Senate File 2391
S-5079
Amend Senate File 2391 as follows:
1. Page 1, by striking lines 4 through 6 and inserting <subdivision of the state, in consultation with the department of public safety and the department of homeland security and emergency management, to expend revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack pursuant to section 8H.3.>
2. Page 1, after line 9 by inserting:
<___. “Critical infrastructure” means the same as defined in section 29C.24.>
3. By striking page 1, line 25, through page 2, line 6, and inserting:
<Sec. ___. NEW SECTION. 8H.2 Requirement to report a ransomware attack.
If the state or a political subdivision of the state is subject to a ransomware attack, the state or the political subdivision shall provide notice of the ransomware attack to the office of the chief information officer following discovery of the ransomware attack. The notice shall be provided in the most expeditious manner possible and without unreasonable delay. The office of the chief information officer shall adopt rules establishing notification procedures pursuant to this section.
Sec. ___. NEW SECTION. 8H.3 Revenue received from taxpayers —— prohibition —— ransomware.
1. Except as provided in subsection 2 or 3, the state or a political subdivision of the state shall not expend revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.
2. The office of the chief information officer, in consultation with the department of public safety and the department of homeland security and emergency management, may authorize the state or a political subdivision of the state to expend revenue otherwise prohibited pursuant to subsection 1 in the event of any of the following:
a. A critical or emergency situation as defined by the department of homeland security and emergency management.
b. A ransomware attack affecting critical infrastructure within the state or a political subdivision of the state.
3. The state or a political subdivision of the state may expend revenue otherwise prohibited pursuant to subsection 1 in the event of a ransomware attack affecting an officer or employee of the judicial branch.
Sec. ___. NEW SECTION. 8H.4 Payments for insurance.
The state or a political subdivision of the state may use revenue received from taxpayers to pay premiums, deductibles, and other costs associated with an insurance policy related to cybersecurity or ransomware attacks only if the state or the political subdivision first exhausts all other reasonable means of mitigating a potential ransomware attack. Subject to section 8H.3, subsections 2 and 3, nothing in this section shall be construed to authorize the state or a political subdivision of the state to make a direct payment using revenue received from taxpayers to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.
Sec. ___. NEW SECTION. 8H.5 Confidential records.
Information related to all of the following shall be considered a confidential record under section 22.7:
1. Insurance coverage maintained by the state or a political subdivision of the state related to cybersecurity or a ransomware attack.
2. Payment by the state or a political subdivision of the state to a person responsible for, or believed to be responsible for, a ransomware attack pursuant to section 8H.3.>
4. Page 2, after line 9 by inserting:
<Sec. ___. RULEMAKING. The office of the chief information officer shall prepare a notice of intended action for the adoption of rules to administer this Act. The notice of intended action shall be submitted to the administrative rules coordinator and the administrative code editor as soon as practicable, but no later than October 1, 2020. However, nothing in this section authorizes the office of the chief information officer to adopt rules under section 17A.4, subsection 3, or section 17A.5, subsection 2, paragraph “b”.
Sec. ___. EFFECTIVE DATE.
1. Except as provided in subsection 2, this Act takes effect July 1, 2021.
2. The section of this Act requiring the office of the chief information officer to prepare a notice of intended action for the adoption of rules to administer this Act takes effect upon enactment.>
5. Title page, by striking lines 1 through 3 and inserting <An Act prohibiting the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks, and including effective date provisions.>
6. By renumbering, redesignating, and correcting internal references as necessary.
______________________________
ZACH NUNN

SF2391.3708 (2) 88 ja/rn