House File 2423 - Introduced
HOUSE FILE 2423
BY COMMITTEE ON JUDICIARY
(SUCCESSOR TO HSB 622)
A BILL FOR
An Act relating to consumer protection modifying provisions applicable to consumer security freezes and personal information security breach protection.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
TLSB 6148HV (6) 87 gh/rn
Section 1. Section 714G.2, Code 2018, is amended to read as follows:
714G.2 Security freeze.
1. A consumer may submit by certified mail to a consumer reporting agency a written request for a security freeze to a consumer reporting agency by first-class mail, telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method. The consumer must submit proper identification and the applicable fee with the request. Within five three business days after receiving the request, the consumer reporting agency shall commence the security freeze. Within ten three business days after commencing the security freeze, the consumer reporting agency shall send a written confirmation to the consumer of the security freeze, a personal identification number or password, other than the consumer’s social security number, for the consumer to use in authorizing the suspension or removal of the security freeze, including information on how the security freeze may be temporarily suspended.
2. a. If a consumer requests a security freeze from a consumer reporting agency that compiles and maintains files on a nationwide basis, the consumer may request to have the security freeze applied to any other consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.
b. For purposes of this subsection, “consumer reporting agency that compiles and maintains files on a nationwide basis” means the same as defined in 15 U.S.C. §1681a(p).
Sec. 2. Section 714G.3, subsection 1, Code 2018, is amended to read as follows:
1. A consumer may request that a security freeze be temporarily suspended to allow the consumer reporting agency to release the consumer credit report for a specific time period.
The consumer reporting agency may shall develop procedures to expedite the receipt and processing of requests which may
involve the use of telephones by first-class mail, telephone, facsimile transmissions, the secure internet connection, secure electronic mail, or other secure electronic media contact method. The consumer reporting agency shall comply with the request within three business days after receiving the consumer’s written request, or within fifteen minutes after the consumer’s request is received by the consumer reporting agency through facsimile, the secure internet connection, secure electronic mail, or other secure electronic contact method chosen by the consumer reporting agency, or the use of a telephone, during normal business hours. The consumer’s request shall include all of the following:
a. Proper identification.
b. The personal identification number or password provided by the consumer reporting agency.
c. Explicit instructions of the specific time period designated for suspension of the security freeze.
d. Payment of the applicable fee.
Sec. 3. Section 714G.4, unnumbered paragraph 1, Code 2018, is amended to read as follows:
A security freeze remains in effect until the consumer requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days after receiving a request for removal that includes proper identification of the consumer, and the personal identification number or password provided by the consumer reporting agency, and payment of the applicable fee.
Sec. 4. Section 714G.5, Code 2018, is amended to read as follows:
714G.5 Fees prohibited.
1. A consumer reporting agency shall not charge any fee to a consumer who is the victim of identity theft for commencing a security freeze, temporary suspension, or removal if with the initial security freeze request, the consumer submits a valid copy of the police report concerning the unlawful use of
identification information by another person.
2. A consumer reporting agency may charge a fee not to exceed ten dollars to a consumer who is not the victim of identity theft for each security freeze, removal, or for reissuing a personal identification number or password if the consumer fails to retain the original number. The consumer reporting agency may charge a fee not to exceed twelve dollars for each temporary suspension of a security freeze.
A consumer reporting agency shall not charge a fee to a consumer for providing any service pursuant to this chapter, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze.
Sec. 5. Section 714G.8A, subsection 1, paragraph d, Code 2018, is amended by striking the paragraph.
Sec. 6. Section 714G.8A, subsection 3, paragraph d, Code 2018, is amended by striking the paragraph.
Sec. 7. Section 714G.8A, subsection 5, Code 2018, is amended to read as follows:
5. a. A consumer reporting agency may shall not charge a reasonable fee, not to exceed five dollars, for each the placement, or removal, or reinstatement of a protected consumer security freeze. A consumer reporting agency may not charge any other fee for a service performed pursuant to this section.
b. Notwithstanding paragraph “a”, a fee may not be charged by a consumer reporting agency pursuant to either of the following:
(1) If the protected consumer’s representative has obtained a police report or affidavit of alleged identity theft under section 715A.8 and submits a copy of the report or affidavit to the consumer reporting agency.
(2) A request for the commencement or removal of a protected consumer security freeze is for a protected consumer who is under the age of sixteen years at the time of the request and the consumer reporting agency has a consumer credit report pertaining to the protected consumer.
Sec. 8. Section 715C.1, subsections 1 and 5, Code 2018, are amended to read as follows:
1. “Breach of security” means unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. “Breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.
5. “Encryption” means the use of an algorithmic process pursuant to accepted industry standards to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.
Sec. 9. Section 715C.2, subsections 7 and 8, Code 2018, are amended to read as follows:
7. This section does not apply to any of the following:
a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator.
b.
A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of
security or personal information than that provided by this section.
c. A person who is subject to and complies with regulations promulgated pursuant to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 – 6809.
d. A person who is subject to and complies with regulations promulgated pursuant to Tit. II, subtit. F of the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §1320d – 1320d-9, and Tit. XIII, subtit. D of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 – 17954.
8. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred residents of this state pursuant to this section shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer pursuant to this section.
EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.
This bill relates to consumer security freezes and personal information security breach protection.
Current law permits a consumer to submit a request for a security freeze via certified mail. The bill expands the methods permitted for a consumer to submit a request for a security freeze to allow such requests to be submitted via first-class mail, telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method.
The bill reduces the number of days by which a consumer reporting agency must commence a security freeze after receiving a request from five to three business days. The bill also reduces the number of days by which a consumer reporting agency must send written confirmation to a consumer after commencing a security freeze from ten to three business days.
The bill provides that if a consumer requests a security freeze from a consumer reporting agency that compiles and maintains files on a nationwide basis, as defined in the bill, the consumer may request to have the security freeze applied to any other similar consumer reporting agency.
The bill requires consumer reporting agencies to develop procedures to expedite the receipt and processing of security freeze suspension requests received via the same methods permitted for consumers to submit such requests. The bill requires a consumer reporting agency to commence a security freeze suspension within 15 minutes after receiving a request through telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method.
The bill prohibits consumer reporting agencies from charging fees to consumers for providing any service pursuant to Code chapter 714G, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze. The bill also prohibits consumer reporting agencies from charging fees for placing or removing a protected consumer security freeze pursuant to Code section 714G.8A. The bill removes several references to payment of fees in Code chapter 714G.
The bill also modifies various provisions relating to personal information security breach protection in Code chapter 715C. The bill expands the definition of “breach of security” to include the reasonable belief of unauthorized acquisition of personal information.
However, the bill removes the unauthorized acquisition of personal information that was transferred from computerized form to another medium from
the definition of “breach of security”. The definition of “encryption” is modified to mean the use of an algorithmic process pursuant to accepted industry standards.
The bill exempts from the consumer notification requirements persons who are subject to and comply with specified federal health information laws.
Current law requires a person who owns or licenses personal information that is subject to a breach of security requiring notification to more than 500 consumers in the state, as required by Code section 715C.2, to give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the security breach to any consumer. The bill removes language stating that a person give such written notice following the discovery of the breach or receipt of notification.