House Amendment 8134

Amend House File 2610 as follows:

#1. Page 4, by inserting after line 27 the following:

<Sec. . NEW SECTION. 23.1 DEFINITIONS.

1. "Breach of security" means the unauthorized access and acquisition of unencrypted or unredacted personal information that compromises the security, confidentiality, or integrity of an individual's personal information maintained by a person and that causes, or the person reasonably believes has caused or will cause, identity theft to the individual. Good faith acquisition of personal information by a person or a person's agent is not a breach of security, provided the personal information is not used for or is not subject to further unauthorized disclosure.

2. "Person" means any individual, partnership, corporation, trust, estate, cooperative, association, other entity, or government body as defined in section 22.1.

3. "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if neither the name nor the data elements are encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:
a. Social security number.
b. Driver's license number or other unique identification number.
c. Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
d. Unique electronic identifier or routing code, in combination with any required security code, access code, or password.
e. Unique biometric data, such as a fingerprint, voice print or recording, retina or iris image, or other unique physical representation or digital representation of the biometric data.

4. "Record" means information that is inscribed on a tangible medium, or that is stored in an electronic or other medium and is retrievable in perceivable form.

5. "Redact" means alteration or truncation of data such that no more than any of the following are accessible as part of the personal information:
a. Five digits of a social security number.
b. The last four digits of any account or identification number specified under subsection 3.

Sec. . NEW SECTION. 23.2 BREACH OF SECURITY == NOTICE.

1. a. A person that collects, maintains, licenses, or processes a record containing personal information shall disclose any breach of security to each affected individual upon discovery of the breach of security. Notice of the breach of security shall also be provided to an appropriate law enforcement agency. Notice to the affected individual shall be made in the most expedient time and manner possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach of security and with the legitimate needs of law enforcement as provided in subsection 2.
b. If the affected individual is a minor, the person shall provide notice to the minor's parent or guardian.
c. In the event that a person discovers circumstances requiring notification pursuant to this section of more than one thousand individuals at one time, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on individuals on a nationwide basis, as defined by 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice provided to the affected individuals.
d. A person that is regulated by state or federal law and that maintains procedures for a breach of the security pursuant to the rules, regulations, or guidelines established by the person's state or federal regulator is deemed to be in compliance with this section. This section shall not relieve a person from a duty to comply with other requirements of state or federal law regarding the protection and privacy of personal information.

2. If requested by a law enforcement agency, the person shall delay giving notice to the affected individual if notice may impede a criminal investigation or endanger state or national security. The request by a law enforcement agency shall be in writing or documented in writing by the person. After the law enforcement agency notifies the person that notice of the breach of security will no longer impede the investigation or endanger state or national security, the person shall give notice to the affected individuals without unreasonable delay.

Sec. . NEW SECTION. 23.3 FORM OF NOTICE.

1. Notice provided to an affected individual pursuant to section 23.2 shall be clear and conspicuous and shall include all of the following:
a. A description of the incident causing the breach of security.
b. The type of personal information compromised by the breach of security.
c. A description of any remedial action taken by the person.
d. Contact information for the person with whom the affected individual may communicate in order to receive further information and assistance.
e. A statement advising the affected individual to thoroughly and continually review financial account information and credit reports.

2. Notice to an affected individual pursuant to section 23.2 shall be provided by at least one of the following:
a. Written notice to the affected individual's last address of record.
b. Electronic mail notice, if the affected individual has agreed to receive communications electronically from the person.
c. Telephonic notice, if the communication is made directly with the affected individual.
d. Substitute notice, if the person determines that the cost of providing notice to all affected individuals under paragraphs "a" through "c" exceeds one hundred thousand dollars, that the number of affected individuals exceeds five thousand, or that the person does not have sufficient contact information needed to provide notice under paragraphs "a" through "c". Substitute notice shall consist of any of the following:
(1) Electronic mail notice.
(2) Conspicuous notice posted on the person's web site.
(3) Notification through local or statewide media.

Sec. . NEW SECTION. 23.4 ENFORCEMENT BY ATTORNEY GENERAL == PENALTY.

1. A person, other than a government body, who violates this chapter is subject to a civil penalty not to exceed ten thousand dollars for each breach of security unless the person is subject to a civil penalty for the same breach of security under another provision of state or federal law.

2. The office of attorney general shall initiate an action against a person who violates this chapter to enforce payment of a civil penalty.

3. A civil penalty imposed under this section shall not preclude a civil action filed by an affected individual.

#2. Title page, line 1, by inserting after the word <to> the following: <identity determination and protection and>.

#3. Title page, line 3, by inserting after the word <individuals,> the following: <and specifying notice procedures following a breach of security,>.

#4. By renumbering as necessary.

DEYOE of Story
HF 2610.705 82
ak/rj/11214