House File 335 - Introduced

HOUSE FILE
BY BAILEY

Passed House, Date Passed Senate, Date
Vote: Ayes Nays Vote: Ayes Nays
Approved

A BILL FOR

An Act relating to the privacy of social security numbers and other personal information in public records, providing remedies, and making penalties applicable.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 1933HH 83
rh/rj/24

Section 1. NEW SECTION. 22.21 SOCIAL SECURITY NUMBERS IN PUBLIC RECORDS.

1. To the greatest extent feasible, a government body shall not disclose a person's social security number unless the disclosure is authorized by law.

2. A government body shall make reasonable efforts to exclude social security numbers from public records, as follows:
a. Exclude social security numbers on licenses, permits, and other documents that may be readily observed by the public.
b. Give individuals the option not to submit a social security number to the government body.
c. Make any other efforts to prevent social security numbers from being included in public records and to protect such numbers from disclosure.

3. If a public record contains a social security number, the government body shall determine a method to redact the social security number prior to releasing the record if such redaction does not materially affect the value of the public record and is permitted by law. The redaction of a social security number from a public record shall not delay public access to the public record except for the time required to perform the actual redaction. As used in this subsection, "redact" means to render the social security number unreadable or truncated so that no more than the last four digits of the social security number may be accessed as part of the record.

4. This section shall not prohibit a government body from lawfully obtaining a person's social security number.

5. A government body that solicits information containing a person's social security number or that is the lawful custodian of public records containing social security numbers shall, if subject to chapter 17A, adopt rules or, if a political subdivision or other public body, adopt guidelines to administer the use and disclosure of social security numbers consistent with this section.

Sec. 2. NEW SECTION. 22.22 PERSONAL INFORMATION -- BREACH OF SECURITY -- NOTICE.

1. As used in this section:
a. "Breach of security" means the unauthorized access to or acquisition of personal information that compromises the security, confidentiality, or integrity of such personal information. The unauthorized disclosure of personal information subsequent to a good faith, authorized access or acquisition of personal information constitutes a breach of security.
b. "Personal information" means a person's first name or first initial and last name in combination with any one or more of the following data elements that relate to the person if neither the name nor the data elements are encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:
(1) Social security number.
(2) Driver's license number or other unique identification number created or collected by a government body.
(3) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a person's financial account.
(4) Unique electronic identifier or routing code, in combination with any required security code, access code, or password.
(5) Unique biometric data, such as a fingerprint, voice print, retina or iris image, or other unique physical representation.

2. When the government body that collects, maintains, or possesses a public record containing personal information has reason to believe that a breach of security may occur or has occurred, the government body shall promptly investigate to determine whether personal information has been or may be used for an unauthorized purpose. If the government body finds that such use has occurred or is likely to occur, the government body shall give notice of the breach of security to each affected person pursuant to this section. Notice shall be made as soon as possible, consistent with the legitimate needs of law enforcement as provided in subsection 3.

3. If requested by a law enforcement agency, the government body shall delay giving notice if notice may impede a criminal investigation or jeopardize national security. The request by a law enforcement agency shall be in writing or documented in writing by the government body. The written request shall include the name of the law enforcement officer making the request and the name of the officer's law enforcement agency that is engaged in the investigation. After the law enforcement agency notifies the government body that notice of the breach of security will no longer impede investigation or national security, the government body shall give notice to the affected persons without unreasonable delay.

4. The notice shall include, in a clear and conspicuous manner, the following:
a. The incident causing the breach of security.
b. The type of personal information compromised by the breach of security.
c. The acts taken by the government body to remedy the breach of security.
d. If available, a telephone number that the person may call for further information and assistance.
e. A statement advising the person to vigilantly review account statements and monitor the person's credit report.

5. The government body shall provide notice using one of the following methods:
a. Written notice to the last available address of record.
b. Electronic mail notice, if the recipient has agreed to receive communications electronically and the notice complies with chapter 554D and 15 U.S.C. § 7001 et seq.
c. Telephonic notice, if contact is made directly with the affected person.
d. Substitute notice, if the government body determines that the cost of providing notice under paragraphs "a" through "c" exceeds twenty-five thousand dollars, the number of persons to be notified exceeds fifty thousand, or the government body does not have sufficient contact information needed to provide notice under paragraphs "a" through "c", as follows:
(1) Electronic mail notice.
(2) Conspicuous notice posted on the government body's internet site, if available.
(3) Notification to major statewide media.

