House File 2353 - Introduced



                                       HOUSE FILE       
                                       BY  WHITAKER



                                      A BILL FOR

  1 An Act relating to offenses against identity, by specifying a
  2    procedure to secure credit information, providing for the
  3    notification of a breach in the security of computerized data,
  4    and providing penalties.
  5 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
  6 TLSB 5421YH 82
  7 rn/nh/8

PAG LIN



  1  1                           DIVISION I
  1  2                         SECURITY FREEZE
  1  3    Section 1.  NEW SECTION.  714F.1  DEFINITIONS.
  1  4    For the purposes of this chapter, unless the context
  1  5 otherwise requires:
  1  6    1.  "Consumer" means an individual.
  1  7    2.  "Consumer report" means any information relating to the
  1  8 creditworthiness of a consumer.
  1  9    3.  "Consumer reporting agency" means any person or entity
  1 10 engaged in the practice of assembling or evaluating consumer
  1 11 credit information for the purpose of furnishing a consumer
  1 12 report to a third party.  A consumer reporting agency shall
  1 13 not include any of the following:
  1 14    a.  A check service or fraud prevention service company
  1 15 that reports on incidents of fraud or issues authorizations
  1 16 for the purpose of approving or processing negotiable
  1 17 instruments, electronic fund transfers, or similar methods of
  1 18 payment.
  1 19    b.  A deposit account information service company that
  1 20 issues reports regarding account closures due to fraud,
  1 21 overdrafts, automated teller machine abuse, or similar
  1 22 negative information regarding a consumer to inquiring
  1 23 financial institutions for use only in reviewing the
  1 24 consumer's request for a deposit account at the inquiring
  1 25 financial institution.
  1 26    c.  Any person or entity engaged in the practice of
  1 27 assembling and merging information contained in a database of
  1 28 one or more consumer reporting agencies and does not maintain
  1 29 a permanent database of credit information from which new
  1 30 consumer reports are produced.
  1 31    4.  "Identification information" means as defined in
  1 32 section 715A.8.
  1 33    5.  "Identity theft" means as used in section 715A.8.
  1 34    6.  "Proper identification" means sufficient identification
  1 35 information to ascertain that individual's identity.
  2  1    7.  "Security freeze" means a hold placed on a consumer
  2  2 report that prevents a consumer reporting agency from
  2  3 releasing a consumer report without first obtaining the
  2  4 consumer's express authorization.
  2  5    Sec. 2.  NEW SECTION.  714F.2  SECURITY FREEZE.
  2  6    A consumer may submit by certified mail to a consumer
  2  7 reporting agency a written request for a security freeze.  The
  2  8 consumer must submit proper identification with the request.
  2  9 Within five business days after receiving the request, the
  2 10 consumer reporting agency shall commence the security freeze.
  2 11 Within ten business days after commencing the security freeze,
  2 12 the consumer reporting agency shall send a written
  2 13 confirmation to the consumer of the security freeze, a
  2 14 personal identification number or password, other than the
  2 15 consumer's social security number, for the consumer to use in
  2 16 authorizing the suspension or removal of the security freeze,
  2 17 including information on how the security freeze may be
  2 18 temporarily suspended.
  2 19    Sec. 3.  NEW SECTION.  714F.3  TEMPORARY SUSPENSION.
  2 20    A consumer may request that a security freeze be
  2 21 temporarily suspended to allow the consumer reporting agency
  2 22 to release the consumer report for a specific time period or
  2 23 to a specific third party.  The consumer reporting agency may
  2 24 develop procedures to expedite the receipt and processing of
  2 25 requests which may involve the use of telephones, facsimile
  2 26 transmissions, the internet, or other electronic media.  The
  2 27 consumer reporting agency shall comply with the request within
  2 28 three business days after receiving the request.  The
  2 29 consumer's request shall include all of the following:
  2 30    1.  Proper identification.
  2 31    2.  The personal identification number or password provided
  2 32 by the consumer reporting agency.
  2 33    3.  Explicit instructions of the specific time period or
  2 34 specific third party designated for suspension of the security
  2 35 freeze.
  3  1    Sec. 4.  NEW SECTION.  714F.4  REMOVAL.
  3  2    A security freeze remains in effect until the consumer
  3  3 requests that the security freeze be removed.  A consumer
  3  4 reporting agency shall remove a security freeze within three
  3  5 business days after receiving a request for removal that
  3  6 includes proper identification of the consumer and the
  3  7 personal identification number or password provided by the
  3  8 consumer reporting agency.
  3  9    Sec. 5.  NEW SECTION.  714F.5  FEES.
