Senate File 2391 - Reprinted

SENATE FILE 2391
BY COMMITTEE ON STATE GOVERNMENT
(SUCCESSOR TO SF 2080)
(As Amended and Passed by the Senate March 11, 2020)

A BILL FOR

An Act prohibiting the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

SF 2391 (3) 88 ja/rn/mb

Section 1. Section 8B.4, Code 2020, is amended by adding the following new subsection:

NEW SUBSECTION. 17A. Authorize the state or a political subdivision of the state, not including a municipal utility, in consultation with the department of public safety and the department of homeland security and emergency management, to expend revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack pursuant to section 8H.3.

Sec. 2. NEW SECTION. 8H.1 Definitions.

As used in this chapter, unless the context otherwise requires:

1. “Critical infrastructure” means the same as defined in section 29C.24. “Critical infrastructure” includes real and personal property and equipment owned or used to provide fire fighting, law enforcement, medical, or other emergency services.

2. “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

3. “Political subdivision” means a city, county, township, or school district. “Political subdivision” does not include a municipal utility.

4. “Ransomware attack” means carrying out until payment is made, or threatening to carry out until payment is made, any of the following actions:

a. An act declared unlawful pursuant to section 715.4.

b. A “breach of security” as defined in section 715C.1.

c. The use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.

Sec. 3. NEW SECTION. 8H.2 Requirement to report a ransomware attack.

If the state or a political subdivision of the state is subject to a ransomware attack, the state or the political subdivision shall provide notice of the ransomware attack to the office of the chief information officer following discovery of the ransomware attack. The notice shall be provided in the most expeditious manner possible and without unreasonable delay. The office of the chief information officer shall adopt rules establishing notification procedures pursuant to this section.

Sec. 4. NEW SECTION. 8H.3 Revenue received from taxpayers —— prohibition —— ransomware.

1. Except as provided in subsection 2 or 3, the state or a political subdivision of the state shall not expend tax revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

2. The office of the chief information officer, in consultation with the department of public safety and the department of homeland security and emergency management, may authorize the state or a political subdivision of the state to expend tax revenue otherwise prohibited pursuant to subsection 1 in the event of any of the following:

a. A critical or emergency situation as defined by the department of homeland security and emergency management, or when the department of homeland security and emergency management determines the expenditure of tax revenue is in the public interest.

b. A ransomware attack affecting critical infrastructure within the state or a political subdivision of the state.

3. The state or a political subdivision of the state may expend tax revenue otherwise prohibited pursuant to subsection 1 in the event of a ransomware attack affecting an officer or employee of the judicial branch.

Sec. 5. NEW SECTION. 8H.4 Payments for insurance.

The state or a political subdivision of the state may use revenue received from taxpayers to pay premiums, deductibles, and other costs associated with an insurance policy related to cybersecurity or ransomware attacks only if the state or the political subdivision first exhausts all other reasonable means of mitigating a potential ransomware attack. Subject to section 8H.3, subsections 2 and 3, nothing in this section shall be construed to authorize the state or a political subdivision of the state to make a direct payment using revenue received from taxpayers to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

Sec. 6. NEW SECTION. 8H.5 Confidential records.

Information related to all of the following shall be considered a confidential record under section 22.7:

1. Insurance coverage maintained by the state or a political subdivision of the state related to cybersecurity or a ransomware attack.

2. Payment by the state or a political subdivision of the state to a person responsible for, or believed to be responsible for, a ransomware attack pursuant to section 8H.3.

Sec. 7. LEGISLATIVE INTENT. It is the intent of the general assembly that the state and the political subdivisions of the state have tested cybersecurity mitigation plans and policies.

Sec. 8. RULEMAKING. The office of the chief information officer shall prepare a notice of intended action for the adoption of rules to administer this Act. The notice of intended action shall be submitted to the administrative rules coordinator and the administrative code editor as soon as practicable, but no later than October 1, 2020. However, nothing in this section authorizes the office of the chief information officer to adopt rules under section 17A.4, subsection 3, or section 17A.5, subsection 2, paragraph “b”.

Sec. 9. EFFECTIVE DATE.

1. Except as provided in subsection 2, this Act takes effect July 1, 2021.

2. The section of this Act requiring the office of the chief information officer to prepare a notice of intended action for the adoption of rules to administer this Act takes effect upon enactment.