| 1 | 1 | | 81R22644 CLG-F |
|---|
| 2 | 2 | | By: Elkins, Flynn, Berman, Bonnen H.B. No. 345 |
|---|
| 3 | 3 | | Substitute the following for H.B. No. 345: |
|---|
| 4 | 4 | | By: Quintanilla C.S.H.B. No. 345 |
|---|
| 5 | 5 | | |
|---|
| 6 | 6 | | |
|---|
| 7 | 7 | | A BILL TO BE ENTITLED |
|---|
| 8 | 8 | | AN ACT |
|---|
| 9 | 9 | | relating to a business's duty to protect sensitive personal |
|---|
| 10 | 10 | | information contained in its customer records. |
|---|
| 11 | 11 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 12 | 12 | | SECTION 1. Section 521.052, Business & Commerce Code, is |
|---|
| 13 | 13 | | amended to read as follows: |
|---|
| 14 | 14 | | Sec. 521.052. BUSINESS DUTY TO PROTECT SENSITIVE PERSONAL |
|---|
| 15 | 15 | | INFORMATION. (a) In this section, "access device" means a card or |
|---|
| 16 | 16 | | device issued by a financial institution that contains a magnetic |
|---|
| 17 | 17 | | stripe, microprocessor chip, or other means for storing |
|---|
| 18 | 18 | | information. The term includes a credit card, debit card, or stored |
|---|
| 19 | 19 | | value card. |
|---|
| 20 | 20 | | (b) A business shall implement and maintain reasonable |
|---|
| 21 | 21 | | procedures, including taking any appropriate corrective action, to |
|---|
| 22 | 22 | | protect from unlawful use or disclosure any sensitive personal |
|---|
| 23 | 23 | | information collected or maintained by the business in the regular |
|---|
| 24 | 24 | | course of business. |
|---|
| 25 | 25 | | (c) [(b)] A business shall destroy or arrange for the |
|---|
| 26 | 26 | | destruction of customer records containing sensitive personal |
|---|
| 27 | 27 | | information within the business's custody or control that are not |
|---|
| 28 | 28 | | to be retained by the business by: |
|---|
| 29 | 29 | | (1) shredding; |
|---|
| 30 | 30 | | (2) erasing; or |
|---|
| 31 | 31 | | (3) otherwise modifying the sensitive personal |
|---|
| 32 | 32 | | information in the records to make the information unreadable or |
|---|
| 33 | 33 | | indecipherable through any means. |
|---|
| 34 | 34 | | (d) A business that stores sensitive personal information |
|---|
| 35 | 35 | | derived from an access device shall reasonably protect the |
|---|
| 36 | 36 | | sensitive personal information against unauthorized access or use. |
|---|
| 37 | 37 | | (e) [(c)] This section does not apply to a financial |
|---|
| 38 | 38 | | institution as defined by 15 U.S.C. Section 6809. |
|---|
| 39 | 39 | | SECTION 2. Section 521.151, Business & Commerce Code, is |
|---|
| 40 | 40 | | amended by adding Subsection (a-1) to read as follows: |
|---|
| 41 | 41 | | (a-1) If a violation of Section 521.052(d) results in a |
|---|
| 42 | 42 | | breach of system security, as defined by Section 521.053, the |
|---|
| 43 | 43 | | attorney general in bringing an action under Subsection (a) may |
|---|
| 44 | 44 | | seek any order or judgment necessary to compensate a financial |
|---|
| 45 | 45 | | institution for actual damages resulting from the violation, |
|---|
| 46 | 46 | | including reasonable costs incurred by the financial institution in |
|---|
| 47 | 47 | | connection with: |
|---|
| 48 | 48 | | (1) the cancellation and reissuance of an access |
|---|
| 49 | 49 | | device affected by the breach; |
|---|
| 50 | 50 | | (2) the closing of an account affected by the breach |
|---|
| 51 | 51 | | and any action to stop payment or block a transaction with respect |
|---|
| 52 | 52 | | to the account; |
|---|
| 53 | 53 | | (3) the opening or reopening of an account affected by |
|---|
| 54 | 54 | | the breach; |
|---|
| 55 | 55 | | (4) a refund or credit made to an account holder to |
|---|
| 56 | 56 | | cover the cost of any unauthorized transaction related to the |
|---|
| 57 | 57 | | breach; and |
|---|
| 58 | 58 | | (5) the notification of account holders affected by |
|---|
| 59 | 59 | | the breach. |
|---|
| 60 | 60 | | SECTION 3. This Act takes effect January 1, 2011. |
|---|