Bill Text: TX HB4390 | 2019-2020 | 86th Legislature | Engrossed
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council.
Spectrum: Bipartisan Bill
Status: (Passed) 2019-06-14 - See remarks for effective date [HB4390 Detail]
Download: Texas-2019-HB4390-Engrossed.html
Bill Title: Relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council.
Spectrum: Bipartisan Bill
Status: (Passed) 2019-06-14 - See remarks for effective date [HB4390 Detail]
Download: Texas-2019-HB4390-Engrossed.html
| By: Capriglione, Martinez Fischer, Rodriguez, | H.B. No. 4390 | |
| Collier | ||
|
|
||
|
|
||
| relating to the privacy of personal identifying information and the | ||
| creation of the Texas Privacy Protection Advisory Council. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. Section 521.053, Business & Commerce Code, is | ||
| amended by amending Subsection (b) and adding Subsection (i) to | ||
| read as follows: | ||
| (b) A person who conducts business in this state and owns or | ||
| licenses computerized data that includes sensitive personal | ||
| information shall disclose any breach of system security, after | ||
| discovering or receiving notification of the breach, to any | ||
| individual whose sensitive personal information was, or is | ||
| reasonably believed to have been, acquired by an unauthorized | ||
| person. The disclosure shall be made without unreasonable delay and | ||
| in each case not later than the 60th day after the date on which the | ||
| person determines that the breach occurred [ |
||
|
|
||
| determine the scope of the breach and restore the reasonable | ||
| integrity of the data system. | ||
| (i) A person who is required to disclose or provide | ||
| notification of a breach of system security under this section | ||
| shall notify the attorney general of that breach not later than the | ||
| 60th day after the date on which the person determines that the | ||
| breach occurred if the breach involves at least 250 residents of | ||
| this state. The notification under this subsection must include: | ||
| (1) a detailed description of the nature and | ||
| circumstances of the breach or the use of sensitive personal | ||
| information acquired as a result of the breach; | ||
| (2) the number of residents of this state affected by | ||
| the breach at the time of notification; | ||
| (3) the measures taken by the person regarding the | ||
| breach; | ||
| (4) any measures the person intends to take regarding | ||
| the breach after the notification under this subsection; and | ||
| (5) information regarding whether law enforcement is | ||
| engaged in investigating the breach. | ||
| SECTION 2. (a) In this section, "council" means the Texas | ||
| Privacy Protection Advisory Council created under this section. | ||
| (b) The Texas Privacy Protection Advisory Council is | ||
| created to study data privacy laws in this state, other states, and | ||
| relevant foreign jurisdictions. | ||
| (c) The council is composed of members who are residents of | ||
| this state and appointed as follows: | ||
| (1) five members appointed by the speaker of the house | ||
| of representatives, two of whom must be representatives of an | ||
| industry listed under Subsection (d) of this section and three of | ||
| whom must be members of the house of representatives; | ||
| (2) five members appointed by the lieutenant governor, | ||
| two of whom must be representatives of an industry listed under | ||
| Subsection (d) of this section and three of whom must be senators; | ||
| and | ||
| (3) five members appointed by the governor, three of | ||
| whom must be representatives of an industry listed under Subsection | ||
| (d) of this section and two of whom must be either: | ||
| (A) a representative of a nonprofit organization | ||
| that studies or evaluates data privacy laws from the perspective of | ||
| individuals whose information is collected or processed by | ||
| businesses; or | ||
| (B) a professor who teaches at a law school in | ||
| this state or other institution of higher education, as defined by | ||
| Section 61.003, Education Code, and whose books or scholarly | ||
| articles on the topic of data privacy have been published. | ||
| (d) For purposes of making appointments of members who | ||
| represent industries under Subsection (c) of this section, the | ||
| speaker of the house of representatives, lieutenant governor, and | ||
| governor shall appoint members from among the following industries | ||
| and must coordinate their appointments to avoid overlap in | ||
| representation of the industries: | ||
| (1) medical profession; | ||
| (2) technology; | ||
| (3) Internet; | ||
| (4) retail and electronic transactions; | ||
| (5) consumer banking; | ||
| (6) telecommunications; | ||
| (7) consumer data analytics; | ||
| (8) advertising; | ||
| (9) Internet service providers; | ||
| (10) social media platforms; | ||
| (11) cloud data storage; or | ||
| (12) virtual private networks. | ||
| (e) The speaker of the house of representatives and the | ||
| lieutenant governor shall each designate a co-chair from among | ||
| their respective appointments to the council who are members of the | ||
| legislature. | ||
| (f) The council shall convene on a regular basis at the | ||
| joint call of the co-chairs. | ||
| (g) The council shall: | ||
| (1) study and evaluate the laws in this state, other | ||
| states, and relevant foreign jurisdictions that govern the privacy | ||
| and protection of information that alone or in conjunction with | ||
| other information identifies or is linked or reasonably linkable to | ||
| a specific individual, technological device, or household; and | ||
| (2) make recommendations to the members of the | ||
| legislature on specific statutory changes regarding the privacy and | ||
| protection of that information, including changes to Chapter 521, | ||
| Business & Commerce Code, as amended by this Act, or to the Penal | ||
| Code, that appear necessary from the results of the council's study | ||
| under this section. | ||
| (h) Not later than September 1, 2020, the council shall | ||
| report the council's findings and recommendations to the members of | ||
| the legislature. | ||
| (i) The Department of Information Resources shall provide | ||
| administrative support to the council. | ||
| (j) Not later than the 60th day after the effective date of | ||
| this Act, the speaker of the house of representatives, the | ||
| lieutenant governor, and the governor shall appoint the members of | ||
| the council. | ||
| (k) The council is abolished and this section expires | ||
| December 31, 2020. | ||
| SECTION 3. This Act takes effect September 1, 2019. | ||