  3 10    1.  A consumer reporting agency shall not charge any fee to
  3 11 a consumer who is the victim of identity theft for
  3 12 effectuating a security freeze, temporary suspension, or
  3 13 removal if with the initial security freeze request, the
  3 14 consumer submits a valid copy of the police report,
  3 15 investigative report, or complaint filed with a law
  3 16 enforcement agency concerning the unlawful use of
  3 17 identification information by another person.
  3 18    2.  A consumer reporting agency may charge a fee not to
  3 19 exceed ten dollars to a consumer who is not the victim of
  3 20 identity theft for each security freeze, removal, or for
  3 21 reissuing a personal identification number or password if the
  3 22 consumer fails to retain the original number.  The consumer
  3 23 reporting agency may charge a fee not to exceed twelve dollars
  3 24 for each temporary suspension of a security freeze.
  3 25    Sec. 6.  NEW SECTION.  714F.6  THIRD PARTIES.
  3 26    If a third party requests a consumer report that is subject
  3 27 to a security freeze, the consumer reporting agency may advise
  3 28 the third party that a security freeze is in effect.  If the
  3 29 consumer does not expressly authorize the third party to have
  3 30 access to the consumer report through a temporary suspension
  3 31 of the security freeze, the third party shall not be given
  3 32 access to the consumer report but may treat a credit
  3 33 application as incomplete.
  3 34    Sec. 7.  NEW SECTION.  714F.7  MISREPRESENTATION OF FACT.
  3 35    A consumer reporting agency may suspend or remove a
  4  1 security freeze upon a material misrepresentation of fact by
  4  2 the consumer.  However, the consumer reporting agency shall
  4  3 notify the consumer in writing prior to suspending or removing
  4  4 the security freeze.
  4  5    Sec. 8.  NEW SECTION.  714F.8  EXCEPTIONS.
  4  6    A security freeze shall not apply to the following persons
  4  7 or entities:
  4  8    1.  A person or person's subsidiary, affiliate, agent, or
  4  9 assignee with which the consumer has or prior to assignment
  4 10 had an account, contract, or debtor-creditor relationship for
  4 11 the purposes of reviewing the account or collecting the
  4 12 financial obligation owing for the account, contract, or debt,
  4 13 or extending credit to a consumer with a prior or existing
  4 14 account, contract, or debtor-creditor relationship.
  4 15 "Reviewing the account" includes activities related to account
  4 16 maintenance, monitoring, credit line increases, and account
  4 17 upgrades and enhancements.
  4 18    2.  A subsidiary, affiliate, agent, assignee, or
  4 19 prospective assignee of a person to whom access has been
  4 20 granted under a temporary suspension for purposes of
  4 21 facilitating the extension of credit or another permissible
  4 22 use.
  4 23    3.  A person acting pursuant to a court order, warrant, or
  4 24 subpoena.
  4 25    4.  Child support enforcement officials when investigating
  4 26 a child support case pursuant to Title IV-D or Title XIX of
  4 27 the federal Social Security Act.
  4 28    5.  The department of human services or its agents or
  4 29 assignees acting to investigate fraud under the medical
  4 30 assistance program.
  4 31    6.  The department of revenue or local taxing authorities;
  4 32 or any of their agents or assignees, acting to investigate or
  4 33 collect delinquent taxes or assessments, including interest
  4 34 and penalties and unpaid court orders, or to fulfill any of
  4 35 their other statutory or other responsibilities.
  5  1    7.  A person's use of credit information for prescreening
  5  2 as provided by the federal Fair Credit Reporting Act.
  5  3    8.  A person for the sole purpose of providing a credit
  5  4 file monitoring subscription service to which the consumer has
  5  5 subscribed.
  5  6    9.  A consumer reporting agency for the sole purpose of
  5  7 providing a consumer with a copy of the consumer's consumer
  5  8 report upon the consumer's request.
  5  9    Sec. 9.  NEW SECTION.  714F.9  WRITTEN CONFIRMATION.
  5 10    After a security freeze is in effect, a consumer reporting
  5 11 agency may post a name, date of birth, social security number,
  5 12 or address change in a consumer report provided written
  5 13 confirmation is sent to the consumer within thirty days of
  5 14 posting the change.  For an address change, written
  5 15 confirmation shall be sent to both the new and former
  5 16 addresses.  Written confirmation is not required to correct
  5 17 spelling and typographical errors.
  5 18    Sec. 10.  NEW SECTION.  714F.10  APPLICATION.
  5 19    An entity listed in section 714F.1, subsection 3, paragraph
  5 20 "a", "b", or "c", shall be subject to a security freeze
  5 21 commenced by a consumer reporting agency that obtains
  5 22 information from such entity.
