85R9050 TSR-F
 
  By: Menéndez S.B. No. 1409
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to a breach of system security of a business that exposes
  consumer credit card or debit card information; providing a civil
  penalty.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 521.053(a), Business & Commerce Code, is
  amended to read as follows:
         (a)  In this section, "breach of system security" means
  unauthorized acquisition of computerized data that compromises the
  security, confidentiality, or integrity of sensitive personal
  information, credit card information, or debit card information
  maintained by a person, including data that is encrypted if the
  person accessing the data has the key required to decrypt the data.
  Good faith acquisition of sensitive personal information by an
  employee or agent of the person for the purposes of the person is
  not a breach of system security unless the person uses or discloses
  the sensitive personal information in an unauthorized manner.
         SECTION 2.  Subchapter B, Chapter 521, Business & Commerce
  Code, is amended by adding Sections 521.054 and 521.055 to read as
  follows:
         Sec. 521.054.  BREACH INVOLVING CREDIT CARD OR DEBIT CARD
  INFORMATION. (a) A business that accepts a credit card or debit
  card for payment and retains any data related to the card other than
  a confirmation number for the transaction shall secure the retained
  information from a breach of system security, as defined by Section
  521.053.
         (b)  If a breach of system security occurs in which credit
  card or debit card information is compromised, the business shall:
               (1)  not more than 24 hours after the business
  discovers or receives notification of the breach of system
  security, send notice of the breach to the attorney general; and
               (2)  as soon as practicable after the business
  discovers or receives notification of the breach of system
  security, send notice of the breach to each financial institution
  that issued a credit or debit card affected by the breach.
         Sec. 521.055.  DATA SECURITY BREACH VICTIM COMPENSATION
  FUND. (a) The data security breach victim compensation fund is
  created as a dedicated account in the general revenue fund.
         (b)  The fund consists of money collected under Section
  521.1515.
         (c)  Money in the fund may be appropriated only to the
  attorney general to:
               (1)  pay claims to consumers who have suffered
  financial loss in relation to a breach of system security under
  Section 521.054; and
               (2)  reimburse a financial institution for costs
  associated with a breach of system security under Section 521.054.
         (d)  The office of the attorney general shall develop a
  claims process to make payments from the fund in accordance with
  Subsection (c).
         SECTION 3.  Subchapter D, Chapter 521, Business & Commerce
  Code, is amended by adding Section 521.1515 to read as follows:
         Sec. 521.1515.  ADDITIONAL CIVIL PENALTY. (a) In addition
  to penalties assessed under Section 521.151, a business that fails
  to secure the business's computer system and suffers a breach of
  system security described by Section 521.054 is liable to this
  state for a civil penalty of $50 for each credit card and debit card
  from which information was compromised.
         (b)  The attorney general may bring an action to recover a
  civil penalty under this section. Amounts collected by the attorney
  general under this section shall be deposited to the credit of the
  data security breach victim compensation fund created under Section
  521.055 and may be appropriated only as provided by that section.
         SECTION 4.  The changes in law made by this Act apply only to
  a breach of system security that occurs on or after the effective
  date of this Act. A breach of system security that occurs before the
  effective date of this Act is governed by the law in effect at the
  time the breach occurred, and that law is continued in effect for
  that purpose.
         SECTION 5.  This Act takes effect September 1, 2017.