Senate File 2391

S-5086

Amend Senate File 2391 as follows:

1. By striking everything after the enacting clause and inserting:

< Section 1. NEW SECTION. 8H.1 Requirement to report a ransomware attack.

If the state or a political subdivision of the state is subject to a ransomware attack, the state or the political subdivision shall provide notice of the ransomware attack to the office of the chief information officer following discovery of the ransomware attack. The notice shall be provided in the most expeditious manner possible and without unreasonable delay. The office of the chief information officer shall adopt rules establishing notification procedures pursuant to this section. For purposes of this chapter, “ransomware attack” means carrying out until payment is made, or threatening to carry out until payment is made, any of the following actions: an act declared unlawful pursuant to section 715.4; a “breach of security” as defined in section 715C.1; or the use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.

Sec. 2. RANSOMWARE TASK FORCE.

1. The office of the chief information officer and the department of homeland security and emergency management shall convene a task force to meet during the 2020 legislative interim to study the threat of ransomware.

2. The voting members of the task force shall consist of representatives of the office of the chief information officer, the department of homeland security and emergency management, the department of administrative services, political subdivisions, school boards, municipal utilities, county associations, city associations, the Iowa association of school boards, the university of Iowa hospitals and clinics, and Broadlawns medical center.

3. Four legislative members shall be appointed as ex officio, nonvoting members with one member to be appointed by each of the following: the majority leader of the senate, the minority leader of the senate, the speaker of the house of representatives, and the minority leader of the house of representatives. A representative from the office of the governor shall serve as a fifth ex officio, nonvoting member.

4. The task force shall study issues related to ransomware and how to best mitigate the risks associated with ransomware. The task force shall submit a report, including findings and recommendations for policy changes, to the general assembly by December 31, 2020. >

2. Title page, by striking lines 1 through 3 and inserting < An Act relating to ransomware attacks in connection with the state and political subdivisions of the state. >

3. By renumbering as necessary.

______________________________
ERIC GIDDENS

SF2391.3750 (5) 88 ja/rn