Texas Laws - Business and Commerce Code
BUSINESS AND COMMERCE CODE
TITLE 11. PERSONAL IDENTITY INFORMATION

SUBCHAPTER B. IDENTITY THEFT
Sec. 521.051. UNAUTHORIZED USE OR POSSESSION OF PERSONAL IDENTIFYING INFORMATION.

(a) A person may not obtain, possess, transfer, or use personal identifying information of another person without the other person's consent and with intent to obtain a good, a service, insurance, an extension of credit, or any other thing of value in the other person's name.

(b) It is a defense to an action brought under this section that an act by a person:

(1) is covered by the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.); and

(2) is in compliance with that Act and regulations adopted under that Act.

(c) This section does not apply to:

(1) a financial institution as defined by 15 U.S.C. Section 6809; or

(2) a covered entity as defined by Section 601.001 or 602.001, Insurance Code.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.

Sec. 521.052. BUSINESS DUTY TO PROTECT SENSITIVE PERSONAL INFORMATION.

(a) A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.

(b) A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business's custody or control that are not to be retained by the business by:

(1) shredding;

(2) erasing; or

(3) otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.

(c) This section does not apply to a financial institution as defined by 15 U.S.C. Section 6809.

(d) As used in this section, "business" includes a nonprofit athletic or sports association.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.

Amended by:

Acts 2009, 81st Leg., R.S., Ch. 419 (H.B. 2004), Sec. 2, eff. September 1, 2009.

Sec. 521.053. NOTIFICATION REQUIRED FOLLOWING BREACH OF SECURITY OF COMPUTERIZED DATA.

(a) In this section, "breach of system security" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data. Good faith acquisition of sensitive personal information by an employee or agent of the person for the purposes of the person is not a breach of system security unless the person uses or discloses the sensitive personal information in an unauthorized manner.

(b) A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b-1) If the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident of a state that requires a person described by Subsection (b) to provide notice of a breach of system security, the notice of the breach of system security required under Subsection (b) may be provided under that state's law or under Subsection (b).

(c) Any person who maintains computerized data that includes sensitive personal information not owned by the person shall notify the owner or license holder of the information of any breach of system security immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(d) A person may delay providing notice as required by Subsection (b) or (c) at the request of a law enforcement agency that determines that the notification will impede a criminal investigation. The notification shall be made as soon as the law enforcement agency determines that the notification will not compromise the investigation.

(e) A person may give notice as required by Subsection (b) or (c) by providing:

(1) written notice at the last known address of the individual;

(2) electronic notice, if the notice is provided in accordance with 15 U.S.C. Section 7001; or

(3) notice as provided by Subsection (f).

(f) If the person required to give notice under Subsection (b) or (c) demonstrates that the cost of providing notice would exceed $250,000, the number of affected persons exceeds 500,000, or the person does not have sufficient contact information, the notice may be given by:

(1) electronic mail, if the person has electronic mail addresses for the affected persons;

(2) conspicuous posting of the notice on the person's website; or

(3) notice published in or broadcast on major statewide media.

(g) Notwithstanding Subsection (e), a person who maintains the person's own notification procedures as part of an information security policy for the treatment of sensitive personal information that complies with the timing requirements for notice under this section complies with this section if the person notifies affected persons in accordance with that policy.

(h) If a person is required by this section to notify at one time more than 10,000 persons of a breach of system security, the person shall also notify each consumer reporting agency, as defined by 15 U.S.C. Section 1681a, that maintains files on consumers on a nationwide basis, of the timing, distribution, and content of the notices. The person shall provide the notice required by this subsection without unreasonable delay.

Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.

Amended by:

Acts 2009, 81st Leg., R.S., Ch. 419 (H.B. 2004), Sec. 3, eff. September 1, 2009.

Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 14, eff. September 1, 2012.

Acts 2013, 83rd Leg., R.S., Ch. 1368 (S.B. 1610), Sec. 1, eff. June 14, 2013.

  
