Senate File 2391 - Introduced

SENATE FILE 2391
BY COMMITTEE ON STATE GOVERNMENT
(SUCCESSOR TO SF 2080)

A BILL FOR

An Act prohibiting the state and political subdivisions of the state from expending public moneys for payment to persons responsible for ransomware attacks.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5609SV (2) 88
ja/rn

S.F. 2391

Section 1. Section 8B.4, Code 2020, is amended by adding the following new subsection:

NEW SUBSECTION. 17A. Authorize the state or a political subdivision of the state to expend public moneys for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack pursuant to section 8H.2.

Sec. 2. NEW SECTION. 8H.1 Definitions.

As used in this chapter, unless the context otherwise requires:

1. “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

2. “Political subdivision” means a city, county, township, or school district.

3. “Ransomware attack” means carrying out until payment is made, or threatening to carry out until payment is made, any of the following actions:

a. An act declared unlawful pursuant to section 715.4.

b. A “breach of security” as defined in section 715C.1.

c. The use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.

Sec. 3. NEW SECTION. 8H.2 Public moneys —— prohibition —— ransomware —— confidential records.

1. Except as provided in subsection 2, the state or a political subdivision of the state shall not expend public moneys for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

2. Notwithstanding subsection 1, the office of the chief information officer may authorize the state or a political subdivision of the state to expend public moneys for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack in the event of a critical or emergency situation as determined by the department of homeland security and emergency management created in section 29C.5.

3. Information related to a political subdivision’s insurance coverage for cybersecurity or a ransomware attack shall be considered confidential records under section 22.7.

Sec. 4. LEGISLATIVE INTENT. It is the intent of the general assembly that the state and the political subdivisions of the state have tested cybersecurity mitigation plans and policies.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill prohibits the state and a political subdivision of the state from expending public moneys for payment to persons responsible for ransomware attacks.

The bill defines “encryption” as the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key. The bill defines “political subdivision” as a city, county, township, or school district. The bill defines “ransomware attack” to mean carrying out until payment is made, or threatening to carry out until payment is made, any of the following: an act declared unlawful pursuant to Code section 715.4; a “breach of security” as defined in Code section 715C.1; or the use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.

The bill provides that the state and a political subdivision of the state shall not expend public moneys for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack. The bill allows the office of the chief information officer to authorize such expenditures in the event of a critical or emergency situation as determined by the department of homeland security and emergency management. The bill provides that information related to a political subdivision’s insurance coverage for cybersecurity or ransomware attack shall be considered confidential records under Code section 22.7.

The bill includes a legislative intent section, which provides that it is the intent of the general assembly that the state and political subdivisions of the state have tested cybersecurity mitigation plans and policies.