BILL ANALYSIS |
C.S.S.B. 1213 |
By: Kolkhorst |
Business & Industry |
Committee Report (Substituted) |
BACKGROUND AND PURPOSE
Interested parties explain that many state entities collect data from their members, patients, users, and customers in the ordinary course of their duties that may be utilized to analyze consumer habits, health trends, and other statistical information and possibly be sold to private institutions or research companies. In order to maintain an individual's privacy, this data undergoes a process to scrub the data of any information that may be directly tied to an individual. The parties contend that, unfortunately, in many circumstances that process does not adequately protect individuals, as it can be relatively easy to "reidentify" the data and expose individuals' sensitive information. In the interest of protecting citizens' personal information, C.S.S.B. 1213 seeks to address this issue.
|
||||||||||||||||
CRIMINAL JUSTICE IMPACT
It is the committee's opinion that this bill expressly does one or more of the following: creates a criminal offense, increases the punishment for an existing criminal offense or category of offenses, or changes the eligibility of a person for community supervision, parole, or mandatory supervision.
|
||||||||||||||||
RULEMAKING AUTHORITY
It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.
|
||||||||||||||||
ANALYSIS
C.S.S.B. 1213 amends the Business & Commerce Code to require a state agency to provide written notice to a person to whom the agency releases deidentified information that the information is deidentified information. The bill requires a person who sells covered information or otherwise receives compensation for the transfer or disclosure of covered information, defined by the bill as deidentified information released by a board, commission, department, or other agency of the state, including an institution of higher education, or a hospital that is maintained or operated by the state, to provide written notice to the person to whom the information is sold, transferred, or disclosed that the information is deidentified information obtained from a state agency. The bill defines "deidentified information" as information with respect to which the holder of the information has made a good faith effort to remove all personal identifying information or other information that may be used by itself or in combination with other information to identify the subject of the information, including aggregate statistics, redacted information, information for which random or fictitious alternatives have been substituted for personal identifying information, and information for which personal identifying information has been encrypted and for which the encryption key is maintained by a person otherwise authorized to have access to the information in an identifiable format.
C.S.S.B. 1213 makes it a Class A misdemeanor to reidentify or attempt to reidentify personal identifying information about an individual who is the subject of covered information or to knowingly disclose or release covered information that was reidentified in violation of this prohibition. The bill makes a person who commits such an offense liable to the individual who is the subject of the covered information for statutory damages in an amount of not less than $25 or more than $500 for each violation, not to exceed a total amount of $150,000. The bill makes a person who commits such an offense also liable to the state for a civil penalty in an amount of not less than $25 or more than $500 for each violation, not to exceed a total amount of $150,000, authorizes the attorney general to bring an action to recover the civil penalty, and entitles the attorney general to recover reasonable expenses incurred in bringing such an action, including reasonable attorney's fees, court costs, and investigatory costs. The bill establishes that it is a defense to a civil action or prosecution for such an offense that the person was reidentifying the covered information for the purpose of a study or other scholarly research, including performing an evaluation or test of software intended to deidentify information, and did not release or publish the names or other information identifying any subjects of the reidentified covered information or that the person obtained informed, written consent from the individual who is the subject of the covered information that specifically referenced the information to be reidentified, disclosed, or released, and authorized the reidentification, disclosure, or release of that information.
|
||||||||||||||||
EFFECTIVE DATE
September 1, 2015.
|
||||||||||||||||
COMPARISON OF SENATE ENGROSSED AND SUBSTITUTE
While C.S.S.B. 1213 may differ from the engrossed in minor or nonsubstantive ways, the following comparison is organized and formatted in a manner that indicates the substantial differences between the engrossed and committee substitute versions of the bill.
|
||||||||||||||||
|