Texas 2009 81st Regular

Texas Senate Bill SB327 Introduced / Bill

Filed 02/01/2025

81R2683 CLG-D
By: Van de Putte S.B. No. 327


 A BILL TO BE ENTITLED
 AN ACT
 relating to a business's duty to protect sensitive personal
 information contained in its customer records.
 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
 SECTION 1. Section 521.052, Business & Commerce Code, as
 effective April 1, 2009, is amended to read as follows:
 Sec. 521.052. BUSINESS DUTY TO PROTECT SENSITIVE PERSONAL
 INFORMATION. (a) In this section:
 (1)  "Access device" means a card or device issued by a
 financial institution that contains a magnetic stripe,
 microprocessor chip, or other means for storing information. The
 term includes a credit card, debit card, or stored value card.
 (2)  "Breach of system security" has the meaning
 assigned by Section 521.053.
 (3)  "Financial institution" has the meaning assigned
 by 15 U.S.C. Section 6809.
 (b) A business shall implement and maintain reasonable
 procedures, including taking any appropriate corrective action, to
 protect from unlawful use or disclosure any sensitive personal
 information collected or maintained by the business in the regular
 course of business.
 (c)  A business that, in the regular course of business and
 in connection with an access device, collects sensitive personal
 information or stores or maintains sensitive personal information
 in a structured database or unstructured files must comply with
 payment card industry data security standards.
 (d) [(b)] A business shall destroy or arrange for the
 destruction of customer records containing sensitive personal
 information within the business's custody or control that are not
 to be retained by the business by:
 (1) shredding;
 (2) erasing; or
 (3) otherwise modifying the sensitive personal
 information in the records to make the information unreadable or
 indecipherable through any means.
 (e)  A financial institution may bring an action against a
 business that is subject to a breach of system security if, at the
 time of the breach, the business is in violation of Subsection (c).
 A court may not certify an action brought under this subsection as a
 class action.
 (f)  Before filing an action under Subsection (e), a
 financial institution must provide to the business written notice
 requesting that the business provide certification or an assessment
 of the business's compliance with payment card industry data
 security standards. The certification or assessment must be issued
 by a payment card industry-approved auditor or another person
 authorized to issue that certification or assessment under payment
 card industry data security standards. The court shall, on a
 motion, dismiss an action brought under Subsection (e) with
 prejudice to the refiling of the action if the business provides to
 the financial institution the certification or assessment of
 compliance required under this subsection not later than the 30th
 day after receiving the notice.
 (g)  A presumption that a business has complied with
 Subsection (c) exists if:
 (1)  the business contracts for or otherwise uses the
 services of a third party to collect, maintain, or store sensitive
 personal information in connection with an access device;
 (2)  the business requires that the third party attest
 to or offer proof of compliance with payment card industry data
 security standards; and
 (3)  the business contractually requires the third
 party's continued compliance with payment card industry data
 security standards.
 (h)  A financial institution that brings an action under
 Subsection (e) may obtain actual damages arising from the
 violation. Actual damages include any cost incurred by the
 financial institution in connection with:
 (1)  the cancellation or reissuance of an access device
 affected by the breach;
 (2)  the closing of a deposit, transaction, share
 draft, or other account affected by the breach and any action to
 stop payment or block a transaction with respect to the account;
 (3)  the opening or reopening of a deposit,
 transaction, share draft, or other account affected by the breach;
 (4)  a refund or credit made to an account holder to
 cover the cost of any unauthorized transaction related to the
 breach; and
 (5)  the notification of account holders affected by
 the breach.
 (i)  In an action brought under Subsection (e), the court
 shall award the prevailing party reasonable attorney's fees and
 costs, except that a business may not be awarded reasonable
 attorney's fees and costs unless the court is presented proof that
 the business provided the certification or assessment of compliance
 with security standards to the financial institution within the
 period prescribed by Subsection (f).
 (j) [(c)] This section does not apply to a financial
 institution, except that a financial institution that is injured
 following a breach of system security of a business's computerized
 data may bring an action under Subsection (e) and may be held liable
 for attorney's fees and costs for an action brought under that
 subsection as provided by Subsection (i) [as defined by 15 U.S.C.
 Section 6809].
 SECTION 2. This Act takes effect January 1, 2011.