Senate File 2391 - Introduced

SENATE FILE 2391
BY COMMITTEE ON STATE GOVERNMENT
(SUCCESSOR TO SF 2080)

A BILL FOR

An Act prohibiting the state and political subdivisions of the state from expending public moneys for payment to persons responsible for ransomware attacks.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5609SV (2) 88 ja/rn

Section 1. Section 8B.4, Code 2020, is amended by adding the following new subsection:

NEW SUBSECTION. 17A. Authorize the state or a political subdivision of the state to expend public moneys for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack pursuant to section 8H.2.

Sec. 2. NEW SECTION. 8H.1 Definitions.

As used in this chapter, unless the context otherwise requires:

1. “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

2. “Political subdivision” means a city, county, township, or school district.

3. “Ransomware attack” means carrying out until payment is made, or threatening to carry out until payment is made, any of the following actions:

a. An act declared unlawful pursuant to section 715.4.

b. A “breach of security” as defined in section 715C.1.

c. The use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.

Sec. 3. NEW SECTION. 8H.2 Public moneys —— prohibition —— ransomware —— confidential records.

1. Except as provided in subsection 2, the state or a political subdivision of the state shall not expend public moneys for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

2. Notwithstanding subsection 1, the office of the chief information officer may authorize the state or a political subdivision of the state to expend public moneys for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack in the event of a critical or emergency situation as determined by the department of homeland security and emergency management created in section 29C.5.

3. Information related to a political subdivision’s insurance coverage for cybersecurity or a ransomware attack shall be considered confidential records under section 22.7.

Sec. 4. LEGISLATIVE INTENT. It is the intent of the general assembly that the state and the political subdivisions of the state have tested cybersecurity mitigation plans and policies.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill prohibits the state and a political subdivision of the state from expending public moneys for payment to persons responsible for ransomware attacks.

The bill defines “encryption” as the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key. The bill defines “political subdivision” as a city, county, township, or school district. The bill defines “ransomware attack” to mean carrying out until payment is made, or threatening to carry out until payment is made, any of the following: an act declared unlawful pursuant to Code section 715.4; a “breach of security” as defined in Code section 715C.1; or the use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.

The bill provides that the state and a political subdivision of the state shall not expend public moneys for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

The bill allows the office of the chief information officer to authorize such expenditures in the event of a critical or emergency situation as determined by the department of homeland security and emergency management. The bill provides that information related to a political subdivision’s insurance coverage for cybersecurity or ransomware attack shall be considered confidential records under Code section 22.7.

The bill includes a legislative intent section, which provides that it is the intent of the general assembly that the state and political subdivisions of the state have tested cybersecurity mitigation plans and policies.