House File 2423 - Introduced

HOUSE FILE 2423
BY COMMITTEE ON JUDICIARY
(SUCCESSOR TO HSB 622)

A BILL FOR

An Act relating to consumer protection modifying provisions applicable to consumer security freezes and personal information security breach protection.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 6148HV (6) 87 gh/rn

Section 1. Section 714G.2, Code 2018, is amended to read as follows:

714G.2 Security freeze.

1. A consumer may submit by certified mail to a consumer reporting agency a written request for a security freeze to a consumer reporting agency by first-class mail, telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method. The consumer must submit proper identification and the applicable fee with the request. Within five three business days after receiving the request, the consumer reporting agency shall commence the security freeze. Within ten three business days after commencing the security freeze, the consumer reporting agency shall send a written confirmation to the consumer of the security freeze, a personal identification number or password, other than the consumer’s social security number, for the consumer to use in authorizing the suspension or removal of the security freeze, including information on how the security freeze may be temporarily suspended.

2. a. If a consumer requests a security freeze from a consumer reporting agency that compiles and maintains files on a nationwide basis, the consumer may request to have the security freeze applied to any other consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.

b. For purposes of this subsection, “consumer reporting agency that compiles and maintains files on a nationwide basis” means the same as defined in 15 U.S.C. §1681a(p).

Sec. 2. Section 714G.3, subsection 1, Code 2018, is amended to read as follows:

1. A consumer may request that a security freeze be temporarily suspended to allow the consumer reporting agency to release the consumer credit report for a specific time period. The consumer reporting agency may shall develop procedures to expedite the receipt and processing of requests which may involve the use of telephones by first-class mail, telephone, facsimile transmissions, the secure internet connection, secure electronic mail, or other secure electronic media contact method. The consumer reporting agency shall comply with the request within three business days after receiving the consumer’s written request, or within fifteen minutes after the consumer’s request is received by the consumer reporting agency through facsimile, the secure internet connection, secure electronic mail, or other secure electronic contact method chosen by the consumer reporting agency, or the use of a telephone, during normal business hours. The consumer’s request shall include all of the following:

a. Proper identification.

b. The personal identification number or password provided by the consumer reporting agency.

c. Explicit instructions of the specific time period designated for suspension of the security freeze.

d. Payment of the applicable fee.

Sec. 3. Section 714G.4, unnumbered paragraph 1, Code 2018, is amended to read as follows:

A security freeze remains in effect until the consumer requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days after receiving a request for removal that includes proper identification of the consumer, and the personal identification number or password provided by the consumer reporting agency, and payment of the applicable fee.

Sec. 4. Section 714G.5, Code 2018, is amended to read as follows:

714G.5 Fees prohibited.

1. A consumer reporting agency shall not charge any fee to a consumer who is the victim of identity theft for commencing a security freeze, temporary suspension, or removal if with the initial security freeze request, the consumer submits a valid copy of the police report concerning the unlawful use of identification information by another person.

2. A consumer reporting agency may charge a fee not to exceed ten dollars to a consumer who is not the victim of identity theft for each security freeze, removal, or for reissuing a personal identification number or password if the consumer fails to retain the original number. The consumer reporting agency may charge a fee not to exceed twelve dollars for each temporary suspension of a security freeze.

A consumer reporting agency shall not charge a fee to a consumer for providing any service pursuant to this chapter, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze.

Sec. 5. Section 714G.8A, subsection 1, paragraph d, Code 2018, is amended by striking the paragraph.

Sec. 6. Section 714G.8A, subsection 3, paragraph d, Code 2018, is amended by striking the paragraph.

Sec. 7. Section 714G.8A, subsection 5, Code 2018, is amended to read as follows:

5. a. A consumer reporting agency may shall not charge a reasonable fee, not to exceed five dollars, for each the placement, or removal, or reinstatement of a protected consumer security freeze. A consumer reporting agency may not charge any other fee for a service performed pursuant to this section.

b. Notwithstanding paragraph “a”, a fee may not be charged by a consumer reporting agency pursuant to either of the following:

(1) If the protected consumer’s representative has obtained a police report or affidavit of alleged identity theft under section 715A.8 and submits a copy of the report or affidavit to the consumer reporting agency.

(2) A request for the commencement or removal of a protected consumer security freeze is for a protected consumer who is under the age of sixteen years at the time of the request and the consumer reporting agency has a consumer credit report pertaining to the protected consumer.

Sec. 8. Section 715C.1, subsections 1 and 5, Code 2018, are amended to read as follows:

1. “Breach of security” means unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. “Breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.

5. “Encryption” means the use of an algorithmic process pursuant to accepted industry standards to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

Sec. 9. Section 715C.2, subsections 7 and 8, Code 2018, are amended to read as follows:

7. This section does not apply to any of the following:

a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator.

b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.

c. A person who is subject to and complies with regulations promulgated pursuant to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 – 6809.

d. A person who is subject to and complies with regulations promulgated pursuant to Tit. II, subtit. F of the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §1320d – 1320d-9, and Tit. XIII, subtit. D of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 – 17954.

8. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred residents of this state pursuant to this section shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer pursuant to this section.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to consumer security freezes and personal information security breach protection.

Current law permits a consumer to submit a request for a security freeze via certified mail. The bill expands the methods permitted for a consumer to submit a request for a security freeze to allow such requests to be submitted via first-class mail, telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method.

The bill reduces the number of days by which a consumer reporting agency must commence a security freeze after receiving a request from five to three business days. The bill also reduces the number of days by which a consumer reporting agency must send written confirmation to a consumer after commencing a security freeze from ten to three business days.

The bill provides that if a consumer requests a security freeze from a consumer reporting agency that compiles and maintains files on a nationwide basis, as defined in the bill, the consumer may request to have the security freeze applied to any other similar consumer reporting agency.

The bill requires consumer reporting agencies to develop procedures to expedite the receipt and processing of security freeze suspension requests received via the same methods permitted for consumers to submit such requests. The bill requires a consumer reporting agency to commence a security freeze suspension within 15 minutes after receiving a request through telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method.

The bill prohibits consumer reporting agencies from charging fees to consumers for providing any service pursuant to Code chapter 714G, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze. The bill also prohibits consumer reporting agencies from charging fees for placing or removing a protected consumer security freeze pursuant to Code section 714G.8A. The bill removes several references to payment of fees in Code chapter 714G.

The bill also modifies various provisions relating to personal information security breach protection in Code chapter 715C. The bill expands the definition of “breach of security” to include the reasonable belief of unauthorized acquisition of personal information. However, the bill removes the unauthorized acquisition of personal information that was transferred from computerized form to another medium from the definition of “breach of security”. The definition of “encryption” is modified to mean the use of an algorithmic process pursuant to accepted industry standards.

The bill exempts from the consumer notification requirements persons who are subject to and comply with specified federal health information laws.

Current law requires a person who owns or licenses personal information that is subject to a breach of security requiring notification to more than 500 consumers in the state, as required by Code section 715C.2, to give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the security breach to any consumer. The bill removes language stating that a person give such written notice following the discovery of the breach or receipt of notification.