House Amendment 8134


PAG LIN




     1  1    Amend House File 2610 as follows:
     1  2 #1.  Page 4, by inserting after line 27 the
     1  3 following:
     1  4    <Sec.    .  NEW SECTION.  23.1  DEFINITIONS.
     1  5    1.  "Breach of security" means the unauthorized
     1  6 access and acquisition of unencrypted or unredacted
     1  7 personal information that compromises the security,
     1  8 confidentiality, or integrity of an individual's
     1  9 personal information maintained by a person and that
     1 10 causes, or the person reasonably believes has caused
     1 11 or will cause, identity theft to the individual.  Good
     1 12 faith acquisition of personal information by a person
     1 13 or a person's agent is not a breach of security,
     1 14 provided the personal information is not used for or
     1 15 is not subject to further unauthorized disclosure.
     1 16    2.  "Person" means any individual, partnership,
     1 17 corporation, trust, estate, cooperative, association,
     1 18 other entity, or government body as defined in section
     1 19 22.1.
     1 20    3.  "Personal information" means an individual's
     1 21 first name or first initial and last name in
     1 22 combination with any one or more of the following data
     1 23 elements that relate to the individual if neither the
     1 24 name nor the data elements are encrypted, redacted, or
     1 25 otherwise altered by any method or technology in such
     1 26 a manner that the name or data elements are
     1 27 unreadable:
     1 28    a.  Social security number.
     1 29    b.  Driver's license number or other unique
     1 30 identification number.
     1 31    c.  Financial account number, credit card number,
     1 32 or debit card number in combination with any required
     1 33 security code, access code, or password that would
     1 34 permit access to an individual's financial account.
     1 35    d.  Unique electronic identifier or routing code,
     1 36 in combination with any required security code, access
     1 37 code, or password.
     1 38    e.  Unique biometric data, such as a fingerprint,
     1 39 voice print or recording, retina or iris image, or
     1 40 other unique physical representation or digital
     1 41 representation of the biometric data.
     1 42    4.  "Record" means information that is inscribed on
     1 43 a tangible medium, or that is stored in an electronic
     1 44 or other medium and is retrievable in perceivable
     1 45 form.
     1 46    5.  "Redact" means alteration or truncation of data
     1 47 such that no more than any of the following are
     1 48 accessible as part of the personal information:
     1 49    a.  Five digits of a social security number.
     1 50    b.  The last four digits of any account or
     2  1 identification number specified under subsection 3.
     2  2    Sec.    .  NEW SECTION.  23.2  BREACH OF SECURITY
     2  3 -- NOTICE.
     2  4    1.  a.  A person that collects, maintains,
     2  5 licenses, or processes a record containing personal
     2  6 information shall disclose any breach of security to
     2  7 each affected individual upon discovery of the breach
     2  8 of security.  Notice of the breach of security shall
     2  9 also be provided to an appropriate law enforcement
     2 10 agency.  Notice to the affected individual shall be
     2 11 made in the most expedient time and manner possible
     2 12 and without unreasonable delay, consistent with any
     2 13 measures necessary to determine the scope of the
     2 14 breach of security and with the legitimate needs of
     2 15 law enforcement as provided in subsection 2.
     2 16    b.  If the affected individual is a minor, the
     2 17 person shall provide notice to the minor's parent or
     2 18 guardian.
     2 19    c.  In the event that a person discovers
     2 20 circumstances requiring notification pursuant to this
     2 21 section of more than one thousand individuals at one
     2 22 time, the person shall also notify, without
     2 23 unreasonable delay, all consumer reporting agencies
     2 24 that compile and maintain files on individuals on a
     2 25 nationwide basis, as defined by 15 U.S.C. § 1681a(p),
     2 26 of the timing, distribution, and content of the notice
     2 27 provided to the affected individuals.
