Senate Study Bill 3019





                                       SENATE/HOUSE FILE       
                                       BY  (PROPOSED ATTORNEY GENERAL
                                            BILL)


    Passed Senate, Date               Passed House,  Date             
    Vote:  Ayes        Nays           Vote:  Ayes        Nays         
                 Approved                            

                                      A BILL FOR

  1 An Act relating to offenses against identity, requiring notice of
  2    a breach of security of computer data containing personal
  3    information, and providing a procedure to secure credit
  4    information, and providing a penalty.
  5 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
  6 TLSB 5469DP 81
  7 eg/gg/14

PAG LIN



  1  1                           DIVISION I
  1  2    Section 1.  Section 702.1A, unnumbered paragraph 1, Code
  1  3 2005, is amended to read as follows:
  1  4    For purposes of section 714.1, subsection 8, section
  1  5 714.16C, and section 716.6B:
  1  6    Sec. 2  NEW SECTION.  714.16C  NOTICE OF SECURITY BREACH
  1  7 REQUIRED.
  1  8    1.  As used in this section, unless the context otherwise
  1  9 requires:
  1 10    a.  "Customer" means an individual who is a resident of
  1 11 this state who provides personal information to a person for
  1 12 the purpose of purchasing, leasing, or obtaining goods or
  1 13 services.
  1 14    b.  "Individual" means a natural person.
  1 15    c.  "Person" means an individual, sole proprietorship,
  1 16 partnership, business corporation, nonprofit corporation,
  1 17 association, or other group, however organized and conducting
  1 18 business in this state, including a financial institution as
  1 19 defined in section 527.2, and a business organized for the
  1 20 purpose of destroying records.
  1 21    d.  "Personal information" means an individual's first name
  1 22 or first initial in combination with the individual's last
  1 23 name together with any other identification information
  1 24 defined in section 715A.8 when neither the name nor other
  1 25 identification information is encrypted.  The attorney general
  1 26 may provide by rule for additional items of identification
  1 27 information.  "Personal information" does not include
  1 28 information that is available to the public from federal,
  1 29 state, or local government records, or information that an
  1 30 individual consents to have publicly listed or disseminated,
  1 31 such as name, address, or telephone number.
  1 32    e.  "Security breach" means an unauthorized computer access
  1 33 or acquisition of computer data that compromises the security,
  1 34 confidentiality, or integrity of a customer's personal
  1 35 information.  "Security breach" also means the unauthorized
  2  1 disclosure of a customer's personal information subsequent to
  2  2 a good faith, authorized computer access or acquisition of
  2  3 computer data.
  2  4    2.  If a person that owns or licenses computer data
  2  5 discovers that a security breach has occurred, the person
  2  6 shall immediately notify the customer, subsequent to the
  2  7 following:
  2  8    a.  A law enforcement agency has not determined that notice
  2  9 will impede or compromise a criminal investigation.
  2 10    b.  The person has taken the necessary steps to determine
  2 11 the scope of the security breach and has determined how to
  2 12 restore the security of the computer data.
  2 13    3.  A person who maintains computer data containing
  2 14 personal information that the person does not own or license
  2 15 shall upon discovery of a security breach immediately notify
  2 16 the owner or licensee that a security breach has occurred.
  2 17    4.  Notice under subsections 2 and 3 may be provided by one
  2 18 of the following methods:
  2 19    a.  Written notice.
  2 20    b.  Electronic notice.
  2 21    c.  If the cost of providing notice exceeds two hundred
  2 22 fifty thousand dollars or the number of customers exceeds five
  2 23 hundred thousand, or if insufficient customer contact
  2 24 information exists, the person may provide notice as follows:
  2 25    (1)  By electronically mailing notice to customers with
  2 26 electronic mail addresses.
  2 27    (2)  By conspicuously posting a notice on the person's
  2 28 website, if the person maintains one.
  2 29    (3)  By publishing notice in major statewide media.
  2 30    5.  The notice under subsections 2 and 3 shall include all
  2 31 of the following:
  2 32    a.  To the extent possible, a description of the personal
  2 33 information reasonably believed to have been accessed,
  2 34 acquired or disclosed.
  2 35    b.  A toll-free telephone number that the customer may use
  3  1 to contact the person or the person's agent for the following
  3  2 information:
  3  3    (1)  The type of personal information maintained about the
  3  4 customer or about customers in general.
  3  5    (2)  Whether the person maintained information about the
  3  6 customer.
