Senate File 495
S-3155

-1- SF 495.1861 (1) 90 (amending this SF 495 to CONFORM to HF 553) cm/ns 1/ 7 #1.

Amend Senate File 495 as follows:

1. By striking everything after the enacting clause and inserting:

< Section 1. NEW SECTION. 554G.1 Definitions.

As used in this chapter:

1. “Business” means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of any of the foregoing, including an entity organized under chapter 28E. “Business” does not include a municipality as defined in section 670.1.

2. “Contract” means the same as defined in section 554D.103.

3. “Covered entity” means a business that accesses, receives, stores, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.

4. “Data breach” means an intentional or unintentional action that could result in electronic records owned, licensed to, or otherwise protected by a covered entity being viewed, copied, modified, transmitted, or destroyed in a manner that is reasonably believed to have or may cause material risk of identity theft, fraud, or other injury or damage to person or property. “Data breach” does not include any of the following:

a. Good-faith acquisition of personal information or restricted information by the covered entity’s employee or agent for the purposes of the covered entity, provided that the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure.

b. Acquisition or disclosure of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.

5. “Distributed ledger technology” means the same as defined in section 554E.1.

6. “Electronic record” means the same as defined in section 554D.103.

7. “Encrypted” means the use of an algorithmic process to transform data into a form for which there is a low probability of assigning meaning without use of a confidential process or key.

8. “Individual” means a natural person.

9. “Maximum probable loss” means the greatest damage expectation that could reasonably occur from a data breach. For purposes of this subsection, “damage expectation” means the total value of possible damage multiplied by the probability that damage would occur.

10. a. “Personal information” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, social security number, driver’s license number or state identification card number, passport number, account number or credit or debit card number, location data, biometric data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

b. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or any of the following media that are widely distributed:

(1) Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio, television, or the internet.

(2) Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media identified in this paragraph.

(3) Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit business.

(4) Any type of media similar in nature to any item, entity, or activity identified in this paragraph.

11. “Record” means the same as defined in section 554D.103.

12. “Redacted” means altered, truncated, or anonymized so that, when applied to personal information, the data can no longer be attributed to a specific individual without the use of additional information.

13. “Restricted information” means any information about an individual, other than personal information, or business that, alone or in combination with other information, including personal information, can be used to distinguish or trace the identity of the individual or business, or that is linked or linkable to an individual or business, if the information is not encrypted, redacted, tokenized, or altered by any method or technology in such a manner that the information is anonymized, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.

14. “Smart contract” means the same as defined in section 554E.1.

15. “Transaction” means a sale, trade, exchange, transfer, payment, or conversion of virtual currency or other digital asset or any other property or any other action or set of actions occurring between two or more persons relating to the conduct of business, commercial, or governmental affairs.

Sec. 2. NEW SECTION. 554G.2 Affirmative defenses.

1. A covered entity seeking an affirmative defense under this chapter shall create, maintain, and comply with a written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information and restricted information.

2. A covered entity’s cybersecurity program shall be designed to do all of the following:

a. Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach.

b. Periodically evaluate no less than annually the maximum probable loss attainable from a data breach.

c. Communicate to any affected parties the extent of any risk posed and any actions the affected parties could take to reduce any damages if a data breach is known to have occurred.

3. The scale and scope of a covered entity’s cybersecurity program is appropriate if the cost to operate the cybersecurity program is no less than the covered entity’s most recently calculated maximum probable loss value.

4. a. A covered entity that satisfies all requirements of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.

b. A covered entity satisfies all requirements of this section if its cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework, as described in section 554G.3.

Sec. 3. NEW SECTION. 554G.3 Cybersecurity program framework.

1. A covered entity’s cybersecurity program, as described in section 554G.2, reasonably conforms to an industry-recognized cybersecurity framework for purposes of section 554G.2 if any of the following are true:

a. (1) The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to subparagraph (2) and subsection 2:

(a) The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology.

(b) National institute of standards and technology special publication 800-171.

(c) National institute of standards and technology special publications 800-53 and 800-53a.

(d) The federal risk and authorization management program security assessment framework.

(e) The center for internet security critical security controls for effective cyber defense.

(f) The international organization for standardization/international electrotechnical commission 27000 family —— information security management systems.

(2) When a final revision to a framework listed in subparagraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the revised framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.

b. (1) The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to subparagraph (2):

(a) The security requirements of the federal Health Insurance Portability and Accountability Act of 1996, as set forth in 45 C.F.R. pt. 164, subpt. C.

(b) Title V of the federal Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.

(c) The federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.

(d) The federal Health Information Technology for Economic and Clinical Health Act as set forth in 45 C.F.R. pt. 162.

(e) Chapter 507F.

(f) Any applicable rules, regulations, or guidelines for critical infrastructure protection adopted by the federal environmental protection agency, the federal cybersecurity and infrastructure security agency, or the north American reliability corporation.

(2) When a framework listed in subparagraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the amended framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the effective date of the amended framework.

c. (1) The cybersecurity program reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in paragraph “a”, subject to subparagraph (2) and subsection 2.

(2) When a final revision to the payment card industry data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply the elements of its cybersecurity program with the revised standard within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but not later than the effective date for compliance.

2. If a covered entity’s cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry data security standard, as described in subsection 1, paragraph “a” or “c”, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform the elements of its cybersecurity program to or comply with, as applicable, all of the revised frameworks within the time frames provided in the relevant frameworks but in no event later than one year after the latest publication date stated in the revisions.

Sec. 4. NEW SECTION. 554G.4 Causes of action.

This chapter shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under this chapter. >

______________________________
MIKE BOUSSELOT