House Study Bill 622 - Introduced

HOUSE FILE _____
BY (PROPOSED COMMITTEE ON JUDICIARY BILL BY CHAIRPERSON NUNN)

A BILL FOR

An Act relating to consumer protection modifying provisions applicable to consumer security freezes and personal information security breach protection.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 6148YC (4) 87
gh/rn

H.F. _____
Section 1. Section 714G.2, Code 2018, is amended to read as follows:

714G.2 Security freeze.

1. A consumer may submit by certified mail to a consumer reporting agency a written request for a security freeze to a consumer reporting agency by first-class mail, telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method. The consumer must submit proper identification and the applicable fee with the request. Within five three business days after receiving the request, the consumer reporting agency shall commence the security freeze. Within ten three business days after commencing the security freeze, the consumer reporting agency shall send a written confirmation to the consumer of the security freeze, a personal identification number or password, other than the consumer’s social security number, for the consumer to use in authorizing the suspension or removal of the security freeze, including information on how the security freeze may be temporarily suspended.

2. a. If a consumer requests a security freeze from a consumer reporting agency that compiles and maintains files on a nationwide basis, the consumer may request to have the security freeze applied to any other consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.

b. For purposes of this subsection, “consumer reporting agency that compiles and maintains files on a nationwide basis” means the same as defined in 15 U.S.C. §1681a(p).
Sec. 2. Section 714G.3, subsection 1, Code 2018, is amended to read as follows:

1. A consumer may request that a security freeze be temporarily suspended to allow the consumer reporting agency to release the consumer credit report for a specific time period. The consumer reporting agency may shall develop procedures to expedite the receipt and processing of requests which may involve the use of telephones by first-class mail, telephone, facsimile transmissions, the secure internet connection, secure electronic mail, or other secure electronic media contact method. The consumer reporting agency shall comply with the request within three business days after receiving the consumer’s written request, or within fifteen minutes after the consumer’s request is received by the consumer reporting agency through facsimile, the secure internet connection, secure electronic mail, or other secure electronic contact method chosen by the consumer reporting agency, or the use of a telephone, during normal business hours. The consumer’s request shall include all of the following:

a. Proper identification.

b. The personal identification number or password provided by the consumer reporting agency.

c. Explicit instructions of the specific time period designated for suspension of the security freeze.

d. Payment of the applicable fee.
Sec. 3. Section 714G.4, unnumbered paragraph 1, Code 2018, is amended to read as follows:

A security freeze remains in effect until the consumer requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days after receiving a request for removal that includes proper identification of the consumer, and the personal identification number or password provided by the consumer reporting agency, and payment of the applicable fee.
Sec. 4. Section 714G.5, Code 2018, is amended to read as follows:

714G.5 Fees prohibited.

1. A consumer reporting agency shall not charge any fee to a consumer who is the victim of identity theft for commencing a security freeze, temporary suspension, or removal if with the initial security freeze request, the consumer submits a valid copy of the police report concerning the unlawful use of identification information by another person.

2. A consumer reporting agency may charge a fee not to exceed ten dollars to a consumer who is not the victim of identity theft for each security freeze, removal, or for reissuing a personal identification number or password if the consumer fails to retain the original number. The consumer reporting agency may charge a fee not to exceed twelve dollars for each temporary suspension of a security freeze.

A consumer reporting agency shall not charge a fee to a consumer for providing any service pursuant to this chapter, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze.
Sec. 5. Section 714G.8A, subsection 1, paragraph d, Code 2018, is amended by striking the paragraph.

Sec. 6. Section 714G.8A, subsection 3, paragraph d, Code 2018, is amended by striking the paragraph.
Sec. 7. Section 714G.8A, subsection 5, Code 2018, is amended to read as follows:

5. a. A consumer reporting agency may shall not charge a reasonable fee, not to exceed five dollars, for each the placement, or removal, or reinstatement of a protected consumer security freeze. A consumer reporting agency may not charge any other fee for a service performed pursuant to this section.

b. Notwithstanding paragraph “a”, a fee may not be charged by a consumer reporting agency pursuant to either of the following:

(1) If the protected consumer’s representative has obtained a police report or affidavit of alleged identity theft under section 715A.8 and submits a copy of the report or affidavit to the consumer reporting agency.

(2) A request for the commencement or removal of a protected consumer security freeze is for a protected consumer who is under the age of sixteen years at the time of the request and the consumer reporting agency has a consumer credit report pertaining to the protected consumer.
Sec. 8. Section 715C.1, subsections 1 and 5, Code 2018, are amended to read as follows:

1. “Breach of security” means unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information maintained in computerized any form, including but not limited to electronic or paper form, by a person that compromises the security, confidentiality, or integrity of the personal information. “Breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.

5. “Encryption” means the use of an one-hundred-twenty-eight-bit or higher algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.
Sec. 9. Section 715C.2, subsections 7 and 8, Code 2018, are amended to read as follows:

7. This section does Subsections 1 through 6 shall not apply to any of the following:

a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator.

b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.

c. A person who is subject to and complies with regulations promulgated pursuant to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 – 6809.

d. A person who is subject to and complies with regulations promulgated pursuant to Tit. II, subtit. F of the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §1320d – 1320d-9, and Tit. XIII, subtit. D of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 – 17954.
8. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred residents of this state consumers pursuant to this section subsection 1 or any of the laws, rules, regulations, procedures, guidance, or guidelines set forth in subsection 7 shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer pursuant to this section.
EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to consumer security freezes and personal information security breach protection.

Current law permits a consumer to submit a request for a security freeze via certified mail. The bill expands the methods permitted for a consumer to submit a request for a security freeze to allow such requests to be submitted via first-class mail, telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method.

The bill reduces the number of days by which a consumer reporting agency must commence a security freeze after receiving a request from five to three business days. The bill also reduces the number of days by which a consumer reporting agency must send written confirmation to a consumer after commencing a security freeze from ten to three business days.

The bill provides that if a consumer requests a security freeze from a consumer reporting agency that compiles and maintains files on a nationwide basis, as defined in the bill, the consumer may request to have the security freeze applied to any other similar consumer reporting agency.
The bill requires consumer reporting agencies to develop procedures to expedite the receipt and processing of security freeze suspension requests received via the same methods permitted for consumers to submit such requests. The bill requires a consumer reporting agency to commence a security freeze suspension within 15 minutes after receiving a request through telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method.

The bill prohibits consumer reporting agencies from charging fees to consumers for providing any service pursuant to Code chapter 714G, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze. The bill also prohibits consumer reporting agencies from charging fees for placing or removing a protected consumer security freeze pursuant to Code section 714G.8A. The bill removes several references to payment of fees in Code chapter 714G.
The bill also modifies various provisions relating to personal information security breach protection in Code chapter 715C. The bill expands the definition of “breach of security” to include the reasonable belief of unauthorized acquisition of personal information, which may be in any form, including electronic or paper form. However, the bill removes the unauthorized acquisition of personal information that was transferred from computerized form to another medium from the definition of “breach of security”. The definition of “encryption” is modified to mean the use of an 128-bit or higher algorithmic process.

The bill exempts from the consumer notification requirements persons who are subject to and comply with specified federal health information laws.

Current law requires a person who owns or licenses personal information that is subject to a breach of security requiring notification to more than 500 consumers in the state, as required by Code section 715C.2, to give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general. The bill provides that written notification to the attorney general is also required for breaches of security where written notification to more than 500 consumers in the state is required by a person’s primary or functional federal regulator, a state or federal law that gives greater protection to personal information than provided in Code section 715C.2, or certain federal law.