Senate Study Bill 3019
SENATE/HOUSE FILE
BY (PROPOSED ATTORNEY GENERAL BILL)
A BILL FOR
1 An Act relating to offenses against identity, requiring notice of
2 a breach of security of computer data containing personal
3 information, and providing a procedure to secure credit
4 information, and providing a penalty.
5 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
6 TLSB 5469DP 81
7 eg/gg/14
PAG LIN
1 1 DIVISION I
1 2 Section 1. Section 702.1A, unnumbered paragraph 1, Code
1 3 2005, is amended to read as follows:
1 4 For purposes of section 714.1, subsection 8, section
1 5 714.16C, and section 716.6B:
1 6 Sec. 2. NEW SECTION. 714.16C NOTICE OF SECURITY BREACH
1 7 REQUIRED.
1 8 1. As used in this section, unless the context otherwise
1 9 requires:
1 10 a. "Customer" means an individual who is a resident of
1 11 this state who provides personal information to a person for
1 12 the purpose of purchasing, leasing, or obtaining goods or
1 13 services.
1 14 b. "Individual" means a natural person.
1 15 c. "Person" means an individual, sole proprietorship,
1 16 partnership, business corporation, nonprofit corporation,
1 17 association, or other group, however organized and conducting
1 18 business in this state, including a financial institution as
1 19 defined in section 527.2, and a business organized for the
1 20 purpose of destroying records.
1 21 d. "Personal information" means an individual's first name
1 22 or first initial in combination with the individual's last
1 23 name together with any other identification information
1 24 defined in section 715A.8 when neither the name nor other
1 25 identification information is encrypted. The attorney general
1 26 may provide by rule for additional items of identification
1 27 information. "Personal information" does not include
1 28 information that is available to the public from federal,
1 29 state, or local government records, or information that an
1 30 individual consents to have publicly listed or disseminated,
1 31 such as name, address, or telephone number.
1 32 e. "Security breach" means an unauthorized computer access
1 33 or acquisition of computer data that compromises the security,
1 34 confidentiality, or integrity of a customer's personal
1 35 information. "Security breach" also means the unauthorized
2 1 disclosure of a customer's personal information subsequent to
2 2 a good faith, authorized computer access or acquisition of
2 3 computer data.
2 4 2. If a person that owns or licenses computer data
2 5 discovers that a security breach has occurred, the person
2 6 shall immediately notify the customer, subsequent to the
2 7 following:
2 8 a. A law enforcement agency has not determined that notice
2 9 will impede or compromise a criminal investigation.
2 10 b. The person has taken the necessary steps to determine
2 11 the scope of the security breach and has determined how to
2 12 restore the security of the computer data.
2 13 3. A person who maintains computer data containing
2 14 personal information that the person does not own or license
2 15 shall upon discovery of a security breach immediately notify
2 16 the owner or licensee that a security breach has occurred.
2 17 4. Notice under subsections 2 and 3 may be provided by one
2 18 of the following methods:
2 19 a. Written notice.
2 20 b. Electronic notice.
2 21 c. If the cost of providing notice exceeds two hundred
2 22 fifty thousand dollars or the number of customers exceeds five
2 23 hundred thousand, or if insufficient customer contact
2 24 information exists, the person may provide notice as follows:
2 25 (1) By electronically mailing notice to customers with
2 26 electronic mail addresses.
2 27 (2) By conspicuously posting a notice on the person's
2 28 website, if the person maintains one.
2 29 (3) By publishing notice in major statewide media.
2 30 5. The notice under subsections 2 and 3 shall include all
2 31 of the following:
2 32 a. To the extent possible, a description of the personal
2 33 information reasonably believed to have been accessed,
2 34 acquired or disclosed.
2 35 b. A toll-free telephone number that the customer may use
3 1 to contact the person or the person's agent for the following
3 2 information:
3 3 (1) The type of personal information maintained about the
3 4 customer or about customers in general.
3 5 (2) Whether the person maintained information about the
3 6 customer.
3 7 (3) The toll-free telephone number and address for each of
3 8 the three largest consumer credit reporting agencies as
3 9 defined in section 714F.1.
