| 1 | 1 | | H.B. No. 2004 |
|---|
| 2 | 2 | | |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | AN ACT |
|---|
| 5 | 5 | | relating to a breach of computer security involving sensitive |
|---|
| 6 | 6 | | personal information and to the protection of sensitive personal |
|---|
| 7 | 7 | | information and certain protected health information. |
|---|
| 8 | 8 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 9 | 9 | | SECTION 1. Section 521.002(a)(2), Business & Commerce Code, |
|---|
| 10 | 10 | | as effective April 1, 2009, is amended to read as follows: |
|---|
| 11 | 11 | | (2) "Sensitive personal information" means, subject |
|---|
| 12 | 12 | | to Subsection (b): |
|---|
| 13 | 13 | | (A) [,] an individual's first name or first |
|---|
| 14 | 14 | | initial and last name in combination with any one or more of the |
|---|
| 15 | 15 | | following items, if the name and the items are not encrypted: |
|---|
| 16 | 16 | | (i) [(A)] social security number; |
|---|
| 17 | 17 | | (ii) [(B)] driver's license number or |
|---|
| 18 | 18 | | government-issued identification number; or |
|---|
| 19 | 19 | | (iii) [(C)] account number or credit or |
|---|
| 20 | 20 | | debit card number in combination with any required security code, |
|---|
| 21 | 21 | | access code, or password that would permit access to an |
|---|
| 22 | 22 | | individual's financial account; or |
|---|
| 23 | 23 | | (B) information that identifies an individual |
|---|
| 24 | 24 | | and relates to: |
|---|
| 25 | 25 | | (i) the physical or mental health or |
|---|
| 26 | 26 | | condition of the individual; |
|---|
| 27 | 27 | | (ii) the provision of health care to the |
|---|
| 28 | 28 | | individual; or |
|---|
| 29 | 29 | | (iii) payment for the provision of health |
|---|
| 30 | 30 | | care to the individual. |
|---|
| 31 | 31 | | SECTION 2. Section 521.052, Business & Commerce Code, is |
|---|
| 32 | 32 | | amended by adding Subsection (d) to read as follows: |
|---|
| 33 | 33 | | (d) As used in this section, "business" includes a nonprofit |
|---|
| 34 | 34 | | athletic or sports association. |
|---|
| 35 | 35 | | SECTION 3. Section 521.053(a), Business & Commerce Code, as |
|---|
| 36 | 36 | | effective April 1, 2009, is amended to read as follows: |
|---|
| 37 | 37 | | (a) In this section, "breach of system security" means |
|---|
| 38 | 38 | | unauthorized acquisition of computerized data that compromises the |
|---|
| 39 | 39 | | security, confidentiality, or integrity of sensitive personal |
|---|
| 40 | 40 | | information maintained by a person, including data that is |
|---|
| 41 | 41 | | encrypted if the person accessing the data has the key required to |
|---|
| 42 | 42 | | decrypt the data. Good faith acquisition of sensitive personal |
|---|
| 43 | 43 | | information by an employee or agent of the person for the purposes |
|---|
| 44 | 44 | | of the person is not a breach of system security unless the person |
|---|
| 45 | 45 | | uses or discloses the sensitive personal information in an |
|---|
| 46 | 46 | | unauthorized manner. |
|---|
| 47 | 47 | | SECTION 4. Subchapter F, Chapter 2054, Government Code, is |
|---|
| 48 | 48 | | amended by adding Section 2054.1125 to read as follows: |
|---|
| 49 | 49 | | Sec. 2054.1125. SECURITY BREACH NOTIFICATION BY STATE |
|---|
| 50 | 50 | | AGENCY. (a) In this section: |
|---|
| 51 | 51 | | (1) "Breach of system security" has the meaning |
|---|
| 52 | 52 | | assigned by Section 521.053, Business & Commerce Code. |
|---|
| 53 | 53 | | (2) "Sensitive personal information" has the meaning |
|---|
| 54 | 54 | | assigned by Section 521.002, Business & Commerce Code. |
