CS (Legal) – Information Security

A financial institution, as defined below, shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue. Such safeguards shall include the elements set forth below at ELEMENTS and shall be reasonably designed to achieve the objectives set forth below at OBJECTIVES. 16 C.F.R. 314.3(a); 15 U.S.C. 6801(b)

The objectives are to:

1. Ensure the security and confidentiality of customer information;

2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
16 C.F.R. 314.3(b)

To develop, implement, and maintain the information security program, the financial institution shall:

1. Designate an employee or employees to coordinate the program;

2. Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of the institution’s operations, including:
   a. Employee training and management;
   b. Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
   c. Detecting, preventing and responding to attacks, intrusions, or other systems failures.

3. Design and implement information safeguards to control the risks the institution identifies through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguard’s key controls, systems, and procedures.

4. Oversee service providers by:
   a. Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
   b. Requiring the institution’s service providers by contract to implement and maintain such safeguards.

5. Evaluate and adjust the information security program in light of the results of testing and monitoring, any material changes to the institution’s operations or business arrangements, or any other circumstances that the college district knows or has reason to know may have a material impact on the information security program.
16 C.F.R. 314.4


“Customer Information” means any record containing nonpublic personal information, as defined below, about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the institution or its affiliates. 16 C.F.R. 314.2(b)

“Financial institution” means any institution the business of which is engaging in financial activities as described in the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), including lending, exchanging, transferring, investing for others, or safeguarding money or securities. An institution that is significantly engaged in financial activities is a financial institution. 12 U.S.C. 1843(k); 16 C.F.R. 313.3(k)

“Nonpublic personal information” means:

1. Personally identifiable financial information; and

2. Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
16 C.F.R. 313.3(n)

“Service provider” means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a qualifying entity. 16 C.F.R. 314.2(d)


A person, including a college district, who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose, in accordance with the notice provisions at Business and Commerce Code 521.053(e), any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as provided at CRIMINAL INVESTIGATION EXCEPTION, below, or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Business and Commerce Code 521.053(b)

If the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident of a state that requires a person described by Business and Commerce Code 521.053(b) to provide notice of a breach of system security, the notice of the breach of system security required by Section 521.053(b) may be provided under that state’s law or under Business and Commerce Code 521.053(b). Business and Commerce Code 521.053(b-1); Gov’t Code 2054.1125; Local Gov’t Code 205.010

A person who maintains computerized data that includes sensitive personal information not owned by the person shall notify the owner or license holder, in accordance with Business and Commerce Code 521.053(e), of the information of any breach of system security immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Business and Commerce Code 521.053(c); Gov’t Code 2054.1125; Local Gov’t Code 205.010

If a person is required to notify at one time more than 10,000 persons of a breach of system security, the person shall also notify each consumer reporting agency, as defined by 15 U.S.C. 1681a, that maintains files on consumers on a nationwide basis, of the timing, distribution, and content of the notices. The person shall provide the notice without unreasonable delay. Business and Commerce Code 521.053(h); Gov’t Code 2054.1125; Local Gov’t Code 205.010

A person may delay providing the required notice to state residents or the owner or license holder at the request of a law enforcement agency that determines that the notification will impede a criminal investigation. The notification shall be made as soon as the law enforcement agency determines that the notification will not compromise the investigation. Business and Commerce Code 521.053(d); Gov’t Code 2054.1125; Local Gov’t Code 205.010

A person who maintains the person’s own notification procedures as part of an information security policy for the treatment of sensitive personal information that complies with the timing requirements for notice under Business and Commerce Code 521.053 complies with Section 521.053 if the person notifies affected persons in accordance with that policy. Business and Commerce Code 521.053(g); Gov’t Code 2054.1125; Local Gov’t Code 205.010


“Breach of system security” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data. Good faith acquisition of sensitive personal information by an employee or agent of the person for the purposes of the person is not a breach of system security unless the person uses or discloses the sensitive personal information in an unauthorized manner. Business and Commerce Code 521.053(a)

“Sensitive personal information” means:

1. An individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
   a. Social security number;
   b. Driver’s license number or government-issued identification number; or
   c. Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or

2. Information that identifies an individual and relates to:
   a. The physical or mental health or condition of the individual;
   b. The provision of health care to the individual; or
   c. Payment for the provision of health care to the individual.

“Sensitive personal information” does not include publicly available information that is lawfully made available to the public from the federal government or a state or local government. Business and Commerce Code 521.002(a)(2), (b)

Each institution of higher education, including each college district, that proposes to receive information resources technologies under a contract from another state agency or institution of higher education shall comply with 1 Administrative Code Chapter 204, Subchapter C. 1 TAC 204.30–.32

DATE ISSUED: 1/23/2017 UPDATE 32