House
Amendment
to
Senate
File
2177
S-5083
Amend
Senate
File
2177,
as
passed
by
the
Senate,
as
follows:
1
1.
Page
1,
by
striking
lines
7
and
8
and
inserting
<
secure
2
internet
connection,
or
other
secure
electronic
contact
method
3
designated
by
the
consumer
reporting
agency
.
The
consumer
4
must
>
5
2.
Page
1,
by
striking
lines
22
through
25
and
inserting
6
<
on
a
nationwide
basis,
the
consumer
reporting
agency
shall
7
identify,
to
the
best
of
its
knowledge,
any
other
consumer
8
reporting
agency
that
compiles
and
maintains
files
on
consumers
9
on
a
nationwide
basis
and
inform
consumers
of
appropriate
10
contact
information
that
would
permit
the
consumer
to
place,
11
lift,
or
remove
a
security
freeze
from
such
other
consumer
12
reporting
agency.
>
13
3.
Page
2,
by
striking
lines
2
through
4
and
inserting
14
<
facsimile
transmissions,
the
secure
internet
connection
,
or
15
other
secure
electronic
media
contact
method
designated
by
the
16
consumer
reporting
agency
.
The
consumer
reporting
agency
shall
17
comply
with
>
18
4.
Page
2,
by
striking
lines
8
through
10
and
inserting
19
<
agency
through
facsimile,
the
secure
internet
,
connection
or
20
other
secure
electronic
contact
method
chosen
designated
by
the
21
consumer
reporting
agency,
or
the
use
of
>
22
5.
Page
4,
by
striking
lines
1
and
2
and
inserting:
23
<
Sec.
___.
Section
715C.1,
subsections
1
and
5,
Code
2018,
24
are
amended
to
read
as
follows:
25
1.
“Breach
of
security”
means
unauthorized
acquisition
,
26
or
reasonable
belief
of
unauthorized
acquisition,
of
personal
27
information
maintained
in
computerized
form
by
a
person
that
28
compromises
the
security,
confidentiality,
or
integrity
of
29
the
personal
information.
“Breach
of
security”
also
means
30
unauthorized
acquisition
of
personal
information
maintained
31
by
a
person
in
any
medium,
including
on
paper,
that
was
32
transferred
by
the
person
to
that
medium
from
computerized
33
form
and
that
compromises
the
security,
confidentiality,
or
34
integrity
of
the
personal
information.
Good
faith
acquisition
35
-1-
SF2177.4259
(1)
87
md
1/
3
#1.
#2.
#3.
#4.
#5.
of
personal
information
by
a
person
or
that
person’s
employee
1
or
agent
for
a
legitimate
purpose
of
that
person
is
not
a
2
breach
of
security,
provided
that
the
personal
information
3
is
not
used
in
violation
of
applicable
law
or
in
a
manner
4
that
harms
or
poses
an
actual
threat
to
the
security,
5
confidentiality,
or
integrity
of
the
personal
information.
6
5.
“Encryption”
means
the
use
of
an
algorithmic
process
7
pursuant
to
accepted
industry
standards
to
transform
data
into
8
a
form
in
which
the
data
is
rendered
unreadable
or
unusable
9
without
the
use
of
a
confidential
process
or
key.
10
Sec.
___.
Section
715C.2,
subsections
7
and
8,
Code
2018,
11
are
amended
to
read
as
follows:
12
7.
This
section
does
not
apply
to
any
of
the
following:
13
a.
A
person
who
complies
with
notification
requirements
or
14
breach
of
security
procedures
that
provide
greater
protection
15
to
personal
information
and
at
least
as
thorough
disclosure
16
requirements
than
that
provided
by
this
section
pursuant
to
17
the
rules,
regulations,
procedures,
guidance,
or
guidelines
18
established
by
the
person’s
primary
or
functional
federal
19
regulator.
20
b.
A
person
who
complies
with
a
state
or
federal
law
21
that
provides
greater
protection
to
personal
information
and
22
at
least
as
thorough
disclosure
requirements
for
breach
of
23
security
or
personal
information
than
that
provided
by
this
24
section
.
25
c.
A
person
who
is
subject
to
and
complies
with
regulations
26
promulgated
pursuant
to
Tit.
V
of
the
federal
27
Gramm-Leach-Bliley
Act
of
1999,
15
U.S.C.
§6801
–
6809.
28
d.
A
person
who
is
subject
to
and
complies
with
regulations
29
promulgated
pursuant
to
Tit.
II,
subtit.
F
of
the
federal
30
Health
Insurance
Portability
and
Accountability
Act
of
1996,
31
42
U.S.C.
§1320d
–
1320d-9,
and
Tit.
XIII,
subtit.
D
of
the
32
federal
Health
Information
Technology
for
Economic
and
Clinical
33
Health
Act
of
2009,
42
U.S.C.
§17921
–
17954.
34
8.
Any
person
who
owns
or
licenses
computerized
data
that
35
-2-
SF2177.4259
(1)
87
md
2/
3
includes
a
consumer’s
personal
information
that
is
used
in
1
the
course
of
the
person’s
business,
vocation,
occupation,
2
or
volunteer
activities
and
that
was
subject
to
a
breach
of
3
security
requiring
notification
to
more
than
five
hundred
4
residents
of
this
state
pursuant
to
this
section
shall
give
5
written
notice
of
the
breach
of
security
following
discovery
6
of
such
breach
of
security,
or
receipt
of
notification
under
7
subsection
2
,
to
the
director
of
the
consumer
protection
8
division
of
the
office
of
the
attorney
general
within
five
9
business
days
after
giving
notice
of
the
breach
of
security
to
10
any
consumer
pursuant
to
this
section
.
11
Sec.
___.
EFFECTIVE
DATE.
The
following
take
effect
January
12
1,
2019:
13
1.
The
section
of
this
Act
amending
section
714G.2.
14
2.
The
section
of
this
Act
amending
section
714G.3,
15
subsection
1.
16
3.
The
section
of
this
Act
amending
section
714G.4,
17
unnumbered
paragraph
1.
>
18
6.
Title
page,
line
2,
after
<
and
>
by
inserting
<
personal
19
information
security
breach
protection,
and
>
20
7.
By
renumbering
as
necessary.
21
-3-
SF2177.4259
(1)
87
md
3/
3
#6.