<?xml version="1.0" encoding="UTF-8"?><slim:Document xmlns:slim="urn:legix:slim" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:atipl="http://www.arbortext.com/namespace/PageLayout" class="codeChapter" id="chp554G" name="554G"><slim:About class="header"><slim:Property type="string" name="taskInfo">1035:D4E7333F-AA61-4443-ADFC-BC72FD4C4B5B</slim:Property><slim:Property type="string" name="checkinTime">07/19/2023 08:29</slim:Property><slim:Property type="string" name="version">2</slim:Property></slim:About><slim:TOC><slim:Item idref="sec554G.1" title="554G.1   Definitions."/><slim:Item idref="sec554G.2" title="554G.2   Affirmative defenses."/><slim:Item idref="sec554G.3" title="554G.3   Cybersecurity program framework."/><slim:Item idref="sec554G.4" title="554G.4   Causes of action."/></slim:TOC><slim:Body><slim:Level class="codeChapter" id="chp554G"><slim:Heading class="heading"><xhtml:span class="identifier">554G</xhtml:span><xhtml:span class="headnote">TORT LIABILITY — CYBERSECURITY PROGRAMS</xhtml:span></slim:Heading><slim:Section class="codeSection" id="sec554G.1"><xhtml:div class="heading"><xhtml:span class="identifier">554G.1</xhtml:span><xhtml:span class="headnote">Definitions.</xhtml:span></xhtml:div><xhtml:p class="para">As used in <xhtml:span class="iowaCodeRef">this chapter</xhtml:span>:</xhtml:p><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Business”</xhtml:span> means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of any of the foregoing, including an entity organized under <xhtml:span class="iowaCodeRef">chapter 28E</xhtml:span>. <xhtml:span class="term">“Business”</xhtml:span> does not include a municipality as defined in <xhtml:span class="iowaCodeRef">section 670.1</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Contract”</xhtml:span> means the same as defined in <xhtml:span class="iowaCodeRef">section 554D.103</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">3</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Covered entity”</xhtml:span> means a business that accesses, receives, stores, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">4</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Data breach”</xhtml:span> means an intentional or unintentional action that could result in electronic records owned, licensed to, or otherwise protected by a covered entity being viewed, copied, modified, transmitted, or destroyed in a manner that is reasonably believed to have or may cause material risk of identity theft, fraud, or other injury or damage to person or property. <xhtml:span class="term">“Data breach”</xhtml:span> does not include any of the following:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">Good-faith acquisition of personal information or restricted information by the covered entity’s employee or agent for the purposes of the covered entity, provided that the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">Acquisition or disclosure of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">5</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Distributed ledger technology”</xhtml:span> means the same as defined in <xhtml:span class="iowaCodeRef">section 554E.1</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">6</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Electronic record”</xhtml:span> means the same as defined in <xhtml:span class="iowaCodeRef">section 554D.103</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">7</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Encrypted”</xhtml:span> means the use of an algorithmic process to transform data into a form for which there is a low probability of assigning meaning without use of a confidential process or key.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">8</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Individual”</xhtml:span> means a natural person.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">9</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Maximum probable loss”</xhtml:span> means the greatest damage expectation that could reasonably occur from a data breach. For purposes of <xhtml:span class="iowaCodeRef">this subsection</xhtml:span>, <xhtml:span class="term">“damage expectation”</xhtml:span> means the total value of possible damage multiplied by the probability that damage would occur.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">10</xhtml:span></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Personal information”</xhtml:span> means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, social security number, driver’s license number or state identification card number, passport number, account number or credit or debit card number, location data, biometric data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Personal information”</xhtml:span> does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or any of the following media that are widely distributed:</xhtml:p><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio, television, or the internet.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media identified in this paragraph.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">3</xhtml:span></xhtml:div><xhtml:p class="para">Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit business.