Senate File 2259 - Introduced

SENATE FILE 2259
BY COMMITTEE ON JUDICIARY
(SUCCESSOR TO SSB 3040)

A BILL FOR

An Act modifying provisions applicable to personal information security breach notification requirements, and making penalties applicable.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5294SV (2) 85 rn/nh

S.F. 2259

Section 1. Section 715C.1, subsection 1, Code 2014, is amended to read as follows:

1. “Breach of security” means unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. “Breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form. Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.

Sec. 2. Section 715C.1, subsection 11, unnumbered paragraph 1, Code 2014, is amended to read as follows:

“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security:

Sec. 3. Section 715C.2, Code 2014, is amended to read as follows:

715C.2 Security breach —— consumer notification requirements —— remedies.

1. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to any consumer whose personal information was included in the information that was breached. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection 3, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.

2. Any person who maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer’s personal information was included in the information that was breached.

3. The consumer notification requirements of this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the agency has made a written request that the notification be delayed. The notification required by this section shall be made after the law enforcement agency determines that the notification will not compromise the investigation and notifies the person required to give notice in writing.

4. For purposes of this section, notification to the consumer may be provided by one of the following methods:

a. Written notice to the last available address the person has in the person’s records.

b. Electronic notice if the person’s customary method of communication with the consumer is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in chapter 554D and the federal Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001.

c. Substitute notice, if the person demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of consumers to be notified exceeds three hundred fifty thousand persons, or if the person does not have sufficient contact information to provide notice. Substitute notice shall consist of the following:

(1) Electronic mail notice when the person has an electronic mail address for the affected consumers.

(2) Conspicuous posting of the notice or a link to the notice on the internet site of the person if the person maintains an internet site.

(3) Notification to major statewide media.

5. Notice pursuant to this section shall include, at a minimum, all of the following:

a. A description of the breach of security.

b. The approximate date of the breach of security.

c. The type of personal information obtained as a result of the breach of security.

d. Contact information for consumer reporting agencies.

e. Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general.

6. Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.

7. This section does not apply to any of the following:

a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator.

b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.

c. A person who is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801–6809.

8. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred persons pursuant to this section shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general within three business days after giving notice of the breach of security to any consumer pursuant to this section.

8. 9. a. A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by the violation.

b. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under the law.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to notification requirements applicable to security breaches involving consumer personal information contained in Code chapter 715C.

The bill includes within the definition of a “breach of security” the unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form. The bill modifies the definition of “personal information” to add that designated data elements relating to the individual constitute personal information if they are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through a security breach.

The bill also requires a person subject to the Code chapter’s consumer notification requirements who was subject to a breach of security requiring notification of more than 500 persons to give written notice of the breach to the director of the consumer protection division of the office of the attorney general. The notice must be given within three business days after giving notice of the breach to an impacted consumer.

Existing penalty provisions regarding unlawful practice and damages for violations of the consumer notification requirements would be applicable to the failure to provide notice of a breach of security as specified in the bill.