Senate File 2308 - Introduced



                                       SENATE FILE       
                                       BY  COMMITTEE ON COMMERCE

                                       (SUCCESSOR TO SSB 3200)


    Passed Senate, Date               Passed House,  Date             
    Vote:  Ayes        Nays           Vote:  Ayes        Nays         
                 Approved                            

                                      A BILL FOR

An Act relating to identity theft by providing for the notification of a breach in the security of computerized data that includes personal information, and providing penalties.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 6517SV 82
rn/nh/8




   Section 1.  NEW SECTION.  715C.1  DEFINITIONS.
   As used in this chapter, unless the context otherwise requires:
   1.  "Breach of security" means unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information maintained by the person.  Good faith acquisition of personal information by a person or that person's employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.
   2.  "Consumer" means an individual who is a resident of this state.
   3.  "Consumer reporting agency" means the same as defined by the federal Fair Credit Reporting Act, 15 U.S.C. § 1681a.
   4.  "Debt" means the same as provided in section 537.7102.
   5.  "Encryption" means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.
   6.  "Extension of credit" means the right to defer payment of debt or to incur debt and defer its payment offered or granted primarily for personal, family, or household purposes.
   7.  "Financial institution" means the same as defined in section 536C.2, subsection 6.
   8.  "Identity theft" means the same as provided in section 715A.8.
   9.  "Payment card" means the same as defined in section 715A.10, subsection 3, paragraph "b".
   10.  "Person" means an individual; corporation; business trust; estate; trust; partnership; limited liability company; association; joint venture; government; governmental subdivision, agency, or instrumentality; public corporation; or any other legal or commercial entity.
   11.  "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if neither the name nor the data elements are encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:
   a.  Social security number.
   b.  Driver's license number or other unique identification number created or collected by a government body.
   c.  Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
   d.  Unique electronic identifier or routing code, in combination with any required security code, access code, or password.
   e.  Biometric identifier.
   12.  "Redacted" means altered or truncated so that no more than the last four digits of a social security number or other numbers designated in section 715A.8, subsection 1, paragraph "a", is accessible as part of the data.
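The "personal information" and "redacted" definitions above are, in practice, the test a breach-scoping script applies to each exposed record: is a name readable, and is at least one listed data element readable alongside it, where "readable" means neither encrypted nor truncated to the last four digits. The following is an added worked example, not text or code from the bill; the Record layout, its field names and the sample records are assumptions constructed for illustration, and the set of numbers other than the social security number that the "redacted" test covers depends on section 715A.8, which this page does not reproduce.

```python
# Added example (not part of SF 2308): applying the bill's definitions of
# "personal information" (sec. 715C.1(11)) and "redacted" (sec. 715C.1(12))
# to individual records. Record fields and sample data are assumptions.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Record:
    first_name: Optional[str] = None       # full first name or first initial
    last_name: Optional[str] = None
    ssn: Optional[str] = None
    gov_id: Optional[str] = None           # driver's license or other government-issued number
    account_number: Optional[str] = None   # financial, credit or debit card account number
    account_secret: Optional[str] = None   # security code, access code or password
    biometric: Optional[bytes] = None
    encrypted: Set[str] = field(default_factory=set)  # names of fields stored under encryption


def digits_of(value: str) -> str:
    """Digits only, so formatting such as dashes does not affect the count."""
    return re.sub(r"\D", "", value)


def redact(value: str, keep: int = 4) -> str:
    """Truncate an identifier so that only its last `keep` digits stay readable,
    which is the alteration the "redacted" definition describes."""
    d = digits_of(value)
    visible = d[-keep:] if keep > 0 else ""
    return "*" * (len(d) - len(visible)) + visible


def is_redacted(value: str, keep: int = 4) -> bool:
    """True when no more than the last `keep` digits are accessible."""
    return len(digits_of(value)) <= keep


def _readable(rec: Record, name: str) -> bool:
    """A field counts only if it is present and not held under encryption."""
    return bool(getattr(rec, name)) and name not in rec.encrypted


def is_personal_information(rec: Record) -> bool:
    """Name (first name or initial plus last name) readable, and at least one
    listed data element readable in combination with it."""
    if not (_readable(rec, "first_name") and _readable(rec, "last_name")):
        return False
    elements = [
        _readable(rec, "ssn") and not is_redacted(rec.ssn),
        _readable(rec, "gov_id") and not is_redacted(rec.gov_id),
        # account numbers qualify only together with the code/password that unlocks the account
        _readable(rec, "account_number") and _readable(rec, "account_secret"),
        _readable(rec, "biometric"),
    ]
    return any(elements)


def affected_records(records: List[Record]) -> List[Record]:
    """The subset of exposed records that contains personal information as defined."""
    return [r for r in records if is_personal_information(r)]


def demo() -> List[Record]:
    # Constructed sample records for the walkthrough.
    sample = [
        Record("Jane", "Doe", ssn="123-45-6789"),                  # yes: name plus readable SSN
        Record("J", "Roe", ssn=redact("987-65-4321")),              # no: SSN truncated to last four
        Record("Max", "Poe", account_number="4111111111111111"),    # no: account number without its code
        Record("Ann", "Lee", account_number="4111111111111111",
               account_secret="123", encrypted={"account_secret"}),  # no: the code is encrypted
        Record("Bo", "Li", gov_id="D1234567"),                      # yes: name plus readable government ID
    ]
    return affected_records(sample)


if __name__ == "__main__":
    for r in demo():
        print(f"notify: {r.first_name} {r.last_name}")
```

Records that fail this test still matter for the notification duty in section 715C.2, because the owner must also determine the scope of the breach and whether harm is reasonably likely; the check above only tells you which records meet the statutory definition, not whether notice can be skipped.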
   Sec. 2.  NEW SECTION.  715C.2  SECURITY BREACH -- CONSUMER NOTIFICATION -- REMEDIES.
   1.  Any person who owns, maintains, or otherwise possesses data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation, or volunteer activities and who was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to any consumer whose personal information was included in the information that was breached.  The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection 3, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.
   2.  Any person who maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer's personal information was included in the information that was breached.
   3.  The consumer notification requirements of this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the agency has made a written request that the notification be delayed.  The notification required by this section shall be made after the law enforcement agency determines that the notification will not compromise the investigation and notifies the person required to give notice in writing.
   4.  For purposes of this section, notification to the consumer may be provided by one of the following methods:
   a.  Written notice.
   b.  Electronic notice if the person's customary method of communication with the consumer is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in chapter 554D and the federal Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001.
   c.  Substitute notice, if the person demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of consumers to be notified exceeds three hundred fifty thousand persons, or if the person does not have sufficient contact information to provide notice.  Substitute notice shall consist of the following:
   (1)  Electronic mail notice when the person has an electronic mail address for the affected consumers.
   (2)  Conspicuous posting of the notice or a link to the notice on the internet web site of the person if the person maintains an internet web site.
   (3)  Notification to major statewide media.
   5.  Notice pursuant to this section shall include, at a minimum, all of the following:
   a.  A description of the breach of security.
   b.  The approximate date of the breach of security.
   c.  The type of personal information obtained as a result of the breach of security.
   d.  Contact information for consumer reporting agencies.
   e.  Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general.
   6.  Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of harm to the consumers whose personal information has been acquired has resulted or will result from the breach.  Such a determination must be documented in writing and the documentation must be maintained for five years.
   7.  This section does not apply to any of the following:
   a.  A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person's primary or functional federal regulator.
   b.  A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.
   c.  A person who is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801-6809.
   8.  a.  A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by the violation.
   b.  The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under the law.
                          EXPLANATION
   This bill provides for the notification of a breach in the security of computerized data of personal information.
   The bill requires a person who owns, maintains, or otherwise possesses computerized data that includes personal information to provide notice of any breach of the person's security of the data to those residents of this state whose personal information was or may have been acquired by an unauthorized person.  The bill also requires a person who maintains computerized data that includes personal information that the person does not own to notify the owner of the data of any breach in the security of the data.  A "person" is defined in the bill to include persons that conduct business in this state and state agencies.  The notice shall be provided immediately unless a law enforcement agency determines that the notification will impede a criminal investigation.  The notice may be made in writing, through electronic means, or by substitute notice, as defined in the bill, and must contain information regarding a description of the breach of security, the approximate date of the breach, the type of personal information obtained, contact information for consumer reporting agencies, and consumer reporting advice.
   The bill provides that notification will not be required if an investigation or consultation with law enforcement agencies determines that no reasonable likelihood of harm has or will result from the breach, and that the bill's provisions do not apply to persons complying with specified requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements as provided pursuant to the bill.
   The bill provides that a violation of the bill is an unlawful practice pursuant to Code section 714.16, and, in addition, the attorney general may bring a civil action on behalf of an injured person.