  5 23    Sec. 11.  NEW SECTION.  714F.11  WAIVER VOID.
  5 24    A waiver by a consumer of the provisions of this chapter is
  5 25 contrary to public policy, and is void and unenforceable.
  5 26    Sec. 12.  NEW SECTION.  714F.12  ENFORCEMENT.
  5 27    A person who violates this chapter violates section 714.16,
  5 28 subsection 2, paragraph "a".  All powers conferred upon the
  5 29 attorney general to accomplish the objectives and carry out
  5 30 the duties prescribed in section 714.16 are also conferred
  5 31 upon the attorney general to enforce this chapter, including
  5 32 but not limited to the power to issue subpoenas, adopt rules,
  5 33 and seek injunctive relief and a monetary award for civil
  5 34 penalties, attorney fees, and costs.  Additionally, the
  5 35 attorney general may seek and recover the greater of five
  6  1 hundred dollars or actual damages for each customer injured by
  6  2 a violation of this chapter.
  6  3                           DIVISION II
  6  4                       BREACH OF SECURITY
  6  5    Sec. 13.  NEW SECTION.  715C.1  DEFINITIONS.
  6  6    As used in this chapter, unless the context otherwise
  6  7 requires:
  6  8    1.  "Breach of security" means unauthorized acquisition of
  6  9 computerized data maintained by a person that materially
  6 10 compromises the security, confidentiality, or integrity of
  6 11 personal information maintained by the person.  Good faith
  6 12 acquisition of personal information by a person or that
  6 13 person's employee or agent for a legitimate purpose of that
  6 14 person is not a breach of security, provided that the personal
  6 15 information is not used in violation of applicable law or in a
  6 16 manner that harms or poses an actual threat to the security,
  6 17 confidentiality, or integrity of the personal information.
  6 18    2.  "Consumer" means an individual who is a resident of
  6 19 this state.
  6 20    3.  "Consumer reporting agency" means the same as defined
  6 21 by the federal Fair Credit Reporting Act, 15 U.S.C. § 1681a.
  6 22    4.  "Debt" means the same as provided in section 537.7102.
  6 23    5.  "Encryption" means the use of an algorithmic process to
  6 24 transform data into a form in which the data is rendered
  6 25 unreadable or unusable without the use of a confidential
  6 26 process or key.
  6 27    6.  "Extension of credit" means the right to defer payment
  6 28 of debt or to incur debt and defer its payment offered or
  6 29 granted primarily for personal, family, or household purposes.
  6 30    7.  "Financial institution" means the same as defined in
  6 31 section 536C.2, subsection 6.
  6 32    8.  "Identity theft" means the same as provided in section
  6 33 715A.8.
  6 34    9.  "Payment card" means the same as defined in section
  6 35 715A.10, subsection 3, paragraph "b".
  7  1    10.  "Person" means an individual; corporation; business
  7  2 trust; estate; trust; partnership; limited liability company;
  7  3 association; joint venture; government; governmental
  7  4 subdivision, agency, or instrumentality; public corporation;
  7  5 or any other legal or commercial entity.
  7  6    11.  "Personal information" means the same as
  7  7 "identification information" as defined in section 715A.8,
  7  8 when not rendered unusable through encryption, redaction, or
  7  9 other methods, or when encrypted and the encryption key has
  7 10 also been acquired, if the information obtained would be
  7 11 sufficient to permit a person to commit identity theft against
  7 12 the consumer whose information was compromised.  "Personal
  7 13 information" does not include publicly available information
  7 14 that is lawfully made available to the general public from
  7 15 federal, state, or local government records.
  7 16    12.  "Redacted" means altered or truncated so that no more
  7 17 than the last four digits of a social security number or other
  7 18 numbers designated in section 715A.8, subsection 1, paragraph
  7 19 "a", is accessible as part of the data.
  7 20    Sec. 14.  NEW SECTION.  715C.2  SECURITY BREACH - CONSUMER
  7 21 NOTIFICATION - REMEDIES.
  7 22    1.  Any person who owns, maintains, or otherwise possesses
  7 23 data that includes a consumer's personal information that is
  7 24 used in the course of the person's business, vocation,
  7 25 occupation, or volunteer activities and who was subject to a
  7 26 breach of security shall give notice of the breach of security
  7 27 following discovery of such breach of security, or receipt of
  7 28 notification under subsection 2, to any consumer whose
  7 29 personal information was included in the information that was
  7 30 breached.  The consumer notification shall be made in the most
  7 31 expeditious manner possible and without unreasonable delay,
  7 32 consistent with the legitimate needs of law enforcement as
  7 33 provided in subsection 3, and consistent with any measures
  7 34 necessary to sufficiently determine contact information for
  7 35 the affected consumers, determine the scope of the breach, and
  8  1 restore the reasonable integrity, security, and
  8  2 confidentiality of the data.