  3  7    (3)  The toll-free telephone number and address for each of
  3  8 the three largest consumer credit reporting agencies as
  3  9 defined in section 714F.1.
  3 10    6.  A waiver by a customer of the provisions of this
  3 11 section is contrary to public policy, and is void and
  3 12 unenforceable.
  3 13    7.  A person who violates this section violates section
  3 14 714.16, subsection 2, paragraph "a".  All powers conferred
  3 15 upon the attorney general to accomplish the objectives and
  3 16 carry out the duties prescribed in section 714.16 are also
  3 17 conferred upon the attorney general to enforce this section,
  3 18 including but not limited to the power to issue subpoenas,
  3 19 adopt rules, and seek injunctive relief and a monetary award
  3 20 for civil penalties, attorney fees, and costs.  Additionally,
  3 21 the attorney general may seek and recover the greater of five
  3 22 hundred dollars or actual damages for each customer injured by
  3 23 a violation of this section.
  3 24                           DIVISION II
  3 25    Sec. 2.  NEW SECTION.  714F.1  DEFINITIONS.
  3 26    For the purposes of this chapter, unless the context
  3 27 otherwise requires:
  3 28    1.  "Consumer" means an individual.
  3 29    2.  "Consumer report" means any information relating to the
  3 30 creditworthiness of a consumer.
  3 31    3.  "Consumer reporting agency" means any person or entity
  3 32 engaged in the practice of assembling or evaluating consumer
  3 33 credit information for the purpose of furnishing a consumer
  3 34 report to a third party.  A consumer reporting agency shall
  3 35 not include any of the following:
  4  1    a.  A check service or fraud prevention service company
  4  2 that reports on incidents of fraud or issues authorizations
  4  3 for the purpose of approving or processing negotiable
  4  4 instruments, electronic fund transfers, or similar methods of
  4  5 payment.
  4  6    b.  A deposit account information service company that
  4  7 issues reports regarding account closures due to fraud,
  4  8 overdrafts, automated teller machine abuse, or similar
  4  9 negative information regarding a consumer to inquiring
  4 10 financial institutions for use only in reviewing the
  4 11 consumer's request for a deposit account at the inquiring
  4 12 financial institution.
  4 13    c.  Any person or entity engaged in the practice of
  4 14 assembling and merging information contained in a database of
  4 15 one or more consumer reporting agencies and does not maintain
  4 16 a permanent database of credit information from which new
  4 17 consumer reports are produced.
  4 18    4.  "Identification information" means as defined in
  4 19 section 715A.8.
  4 20    5.  "Identity theft" means as used in section 715A.8.
  4 21    6.  "Proper identification" means sufficient identification
  4 22 information to ascertain that individual's identity.
  4 23    7.  "Security freeze" means a hold placed on a consumer
  4 24 report that prevents a consumer reporting agency from
  4 25 releasing a consumer report without first obtaining the
  4 26 consumer's express authorization.
  4 27    Sec. 3.  NEW SECTION.  714F.2  SECURITY FREEZE.
  4 28    A consumer may submit by certified mail to a consumer
  4 29 reporting agency a written request for a security freeze.  The
  4 30 consumer must submit proper identification with the request.
  4 31 Within five business days after receiving the request, the
  4 32 consumer reporting agency shall commence the security freeze.
  4 33 Within ten business days after commencing the security freeze,
  4 34 the consumer reporting agency shall send a written
  4 35 confirmation to the consumer of the security freeze, a
  5  1 personal identification number or password, other than the
  5  2 consumer's social security number, for the consumer to use in
  5  3 authorizing the suspension or removal of the security freeze,
  5  4 including information on how the security freeze may be
  5  5 temporarily suspended.
  5  6    Sec. 4.  NEW SECTION.  714F.3  TEMPORARY SUSPENSION.
  5  7    A consumer may request that a security freeze be
  5  8 temporarily suspended to allow the consumer reporting agency
  5  9 to release the consumer report for a specific time period or
  5 10 to a specific third party.  The consumer reporting agency may
  5 11 develop procedures to expedite the receipt and processing of
  5 12 requests which may involve the use of telephones, facsimile
  5 13 transmissions, the internet, or other electronic media.  The
  5 14 consumer reporting agency shall comply with the request within
  5 15 three business days after receiving the request.  The
  5 16 consumer's request shall include all of the following:
  5 17    1.  Proper identification.
  5 18    2.  The personal identification number or password provided
  5 19 by the consumer reporting agency.
