Senate File 2308 - Introduced

SENATE FILE
BY COMMITTEE ON COMMERCE
(SUCCESSOR TO SSB 3200)

A BILL FOR

An Act relating to identity theft by providing for the notification of a breach in the security of computerized data that includes personal information, and providing penalties.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 6517SV 82
rn/nh/8

Section 1. NEW SECTION. 715C.1 DEFINITIONS.

As used in this chapter, unless the context otherwise requires:

1. "Breach of security" means unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information maintained by the person. Good faith acquisition of personal information by a person or that person's employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.

2. "Consumer" means an individual who is a resident of this state.

3. "Consumer reporting agency" means the same as defined by the federal Fair Credit Reporting Act, 15 U.S.C. § 1681a.

4. "Debt" means the same as provided in section 537.7102.

5. "Encryption" means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

6. "Extension of credit" means the right to defer payment of debt or to incur debt and defer its payment offered or granted primarily for personal, family, or household purposes.

7. "Financial institution" means the same as defined in section 536C.2, subsection 6.

8. "Identity theft" means the same as provided in section 715A.8.

9. "Payment card" means the same as defined in section 715A.10, subsection 3, paragraph "b".

10. "Person" means an individual; corporation; business trust; estate; trust; partnership; limited liability company; association; joint venture; government; governmental subdivision, agency, or instrumentality; public corporation; or any other legal or commercial entity.

11. "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if neither the name nor the data elements are encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:
a. Social security number.
b. Driver's license number or other unique identification number created or collected by a government body.
c. Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
d. Unique electronic identifier or routing code, in combination with any required security code, access code, or password.
e. Biometric identifier.

12. "Redacted" means altered or truncated so that no more than the last four digits of a social security number or other numbers designated in section 715A.8, subsection 1, paragraph "a", is accessible as part of the data.

Sec. 2. NEW SECTION. 715C.2 SECURITY BREACH - CONSUMER NOTIFICATION - REMEDIES.

1. Any person who owns, maintains, or otherwise possesses data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation, or volunteer activities and who was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to any consumer whose personal information was included in the information that was breached. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection 3, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.

2. Any person who maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer's personal information was included in the information that was breached.

3. The consumer notification requirements of this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the agency has made a written request that the notification be delayed. The notification required by this section shall be made after the law enforcement agency determines that the notification will not compromise the investigation and notifies the person required to give notice in writing.

4. For purposes of this section, notification to the consumer may be provided by one of the following methods:
a. Written notice.
b. Electronic notice if the person's customary method of communication with the consumer is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in chapter 554D and the federal Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001.
c. Substitute notice, if the person demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of consumers to be notified exceeds three hundred fifty thousand persons, or if the person does not have sufficient contact information to provide notice. Substitute notice shall consist of the following:
(1) Electronic mail notice when the person has an electronic mail address for the affected consumers.
(2) Conspicuous posting of the notice or a link to the notice on the internet web site of the person if the person maintains an internet web site.
(3) Notification to major statewide media.

5. Notice pursuant to this section shall include, at a minimum, all of the following:
a. A description of the breach of security.
b. The approximate date of the breach of security.
c. The type of personal information obtained as a result of the breach of security.
d. Contact information for consumer reporting agencies.
e. Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general.

6. Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.

7. This section does not apply to any of the following:
a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person's primary or functional federal regulator.
b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.
c. A person who is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801-6809.

8. a. A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by the violation.
b. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under the law.

EXPLANATION

This bill provides for the notification of a breach in the security of computerized data of personal information.

The bill requires a person who owns, maintains, or otherwise possesses computerized data that includes personal information to provide notice of any breach of the person's security of the data to those residents of this state whose personal information was or may have been acquired by an unauthorized person. The bill also requires a person who maintains computerized data that includes personal information that the person does not own to notify the owner of the data of any breach in the security of the data. A "person" is defined in the bill to include persons that conduct business in this state and state agencies. The notice shall be provided immediately unless a law enforcement agency determines that the notification will impede a criminal investigation. The notice may be made in writing, through electronic means, or by substitute notice, as defined in the bill, and must contain information regarding a description of the breach of security, the approximate date of the breach, the type of personal information obtained, contact information for consumer reporting agencies, and consumer reporting advice.

The bill provides that notification will not be required if an investigation or consultation with law enforcement agencies determines that no reasonable likelihood of harm has or will result from the breach, and that the bill's provisions do not apply to persons complying with specified requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements as provided pursuant to the bill.

The bill provides that a violation of the bill is an unlawful practice pursuant to Code section 714.16, and, in addition, the attorney general may bring a civil action on behalf of an injured person.