6. Notwithstanding the notice requirements of this section, a government body that has developed its own notification procedures for a breach of security and timely complies with such procedures is deemed to be in compliance with this section.

Sec. 3. NEW SECTION. 22.23 REMEDIES FOR PRIVACY VIOLATIONS.

1. Any person who is injured by a violation of section 22.21 or 22.22 may institute a civil action to recover actual damages, court costs, interest, and attorney fees and to seek judicial enforcement of the requirements of section 22.21 or 22.22 in an action brought against the government body and any other persons who would be appropriate defendants under the circumstances. The attorney general or any county attorney may seek judicial enforcement of section 22.21 or 22.22. Suits shall be brought in the district court for the county in which the government body has its principal place of business.

2. The rights and remedies available under this section are cumulative to any other rights and remedies available by law.

Sec. 4. Sections 22.3A, subsection 2, unnumbered paragraph 1; 22.3A, subsection 2, paragraph "a"; 22.7, subsections 27, 31, and 35; section 22.7, subsection 52, paragraph "c"; 22.8, subsections 3 and 4; and 22.10; Code 2009, are amended by striking from the applicable section, subsection, or paragraph the word "chapter" and inserting in lieu thereof the following: "subchapter".

Sec. 5. CODE EDITOR DIRECTIVE. The Code editor shall to the extent possible establish the following subchapters in chapter 22:
1. Subchapter I, entitled "definitions", shall be comprised of section 22.1.
2. Subchapter II, entitled "access to public records", shall be comprised of sections 22.2 through 22.14.
3. Subchapter III, entitled "privacy", shall be comprised of sections 22.21 through 22.23.

EXPLANATION

This bill amends the "Open Records Act", Code chapter 22, as follows:

1. New Code section 22.21. While government bodies may lawfully obtain a person's social security number, the bill specifically directs government bodies not to disclose a person's social security number and to take steps to exclude social security numbers from public records. For social security numbers contained in public records, the bill requires the government body to redact such numbers prior to the public's access to that record. The bill further directs the government body to adopt rules or guidelines, as appropriate, to administer the use and disclosure of social security numbers.

2. New Code section 22.22. The bill provides that if the security of personal information, as defined, is breached by the unauthorized access to or acquisition of such information, the government body shall investigate the breach to determine whether personal information has been or may be used for an unauthorized purpose. If such use has occurred or is likely to occur, the government body is required to give notice, consistent with law enforcement needs, to each affected person. The bill outlines the information required in the notice and the methods for accomplishing notice. A government body that has its own notice procedures may use such procedures in lieu of the bill's notice requirement.

3. New Code section 22.23. The bill provides remedies to enforce the requirements of and provide redress for violations of Code sections 22.21 and 22.22, above. Existing enforcement and penalty provisions in Code sections 22.5 and 22.6, respectively, will also apply to redress violations of Code sections 22.21 and 22.22.

4. The bill includes a Code editor directive to create subchapters in Code chapter 22.

The following Code sections are amended by striking from the applicable section, subsection, or paragraph the word "chapter" and inserting in lieu thereof the word "subchapter":
1. Code section 22.3A, subsection 2, concerning access and fees for access to public records which are combined with a government body's data processing software.
2. Code section 22.7, subsections 27, 31, 35, and subsection 52, paragraph "c", identifying various public records that are to be kept confidential.
3. Code section 22.8, subsections 3 and 4, pertaining to actions to restrain the examination of a public record and grounds for reasonable delay by a lawful custodian in permitting access to a public record.
4. Code section 22.10 pertaining to civil enforcement actions when a lawful custodian has refused to give access to public records in violation of the open records Act.

"Chapter" is the appropriate word in the following Code sections as such Code sections would apply to the entire chapter:
1. Code section 22.4 concerning the office hours of the lawful custodian of public records.
2. Code section 22.5 concerning enforcement of the rights of persons by mandamus or injunction.
3. Code section 22.6 concerning the imposition of a criminal penalty for knowing violations or attempts to violate any provision of Code chapter 22 (simple misdemeanor).
4. Code section 22.9 providing that if federal funds or services would be denied because of a provision of Code chapter 22, the provision must be suspended only to the extent necessary.

LSB 1933HH 83
rh/rj/24