By: McCall (Senate Sponsor - Ellis) H.B. No. 2004
(In the Senate - Received from the House April 29, 2009;
May 1, 2009, read first time and referred to Committee on
Government Organization; May 13, 2009, reported favorably by the
following vote: Yeas 6, Nays 0; May 13, 2009, sent to printer.)
A BILL TO BE ENTITLED
AN ACT
relating to a breach of computer security involving sensitive
personal information and to the protection of sensitive personal
information and certain protected health information.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 521.002(a)(2), Business & Commerce Code,
as effective April 1, 2009, is amended to read as follows:
(2) "Sensitive personal information" means, subject
to Subsection (b):
(A) [,] an individual's first name or first
initial and last name in combination with any one or more of the
following items, if the name and the items are not encrypted:
(i) [(A)] social security number;
(ii) [(B)] driver's license number or
government-issued identification number; or
(iii) [(C)] account number or credit or
debit card number in combination with any required security code,
access code, or password that would permit access to an
individual's financial account; or
(B) information that identifies an individual
and relates to:
(i) the physical or mental health or
condition of the individual;
(ii) the provision of health care to the
individual; or
(iii) payment for the provision of health
care to the individual.
SECTION 2. Section 521.052, Business & Commerce Code, is
amended by adding Subsection (d) to read as follows:
(d) As used in this section, "business" includes a nonprofit
athletic or sports association.
SECTION 3. Section 521.053(a), Business & Commerce Code, as
effective April 1, 2009, is amended to read as follows:
(a) In this section, "breach of system security" means
unauthorized acquisition of computerized data that compromises the
security, confidentiality, or integrity of sensitive personal
information maintained by a person, including data that is
encrypted if the person accessing the data has the key required to
decrypt the data. Good faith acquisition of sensitive personal
information by an employee or agent of the person for the purposes
of the person is not a breach of system security unless the person
uses or discloses the sensitive personal information in an
unauthorized manner.
SECTION 4. Subchapter F, Chapter 2054, Government Code, is
amended by adding Section 2054.1125 to read as follows:
Sec. 2054.1125. SECURITY BREACH NOTIFICATION BY STATE
AGENCY. (a) In this section:
(1) "Breach of system security" has the meaning
assigned by Section 521.053, Business & Commerce Code.
(2) "Sensitive personal information" has the meaning
assigned by Section 521.002, Business & Commerce Code.
(b) A state agency that owns, licenses, or maintains
computerized data that includes sensitive personal information
shall comply, in the event of a breach of system security, with the
notification requirements of Section 521.053, Business & Commerce
Code, to the same extent as a person who conducts business in this
state.
SECTION 5. Subchapter A, Chapter 181, Health and Safety
Code, is amended by adding Section 181.006 to read as follows:
Sec. 181.006. PROTECTED HEALTH INFORMATION NOT PUBLIC. For
a covered entity that is a governmental unit, an individual's
protected health information:
(1) includes any information that reflects that an
individual received health care from the covered entity; and
(2) is not public information and is not subject to
disclosure under Chapter 552, Government Code.
SECTION 6. Chapter 205, Local Government Code, is amended
by adding Section 205.010 to read as follows:
Sec. 205.010. SECURITY BREACH NOTIFICATION BY LOCAL
GOVERNMENT. (a) In this section:
(1) "Breach of system security" has the meaning
assigned by Section 521.053, Business & Commerce Code.
(2) "Sensitive personal information" has the meaning
assigned by Section 521.002, Business & Commerce Code.
(b) A local government that owns, licenses, or maintains
computerized data that includes sensitive personal information
shall comply, in the event of a breach of system security, with the
notification requirements of Section 521.053, Business & Commerce
Code, to the same extent as a person who conducts business in this
state.
SECTION 7. The changes in law made by this Act apply only to
a breach of system security that occurs on or after the effective
date of this Act. A breach of system security that occurs before the
effective date of this Act is governed by the law in effect on the
date the breach occurred, and the former law is continued in effect
for that purpose.
SECTION 8. This Act takes effect September 1, 2009.
* * * * *