3 10 6. A waiver by a customer of the provisions of this
3 11 section is contrary to public policy, and is void and
3 12 unenforceable.
3 13 7. A person who violates this section violates section
3 14 714.16, subsection 2, paragraph "a". All powers conferred
3 15 upon the attorney general to accomplish the objectives and
3 16 carry out the duties prescribed in section 714.16 are also
3 17 conferred upon the attorney general to enforce this section,
3 18 including but not limited to the power to issue subpoenas,
3 19 adopt rules, and seek injunctive relief and a monetary award
3 20 for civil penalties, attorney fees, and costs. Additionally,
3 21 the attorney general may seek and recover the greater of five
3 22 hundred dollars or actual damages for each customer injured by
3 23 a violation of this section.
3 24 DIVISION II
3 25 Sec. 2. NEW SECTION. 714F.1 DEFINITIONS.
3 26 For the purposes of this chapter, unless the context
3 27 otherwise requires:
3 28 1. "Consumer" means an individual.
3 29 2. "Consumer report" means any information relating to the
3 30 creditworthiness of a consumer.
3 31 3. "Consumer reporting agency" means any person or entity
3 32 engaged in the practice of assembling or evaluating consumer
3 33 credit information for the purpose of furnishing a consumer
3 34 report to a third party. A consumer reporting agency shall
3 35 not include any of the following:
4 1 a. A check service or fraud prevention service company
4 2 that reports on incidents of fraud or issues authorizations
4 3 for the purpose of approving or processing negotiable
4 4 instruments, electronic fund transfers, or similar methods of
4 5 payment.
4 6 b. A deposit account information service company that
4 7 issues reports regarding account closures due to fraud,
4 8 overdrafts, automated teller machine abuse, or similar
4 9 negative information regarding a consumer to inquiring
4 10 financial institutions for use only in reviewing the
4 11 consumer's request for a deposit account at the inquiring
4 12 financial institution.
4 13 c. Any person or entity engaged in the practice of
4 14 assembling and merging information contained in a database of
4 15 one or more consumer reporting agencies and does not maintain
4 16 a permanent database of credit information from which new
4 17 consumer reports are produced.
4 18 4. "Identification information" means as defined in
4 19 section 715A.8.
4 20 5. "Identity theft" means as used in section 715A.8.
4 21 6. "Proper identification" means sufficient identification
4 22 information to ascertain that individual's identity.
4 23 7. "Security freeze" means a hold placed on a consumer
4 24 report that prevents a consumer reporting agency from
4 25 releasing a consumer report without first obtaining the
4 26 consumer's express authorization.
4 27 Sec. 3. NEW SECTION. 714F.2 SECURITY FREEZE.
4 28 A consumer may submit by certified mail to a consumer
4 29 reporting agency a written request for a security freeze. The
4 30 consumer must submit proper identification with the request.
4 31 Within five business days after receiving the request, the
4 32 consumer reporting agency shall commence the security freeze.
4 33 Within ten business days after commencing the security freeze,
4 34 the consumer reporting agency shall send a written
4 35 confirmation to the consumer of the security freeze, a
5 1 personal identification number or password, other than the
5 2 consumer's social security number, for the consumer to use in
5 3 authorizing the suspension or removal of the security freeze,
5 4 including information on how the security freeze may be
5 5 temporarily suspended.
5 6 Sec. 4. NEW SECTION. 714F.3 TEMPORARY SUSPENSION.
5 7 A consumer may request that a security freeze be
5 8 temporarily suspended to allow the consumer reporting agency
5 9 to release the consumer report for a specific time period or
5 10 to a specific third party. The consumer reporting agency may
5 11 develop procedures to expedite the receipt and processing of
5 12 requests which may involve the use of telephones, facsimile
5 13 transmissions, the internet, or other electronic media. The
5 14 consumer reporting agency shall comply with the request within
5 15 three business days after receiving the request. The
5 16 consumer's request shall include all of the following:
5 17 1. Proper identification.
5 18 2. The personal identification number or password provided
5 19 by the consumer reporting agency.
5 20 3. Explicit instructions of the specific time period or
5 21 specific third party designated for suspension of the security
5 22 freeze.
5 23 Sec. 5. NEW SECTION. 714F.4 REMOVAL.