     2 28    d.  A person that is regulated by state or federal
     2 29 law and that maintains procedures for a breach of the
     2 30 security pursuant to the rules, regulations, or
     2 31 guidelines established by the person's state or
     2 32 federal regulator is deemed to be in compliance with
     2 33 this section.  This section shall not relieve a person
     2 34 from a duty to comply with other requirements of state
     2 35 or federal law regarding the protection and privacy of
     2 36 personal information.
     2 37    2.  If requested by a law enforcement agency, the
     2 38 person shall delay giving notice to the affected
     2 39 individual if notice may impede a criminal
     2 40 investigation or endanger state or national security.
     2 41 The request by a law enforcement agency shall be in
     2 42 writing or documented in writing by the person.  After
     2 43 the law enforcement agency notifies the person that
     2 44 notice of the breach of security will no longer impede
     2 45 the investigation or endanger state or national
     2 46 security, the person shall give notice to the affected
     2 47 individuals without unreasonable delay.
     2 48    Sec.    .  NEW SECTION.  23.3  FORM OF NOTICE.
     2 49    1.  Notice provided to an affected individual
     2 50 pursuant to section 23.2 shall be clear and
     3  1 conspicuous and shall include all of the following:
     3  2    a.  A description of the incident causing the
     3  3 breach of security.
     3  4    b.  The type of personal information compromised by
     3  5 the breach of security.
     3  6    c.  A description of any remedial action taken by
     3  7 the person.
     3  8    d.  Contact information for the person with whom
     3  9 the affected individual may communicate in order to
     3 10 receive further information and assistance.
     3 11    e.  A statement advising the affected individual to
     3 12 thoroughly and continually review financial account
     3 13 information and credit reports.
     3 14    2.  Notice to an affected individual pursuant to
     3 15 section 23.2 shall be provided by at least one of the
     3 16 following:
     3 17    a.  Written notice to the affected individual's
     3 18 last address of record.
     3 19    b.  Electronic mail notice, if the affected
     3 20 individual has agreed to receive communications
     3 21 electronically from the person.
     3 22    c.  Telephonic notice, if the communication is made
     3 23 directly with the affected individual.
     3 24    d.  Substitute notice, if the person determines
     3 25 that the cost of providing notice to all affected
     3 26 individuals under paragraphs "a" through "c" exceeds
     3 27 one hundred thousand dollars, that the number of
     3 28 affected individuals exceeds five thousand, or that
     3 29 the person does not have sufficient contact
     3 30 information needed to provide notice under paragraphs
     3 31 "a" through "c".  Substitute notice shall consist of
     3 32 any of the following:
     3 33    (1)  Electronic mail notice.
     3 34    (2)  Conspicuous notice posted on the person's web
     3 35 site.
     3 36    (3)  Notification through local or statewide media.
     3 37    Sec.    .  NEW SECTION.  23.4  ENFORCEMENT BY
     3 38 ATTORNEY GENERAL -- PENALTY.
     3 39    1.  A person, other than a government body, who
     3 40 violates this chapter is subject to a civil penalty
     3 41 not to exceed ten thousand dollars for each breach of
     3 42 security unless the person is subject to a civil
     3 43 penalty for the same breach of security under another
     3 44 provision of state or federal law.
     3 45    2.  The office of attorney general shall initiate
     3 46 an action against a person who violates this chapter
     3 47 to enforce payment of a civil penalty.
     3 48    3.  A civil penalty imposed under this section
     3 49 shall not preclude a civil action filed by an affected
     3 50 individual.
     4  1 #2.  Title page, line 1, by inserting after the
     4  2 word <to> the following:  <identity determination and
     4  3 protection and>.
     4  4 #3.  Title page, line 3, by inserting after the
     4  5 word <individuals,> the following:  <and specifying
     4  6 notice procedures following a breach of security,>.
     4  7 #4.  By renumbering as necessary.
     4  8
     4  9
     4 10                               
     4 11 DEYOE of Story
     4 12 HF 2610.705 82
     4 13 ak/rj/11214