  8  3    2.  Any person who maintains or otherwise possesses
  8  4 personal information on behalf of another person shall notify
  8  5 the owner or licensor of the information of any breach of
  8  6 security immediately following discovery of such breach of
  8  7 security if a consumer's personal information was included in
  8  8 the information that was breached.
  8  9    3.  The consumer notification requirements of this section
  8 10 may be delayed if a law enforcement agency determines that the
  8 11 notification will impede a criminal investigation and the
  8 12 agency has made a written request that the notification be
  8 13 delayed.  The notification required by this section shall be
  8 14 made after the law enforcement agency determines that the
  8 15 notification will not compromise the investigation and
  8 16 notifies the person required to give notice in writing.
  8 17    4.  For purposes of this section, notification to the
  8 18 consumer may be provided by one of the following methods:
  8 19    a.  Written notice.
  8 20    b.  Electronic notice if the person's customary method of
  8 21 communication with the consumer is by electronic means or is
  8 22 consistent with the provisions regarding electronic records
  8 23 and signatures set forth in chapter 554D and the federal
  8 24 Electronic Signatures in Global and National Commerce Act, 15
  8 25 U.S.C. § 7001.
  8 26    c.  Telephone notice, provided that the contact is made
  8 27 directly with the affected consumer.
  8 28    d.  Substitute notice, if the person demonstrates that the
  8 29 cost of providing notice would exceed two hundred fifty
  8 30 thousand dollars, that the affected class of consumers to be
  8 31 notified exceeds three hundred fifty thousand persons, or if
  8 32 the person does not have sufficient contact information to
  8 33 provide notice.  Substitute notice shall consist of the
  8 34 following:
  8 35    (1)  Electronic mail notice when the person has an
  9  1 electronic mail address for the affected consumers.
  9  2    (2)  Conspicuous posting of the notice or a link to the
  9  3 notice on the internet web site of the person if the person
  9  4 maintains an internet web site.
  9  5    (3)  Notification to major statewide media.
  9  6    5.  Notice pursuant to this section shall include, at a
  9  7 minimum, all of the following:
  9  8    a.  A description of the breach of security.
  9  9    b.  The approximate date of the breach of security.
  9 10    c.  The type of personal information obtained as a result
  9 11 of the breach of security.
  9 12    d.  Contact information for consumer reporting agencies,
  9 13 and advice and an offer of assistance in remedying credit
  9 14 problems resulting from the breach of security.
  9 15    e.  Advice to the consumer to report suspected incidents of
  9 16 identity theft to law enforcement, including the Federal Trade
  9 17 Commission.
  9 18    6.  If a person discovers a breach of security affecting
  9 19 more than one thousand consumers that requires disclosure
  9 20 pursuant to this section, the person shall notify, without
  9 21 unreasonable delay, all consumer reporting agencies that
  9 22 compile and maintain reports on consumers on a nationwide
  9 23 basis of the timing, distribution, and content of the
  9 24 notification given by the person to the consumers.  In no case
  9 25 shall a person that is required to make a notification to
  9 26 consumers pursuant to this section delay any notification in
  9 27 order to make the notification to the consumer reporting
  9 28 agencies.  The person shall include the police report number,
  9 29 if available, in its notification to the consumer reporting
  9 30 agencies.
  9 31    7.  Notwithstanding subsection 1, notification is not
  9 32 required if, after an appropriate investigation or after
  9 33 consultation with the relevant federal, state, or local
  9 34 agencies responsible for law enforcement, the person
  9 35 determined that no reasonable likelihood of harm to the
 10  1 consumers whose personal information has been acquired has
 10  2 resulted or will result from the breach.  Such a determination
 10  3 must be documented in writing and the documentation must be
 10  4 maintained for five years.
 10  5    8.  This section does not apply to any of the following:
 10  6    a.  A person who complies with notification requirements or
 10  7 breach of security procedures that provide greater protection
 10  8 to personal information and at least as thorough disclosure
 10  9 requirements than that provided by this section pursuant to
 10 10 the rules, regulations, procedures, guidance, or guidelines
 10 11 established by the person's primary or functional federal
 10 12 regulator.
 10 13    b.  A person who complies with a state or federal law that
 10 14 provides greater protection to personal information and at
 10 15 least as thorough disclosure requirements for breach of
 10 16 security or personal information than that provided by this
 10 17 section.
