Sec. 72.004.  DISPOSAL OF BUSINESS RECORDS CONTAINING PERSONAL IDENTIFYING INFORMATION.  (a)  This section does not apply to:
(1)  a financial institution as defined by 15 U.S.C. Section 6809; or
(2)  a covered entity as defined by Section 601.001 or 602.001, Insurance Code.
(b)  When a business disposes of a business record that contains personal identifying information of a customer of the business, the business shall modify, by shredding, erasing, or other means, the personal identifying information so as to make the information unreadable or undecipherable.
(c)  A business is considered to comply with Subsection (b) if the business contracts with a person engaged in the business of disposing of records for the modification of personal identifying information on behalf of the business in accordance with that subsection.
(d)  A business that disposes of a business record without  complying with Subsection (b) is liable for a civil penalty in an amount not to exceed $500 for each business record.  The attorney general may bring an action against the business to:
(1)  recover the civil penalty;
(2)  obtain any other remedy, including injunctive relief;  and
(3)  recover costs and reasonable attorney's fees incurred in bringing the action.
(e)  A business that in good faith modifies a business record as required by Subsection (b) is not liable for a civil penalty under Subsection (d) if the business record is reconstructed, wholly or partly, through extraordinary means.
(f)  Subsection (b) does not require a business to modify a business record if:
(1)  the business is required to retain the business record under another law;  or
(2)  the business record is historically significant and:
(A)  there is no potential for identity theft or fraud while the business retains custody of the business record; or
(B)  the business record is transferred to a professionally managed historical repository.
Added by Acts 2007, 80th Leg., R.S., Ch. 885 (H.B. 2278), Sec. 2.01, eff. April 1, 2009.