BILL ANALYSIS

 

 

Senate Research Center

H.B. 4390

 

By: Capriglione et al. (Nelson)

 

Business & Commerce

 

5/19/2019

 

Engrossed

 

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

H.B. 4390 amends current law relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council.

 

RULEMAKING AUTHORITY

 

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1. Amends Section 521.053, Business & Commerce Code, by amending Subsection (b) and adding Subsection (i), as follows:

 

(b) Requires the disclosure of a breach of certain computerized personal data to be made without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred, rather than requiring the disclosure to be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

 

(i) Requires a person who is required to disclose or provide notification of a breach of system security under this section (Notification Required Following Breach of Security of Computerized Data) to notify the Texas attorney general of that breach not later than the 60th day after the date on which the person determines that the breach occurred if the breach involves at least 250 residents of this state. Requires the notification under this subsection to include:

 

(1) a detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;

 

(2) the number of residents of this state affected by the breach at the time of notification;

 

(3) the measures taken by the person regarding the breach;

 

(4) any measures the person intends to take regarding the breach after the notification under this subsection; and

 

(5) information regarding whether law enforcement is engaged in investigating the breach.

 

SECTION 2. (a) Defines "council" to mean the Texas Privacy Protection Advisory Council (council) created under this section.

 

(b) Provides that the council is created to study data privacy laws in this state, other states, and relevant foreign jurisdictions.

 

(c) Provides that the council is composed of members who are residents of this state and appointed as follows:

 

(1) five members appointed by the speaker of the house of representatives, two of whom must be representatives of an industry listed under Subsection (d) of this section and three of whom must be members of the house of representatives;

 

(2) five members appointed by the lieutenant governor, two of whom must be representatives of an industry listed under Subsection (d) of this section and three of whom must be senators; and

 

(3) five members appointed by the governor, three of whom must be representatives of an industry listed under Subsection (d) of this section and two of whom must be either:

 

(A) a representative of a nonprofit organization that studies or evaluates data privacy laws from the perspective of individuals whose information is collected or processed by businesses; or

 

(B) a professor who teaches at a law school in this state or other institution of higher education, as defined by Section 61.003 (Definitions), Education Code, and whose books or scholarly articles on the topic of data privacy have been published.

 

(d) Requires the speaker of the house of representatives, lieutenant governor, and governor, for purposes of making appointments of members who represent industries under Subsection (c) of this section, to appoint members from among the following industries and to coordinate their appointments to avoid overlap in representation of the industries:

 

(1) medical profession;

 

(2) technology;

 

(3) Internet;

 

(4) retail and electronic transactions;

 

(5) consumer banking;

 

(6) telecommunications;

 

(7) consumer data analytics;

 

(8) advertising;

 

(9) Internet service providers;

 

(10) social media platforms;

 

(11) cloud data storage; or

 

(12) virtual private networks.

 

(e) Requires the speaker of the house of representatives and the lieutenant governor to each designate a co-chair from among their respective appointments to the council who are members of the legislature.

 

(f) Requires the council to convene on a regular basis at the joint call of the co-chairs.

 

(g) Requires the council to:

 

(1) study and evaluate the laws in this state, other states, and relevant foreign jurisdictions that govern the privacy and protection of information that alone or in conjunction with other information identifies or is linked or reasonably linkable to a specific individual, technological device, or household; and

 

(2) make recommendations to the members of the legislature on specific statutory changes regarding the privacy and protection of that information, including changes to Chapter 521 (Unauthorized Use of Identifying Information), Business & Commerce Code, as amended by this Act, or to the Penal Code, that appear necessary from the results of the council's study under this section.

 

(h) Requires the council, not later than September 1, 2020, to report the council's findings and recommendations to the members of the legislature.

 

(i) Requires the Department of Information Resources to provide administrative support to the council.

 

(j) Requires the speaker of the house of representatives, the lieutenant governor, and the governor, not later than the 60th day after the effective date of this Act, to appoint the members of the council.

 

(k) Provides that the council is abolished and this section expires December 31, 2020.

 

SECTION 3. Effective date: September 1, 2019.