House File 719 - Enrolled House File 719 AN ACT RELATING TO STANDARDS FOR DATA SECURITY, AND INVESTIGATIONS AND NOTIFICATIONS OF CYBERSECURITY EVENTS, FOR CERTAIN LICENSEES UNDER THE JURISDICTION OF THE COMMISSIONER OF INSURANCE, MAKING PENALTIES APPLICABLE, AND INCLUDING EFFECTIVE DATE PROVISIONS. BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA: Section 1. NEW SECTION . 507F.1 Title. This chapter may be cited as the “Insurance Data Security Act” . Sec. 2. NEW SECTION . 507F.2 Purpose and scope. 1. Notwithstanding any provision of law to the contrary, this chapter establishes the exclusive state standards for data security, and the investigation and notification of cybersecurity events, applicable to licensees. 2. This chapter shall not be construed to create or imply a private cause of action for a violation of its provisions, and shall not be construed to curtail a private cause of action that otherwise exists in the absence of this chapter. Sec. 3. NEW SECTION . 507F.3 Definitions. As used in this chapter, unless the context otherwise requires: 1. “Authorized individual” means an individual known to and screened by a licensee and determined to be necessary and appropriate to have access to nonpublic information held by the licensee and the licensee’s information system.

House File 719, p. 2 2. “Commissioner” means the commissioner of insurance. 3. “Consumer” means an individual, including but not limited to an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this state and whose nonpublic information is in a licensee’s possession, custody, or control. 4. “Cybersecurity event” means an event resulting in unauthorized access to, or the disruption or misuse of, an information system or of nonpublic information stored on an information system. “Cybersecurity event” does not include any of the following: a. The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization. b. An event for which a licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released, and the nonpublic information has been returned or destroyed. 5. “Delivered by electronic means” means delivery to an electronic mail address at which a consumer has consented to receive notices or documents. 6. “Encrypted” means the transformation of data into a form that results in a low probability of assigning meaning to the data without the use of a protective process or key. 7. “Gramm-Leach-Bliley Act” means the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq., including amendments thereto and regulations promulgated thereunder. 8. “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder. 9. “Home state” means the same as defined in section 522B.1. 10. “Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information. 11. “Information system” means a discrete set of electronic information resources organized for the collection, processing,

House File 719, p. 3 maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information, and any specialized system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system. 12. “Insurer” means the same as defined in section 521A.1. 13. “Licensee” means a person licensed, authorized to operate, or registered, or a person required to be licensed, authorized to operate, or registered pursuant to the insurance laws of this state. “Licensee” does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state, or a person acting as an assuming insurer that is domiciled in another state or jurisdiction. 14. “Multi-factor authentication” means authentication through verification of at least two of the following types of authentication factors: a. A knowledge factor, such as a password. b. A possession factor, such as a token or text message on a mobile phone. c. An inherence factor, such as a biometric characteristic. 15. “Nonpublic information” means electronic information that is not publicly available information and that is any of the following: a. Business-related information of a licensee the tampering of which, or unauthorized disclosure, access, or use of which, will cause a material adverse impact to the business, operations, or security of the licensee. b. Information concerning a consumer which can be used to identify the consumer due to a name, number, personal mark, or other identifier, used in combination with any one or more of the following data elements: (1) A social security number. (2) A driver’s license number or a nondriver identification card number. (3) A financial account number, a credit card number, or a debit card number. (4) A security code, an access code, or a password that will permit access to a consumer’s financial accounts. (5) A biometric record.

