This website will be unavailable from Friday, April 26, 2024 at 6:00 p.m. through Monday, April 29, 2024 at 7:00 a.m. due to data center maintenance.

BILL ANALYSIS

 

 

 

C.S.S.B. 1213

By: Kolkhorst

Business & Industry

Committee Report (Substituted)

 

 

 

BACKGROUND AND PURPOSE

 

Interested parties explain that many state entities collect data from their members, patients, users, and customers in the ordinary course of their duties that may be utilized to analyze consumer habits, health trends, and other statistical information and possibly be sold to private institutions or research companies. In order to maintain an individual's privacy, this data undergoes a process to scrub the data of any information that may be directly tied to an individual. The parties contend that, unfortunately, in many circumstances that process does not adequately protect individuals, as it can be relatively easy to "reidentify" the data and expose individuals' sensitive information. In the interest of protecting citizens' personal information, C.S.S.B. 1213 seeks to address this issue.

 

CRIMINAL JUSTICE IMPACT

 

It is the committee's opinion that this bill expressly does one or more of the following: creates a criminal offense, increases the punishment for an existing criminal offense or category of offenses, or changes the eligibility of a person for community supervision, parole, or mandatory supervision.

 

RULEMAKING AUTHORITY

 

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

 

ANALYSIS

 

C.S.S.B. 1213 amends the Business & Commerce Code to require a state agency to provide written notice to a person to whom the agency releases deidentified information that the information is deidentified information. The bill requires a person who sells covered information or otherwise receives compensation for the transfer or disclosure of covered information, defined by the bill as deidentified information released by a board, commission, department, or other agency of the state, including an institution of higher education, or a hospital that is maintained or operated by the state, to provide written notice to the person to whom the information is sold, transferred, or disclosed that the information is deidentified information obtained from a state agency. The bill defines "deidentified information" as information with respect to which the holder of the information has made a good faith effort to remove all personal identifying information or other information that may be used by itself or in combination with other information to identify the subject of the information, including aggregate statistics, redacted information, information for which random or fictitious alternatives have been substituted for personal identifying information, and information for which personal identifying information has been encrypted and for which the encryption key is maintained by a person otherwise authorized to have access to the information in an identifiable format.

 

C.S.S.B. 1213 makes it a Class A misdemeanor to reidentify or attempt to reidentify personal identifying information about an individual who is the subject of covered information or to knowingly disclose or release covered information that was reidentified in violation of this prohibition. The bill makes a person who commits such an offense liable to the individual who is the subject of the covered information for statutory damages in an amount of not less than $25 or more than $500 for each violation, not to exceed a total amount of $150,000. The bill makes a person who commits such an offense also liable to the state for a civil penalty in an amount of not less than $25 or more than $500 for each violation, not to exceed a total amount of $150,000, authorizes the attorney general to bring an action to recover the civil penalty, and entitles the attorney general to recover reasonable expenses incurred in bringing such an action, including reasonable attorney's fees, court costs, and investigatory costs. The bill establishes that it is a defense to a civil action or prosecution for such an offense that the person was reidentifying the covered information for the purpose of a study or other scholarly research, including performing an evaluation or test of software intended to deidentify information, and did not release or publish the names or other information identifying any subjects of the reidentified covered information or that the person obtained informed, written consent from the individual who is the subject of the covered information that specifically referenced the information to be reidentified, disclosed, or released, and authorized the reidentification, disclosure, or release of that information.

 

EFFECTIVE DATE

 

September 1, 2015.

 

COMPARISON OF SENATE ENGROSSED AND SUBSTITUTE

 

While C.S.S.B. 1213 may differ from the engrossed in minor or nonsubstantive ways, the following comparison is organized and formatted in a manner that indicates the substantial differences between the engrossed and committee substitute versions of the bill.

 

SENATE ENGROSSED

HOUSE COMMITTEE SUBSTITUTE

SECTION 1.  Subtitle A, Title 11, Business & Commerce Code, is amended by adding Chapter 506 to read as follows:

CHAPTER 506.  REIDENTIFICATION OF DEIDENTIFIED INFORMATION

 

Sec. 506.001.  DEFINITIONS.  In this chapter:

 

(See Sec. 506.0015 below.)

 

 

 

 

 

 

(1)  "Deidentified information" means information with respect to which the holder of the information has made a good faith effort to remove all personal identifying information or other information that may be used by itself or in combination with other information to identify the subject of the information.  The term includes aggregate statistics, redacted information, information for which random or fictitious alternatives have been substituted for personal identifying information, and information for which personal identifying information has been encrypted and for which the encryption key is maintained by a person otherwise authorized to have access to the information in an identifiable format.

(2)  "Personal identifying information" has the meaning assigned by Section 521.002(a)(1).

