|
|
|
A BILL TO BE ENTITLED
|
|
AN ACT
|
|
relating to the protection of personal information sold by a state |
|
agency to a contractor; authorizing a civil penalty. |
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
SECTION 1. Subchapter F, Chapter 2054, Government Code, is |
|
amended by adding Section 2054.1126 to read as follows: |
|
Sec. 2054.1126. SECURITY BREACH BY STATE AGENCY CONTRACTOR; |
|
DEBARMENT; CIVIL PENALTY. (a) In this section: |
|
(1) "Breach of system security" has the meaning |
|
assigned by Section 521.053, Business & Commerce Code. |
|
(2) "Sensitive personal information" has the meaning |
|
assigned by Section 521.002, Business & Commerce Code. |
|
(b) A state agency that owns, licenses, or maintains |
|
computerized data that includes sensitive personal information, |
|
confidential information, or information the disclosure of which is |
|
regulated by law may sell that data to a contractor only if the sale |
|
is authorized under other law and the sale contract includes a |
|
statement that the contractor: |
|
(1) will comply with the notification requirements of |
|
Section 521.053, Business & Commerce Code; |
|
(2) will notify the state agency not later than 48 |
|
hours after the discovery of the breach of system security, |
|
suspected breach of system security, or unauthorized exposure; |
|
(3) will assist each person whose personal information |
|
was exposed with: |
|
(A) protecting the person from identity theft; |
|
and |
|
(B) protecting or restoring the person's credit |
|
rating; |
|
(4) will pay any civil penalty assessed against the |
|
contractor; and |
|
(5) acknowledges that the contractor's failure to |
|
comply with this section: |
|
(A) constitutes a default of the contract on |
|
notice from the state agency; and |
|
(B) may subject the contractor to debarment from |
|
contracting with the state. |
|
(c) A state agency that determines a contractor has not |
|
complied with this section shall refer the matter to the |
|
comptroller for action. The comptroller shall bar the contractor |
|
from contracting with the state using procedures prescribed under |
|
Section 2155.077. Debarment under this subsection expires on the |
|
third anniversary of the date of the debarment. |
|
(d) A contractor who obtains from a state agency |
|
computerized data that includes sensitive personal information, |
|
confidential information, or information the disclosure of which is |
|
regulated by law is liable to this state for a civil penalty imposed |
|
in accordance with Section 521.151, Business & Commerce Code, for a |
|
breach of system security or an unauthorized exposure of that |
|
information. |
|
SECTION 2. Section 2054.1126, Government Code, as added by |
|
this Act, applies only to a contract entered into or renewed on or |
|
after the effective date of this Act. |
|
SECTION 3. This Act takes effect September 1, 2021. |