(a) This section does not apply to:
- (1) a financial institution as defined by 15 U.S.C. Section 6809; or
- (2) a covered entity as defined by Section 601.001 or 602.001, Insurance Code.
- (b) When a business disposes of a business record that contains personal identifying information of a customer of the business, the business shall modify, by shredding, erasing, or other means, the personal identifying information so as to make the information unreadable or undecipherable.
- (c) A business is considered to comply with Subsection (b) if the business contracts with a person engaged in the business of disposing of records for the modification of personal identifying information on behalf of the business in accordance with that subsection.
(d) A business that disposes of a business record without complying with Subsection (b) is liable for a civil penalty in an amount not to exceed $500 for each business record. The attorney general may bring an action against the business to:
- (1) recover the civil penalty;
- (2) obtain any other remedy, including injunctive relief; and
- (3) recover costs and reasonable attorney's fees incurred in bringing the action.
- (e) A business that in good faith modifies a business record as required by Subsection (b) is not liable for a civil penalty under Subsection (d) if the business record is reconstructed, wholly or partly, through extraordinary means.
(f) Subsection (b) does not require a business to modify a business record if:
- (1) the business is required to retain the business record under another law; or
(2) the business record is historically significant and:
- (A) there is no potential for identity theft or fraud while the business retains custody of the business record; or
- (B) the business record is transferred to a professionally managed historical repository.
Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.