SECTION 1.  Subtitle A, Title 11, Business & Commerce Code, is amended by adding Chapter 506 to read as follows:

CHAPTER 506.  REIDENTIFICATION OF DEIDENTIFIED INFORMATION

 

Sec. 506.001.  DEFINITIONS.  In this chapter:

 

(1)  "Covered information" means deidentified information released by a board, commission, department, or other agency of this state, including an institution of higher education as defined by Section 61.003, Education Code, or a hospital that is maintained or operated by the state.

(2)  "Deidentified information" means information with respect to which the holder of the information has made a good faith effort to remove all personal identifying information or other information that may be used by itself or in combination with other information to identify the subject of the information.  The term includes aggregate statistics, redacted information, information for which random or fictitious alternatives have been substituted for personal identifying information, and information for which personal identifying information has been encrypted and for which the encryption key is maintained by a person otherwise authorized to have access to the information in an identifiable format.

(3)  "Personal identifying information" has the meaning assigned by Section 521.002(a)(1).

Sec. 506.0015.  APPLICABILITY.  This chapter applies only to the release of deidentified information by a board, commission, department, or other agency of this state, including an institution of higher education defined by Section 61.003, Education Code, or a hospital maintained or operated by the state.

No equivalent provision. (But see Sec. 506.001(1) above.)

No equivalent provision.

Sec. 506.002.  REQUIRED NOTICES.  (a)  An agency of this state shall provide written notice to a person to whom the agency releases deidentified information that the information is deidentified information.

(b)  A person who sells covered information or otherwise receives compensation for the transfer or disclosure of covered information shall provide written notice to the person to whom the information is sold, transferred, or disclosed that the information is deidentified information obtained from an agency of this state.

Sec. 506.002.  PROHIBITED ACTS.  (a)  A person may not:

(1)  reidentify or attempt to reidentify an individual who is the subject of deidentified information; or

 

(2)  disclose or release information the person knows was reidentified in violation of this section.

(b)  It is a defense to prosecution under this section that the person:

 

 

(1)  was reidentifying the information for the purpose of a study or other scholarly research, including performing an evaluation or test of software intended to deidentify information; and

(2)  did not release or publish the names or other information identifying any subjects of the reidentified information.

 

 

 

 

 

 

 

 

Sec. 506.003.  OFFENSE.  (a)  A person who violates Section 506.002 commits an offense.

(b)  An offense under this section is a Class A misdemeanor.

 

Sec. 506.004.  PRIVATE CAUSE OF ACTION.  A person who violates Section 506.002 is liable to the individual who is the subject of the information for any damages caused by the reidentification or release of the information.

 

 

Sec. 506.003.  PROHIBITED ACTS.  (a)  A person may not:

(1)  reidentify or attempt to reidentify personal identifying information about an individual who is the subject of covered information; or

(2)  knowingly disclose or release covered information that was reidentified in violation of this section.

(b)  It is a defense to a civil action or prosecution for a violation of this section that:

(1)  the person:

(A)  was reidentifying the covered information for the purpose of a study or other scholarly research, including performing an evaluation or test of software intended to deidentify information; and

(B)  did not release or publish the names or other information identifying any subjects of the reidentified covered information; or

(2)  the person obtained informed, written consent from the individual who is the subject of the covered information that specifically referenced the information to be reidentified, disclosed, or released, and authorized the reidentification, disclosure, or release of that information.

 

Sec. 506.004.  OFFENSE.  (a)  A person who violates Section 506.003 commits an offense.

(b)  An offense under this section is a Class A misdemeanor.

 

Sec. 506.005.  PRIVATE CAUSE OF ACTION.  A person who violates Section 506.003 is liable to the individual who is the subject of the covered information for statutory damages in an amount of not less than $25 or more than $500 for each violation, not to exceed a total amount of $150,000.

No equivalent provision.

Sec. 506.006.  CIVIL PENALTY.  (a)  In addition to other penalties and remedies assessed or recovered under this chapter, a person who violates Section 506.003 is liable to this state for a civil penalty in an amount of not less than $25 or more than $500 for each violation, not to exceed a total amount of $150,000.

(b)  The attorney general may bring an action to recover a civil penalty under this section.

(c)  The attorney general is entitled to recover reasonable expenses incurred in bringing an action under this section, including reasonable attorney's fees, court costs, and investigatory costs.

SECTION 2.  The change in law made by this Act applies to conduct that occurs on or after the effective date of this Act.  Conduct that occurs before the effective date of this Act is governed by the law in effect on the date the conduct occurred, and the former law is continued in effect for that purpose.

 

SECTION 2. Same as engrossed version.

 

 

SECTION 3.  This Act takes effect September 1, 2015.

 

SECTION 3. Same as engrossed version.