 10 18    c.  A person who is subject to and complies with
 10 19 regulations promulgated pursuant to Title V of the
 10 20 Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801-6809.
 10 21    9.  a.  A person injured by a violation of this section may
 10 22 bring a civil action for an injunction, actual damages,
 10 23 attorney fees, interest, and court costs.
 10 24    b.  The attorney general may bring an action on behalf of
 10 25 an injured person for an injunction, actual damages incurred
 10 26 by the person, attorney fees, interest, and court costs.
 10 27    c.  The rights and remedies available under this section
 10 28 are cumulative to each other and to any other rights and
 10 29 remedies available under the law.
 10 30                           EXPLANATION
 10 31    This bill concerns the protection of a person's identity.
 10 32    The bill creates new Code chapter 714F that allows an
 10 33 individual, the consumer, to place a hold on the individual's
 10 34 consumer report to prevent a consumer reporting agency from
 10 35 releasing any information relating to the individual's
 11  1 creditworthiness without first obtaining the individual's
 11  2 express authorization.  This "security freeze" may be
 11  3 temporarily suspended to allow a consumer reporting agency to
 11  4 release a consumer report for a specific time period or to a
 11  5 specific third party.  A security freeze remains in effect
 11  6 until the individual requests its removal.
 11  7    The bill provides that a consumer reporting agency cannot
 11  8 charge any fees to an individual who is the victim of identity
 11  9 theft.  Other individuals pay a fee up to $10 per security
 11 10 freeze, removal, or for reissuing a necessary password if the
 11 11 individual fails to retain it, and up to $12 per temporary
 11 12 suspension request.
 11 13    The bill addresses third parties that seek a consumer
 11 14 report, misrepresentation of a material fact by an individual,
 11 15 and lists exceptions to the security freeze, including a
 11 16 person with a prior debtor-creditor relationship.  The bill
 11 17 provides for changes in the consumer report and makes certain
 11 18 entities also subject to a security freeze.
 11 19    The bill provides that a waiver of the protection offered
 11 20 by the security freeze provision is void and unenforceable.
 11 21    The bill contains enforcement provisions.  A violation of
 11 22 new Code chapter 714F is an offense under Code section 714.16
 11 23 and is subject to enforcement, including injunctive relief and
 11 24 money damages, by the attorney general.
 11 25    The bill additionally provides for the notification of a
 11 26 breach in the security of computerized data of personal
 11 27 information in new Code chapter 715C.
 11 28    The bill requires a person who owns, maintains, or
 11 29 otherwise possesses computerized data that includes personal
 11 30 information to provide notice of any breach of the person's
 11 31 security of the data to those residents of this state whose
 11 32 personal information was or may have been acquired by an
 11 33 unauthorized person.  The bill also requires a person who
 11 34 maintains computerized data that includes personal information
 11 35 that the person does not own to notify the owner of the data
 12  1 of any breach in the security of the data.  A "person" is
 12  2 defined in the bill to include persons that conduct business
 12  3 in this state and state agencies.  The notice shall be
 12  4 provided immediately unless a law enforcement agency
 12  5 determines that the notification will impede a criminal
 12  6 investigation.  The notice may be made in writing, through
 12  7 electronic means, or by substitute notice, as defined in the
 12  8 bill, and must contain information regarding a description of
 12  9 the breach of security, the approximate date of the breach,
 12 10 the type of personal information obtained, contact information
 12 11 for consumer reporting agencies and an offer of assistance in
 12 12 remedying credit problems, and consumer reporting advice.  In
 12 13 the event a breach affects more than 1,000 consumers and
 12 14 requires disclosure, the person discovering the breach is
 12 15 required to notify all consumer reporting agencies that
 12 16 compile and maintain reports on consumers on a nationwide
 12 17 basis of the timing, distribution, and content of the
 12 18 notification given to the consumers.
 12 19    The bill provides that notification will not be required if
 12 20 an investigation or consultation with law enforcement agencies
 12 21 determines that no reasonable likelihood of harm has or will
 12 22 result from the breach, and that the bill's provisions do not
 12 23 apply to persons complying with specified requirements or
 12 24 breach of security procedures that provide greater protection
 12 25 to personal information and at least as thorough disclosure
 12 26 requirements as provided pursuant to the bill.
 12 27    The bill provides that a person who is injured by the
 12 28 failure to notify of a security breach required by the bill
 12 29 may file a civil action for an injunction, actual damages,
 12 30 attorney fees, interest, and court costs.  The attorney
 12 31 general may also bring a civil action on behalf of an injured
 12 32 person.