| 4 | 12 | | AN ACT |
|---|
| 5 | 13 | | relating to the privacy of personal identifying information and the |
|---|
| 6 | 14 | | creation of the Texas Privacy Protection Advisory Council. |
|---|
| 7 | 15 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 8 | 16 | | SECTION 1. Section 521.053, Business & Commerce Code, is |
|---|
| 9 | 17 | | amended by amending Subsection (b) and adding Subsection (i) to |
|---|
| 10 | 18 | | read as follows: |
|---|
| 11 | 19 | | (b) A person who conducts business in this state and owns or |
|---|
| 12 | 20 | | licenses computerized data that includes sensitive personal |
|---|
| 13 | 21 | | information shall disclose any breach of system security, after |
|---|
| 14 | 22 | | discovering or receiving notification of the breach, to any |
|---|
| 15 | 23 | | individual whose sensitive personal information was, or is |
|---|
| 16 | 24 | | reasonably believed to have been, acquired by an unauthorized |
|---|
| 17 | 25 | | person. The disclosure shall be made without unreasonable delay and |
|---|
| 18 | 26 | | in each case not later than the 60th day after the date on which the |
|---|
| 19 | 27 | | person determines that the breach occurred [as quickly as |
|---|
| 20 | 28 | | possible], except as provided by Subsection (d) or as necessary to |
|---|
| 21 | 29 | | determine the scope of the breach and restore the reasonable |
|---|
| 22 | 30 | | integrity of the data system. |
|---|
| 23 | 31 | | (i) A person who is required to disclose or provide |
|---|
| 24 | 32 | | notification of a breach of system security under this section |
|---|
| 25 | 33 | | shall notify the attorney general of that breach not later than the |
|---|
| 26 | 34 | | 60th day after the date on which the person determines that the |
|---|
| 27 | 35 | | breach occurred if the breach involves at least 250 residents of |
|---|
| 28 | 36 | | this state. The notification under this subsection must include: |
|---|
| 29 | 37 | | (1) a detailed description of the nature and |
|---|
| 30 | 38 | | circumstances of the breach or the use of sensitive personal |
|---|
| 31 | 39 | | information acquired as a result of the breach; |
|---|
| 32 | 40 | | (2) the number of residents of this state affected by |
|---|
| 33 | 41 | | the breach at the time of notification; |
|---|
| 34 | 42 | | (3) the measures taken by the person regarding the |
|---|
| 35 | 43 | | breach; |
|---|
| 36 | 44 | | (4) any measures the person intends to take regarding |
|---|
| 37 | 45 | | the breach after the notification under this subsection; and |
|---|
| 38 | 46 | | (5) information regarding whether law enforcement is |
|---|
| 39 | 47 | | engaged in investigating the breach. |
|---|
| 40 | 48 | | SECTION 2. (a) In this section, "council" means the Texas |
|---|
| 41 | 49 | | Privacy Protection Advisory Council created under this section. |
|---|
| 42 | 50 | | (b) The Texas Privacy Protection Advisory Council is |
|---|
| 43 | 51 | | created to study data privacy laws in this state, other states, and |
|---|
| 44 | 52 | | relevant foreign jurisdictions. |
|---|
| 45 | 53 | | (c) The council is composed of members who are residents of |
|---|
| 46 | 54 | | this state and appointed as follows: |
|---|
| 47 | 55 | | (1) five members appointed by the speaker of the house |
|---|
| 48 | 56 | | of representatives, two of whom must be representatives of an |
|---|
| 49 | 57 | | industry listed under Subsection (d) of this section and three of |
|---|
| 50 | 58 | | whom must be members of the house of representatives; |
|---|
| 51 | 59 | | (2) five members appointed by the lieutenant governor, |
|---|
| 52 | 60 | | two of whom must be representatives of an industry listed under |
|---|
| 53 | 61 | | Subsection (d) of this section and three of whom must be senators; |
|---|
| 54 | 62 | | and |
|---|
| 55 | 63 | | (3) five members appointed by the governor, three of |
|---|
| 56 | 64 | | whom must be representatives of an industry listed under Subsection |
|---|
| 57 | 65 | | (d) of this section and two of whom must be either: |
|---|