House File 719, p. 4 c. Information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, and that relates to any of the following: (1) The past, present, or future physical, mental or behavioral health or condition of a consumer, or a member of the consumer’s family. (2) The provision of health care services to a consumer. (3) Payment for the provision of health care services to a consumer. 16. “Person” means an individual or a nongovernmental entity, including but not limited to a nongovernmental partnership, corporation, branch, agency, or association. 17. “Publicly available information” means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records, by widely distributed media, or by disclosure to the general public as required by federal, state, or local law. For purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has determined all of the following: a. That the information is of a type that is available to the general public. b. That if a consumer may direct that the information not be made available to the general public, that the consumer has not directed that the information not be made available to the general public. 18. “Risk assessment” means the assessment that a licensee is required to conduct pursuant to section 507F.4, subsection 3. 19. “Third-party service provider” means a person that is not a licensee that contracts with a licensee to maintain, process, store, or is otherwise permitted access to nonpublic information through the person’s provision of services to the licensee. Sec. 4. NEW SECTION . 507F.4 Information security program. 1. a. Commensurate with the size and complexity of a licensee, the nature and scope of a licensee’s activities including the licensee’s use of third-party service providers,

House File 719, p. 5 and the sensitivity of nonpublic information used by the licensee or that is in the licensee’s possession, custody, or control, the licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment conducted pursuant to subsection 3. b. This section shall not apply to any of the following: (1) A licensee that meets any of the following criteria: (a) Has fewer than twenty individuals on its workforce, including employees and independent contractors. (b) Has less than five million dollars in gross annual revenue. (c) Has less than ten million dollars in year-end total assets. (2) An employee, agent, representative, or designee of a licensee, and the employee, agent, representative, or designee is also a licensee, if the employee, agent, representative, or designee is covered by the information security program of the other licensee. c. A licensee shall have one hundred eighty calendar days from the date the licensee no longer qualifies for exemption under paragraph “b” to comply with this section. 2. A licensee’s information security program must be designed to do all of the following: a. Protect the security and confidentiality of nonpublic information and the security of the licensee’s information system. b. Protect against threats or hazards to the security or integrity of nonpublic information and the licensee’s information system. c. Protect against unauthorized access to or the use of nonpublic information, and minimize the likelihood of harm to any consumer. d. Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for the destruction of nonpublic information if retention is no longer necessary for the licensee’s business operations, or is no longer required by applicable law. 3. A licensee shall conduct a risk assessment that accomplishes all of the following:

House File 719, p. 6 a. Designates one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and that has responsibility for the information security program. b. Identifies reasonably foreseeable internal or external threats that may result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including nonpublic information that is accessible to, or held by, a third-party service provider. c. Assesses the probability of, and the potential damage caused by, the threats identified in paragraph “b” , taking into consideration the sensitivity of nonpublic information. d. Assesses the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats identified in paragraph “b” . This assessment must include consideration of threats identified in each relevant area of the licensee’s operations, including all of the following: (1) Employee training and management. (2) Information systems, including network and software design; and information classification, governance, processing, storage, transmission, and disposal. (3) Detection, prevention, and response to an attack, intrusion, or other system failure. e. Implements information safeguards to manage threats identified in the licensee’s ongoing risk assessments and, at least annually, assesses the effectiveness of the information safeguards’ key controls, systems, and procedures. 4. Based on the risk assessment conducted pursuant to subsection 3, a licensee shall do all of the following: a. Develop, implement, and maintain an information security program as described in subsections 1 and 2. b. Determine which of the following security measures are appropriate and implement each appropriate security measure: (1) Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information. (2) Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve

House File 719, p. 7 its business purposes in accordance with the data, personnel, devices, systems, and facilities relative importance to the licensee’s business objectives and risk strategy. (3) Restrict access of nonpublic information stored in or at physical locations to authorized individuals only. (4) Protect by encryption or other appropriate means, all nonpublic information while the nonpublic information is transmitted over an external network, and all nonpublic information that is stored on a laptop computer, a portable computing or storage device, or portable computing or storage media. (5) Adopt secure development practices for in-house developed applications utilized by the licensee, and procedures for evaluating, assessing, and testing the security of externally developed applications utilized by the licensee. (6) Modify information systems in accordance with the licensee’s information security program. (7) Utilize effective controls, which may include multi-factor authentication procedures for authorized individuals accessing nonpublic information. (8) Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems. (9) Include audit trails within the information security program designed to detect and respond to cybersecurity events, and designed to reconstruct material financial transactions sufficient to support the normal business operations and obligations of the licensee. (10) Implement measures to protect against the destruction, loss, or damage of nonpublic information due to environmental hazards, natural disasters, catastrophes, or technological failures. (11) Develop, implement, and maintain procedures for the secure disposal of nonpublic information that is contained in any format. c. Include cybersecurity risks in the licensee’s enterprise-wide risk management process. d. Maintain knowledge and understanding of emerging threats or vulnerabilities and utilize reasonable security measures,

