House File 335 - Introduced
HOUSE FILE
BY BAILEY
A BILL FOR
1 An Act relating to the privacy of social security numbers and
2 other personal information in public records, providing
3 remedies, and making penalties applicable.
4 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
5 TLSB 1933HH 83
6 rh/rj/24
PAG LIN
1 1 Section 1. NEW SECTION. 22.21 SOCIAL SECURITY NUMBERS IN
1 2 PUBLIC RECORDS.
1 3 1. To the greatest extent feasible, a government body
1 4 shall not disclose a person's social security number unless
1 5 the disclosure is authorized by law.
1 6 2. A government body shall make reasonable efforts to
1 7 exclude social security numbers from public records, as
1 8 follows:
1 9 a. Exclude social security numbers on licenses, permits,
1 10 and other documents that may be readily observed by the
1 11 public.
1 12 b. Give individuals the option not to submit a social
1 13 security number to the government body.
1 14 c. Make any other efforts to prevent social security
1 15 numbers from being included in public records and to protect
1 16 such numbers from disclosure.
1 17 3. If a public record contains a social security number,
1 18 the government body shall determine a method to redact the
1 19 social security number prior to releasing the record if such
1 20 redaction does not materially affect the value of the public
1 21 record and is permitted by law. The redaction of a social
1 22 security number from a public record shall not delay public
1 23 access to the public record except for the time required to
1 24 perform the actual redaction. As used in this subsection,
1 25 "redact" means to render the social security number unreadable
1 26 or truncated so that no more than the last four digits of the
1 27 social security number may be accessed as part of the record.
1 28 4. This section shall not prohibit a government body from
1 29 lawfully obtaining a person's social security number.
1 30 5. A government body that solicits information containing
1 31 a person's social security number or that is the lawful
1 32 custodian of public records containing social security numbers
1 33 shall, if subject to chapter 17A, adopt rules or, if a
1 34 political subdivision or other public body, adopt guidelines
1 35 to administer the use and disclosure of social security
2 1 numbers consistent with this section.
2 2 Sec. 2. NEW SECTION. 22.22 PERSONAL INFORMATION —
2 3 BREACH OF SECURITY — NOTICE.
2 4 1. As used in this section:
2 5 a. "Breach of security" means the unauthorized access to
2 6 or acquisition of personal information that compromises the
2 7 security, confidentiality, or integrity of such personal
2 8 information. The unauthorized disclosure of personal
2 9 information subsequent to a good faith, authorized access or
2 10 acquisition of personal information constitutes a breach of
2 11 security.
2 12 b. "Personal information" means a person's first name or
2 13 first initial and last name in combination with any one or
2 14 more of the following data elements that relate to the person
2 15 if neither the name nor the data elements are encrypted,
2 16 redacted, or otherwise altered by any method or technology in
2 17 such a manner that the name or data elements are unreadable:
2 18 (1) Social security number.
2 19 (2) Driver's license number or other unique identification
2 20 number created or collected by a government body.
2 21 (3) Account number, credit card number, or debit card
2 22 number, in combination with any required security code, access
2 23 code, or password that would permit access to a person's
2 24 financial account.
2 25 (4) Unique electronic identifier or routing code, in
2 26 combination with any required security code, access code, or
2 27 password.
2 28 (5) Unique biometric data, such as a fingerprint, voice
2 29 print, retina or iris image, or other unique physical
2 30 representation.
2 31 2. When the government body that collects, maintains, or
2 32 possesses a public record containing personal information has
2 33 reason to believe that a breach of security may occur or has
2 34 occurred, the government body shall promptly investigate to
2 35 determine whether personal information has been or may be used
3 1 for an unauthorized purpose. If the government body finds
3 2 that such use has occurred or is likely to occur, the
3 3 government body shall give notice of the breach of security to
3 4 each affected person pursuant to this section. Notice shall
3 5 be made as soon as possible, consistent with the legitimate
3 6 needs of law enforcement as provided in subsection 3.
3 7 3. If requested by a law enforcement agency, the
3 8 government body shall delay giving notice if notice may impede
3 9 a criminal investigation or jeopardize national security. The
3 10 request by a law enforcement agency shall be in writing or
3 11 documented in writing by the government body. The written
3 12 request shall include the name of the law enforcement officer
3 13 making the request and the name of the officer's law
3 14 enforcement agency that is engaged in the investigation.
3 15 After the law enforcement agency notifies the government body
3 16 that notice of the breach of security will no longer impede
3 17 investigation or national security, the government body shall
3 18 give notice to the affected persons without unreasonable
3 19 delay.
3 20 4. The notice shall include, in a clear and conspicuous
3 21 manner, the following:
3 22 a. The incident causing the breach of security.
3 23 b. The type of personal information compromised by the
3 24 breach of security.
3 25 c. The acts taken by the government body to remedy the
3 26 breach of security.
3 27 d. If available, a telephone number that the person may
3 28 call for further information and assistance.
3 29 e. A statement advising the person to vigilantly review
3 30 account statements and monitor the person's credit report.
3 31 5. The government body shall provide notice using one of
3 32 the following methods:
3 33 a. Written notice to the last available address of record.
3 34 b. Electronic mail notice, if the recipient has agreed to
3 35 receive communications electronically and the notice complies
4 1 with chapter 554D and 15 U.S.C. § 7001 et seq.
4 2 c. Telephonic notice, if contact is made directly with the
4 3 affected person.
4 4 d. Substitute notice, if the government body determines
4 5 that the cost of providing notice under paragraphs "a" through
4 6 "c" exceeds twenty-five thousand dollars, the number of
4 7 persons to be notified exceeds fifty thousand, or the
4 8 government body does not have sufficient contact information
4 9 needed to provide notice under paragraphs "a" through "c", as
4 10 follows:
4 11 (1) Electronic mail notice.