  5 20    3.  Explicit instructions of the specific time period or
  5 21 specific third party designated for suspension of the security
  5 22 freeze.
  5 23    Sec. 5.  NEW SECTION.  714F.4  REMOVAL.
  5 24    A security freeze remains in effect until the consumer
  5 25 requests that the security freeze be removed.  A consumer
  5 26 reporting agency shall remove a security freeze within three
  5 27 business days after receiving a request for removal that
  5 28 includes proper identification of the consumer and the
  5 29 personal identification number or password provided by the
  5 30 consumer reporting agency.
  5 31    Sec. 6.  NEW SECTION.  714F.5  FEES.
  5 32    1.  A consumer reporting agency shall not charge any fee to
  5 33 a consumer who is the victim of identity theft for
  5 34 effectuating a security freeze, temporary suspension, or
  5 35 removal if with the initial security freeze request, the
  6  1 consumer submits a valid copy of the police report,
  6  2 investigative report, or complaint filed with a law
  6  3 enforcement agency concerning the unlawful use of
  6  4 identification information by another person.
  6  5    2.  A consumer reporting agency may charge a fee not to
  6  6 exceed ten dollars to a consumer who is not the victim of
  6  7 identity theft for each security freeze, removal, or for
  6  8 reissuing a personal identification number or password if the
  6  9 consumer fails to retain the original number.  The consumer
  6 10 reporting agency may charge a fee not to exceed twelve dollars
  6 11 for each temporary suspension of a security freeze.
  6 12    Sec. 7.  NEW SECTION.  714F.6  THIRD PARTIES.
  6 13    If a third party requests a consumer report that is subject
  6 14 to a security freeze, the consumer reporting agency may advise
  6 15 the third party that a security freeze is in effect.  If the
  6 16 consumer does not expressly authorize the third party to have
  6 17 access to the consumer report through a temporary suspension
  6 18 of the security freeze, the third party shall not be given
  6 19 access to the consumer report but may treat a credit
  6 20 application as incomplete.
  6 21    Sec. 8.  NEW SECTION.  714F.7  MISREPRESENTATION OF FACT.
  6 22    A consumer reporting agency may suspend or remove a
  6 23 security freeze upon a material misrepresentation of fact by
  6 24 the consumer.  However, the consumer reporting agency shall
  6 25 notify the consumer in writing prior to suspending or removing
  6 26 the security freeze.
  6 27    Sec. 9.  NEW SECTION.  714F.8  EXCEPTIONS.
  6 28    A security freeze shall not apply to the following persons
  6 29 or entities:
  6 30    1.  A person or person's subsidiary, affiliate, agent, or
  6 31 assignee with which the consumer has or prior to assignment
  6 32 had an account, contract, or debtor-creditor relationship for
  6 33 the purposes of reviewing the account or collecting the
  6 34 financial obligation owing for the account, contract, or debt,
  6 35 or extending credit to a consumer with a prior or existing
  7  1 account, contract, or debtor-creditor relationship.
  7  2 "Reviewing the account" includes activities related to account
  7  3 maintenance, monitoring, credit line increases, and account
  7  4 upgrades and enhancements.
  7  5    2.  A subsidiary, affiliate, agent, assignee, or
  7  6 prospective assignee of a person to whom access has been
  7  7 granted under a temporary suspension for purposes of
  7  8 facilitating the extension of credit or another permissible
  7  9 use.
  7 10    3.  A person acting pursuant to a court order, warrant, or
  7 11 subpoena.
  7 12    4.  Child support enforcement officials when investigating
  7 13 a child support case pursuant to Title IV-D or Title XIX of
  7 14 the federal Social Security Act.
  7 15    5.  The department of human services or its agents or
  7 16 assignees acting to investigate fraud under the Medicaid
  7 17 assistance program.
  7 18    6.  The department of revenue or local taxing authorities;
  7 19 or any of their agents or assignees, acting to investigate or
  7 20 collect delinquent taxes or assessments, including interest
  7 21 and penalties and unpaid court orders, or to fulfill any of
  7 22 their other statutory or other responsibilities.
  7 23    7.  A person's use of credit information for prescreening
  7 24 as provided by the federal Fair Credit Reporting Act.
  7 25    8.  A person for the sole purpose of providing a credit
  7 26 file monitoring subscription service to which the consumer has
  7 27 subscribed.
  7 28    9.  A consumer reporting agency for the sole purpose of
  7 29 providing a consumer with a copy of the consumer's consumer
  7 30 report upon the consumer's request.
  7 31    Sec. 10.  NEW SECTION.  714F.9  WRITTEN CONFIRMATION.
