Senate File 2308 - Enrolled

SENATE FILE 2308

AN ACT
RELATING TO IDENTITY THEFT BY PROVIDING FOR THE NOTIFICATION OF A BREACH IN THE SECURITY OF PERSONAL INFORMATION, REQUESTING THE ESTABLISHMENT OF AN INTERIM STUDY COMMITTEE RELATING TO DISCLOSURE OF PERSONAL INFORMATION BY PUBLIC OFFICIALS, ENTITIES, AND AFFILIATED ORGANIZATIONS, AND PROVIDING PENALTIES.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

Section 1. NEW SECTION. 715C.1 DEFINITIONS.
As used in this chapter, unless the context otherwise requires:
1. "Breach of security" means unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person's employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.
2. "Consumer" means an individual who is a resident of this state.
3. "Consumer reporting agency" means the same as defined by the federal Fair Credit Reporting Act, 15 U.S.C. § 1681a.
4. "Debt" means the same as provided in section 537.7102.
5. "Encryption" means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.
6. "Extension of credit" means the right to defer payment of debt or to incur debt and defer its payment offered or granted primarily for personal, family, or household purposes.
7. "Financial institution" means the same as defined in section 536C.2, subsection 6.
8. "Identity theft" means the same as provided in section 715A.8.
9. "Payment card" means the same as defined in section 715A.10, subsection 3, paragraph "b".
10. "Person" means an individual; corporation; business trust; estate; trust; partnership; limited liability company; association; joint venture; government; governmental subdivision, agency, or instrumentality; public corporation; or any other legal or commercial entity.
11. "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:
a. Social security number.
b. Driver's license number or other unique identification number created or collected by a government body.
c. Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
d. Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
e. Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
"Personal information" does not include information that is lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the general public.
12. "Redacted" means altered or truncated so that no more than five digits of a social security number or the last four digits of other numbers designated in section 715A.8, subsection 1, paragraph "a", is accessible as part of the data.

Sec. 2. NEW SECTION. 715C.2 SECURITY BREACH - CONSUMER NOTIFICATION - REMEDIES.
1. Any person who owns or licenses computerized data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to any consumer whose personal information was included in the information that was breached. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection 3, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.
2. Any person who maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer's personal information was included in the information that was breached.
3. The consumer notification requirements of this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the agency has made a written request that the notification be delayed. The notification required by this section shall be made after the law enforcement agency determines that the notification will not compromise the investigation and notifies the person required to give notice in writing.
4. For purposes of this section, notification to the consumer may be provided by one of the following methods:
a. Written notice to the last available address the person has in the person's records.
b. Electronic notice if the person's customary method of communication with the consumer is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in chapter 554D and the federal Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001.
c. Substitute notice, if the person demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of consumers to be notified exceeds three hundred fifty thousand persons, or if the person does not have sufficient contact information to provide notice. Substitute notice shall consist of the following:
(1) Electronic mail notice when the person has an electronic mail address for the affected consumers.
(2) Conspicuous posting of the notice or a link to the notice on the internet web site of the person if the person maintains an internet web site.
(3) Notification to major statewide media.
5. Notice pursuant to this section shall include, at a minimum, all of the following:
a. A description of the breach of security.
b. The approximate date of the breach of security.
c. The type of personal information obtained as a result of the breach of security.
d. Contact information for consumer reporting agencies.
e. Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general.
6. Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.
7. This section does not apply to any of the following:
a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person's primary or functional federal regulator.
b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.
c. A person who is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801-6809.
8. a. A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by the violation.
b. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under the law.
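The definitions in section 715C.1 (subsections 2, 5, 11 and 12) and the notice trigger in section 715C.2, subsection 1, reduce to a scoping test that an incident responder can run over the records found in a compromised data set: a record requires consumer notice only if it pairs a readable name with at least one data element that is neither encrypted nor redacted, and only for an Iowa resident. The Python below is an added worked example and is not part of the enrolled bill. The record layout, the field names (first, last, ssn, gov_id, account, routing, access_code, biometric, state, public_source), the Exposed.encrypted flag, the use of a "state" field to stand in for residency, and the rule that a non-SSN number counts as redacted only when its surviving digits are the trailing ones are all assumptions made for the illustration.

```python
"""Breach-scoping check built from the definitions in Iowa Code 715C.1.

Added example, not part of the enrolled bill. The record layout, the
field names, and the Exposed.encrypted flag are assumptions made for the
illustration; the statute defines the terms, not a data format.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Exposed:
    """One field as it sat in the compromised data set."""
    value: str
    encrypted: bool = False  # ciphertext exposed without its key stays unreadable (715C.1(5))


def redacted(value: str, kind: str = "other") -> bool:
    """715C.1(12): an SSN is redacted when no more than five of its digits are
    accessible; another designated number when only its last four digits are.
    For non-SSN numbers the surviving digits must sit at the end of the value
    (an assumption about how "last four digits" is checked)."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if kind == "ssn":
        return len(digits) <= 5
    return len(digits) <= 4 and value.endswith(digits)


def plain(f: Optional[Exposed]) -> bool:
    """Field present in the exposed data and not encrypted."""
    return f is not None and not f.encrypted


def readable(f: Optional[Exposed], kind: str = "other") -> bool:
    """A data element counts only if it is neither encrypted nor redacted."""
    return plain(f) and not redacted(f.value, kind)


def is_personal_information(rec: dict) -> bool:
    """715C.1(11): name plus at least one readable data element (a)-(e)."""
    if rec.get("public_source"):
        return False  # lawfully public information is carved out of the definition
    if not (plain(rec.get("first")) and plain(rec.get("last"))):
        return False  # first name (or initial) AND last name must both be readable
    has_code = plain(rec.get("access_code"))  # code/password that permits account access
    return any((
        readable(rec.get("ssn"), "ssn"),            # (a) social security number
        readable(rec.get("gov_id")),                # (b) driver's license / government ID number
        readable(rec.get("account")) and has_code,  # (c) account or card number + required code
        readable(rec.get("routing")) and has_code,  # (d) electronic identifier / routing code + code
        plain(rec.get("biometric")),                # (e) unique biometric data
    ))


def consumers_to_notify(records) -> list:
    """715C.2(1): notice goes to each consumer, i.e. Iowa resident (715C.1(2)),
    whose personal information was in the breached data. Using a 'state'
    field as the residency test is an assumption of this example."""
    return [r["id"] for r in records
            if r.get("state") == "IA" and is_personal_information(r)]


# Constructed sample of exposed records (not real data).
SAMPLE = [
    {"id": "r1", "state": "IA", "first": Exposed("Ann"), "last": Exposed("Lee"),
     "ssn": Exposed("123-45-6789")},                                           # full SSN
    {"id": "r2", "state": "IA", "first": Exposed("Bo"), "last": Exposed("Kim"),
     "ssn": Exposed("XXX-XX-6789")},                                           # redacted SSN
    {"id": "r3", "state": "IA", "first": Exposed("C"), "last": Exposed("Diaz"),
     "account": Exposed("4111111111111111"), "access_code": Exposed("7342")},  # card + code
    {"id": "r4", "state": "IA", "first": Exposed("Di"), "last": Exposed("Ng"),
     "account": Exposed("4111111111111111")},                                  # card, no code
    {"id": "r5", "state": "MN", "first": Exposed("Ed"), "last": Exposed("Ott"),
     "ssn": Exposed("987-65-4321")},                                           # not an Iowa resident
    {"id": "r6", "state": "IA", "first": Exposed("Fay"), "last": Exposed("Pham"),
     "gov_id": Exposed("D1234567", encrypted=True)},                           # encrypted element
    {"id": "r7", "state": "IA", "first": Exposed("Gus"), "last": Exposed("Roy"),
     "biometric": Exposed("fingerprint-template")},                            # biometric
]

if __name__ == "__main__":
    print(consumers_to_notify(SAMPLE))  # ['r1', 'r3', 'r7']
```

Record r5 meets the "personal information" definition but is outside this chapter's notice duty because the individual is not a resident; r2, r4 and r6 show the three ways a record drops out (redaction, a card number without its required code, and encryption). The harm determination in subsection 6 and the exemptions in subsection 7 are judgment calls the bill leaves to the person and are deliberately not encoded here.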
Sec. 3. DISCLOSURE OF PERSONAL INFORMATION BY PUBLIC OFFICIALS, ENTITIES, OR AFFILIATED ORGANIZATIONS - INTERIM STUDY COMMITTEE REQUESTED. The legislative council is requested to establish an interim study committee to assess and review the extent to which public officials, entities, and affiliated organizations in possession of or with access to personal identifying information of a resident of this state which could, if disclosed, render the resident vulnerable to identity theft, are disclosing or selling such information for compensation. Based upon this assessment and review, the committee shall develop recommendations relating to these practices. The committee shall be composed of ten members representing both political parties and both houses of the general assembly. Five members shall be members of the senate, three of whom shall be appointed by the majority leader of the senate and two of whom shall be appointed by the minority leader of the senate. The other five members shall be members of the house of representatives, three of whom shall be appointed by the speaker of the house of representatives and two of whom shall be appointed by the minority leader of the house of representatives. The committee shall issue a report of its recommendations to the general assembly by January 15, 2009.

JOHN P. KIBBIE
President of the Senate

PATRICK J. MURPHY
Speaker of the House

I hereby certify that this bill originated in the Senate and is known as Senate File 2308, Eighty-second General Assembly.

MICHAEL E. MARSHALL
Secretary of the Senate

Approved , 2008

CHESTER J. CULVER
Governor