Bill Text: TX HB2333 | 2017-2018 | 85th Legislature | Introduced
Bill Title: Relating to a breach of system security of a business that exposes consumer credit card or debit card information; providing a civil penalty.
Spectrum: Partisan Bill (Republican 2-0)
Status: (Introduced - Dead) 2017-04-24 - Left pending in committee
85R9050 TSR-F
By: Elkins, H.B. No. 2333
relating to a breach of system security of a business that exposes
consumer credit card or debit card information; providing a civil
penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 521.053(a), Business & Commerce Code, is
amended to read as follows:
(a) In this section, "breach of system security" means
unauthorized acquisition of computerized data that compromises the
security, confidentiality, or integrity of sensitive personal
information, credit card information, or debit card information
maintained by a person, including data that is encrypted if the
person accessing the data has the key required to decrypt the data.
Good faith acquisition of sensitive personal information by an
employee or agent of the person for the purposes of the person is
not a breach of system security unless the person uses or discloses
the sensitive personal information in an unauthorized manner.
SECTION 2. Subchapter B, Chapter 521, Business & Commerce
Code, is amended by adding Sections 521.054 and 521.055 to read as
follows:
Sec. 521.054. BREACH INVOLVING CREDIT CARD OR DEBIT CARD
INFORMATION. (a) A business that accepts a credit card or debit
card for payment and retains any data related to the card other than
a confirmation number for the transaction shall secure the retained
information from a breach of system security, as defined by Section
521.053.
(b) If a breach of system security occurs in which credit
card or debit card information is compromised, the business shall:
(1) not more than 24 hours after the business
discovers or receives notification of the breach of system
security, send notice of the breach to the attorney general; and
(2) as soon as practicable after the business
discovers or receives notification of the breach of system
security, send notice of the breach to each financial institution
that issued a credit or debit card affected by the breach.
Sec. 521.055. DATA SECURITY BREACH VICTIM COMPENSATION
FUND. (a) The data security breach victim compensation fund is
created as a dedicated account in the general revenue fund.
(b) The fund consists of money collected under Section
521.1515.
(c) Money in the fund may be appropriated only to the
attorney general to:
(1) pay claims to consumers who have suffered
financial loss in relation to a breach of system security under
Section 521.054; and
(2) reimburse a financial institution for costs
associated with a breach of system security under Section 521.054.
(d) The office of the attorney general shall develop a
claims process to make payments from the fund in accordance with
Subsection (c).
SECTION 3. Subchapter D, Chapter 521, Business & Commerce
Code, is amended by adding Section 521.1515 to read as follows:
Sec. 521.1515. ADDITIONAL CIVIL PENALTY. (a) In addition
to penalties assessed under Section 521.151, a business that fails
to secure the business's computer system and suffers a breach of
system security described by Section 521.054 is liable to this
state for a civil penalty of $50 for each credit card and debit card
from which information was compromised.
(b) The attorney general may bring an action to recover a
civil penalty under this section. Amounts collected by the attorney
general under this section shall be deposited to the credit of the
data security breach victim compensation fund created under Section
521.055 and may be appropriated only as provided by that section.
SECTION 4. The changes in law made by this Act apply only to
a breach of system security that occurs on or after the effective
date of this Act. A breach of system security that occurs before the
effective date of this Act is governed by the law in effect at the
time the breach occurred, and that law is continued in effect for
that purpose.
SECTION 5. This Act takes effect September 1, 2017.