House File 719, p. 8 relative to the character of the sharing and the type of information being shared, when sharing information. e. Provide the licensee’s personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee’s risk assessment. 5. a. If a licensee has a board of directors, the board or an appropriate committee of the board shall at a minimum require the licensee’s executive management or the executive management’s delegates to: (1) Develop, implement, and maintain the licensee’s information security program. (2) Provide a written report to the board, at least annually, that documents all of the following: (a) The overall status of the licensee’s information security program and the licensee’s compliance with this chapter. (b) Material matters related to the licensee’s information security program including issues such as risk assessment; risk management and control decisions; third-party service provider arrangements; results of testing, cybersecurity events, or violations; management’s response to cybersecurity events or violations; and recommendations for changes in the licensee’s information security program. b. If a licensee’s executive management delegates any of its responsibilities under this section the executive management shall oversee the delegate’s development, implementation, and maintenance of the licensee’s information security program, and shall require the delegate to submit an annual written report to executive management that contains the information required under paragraph “a” , subparagraph (2). If the licensee has a board of directors, the executive management shall provide a copy of the report to the board. 6. A licensee shall monitor, evaluate, and adjust the licensee’s information security program consistent with relevant changes in technology, the sensitivity of the licensee’s nonpublic information, changes to the licensee’s information systems, internal or external threats to the licensee’s nonpublic information, and the licensee’s changing business arrangements, including but not limited to mergers and

House File 719, p. 9 acquisitions, alliances and joint ventures, and outsourcing arrangements. 7. As part of a licensee’s information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee’s possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s operations. The written incident response plan must address all of the following: a. The licensee’s internal process for responding to a cybersecurity event. b. The goals of the licensee’s incident response plan. c. The assignment of clear roles, responsibilities, and levels of decision-making authority for the licensee’s personnel that participate in the incident response plan. d. External communications, internal communications, and information sharing related to a cybersecurity event. e. The identification of remediation requirements for weaknesses identified in information systems and associated controls. f. Documentation and reporting regarding cybersecurity events and related incident response activities. g. The evaluation and revision of the incident response plan, as appropriate, following a cybersecurity event. 8. An insurer domiciled in this state shall annually submit to the commissioner on or before April 15 a written certification that the insurer is in compliance with this section. Each insurer shall maintain all records, schedules, documentation, and data supporting the insurer’s certification for five years. To the extent an insurer has identified an area, system, or process that requires material improvement, updating, or redesign, the insurer shall document the process used to identify the area, system, or process, and the remediation that has been implemented, or will be implemented, to address the area, system, or process. All records, schedules, documentation, and data described in this subsection shall be made available for inspection by the commissioner,

House File 719, p. 10 or the commissioner’s representative, upon request of the commissioner. 9. Licensees shall comply with this section no later than January 1, 2023. Sec. 5. NEW SECTION . 507F.5 Third-party service provider arrangements. 1. A licensee shall exercise due diligence in the selection of third-party service providers, conduct oversight of all third-party service provider arrangements, and require all third-party service providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the licensee’s third-party service providers. 2. Licensees shall comply with this section no later than January 1, 2024. Sec. 6. NEW SECTION . 507F.6 Cybersecurity event —— investigation. 1. If a licensee discovers that a cybersecurity event has occurred, or that a cybersecurity event may have occurred, the licensee, or the outside vendor or third-party service provider the licensee has designated to act on behalf of the licensee, shall conduct a prompt investigation of the event. 2. During the investigation, the licensee, outside vendor, or third-party service provider the licensee has designated to act on behalf of the licensee, shall, at a minimum, determine as much of the following as possible: a. Confirm that a cybersecurity event has occurred. b. Assess the nature and scope of the cybersecurity event. c. Identify all nonpublic information that may have been compromised by the cybersecurity event. d. Perform or oversee reasonable measures to restore the security of any compromised information systems in order to prevent further unauthorized acquisition, release, or use of nonpublic information that is in the licensee’s possession, custody, or control. 3. If a licensee learns that a cybersecurity event has occurred, or may have occurred, in an information system maintained by a third-party service provider of the licensee,

