85R9050 TSR-F

By: Elkins
H.B. No. 2333

A BILL TO BE ENTITLED

AN ACT

relating to a breach of system security of a business that exposes consumer credit card or debit card information; providing a civil penalty.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 521.053(a), Business & Commerce Code, is amended to read as follows:

(a) In this section, "breach of system security" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information, credit card information, or debit card information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data. Good faith acquisition of sensitive personal information by an employee or agent of the person for the purposes of the person is not a breach of system security unless the person uses or discloses the sensitive personal information in an unauthorized manner.

SECTION 2. Subchapter B, Chapter 521, Business & Commerce Code, is amended by adding Sections 521.054 and 521.055 to read as follows:

Sec. 521.054. BREACH INVOLVING CREDIT CARD OR DEBIT CARD INFORMATION.

(a) A business that accepts a credit card or debit card for payment and retains any data related to the card other than a confirmation number for the transaction shall secure the retained information from a breach of system security, as defined by Section 521.053.

(b) If a breach of system security occurs in which credit card or debit card information is compromised, the business shall:

(1) not more than 24 hours after the business discovers or receives notification of the breach of system security, send notice of the breach to the attorney general; and

(2) as soon as practicable after the business discovers or receives notification of the breach of system security, send notice of the breach to each financial institution that issued a credit or debit card affected by the breach.

Sec. 521.055. DATA SECURITY BREACH VICTIM COMPENSATION FUND.

(a) The data security breach victim compensation fund is created as a dedicated account in the general revenue fund.

(b) The fund consists of money collected under Section 521.1515.

(c) Money in the fund may be appropriated only to the attorney general to:

(1) pay claims to consumers who have suffered financial loss in relation to a breach of system security under Section 521.054; and

(2) reimburse a financial institution for costs associated with a breach of system security under Section 521.054.

(d) The office of the attorney general shall develop a claims process to make payments from the fund in accordance with Subsection (c).

SECTION 3. Subchapter D, Chapter 521, Business & Commerce Code, is amended by adding Section 521.1515 to read as follows:

Sec. 521.1515. ADDITIONAL CIVIL PENALTY.

(a) In addition to penalties assessed under Section 521.151, a business that fails to secure the business's computer system and suffers a breach of system security described by Section 521.054 is liable to this state for a civil penalty of $50 for each credit card and debit card from which information was compromised.

(b) The attorney general may bring an action to recover a civil penalty under this section. Amounts collected by the attorney general under this section shall be deposited to the credit of the data security breach victim compensation fund created under Section 521.055 and may be appropriated only as provided by that section.

SECTION 4. The changes in law made by this Act apply only to a breach of system security that occurs on or after the effective date of this Act. A breach of system security that occurs before the effective date of this Act is governed by the law in effect at the time the breach occurred, and that law is continued in effect for that purpose.

SECTION 5. This Act takes effect September 1, 2017.