House File 2107 - Introduced



                                       HOUSE FILE       
                                       BY  WISE


    Passed House, Date                Passed Senate,  Date             
    Vote:  Ayes        Nays           Vote:  Ayes        Nays         
                 Approved                            

                                      A BILL FOR

An Act to require notification of a breach of the security of a system of computerized data containing personal information and providing for civil remedies.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5634HH 81
kk/sh/8

Section 1.  NEW SECTION.  715C.1  DEFINITIONS.

As used in this chapter, unless the context otherwise requires:

1.  "Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an information holder.  Good faith acquisition of personal information by an employee or agent of the information holder for the purposes of the information holder is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

2.  "Information holder" means any person that conducts business in this state, or any agency of this state or any of its political subdivisions, that owns or licenses computerized data that includes personal information.

3.  "Personal information" means a person's first name, or first initial, and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

a.  Social security number.

b.  Driver's license or nonoperator's identification card number.

c.  Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a person's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Sec. 2.  NEW SECTION.  715C.2  DISCLOSURE OF BREACH OF SECURITY.

1.  An information holder shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data held by the information holder to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection 3, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

2.  An information holder that maintains computerized data that includes personal information that the information holder does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

3.  The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.  The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

4.  For purposes of this section, notice shall be provided by one of the following methods:

a.  Written notice.

b.  Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in chapter 554D and 15 U.S.C. § 7001.

c.  Substitute notice, if the information holder demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand persons, or the information holder does not have sufficient contact information.  Substitute notice shall consist of all of the following:

(1)  Notice by electronic mail when the information holder has an electronic mail address for the subject person.

(2)  Conspicuous posting of the notice on the information holder's internet website, if the information holder maintains an internet website.

(3)  Notification to major statewide media.

5.  Notwithstanding subsection 4, an information holder that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the information holder notifies subject persons in accordance with its policies in the event of a breach of security of the system.

Sec. 3.  NEW SECTION.  715C.3  REMEDIES.

1.  Any person who is neither an agency of this state nor a political subdivision of this state, and who is injured by a violation of this chapter, may institute a civil action to recover actual damages, court costs, interest, and attorney fees, and to enjoin the information holder from further action in violation of this chapter.

2.  The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.

EXPLANATION
This bill requires an information holder that owns or licenses computerized data that includes personal information to disclose any breach of the security of the data to those residents of this state whose personal information was or may have been acquired by an unauthorized person.  An "information holder" is defined as any person that conducts business in this state and includes a state agency or a political subdivision of the state.  The bill requires an information holder that maintains computerized data that includes personal information that the information holder does not own to notify the owner of the data of any breach in the security of the data.

The notification shall be provided immediately unless a law enforcement agency determines that the notification will impede a criminal investigation.  The notice may be made in writing, through electronic means, or by substitute notice as defined by the bill.

The bill provides that a person who is injured by the failure to be notified of a security breach as required by the bill may file a civil action for an injunction and actual damages, attorney fees, interest, and court costs.

LSB 5634HH 81
kk:nh/sh/8