Senate File 2391

S-5079

Amend Senate File 2391 as follows:

1. Page 1, by striking lines 4 through 6 and inserting

< subdivision of the state, in consultation with the department of public safety and the department of homeland security and emergency management, to expend revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack pursuant to section 8H.3. >

2. Page 1, after line 9 by inserting:

< ___. “Critical infrastructure” means the same as defined in section 29C.24. >

3. By striking page 1, line 25, through page 2, line 6, and inserting:

< Sec. ___. NEW SECTION. 8H.2 Requirement to report a ransomware attack.

If the state or a political subdivision of the state is subject to a ransomware attack, the state or the political subdivision shall provide notice of the ransomware attack to the office of the chief information officer following discovery of the ransomware attack. The notice shall be provided in the most expeditious manner possible and without unreasonable delay. The office of the chief information officer shall adopt rules establishing notification procedures pursuant to this section.

Sec. ___. NEW SECTION. 8H.3 Revenue received from taxpayers —— prohibition —— ransomware.

1. Except as provided in subsection 2 or 3, the state or a political subdivision of the state shall not expend revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

2. The office of the chief information officer, in consultation with the department of public safety and the department of homeland security and emergency management, may authorize the state or a political subdivision of the state to expend revenue otherwise prohibited pursuant to subsection 1 in the event of any of the following:

a. A critical or emergency situation as defined by the department of homeland security and emergency management.

b. A ransomware attack affecting critical infrastructure within the state or a political subdivision of the state.

3. The state or a political subdivision of the state may expend revenue otherwise prohibited pursuant to subsection 1 in the event of a ransomware attack affecting an officer or employee of the judicial branch.

Sec. ___. NEW SECTION. 8H.4 Payments for insurance.

The state or a political subdivision of the state may use revenue received from taxpayers to pay premiums, deductibles, and other costs associated with an insurance policy related to cybersecurity or ransomware attacks only if the state or the political subdivision first exhausts all other reasonable means of mitigating a potential ransomware attack. Subject to section 8H.3, subsections 2 and 3, nothing in this section shall be construed to authorize the state or a political subdivision of the state to make a direct payment using revenue received from taxpayers to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

Sec. ___. NEW SECTION. 8H.5 Confidential records.

Information related to all of the following shall be considered a confidential record under section 22.7:

1. Insurance coverage maintained by the state or a political subdivision of the state related to cybersecurity or a ransomware attack.

2. Payment by the state or a political subdivision of the state to a person responsible for, or believed to be responsible for, a ransomware attack pursuant to section 8H.3. >

4. Page 2, after line 9 by inserting:

< Sec. ___. RULEMAKING. The office of the chief information officer shall prepare a notice of intended action for the adoption of rules to administer this Act. The notice of intended action shall be submitted to the administrative rules coordinator and the administrative code editor as soon as practicable, but no later than October 1, 2020. However, nothing in this section authorizes the office of the chief information officer to adopt rules under section 17A.4, subsection 3, or section 17A.5, subsection 2, paragraph “b”.

Sec. ___. EFFECTIVE DATE.

1. Except as provided in subsection 2, this Act takes effect July 1, 2021.

2. The section of this Act requiring the office of the chief information officer to prepare a notice of intended action for the adoption of rules to administer this Act takes effect upon enactment. >

5. Title page, by striking lines 1 through 3 and inserting

< An Act prohibiting the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks, and including effective date provisions. >

6. By renumbering, redesignating, and correcting internal references as necessary.

______________________________
ZACH NUNN

SF2391.3708 (2) 88 ja/rn