House Amendment 8189

Amend House File 2610 as follows:

#1. Page 1, by inserting before line 3 the following:

<Section 1. Section 2C.18, Code 2007, is amended to read as follows:

2C.18 REPORT REPORTS TO GENERAL ASSEMBLY.

1. The citizens' aide shall by April 1 of each year submit an economically designed and reproduced report to the general assembly and to the governor concerning the exercise of the citizens' aide functions during the preceding calendar year. In discussing matters with which the citizens' aide has been concerned, the citizens' aide shall not identify specific persons if to do so would cause needless hardship. If the annual report criticizes a named agency or official, it shall also include unedited replies made by the agency or official to the criticism, unless excused by the agency or official affected.

2. The citizens' aide shall by January 1 of each year submit a report to the general assembly and to the governor concerning all notices received pursuant to section 22.15. The report shall not disclose the name or personal information of any affected individual. If the report criticizes a named agency or official, it shall also include unedited replies made by the agency or official to the criticism, unless excused by the agency or official.>

#2. Page 4, by inserting after line 27 the following:

<Sec. . NEW SECTION. 22.15 BREACH OF SECURITY -- NOTICE REQUIRED.

1. For purposes of this section, the following definitions apply:

a. "Breach of security" means any of the following:

(1) The unauthorized access to or acquisition of personal information.

(2) The unauthorized access to or acquisition of any electronic device containing personal information that compromises the security, confidentiality, or integrity of such personal information.

(3) The unauthorized disclosure of personal information subsequent to a good faith, authorized access to or acquisition of personal information.

b. "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if neither the name nor the data elements are encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:

(1) Social security number.

(2) Driver's license number or other unique identification number created or collected by a government body.

(3) Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

(4) Unique electronic identifier or routing code, in combination with any required security code, access code, or password.

(5) Unique biometric data, such as a fingerprint, voice print or recording, retina or iris image, or other unique physical representation or digital representation of the biometric data.

2. a. A government body that collects, maintains, or processes a public record containing personal information shall disclose any breach of security to each affected individual upon discovery or notification of the breach of security. Notice shall be made in the most expedient time and manner possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach of security and consistent with the legitimate needs of law enforcement as provided in paragraph "b". If the affected person is a minor, the government body shall provide notice to the minor's parent or guardian.

b. If requested by a law enforcement agency, the government body shall delay giving notice if notice may impede a criminal investigation or endanger state or national security. The request by a law enforcement agency shall be in writing or documented in writing by the government body. After the law enforcement agency notifies the government body that notice of the breach of security will no longer impede the investigation or endanger state or national security, the government body shall give notice to the affected individuals without unreasonable delay.

c. Following disclosure to the affected individual, a government body shall provide written notice of the breach to the citizens' aide. The notice provided to the citizens' aide shall include the same information as required under subsection 3, paragraph "a". The citizens' aide shall compile and summarize all notices received under this paragraph and prepare an annual report to the general assembly and the governor pursuant to section 2C.18, subsection 2.

3. a. Notice provided by a government body shall be clear and conspicuous and shall include all of the following:

(1) A description of the incident causing the breach of security.

(2) The type of personal information compromised by the breach of security.

(3) A description of any remedial action taken by the government body.

(4) Contact information for an individual within the government body with whom the individual may communicate in order to receive further information and assistance.

(5) A statement advising the affected individual to thoroughly and continually review financial account information and credit reports.

b. Notice shall be provided by at least one of the following:

(1) Written notice to the affected individual's last address of record.

(2) Electronic mail notice, if the affected individual has agreed to receive communications electronically.

(3) Telephonic notice, if the communication is made directly with the affected individual.

(4) Substitute notice, if the government body determines that the cost of providing notice to the affected individual under subparagraphs (1) through (3) exceeds one hundred thousand dollars, the total cost of providing notice to all affected individuals exceeds two hundred fifty thousand dollars, or the government body does not have sufficient contact information needed to provide notice under subparagraphs (1) through (3). Substitute notice shall consist of any of the following:

(a) Electronic mail notice.

(b) Conspicuous notice posted on the government body's internet site.

(c) Notification through local or statewide media.

4. Notwithstanding the requirements of this section, a government body that has approved its own notification procedures for a breach of security involving personal information, which are otherwise consistent with the requirements of this section, shall be deemed to be in compliance with this section if the government body notifies the affected individuals of the breach of security in accordance with its own procedures.>

#3. Title page, line 1, by inserting after the word <to> the following: <identity determination and protection and>.

#4. Title page, line 3, by inserting after the word <individuals,> the following: <and requiring government bodies to report breaches of security involving personal information,>.

#5. By renumbering as necessary.

GRANZOW of Hardin
HF 2610.704 82
ak/rj/11213