87R6107 YDB-D
By: Guerra H.B. No. 1743
A BILL TO BE ENTITLED
AN ACT
relating to the protection of personal information sold by a state
agency to a contractor; authorizing a civil penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Subchapter F, Chapter 2054, Government Code, is
amended by adding Section 2054.1126 to read as follows:
Sec. 2054.1126. SECURITY BREACH BY STATE AGENCY CONTRACTOR;
DEBARMENT; CIVIL PENALTY. (a) In this section:
(1) "Breach of system security" has the meaning
assigned by Section 521.053, Business & Commerce Code.
(2) "Sensitive personal information" has the meaning
assigned by Section 521.002, Business & Commerce Code.
(b) A state agency that owns, licenses, or maintains
computerized data that includes sensitive personal information,
confidential information, or information the disclosure of which is
regulated by law may sell that data to a contractor only if the sale
is authorized under other law and the sale contract includes a
statement that the contractor:
(1) will comply with the notification requirements of
Section 521.053, Business & Commerce Code;
(2) will notify the state agency not later than 48
hours after the discovery of the breach of system security,
suspected breach of system security, or unauthorized exposure;
(3) will assist each person whose personal information
was exposed with:
(A) protecting the person from identity theft;
and
(B) protecting or restoring the person's credit
rating;
(4) will pay any civil penalty assessed against the
contractor; and
(5) acknowledges that the contractor's failure to
comply with this section:
(A) constitutes a default of the contract on
notice from the state agency; and
(B) may subject the contractor to debarment from
contracting with the state.
(c) A state agency that determines a contractor has not
complied with this section shall refer the matter to the
comptroller for action. The comptroller shall bar the contractor
from contracting with the state using procedures prescribed under
Section 2155.077. Debarment under this subsection expires on the
third anniversary of the date of the debarment.
(d) A contractor who obtains from a state agency
computerized data that includes sensitive personal information,
confidential information, or information the disclosure of which is
regulated by law is liable to this state for a civil penalty imposed
in accordance with Section 521.151, Business & Commerce Code, for a
breach of system security or an unauthorized exposure of that
information.
SECTION 2. Section 2054.1126, Government Code, as added by
this Act, applies only to a contract entered into or renewed on or
after the effective date of this Act.
SECTION 3. This Act takes effect September 1, 2021.