| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to the privacy of personal identifying information and the |
|
|
creation of the Texas Privacy Protection Advisory Council. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 521.053, Business & Commerce Code, is |
|
|
amended by amending Subsection (b) and adding Subsection (i) to |
|
|
read as follows: |
|
|
(b) A person who conducts business in this state and owns or |
|
|
licenses computerized data that includes sensitive personal |
|
|
information shall disclose any breach of system security, after |
|
|
discovering or receiving notification of the breach, to any |
|
|
individual whose sensitive personal information was, or is |
|
|
reasonably believed to have been, acquired by an unauthorized |
|
|
person. The disclosure shall be made without unreasonable delay and |
|
|
in each case not later than the 60th day after the date on which the |
|
|
person determines that the breach occurred [as quickly as
|
|
|
possible], except as provided by Subsection (d) or as necessary to |
|
|
determine the scope of the breach and restore the reasonable |
|
|
integrity of the data system. |
|
|
(i) A person who is required to disclose or provide |
|
|
notification of a breach of system security under this section |
|
|
shall notify the attorney general of that breach if the breach |
|
|
involves at least 250 residents of this state. The notification |
|
|
under this subsection must include: |
|
|
(1) a detailed description of the nature and |
|
|
circumstances of the breach or the use of sensitive personal |
|
|
information acquired as a result of the breach; |
|
|
(2) the number of residents of this state affected by |
|
|
the breach at the time of notification; |
|
|
(3) the measures taken by the person regarding the |
|
|
breach; |
|
|
(4) any measures the person intends to take regarding |
|
|
the breach after the notification under this subsection; and |
|
|
(5) information regarding whether law enforcement is |
|
|
engaged in investigating the breach. |
|
|
SECTION 2. (a) In this section, "council" means the Texas |
|
|
Privacy Protection Advisory Council created under this section. |
|
|
(b) The Texas Privacy Protection Advisory Council is |
|
|
created to study data privacy laws in this state, other states, and |
|
|
relevant foreign jurisdictions. |
|
|
(c) The council is composed of: |
|
|
(1) five members of the house of representatives |
|
|
appointed by the speaker of the house of representatives; |
|
|
(2) five senators appointed by the lieutenant |
|
|
governor; and |
|
|
(3) five members of industry who are residents of this |
|
|
state appointed by the governor as follows: |
|
|
(A) one member representing the retail and |
|
|
electronic transaction industry; |
|
|
(B) one member representing the |
|
|
telecommunications industry; |
|
|
(C) one member representing the consumer data |
|
|
analytics industry; |
|
|
(D) one member representing the advertising |
|
|
industry; and |
|
|
(E) one member representing the Internet service |
|
|
provider industry. |
|
|
(d) The speaker of the house of representatives and the |
|
|
lieutenant governor shall each designate a co-chair from among |
|
|
their respective appointments to the council. |
|
|
(e) The council shall convene on a regular basis at the |
|
|
joint call of the co-chairs. |
|
|
(f) The council shall: |
|
|
(1) study and evaluate the laws in this state, other |
|
|
states, and relevant foreign jurisdictions that govern the privacy |
|
|
and protection of information that alone or in conjunction with |
|
|
other information identifies or is linked or reasonably linkable to |
|
|
a specific individual, technological device, or household; and |
|
|
(2) make recommendations to the members of the |
|
|
legislature on specific statutory changes regarding the privacy and |
|
|
protection of that information, including changes to Chapter 521, |
|
|
Business & Commerce Code, as amended by this Act, or to the Penal |
|
|
Code, that appear necessary from the results of the council's study |
|
|
under this section. |
|
|
(g) Not later than December 1, 2020, the council shall |
|
|
report the council's findings and recommendations to the members of |
|
|
the legislature. |
|
|
(h) Not later than the 60th day after the effective date of |
|
|
this Act, the speaker of the house of representatives, the |
|
|
lieutenant governor, and the governor shall appoint the members of |
|
|
the council. |
|
|
(i) The council is abolished and this section expires |
|
|
December 31, 2020. |
|
|
SECTION 3. This Act takes effect September 1, 2019. |