H.B. No. 2004
 
 
 
 
AN ACT
  relating to a breach of computer security involving sensitive
  personal information and to the protection of sensitive personal
  information and certain protected health information.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 521.002(a)(2), Business & Commerce Code,
  as effective April 1, 2009, is amended to read as follows:
               (2)  "Sensitive personal information" means, subject
  to Subsection (b):
                     (A)  [,] an individual's first name or first
  initial and last name in combination with any one or more of the
  following items, if the name and the items are not encrypted:
                           (i) [(A)]  social security number;
                           (ii) [(B)]  driver's license number or
  government-issued identification number; or
                           (iii) [(C)]  account number or credit or
  debit card number in combination with any required security code,
  access code, or password that would permit access to an
  individual's financial account; or
                     (B)  information that identifies an individual
  and relates to:
                           (i)  the physical or mental health or
  condition of the individual;
                           (ii)  the provision of health care to the
  individual; or
                           (iii)  payment for the provision of health
  care to the individual.
         SECTION 2.  Section 521.052, Business & Commerce Code, is
  amended by adding Subsection (d) to read as follows:
         (d)  As used in this section, "business" includes a nonprofit
  athletic or sports association.
         SECTION 3.  Section 521.053(a), Business & Commerce Code, as
  effective April 1, 2009, is amended to read as follows:
         (a)  In this section, "breach of system security" means
  unauthorized acquisition of computerized data that compromises the
  security, confidentiality, or integrity of sensitive personal
  information maintained by a person, including data that is
  encrypted if the person accessing the data has the key required to
  decrypt the data.  Good faith acquisition of sensitive personal
  information by an employee or agent of the person for the purposes
  of the person is not a breach of system security unless the person
  uses or discloses the sensitive personal information in an
  unauthorized manner.
         SECTION 4.  Subchapter F, Chapter 2054, Government Code, is
  amended by adding Section 2054.1125 to read as follows:
         Sec. 2054.1125.  SECURITY BREACH NOTIFICATION BY STATE
  AGENCY.  (a)  In this section:
               (1)  "Breach of system security" has the meaning
  assigned by Section 521.053, Business & Commerce Code.
               (2)  "Sensitive personal information" has the meaning
  assigned by Section 521.002, Business & Commerce Code.
         (b)  A state agency that owns, licenses, or maintains
  computerized data that includes sensitive personal information
  shall comply, in the event of a breach of system security, with the
  notification requirements of Section 521.053, Business & Commerce
  Code, to the same extent as a person who conducts business in this
  state.
         SECTION 5.  Subchapter A, Chapter 181, Health and Safety
  Code, is amended by adding Section 181.006 to read as follows:
         Sec. 181.006.  PROTECTED HEALTH INFORMATION NOT PUBLIC. For
  a covered entity that is a governmental unit, an individual's
  protected health information:
               (1)  includes any information that reflects that an
  individual received health care from the covered entity; and
               (2)  is not public information and is not subject to
  disclosure under Chapter 552, Government Code.
         SECTION 6.  Chapter 205, Local Government Code, is amended
  by adding Section 205.010 to read as follows:
         Sec. 205.010.  SECURITY BREACH NOTIFICATION BY LOCAL
  GOVERNMENT.  (a)  In this section:
               (1)  "Breach of system security" has the meaning
  assigned by Section 521.053, Business & Commerce Code.
               (2)  "Sensitive personal information" has the meaning
  assigned by Section 521.002, Business & Commerce Code.
         (b)  A local government that owns, licenses, or maintains
  computerized data that includes sensitive personal information
  shall comply, in the event of a breach of system security, with the
  notification requirements of Section 521.053, Business & Commerce
  Code, to the same extent as a person who conducts business in this
  state.
         SECTION 7.  The changes in law made by this Act apply only to
  a breach of system security that occurs on or after the effective
  date of this Act. A breach of system security that occurs before the
  effective date of this Act is governed by the law in effect on the
  date the breach occurred, and the former law is continued in effect
  for that purpose.
         SECTION 8.  This Act takes effect September 1, 2009.
 
 
  ______________________________ ______________________________
     President of the Senate Speaker of the House     
 
 
         I certify that H.B. No. 2004 was passed by the House on April
  28, 2009, by the following vote:  Yeas 148, Nays 0, 1 present, not
  voting.
 
  ______________________________
  Chief Clerk of the House   
 
 
         I certify that H.B. No. 2004 was passed by the Senate on May
  21, 2009, by the following vote:  Yeas 31, Nays 0.
 
  ______________________________
  Secretary of the Senate    
  APPROVED:  _____________________
                     Date          
   
            _____________________
                   Governor