81R22644 CLG-F

By: Elkins, Flynn, Berman, Bonnen
H.B. No. 345

Substitute the following for H.B. No. 345:

By: Quintanilla
C.S.H.B. No. 345

A BILL TO BE ENTITLED

AN ACT

relating to a business's duty to protect sensitive personal information contained in its customer records.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 521.052, Business & Commerce Code, is amended to read as follows:

Sec. 521.052. BUSINESS DUTY TO PROTECT SENSITIVE PERSONAL INFORMATION.

(a) In this section, "access device" means a card or device issued by a financial institution that contains a magnetic stripe, microprocessor chip, or other means for storing information. The term includes a credit card, debit card, or stored value card.

(b) A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.

(c) [(b)] A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business's custody or control that are not to be retained by the business by:
(1) shredding;
(2) erasing; or
(3) otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.

(d) A business that stores sensitive personal information derived from an access device shall reasonably protect the sensitive personal information against unauthorized access or use.

(e) [(c)] This section does not apply to a financial institution as defined by 15 U.S.C. Section 6809.

SECTION 2. Section 521.151, Business & Commerce Code, is amended by adding Subsection (a-1) to read as follows:

(a-1) If a violation of Section 521.052(d) results in a breach of system security, as defined by Section 521.053, the attorney general in bringing an action under Subsection (a) may seek any order or judgment necessary to compensate a financial institution for actual damages resulting from the violation, including reasonable costs incurred by the financial institution in connection with:
(1) the cancellation and reissuance of an access device affected by the breach;
(2) the closing of an account affected by the breach and any action to stop payment or block a transaction with respect to the account;
(3) the opening or reopening of an account affected by the breach;
(4) a refund or credit made to an account holder to cover the cost of any unauthorized transaction related to the breach; and
(5) the notification of account holders affected by the breach.

SECTION 3. This Act takes effect January 1, 2011.