2004 - 2005 LEGISLATIVE UPDATE
DATA PRIVACY AND SECURITY RELATED BILLS

Written By:

JOHN PODVIN 1
Guaranty Bank
8333 Douglas Avenue, Suite 900
Dallas, Texas 75225

IRENE KOSTURAKIS 2
Hewlett-Packard Company
20555 S.H. 249
Houston, Texas 77070

Presented By:

IRENE KOSTURAKIS

State Bar of Texas LEGISLATIVE UPDATE
August 19, 2005
Via Satellite

CHAPTER 2.2

1 John Podvin is Deputy General Counsel, Chief Compliance Officer and Chief Privacy Officer for Guaranty Bank and for Guaranty Financial Services, the holding company for Guaranty Bank, Guaranty Insurance Services, Inc. and its subsidiaries. The views expressed in this paper are entirely his own and do not represent nor reflect the views of Guaranty Bank. Mr. Podvin may be contacted at [email protected].

2 Irene Kosturakis is a Senior Counsel in the Intellectual Property Section of the Hewlett-Packard Company’s legal department. The views expressed in this paper are entirely her own and do not represent nor reflect the views of the Hewlett-Packard Company. Ms. Kosturakis may be contacted at [email protected].


IRENE KOSTURAKIS
HEWLETT-PACKARD COMPANY
MC 110701
20555 S.H. 249
HOUSTON, TEXAS 77070
TEL: 281-514-5167
FAX: 281-514-8332
[email protected]

Irene Kosturakis is Senior Counsel, Intellectual Property for Hewlett-Packard Company. She has been handling intellectual property issues for over 15 years. Currently, she is supporting the company’s Industry Standard Server Business Unit on licensing, intellectual property transactions, industry standards setting efforts, and other IP issues. Irene has also supported the Company on all issues relating to Copyright law. Prior to the merger with HP and since 1990, Irene was with Compaq Computer Corporation, where at one time or another she supported every product business unit and was responsible for setting up Compaq’s intellectual property holding company. For a period of three years, during which Compaq Computer Corporation filed the most patent applications ever, she also set the invention protection and patent acquisition strategy for Compaq. Prior to Compaq, Irene was in the Energy and Environmental Litigation Section of Fulbright & Jaworski. Prior to being with F & J, Irene was Briefing Attorney for Judge Murry Cohen of the Court of Appeals for the First Supreme Judicial District of the State of Texas.

Irene is licensed to practice in the State of Texas. She is also a registered patent attorney. Irene is currently the Chairperson of the State Bar's E-Commerce Committee, which assisted in the passage in the State of Texas of the Uniform Electronic Transactions Act during the 2001 state legislative session and drafted the State Bar Comments on that law, which were published in July 2003. As Chairperson, she is responsible for the State Bar’s Business Law Section’s consideration of the Uniform Computer Information Transactions Act. She is a board member of the Houston chapter of the Association of Corporate Counsel America and has served as secretary of the Houston Intellectual Property Law Association. Irene is a member of the American Intellectual Property Law Association, the Intellectual Property Owners, the Houston Intellectual Property Law Association, and the Houston Bar Association. Over the past 10 years, Irene has had the honor of being on the faculty of various seminars, symposiums, and continuing legal education courses both in the State of Texas and outside the state.

Irene has an LLM in Intellectual Property from the University of Houston, a J.D. from South Texas College of Law, a Masters of Science in Civil Engineering from the University of Houston, and a Bachelor of Science in Civil Engineering from the University of Texas at El Paso.


F. JOHN PODVIN, JR.
Deputy General Counsel, Chief Compliance Officer & Chief Privacy Officer
Guaranty Financial Services
Dallas, Texas

Profile

John Podvin currently serves as Deputy General Counsel, Chief Compliance Officer and Chief Privacy Officer for Guaranty Bank, a $16 Billion Federal Savings Bank with branches in Texas and California. He is also the designated Chief Compliance Officer for Guaranty Financial Services, the holding company for Guaranty Bank, Guaranty Insurance Services, Inc., and its subsidiaries. Mr. Podvin joined Guaranty Bank in 2004 after nine years as an associate and partner at the law firm of Bracewell & Patterson, L.L.P. in Dallas, Texas, which was recently renamed Bracewell & Giuliani, L.L.P. At Bracewell, Mr. Podvin’s principal areas of practice included assisting financial institutions in matters of state and federal banking laws, regulations, supervisory agencies, mergers, acquisitions and litigation involving financial institutions. He spoke frequently on legal matters concerning privacy and security and he advised domestic and international clients on these issues. Mr. Podvin worked closely with financial institutions in developing new products and services, which included electronic banking services, Internet services, and other forms of information technology. He served as a legal advisor to the National Bank of Moldova, the central bank in the Republic of Moldova, a former republic of the Soviet Union. In Chambers & Partners’ America’s Leading Business Lawyers 2003-04, John Podvin was named among Texas’ leading communications and technology attorneys and was applauded in that publication by contributing clients and colleagues as “a client-friendly and professional attorney.” Recently, John Podvin was named as a 2004 Rising Star in the area of Banking & Finance in the Rising Stars edition of Super Lawyers. Before joining Bracewell, John Podvin was an attorney at the Office of the Comptroller of the Currency in Washington D.C. for three years. While at the OCC, he provided legal counsel and advice to the Comptroller, bankers, bank counsel and staff on various topics related to the interpretation and enforcement of the federal banking laws. Mr. Podvin also served as principal draftsman for a number of federal regulations while at the OCC. John Podvin is currently serving on the Board of Directors for the Dallas Division of the March of Dimes Birth Defects Foundation. He serves as Chairman for the Data Privacy and Security Committee of the Business Law Section of the State Bar of Texas. From 2001 – 2004, he served on the Board of Directors of the Texas Association of Bank Counsel.

B.A. – Economics, Minor – Theology, Georgetown University 1988
J.D. – University of Wisconsin Law School 1991


Data Privacy Legislative Update Chapter 2.2


TABLE OF CONTENTS

I. INTRODUCTION ... 1
II. SENATE BILL 122 ... 1
   A. Duty to Protect Sensitive Personal Information ... 1
   B. Duty to Protect Personal Identifying Information ... 2
   C. Obligations When a Business Experiences a Breach of System Security ... 2
   D. Penalties for Violations under SB 122 ... 2
   E. Implication of SB 122 Provisions ... 2
   F. Exemption from the Provisions of SB 122 ... 2
III. HOUSE BILL 698 ... 3
   A. HB 698’s Definition for “Personal Identifying Information” ... 3
   B. Requirements of HB 698 ... 3
   C. Penalties for Violations of HB 698 ... 3
   D. Implication of HB 698 Provisions ... 3
IV. CONCLUSION ... 3
BILLS ... 5
   S.B. No. 122
   H.B. No. 698


2004 - 2005 LEGISLATIVE UPDATE DATA PRIVACY AND SECURITY RELATED BILLS

I. INTRODUCTION

This year, there have been so many breaches of data security that the Washington Post has dubbed this the “year of the data breach.” Ubiquitous Technology, Bad Practices Drive Up Data Theft, Jonathan Krim, Washington Post, June 22, 2005, washingtonpost.com. The first widely publicized breach was in February, when Alpharetta, Georgia-based ChoicePoint Inc., a national provider of identification and credential verification services, revealed that it had sold the personal data of 145,000 individuals to thieves posing as businessmen who were part of an identity theft crime ring. There were victims in each of the 50 states. The scandal has prompted calls for new legislation to protect consumers' privacy rights.

In March, there was a security breach at a company owned by Lexis-Nexis, which provides personal data to a variety of business and government clients; crooks obtained customer passwords and accessed names, addresses, Social Security numbers, and driver’s license numbers. Initially the breach was believed to affect 32,000 people; however, in April, Lexis-Nexis acknowledged that the data of 310,000 people had been accessed.

DSW Shoe Warehouse also reported in March that 100,000 credit card account numbers and other information had been stolen from a company computer database. Then, in April, it turned out that it was worse than initially reported; the credit card information of 1.4 million customers and driver’s license information of 96,000 customers had been accessed by thieves.

In April, Bank of America reported that tapes on which the social security numbers, addresses, and credit account numbers of 1.2 million federal workers, possibly including those of some members of Congress, were recorded had been lost, perhaps stolen by baggage handlers from a commercial airplane transporting the tapes.

In June, CardSystems Solutions Inc. announced that 40 million credit card numbers may have been compromised and taken by hackers. Other breaches at brokers, universities, and cable companies have many clamoring for stiffer identity theft protection laws. See http://www.consumersunion.org/creditmatters/creditmattersupdates/002244.html.

Several factors are contributing to the increasing frequency of such losses. One factor is the sharp increase in data collection by businesses desiring to know more about their customers and potential customers, facilitated by the ubiquity of computer and storage technology. The Justice Department claims that another factor is that hackers who once hacked for entertainment may now be working with organized crime, selling stolen data into a thriving black market run from Eastern Europe. According to the Washington Post, “a simple Internet search yields more than a dozen Web sites offering an array of personal data.” Another factor is the increase in consumer online purchases and online payments.

These factors have resulted in an environment in which Congress and state legislatures must intervene and enact legislation to make the holders of financial data responsible and accountable for its security. One statute is the California notification law, which is being considered as the basis of possible federal legislation, requiring businesses that experience data breaches to notify customers. This past legislative session, the Texas Legislature also jumped into the fray and enacted Senate Bill 122 (“SB 122”) and House Bill 698 (“HB 698”), making Texas businesses responsible for protecting consumer data.

SB 122 and HB 698 are short bills with large implications for businesses in Texas. These bills were signed by Governor Perry on June 17th and June 18th, respectively, and both become effective on September 1, 2005. It is strongly suggested that you review these bills carefully if you advise businesses, regardless of form or location, that operate in the State of Texas. These laws will cause “businesses” in Texas (that are not ‘financial institutions’ as defined by 15 U.S.C. 6809) to incur potentially significant expense to comply with these short and straightforward laws.

II. SENATE BILL 122

SB 122 relates to “the prevention and punishment of identity theft” and the rights of victims. It does two things: it amends the Code of Criminal Procedure, requiring that peace officers create a written report for investigations of identity theft, and it adds Chapter 48 to the Business & Commerce Code. See Section 1, and Section 2, Subchapter A. Chapter 48 is entitled the Identity Theft Enforcement and Protection Act. It imposes a business duty to protect and safeguard “sensitive personal information” (see Section 2, Subchapter B, Sec. 48.102) and requires “a person that conducts business in [the State of Texas] and owns or licenses computerized data that includes sensitive personal information” to notify individual residents of Texas whose “sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person”. Section 2, Subchapter B, Sec. 48.103.

A. Duty to Protect Sensitive Personal Information

Section 48.102 of SB 122 imposes on businesses the duty to protect sensitive personal information. The phrase “sensitive personal information” is defined in Section 48.002(2) to mean “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted: (i) social security number; (ii) driver’s license number or government-issued identification number; or (iii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.” Section 2, Subchapter A, Sec. 48.002(2)(A). Sensitive personal information, however, “does not include publicly available information that is lawfully made available to the general public from the federal government or a state or local government.” Section 2, Subchapter A, Sec. 48.002(2)(B). The law requires every business to implement and maintain reasonable procedures to protect and safeguard sensitive personal information collected by the business in the regular course of business. Section 2, Subchapter B, Sec. 48.102(a). It also requires businesses to destroy or arrange for the destruction of customer records in their custody by shredding, erasing, or otherwise making the information unreadable. Section 2, Subchapter B, Sec. 48.102(b).

B. Duty to Protect Personal Identifying Information

Section 48.101 deals mainly with identity theft. It prohibits a person’s use or possession of another’s “personal identifying information” without consent and with the intent to obtain a thing of value in the other person’s name. Section 2, Subchapter B, Sec. 48.101(a). Personal identifying information means “information that alone or in conjunction with other information identifies an individual,” such as name, social security number, date of birth, or government-issued identification number; mother’s maiden name; unique biometric data (fingerprint, voice print, retina, or iris image); unique electronic identification number, address, or routing code; and telecommunication access device. Section 2, Subchapter A, Sec. 48.002(1). It is a defense to an action under this section that the use or possession of another’s personal identifying information was covered by, and in compliance with, the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.) and its implementing regulations.

C. Obligations When a Business Experiences a Breach of System Security

Section 48.103 requires a person conducting business in Texas who owns or licenses computerized sensitive personal information to disclose any “breach of system security” (unauthorized acquisition of computerized data that compromises the security of sensitive personal data) experienced by the person to the Texas resident whose information “was, or is reasonably believed to have been, acquired by an unauthorized person.” Section 2, Subchapter B, Sec. 48.103. The disclosure must be made immediately after determining the scope of the breach and restoring the system’s integrity. Section 2, Subchapter B, Sec. 48.103(c). The notice may be given in writing or electronically, if such electronic notice is in accordance with 15 U.S.C. Section 7001, the Electronic Signatures in Global and National Commerce Act (Section 2, Subchapter B, Sec. 48.103(e)). See also Texas’s Uniform Electronic Transactions Act, Bus. & Com. Code, Secs. 43.001-43.021, found at http://www.capitol.state.tx.us/statutes/docs/BC/content/word/bc.004.00.000043.00.doc. Other provisions relate to notification procedures for large numbers of affected persons or when insufficient contact information about the victims is available. See Section 2, Subchapter B, Secs. 48.103(f) and (h).

D. Penalties for Violations under SB 122

In Section 2, Subchapter C, SB 122 provides that a person who violates Chapter 48 is liable to the state for at least $2,000, but not more than $50,000, for each violation. Section 2, Subchapter C, Sec. 48.201(a). The attorney general may bring suit to recover the civil penalty. Id. Finally, a violation of the provisions in Section 48.101, the identity theft provision, is a deceptive trade practice and is actionable under the Deceptive Trade Practices Act. Section 2, Subchapter C, Sec. 48.203.

E. Implication of SB 122 Provisions

Several practical observations about SB 122 can be made. First, Section 48.101, regarding identity theft, applies to “A person . . .”. “’Person’ includes corporation, organization, government or governmental subdivision or agency, business trust, estate, trust, partnership, association, and any other legal entity.” Gov’t Code, Sec. 311.005. SB 122, therefore, applies broadly to anyone in Texas, businesses as well as individuals. Section 48.102 of this Bill, which imposes a duty on businesses to protect sensitive personal information, would appear to apply to any business that conducts business in this state, no matter its size and whether located in or out of Texas.

F. Exemption from the Provisions of SB 122

Various sections of SB 122 have an exemption for "financial institutions" as defined under the Gramm-Leach-Bliley Act (15 U.S.C. 6809(3)) and for a "covered entity" under Sections 601.001 or 601.002 of the Insurance Code. A “financial institution” is defined under 12 U.S.C. 6809(3) as “any institution the business of which is engaged in financial activities as described in [12 U.S.C. 1843(k)]”. For more information about what types of businesses may be considered “financial institutions” under Federal law, visit the Federal Trade Commission’s website at www.ftc.gov and click on the “Privacy Initiatives” link. If a business falls within that definition, it is exempt from many of the requirements in SB 122, but not from the notification requirements in Section 48.103. The electronic version of SB 122 may be found at this link: http://www.capitol.state.tx.us/cgi-bin/tlo/textframe.cmd?LEG=79&SESS=R&CHAMBER=S&BILLTYPE=B&BILLSUFFIX=00122&VERSION=5&TYPE=B

III. HOUSE BILL 698

The Governor also signed HB 698, a very short bill, which amends Section 35.48 of the Business and Commerce Code. It relates to the retention and disposal of business records. A short name for HB 698 could be “the shredder bill” because it relates to the disposal of business records.

A. HB 698’s Definition for “Personal Identifying Information”

HB 698 amends Section 35.48(a) of the Texas Business and Commerce Code by adding a definition for “personal identifying information.” It is “an individual’s first name or initial and last name in combination with one or more of the following items: (A) date of birth; (B) social security number or other government-issued identification number; (C) mother’s maiden name; (D) unique biometric data; (E) unique electronic identification number, address, or routing code; or (G) financial institution account number or any other financial information.” Section 2.

B. Requirements of HB 698

This Bill requires that when a business disposes of a business record containing a customer’s personal identifying information, the business must shred, erase, or otherwise destroy such information to make it unreadable or undecipherable. Section 3. A business can contract out the disposal of the business record to “a person engaged in the business of disposing of records”. Section 3.

C. Penalties for Violations of HB 698

There are civil penalties of up to $500 for each customer business record that is not properly destroyed. Section 3. The attorney general may bring suit to recover the civil penalty. Id. Costs and reasonable attorney’s fees are recoverable. Id. A business is not liable for a civil penalty if the business “in good faith” modifies a record as required by the law, but the record was reconstructed, in whole or in part, “through extraordinary means.” Id. Section 4 of the Bill clarifies that the law applies to the disposal of business records without regard to whether the records were created before, on, or after September 1, 2005, the effective date for the Act.

D. Implication of HB 698 Provisions

This law will also impose additional costs on businesses when they operate in Texas. Section 35.48(a)(1) of the Business and Commerce Code defines “business record” very broadly, including electronic information. One implication is that this law could stop any business from donating an old computer to a charity for fear of disclosing customer information. The electronic version of HB 698 may be found at this link: http://www.capitol.state.tx.us/cgi-bin/tlo/textframe.cmd?LEG=79&SESS=R&CHAMBER=H&BILLTYPE=B&BILLSUFFIX=00698&VERSION=5&TYPE=B

IV. CONCLUSION

SB 122 and HB 698 impose a banking standard on all businesses that collect customer data as basic as names and birth dates. While their implications are yet to be understood, when read in the context of their application to small Texas businesses, you can gauge the magnitude of the impact they will have. All who advise business clients would do well to become familiar with their provisions.


BILLS

S.B. No. 122

H.B. No. 698


S.B. No. 122

AN ACT

relating to the prevention and punishment of identity theft and the rights of certain victims of identity theft; providing penalties.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. (a) Chapter 2, Code of Criminal Procedure, is amended by adding Article 2.29 to read as follows:

Art. 2.29. REPORT REQUIRED IN CONNECTION WITH FRAUDULENT USE OR POSSESSION OF IDENTIFYING INFORMATION. (a) A peace officer to whom an alleged violation of Section 32.51, Penal Code, is reported shall make a written report to the law enforcement agency that employs the peace officer that includes the following information:

(1) the name of the victim;
(2) the name of the suspect, if known;
(3) the type of identifying information obtained, possessed, transferred, or used in violation of Section 32.51, Penal Code; and
(4) the results of any investigation.

(b) On the victim’s request, the law enforcement agency shall provide the report created under Subsection (a) to the victim. In providing the report, the law enforcement agency shall redact any otherwise confidential information that is included in the report, other than the information described by Subsection (a).

(b) The change in law made by this section applies only to the investigation of an offense committed on or after September 1, 2005. The investigation of an offense committed before September 1, 2005, is covered by the law in effect when the offense was committed, and the former law is continued in effect for that purpose. For purposes of this subsection, an offense is committed before September 1, 2005, if any element of the offense occurs before that date.

SECTION 2. Title 4, Business & Commerce Code, is amended by adding Chapter 48 to read as follows:

CHAPTER 48. UNAUTHORIZED USE OF IDENTIFYING INFORMATION

SUBCHAPTER A. GENERAL PROVISIONS

Sec. 48.001. SHORT TITLE. This chapter may be cited as the Identity Theft Enforcement and Protection Act.

Sec. 48.002. DEFINITIONS. In this chapter:

(1) "Personal identifying information" means information that alone or in conjunction with other information identifies an individual, including an individual’s:
(A) name, social security number, date of birth, or government-issued identification number;
(B) mother’s maiden name;
(C) unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image;
(D) unique electronic identification number, address, or routing code; and
(E) telecommunication access device.

(2) "Sensitive personal information":
(A) means an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
(i) social security number;
(ii) driver’s license number or government-issued identification number; or
(iii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; and
(B) does not include publicly available information that is lawfully made available to the general public from the federal government or a state or local government.

(3) "Telecommunication access device" has the meaning assigned by Section 32.51, Penal Code.

(4) "Victim" means a person whose identifying information is used by an unauthorized person.

[Sections 48.003-48.100 reserved for expansion]

SUBCHAPTER B. IDENTITY THEFT

Sec. 48.101. UNAUTHORIZED USE OR POSSESSION OF PERSONAL IDENTIFYING INFORMATION. (a) A person may not obtain, possess, transfer, or use personal identifying information of another person without the other person’s consent and with intent to obtain a good, a service, insurance, an extension of credit, or any other thing of value in the other person’s name.

(b) It is a defense to an action brought under this section that an act by a person:
(1) is covered by the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.); and
(2) is in compliance with that Act and regulations adopted under that Act.

(c) This section does not apply to:

(1) a financial institution as defined by 15 U.S.C. Section 6809; or

(2) a covered entity as defined by Section 601.001 or 602.001, Insurance Code.

Sec. 48.102. BUSINESS DUTY TO PROTECT AND SAFEGUARD SENSITIVE PERSONAL INFORMATION. (a) A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.

(b) A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business’s custody or control that are not to be retained by the business by:

(1) shredding;

(2) erasing; or

(3) otherwise modifying the sensitive personal information in the records to make the information unreadable or undecipherable through any means.

(c) This section does not apply to a financial institution as defined by 15 U.S.C. Section 6809.

Sec. 48.103. NOTIFICATION REQUIRED FOLLOWING BREACH OF SECURITY OF COMPUTERIZED DATA. (a) In this section, "breach of system security" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person. Good faith acquisition of sensitive personal information by an employee or agent of the person or business for the purposes of the person is not a breach of system security unless the sensitive personal information is used or disclosed by the person in an unauthorized manner.

(b) A person that conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any resident of this state whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(c) Any person that maintains computerized data that includes sensitive personal information that the person does not own shall notify the owner or license holder of the information of any breach of system security immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(d) A person may delay providing notice as required by Subsections (b) and (c) at the request of a law enforcement agency that determines that the notification will impede a criminal investigation. The notification shall be made as soon as the law enforcement agency determines that it will not compromise the investigation.

(e) A person may give notice as required by Subsections (b) and (c) by providing:

(1) written notice;

(2) electronic notice, if the notice is provided in accordance with 15 U.S.C. Section 7001; or

(3) notice as provided by Subsection (f).

(f) If the person or business demonstrates that the cost of providing notice would exceed $250,000, the number of affected persons exceeds 500,000, or the person does not have sufficient contact information, the notice may be given by:

(1) electronic mail, if the person has an electronic mail address for the affected persons;

(2) conspicuous posting of the notice on the person’s website; or

(3) notice published in or broadcast on major statewide media.

(g) Notwithstanding Subsection (e), a person that maintains its own notification procedures as part of an information security policy for the treatment of sensitive personal information that complies with the timing requirements for notice under this section complies with this section if the person notifies affected persons in accordance with that policy.

(h) If a person is required by this section to notify at one time more than 10,000 persons of a breach of system security, the person shall also notify, without unreasonable delay, all consumer reporting agencies, as defined by 15 U.S.C. Section 1681a, that maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notices.
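As an added example, not part of the bill or of this paper, the following Python sketch encodes the two tests an incident responder applies under the sections quoted above: whether a compromised record is "sensitive personal information" under Sec. 48.002(2), and which notice obligations in Sec. 48.103(b)-(h) a breach triggers. The record layout, the field names and the sample breach figures are constructed assumptions; the thresholds and notice routes are taken from the bill text.

```python
"""Added example modelled on S.B. 122, Secs. 48.002(2) and 48.103.

Not part of the bill or the paper.  Record layout, field names and the
sample breach facts are constructed; thresholds and notice routes follow
the bill text quoted above.
"""
from dataclasses import dataclass, field

# Sec. 48.002(2)(A)(i)-(ii): items that, combined with a name, make a
# record sensitive personal information on their own.
_ID_ITEMS = {"ssn", "drivers_license", "government_id"}


@dataclass
class Record:
    first_name: str                 # first name or first initial
    last_name: str
    items: dict = field(default_factory=dict)   # e.g. {"ssn": "..."} (constructed keys)
    encrypted: bool = False         # name AND items stored encrypted
    public_government_source: bool = False      # Sec. 48.002(2)(B) carve-out


def is_sensitive_personal_information(rec: Record) -> bool:
    """Sec. 48.002(2): name plus at least one listed item, not encrypted,
    and not information lawfully made public by a government."""
    if rec.encrypted or rec.public_government_source:
        return False
    if not (rec.first_name and rec.last_name):
        return False
    if _ID_ITEMS & set(rec.items):
        return True
    # (iii): an account or card number counts only together with the
    # security code, access code or password that would permit access.
    has_account = bool(rec.items.get("account_number") or rec.items.get("card_number"))
    has_code = bool(
        rec.items.get("security_code")
        or rec.items.get("access_code")
        or rec.items.get("password")
    )
    return has_account and has_code


@dataclass
class Breach:
    affected_texas_residents: int
    owns_or_licenses_data: bool      # False: the person only maintains it, 48.103(c)
    estimated_notice_cost_usd: float
    has_sufficient_contact_info: bool
    law_enforcement_delay_requested: bool = False   # 48.103(d)


def notification_plan(b: Breach) -> dict:
    """Map breach facts to the obligations in Sec. 48.103(b)-(h)."""
    plan = {
        "notify": [],
        "methods": [],
        "delay_permitted": b.law_enforcement_delay_requested,
    }
    if b.owns_or_licenses_data:
        plan["notify"].append("affected Texas residents (48.103(b))")
    else:
        plan["notify"].append("owner or license holder of the data (48.103(c))")

    # 48.103(f): any one trigger opens the substitute-notice routes.
    substitute = (
        b.estimated_notice_cost_usd > 250_000
        or b.affected_texas_residents > 500_000
        or not b.has_sufficient_contact_info
    )
    if substitute:
        plan["methods"] = [
            "e-mail where an address is held",
            "conspicuous website posting",
            "major statewide media",
        ]
    else:  # 48.103(e)(1)-(2)
        plan["methods"] = ["written notice", "electronic notice per 15 U.S.C. 7001"]

    # 48.103(h): only the owner/licensee notifies residents, so only it can
    # be "required to notify ... more than 10,000 persons".
    if b.owns_or_licenses_data and b.affected_texas_residents > 10_000:
        plan["notify"].append("nationwide consumer reporting agencies (48.103(h))")
    return plan


if __name__ == "__main__":
    # Constructed sample: a stolen export of 12,000 customer rows.
    sample = Record("Ann", "Lee", {"card_number": "4111 (constructed)", "security_code": "123"})
    print(is_sensitive_personal_information(sample))
    print(notification_plan(Breach(12_000, True, 30_000.0, True)))
```

The bill text says only "not encrypted" and does not define what counts as encryption or who held the key, so the `encrypted` flag is a modelling assumption: a responder still has to decide whether the key was exposed alongside the data before relying on that carve-out.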

[Sections 48.104-48.200 reserved for expansion]

SUBCHAPTER C. REMEDIES AND OFFENSES

Sec. 48.201. CIVIL PENALTY; INJUNCTION. (a) A person who violates this chapter is liable to the state for a civil penalty of at least $2,000 but not more than $50,000 for each violation. The attorney general may bring suit to recover the civil penalty imposed by this subsection.

(b) If it appears to the attorney general that a person is engaging in, has engaged in, or is about to engage in conduct that violates this chapter, the attorney general may bring an action in the name of this state against the person to restrain the violation by a temporary restraining order or a permanent or temporary injunction.

(c) An action brought under Subsection (b) shall be filed in a district court in Travis County or:

(1) in any county in which the violation occurred; or

(2) in the county in which the victim resides, regardless of whether the alleged violator has resided, worked, or done business in the county in which the victim resides.

(d) The plaintiff in an action under this section is not required to give a bond. The court may also grant any other equitable relief that the court considers appropriate to prevent any additional harm to a victim of identity theft or a further violation of this chapter or to satisfy any judgment entered against the defendant, including the issuance of an order to appoint a receiver, sequester assets, correct a public or private record, or prevent the dissipation of a victim’s assets.

(e) The attorney general is entitled to recover reasonable expenses incurred in obtaining injunctive relief, civil penalties, or both, under this section, including reasonable attorney’s fees, court costs, and investigatory costs. Amounts collected by the attorney general under this section shall be deposited in the general revenue fund and may be appropriated only for the investigation and prosecution of other cases under this chapter.

(f) The fees associated with an action under this section are the same as in a civil case, but the fees may be assessed only against the defendant.

Sec. 48.202. COURT ORDER TO DECLARE INDIVIDUAL A VICTIM OF IDENTITY THEFT. (a) A person who is injured by a violation of Section 48.101 or who has filed a criminal complaint alleging commission of an offense under Section 32.51, Penal Code, may file an application with a district court for the issuance of a court order declaring that the person is a victim of identity theft. A person may file an application under this section regardless of whether the person is able to identify each person who allegedly transferred or used the person’s identifying information in an unlawful manner.

(b) A person is presumed to be a victim of identity theft under this section if the person charged with an offense under Section 32.51, Penal Code, is convicted of the offense.

(c) After notice and hearing, if the court is satisfied by a preponderance of the evidence that the applicant has been injured by a violation of Section 48.101 or is the victim of an offense under Section 32.51, Penal Code, the court shall enter an order containing:

(1) a declaration that the person filing the application is a victim of identity theft resulting from a violation of Section 48.101 or an offense under Section 32.51, Penal Code, as appropriate;

(2) any known information identifying the violator or person charged with the offense;

(3) the specific personal identifying information and any related document used to commit the alleged violation or offense; and

(4) information identifying any financial account or transaction affected by the alleged violation or offense, including:

(A) the name of the financial institution in which the account is established or of the merchant involved in the transaction, as appropriate;

(B) any relevant account numbers;

(C) the dollar amount of the account or transaction affected by the alleged violation or offense; and

(D) the date of the alleged violation or offense.

(d) An order rendered under this section must be sealed because of the confidential nature of the information required to be included in the order. The order may be opened and the order or a copy of the order may be released only:

(1) to the proper officials in a civil proceeding brought by or against the victim arising or resulting from a violation of this chapter, including a proceeding to set aside a judgment obtained against the victim;

(2) to the victim for the purpose of submitting the copy of the order to a governmental entity or private business to:

(A) prove that a financial transaction or account of the victim was directly affected by a violation of this chapter or the commission of an offense under Section 32.51, Penal Code; or

(B) correct any record of the entity or business that contains inaccurate or false information as a result of the violation or offense;

(3) on order of the judge; or

(4) as otherwise required or provided by law.

(e) A court at any time may vacate an order issued under this section if the court finds that the application or any information submitted to the court by the applicant contains a fraudulent misrepresentation or a material misrepresentation of fact.

(f) A copy of an order provided to a person under Subsection (d)(1) must remain sealed throughout and after the civil proceeding. Information contained in a copy of an order provided to a governmental entity or business under Subsection (d)(2) is confidential and may not be released to another person except as otherwise required or provided by law.

Sec. 48.203. DECEPTIVE TRADE PRACTICE. A violation of Section 48.101 is a deceptive trade practice actionable under Subchapter E, Chapter 17.

SECTION 3. This Act takes effect September 1, 2005.

______________________________    ______________________________
President of the Senate           Speaker of the House

I hereby certify that S.B. No. 122 passed the Senate on April 21, 2005, by the following vote: Yeas 31, Nays 0; May 17, 2005, Senate refused to concur in House amendments and requested appointment of Conference Committee; May 20, 2005, House granted request of the Senate; May 26, 2005, Senate adopted Conference Committee Report by the following vote: Yeas 31, Nays 0.

______________________________
Secretary of the Senate

I hereby certify that S.B. No. 122 passed the House, with amendments, on May 13, 2005, by a non-record vote; May 20, 2005, House granted request of the Senate for appointment of Conference Committee; May 27, 2005, House adopted Conference Committee Report by the following vote: Yeas 142, Nays 0, two present not voting.

______________________________
Chief Clerk of the House

Approved:

______________________________
Date

______________________________
Governor

H.B. No. 698

AN ACT

relating to the disposal of certain business records that contain personal identifying information; providing a civil penalty.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. The heading to Section 35.48, Business & Commerce Code, is amended to read as follows:

Sec. 35.48. RETENTION AND DISPOSAL OF BUSINESS RECORDS.

SECTION 2. Section 35.48(a), Business & Commerce Code, is amended by adding Subdivisions (1-a) and (3) to read as follows:

(1-a) "Personal identifying information" means an individual’s first name or initial and last name in combination with any one or more of the following items:

(A) date of birth;

(B) social security number or other government-issued identification number;

(C) mother’s maiden name;

(D) unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image;

(E) unique electronic identification number, address, or routing code;

(F) telecommunication access device, including debit and credit card information; or

(G) financial institution account number or any other financial information.


(3) "Telecommunication access device" has the meaning assigned by Section 32.51, Penal Code.

SECTION 3. Section 35.48, Business & Commerce Code, is amended by adding Subsections (d)-(i) to read as follows:

(d) When a business disposes of a business record that contains personal identifying information of a customer of the business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.

(e) A business is considered to comply with Subsection (d) if the business contracts with a person engaged in the business of disposing of records for the modification of personal identifying information on behalf of the business in accordance with Subsection (d).

(f) A business that does not dispose of a business record of a customer in the manner required by Subsection (d) is liable for a civil penalty of up to $500 for each record. The attorney general may bring an action against the business to:

(1) recover the civil penalty;

(2) obtain any other remedy, including injunctive relief; and

(3) recover costs and reasonable attorney’s fees incurred in bringing the action.

(g) A business that modifies a record as required by Subsection (d) in good faith is not liable for a civil penalty under Subsection (f) if the record is reconstructed, in whole or in part, through extraordinary means.


(h) Subsection (d) does not require a business to modify a record if:

(1) the business is required to retain the record under other law; or

(2) the record is historically significant and:

(A) there is no potential for identity theft or fraud while the record is in the custody of the business; or

(B) the record is transferred to a professionally managed historical repository.

(i) Subsection (d) does not apply to:

(1) a financial institution as defined by 15 U.S.C. Section 6809; or

(2) a covered entity as defined by Section 601.001 or 602.001, Insurance Code.

SECTION 4. This Act applies to the disposal of business records without regard to whether the records were created before, on, or after the effective date of this Act.

SECTION 5. This Act takes effect September 1, 2005.


______________________________    ______________________________
President of the Senate           Speaker of the House

I certify that H.B. No. 698 was passed by the House on April 22, 2005, by a non-record vote; that the House refused to concur in Senate amendments to H.B. No. 698 on May 27, 2005, and requested the appointment of a conference committee to consider the differences between the two houses; and that the House adopted the conference committee report on H.B. No. 698 on May 29, 2005, by a non-record vote.

______________________________
Chief Clerk of the House

I certify that H.B. No. 698 was passed by the Senate, with amendments, on May 25, 2005, by the following vote: Yeas 31, Nays 0; at the request of the House, the Senate appointed a conference committee to consider the differences between the two houses; and that the Senate adopted the conference committee report on H.B. No. 698 on May 29, 2005, by the following vote: Yeas 31, Nays 0.

______________________________
Secretary of the Senate

APPROVED: __________________
Date

__________________
Governor