House File 719, p. 11 the licensee shall complete an investigation in compliance with this section, or confirm and document that the third-party service provider has completed an investigation in compliance with this section. 4. A licensee shall maintain all records and documentation related to the licensee’s investigation of a cybersecurity event for a minimum of five years from the date of the event, and shall produce the records and documentation upon demand of the commissioner. Sec. 7. NEW SECTION . 507F.7 Cybersecurity event —— notification and report to the commissioner. 1. A licensee shall notify the commissioner no later than three business days from the date of the licensee’s confirmation of a cybersecurity event if any of the following conditions apply: a. The licensee is an insurer who is domiciled in this state, or is a producer whose home state is this state, and any of the following apply: (1) The laws of this state or federal law requires that notice of the cybersecurity event be given by the licensee to a government body, self-regulatory agency, or other supervisory body. (2) The cybersecurity event has a reasonable likelihood of causing material harm to a material part of the normal business, operations, or security of the licensee. b. The licensee reasonably believes that nonpublic information compromised by the cybersecurity event involves two hundred fifty or more consumers and either of the following apply: (1) State or federal law requires that notice of the cybersecurity event be given by the licensee to a government body, self-regulatory agency, or other supervisory body. (2) The cybersecurity event has a reasonable likelihood of causing material harm to a consumer, or to a material part of the normal business, operations, or security of the licensee. 2. A licensee’s notification to the commissioner pursuant to subsection 1 shall provide, in the form and manner prescribed by the commissioner by rule, as much of the following information as is available to the licensee at the

House File 719, p. 12 time of the notification: a. The date and time of the cybersecurity event. b. A description of how nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of the licensee’s third-party service providers, if any. c. How the licensee discovered or became aware of the cybersecurity event. d. If any lost, stolen, or breached nonpublic information has been recovered and if so, how the recovery occurred. e. The identity of the source of the cybersecurity event. f. The identity of any regulatory, governmental, or law enforcement agencies the licensee has notified, and the date and time of each notification. g. A description of the specific types of nonpublic information that were lost, stolen, or breached. h. The total number of consumers affected by the cybersecurity event. The licensee shall provide the best estimate of affected consumers in the licensee’s initial report to the commissioner and shall update the estimate in each subsequent report to the commissioner under subsection 3. i. The results of any internal review conducted by the licensee that identified a lapse in the licensee’s automated controls or internal procedures, or that confirmed the licensee’s compliance with all automated controls or internal procedures. j. A description of the licensee’s efforts to remediate the circumstances that allowed the cybersecurity event. k. A copy of the licensee’s privacy policy. l. A statement outlining the steps the licensee is taking to identify and notify consumers affected by the cybersecurity event. m. The contact information for the individual authorized to act on behalf of the licensee and who is also knowledgeable regarding the cybersecurity event. 3. A licensee shall have a continuing obligation to update and supplement the licensee’s initial notification to the commissioner as material changes to information previously provided to the commissioner occur.

