CHAPTER 521. UNAUTHORIZED USE OF IDENTIFYING INFORMATION
BUSINESS AND COMMERCE CODE
TITLE 11. PERSONAL IDENTITY INFORMATION
SUBTITLE B. IDENTITY THEFT
CHAPTER 521. UNAUTHORIZED USE OF IDENTIFYING INFORMATION
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 521.001. SHORT TITLE. This chapter may be cited as the
Identity Theft Enforcement and Protection Act.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Sec. 521.002. DEFINITIONS. (a) In this chapter:
(1) "Personal identifying information" means information that
alone or in conjunction with other information identifies an
individual, including an individual's:
(A) name, social security number, date of birth, or
government-issued identification number;
(B) mother's maiden name;
(C) unique biometric data, including the individual's
fingerprint, voice print, and retina or iris image;
(D) unique electronic identification number, address, or routing
code; and
(E) telecommunication access device as defined by Section 32.51,
Penal Code.
(2) "Sensitive personal information" means, subject to
Subsection (b):
(A) an individual's first name or first initial and last name in
combination with any one or more of the following items, if the
name and the items are not encrypted:
(i) social security number;
(ii) driver's license number or government-issued identification
number; or
(iii) account number or credit or debit card number in
combination with any required security code, access code, or
password that would permit access to an individual's financial
account; or
(B) information that identifies an individual and relates to:
(i) the physical or mental health or condition of the
individual;
(ii) the provision of health care to the individual; or
(iii) payment for the provision of health care to the
individual.
(3) "Victim" means a person whose identifying information is
used by an unauthorized person.
(b) For purposes of this chapter, the term "sensitive personal
information" does not include publicly available information that
is lawfully made available to the public from the federal
government or a state or local government.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Amended by:
Acts 2009, 81st Leg., R.S., Ch.
419, Sec. 1, eff. September 1, 2009.
SUBCHAPTER B. IDENTITY THEFT
Sec. 521.051. UNAUTHORIZED USE OR POSSESSION OF PERSONAL
IDENTIFYING INFORMATION. (a) A person may not obtain, possess,
transfer, or use personal identifying information of another
person without the other person's consent and with intent to
obtain a good, a service, insurance, an extension of credit, or
any other thing of value in the other person's name.
(b) It is a defense to an action brought under this section that
an act by a person:
(1) is covered by the Fair Credit Reporting Act (15 U.S.C.
Section 1681 et seq.); and
(2) is in compliance with that Act and regulations adopted under
that Act.
(c) This section does not apply to:
(1) a financial institution as defined by 15 U.S.C. Section
6809; or
(2) a covered entity as defined by Section 601.001 or 602.001,
Insurance Code.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Sec. 521.052. BUSINESS DUTY TO PROTECT SENSITIVE PERSONAL
INFORMATION. (a) A business shall implement and maintain
reasonable procedures, including taking any appropriate
corrective action, to protect from unlawful use or disclosure any
sensitive personal information collected or maintained by the
business in the regular course of business.
(b) A business shall destroy or arrange for the destruction of
customer records containing sensitive personal information within
the business's custody or control that are not to be retained by
the business by:
(1) shredding;
(2) erasing; or
(3) otherwise modifying the sensitive personal information in
the records to make the information unreadable or indecipherable
through any means.
(c) This section does not apply to a financial institution as
defined by 15 U.S.C. Section 6809.
(d) As used in this section, "business" includes a nonprofit
athletic or sports association.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Amended by:
Acts 2009, 81st Leg., R.S., Ch.
419, Sec. 2, eff. September 1, 2009.
Sec. 521.053. NOTIFICATION REQUIRED FOLLOWING BREACH OF SECURITY
OF COMPUTERIZED DATA. (a) In this section, "breach of system
security" means unauthorized acquisition of computerized data
that compromises the security, confidentiality, or integrity of
sensitive personal information maintained by a person, including
data that is encrypted if the person accessing the data has the
key required to decrypt the data. Good faith acquisition of
sensitive personal information by an employee or agent of the
person for the purposes of the person is not a breach of system
security unless the person uses or discloses the sensitive
personal information in an unauthorized manner.
