�
�
�	H.B.�No.�2004

�
�
�
�	AN ACT
�	relating to a breach of computer security involving sensitive
�	personal information and to the protection of sensitive personal
�	information and certain protected health information.
�	�������BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
�	�������SECTION�1.��Section 521.002(a)(2), Business & Commerce Code,
�	as effective April 1, 2009, is amended to read as follows:
�	�������������(2)��"Sensitive personal information" means, subject
�	to Subsection (b):
�	�������������������(A)��[,] an individual's first name or first
�	initial and last name in combination with any one or more of the
�	following items, if the name and the items are not encrypted:
�	�������������������������(i)�[(A)]��social security number;
�	�������������������������(ii)�[(B)]��driver's license number or
�	government-issued identification number; or
�	�������������������������(iii)�[(C)]��account number or credit or
�	debit card number in combination with any required security code,
�	access code, or password that would permit access to an
�	individual's financial account; or
�	�������������������(B)��information that identifies an individual
�	and relates to:
�	�������������������������(i)��the physical or mental health or
�	condition of the individual;
�	�������������������������(ii)��the provision of health care to the
�	individual; or
�	�������������������������(iii)��payment for the provision of health
�	care to the individual.
�	�������SECTION�2.��Section 521.052, Business & Commerce Code, is
�	amended by adding Subsection (d) to read as follows:
�	�������(d)��As used in this section, "business"�includes a nonprofit
�	athletic or sports association.
�	�������SECTION�3.��Section 521.053(a), Business & Commerce Code, as
�	effective April 1, 2009, is amended to read as follows:
�	�������(a)��In this section, "breach of system security" means
�	unauthorized acquisition of computerized data that compromises the
�	security, confidentiality, or integrity of sensitive personal
�	information maintained by a person, including data that is
�	encrypted if the person accessing the data has the key required to
�	decrypt the data. �Good faith acquisition of sensitive personal
�	information by an employee or agent of the person for the purposes
�	of the person is not a breach of system security unless the person
�	uses or discloses the sensitive personal information in an
�	unauthorized manner.
�	�������SECTION�4.��Subchapter F, Chapter 2054, Government Code, is
�	amended by adding Section 2054.1125 to read as follows:
�	�������Sec.�2054.1125.��SECURITY BREACH NOTIFICATION BY STATE
�	AGENCY. �(a) �In this section:
�	�������������(1)��"Breach of system security" has the meaning
�	assigned by Section 521.053, Business & Commerce Code.
�	�������������(2)��"Sensitive personal information" has the meaning
�	assigned by Section 521.002, Business & Commerce Code.
�	�������(b)��A state agency that owns, licenses, or maintains
�	computerized data that includes sensitive personal information
�	shall comply, in the event of a breach of system security, with the
�	notification requirements of Section 521.053, Business & Commerce
�	Code, to the same extent as a person who conducts business in this
�	state.
�	�������SECTION�5.��Subchapter A, Chapter 181, Health and Safety
�	Code, is amended by adding Section 181.006 to read as follows:
�	�������Sec.�181.006.��PROTECTED HEALTH INFORMATION NOT PUBLIC. For
�	a covered entity that is a governmental unit, an individual's
�	protected health information:
�	�������������(1)��includes any information that reflects that an
�	individual received health care from the covered entity; and
�	�������������(2)��is not public information and is not subject to
�	disclosure under Chapter 552, Government Code.
�	�������SECTION�6.��Chapter 205, Local Government Code, is amended
�	by adding Section 205.010 to read as follows:
�	�������Sec.�205.010.��SECURITY BREACH NOTIFICATION BY LOCAL
�	GOVERNMENT. �(a) �In this section:
�	�������������(1)��"Breach of system security" has the meaning
�	assigned by Section 521.053, Business & Commerce Code.
�	�������������(2)��"Sensitive personal information" has the meaning
�	assigned by Section 521.002, Business & Commerce Code.
�	�������(b)��A local government that owns, licenses, or maintains
�	computerized data that includes sensitive personal information
�	shall comply, in the event of a breach of system security, with the
�	notification requirements of Section 521.053, Business & Commerce
�	Code, to the same extent as a person who conducts business in this
�	state.
�	�������SECTION�7.��The changes in law made by this Act apply only to
�	a breach of system security that occurs on or after the effective
�	date of this Act. A breach of system security that occurs before the
�	effective date of this Act is governed by the law in effect on the
�	date the breach occurred, and the former law is continued in effect
�	for that purpose.
�	�������SECTION�8.��This Act takes effect September 1, 2009.
�
�
�	______________________________	______________________________
�	���President of the Senate	Speaker of the House�����
�
�
�	�������I certify that H.B. No. 2004 was passed by the House on April
�	28, 2009, by the following vote:��Yeas 148, Nays 0, 1 present, not
�	voting.
�
�	______________________________
�	Chief Clerk of the House���
�
�
�	�������I certify that H.B. No. 2004 was passed by the Senate on May
�	21, 2009, by the following vote:��Yeas 31, Nays 0.
�
�	______________________________
�	Secretary of the Senate����
�	APPROVED:��_____________________
�	�������������������Date����������
�	�
�	����������_____________________
�	�����������������Governor�������