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">4</xhtml:span></xhtml:div><xhtml:p class="para">Any type of media similar in nature to any item, entity, or activity identified in this paragraph.</xhtml:p></xhtml:div></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">11</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Record”</xhtml:span> means the same as defined in <xhtml:span class="iowaCodeRef">section 554D.103</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">12</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Redacted”</xhtml:span> means altered, truncated, or anonymized so that, when applied to personal information, the data can no longer be attributed to a specific individual without the use of additional information.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">13</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Restricted information”</xhtml:span> means any information about an individual, other than personal information, or business that, alone or in combination with other information, including personal information, can be used to distinguish or trace the identity of the individual or business, or that is linked or linkable to an individual or business, if the information is not encrypted, redacted, tokenized, or altered by any method or technology in such a manner that the information is anonymized, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">14</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Smart contract”</xhtml:span> means the same as defined in <xhtml:span class="iowaCodeRef">section 554E.1</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">15</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="term">“Transaction”</xhtml:span> means a sale, trade, exchange, transfer, payment, or conversion of virtual currency or other digital asset or any other property or any other action or set of actions occurring between two or more persons relating to the conduct of business, commercial, or governmental affairs.</xhtml:p></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2023 Acts, ch 63, §1</xhtml:span></xhtml:div></xhtml:div><xhtml:div class="footnotes"/></slim:Section><slim:Section class="codeSection" id="sec554G.2"><xhtml:div class="heading"><xhtml:span class="identifier">554G.2</xhtml:span><xhtml:span class="headnote">Affirmative defenses.</xhtml:span></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">A covered entity seeking an affirmative defense under <xhtml:span class="iowaCodeRef">this chapter</xhtml:span> shall create, maintain, and comply with a written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information and restricted information.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">A covered entity’s cybersecurity program shall be designed to do all of the following:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">Periodically evaluate no less than annually the maximum probable loss attainable from a data breach.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:p class="para">Communicate to any affected parties the extent of any risk posed and any actions the affected parties could take to reduce any damages if a data breach is known to have occurred.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">3</xhtml:span></xhtml:div><xhtml:p class="para">The scale and scope of a covered entity’s cybersecurity program is appropriate if the cost to operate the cybersecurity program is no less than the covered entity’s most recently calculated maximum probable loss value.</xhtml:p></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">4</xhtml:span></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">A covered entity that satisfies all requirements of <xhtml:span class="iowaCodeRef">this section</xhtml:span> is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.</xhtml:p></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">A covered entity satisfies all requirements of <xhtml:span class="iowaCodeRef">this section</xhtml:span> if its cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework, as described in <xhtml:span class="iowaCodeRef">section 554G.3</xhtml:span>.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2023 Acts, ch 63, §2</xhtml:span></xhtml:div></xhtml:div><xhtml:div class="footnotes"/></slim:Section><slim:Section class="codeSection" id="sec554G.3"><xhtml:div class="heading"><xhtml:span class="identifier">554G.3</xhtml:span><xhtml:span class="headnote">Cybersecurity program framework.</xhtml:span></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">A covered entity’s cybersecurity program, as described in <xhtml:span class="iowaCodeRef">section 554G.2</xhtml:span>, reasonably conforms to an industry-recognized cybersecurity framework for purposes of <xhtml:span class="iowaCodeRef">section 554G.2</xhtml:span> if any of the following are true:</xhtml:p><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to subparagraph (2) and <xhtml:span class="iowaCodeRef">subsection 2</xhtml:span>:</xhtml:p><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology.</xhtml:p></xhtml:div><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para">National institute of standards and technology special publication 800-171.</xhtml:p></xhtml:div><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:p class="para">National institute of standards and technology special publications 800-53 and 800-53a.