House File 719, p. 13 Sec. 8. NEW SECTION . 507F.8 Cybersecurity event —— notification to consumers. 1. In the event of a cybersecurity event involving nonpublic information a licensee shall comply with the notification requirements pursuant to section 715C.2, and all other applicable notification requirements pursuant to federal or state law. 2. If a licensee is required to provide notice of a cybersecurity event to the commissioner pursuant to section 507F.7, subsection 1, the licensee shall submit to the commissioner a copy of the consumer notices provided by the licensee to consumers under this section. Sec. 9. NEW SECTION . 507F.9 Cybersecurity event —— third-party service providers. 1. If a licensee becomes aware of a cybersecurity event in an information system maintained by a third-party service provider of the licensee, the licensee shall comply with section 507F.7, or the licensee may obtain a written certification from the third-party service provider that the provider is in compliance with section 507F.7. If the third-party provider fails to provide written certification to the licensee, the licensee shall comply with section 507F.7. The computation of the licensee’s deadlines pursuant to section 507F.7 shall begin on the business day after the date on which the licensee’s third-party service provider notifies the licensee of a cybersecurity event, or the date on which the licensee has actual knowledge of the cybersecurity event, whichever date is earlier. 2. This section shall not be construed to prohibit or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party for the other licensee, third-party service provider, or other party to execute the requirements under section 507F.6 or section 507F.7 on behalf of the licensee. Sec. 10. NEW SECTION . 507F.10 Cybersecurity event reinsurers. 1. If a cybersecurity event involves nonpublic information used by, or that is in the possession, custody, or control of, a licensee that is acting as an assuming insurer and that

House File 719, p. 14 does not have a direct contractual relationship with consumers affected by the cybersecurity event, the assuming insurer shall notify each of the assuming insurer’s affected ceding insurers and the commissioner of the assuming insurer’s state of domicile within three business days of determining that a cybersecurity event has occurred. A ceding insurer that has a direct contractual relationship with a consumer affected by the cybersecurity event shall comply with the applicable provisions of section 715C.2, and all other applicable notification requirements pursuant to federal or state law. 2. If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is acting as an assuming insurer, the assuming insurer shall notify each of the assuming insurer’s affected ceding insurers and the commissioner of the assuming insurer’s state of domicile within three business days of the date the assuming insurer receives notice from the assuming insurer’s third-party service provider that a cybersecurity event involving nonpublic information has occurred. A ceding insurer that has a direct contractual relationship with a consumer affected by the cybersecurity event shall comply with the applicable provisions of section 715C.2, and all other applicable notification requirements pursuant to federal or state law. 3. Notwithstanding any law to the contrary, a licensee acting as an assuming insurer shall have no other notice obligations related to a cybersecurity event or other data breach than the notice requirements pursuant to subsections 1 and 2. Sec. 11. NEW SECTION . 507F.11 Cybersecurity event —— producers of record. If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a licensee that is an insurer, or in the possession, custody, or control of the insurer’s third-party service provider, and for which a consumer accessed the insurer’s services through an independent insurance producer, the insurer shall notify the insurance producer of record of each consumer affected by the cybersecurity event no later than the date on which notice is

House File 719, p. 15 provided to affected consumers pursuant to section 507F.7. An insurer shall not be required to notify an insurance producer that is not authorized by law or contract to sell, solicit, or negotiate on behalf of the insurer, or in a circumstance in which the insurer does not have current contact information for the producer of record for a specific affected consumer. Sec. 12. NEW SECTION . 507F.12 Confidentiality. 1. Documents, materials, and other information in the control or possession of the commissioner that are furnished by a licensee, or by an employee or agent of the licensee acting on behalf of the licensee, or that are obtained by the commissioner in an investigation or examination, shall be confidential by law and privileged, shall not constitute a public record under chapter 22, shall not be subject to subpoena or discovery, and shall not be admissible as evidence in a private civil action. The commissioner, however, shall be authorized to use the documents, materials, and other information in the furtherance of a regulatory or legal action brought as part of the commissioner’s official duties. The commissioner shall not otherwise make the documents, materials, and other information public without the prior written consent of the licensee. 2. The commissioner, or an individual who receives documents, materials, or other information under the authority of the commissioner, shall not be permitted or required to testify in a private civil action concerning any documents, materials, or other information subject to subsection 1. 3. In order to assist in the performance of the commissioner’s duties under this chapter, the commissioner may: a. Share documents, materials, and other information, including documents, materials, and other information subject to subsection 1, with state, federal, and international regulatory agencies; the national association of insurance commissioners, its affiliates and subsidiaries; and with state, federal, and international law enforcement authorities, provided that the recipient certifies in writing that the recipient will maintain the confidentiality or privileged status of any documents, materials, or other information to which confidentiality or privileged status applies.

