House File 2517 - Introduced



                                    HOUSE FILE       
                                    BY  DEYOE, LUKAN, SODERBERG,
                                        WINDSCHITL, ALONS, L. MILLER,
                                        FORRISTALL, ARNOLD, RASMUSSEN,
                                        HEATON, VAN ENGELENHOVEN,
                                        GRANZOW, S. OLSON, HOFFMAN,
                                        CHAMBERS, DRAKE, and UPMEYER


    Passed House,  Date               Passed Senate, Date             
    Vote:  Ayes        Nays           Vote:  Ayes        Nays         
                 Approved                            

                                      A BILL FOR

  1 An Act relating to the protection of personal information,
  2    specifying notice procedures following a breach of security,
  3    and providing a penalty.
  4 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
  5 TLSB 6179YH 82
  6 md/nh/5

PAG LIN



  1  1    Section 1.  NEW SECTION.  23.1  DEFINITIONS.
  1  2    1.  "Breach of security" means the unauthorized access and
  1  3 acquisition of unencrypted or unredacted personal information
  1  4 that compromises the security, confidentiality, or integrity
  1  5 of an individual's personal information maintained by a person
  1  6 and that causes, or the person reasonably believes has caused
  1  7 or will cause, identity theft to the individual.  Good faith
  1  8 acquisition of personal information by a person or a person's
  1  9 agent is not a breach of security, provided the personal
  1 10 information is not used for or is not subject to further
  1 11 unauthorized disclosure.
  1 12    2.  "Person" means any individual, partnership,
  1 13 corporation, trust, estate, cooperative, association, other
  1 14 entity, or government body as defined in section 22.1.
  1 15    3.  "Personal information" means an individual's first name
  1 16 or first initial and last name in combination with any one or
  1 17 more of the following data elements that relate to the
  1 18 individual if neither the name nor the data elements are
  1 19 encrypted, redacted, or otherwise altered by any method or
  1 20 technology in such a manner that the name or data elements are
  1 21 unreadable:
  1 22    a.  Social security number.
  1 23    b.  Driver's license number or other unique identification
  1 24 number.
  1 25    c.  Financial account number, credit card number, or debit
  1 26 card number in combination with any required security code,
  1 27 access code, or password that would permit access to an
  1 28 individual's financial account.
  1 29    d.  Unique electronic identifier or routing code, in
  1 30 combination with any required security code, access code, or
  1 31 password.
  1 32    e.  Unique biometric data, such as a fingerprint, voice
  1 33 print or recording, retina or iris image, or other unique
  1 34 physical representation or digital representation of the
  1 35 biometric data.
  2  1    4.  "Record" means information that is inscribed on a
  2  2 tangible medium, or that is stored in an electronic or other
  2  3 medium and is retrievable in perceivable form.
  2  4    5.  "Redact" means alteration or truncation of data such
  2  5 that no more than any of the following are accessible as part
  2  6 of the personal information:
  2  7    a.  Five digits of a social security number.
  2  8    b.  The last four digits of any account or identification
  2  9 number specified under subsection 3.
  2 10    Sec. 2.  NEW SECTION.  23.2  BREACH OF SECURITY — NOTICE.
  2 11    1.  a.  A person that collects, maintains, licenses, or
  2 12 processes a record containing personal information shall
  2 13 disclose any breach of security to each affected individual
  2 14 upon discovery of the breach of security.  Notice of the
  2 15 breach of security shall also be provided to an appropriate
  2 16 law enforcement agency.  Notice to the affected individual
  2 17 shall be made in the most expedient time and manner possible
  2 18 and without unreasonable delay, consistent with any measures
  2 19 necessary to determine the scope of the breach of security and
  2 20 with the legitimate needs of law enforcement as provided in
  2 21 subsection 2.
  2 22    b.  If the affected individual is a minor, the person shall
  2 23 provide notice to the minor's parent or guardian.
  2 24    c.  In the event that a person discovers circumstances
  2 25 requiring notification pursuant to this section of more than
  2 26 one thousand individuals at one time, the person shall also
  2 27 notify, without unreasonable delay, all consumer reporting
  2 28 agencies that compile and maintain files on individuals on a
  2 29 nationwide basis, as defined by 15 U.S.C. § 1681a(p), of the
  2 30 timing, distribution, and content of the notice provided to
  2 31 the affected individuals.
  2 32    d.  A person that is regulated by state or federal law and
  2 33 that maintains procedures for a breach of the security
  2 34 pursuant to the rules, regulations, or guidelines established
  2 35 by the person's state or federal regulator is deemed to be in
  3  1 compliance with this section.  This section shall not relieve
  3  2 a person from a duty to comply with other requirements of
  3  3 state or federal law regarding the protection and privacy of
  3  4 personal information.
  3  5    2.  If requested by a law enforcement agency, the person
  3  6 shall delay giving notice to the affected individual if notice
  3  7 may impede a criminal investigation or endanger state or
  3  8 national security.  The request by a law enforcement agency
  3  9 shall be in writing or documented in writing by the person.