(b) A person who conducts business in this state and owns or
licenses computerized data that includes sensitive personal
information shall disclose any breach of system security, after
discovering or receiving notification of the breach, to any
resident of this state whose sensitive personal information was,
or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure shall be made as quickly as
possible, except as provided by Subsection (d) or as necessary to
determine the scope of the breach and restore the reasonable
integrity of the data system.
(c) Any person who maintains computerized data that includes
sensitive personal information not owned by the person shall
notify the owner or license holder of the information of any
breach of system security immediately after discovering the
breach, if the sensitive personal information was, or is
reasonably believed to have been, acquired by an unauthorized
person.
(d) A person may delay providing notice as required by
Subsection (b) or (c) at the request of a law enforcement agency
that determines that the notification will impede a criminal
investigation. The notification shall be made as soon as the law
enforcement agency determines that the notification will not
compromise the investigation.
(e) A person may give notice as required by Subsection (b) or
(c) by providing:
(1) written notice;
(2) electronic notice, if the notice is provided in accordance
with 15 U.S.C. Section 7001; or
(3) notice as provided by Subsection (f).
(f) If the person required to give notice under Subsection (b)
or (c) demonstrates that the cost of providing notice would
exceed $250,000, the number of affected persons exceeds 500,000,
or the person does not have sufficient contact information, the
notice may be given by:
(1) electronic mail, if the person has electronic mail addresses
for the affected persons;
(2) conspicuous posting of the notice on the person's website;
or
(3) notice published in or broadcast on major statewide media.
(g) Notwithstanding Subsection (e), a person who maintains the
person's own notification procedures as part of an information
security policy for the treatment of sensitive personal
information that complies with the timing requirements for notice
under this section complies with this section if the person
notifies affected persons in accordance with that policy.
(h) If a person is required by this section to notify at one
time more than 10,000 persons of a breach of system security, the
person shall also notify each consumer reporting agency, as
defined by 15 U.S.C. Section 1681a, that maintains files on
consumers on a nationwide basis, of the timing, distribution, and
content of the notices. The person shall provide the notice
required by this subsection without unreasonable delay.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Amended by:
Acts 2009, 81st Leg., R.S., Ch.
419, Sec. 3, eff. September 1, 2009.
SUBCHAPTER C. COURT ORDER DECLARING INDIVIDUAL
A VICTIM OF IDENTITY THEFT
Sec. 521.101. APPLICATION FOR COURT ORDER TO DECLARE INDIVIDUAL
A VICTIM OF IDENTITY THEFT. (a) A person who is injured by a
violation of Section 521.051 or who has filed a criminal
complaint alleging commission of an offense under Section 32.51,
Penal Code, may file an application with a district court for the
issuance of an order declaring that the person is a victim of
identity theft.
(b) A person may file an application under this section
regardless of whether the person is able to identify each person
who allegedly transferred or used the person's identifying
information in an unlawful manner.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Sec. 521.102. PRESUMPTION OF APPLICANT'S STATUS AS VICTIM. An
applicant under Section 521.101 is presumed to be a victim of
identity theft under this subchapter if the person charged with
an offense under Section 32.51, Penal Code, is convicted of the
offense.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Sec. 521.103. ISSUANCE OF ORDER; CONTENTS. (a) After notice
and hearing, if the court is satisfied by a preponderance of the
evidence that an applicant under Section 521.101 has been injured
by a violation of Section 521.051 or is the victim of an offense
under Section 32.51, Penal Code, the court shall enter an order
declaring that the applicant is a victim of identity theft
resulting from a violation of Section 521.051 or an offense under
Section 32.51, Penal Code, as appropriate.