House File 719, p. 16 b. Receive documents, materials, and other information, including confidential and privileged documents, materials, and other information from the national association of insurance commissioners, its affiliates and subsidiaries; and regulatory and law enforcement officials of foreign and domestic jurisdictions. The commissioner shall maintain as confidential or privileged any document, material, or other information received by the commissioner that is confidential or privileged, or that is received with notice or the understanding that it is confidential or privileged, under the laws of the jurisdiction that is the source of the document, material, or other information. c. Share documents, materials, or other information subject to subsection 1 with a third-party consultant or vendor provided that the third-party consultant or vendor certifies in writing that the consultant or vendor will maintain the confidentiality and privileged status of the document, material, or other information. d. Enter into an agreement governing the sharing and use of documents, materials, or other information that is consistent with this subsection. 4. No waiver of an applicable privilege or claim of confidentiality in a document, material, or other information shall occur as a result of disclosure of the document, material, or other information to the commissioner under this chapter, or as a result of the sharing of the document, material, or other information as authorized under this section. 5. This chapter shall not prohibit the commissioner from releasing final, adjudicated actions that are open to public inspection pursuant to chapter 22, to a database or other clearinghouse service maintained by the national association of insurance commissioners, or its affiliates and subsidiaries. 6. Documents, materials, and other information received by the commissioner under this chapter and shared pursuant to subsection 3, shall be confidential by law and privileged, shall not constitute a public record under chapter 22, shall not be subject to subpoena or discovery, and shall not be admissible as evidence in a private civil action.

House File 719, p. 17 7. Ownership of documents, materials, and other information shared under this chapter with the national association of insurance commissioners, its affiliates and subsidiaries, or a third-party consultant or vendor, remains with the commissioner, and use of the documents, materials, and other information by the national association of insurance commissioners, its affiliates and subsidiaries, or a third-party consultant or vendor is subject to the direction of the commissioner. Sec. 13. NEW SECTION . 507F.13 Applicability. 1. This chapter shall not apply to a licensee that is subject to, and in compliance with, the Health Insurance Portability and Accountability Act. The licensee shall annually submit to the commissioner a written certification of the licensee’s compliance with HIPAA. 2. This chapter shall not apply to a licensee that is owned or controlled by a federally insured depository institution that is subject to, and in compliance with, the Gramm-Leach-Bliley Act or comparable federal law and corresponding regulations. 3. A licensee shall have one hundred eighty days from the date the licensee no longer qualifies for exemption under subsection 1 or 2 to comply with this chapter. Sec. 14. NEW SECTION . 507F.14 Penalties. A licensee that violates this chapter shall be subject to penalties pursuant to section 505.7A and chapter 507B. Sec. 15. NEW SECTION . 507F.15 Rules and enforcement. 1. The commissioner may adopt rules pursuant to chapter 17A as necessary to administer this chapter. 2. The commissioner may take any enforcement action under the commissioner’s authority to enforce compliance with this chapter. Sec. 16. NEW SECTION . 507F.16 Severability. If any provision of this chapter or its application to any person or circumstance is held invalid, the invalidity shall not affect other provisions or applications of this chapter which can be given effect without the invalid provision or application, and to this end the provisions of this chapter are severable.

House File 719, p. 18 Sec. 17. EFFECTIVE DATE. This Act takes effect January 1, 2022. ______________________________ PAT GRASSLEY Speaker of the House ______________________________ JAKE CHAPMAN President of the Senate I hereby certify that this bill originated in the House and is known as House File 719, Eighty-ninth General Assembly. ______________________________ MEGHAN NELSON Chief Clerk of the House Approved _______________, 2021 ______________________________ KIM REYNOLDS Governor