Bill Text: TX HB4390 | 2019-2020 | 86th Legislature | Comm Sub

NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council.

Spectrum: Bipartisan Bill

Status: (Passed) 2019-06-14 - See remarks for effective date [HB4390 Detail]

Download: Texas-2019-HB4390-Comm_Sub.html
  86R28657 TSR-F
 
  By: Capriglione, Martinez Fischer, Rodriguez, H.B. No. 4390
      Collier
 
  Substitute the following for H.B. No. 4390:
 
  By:  Darby C.S.H.B. No. 4390
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the privacy of personal identifying information and the
  creation of the Texas Privacy Protection Advisory Council.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 521.053, Business & Commerce Code, is
  amended by amending Subsection (b) and adding Subsection (i) to
  read as follows:
         (b)  A person who conducts business in this state and owns or
  licenses computerized data that includes sensitive personal
  information shall disclose any breach of system security, after
  discovering or receiving notification of the breach, to any
  individual whose sensitive personal information was, or is
  reasonably believed to have been, acquired by an unauthorized
  person. The disclosure shall be made without unreasonable delay and
  in each case not later than the 60th day after the date on which the
  person determines that the breach occurred [as quickly as
  possible], except as provided by Subsection (d) or as necessary to
  determine the scope of the breach and restore the reasonable
  integrity of the data system.
         (i)  A person who is required to disclose or provide
  notification of a breach of system security under this section
  shall notify the attorney general of that breach if the breach
  involves at least 250 residents of this state. The notification
  under this subsection must include:
               (1)  a detailed description of the nature and
  circumstances of the breach or the use of sensitive personal
  information acquired as a result of the breach;
               (2)  the number of residents of this state affected by
  the breach at the time of notification;
               (3)  the measures taken by the person regarding the
  breach;
               (4)  any measures the person intends to take regarding
  the breach after the notification under this subsection; and
               (5)  information regarding whether law enforcement is
  engaged in investigating the breach.
         SECTION 2.  (a) In this section, "council" means the Texas
  Privacy Protection Advisory Council created under this section.
         (b)  The Texas Privacy Protection Advisory Council is
  created to study data privacy laws in this state, other states, and
  relevant foreign jurisdictions.
         (c)  The council is composed of:
               (1)  five members of the house of representatives
  appointed by the speaker of the house of representatives;
               (2)  five senators appointed by the lieutenant
  governor; and
               (3)  five members of industry who are residents of this
  state appointed by the governor as follows:
                     (A)  one member representing the retail and
  electronic transaction industry;
                     (B)  one member representing the
  telecommunications industry;
                     (C)  one member representing the consumer data
  analytics industry;
                     (D)  one member representing the advertising
  industry; and
                     (E)  one member representing the Internet service
  provider industry.
         (d)  The speaker of the house of representatives and the
  lieutenant governor shall each designate a co-chair from among
  their respective appointments to the council.
         (e)  The council shall convene on a regular basis at the
  joint call of the co-chairs.
         (f)  The council shall:
               (1)  study and evaluate the laws in this state, other
  states, and relevant foreign jurisdictions that govern the privacy
  and protection of information that alone or in conjunction with
  other information identifies or is linked or reasonably linkable to
  a specific individual, technological device, or household; and
               (2)  make recommendations to the members of the
  legislature on specific statutory changes regarding the privacy and
  protection of that information, including changes to Chapter 521,
  Business & Commerce Code, as amended by this Act, or to the Penal
  Code, that appear necessary from the results of the council's study
  under this section.
         (g)  Not later than December 1, 2020, the council shall
  report the council's findings and recommendations to the members of
  the legislature.
         (h)  Not later than the 60th day after the effective date of
  this Act, the speaker of the house of representatives, the
  lieutenant governor, and the governor shall appoint the members of
  the council.
         (i)  The council is abolished and this section expires
  December 31, 2020.
         SECTION 3.  This Act takes effect September 1, 2019.
feedback