| 58 | 66 | | (A) a representative of a nonprofit organization |
|---|
| 59 | 67 | | that studies or evaluates data privacy laws from the perspective of |
|---|
| 60 | 68 | | individuals whose information is collected or processed by |
|---|
| 61 | 69 | | businesses; or |
|---|
| 62 | 70 | | (B) a professor who teaches at a law school in |
|---|
| 63 | 71 | | this state or other institution of higher education, as defined by |
|---|
| 64 | 72 | | Section 61.003, Education Code, and whose books or scholarly |
|---|
| 65 | 73 | | articles on the topic of data privacy have been published. |
|---|
| 66 | 74 | | (d) For purposes of making appointments of members who |
|---|
| 67 | 75 | | represent industries under Subsection (c) of this section, the |
|---|
| 68 | 76 | | speaker of the house of representatives, lieutenant governor, and |
|---|
| 69 | 77 | | governor shall appoint members from among the following industries |
|---|
| 70 | 78 | | and must coordinate their appointments to avoid overlap in |
|---|
| 71 | 79 | | representation of the industries: |
|---|
| 72 | 80 | | (1) medical profession; |
|---|
| 73 | 81 | | (2) technology; |
|---|
| 74 | 82 | | (3) Internet; |
|---|
| 75 | 83 | | (4) retail and electronic transactions; |
|---|
| 76 | 84 | | (5) consumer banking; |
|---|
| 77 | 85 | | (6) telecommunications; |
|---|
| 78 | 86 | | (7) consumer data analytics; |
|---|
| 79 | 87 | | (8) advertising; |
|---|
| 80 | 88 | | (9) Internet service providers; |
|---|
| 81 | 89 | | (10) social media platforms; |
|---|
| 82 | 90 | | (11) cloud data storage; |
|---|
| 83 | 91 | | (12) virtual private networks; or |
|---|
| 84 | 92 | | (13) retail electric. |
|---|
| 85 | 93 | | (e) The speaker of the house of representatives and the |
|---|
| 86 | 94 | | lieutenant governor shall each designate a co-chair from among |
|---|
| 87 | 95 | | their respective appointments to the council who are members of the |
|---|
| 88 | 96 | | legislature. |
|---|
| 89 | 97 | | (f) The council shall convene on a regular basis at the |
|---|
| 90 | 98 | | joint call of the co-chairs. |
|---|
| 91 | 99 | | (g) The council shall: |
|---|
| 92 | 100 | | (1) study and evaluate the laws in this state, other |
|---|
| 93 | 101 | | states, and relevant foreign jurisdictions that govern the privacy |
|---|
| 94 | 102 | | and protection of information that alone or in conjunction with |
|---|
| 95 | 103 | | other information identifies or is linked or reasonably linkable to |
|---|
| 96 | 104 | | a specific individual, technological device, or household; and |
|---|
| 97 | 105 | | (2) make recommendations to the members of the |
|---|
| 98 | 106 | | legislature on specific statutory changes regarding the privacy and |
|---|
| 99 | 107 | | protection of that information, including changes to Chapter 521, |
|---|
| 100 | 108 | | Business & Commerce Code, as amended by this Act, or to the Penal |
|---|
| 101 | 109 | | Code, that appear necessary from the results of the council's study |
|---|
| 102 | 110 | | under this section. |
|---|
| 103 | 111 | | (h) Not later than September 1, 2020, the council shall |
|---|
| 104 | 112 | | report the council's findings and recommendations to the members of |
|---|
| 105 | 113 | | the legislature. |
|---|
| 106 | 114 | | (i) The Department of Information Resources shall provide |
|---|
| 107 | 115 | | administrative support to the council. |
|---|
| 108 | 116 | | (j) Not later than the 60th day after the effective date of |
|---|
| 109 | 117 | | this Act, the speaker of the house of representatives, the |
|---|
| 110 | 118 | | lieutenant governor, and the governor shall appoint the members of |
|---|
| 111 | 119 | | the council. |
|---|
| 112 | 120 | | (k) The council is abolished and this section expires |
|---|
| 113 | 121 | | December 31, 2020. |
|---|
| 114 | 122 | | SECTION 3. (a) Except as provided by Subsection (b) of this |
|---|
| 115 | 123 | | section, this Act takes effect September 1, 2019. |
|---|
| 116 | 124 | | (b) Section 521.053, Business & Commerce Code, as amended by |
|---|
| 117 | 125 | | this Act, takes effect January 1, 2020. |
|---|