Sec. 521.052. BUSINESS DUTY TO PROTECT SENSITIVE PERSONAL INFORMATION. (a) A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.
(b) A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business's custody or control that are not to be retained by the business by:
(1) shredding;
(2) erasing; or
(3) otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.
(c) This section does not apply to a financial institution as defined by 15 U.S.C. Section 6809.
(d) As used in this section, "business" includes a nonprofit athletic or sports association.
Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.
Amended by:
Acts 2009, 81st Leg., R.S., Ch. 419 (H.B. 2004), Sec. 2, eff. September 1, 2009.