(b) An order under this section must contain:
(1) any known information identifying the violator or person
charged with the offense;
(2) the specific personal identifying information and any
related document used to commit the alleged violation or offense;
and
(3) information identifying any financial account or transaction
affected by the alleged violation or offense, including:
(A) the name of the financial institution in which the account
is established or of the merchant involved in the transaction, as
appropriate;
(B) any relevant account numbers;
(C) the dollar amount of the account or transaction affected by
the alleged violation or offense; and
(D) the date of the alleged violation or offense.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Sec. 521.104. CONFIDENTIALITY OF ORDER. (a) An order issued
under Section 521.103 must be sealed because of the confidential
nature of the information required to be included in the order.
The order may be opened and the order or a copy of the order may
be released only:
(1) to the proper officials in a civil proceeding brought by or
against the victim arising or resulting from a violation of this
chapter, including a proceeding to set aside a judgment obtained
against the victim;
(2) to the victim for the purpose of submitting the copy of the
order to a governmental entity or private business to:
(A) prove that a financial transaction or account of the victim
was directly affected by a violation of this chapter or the
commission of an offense under Section 32.51, Penal Code; or
(B) correct any record of the entity or business that contains
inaccurate or false information as a result of the violation or
offense;
(3) on order of the judge; or
(4) as otherwise required or provided by law.
(b) A copy of an order provided to a person under Subsection
(a)(1) must remain sealed throughout and after the civil
proceeding.
(c) Information contained in a copy of an order provided to a
governmental entity or business under Subsection (a)(2) is
confidential and may not be released to another person except as
otherwise required or provided by law.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Sec. 521.105. GROUNDS FOR VACATING ORDER. A court at any time
may vacate an order issued under Section 521.103 if the court
finds that the application filed under Section 521.101 or any
information submitted to the court by the applicant contains a
fraudulent misrepresentation or a material misrepresentation of
fact.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
SUBCHAPTER D. REMEDIES
Sec. 521.151. CIVIL PENALTY; INJUNCTION. (a) A person who
violates this chapter is liable to this state for a civil penalty
of at least $2,000 but not more than $50,000 for each violation.
The attorney general may bring an action to recover the civil
penalty imposed under this subsection.
(b) If it appears to the attorney general that a person is
engaging in, has engaged in, or is about to engage in conduct
that violates this chapter, the attorney general may bring an
action in the name of the state against the person to restrain
the violation by a temporary restraining order or by a permanent
or temporary injunction.
(c) An action brought under Subsection (b) must be filed in a
district court in Travis County or:
(1) in any county in which the violation occurred; or
(2) in the county in which the victim resides, regardless of
whether the alleged violator has resided, worked, or transacted
business in the county in which the victim resides.
(d) The attorney general is not required to give a bond in an
action under this section.
(e) In an action under this section, the court may grant any
other equitable relief that the court considers appropriate to:
(1) prevent any additional harm to a victim of identity theft or
a further violation of this chapter; or
(2) satisfy any judgment entered against the defendant,
including issuing an order to appoint a receiver, sequester
assets, correct a public or private record, or prevent the
dissipation of a victim's assets.
(f) The attorney general is entitled to recover reasonable
expenses, including reasonable attorney's fees, court costs, and
investigatory costs, incurred in obtaining injunctive relief or
civil penalties, or both, under this section. Amounts collected
by the attorney general under this section shall be deposited in
the general revenue fund and may be appropriated only for the
investigation and prosecution of other cases under this chapter.
(g) The fees associated with an action under this section are
the same as in a civil case, but the fees may be assessed only
against the defendant.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.
Sec. 521.152. DECEPTIVE TRADE PRACTICE. A violation of Section
521.051 is a deceptive trade practice actionable under Subchapter
E, Chapter 17.
Added by Acts 2007, 80th Leg., R.S., Ch.
885, Sec. 2.01, eff. April 1, 2009.