</xhtml:p></xhtml:div><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">d</xhtml:span></xhtml:div><xhtml:p class="para">The federal risk and authorization management program security assessment framework.</xhtml:p></xhtml:div><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">e</xhtml:span></xhtml:div><xhtml:p class="para">The center for internet security critical security controls for effective cyber defense.</xhtml:p></xhtml:div><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">f</xhtml:span></xhtml:div><xhtml:p class="para">The international organization for standardization/international electrotechnical commission 27000 family <xhtml:span class="em-dash"/> information security management systems.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">When a final revision to a framework listed in subparagraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the revised framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to subparagraph (2):</xhtml:p><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">a</xhtml:span></xhtml:div><xhtml:p class="para">The security requirements of the federal <xhtml:span class="USActsRef">Health Insurance Portability and Accountability Act of 1996</xhtml:span>, as set forth in <xhtml:span class="CFRRef">45 C.F.R. pt. 164, subpt. C</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">b</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="USActsRef">Title V of the federal Gramm-Leach-Bliley Act of 1999</xhtml:span>, <xhtml:span class="USCRef">Pub. L. No. 106-102, as amended</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:p class="para">The federal <xhtml:span class="USActsRef">Information Security Modernization Act of 2014</xhtml:span>, <xhtml:span class="USCRef">Pub. L. No. 113-283</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">d</xhtml:span></xhtml:div><xhtml:p class="para">The federal <xhtml:span class="USActsRef">Health Information Technology for Economic and Clinical Health Act</xhtml:span> as set forth in <xhtml:span class="CFRRef">45 C.F.R. pt. 162</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">e</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="iowaCodeRef">Chapter 507F</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subparaDiv"><xhtml:div class="heading"><xhtml:span class="identifier">f</xhtml:span></xhtml:div><xhtml:p class="para">Any applicable rules, regulations, or guidelines for critical infrastructure protection adopted by the federal environmental protection agency, the federal cybersecurity and infrastructure security agency, or the north American reliability corporation.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">When a framework listed in subparagraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the amended framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the effective date of the amended framework.</xhtml:p></xhtml:div></xhtml:div><xhtml:div class="letteredPara"><xhtml:div class="heading"><xhtml:span class="identifier">c</xhtml:span></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">1</xhtml:span></xhtml:div><xhtml:p class="para">The cybersecurity program reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in paragraph <xhtml:span class="i">“a”</xhtml:span>, subject to subparagraph (2) and <xhtml:span class="iowaCodeRef">subsection 2</xhtml:span>.</xhtml:p></xhtml:div><xhtml:div class="subpara"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">When a final revision to the payment card industry data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply the elements of its cybersecurity program with the revised standard within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but not later than the effective date for compliance.</xhtml:p></xhtml:div></xhtml:div></xhtml:div><xhtml:div class="subsection"><xhtml:div class="heading"><xhtml:span class="identifier">2</xhtml:span></xhtml:div><xhtml:p class="para">If a covered entity’s cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry data security standard, as described in <xhtml:span class="iowaCodeRef">subsection 1</xhtml:span>, paragraph <xhtml:span class="i">“a”</xhtml:span> or <xhtml:span class="i">“c”</xhtml:span>, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform the elements of its cybersecurity program to or comply with, as applicable, all of the revised frameworks within the time frames provided in the relevant frameworks but in no event later than one year after the latest publication date stated in the revisions.</xhtml:p></xhtml:div><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2023 Acts, ch 63, §3</xhtml:span></xhtml:div></xhtml:div><xhtml:div class="footnotes"/></slim:Section><slim:Section class="codeSection" id="sec554G.4"><xhtml:div class="heading"><xhtml:span class="identifier">554G.4</xhtml:span><xhtml:span class="headnote">Causes of action.</xhtml:span></xhtml:div><xhtml:p class="para"><xhtml:span class="iowaCodeRef">This chapter</xhtml:span> shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under <xhtml:span class="iowaCodeRef">this chapter</xhtml:span>.</xhtml:p><xhtml:div class="history"><xhtml:div class="historyItem"><xhtml:span class="iowaActsRef">2023 Acts, ch 63, §4</xhtml:span></xhtml:div></xhtml:div><xhtml:div class="footnotes"/></slim:Section></slim:Level></slim:Body></slim:Document>