House Study Bill 526 - Introduced
SENATE/HOUSE FILE _____
BY (PROPOSED ATTORNEY GENERAL BILL)

A BILL FOR
An Act modifying certain provisions relating to personal information security breach protection.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

LSB 5338DP (4) 87 gh/rn

S.F. _____ H.F. _____

Section 1. Section 715C.1, subsections 1, 5, and 11, Code 2018, are amended to read as follows:

1. “Breach of security” means unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information maintained in computerized any form, including but not limited to electronic or paper form, by a person that compromises the security, confidentiality, or integrity of the personal information. “Breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.

5. “Encryption” means the use of an one-hundred-twenty-eight-bit or higher algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

11. a. “Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security:
(1) Social security number.
(2) Driver’s license number or other unique identification number created or collected by a government body.
(3) Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account.
(4) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(5) Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
(6) Medical information, including but not limited to information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(7) Health insurance information, including but not limited to an individual’s health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer to identify an individual.
(8) Tax identification number.
b. “Personal information” also includes a financial account number, credit card number, or debit card number alone.
c. “Personal information” also includes an account username or electronic mail address, in combination with any required password or account security information that would permit access to an individual’s online account.
b. d. “Personal information” does not include information that is lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the general public.

Sec. 2. Section 715C.2, subsections 1, 6, 7, and 8, Code 2018, are amended to read as follows:

1. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to any consumer whose personal information was included in the information that was breached. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, but no later than forty-five days after the discovery of such breach of security or receipt of notification under subsection 2, consistent with the legitimate needs of law enforcement as provided in subsection 3, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.

6. a. Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.
b. In the event that notification is not required pursuant to this subsection, the person shall provide the written determination required in paragraph “a” to the director of the consumer protection division of the office of the attorney general within five business days after documenting such determination.

7. This section does Subsections 1 through 6 shall not apply to any of the following:
a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator.
b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.
c. A person who is subject to and complies with regulations promulgated pursuant to Tit. V of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801-6809.

8. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred residents of this state consumers pursuant to this section subsection 1 or any of the laws, rules, regulations, procedures, guidance, or guidelines set forth in subsection 7 shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer pursuant to this section. The written notice shall include the following:
a. A sample copy of any notification sent to consumers.
b. The approximate number of consumers affected or potentially affected by the breach of security.
c. A description of any services offered to consumers affected or potentially affected by the breach of security, and instructions as to how consumers may use such services.
d. The name, address, telephone number, and electronic mail address of an individual who may be contacted by the consumer protection division of the office of the attorney general for any additional information about the breach of security.
e. The federal employer identification number of the person, which the consumer protection division of the office of the attorney general may share with any state agency for the purpose of fraud detection. Notwithstanding chapter 22 or any other provision of law to the contrary, the federal employer identification number shall be maintained in a separate confidential file or other confidential medium.

EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill modifies various provisions relating to personal information security breach protection.

The bill makes several changes to the definitions listed in Code section 715C.1. The bill expands the definition of “breach of security” to include the reasonable belief of unauthorized acquisition of personal information, which may be in any form, including electronic or paper form. However, the bill removes the unauthorized acquisition of personal information that was transferred from computerized form to another medium from the definition of “breach of security”. The definition of “encryption” is modified to mean the use of a 128-bit or higher algorithmic process. The bill modifies the definition of “personal information” by providing that it may include a financial account number, credit card number, or debit card number alone. The bill also includes certain medical information, health insurance information, tax information, and electronic account information in the definition of “personal information”.

Current law requires a person who owns or licenses personal information that is subject to a breach of security to give notice to affected consumers in the most expeditious manner possible and without unreasonable delay. The bill provides that such notice to affected consumers must occur no later than 45 days after the discovery of the breach of security.

Current law provides that a person who owns or licenses personal information that is subject to breach of security does not need to provide notification of the security breach to affected consumers if the person makes a written determination that there is no reasonable likelihood of financial harm to affected consumers. The bill removes the term “financial”, allowing a person to refrain from providing notification if the person makes a written determination that there is no reasonable likelihood of harm to affected consumers. The bill also requires a person who makes such a determination to provide this written determination to the director of the consumer protection division of the office of the attorney general within five business days after documenting the determination.

Current law requires a person who owns or licenses personal information that is subject to a breach of security requiring notification to more than 500 consumers in the state, as required by Code section 715C.2, to give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general. The bill provides that written notification to the attorney general is also required for breaches of security where written notification to more than 500 consumers in the state is required by a person’s primary or functional federal regulator, a state or federal law that gives greater protection to personal information than provided in Code section 715C.2, or certain federal law. The bill also specifies that written notification to the attorney general must include a sample copy of any notification sent to consumers, the approximate number of affected or potentially affected consumers, a description of any services offered to affected consumers, contact information for an individual who may be contacted for additional information regarding the breach of security, and a federal employer identification number, which will be maintained in a confidential file.