5 24 A security freeze remains in effect until the consumer
5 25 requests that the security freeze be removed. A consumer
5 26 reporting agency shall remove a security freeze within three
5 27 business days after receiving a request for removal that
5 28 includes proper identification of the consumer and the
5 29 personal identification number or password provided by the
5 30 consumer reporting agency.
5 31 Sec. 6. NEW SECTION. 714F.5 FEES.
5 32 1. A consumer reporting agency shall not charge any fee to
5 33 a consumer who is the victim of identity theft for
5 34 effectuating a security freeze, temporary suspension, or
5 35 removal if with the initial security freeze request, the
6 1 consumer submits a valid copy of the police report,
6 2 investigative report, or complaint filed with a law
6 3 enforcement agency concerning the unlawful use of
6 4 identification information by another person.
6 5 2. A consumer reporting agency may charge a fee not to
6 6 exceed ten dollars to a consumer who is not the victim of
6 7 identity theft for each security freeze, removal, or for
6 8 reissuing a personal identification number or password if the
6 9 consumer fails to retain the original number. The consumer
6 10 reporting agency may charge a fee not to exceed twelve dollars
6 11 for each temporary suspension of a security freeze.
6 12 Sec. 7. NEW SECTION. 714F.6 THIRD PARTIES.
6 13 If a third party requests a consumer report that is subject
6 14 to a security freeze, the consumer reporting agency may advise
6 15 the third party that a security freeze is in effect. If the
6 16 consumer does not expressly authorize the third party to have
6 17 access to the consumer report through a temporary suspension
6 18 of the security freeze, the third party shall not be given
6 19 access to the consumer report but may treat a credit
6 20 application as incomplete.
6 21 Sec. 8. NEW SECTION. 714F.7 MISREPRESENTATION OF FACT.
6 22 A consumer reporting agency may suspend or remove a
6 23 security freeze upon a material misrepresentation of fact by
6 24 the consumer. However, the consumer reporting agency shall
6 25 notify the consumer in writing prior to suspending or removing
6 26 the security freeze.
6 27 Sec. 9. NEW SECTION. 714F.8 EXCEPTIONS.
6 28 A security freeze shall not apply to the following persons
6 29 or entities:
6 30 1. A person or person's subsidiary, affiliate, agent, or
6 31 assignee with which the consumer has or prior to assignment
6 32 had an account, contract, or debtor-creditor relationship for
6 33 the purposes of reviewing the account or collecting the
6 34 financial obligation owing for the account, contract, or debt,
6 35 or extending credit to a consumer with a prior or existing
7 1 account, contract, or debtor-creditor relationship.
7 2 "Reviewing the account" includes activities related to account
7 3 maintenance, monitoring, credit line increases, and account
7 4 upgrades and enhancements.
7 5 2. A subsidiary, affiliate, agent, assignee, or
7 6 prospective assignee of a person to whom access has been
7 7 granted under a temporary suspension for purposes of
7 8 facilitating the extension of credit or another permissible
7 9 use.
7 10 3. A person acting pursuant to a court order, warrant, or
7 11 subpoena.
7 12 4. Child support enforcement officials when investigating
7 13 a child support case pursuant to Title IV-D or Title XIX of
7 14 the federal Social Security Act.
7 15 5. The department of human services or its agents or
7 16 assignees acting to investigate fraud under the Medicaid
7 17 assistance program.
7 18 6. The department of revenue or local taxing authorities;
7 19 or any of their agents or assignees, acting to investigate or
7 20 collect delinquent taxes or assessments, including interest
7 21 and penalties and unpaid court orders, or to fulfill any of
7 22 their other statutory or other responsibilities.
7 23 7. A person's use of credit information for prescreening
7 24 as provided by the federal Fair Credit Reporting Act.
7 25 8. A person for the sole purpose of providing a credit
7 26 file monitoring subscription service to which the consumer has
7 27 subscribed.
7 28 9. A consumer reporting agency for the sole purpose of
7 29 providing a consumer with a copy of the consumer's consumer
7 30 report upon the consumer's request.
7 31 Sec. 10. NEW SECTION. 714F.9 WRITTEN CONFIRMATION.
