House Amendment 8189


PAG LIN




     1  1    Amend House File 2610 as follows:
     1  2 #1.  Page 1, by inserting before line 3 the
     1  3 following:
     1  4    <Section 1.  Section 2C.18, Code 2007, is amended
     1  5 to read as follows:
     1  6    2C.18  REPORT REPORTS TO GENERAL ASSEMBLY.
     1  7    1.  The citizens' aide shall by April 1 of each
     1  8 year submit an economically designed and reproduced
     1  9 report to the general assembly and to the governor
     1 10 concerning the exercise of the citizens' aide
     1 11 functions during the preceding calendar year.  In
     1 12 discussing matters with which the citizens' aide has
     1 13 been concerned, the citizens' aide shall not identify
     1 14 specific persons if to do so would cause needless
     1 15 hardship.  If the annual report criticizes a named
     1 16 agency or official, it shall also include unedited
     1 17 replies made by the agency or official to the
     1 18 criticism, unless excused by the agency or official
     1 19 affected.
     1 20    2.  The citizens' aide shall by January 1 of each
     1 21 year submit a report to the general assembly and to
     1 22 the governor concerning all notices received pursuant
     1 23 to section 22.15.  The report shall not disclose the
     1 24 name or personal information of any affected
     1 25 individual.  If the report criticizes a named agency
     1 26 or official, it shall also include unedited replies
     1 27 made by the agency or official to the criticism,
     1 28 unless excused by the agency or official.>
     1 29 #2.  Page 4, by inserting after line 27 the
     1 30 following:
     1 31    <Sec.    .  NEW SECTION.  22.15  BREACH OF SECURITY
     1 32 -- NOTICE REQUIRED.
     1 33    1.  For purposes of this section, the following
     1 34 definitions apply:
     1 35    a.  "Breach of security" means any of the
     1 36 following:
     1 37    (1)  The unauthorized access to or acquisition of
     1 38 personal information.
     1 39    (2)  The unauthorized access to or acquisition of
     1 40 any electronic device containing personal information
     1 41 that compromises the security, confidentiality, or
     1 42 integrity of such personal information.
     1 43    (3)  The unauthorized disclosure of personal
     1 44 information subsequent to a good faith, authorized
     1 45 access to or acquisition of personal information.
     1 46    b.  "Personal information" means an individual's
     1 47 first name or first initial and last name in
     1 48 combination with any one or more of the following data
     1 49 elements that relate to the individual if neither the
     1 50 name nor the data elements are encrypted, redacted, or
     2  1 otherwise altered by any method or technology in such
     2  2 a manner that the name or data elements are
     2  3 unreadable:
     2  4    (1)  Social security number.
     2  5    (2)  Driver's license number or other unique
     2  6 identification number created or collected by a
     2  7 government body.
     2  8    (3)  Financial account number, credit card number,
     2  9 or debit card number in combination with any required
     2 10 security code, access code, or password that would
     2 11 permit access to an individual's financial account.
     2 12    (4)  Unique electronic identifier or routing code,
     2 13 in combination with any required security code, access
     2 14 code, or password.
     2 15    (5)  Unique biometric data, such as a fingerprint,
     2 16 voice print or recording, retina or iris image, or
     2 17 other unique physical representation or digital
     2 18 representation of the biometric data.
     2 19    2.  a.  A government body that collects, maintains,
     2 20 or processes a public record containing personal
     2 21 information shall disclose any breach of security to
     2 22 each affected individual upon discovery or
     2 23 notification of the breach of security.  Notice shall
     2 24 be made in the most expedient time and manner possible
     2 25 and without unreasonable delay, consistent with any
     2 26 measures necessary to determine the scope of the
     2 27 breach of security and consistent with the legitimate
     2 28 needs of law enforcement as provided in paragraph "b".
     2 29 If the affected person is a minor, the government body
     2 30 shall provide notice to the minor's parent or
     2 31 guardian.
     2 32    b.  If requested by a law enforcement agency, the
     2 33 government body shall delay giving notice if notice
     2 34 may impede a criminal investigation or endanger state
     2 35 or national security.  The request by a law
     2 36 enforcement agency shall be in writing or documented
     2 37 in writing by the government body.  After the law
     2 38 enforcement agency notifies the government body that
     2 39 notice of the breach of security will no longer impede
     2 40 the investigation or endanger state or national
     2 41 security, the government body shall give notice to the
     2 42 affected individuals without unreasonable delay.
     2 43    c.  Following disclosure to the affected
     2 44 individual, a government body shall provide written
     2 45 notice of the breach to the citizens' aide.  The
     2 46 notice provided to the citizens' aide shall include
     2 47 the same information as required under subsection 3,
     2 48 paragraph "a".  The citizens' aide shall compile and
     2 49 summarize all notices received under this paragraph
     2 50 and prepare an annual report to the general assembly
     3  1 and the governor pursuant to section 2C.18, subsection
     3  2 2.
     3  3    3.  a.  Notice provided by a government body shall
     3  4 be clear and conspicuous and shall include all of the
     3  5 following:
     3  6    (1)  A description of the incident causing the
     3  7 breach of security.
     3  8    (2)  The type of personal information compromised
     3  9 by the breach of security.
     3 10    (3)  A description of any remedial action taken by
     3 11 the government body.
     3 12    (4)  Contact information for an individual within
     3 13 the government body with whom the individual may
     3 14 communicate in order to receive further information
     3 15 and assistance.
     3 16    (5)  A statement advising the affected individual
     3 17 to thoroughly and continually review financial account
     3 18 information and credit reports.
     3 19    b.  Notice shall be provided by at least one of the
     3 20 following:
     3 21    (1)  Written notice to the affected individual's
     3 22 last address of record.
     3 23    (2)  Electronic mail notice, if the affected
     3 24 individual has agreed to receive communications
     3 25 electronically.
     3 26    (3)  Telephonic notice, if the communication is
     3 27 made directly with the affected individual.
     3 28    (4)  Substitute notice, if the government body
     3 29 determines that the cost of providing notice to the
     3 30 affected individual under subparagraphs (1) through
     3 31 (3) exceeds one hundred thousand dollars, the total
     3 32 cost of providing notice to all affected individuals
     3 33 exceeds two hundred fifty thousand dollars, or the
     3 34 government body does not have sufficient contact
     3 35 information needed to provide notice under
     3 36 subparagraphs (1) through (3).  Substitute notice
     3 37 shall consist of any of the following:
     3 38    (a)  Electronic mail notice.
     3 39    (b)  Conspicuous notice posted on the government
     3 40 body's internet site.
     3 41    (c)  Notification through local or statewide media.
     3 42    4.  Notwithstanding the requirements of this
     3 43 section, a government body that has approved its own
     3 44 notification procedures for a breach of security
     3 45 involving personal information, which are otherwise
     3 46 consistent with the requirements of this section,
     3 47 shall be deemed to be in compliance with this section
     3 48 if the government body notifies the affected
     3 49 individuals of the breach of security in accordance
     3 50 with its own procedures.>
     4  1 #3.  Title page, line 1, by inserting after the
     4  2 word <to> the following:  <identity determination and
     4  3 protection and>.
     4  4 #4.  Title page, line 3, by inserting after the
     4  5 word <individuals,> the following:  <and requiring
     4  6 government bodies to report breaches of security
     4  7 involving personal information,>.
     4  8 #5.  By renumbering as necessary.
     4  9
     4 10
     4 11                               
     4 12 GRANZOW of Hardin
     4 13 HF 2610.704 82
     4 14 ak/rj/11213