House File 2107 - Introduced

HOUSE FILE
BY WISE

A BILL FOR

An Act to require notification of a breach of the security of a system of computerized data containing personal information and providing for civil remedies.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5634HH 81
kk/sh/8

Section 1. NEW SECTION. 715C.1 DEFINITIONS.

As used in this chapter, unless the context otherwise requires:

1. "Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an information holder. Good faith acquisition of personal information by an employee or agent of the information holder for the purposes of the information holder is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

2. "Information holder" means any person that conducts business in this state, or any agency of this state or any of its political subdivisions, that owns or licenses computerized data that includes personal information.

3. "Personal information" means a person's first name, or first initial, and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

a. Social security number.

b. Driver's license or nonoperator's identification card number.

c. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a person's financial account.
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Sec. 2. NEW SECTION. 715C.2 DISCLOSURE OF BREACH OF SECURITY.

1. An information holder shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data held by the information holder to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection 3, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

2. An information holder that maintains computerized data that includes personal information that the information holder does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

3. The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

4. For purposes of this section, notice shall be provided by one of the following methods:

a. Written notice.

b. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in chapter 554D and 15 U.S.C. § 7001.
c. Substitute notice, if the information holder demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand persons, or the information holder does not have sufficient contact information. Substitute notice shall consist of all of the following:

(1) Notice by electronic mail when the information holder has an electronic mail address for the subject person.

(2) Conspicuous posting of the notice on the information holder's internet website, if the information holder maintains an internet website.

(3) Notification to major statewide media.

5. Notwithstanding subsection 4, an information holder that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the information holder notifies subject persons in accordance with its policies in the event of a breach of security of the system.

Sec. 3. NEW SECTION. 715C.3 REMEDIES.

1. Any person who is neither an agency of this state nor a political subdivision of this state, and who is injured by a violation of this chapter, may institute a civil action to recover actual damages, court costs, interest, and attorney fees, and to enjoin the information holder from further action in violation of this chapter.

2. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
EXPLANATION

This bill requires an information holder that owns or licenses computerized data that includes personal information to disclose any breach of the person's security of the data to those residents of this state whose personal information was or may have been acquired by an unauthorized person. An "information holder" is defined as any person that conducts business in this state and includes a state agency or a political subdivision of the state. The bill requires an information holder that maintains computerized data that includes personal information that the information holder does not own to notify the owner of the data of any breach in the security of the data.

The notification shall be provided immediately unless a law enforcement agency determines that the notification will impede a criminal investigation. The notice may be made in writing, through electronic means, or by substitute notice as defined by the bill.

The bill provides that a person who is injured by the failure to be notified of a security breach required by the bill may file a civil action for an injunction and actual damages, attorney fees, interest, and court costs.

LSB 5634HH 81
kk:nh/sh/8