Bill Text: TX HB4020 | 2015-2016 | 84th Legislature | Introduced
Bill Title: Relating to the security of certain financial information and liability for certain security breaches.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2015-04-21 - Withdrawn from schedule [HB4020 Detail]
Download: Texas-2015-HB4020-Introduced.html
| 84R11229 AJA-F | ||
| By: Raymond | H.B. No. 4020 | |
|
|
||
|
|
||
| relating to the security of certain financial information and | ||
| liability for certain security breaches. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. Subchapter B, Chapter 521, Business & Commerce | ||
| Code, is amended by adding Section 521.0521 to read as follows: | ||
| Sec. 521.0521. BUSINESS DUTIES REGARDING CERTAIN PAYMENT | ||
| INFORMATION. (a) In this section: | ||
| (1) "Access device" means a card that is issued by a | ||
| financial institution and that contains a magnetic strip, | ||
| microprocessor chip, or other means for storing information. The | ||
| term includes a credit card, debit card, or stored value card. | ||
| (2) "Breach of system security" has the meaning | ||
| assigned by Section 521.053. | ||
| (3) "Card security code" means the three-digit or | ||
| four-digit value that is printed on an access device or contained in | ||
| the microprocessor chip or magnetic strip of an access device and is | ||
| used to validate access device information during the authorization | ||
| process. | ||
| (4) "Financial institution" has the meaning assigned | ||
| by Section 201.101, Finance Code. | ||
| (5) "Magnetic strip data" means data contained in the | ||
| magnetic strip of an access device. | ||
| (6) "Microprocessor chip data" means data contained in | ||
| the microprocessor chip of an access device. | ||
| (7) "PIN" means a personal identification code that | ||
| identifies the cardholder. | ||
| (8) "PIN verification code data" means data used to | ||
| verify cardholder identity when a PIN is used in a transaction. | ||
| (9) "Service provider" means a person or entity that | ||
| stores, processes, or transmits access device data on behalf of a | ||
| business. | ||
| (b) Except as provided by this subsection, a business that | ||
| accepts an access device in connection with a transaction may not, | ||
| after authorization, retain the card security code, the PIN | ||
| verification code data, or the full contents of any track of | ||
| magnetic strip data. In the case of a PIN debit transaction, a code | ||
| or data described by this subsection may be retained for not more | ||
| than 48 hours after authorization. | ||
| (c) A business is in violation of Subsection (b) if its | ||
| service provider retains a code or data described by that | ||
| subsection after authorization except as permitted by that | ||
| subsection. | ||
| (d) If there is a breach of system security of a business | ||
| that has violated this section or a breach of system security of the | ||
| business's service provider, the business shall reimburse the | ||
| financial institution that issued any access device affected by the | ||
| breach for the costs of reasonable actions undertaken by the | ||
| financial institution as a result of the breach to protect the | ||
| information of its cardholders or to continue to provide services | ||
| to cardholders, including any cost incurred in connection with: | ||
| (1) the cancellation or reissuance of any access | ||
| device affected by the breach; | ||
| (2) the closure of any deposit, transaction, share | ||
| draft, or other account affected by the breach and any action to | ||
| stop payments or block transactions with respect to the account; | ||
| (3) the opening or reopening of any deposit, | ||
| transaction, share draft, or other account affected by the breach; | ||
| (4) any refund or credit made to a cardholder to cover | ||
| the cost of any unauthorized transaction relating to the breach; | ||
| and | ||
| (5) the notification of cardholders affected by the | ||
| breach. | ||
| (e) In addition to reimbursement under Subsection (d), the | ||
| financial institution is entitled to recover costs for damages paid | ||
| by the financial institution to cardholders injured by a breach of | ||
| system security of a business that has violated this section or a | ||
| breach of system security of the business's service provider. | ||
| (f) Costs that may be recovered under this section do not | ||
| include any costs recovered from a credit card company by a | ||
| financial institution. | ||
| (g) The remedies provided by this section are cumulative and | ||
| do not restrict any other right or remedy otherwise available to the | ||
| financial institution. | ||
| SECTION 2. (a) Section 521.0521, Business & Commerce Code, | ||
| as added by this Act, applies to the retention of codes and data | ||
| arising from transactions authorized before the effective date of | ||
| this Act as provided by this section. | ||
| (b) For transactions authorized before the effective date | ||
| of this Act, a business or its service provider may not retain any | ||
| codes or data described by Section 521.0521(b), Business & Commerce | ||
| Code, as added by this Act, other than codes or data arising from a | ||
| PIN debit transaction that occurred less than 48 hours before the | ||
| effective date of the Act. | ||
| (c) Codes and data arising from a PIN debit transaction | ||
| authorized less than 48 hours before the effective date of this Act | ||
| may not be retained for more than 48 hours after authorization. | ||
| SECTION 3. This Act takes effect September 1, 2015. | ||
