Senate File 2073 - Introduced

SENATE FILE 2073
BY NUNN

A BILL FOR

An Act providing for an affirmative defense to certain claims relating to personal information security breach protection.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5597XS (1) 88 ja/rn

Section 1. Section 715C.2, subsection 9, paragraph a, Code 2020, is amended to read as follows:

a. A violation of this chapter section is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by the violation.

Sec. 2. NEW SECTION. 715C.3 Affirmative defense for implementation of cyber security program.

1. It is an affirmative defense to any claim or action alleging that a person’s failure to implement reasonable security measures resulted in a breach of security, that the person established, maintained, and complied with a written cyber security program that conforms to current and accepted industry standards regarding cyber security and personal information security breach protection, including the national institute of standards and technology’s framework for improving critical infrastructure cyber security.

2. An affirmative defense under this section shall be established by a preponderance of the evidence.

3. This section shall not be construed to create a private right of action with respect to a breach of security.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill establishes an affirmative defense to any claim or action alleging that a person’s failure to implement security measures resulted in a breach of security that the person established, maintained, and complied with a cyber security program that conforms to current and accepted industry standards regarding cyber security, including the national institute of standards and technology’s framework for improving critical infrastructure cyber security.

The bill provides that an affirmative defense under the bill shall be established by a preponderance of the evidence. The bill also provides that it shall not be construed to create a private right of action with respect to personal information security breaches.