House Study Bill 622 - Introduced

HOUSE FILE _____
BY (PROPOSED COMMITTEE ON JUDICIARY BILL BY CHAIRPERSON NUNN)

A BILL FOR

An Act relating to consumer protection modifying provisions applicable to consumer security freezes and personal information security breach protection.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 6148YC (4) 87 gh/rn
H.F. _____

Section 1. Section 714G.2, Code 2018, is amended to read as follows:

714G.2 Security freeze.

1. A consumer may submit by certified mail to a consumer reporting agency a written request for a security freeze to a consumer reporting agency by first-class mail, telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method. The consumer must submit proper identification and the applicable fee with the request. Within five three business days after receiving the request, the consumer reporting agency shall commence the security freeze. Within ten three business days after commencing the security freeze, the consumer reporting agency shall send a written confirmation to the consumer of the security freeze, a personal identification number or password, other than the consumer’s social security number, for the consumer to use in authorizing the suspension or removal of the security freeze, including information on how the security freeze may be temporarily suspended.

2. a. If a consumer requests a security freeze from a consumer reporting agency that compiles and maintains files on a nationwide basis, the consumer may request to have the security freeze applied to any other consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.

b. For purposes of this subsection, “consumer reporting agency that compiles and maintains files on a nationwide basis” means the same as defined in 15 U.S.C. §1681a(p).

Sec. 2. Section 714G.3, subsection 1, Code 2018, is amended to read as follows:

1. A consumer may request that a security freeze be temporarily suspended to allow the consumer reporting agency to release the consumer credit report for a specific time period.
The consumer reporting agency may shall develop procedures to expedite the receipt and processing of requests which may
involve the use of telephones by first-class mail, telephone, facsimile transmissions, the secure internet connection, secure electronic mail, or other secure electronic media contact method. The consumer reporting agency shall comply with the request within three business days after receiving the consumer’s written request, or within fifteen minutes after the consumer’s request is received by the consumer reporting agency through facsimile, the secure internet connection, secure electronic mail, or other secure electronic contact method chosen by the consumer reporting agency, or the use of a telephone, during normal business hours. The consumer’s request shall include all of the following:

a. Proper identification.

b. The personal identification number or password provided by the consumer reporting agency.

c. Explicit instructions of the specific time period designated for suspension of the security freeze.

d. Payment of the applicable fee.

Sec. 3. Section 714G.4, unnumbered paragraph 1, Code 2018, is amended to read as follows:

A security freeze remains in effect until the consumer requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days after receiving a request for removal that includes proper identification of the consumer, and the personal identification number or password provided by the consumer reporting agency, and payment of the applicable fee.

Sec. 4. Section 714G.5, Code 2018, is amended to read as follows:

714G.5 Fees prohibited.

1. A consumer reporting agency shall not charge any fee to a consumer who is the victim of identity theft for commencing a security freeze, temporary suspension, or removal if with the initial security freeze request, the consumer submits a valid copy of the police report concerning the unlawful use of
identification information by another person.

2. A consumer reporting agency may charge a fee not to exceed ten dollars to a consumer who is not the victim of identity theft for each security freeze, removal, or for reissuing a personal identification number or password if the consumer fails to retain the original number. The consumer reporting agency may charge a fee not to exceed twelve dollars for each temporary suspension of a security freeze.

A consumer reporting agency shall not charge a fee to a consumer for providing any service pursuant to this chapter, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze.

Sec. 5. Section 714G.8A, subsection 1, paragraph d, Code 2018, is amended by striking the paragraph.

Sec. 6. Section 714G.8A, subsection 3, paragraph d, Code 2018, is amended by striking the paragraph.

Sec. 7. Section 714G.8A, subsection 5, Code 2018, is amended to read as follows:

5. a. A consumer reporting agency may shall not charge a reasonable fee, not to exceed five dollars, for each the placement, or removal, or reinstatement of a protected consumer security freeze. A consumer reporting agency may not charge any other fee for a service performed pursuant to this section.

b. Notwithstanding paragraph “a”, a fee may not be charged by a consumer reporting agency pursuant to either of the following:

(1) If the protected consumer’s representative has obtained a police report or affidavit of alleged identity theft under section 715A.8 and submits a copy of the report or affidavit to the consumer reporting agency.

(2) A request for the commencement or removal of a protected consumer security freeze is for a protected consumer who is under the age of sixteen years at the time of the request and the consumer reporting agency has a consumer credit report pertaining to the protected consumer.
Sec. 8. Section 715C.1, subsections 1 and 5, Code 2018, are amended to read as follows:

1. “Breach of security” means unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information maintained in computerized any form, including but not limited to electronic or paper form, by a person that compromises the security, confidentiality, or integrity of the personal information. “Breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.

5. “Encryption” means the use of an one-hundred-twenty-eight-bit or higher algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

Sec. 9. Section 715C.2, subsections 7 and 8, Code 2018, are amended to read as follows:

7. This section does Subsections 1 through 6 shall not apply to any of the following:

a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator.

b.
A person who complies with a state or federal law
that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.

c. A person who is subject to and complies with regulations promulgated pursuant to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 – 6809.

d. A person who is subject to and complies with regulations promulgated pursuant to Tit. II, subtit. F of the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §1320d – 1320d-9, and Tit. XIII, subtit. D of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 – 17954.

8. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred residents of this state consumers pursuant to this section subsection 1 or any of the laws, rules, regulations, procedures, guidance, or guidelines set forth in subsection 7 shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer pursuant to this section.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to consumer security freezes and personal information security breach protection.

Current law permits a consumer to submit a request for a security freeze via certified mail.
The bill expands the methods permitted for a consumer to submit a request for
a security freeze to allow such requests to be submitted via first-class mail, telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method.

The bill reduces the number of days by which a consumer reporting agency must commence a security freeze after receiving a request from five to three business days. The bill also reduces the number of days by which a consumer reporting agency must send written confirmation to a consumer after commencing a security freeze from ten to three business days.

The bill provides that if a consumer requests a security freeze from a consumer reporting agency that compiles and maintains files on a nationwide basis, as defined in the bill, the consumer may request to have the security freeze applied to any other similar consumer reporting agency.

The bill requires consumer reporting agencies to develop procedures to expedite the receipt and processing of security freeze suspension requests received via the same methods permitted for consumers to submit such requests. The bill requires a consumer reporting agency to commence a security freeze suspension within 15 minutes after receiving a request through telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method.

The bill prohibits consumer reporting agencies from charging fees to consumers for providing any service pursuant to Code chapter 714G, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze. The bill also prohibits consumer reporting agencies from charging fees for placing or removing a protected consumer security freeze pursuant to Code section 714G.8A. The bill removes several references to payment of fees in Code chapter 714G.
The bill also modifies various provisions relating to personal information security breach protection in Code chapter 715C. The bill expands the definition of “breach of
security” to include the reasonable belief of unauthorized acquisition of personal information, which may be in any form, including electronic or paper form. However, the bill removes the unauthorized acquisition of personal information that was transferred from computerized form to another medium from the definition of “breach of security”. The definition of “encryption” is modified to mean the use of a 128-bit or higher algorithmic process.

The bill exempts from the consumer notification requirements persons who are subject to and comply with specified federal health information laws.

Current law requires a person who owns or licenses personal information that is subject to a breach of security requiring notification to more than 500 consumers in the state, as required by Code section 715C.2, to give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general. The bill provides that written notification to the attorney general is also required for breaches of security where written notification to more than 500 consumers in the state is required by a person’s primary or functional federal regulator, a state or federal law that gives greater protection to personal information than provided in Code section 715C.2, or certain federal law.