manner.
	SECTION 2.  Subchapter B, Chapter 521, Business & Commerce
	Code, is amended by adding Sections 521.054 and 521.055 to read as
	follows:
	Sec. 521.054.  BREACH INVOLVING CREDIT CARD OR DEBIT CARD
	INFORMATION. (a) A business that accepts a credit card or debit
	card for payment and retains any data related to the card other than
	a confirmation number for the transaction shall secure the retained
	information from a breach of system security, as defined by Section
	521.053.
	(b)  If a breach of system security occurs in which credit
	card or debit card information is compromised, the business shall:
	(1)  not more than 24 hours after the business
	discovers or receives notification of the breach of system
	security, send notice of the breach to the attorney general; and
	(2)  as soon as practicable after the business
	discovers or receives notification of the breach of system
	security, send notice of the breach to each financial institution
	that issued a credit or debit card affected by the breach.
	Sec. 521.055.  DATA SECURITY BREACH VICTIM COMPENSATION
	FUND. (a) The data security breach victim compensation fund is
	created as a dedicated account in the general revenue fund.
	(b)  The fund consists of money collected under Section
	521.1515.
	(c)  Money in the fund may be appropriated only to the
	attorney general to:
	(1)  pay claims to consumers who have suffered
	financial loss in relation to a breach of system security under
	Section 521.054; and
	(2)  reimburse a financial institution for costs
	associated with a breach of system security under Section 521.054.
	(d)  The office of the attorney general shall develop a
	claims process to make payments from the fund in accordance with
	Subsection (c).
	SECTION 3.  Subchapter D, Chapter 521, Business & Commerce
	Code, is amended by adding Section 521.1515 to read as follows:
	Sec. 521.1515.  ADDITIONAL CIVIL PENALTY. (a) In addition
	to penalties assessed under Section 521.151, a business that fails
	to secure the business's computer system and suffers a breach of
	system security described by Section 521.054 is liable to this
	state for a civil penalty of $50 for each credit card and debit card
	from which information was compromised.
	(b)  The attorney general may bring an action to recover a
	civil penalty under this section. Amounts collected by the attorney
	general under this section shall be deposited to the credit of the
	data security breach victim compensation fund created under Section
	521.055 and may be appropriated only as provided by that section.
	SECTION 4.  The changes in law made by this Act apply only to
	a breach of system security that occurs on or after the effective
	date of this Act. A breach of system security that occurs before the
	effective date of this Act is governed by the law in effect at the
	time the breach occurred, and that law is continued in effect for
	that purpose.
	SECTION 5.  This Act takes effect September 1, 2017.