House Amendment to Senate File 2177 S-5083 Amend Senate File 2177, as passed by the Senate, as follows: 1 1. Page 1, by striking lines 7 and 8 and inserting < secure 2 internet connection, or other secure electronic contact method 3 designated by the consumer reporting agency . The consumer 4 must > 5 2. Page 1, by striking lines 22 through 25 and inserting 6 < on a nationwide basis, the consumer reporting agency shall 7 identify, to the best of its knowledge, any other consumer 8 reporting agency that compiles and maintains files on consumers 9 on a nationwide basis and inform consumers of appropriate 10 contact information that would permit the consumer to place, 11 lift, or remove a security freeze from such other consumer 12 reporting agency. > 13 3. Page 2, by striking lines 2 through 4 and inserting 14 < facsimile transmissions, the secure internet connection , or 15 other secure electronic media contact method designated by the 16 consumer reporting agency . The consumer reporting agency shall 17 comply with > 18 4. Page 2, by striking lines 8 through 10 and inserting 19 < agency through facsimile, the secure internet , connection or 20 other secure electronic contact method chosen designated by the 21 consumer reporting agency, or the use of > 22 5. Page 4, by striking lines 1 and 2 and inserting: 23 < Sec. ___. Section 715C.1, subsections 1 and 5, Code 2018, 24 are amended to read as follows: 25 1. “Breach of security” means unauthorized acquisition , 26 or reasonable belief of unauthorized acquisition, of personal 27 information maintained in computerized form by a person that 28 compromises the security, confidentiality, or integrity of 29 the personal information. “Breach of security” also means 30 unauthorized acquisition of personal information maintained 31 by a person in any medium, including on paper, that was 32 transferred by the person to that medium from computerized 33 form and that compromises the security, confidentiality, or 34 integrity of the personal information. Good faith acquisition 35 -1- SF2177.4259 (1) 87 md 1/ 3 #1. #2. #3. #4. #5.

of personal information by a person or that person’s employee 1 or agent for a legitimate purpose of that person is not a 2 breach of security, provided that the personal information 3 is not used in violation of applicable law or in a manner 4 that harms or poses an actual threat to the security, 5 confidentiality, or integrity of the personal information. 6 5. “Encryption” means the use of an algorithmic process 7 pursuant to accepted industry standards to transform data into 8 a form in which the data is rendered unreadable or unusable 9 without the use of a confidential process or key. 10 Sec. ___. Section 715C.2, subsections 7 and 8, Code 2018, 11 are amended to read as follows: 12 7. This section does not apply to any of the following: 13 a. A person who complies with notification requirements or 14 breach of security procedures that provide greater protection 15 to personal information and at least as thorough disclosure 16 requirements than that provided by this section pursuant to 17 the rules, regulations, procedures, guidance, or guidelines 18 established by the person’s primary or functional federal 19 regulator. 20 b. A person who complies with a state or federal law 21 that provides greater protection to personal information and 22 at least as thorough disclosure requirements for breach of 23 security or personal information than that provided by this 24 section . 25 c. A person who is subject to and complies with regulations 26 promulgated pursuant to Tit. V of the federal 27 Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 – 6809. 28 d. A person who is subject to and complies with regulations 29 promulgated pursuant to Tit. II, subtit. F of the federal 30 Health Insurance Portability and Accountability Act of 1996, 31 42 U.S.C. §1320d – 1320d-9, and Tit. XIII, subtit. D of the 32 federal Health Information Technology for Economic and Clinical 33 Health Act of 2009, 42 U.S.C. §17921 – 17954. 34 8. Any person who owns or licenses computerized data that 35 -2- SF2177.4259 (1) 87 md 2/ 3

includes a consumer’s personal information that is used in 1 the course of the person’s business, vocation, occupation, 2 or volunteer activities and that was subject to a breach of 3 security requiring notification to more than five hundred 4 residents of this state pursuant to this section shall give 5 written notice of the breach of security following discovery 6 of such breach of security, or receipt of notification under 7 subsection 2 , to the director of the consumer protection 8 division of the office of the attorney general within five 9 business days after giving notice of the breach of security to 10 any consumer pursuant to this section . 11 Sec. ___. EFFECTIVE DATE. The following take effect January 12 1, 2019: 13 1. The section of this Act amending section 714G.2. 14 2. The section of this Act amending section 714G.3, 15 subsection 1. 16 3. The section of this Act amending section 714G.4, 17 unnumbered paragraph 1. > 18 6. Title page, line 2, after < and > by inserting < personal 19 information security breach protection, and > 20 7. By renumbering as necessary. 21 -3- SF2177.4259 (1) 87 md 3/ 3 #6.