Texas 2009 81st Regular

Texas House Bill HB2004 Introduced / Bill

Filed 02/01/2025

                    81R4365 EAH-F
 By: McCall H.B. No. 2004


 A BILL TO BE ENTITLED
 AN ACT
 relating to a breach of computer security involving sensitive
 personal information maintained by a state agency or local
 government.
 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
 SECTION 1. Subtitle B, Title 10, Government Code, is
 amended by adding Chapter 2061 to read as follows:
 CHAPTER 2061. SECURITY BREACH NOTIFICATION BY STATE AGENCY OR LOCAL
 GOVERNMENT
 Sec. 2061.001. DEFINITIONS. (a) In this chapter:
 (1)  "Breach of system security" means unauthorized
 acquisition of computerized data that compromises the security or
 confidentiality of sensitive personal information maintained by a
 state agency or local government. Good faith acquisition of
 sensitive personal information by an employee, contractor, or agent
 of the state agency or local government for the purposes of the
 state agency or local government is not a breach of system security
 unless the employee, contractor, or agent uses or discloses the
 sensitive personal information in an unauthorized manner.
 (2)  "Local government" has the meaning assigned by
 Section 2054.003.
 (3)  "Sensitive personal information" means, subject
 to Subsection (b), an individual's first name or first initial and
 last name in combination with one or more of the following items, if
 the name and the items are not encrypted or the name and the items
 are encrypted and the person accessing the information has access
 to the key required to decrypt the information:
 (A) social security number;
 (B)  driver's license number or government-issued
 identification number; or
 (C)  account number or credit or debit card number
 in combination with any required security code, access code, or
 password that would permit access to an individual's financial
 account.
 (4)  "State agency" has the meaning assigned by Section
 2054.003.
 (b)  For purposes of this chapter, "sensitive personal
 information" does not include publicly available information that
 is lawfully made available to the public by the federal government
 or a state or local government.
 Sec. 2061.002.  NOTIFICATION REQUIRED FOLLOWING BREACH OF
 SYSTEM SECURITY. (a) A state agency or local government that owns or
 licenses computerized data that includes sensitive personal
 information shall disclose any breach of system security, after
 discovering or receiving notification of the breach, to any
 individual whose sensitive personal information was, or is
 reasonably believed to have been, acquired as a result of the breach
 by an unauthorized person who commits, or who the state agency or
 local government reasonably believes has committed or will commit,
 identity theft or other fraud against any individual. The
 disclosure shall be made as quickly as possible, except as provided
 by Subsection (c) or as necessary to determine the scope of the
 breach and reasonably restore the integrity of the data system.
 (b)  A state agency or local government that maintains
 computerized data that includes sensitive personal information not
 owned or licensed by the state agency or local government shall
 notify the owner of the information of any breach of system security
 as soon as practicable after discovering the breach.
 (c)  A state agency or local government may delay providing
 notice as required by Subsection (a) or (b) at the request of a law
 enforcement agency that determines that the notification will
 impede a civil or criminal investigation or jeopardize homeland
 security. The notification shall be made without unreasonable delay
 after the law enforcement agency determines that notification will
 not compromise the investigation or jeopardize homeland security.
 (d)  A state agency or local government may give notice as
 required by Subsection (a) or (b) by providing:
 (1) written notice sent by mail;
 (2) telephone notice;
 (3)  electronic notice, if the notice is provided in
 accordance with 15 U.S.C. Section 7001; or
 (4) notice as provided by Subsection (e).
 (e)  If the state agency or local government required to give
 notice under Subsection (a) or (b) demonstrates that the cost of
 providing notice would exceed $50,000, the number of affected
 persons exceeds 100,000, or the state agency or local government
 does not have sufficient contact information, the notice may be
 given by:
 (1)  electronic mail, if the state agency or local
 government has electronic mail addresses for the affected persons;
 (2)  conspicuous posting of the notice on the Internet
 website of the state agency or local government; or
 (3)  notice published in or broadcast on major national
 media.
 (f)  Notwithstanding any other provision of this chapter, a
 state agency or local government is not required to comply with this
 chapter if the state agency or local government complies with the
 notification requirements under Chapter 521, Business & Commerce
 Code, or a federal or state law that has notice requirements at
 least as stringent as the requirements under this chapter.
 SECTION 2. The changes in law made by this Act apply only to
 a breach of system security that occurs on or after the effective
 date of this Act. A breach of system security that occurs before the
 effective date of this Act is governed by the law in effect on the
 date the breach occurred, and the former law is continued in effect
 for that purpose.
 SECTION 3. This Act takes effect September 1, 2009.