  3 10 After the law enforcement agency notifies the person that
  3 11 notice of the breach of security will no longer impede the
  3 12 investigation or endanger state or national security, the
  3 13 person shall give notice to the affected individuals without
  3 14 unreasonable delay.
  3 15    Sec. 3.  NEW SECTION.  23.3  FORM OF NOTICE.
  3 16    1.  Notice provided to an affected individual pursuant to
  3 17 section 23.2 shall be clear and conspicuous and shall include
  3 18 all of the following:
  3 19    a.  A description of the incident causing the breach of
  3 20 security.
  3 21    b.  The type of personal information compromised by the
  3 22 breach of security.
  3 23    c.  A description of any remedial action taken by the
  3 24 person.
  3 25    d.  Contact information for the person with whom the
  3 26 affected individual may communicate in order to receive
  3 27 further information and assistance.
  3 28    e.  A statement advising the affected individual to
  3 29 thoroughly and continually review financial account
  3 30 information and credit reports.
  3 31    2.  Notice to an affected individual pursuant to section
  3 32 23.2 shall be provided by at least one of the following:
  3 33    a.  Written notice to the affected individual's last
  3 34 address of record.
  3 35    b.  Electronic mail notice, if the affected individual has
  4  1 agreed to receive communications electronically from the
  4  2 person.
  4  3    c.  Telephonic notice, if the communication is made
  4  4 directly with the affected individual.
  4  5    d.  Substitute notice, if the person determines that the
  4  6 cost of providing notice to all affected individuals under
  4  7 paragraphs "a" through "c" exceeds one hundred thousand
  4  8 dollars, that the number of affected individuals exceeds five
  4  9 thousand, or that the person does not have sufficient contact
  4 10 information needed to provide notice under paragraphs "a"
  4 11 through "c".  Substitute notice shall consist of any of the
  4 12 following:
  4 13    (1)  Electronic mail notice.
  4 14    (2)  Conspicuous notice posted on the person's web site.
  4 15    (3)  Notification through local or statewide media.
  4 16    Sec. 4.  NEW SECTION.  23.4  ENFORCEMENT BY ATTORNEY
  4 17 GENERAL — PENALTY.
  4 18    1.  A person, other than a government body, who violates
  4 19 this chapter is subject to a civil penalty not to exceed ten
  4 20 thousand dollars for each breach of security unless the person
  4 21 is subject to a civil penalty for the same breach of security
  4 22 under another provision of state or federal law.
  4 23    2.  The office of attorney general shall initiate an action
  4 24 against a person who violates this chapter to enforce payment
  4 25 of a civil penalty.
  4 26    3.  A civil penalty imposed under this section shall not
  4 27 preclude a civil action filed by an affected individual.
  4 28                           EXPLANATION
  4 29    This bill requires a person, as defined in the bill, that
  4 30 collects, maintains, licenses, or processes a record
  4 31 containing personal information to disclose any breach of
  4 32 security to an affected individual upon discovery of the
  4 33 breach.  The bill also requires notice of the breach to be
  4 34 provided to an appropriate law enforcement agency.
  4 35    Disclosure of the breach of security shall be in the form
  5  1 of notice and shall be made in the most expedient time and
  5  2 manner possible.  Notice shall also be consistent with any
  5  3 measures necessary to determine the scope of the breach and
  5  4 with the legitimate needs of law enforcement.  The bill
  5  5 provides that if requested by a law enforcement agency, the
  5  6 person shall delay giving notice if doing so would impede a
  5  7 criminal investigation or endanger state or national security.
  5  8    The bill requires the notice provided to an affected
  5  9 individual to be clear, conspicuous, and include a description
  5 10 of the incident causing the breach, the type of personal
  5 11 information compromised by the breach, a description of any
  5 12 remedial action taken by the person, contact information where
  5 13 the affected individual may call for further information and
  5 14 assistance, and a statement advising the affected individual
  5 15 to thoroughly and continually review financial account
  5 16 information and credit reports.
  5 17    The bill provides three methods by which notice may be
  5 18 given.  The three methods are written notice to the affected
  5 19 individual's last address of record, electronic mail notice if
  5 20 the affected individual has agreed to receive communications
  5 21 electronically, and telephonic notice if the communication is
  5 22 directly with the affected individual.  The bill also provides
  5 23 for substitute notice under certain specified circumstances.
  5 24    If a breach of security affects more than 1,000
  5 25 individuals, the bill requires the person to also notify all
  5 26 consumer reporting agencies that compile and maintain files on
  5 27 individuals on a nationwide basis, as defined by 15 U.S.C. §
  5 28 1681a(p).
  5 29    The bill imposes a civil penalty not to exceed $10,000 for
  5 30 each breach of security unless the person is subject to a
  5 31 civil penalty under another provision of state or federal law
  5 32 for the same breach of security.  The bill exempts government
  5 33 bodies from the civil penalty provisions established in new
  5 34 Code section 23.4.  A civil penalty imposed under the bill
  5 35 does not preclude a civil action filed by an affected
  6  1 individual.
  6  2 LSB 6179YH 82
  6  3 md/nh/5