|---|
| 55 | 55 | | (b) A state agency that owns, licenses, or maintains |
|---|
| 56 | 56 | | computerized data that includes sensitive personal information |
|---|
| 57 | 57 | | shall comply, in the event of a breach of system security, with the |
|---|
| 58 | 58 | | notification requirements of Section 521.053, Business & Commerce |
|---|
| 59 | 59 | | Code, to the same extent as a person who conducts business in this |
|---|
| 60 | 60 | | state. |
|---|
| 61 | 61 | | SECTION 5. Subchapter A, Chapter 181, Health and Safety |
|---|
| 62 | 62 | | Code, is amended by adding Section 181.006 to read as follows: |
|---|
| 63 | 63 | | Sec. 181.006. PROTECTED HEALTH INFORMATION NOT PUBLIC. For |
|---|
| 64 | 64 | | a covered entity that is a governmental unit, an individual's |
|---|
| 65 | 65 | | protected health information: |
|---|
| 66 | 66 | | (1) includes any information that reflects that an |
|---|
| 67 | 67 | | individual received health care from the covered entity; and |
|---|
| 68 | 68 | | (2) is not public information and is not subject to |
|---|
| 69 | 69 | | disclosure under Chapter 552, Government Code. |
|---|
| 70 | 70 | | SECTION 6. Chapter 205, Local Government Code, is amended |
|---|
| 71 | 71 | | by adding Section 205.010 to read as follows: |
|---|
| 72 | 72 | | Sec. 205.010. SECURITY BREACH NOTIFICATION BY LOCAL |
|---|
| 73 | 73 | | GOVERNMENT. (a) In this section: |
|---|
| 74 | 74 | | (1) "Breach of system security" has the meaning |
|---|
| 75 | 75 | | assigned by Section 521.053, Business & Commerce Code. |
|---|
| 76 | 76 | | (2) "Sensitive personal information" has the meaning |
|---|
| 77 | 77 | | assigned by Section 521.002, Business & Commerce Code. |
|---|
| 78 | 78 | | (b) A local government that owns, licenses, or maintains |
|---|
| 79 | 79 | | computerized data that includes sensitive personal information |
|---|
| 80 | 80 | | shall comply, in the event of a breach of system security, with the |
|---|
| 81 | 81 | | notification requirements of Section 521.053, Business & Commerce |
|---|
| 82 | 82 | | Code, to the same extent as a person who conducts business in this |
|---|
| 83 | 83 | | state. |
|---|
| 84 | 84 | | SECTION 7. The changes in law made by this Act apply only to |
|---|
| 85 | 85 | | a breach of system security that occurs on or after the effective |
|---|
| 86 | 86 | | date of this Act. A breach of system security that occurs before the |
|---|
| 87 | 87 | | effective date of this Act is governed by the law in effect on the |
|---|
| 88 | 88 | | date the breach occurred, and the former law is continued in effect |
|---|
| 89 | 89 | | for that purpose. |
|---|
| 90 | 90 | | SECTION 8. This Act takes effect September 1, 2009. |
|---|
| 91 | 91 | | ______________________________ ______________________________ |
|---|
| 92 | 92 | | President of the Senate Speaker of the House |
|---|
| 93 | 93 | | I certify that H.B. No. 2004 was passed by the House on April |
|---|
| 94 | 94 | | 28, 2009, by the following vote: Yeas 148, Nays 0, 1 present, not |
|---|
| 95 | 95 | | voting. |
|---|
| 96 | 96 | | ______________________________ |
|---|
| 97 | 97 | | Chief Clerk of the House |
|---|
| 98 | 98 | | I certify that H.B. No. 2004 was passed by the Senate on May |
|---|
| 99 | 99 | | 21, 2009, by the following vote: Yeas 31, Nays 0. |
|---|
| 100 | 100 | | ______________________________ |
|---|
| 101 | 101 | | Secretary of the Senate |
|---|
| 102 | 102 | | APPROVED: _____________________ |
|---|
| 103 | 103 | | Date |
|---|
| 104 | 104 | | _____________________ |
|---|
| 105 | 105 | | Governor |
|---|