  7 32    After a security freeze is in effect, a consumer reporting
  7 33 agency may post a name, date of birth, social security number,
  7 34 or address change in a consumer report provided that written
  7 35 confirmation is sent to the consumer within thirty days of
  8  1 posting the change.  For an address change, written
  8  2 confirmation shall be sent to both the new and former
  8  3 addresses.  Written confirmation is not required to correct
  8  4 spelling and typographical errors.
  8  5    Sec. 11.  NEW SECTION.  714F.10  APPLICATION.
  8  6    An entity listed in section 714F.1, subsection 2, paragraph
  8  7 "a", "b", or "c", shall be subject to a security freeze
  8  8 commenced by a consumer reporting agency that obtains
  8  9 information from such entity.
  8 10    Sec. 12.  NEW SECTION.  714F.11  WAIVER VOID.
  8 11    A waiver by a consumer of the provisions of this chapter is
  8 12 contrary to public policy, and is void and unenforceable.
  8 13    Sec. 13.  NEW SECTION.  714F.12  ENFORCEMENT.
  8 14    A person who violates this chapter violates section 714.16,
  8 15 subsection 2, paragraph "a".  All powers conferred upon the
  8 16 attorney general to accomplish the objectives and carry out
  8 17 the duties prescribed in section 714.16 are also conferred
  8 18 upon the attorney general to enforce this chapter, including
  8 19 but not limited to the power to issue subpoenas, adopt rules,
  8 20 and seek injunctive relief and a monetary award for civil
  8 21 penalties, attorney fees, and costs.  Additionally, the
  8 22 attorney general may seek and recover the greater of five
  8 23 hundred dollars or actual damages for each customer injured by
  8 24 a violation of this chapter.
  8 25                           EXPLANATION
  8 26    This bill concerns the protection of a person's identity.
  8 27 The bill is composed of two parts.
  8 28    The first part requires that a person, e.g., a business,
  8 29 notify a customer when personal information identifying the
  8 30 customer is compromised by a security breach in the computer
  8 31 data owned or licensed by the business.
  8 32    A customer's personal information is limited by definition
  8 33 to a customer's name or other identification information such
  8 34 as the customer's address, date of birth, telephone number,
  8 35 social security number, and other identifying numbers when
  9  1 neither the name nor other identification information is
  9  2 encrypted.  Information that is available to the public, i.e.,
  9  3 by government records or by consent, is not "personal
  9  4 information".  Notice must be given immediately following a
  9  5 security breach, provided that notice will not impede a law
  9  6 enforcement investigation and provided that the scope of the
  9  7 breach and the remedy therefor have been determined.  The
  9  8 notice must include a description of the type of personal
  9  9 information that may have been acquired and a toll-free
  9 10 telephone number for the customer inquiries.
  9 11    The second part of the bill creates a new Code chapter that
  9 12 allows an individual, the consumer, to place a hold on the
  9 13 individual's consumer report to prevent a consumer reporting
  9 14 agency from releasing any information relating to the
  9 15 individual's creditworthiness without first obtaining the
  9 16 individual's express authorization.  This "security freeze"
  9 17 may be temporarily suspended to allow a consumer reporting
  9 18 agency to release a consumer report for a specific time period
  9 19 or to a specific third party.  A security freeze remains in
  9 20 effect until the individual requests its removal.
  9 21    The bill provides that a consumer reporting agency cannot
  9 22 charge any fees to an individual who is the victim of identity
  9 23 theft.  Other individuals pay a fee up to $10 per security
  9 24 freeze, removal, or for reissuing a necessary password if the
  9 25 individual fails to retain it, and up to $12 per temporary
  9 26 suspension request.
  9 27    The bill addresses third parties that seek a consumer
  9 28 report, misrepresentation of a material fact by an individual,
  9 29 and lists exceptions to the security freeze, including a
  9 30 person with a prior debtor-creditor relationship.  The bill
  9 31 provides for changes in the consumer report and makes certain
  9 32 entities also subject to a security freeze.
  9 33    Both parts of the bill provide that a waiver of the
  9 34 protections offered by the security breach notification and
  9 35 the security freeze provisions is void and unenforceable.
 10  1    Both parts of the bill contain enforcement provisions.  A
 10  2 violation is an offense under Code section 714.16 and is
 10  3 subject to enforcement, including injunctive relief and money
 10  4 damages, by the attorney general.
 10  5 LSB 5469DP 81
 10  6 eg:rj/gg/14