|  | AN ACT | 
|  | relating to a breach of computer security involving sensitive | 
|  | personal information and to the protection of sensitive personal | 
|  | information and certain protected health information. | 
|  | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | 
|  | SECTION 1.  Section 521.002(a)(2), Business & Commerce Code, | 
|  | as effective April 1, 2009, is amended to read as follows: | 
|  | (2)  "Sensitive personal information" means, subject | 
|  | to Subsection (b): | 
|  | (A)  [ ,] an individual's first name or first | 
|  | initial and last name in combination with any one or more of the | 
|  | following items, if the name and the items are not encrypted: | 
|  | (i) [ (A)]  social security number; | 
|  | (ii) [ (B)]  driver's license number or | 
|  | government-issued identification number; or | 
|  | (iii) [ (C)]  account number or credit or | 
|  | debit card number in combination with any required security code, | 
|  | access code, or password that would permit access to an | 
|  | individual's financial account; or | 
|  | (B)  information that identifies an individual | 
|  | and relates to: | 
|  | (i)  the physical or mental health or | 
|  | condition of the individual; | 
|  | (ii)  the provision of health care to the | 
|  | individual; or | 
|  | (iii)  payment for the provision of health | 
|  | care to the individual. | 
|  | SECTION 2.  Section 521.052, Business & Commerce Code, is | 
|  | amended by adding Subsection (d) to read as follows: | 
|  | (d)  As used in this section, "business" includes a nonprofit | 
|  | athletic or sports association. | 
|  | SECTION 3.  Section 521.053(a), Business & Commerce Code, as | 
|  | effective April 1, 2009, is amended to read as follows: | 
|  | (a)  In this section, "breach of system security" means | 
|  | unauthorized acquisition of computerized data that compromises the | 
|  | security, confidentiality, or integrity of sensitive personal | 
|  | information maintained by a person, including data that is | 
|  | encrypted if the person accessing the data has the key required to | 
|  | decrypt the data.  Good faith acquisition of sensitive personal | 
|  | information by an employee or agent of the person for the purposes | 
|  | of the person is not a breach of system security unless the person | 
|  | uses or discloses the sensitive personal information in an | 
|  | unauthorized manner. | 
|  | SECTION 4.  Subchapter F, Chapter 2054, Government Code, is | 
|  | amended by adding Section 2054.1125 to read as follows: | 
|  | Sec. 2054.1125.  SECURITY BREACH NOTIFICATION BY STATE | 
|  | AGENCY.  (a)  In this section: | 
|  | (1)  "Breach of system security" has the meaning | 
|  | assigned by Section 521.053, Business & Commerce Code. | 
|  | (2)  "Sensitive personal information" has the meaning | 
|  | assigned by Section 521.002, Business & Commerce Code. | 
|  | (b)  A state agency that owns, licenses, or maintains | 
|  | computerized data that includes sensitive personal information | 
|  | shall comply, in the event of a breach of system security, with the | 
|  | notification requirements of Section 521.053, Business & Commerce | 
|  | Code, to the same extent as a person who conducts business in this | 
|  | state. | 
|  | SECTION 5.  Subchapter A, Chapter 181, Health and Safety | 
|  | Code, is amended by adding Section 181.006 to read as follows: | 
|  | Sec. 181.006.  PROTECTED HEALTH INFORMATION NOT PUBLIC. For | 
|  | a covered entity that is a governmental unit, an individual's | 
|  | protected health information: | 
|  | (1)  includes any information that reflects that an | 
|  | individual received health care from the covered entity; and | 
|  | (2)  is not public information and is not subject to | 
|  | disclosure under Chapter 552, Government Code. | 
|  | SECTION 6.  Chapter 205, Local Government Code, is amended | 
|  | by adding Section 205.010 to read as follows: | 
|  | Sec. 205.010.  SECURITY BREACH NOTIFICATION BY LOCAL | 
|  | GOVERNMENT.  (a)  In this section: | 
|  | (1)  "Breach of system security" has the meaning | 
|  | assigned by Section 521.053, Business & Commerce Code. | 
|  | (2)  "Sensitive personal information" has the meaning | 
|  | assigned by Section 521.002, Business & Commerce Code. | 
|  | (b)  A local government that owns, licenses, or maintains | 
|  | computerized data that includes sensitive personal information | 
|  | shall comply, in the event of a breach of system security, with the | 
|  | notification requirements of Section 521.053, Business & Commerce | 
|  | Code, to the same extent as a person who conducts business in this | 
|  | state. | 
|  | SECTION 7.  The changes in law made by this Act apply only to | 
|  | a breach of system security that occurs on or after the effective | 
|  | date of this Act. A breach of system security that occurs before the | 
|  | effective date of this Act is governed by the law in effect on the | 
|  | date the breach occurred, and the former law is continued in effect | 
|  | for that purpose. | 
|  | SECTION 8.  This Act takes effect September 1, 2009. | 
|  | 
|  | 
|  | ______________________________ | ______________________________ | 
|  | President of the Senate | Speaker of the House | 
|  | 
|  | 
|  | I certify that H.B. No. 2004 was passed by the House on April | 
|  | 28, 2009, by the following vote:  Yeas 148, Nays 0, 1 present, not | 
|  | voting. | 
|  |  | 
|  | ______________________________ | 
|  | Chief Clerk of the House | 
|  | 
|  | 
|  | I certify that H.B. No. 2004 was passed by the Senate on May | 
|  | 21, 2009, by the following vote:  Yeas 31, Nays 0. | 
|  |  | 
|  | ______________________________ | 
|  | Secretary of the Senate | 
|  | APPROVED:  _____________________ | 
|  | Date | 
|  |  | 
|  | _____________________ | 
|  | Governor |