A BILL TO BE ENTITLED

AN ACT

relating to a business's duty to protect and safeguard sensitive personal information contained in its customer records.

       BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

       SECTION 1.  Section 48.102, Business & Commerce Code, as added by Chapter 294, Acts of the 79th Legislature, Regular Session, 2005, is amended to read as follows:

       Sec. 48.102.  BUSINESS DUTY TO PROTECT AND SAFEGUARD SENSITIVE PERSONAL INFORMATION.  (a)  In this section:

             (1)  "Access device" means a card or device issued by a financial institution that contains a magnetic stripe, microprocessor chip, or other means for storing information.  The term includes a credit card, debit card, or stored value card.

             (2)  "Breach of system security" has the meaning assigned by Section 48.103.

             (3)  "Financial institution" has the meaning assigned by 15 U.S.C. Section 6809.

       (b)  A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.

       (c)  A business that, in the regular course of business, collects, maintains, or stores sensitive personal information in connection with an access device must comply with payment card industry data security standards.

       (d) [(b)]  A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business's custody or control that are not to be retained by the business by:

             (1)  shredding;

             (2)  erasing; or

             (3)  otherwise modifying the sensitive personal information in the records to make the information unreadable or undecipherable through any means.

       (e)  A financial institution may bring an action against a business that is subject to a breach of system security if, at the time of the breach, the business is in violation of Subsection (c).  A court may not certify an action brought under this subsection as a class action.

       (f)  Before filing an action under Subsection (e), a financial institution must provide to the business written notice requesting that the business provide certification of the business's compliance with payment card industry data security standards.  The certification must be issued by a payment card industry-approved auditor not earlier than the 90th day before the date of the breach.  The court shall, on motion, dismiss an action brought under Subsection (e) with prejudice to the refiling of the action if the business provides to the financial institution the certification of compliance required under this subsection not later than the 30th day after receiving the notice.  Failure to provide the certification creates a presumption of noncompliance with payment card industry data security standards.

       (g)  A presumption that a business has complied with Subsection (c) exists if:

             (1)  the business contracts for or otherwise uses the services of a third party to collect, maintain, or store sensitive personal information in connection with an access device;

             (2)  the third party is in compliance with payment card industry data security standards; and

             (3)  the business secures the third party's continued compliance with those standards.

       (h)  A financial institution that brings an action under Subsection (e) may obtain actual damages arising from the violation and reasonable attorney's fees.  Actual damages include any cost incurred by the financial institution in connection with:

             (1)  the cancellation or reissuance of an access device affected by the breach;

             (2)  the closing of a deposit, transaction, share draft, or other account affected by the breach and any action to stop payment or block a transaction with respect to the account;

             (3)  the opening or reopening of a deposit, transaction, share draft, or other account affected by the breach;

             (4)  a refund or credit made to an account holder to cover the cost of any unauthorized transaction related to the breach; and

             (5)  the notification of account holders affected by the breach.

       (i) [(c)]  This section does not apply to a financial institution, except that a financial institution that is injured following a breach of system security of a business's computerized data may bring an action under Subsection (e) [as defined by 15 U.S.C. Section 6809].

       SECTION 2.  This Act takes effect January 1, 2009.