4 12 (2) Conspicuous notice posted on the government body's
4 13 internet site, if available.
4 14 (3) Notification to major statewide media.
4 15 6. Notwithstanding the notice requirements of this
4 16 section, a government body that has developed its own
4 17 notification procedures for a breach of security and timely
4 18 complies with such procedures is deemed to be in compliance
4 19 with this section.
4 20 Sec. 3. NEW SECTION. 22.23 REMEDIES FOR PRIVACY
4 21 VIOLATIONS.
4 22 1. Any person who is injured by a violation of section
4 23 22.21 or 22.22 may institute a civil action to recover actual
4 24 damages, court costs, interest, and attorney fees and to seek
4 25 judicial enforcement of the requirements of section 22.21 or
4 26 22.22 in an action brought against the government body and any
4 27 other persons who would be appropriate defendants under the
4 28 circumstances. The attorney general or any county attorney
4 29 may seek judicial enforcement of section 22.21 or 22.22.
4 30 Suits shall be brought in the district court for the county in
4 31 which the government body has its principal place of business.
4 32 2. The rights and remedies available under this section
4 33 are cumulative to any other rights and remedies available by
4 34 law.
4 35 Sec. 4. Sections 22.3A, subsection 2, unnumbered paragraph
5 1 1; 22.3A, subsection 2, paragraph "a"; 22.7, subsections 27,
5 2 31, and 35; section 22.7, subsection 52, paragraph "c"; 22.8,
5 3 subsections 3 and 4; and 22.10; Code 2009, are amended by
5 4 striking from the applicable section, subsection, or paragraph
5 5 the word "chapter" and inserting in lieu thereof the
5 6 following: "subchapter".
5 7 Sec. 5. CODE EDITOR DIRECTIVE. The Code editor shall to
5 8 the extent possible establish the following subchapters in
5 9 chapter 22:
5 10 1. Subchapter I, entitled "definitions", shall be
5 11 comprised of section 22.1.
5 12 2. Subchapter II, entitled "access to public records",
5 13 shall be comprised of sections 22.2 through 22.14.
5 14 3. Subchapter III, entitled "privacy", shall be comprised
5 15 of sections 22.21 through 22.23.
5 16 EXPLANATION
5 17 This bill amends the "Open Records Act", Code chapter 22,
5 18 as follows:
5 19 1. New Code section 22.21. While government bodies may
5 20 lawfully obtain a person's social security number, the bill
5 21 specifically directs government bodies not to disclose a
5 22 person's social security number and to take steps to exclude
5 23 social security numbers from public records. For social
5 24 security numbers contained in public records, the bill
5 25 requires the government body to redact such numbers prior to
5 26 the public's access to that record. The bill further directs
5 27 the government body to adopt rules or guidelines, as
5 28 appropriate, to administer the use and disclosure of social
5 29 security numbers.
5 30 2. New Code section 22.22. The bill provides that if the
5 31 security of personal information, as defined, is breached by
5 32 the unauthorized access to or acquisition of such information,
5 33 the government body shall investigate the breach to determine
5 34 whether personal information has been or may be used for an
5 35 unauthorized purpose. If such use has occurred or is likely
6 1 to occur, the government body is required to give notice,
6 2 consistent with law enforcement needs, to each affected
6 3 person. The bill outlines the information required in the
6 4 notice and the methods for accomplishing notice. A government
6 5 body that has its own notice procedures may use such
6 6 procedures in lieu of the bill's notice requirement.
6 7 3. New Code section 22.23. The bill provides remedies to
6 8 enforce the requirements of and provide redress for violations
6 9 of Code sections 22.21 and 22.22, above. Existing enforcement
6 10 and penalty provisions in Code sections 22.5 and 22.6,
6 11 respectively, will also apply to redress violations of Code
6 12 sections 22.21 and 22.22.
6 13 4. The bill includes a Code editor directive to create
6 14 subchapters in Code chapter 22.
6 15 The following Code sections are amended by striking from
6 16 the applicable section, subsection, or paragraph the word
6 17 "chapter" and inserting in lieu thereof the word "subchapter":
6 18 1. Code section 22.3A, subsection 2, concerning access and
6 19 fees for access to public records which are combined with a
6 20 government body's data processing software.
6 21 2. Code section 22.7, subsections 27, 31, 35, and
6 22 subsection 52, paragraph "c", identifying various public
6 23 records that are to be kept confidential.
6 24 3. Code section 22.8, subsections 3 and 4, pertaining to
6 25 actions to restrain the examination of a public record and
6 26 grounds for reasonable delay by a lawful custodian in
6 27 permitting access to a public record.
6 28 4. Code section 22.10 pertaining to civil enforcement
6 29 actions when a lawful custodian has refused to give access to
6 30 public records in violation of the open records Act.
6 31 "Chapter" is the appropriate word in the following Code
6 32 sections as such Code sections would apply to the entire
6 33 chapter:
6 34 1. Code section 22.4 concerning the office hours of the
6 35 lawful custodian of public records.
7 1 2. Code section 22.5 concerning enforcement of the rights
7 2 of persons by mandamus or injunction.
7 3 3. Code section 22.6 concerning the imposition of a
7 4 criminal penalty for knowing violations or attempts to violate
7 5 any provision of Code chapter 22 (simple misdemeanor).
7 6 4. Code section 22.9 providing that if federal funds or
7 7 services would be denied because of a provision of Code
7 8 chapter 22, the provision must be suspended only to the extent
7 9 necessary.