| 1 | 1 | | 87R6107 YDB-D |
|---|
| 2 | 2 | | By: Guerra H.B. No. 1743 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | A BILL TO BE ENTITLED |
|---|
| 6 | 6 | | AN ACT |
|---|
| 7 | 7 | | relating to the protection of personal information sold by a state |
|---|
| 8 | 8 | | agency to a contractor; authorizing a civil penalty. |
|---|
| 9 | 9 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 10 | 10 | | SECTION 1. Subchapter F, Chapter 2054, Government Code, is |
|---|
| 11 | 11 | | amended by adding Section 2054.1126 to read as follows: |
|---|
| 12 | 12 | | Sec. 2054.1126. SECURITY BREACH BY STATE AGENCY CONTRACTOR; |
|---|
| 13 | 13 | | DEBARMENT; CIVIL PENALTY. (a) In this section: |
|---|
| 14 | 14 | | (1) "Breach of system security" has the meaning |
|---|
| 15 | 15 | | assigned by Section 521.053, Business & Commerce Code. |
|---|
| 16 | 16 | | (2) "Sensitive personal information" has the meaning |
|---|
| 17 | 17 | | assigned by Section 521.002, Business & Commerce Code. |
|---|
| 18 | 18 | | (b) A state agency that owns, licenses, or maintains |
|---|
| 19 | 19 | | computerized data that includes sensitive personal information, |
|---|
| 20 | 20 | | confidential information, or information the disclosure of which is |
|---|
| 21 | 21 | | regulated by law may sell that data to a contractor only if the sale |
|---|
| 22 | 22 | | is authorized under other law and the sale contract includes a |
|---|
| 23 | 23 | | statement that the contractor: |
|---|
| 24 | 24 | | (1) will comply with the notification requirements of |
|---|
| 25 | 25 | | Section 521.053, Business & Commerce Code; |
|---|
| 26 | 26 | | (2) will notify the state agency not later than 48 |
|---|
| 27 | 27 | | hours after the discovery of the breach of system security, |
|---|
| 28 | 28 | | suspected breach of system security, or unauthorized exposure; |
|---|
| 29 | 29 | | (3) will assist each person whose personal information |
|---|
| 30 | 30 | | was exposed with: |
|---|
| 31 | 31 | | (A) protecting the person from identity theft; |
|---|
| 32 | 32 | | and |
|---|
| 33 | 33 | | (B) protecting or restoring the person's credit |
|---|
| 34 | 34 | | rating; |
|---|
| 35 | 35 | | (4) will pay any civil penalty assessed against the |
|---|
| 36 | 36 | | contractor; and |
|---|
| 37 | 37 | | (5) acknowledges that the contractor's failure to |
|---|
| 38 | 38 | | comply with this section: |
|---|
| 39 | 39 | | (A) constitutes a default of the contract on |
|---|
| 40 | 40 | | notice from the state agency; and |
|---|
| 41 | 41 | | (B) may subject the contractor to debarment from |
|---|
| 42 | 42 | | contracting with the state. |
|---|
| 43 | 43 | | (c) A state agency that determines a contractor has not |
|---|
| 44 | 44 | | complied with this section shall refer the matter to the |
|---|
| 45 | 45 | | comptroller for action. The comptroller shall bar the contractor |
|---|
| 46 | 46 | | from contracting with the state using procedures prescribed under |
|---|
| 47 | 47 | | Section 2155.077. Debarment under this subsection expires on the |
|---|
| 48 | 48 | | third anniversary of the date of the debarment. |
|---|
| 49 | 49 | | (d) A contractor who obtains from a state agency |
|---|
| 50 | 50 | | computerized data that includes sensitive personal information, |
|---|
| 51 | 51 | | confidential information, or information the disclosure of which is |
|---|
| 52 | 52 | | regulated by law is liable to this state for a civil penalty imposed |
|---|
| 53 | 53 | | in accordance with Section 521.151, Business & Commerce Code, for a |
|---|
| 54 | 54 | | breach of system security or an unauthorized exposure of that |
|---|
| 55 | 55 | | information. |
|---|
| 56 | 56 | | SECTION 2. Section 2054.1126, Government Code, as added by |
|---|
| 57 | 57 | | this Act, applies only to a contract entered into or renewed on or |
|---|
| 58 | 58 | | after the effective date of this Act. |
|---|
| 59 | 59 | | SECTION 3. This Act takes effect September 1, 2021. |
|---|