By: Capriglione, et al. (Senate Sponsor - Nelson) H.B. No. 4390
         (In the Senate - Received from the House May 8, 2019;
  May 10, 2019, read first time and referred to Committee on Business &
  Commerce; May 20, 2019, reported adversely, with favorable
  Committee Substitute by the following vote:  Yeas 9, Nays 0;
  May 20, 2019, sent to printer.)
Click here to see the committee vote
 
  COMMITTEE SUBSTITUTE FOR H.B. No. 4390 By:  Nichols
 
 
A BILL TO BE ENTITLED
 
AN ACT
 
  relating to the privacy of personal identifying information and the
  creation of the Texas Privacy Protection Advisory Council.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 521.053, Business & Commerce Code, is
  amended by amending Subsection (b) and adding Subsection (i) to
  read as follows:
         (b)  A person who conducts business in this state and owns or
  licenses computerized data that includes sensitive personal
  information shall disclose any breach of system security, after
  discovering or receiving notification of the breach, to any
  individual whose sensitive personal information was, or is
  reasonably believed to have been, acquired by an unauthorized
  person. The disclosure shall be made without unreasonable delay and
  in each case not later than the 60th day after the date on which the
  person determines that the breach occurred [as quickly as
  possible], except as provided by Subsection (d) or as necessary to
  determine the scope of the breach and restore the reasonable
  integrity of the data system.
         (i)  A person who is required to disclose or provide
  notification of a breach of system security under this section
  shall notify the attorney general of that breach not later than the
  60th day after the date on which the person determines that the
  breach occurred if the breach involves at least 250 residents of
  this state. The notification under this subsection must include:
               (1)  a detailed description of the nature and
  circumstances of the breach or the use of sensitive personal
  information acquired as a result of the breach;
               (2)  the number of residents of this state affected by
  the breach at the time of notification;
               (3)  the measures taken by the person regarding the
  breach;
               (4)  any measures the person intends to take regarding
  the breach after the notification under this subsection; and
               (5)  information regarding whether law enforcement is
  engaged in investigating the breach.
         SECTION 2.  (a) In this section, "council" means the Texas
  Privacy Protection Advisory Council created under this section.
         (b)  The Texas Privacy Protection Advisory Council is
  created to study data privacy laws in this state, other states, and
  relevant foreign jurisdictions.
         (c)  The council is composed of members who are residents of
  this state and appointed as follows:
               (1)  five members appointed by the speaker of the house
  of representatives, two of whom must be representatives of an
  industry listed under Subsection (d) of this section and three of
  whom must be members of the house of representatives;
               (2)  five members appointed by the lieutenant governor,
  two of whom must be representatives of an industry listed under
  Subsection (d) of this section and three of whom must be senators;
  and
               (3)  five members appointed by the governor, three of
  whom must be representatives of an industry listed under Subsection
  (d) of this section and two of whom must be either:
                     (A)  a representative of a nonprofit organization
  that studies or evaluates data privacy laws from the perspective of
  individuals whose information is collected or processed by
  businesses; or
                     (B)  a professor who teaches at a law school in
  this state or other institution of higher education, as defined by
  Section 61.003, Education Code, and whose books or scholarly
  articles on the topic of data privacy have been published.
         (d)  For purposes of making appointments of members who
  represent industries under Subsection (c) of this section, the
  speaker of the house of representatives, lieutenant governor, and
  governor shall appoint members from among the following industries
  and must coordinate their appointments to avoid overlap in
  representation of the industries:
               (1)  medical profession;
               (2)  technology;
               (3)  Internet;
               (4)  retail and electronic transactions;
               (5)  consumer banking;
               (6)  telecommunications;
               (7)  consumer data analytics;
               (8)  advertising;
               (9)  Internet service providers;
               (10)  social media platforms;
               (11)  cloud data storage;
               (12)  virtual private networks; or
               (13)  retail electric.
         (e)  The speaker of the house of representatives and the
  lieutenant governor shall each designate a co-chair from among
  their respective appointments to the council who are members of the
  legislature.
         (f)  The council shall convene on a regular basis at the
  joint call of the co-chairs.
         (g)  The council shall:
               (1)  study and evaluate the laws in this state, other
  states, and relevant foreign jurisdictions that govern the privacy
  and protection of information that alone or in conjunction with
  other information identifies or is linked or reasonably linkable to
  a specific individual, technological device, or household; and
               (2)  make recommendations to the members of the
  legislature on specific statutory changes regarding the privacy and
  protection of that information, including changes to Chapter 521,
  Business & Commerce Code, as amended by this Act, or to the Penal
  Code, that appear necessary from the results of the council's study
  under this section.
         (h)  Not later than September 1, 2020, the council shall
  report the council's findings and recommendations to the members of
  the legislature.
         (i)  The Department of Information Resources shall provide
  administrative support to the council.
         (j)  Not later than the 60th day after the effective date of
  this Act, the speaker of the house of representatives, the
  lieutenant governor, and the governor shall appoint the members of
  the council.
         (k)  The council is abolished and this section expires
  December 31, 2020.
         SECTION 3.  (a)  Except as provided by Subsection (b) of this
  section, this Act takes effect September 1, 2019.
         (b)  Section 521.053, Business & Commerce Code, as amended by
  this Act, takes effect January 1, 2020.
 
  * * * * *