Senate File 2177 - Enrolled Senate File 2177 AN ACT RELATING TO CONSUMER PROTECTION MODIFYING PROVISIONS APPLICABLE TO CONSUMER SECURITY FREEZES AND PERSONAL INFORMATION SECURITY BREACH PROTECTION, AND INCLUDING EFFECTIVE DATE PROVISIONS. BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA: Section 1. Section 714G.2, Code 2018, is amended to read as follows: 714G.2 Security freeze. 1. A consumer may submit by certified mail to a consumer reporting agency a written request for a security freeze to a consumer reporting agency by first-class mail, telephone, secure internet connection, or other secure electronic contact method designated by the consumer reporting agency . The consumer must submit proper identification and the applicable fee with the request. Within five three business days after receiving the request, the consumer reporting agency shall commence the security freeze. Within ten three business days after commencing the security freeze, the consumer reporting agency shall send a written confirmation to the consumer of the security freeze, a personal identification number or password, other than the consumer’s social security number, for the consumer to use in authorizing the suspension or removal of the security freeze, including information on how the security freeze may be temporarily suspended. 2. a. If a consumer requests a security freeze from a

Senate File 2177, p. 2 consumer reporting agency that compiles and maintains files on a nationwide basis, the consumer reporting agency shall identify, to the best of its knowledge, any other consumer reporting agency that compiles and maintains files on consumers on a nationwide basis and inform consumers of appropriate contact information that would permit the consumer to place, lift, or remove a security freeze from such other consumer reporting agency. b. For purposes of this subsection, “consumer reporting agency that compiles and maintains files on a nationwide basis” means the same as defined in 15 U.S.C. §1681a(p). Sec. 2. Section 714G.3, subsection 1, Code 2018, is amended to read as follows: 1. A consumer may request that a security freeze be temporarily suspended to allow the consumer reporting agency to release the consumer credit report for a specific time period. The consumer reporting agency may shall develop procedures to expedite the receipt and processing of requests which may involve the use of telephones by first-class mail, telephone , facsimile transmissions, the secure internet connection , or other secure electronic media contact method designated by the consumer reporting agency . The consumer reporting agency shall comply with the request within three business days after receiving the consumer’s written request, or within fifteen minutes after the consumer’s request is received by the consumer reporting agency through facsimile, the secure internet , connection or other secure electronic contact method chosen designated by the consumer reporting agency, or the use of a telephone, during normal business hours. The consumer’s request shall include all of the following: a. Proper identification. b. The personal identification number or password provided by the consumer reporting agency. c. Explicit instructions of the specific time period designated for suspension of the security freeze. d. Payment of the applicable fee. Sec. 3. Section 714G.4, unnumbered paragraph 1, Code 2018, is amended to read as follows: A security freeze remains in effect until the consumer

Senate File 2177, p. 3 requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days after receiving a request for removal that includes proper identification of the consumer, and the personal identification number or password provided by the consumer reporting agency , and payment of the applicable fee . Sec. 4. Section 714G.5, Code 2018, is amended to read as follows: 714G.5 Fees prohibited . 1. A consumer reporting agency shall not charge any fee to a consumer who is the victim of identity theft for commencing a security freeze, temporary suspension, or removal if with the initial security freeze request, the consumer submits a valid copy of the police report concerning the unlawful use of identification information by another person. 2. A consumer reporting agency may charge a fee not to exceed ten dollars to a consumer who is not the victim of identity theft for each security freeze, removal, or for reissuing a personal identification number or password if the consumer fails to retain the original number. The consumer reporting agency may charge a fee not to exceed twelve dollars for each temporary suspension of a security freeze. A consumer reporting agency shall not charge a fee to a consumer for providing any service pursuant to this chapter, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze. Sec. 5. Section 714G.8A, subsection 1, paragraph d, Code 2018, is amended by striking the paragraph. Sec. 6. Section 714G.8A, subsection 3, paragraph d, Code 2018, is amended by striking the paragraph. Sec. 7. Section 714G.8A, subsection 5, Code 2018, is amended to read as follows: 5. a. A consumer reporting agency may shall not charge a reasonable fee , not to exceed five dollars, for each the placement , or removal , or reinstatement of a protected consumer security freeze. A consumer reporting agency may not charge any other fee for a service performed pursuant to this section . b. Notwithstanding paragraph “a” , a fee may not be charged by a consumer reporting agency pursuant to either of the

Senate File 2177, p. 4 following: (1) If the protected consumer’s representative has obtained a police report or affidavit of alleged identity theft under section 715A.8 and submits a copy of the report or affidavit to the consumer reporting agency. (2) A request for the commencement or removal of a protected consumer security freeze is for a protected consumer who is under the age of sixteen years at the time of the request and the consumer reporting agency has a consumer credit report pertaining to the protected consumer. Sec. 8. Section 715C.1, subsection 5, Code 2018, is amended to read as follows: 5. “Encryption” means the use of an algorithmic process pursuant to accepted industry standards to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key. Sec. 9. Section 715C.2, subsections 7 and 8, Code 2018, are amended to read as follows: 7. This section does not apply to any of the following: a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator. b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section . c. A person who is subject to and complies with regulations promulgated pursuant to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 – 6809. d. A person who is subject to and complies with regulations promulgated pursuant to Tit. II, subtit. F of the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §1320d – 1320d-9, and Tit. XIII, subtit. D of the federal Health Information Technology for Economic and Clinical

Senate File 2177, p. 5 Health Act of 2009, 42 U.S.C. §17921 – 17954. 8. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred residents of this state pursuant to this section shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2 , to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer pursuant to this section . Sec. 10. EFFECTIVE DATE. The following take effect January 1, 2019: 1. The section of this Act amending section 714G.2. 2. The section of this Act amending section 714G.3, subsection 1. 3. The section of this Act amending section 714G.4, unnumbered paragraph 1. ______________________________ CHARLES SCHNEIDER President of the Senate ______________________________ LINDA UPMEYER Speaker of the House I hereby certify that this bill originated in the Senate and is known as Senate File 2177, Eighty-seventh General Assembly. ______________________________ W. CHARLES SMITHSON Secretary of the Senate Approved _______________, 2018 ______________________________ KIM REYNOLDS Governor