7 32 After a security freeze is in effect, a consumer reporting
7 33 agency may post a name, date of birth, social security number,
7 34 or address change in a consumer report provided that written
7 35 confirmation is sent to the consumer within thirty days of
8 1 posting the change. For an address change, written
8 2 confirmation shall be sent to both the new and former
8 3 addresses. Written confirmation is not required to correct
8 4 spelling and typographical errors.
8 5 Sec. 11. NEW SECTION. 714F.10 APPLICATION.
8 6 An entity listed in section 714F.1, subsection 2, paragraph
8 7 "a", "b", or "c", shall be subject to a security freeze
8 8 commenced by a consumer reporting agency that obtains
8 9 information from such entity.
8 10 Sec. 12. NEW SECTION. 714F.11 WAIVER VOID.
8 11 A waiver by a consumer of the provisions of this chapter is
8 12 contrary to public policy, and is void and unenforceable.
8 13 Sec. 13. NEW SECTION. 714F.12 ENFORCEMENT.
8 14 A person who violates this chapter violates section 714.16,
8 15 subsection 2, paragraph "a". All powers conferred upon the
8 16 attorney general to accomplish the objectives and carry out
8 17 the duties prescribed in section 714.16 are also conferred
8 18 upon the attorney general to enforce this chapter, including
8 19 but not limited to the power to issue subpoenas, adopt rules,
8 20 and seek injunctive relief and a monetary award for civil
8 21 penalties, attorney fees, and costs. Additionally, the
8 22 attorney general may seek and recover the greater of five
8 23 hundred dollars or actual damages for each customer injured by
8 24 a violation of this chapter.
8 25 EXPLANATION
8 26 This bill concerns the protection of a person's identity.
8 27 The bill is composed of two parts.
8 28 The first part requires that a person, e.g., a business,
8 29 notify a customer when personal information identifying the
8 30 customer is compromised by a security breach in the computer
8 31 data owned or licensed by the business.
8 32 A customer's personal information is limited by definition
8 33 to a customer's name or other identification information such
8 34 as the customer's address, date of birth, telephone number,
8 35 social security number, and other identifying numbers when
9 1 neither the name nor other identification information is
9 2 encrypted. Information that is available to the public, i.e.,
9 3 by government records or by consent, is not "personal
9 4 information". Notice must be given immediately following a
9 5 security breach, provided that notice will not impede a law
9 6 enforcement investigation and provided that the scope of the
9 7 breach and the remedy therefor have been determined. The
9 8 notice must include a description of the type of personal
9 9 information that may have been acquired and a toll-free
9 10 telephone number for customer inquiries.
9 11 The second part of the bill creates a new Code chapter that
9 12 allows an individual, the consumer, to place a hold on the
9 13 individual's consumer report to prevent a consumer reporting
9 14 agency from releasing any information relating to the
9 15 individual's creditworthiness without first obtaining the
9 16 individual's express authorization. This "security freeze"
9 17 may be temporarily suspended to allow a consumer reporting
9 18 agency to release a consumer report for a specific time period
9 19 or to a specific third party. A security freeze remains in
9 20 effect until the individual requests its removal.
9 21 The bill provides that a consumer reporting agency cannot
9 22 charge any fees to an individual who is the victim of identity
9 23 theft. Other individuals pay a fee up to $10 per security
9 24 freeze, removal, or for reissuing a necessary password if the
9 25 individual fails to retain it, and up to $12 per temporary
9 26 suspension request.
9 27 The bill addresses third parties that seek a consumer
9 28 report, misrepresentation of a material fact by an individual,
9 29 and lists exceptions to the security freeze, including a
9 30 person with a prior debtor-creditor relationship. The bill
9 31 provides for changes in the consumer report and makes certain
9 32 entities also subject to a security freeze.
9 33 Both parts of the bill provide that a waiver of the
9 34 protections offered by the security breach notification and
9 35 the security freeze provisions is void and unenforceable.
10 1 Both parts of the bill contain enforcement provisions. A
10 2 violation is an offense under Code section 714.16 and is
10 3 subject to enforcement, including injunctive relief and money
10 4 damages, by the attorney general.
10 5 LSB 5469DP 81
10 6 eg:rj/gg/14