House File 2302 - Introduced

HOUSE FILE 2302
BY COMMITTEE ON INFORMATION TECHNOLOGY
(SUCCESSOR TO HSB 555)

A BILL FOR

An Act relating to affirmative defenses for entities using cybersecurity programs.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5430HV (4) 89
cm/jh

H.F. 2302

Section 1. Section 554D.103, subsections 4, 5, 8, 9, and 16, Code 2022, are amended to read as follows:

4. “Contract” means the total legal obligation resulting from the parties’ agreement as affected by this chapter and other applicable law. “Contract” includes any contract secured through distributed ledger technology and a smart contract.

5. “Distributed ledger technology” means an electronic record of transactions or other data to which all of the following apply:
   a. The electronic record is uniformly ordered.
   b. The electronic record is redundantly maintained or processed by one or more computers or machines to guarantee the consistency or nonrepudiation of the recorded transactions or other data.

8. “Electronic record” means a record created, generated, sent, communicated, received, or stored by electronic means. “Electronic record” includes any record secured through distributed ledger technology.

9. “Electronic signature” means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record. “Electronic signature” includes a signature that is secured through distributed ledger technology.

16. “Smart contract” means an event-driven program or computerized transaction protocol that runs on a distributed, decentralized, shared, and replicated ledger that executes the terms of a contract. For purposes of this subsection, “executes the terms of a contract” may include taking custody over and instructing the transfer of assets.

Sec. 2. Section 554D.108, subsection 2, Code 2022, is amended to read as follows:

2. A contract shall not be denied legal effect or enforceability solely because an electronic record was used in its formation or because the contract is a smart contract or contains a smart contract provision.

Sec. 3. NEW SECTION. 554E.1 Definitions.

As used in this chapter:

1. “Account” means the same as defined in section 554.9102.

2. “Business” means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of any of the foregoing.

3. “Contract” means the same as defined in section 554D.103.

4. “Covered entity” means a business that accesses, receives, stores, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.

5. “Data breach” means an intentional or unintentional action that could result in electronic records owned, licensed to, or otherwise protected by a covered entity being viewed, copied, modified, transmitted, or destroyed in a manner that is reasonably believed to have or may cause material risk of identity theft, fraud, or other injury or damage to person or property. “Data breach” does not include any of the following:
   a. Good-faith acquisition of personal information or restricted information by the covered entity’s employee or agent for the purposes of the covered entity, provided that the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure.
   b. Acquisition or disclosure of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.

6. “Distributed ledger technology” means an electronic record of transactions or other data to which all of the following apply:
   a. The electronic record is uniformly ordered.
   b. The electronic record is redundantly maintained or processed by one or more computers or machines to guarantee the consistency or nonrepudiation of the recorded transactions or other data.

7. “Electronic” means the same as defined in section 554D.103.

8. “Electronic record” means the same as defined in section 554D.103.

9. “Encrypted” means the use of an algorithmic process to transform data into a form for which there is a low probability of assigning meaning without use of a confidential process or key.

10. “Individual” means a natural person.

11. “Maximum probable loss” means the greatest damage expectation that could reasonably occur from a data breach. For purposes of this subsection, “damage expectation” means the total value of possible damage multiplied by the probability that damage would occur.

12. a. “Personal information” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, social security number, driver’s license number or state identification card number, passport number, account number or credit or debit card number, location data, biometric data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.
   b. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or any of the following media that are widely distributed:
      (1) Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio, television, or the internet.
      (2) Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media identified in this paragraph.
      (3) Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit business.
      (4) Any type of media similar in nature to any item, entity, or activity identified in this paragraph.

13. “Record” means the same as defined in section 554D.103.

14. “Redacted” means altered, truncated, or anonymized so that, when applied to personal information, the data can no longer be attributed to a specific individual without the use of additional information.

15. “Restricted information” means any information about an individual, other than personal information, or business that, alone or in combination with other information, including personal information, can be used to distinguish or trace the identity of the individual or business, or that is linked or linkable to an individual or business, if the information is not encrypted, redacted, tokenized, or altered by any method or technology in such a manner that the information is anonymized, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.

16. “Smart contract” means an event-driven program or computerized transaction protocol that runs on a distributed, decentralized, shared, and replicated ledger that executes the terms of a contract. For purposes of this subsection, “executes the terms of a contract” may include taking custody over and instructing the transfer of assets.

17. “Transaction” means a sale, trade, exchange, transfer, payment, or conversion of virtual currency or other digital asset or any other property or any other action or set of actions occurring between two or more persons relating to the conduct of business, commercial, or governmental affairs.

Sec. 4. NEW SECTION. 554E.2 Distributed ledger technology —— ownership of information.

1. A record shall not be denied legal effect or enforceability solely because the record is created, generated, sent, communicated, received, recorded, or stored by means of distributed ledger technology or a smart contract.

2. A signature shall not be denied legal effect or enforceability solely because the signature is created, generated, sent, communicated, received, recorded, or stored by means of distributed ledger technology or a smart contract.

3. A contract shall not be denied legal effect or enforceability solely for any of the following:
   a. The contract is created, generated, sent, communicated, received, executed, signed, adopted, recorded, or stored by means of distributed ledger technology or a smart contract.
   b. The contract contains a smart contract term.
   c. An electronic record, distributed ledger technology, or smart contract was used in the contract’s formation.

4. A person who, in engaging in or affecting interstate or foreign commerce, uses distributed ledger technology to secure information that the person owns or has the right to use retains the same rights of ownership or use with respect to such information as before the person secured the information using distributed ledger technology. This subsection does not apply to the use of distributed ledger technology to secure information in connection with a transaction to the extent that the terms of the transaction expressly provide for the transfer of rights of ownership or use with respect to such information.

Sec. 5. NEW SECTION. 554E.3 Affirmative defenses.

1. A covered entity seeking an affirmative defense under this chapter shall create, maintain, and comply with a written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information and restricted information.

2. A covered entity’s cybersecurity program shall be designed to do all of the following:
   a. Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach.
   b. Periodically evaluate no less than annually the maximum probable loss attainable from a data breach.
   c. Communicate to any affected parties the extent of any risk posed and any actions the affected parties could take to reduce any damages if a data breach is known to have occurred.

3. The scale and scope of a covered entity’s cybersecurity program is appropriate if the cost to operate the cybersecurity program is no less than the covered entity’s most recently calculated maximum probable loss value.

4. a. A covered entity that satisfies all requirements of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.
   b. A covered entity satisfies all requirements of this section if its cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework, as described in section 554E.4.

Sec. 6. NEW SECTION. 554E.4 Cybersecurity program framework.

1. A covered entity’s cybersecurity program, as described in section 554E.3, reasonably conforms to an industry-recognized cybersecurity framework for purposes of section 554E.3 if any of the following are true:
   a. (1) The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to subparagraph (2) and subsection 2:
      (a) The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology.
      (b) National institute of standards and technology special publication 800-171.
      (c) National institute of standards and technology special publications 800-53 and 800-53a.
      (d) The federal risk and authorization management program security assessment framework.
      (e) The center for internet security critical security controls for effective cyber defense.
      (f) The international organization for standardization/international electrotechnical commission 27000 family —— information security management systems.
      (2) When a final revision to a framework listed in subparagraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the revised framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.
   b. (1) The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to subparagraph (2):
      (a) The security requirements of the federal Health Insurance Portability and Accountability Act of 1996, as set forth in 45 C.F.R. pt. 164, subpt. C.
      (b) Title V of the federal Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.
      (c) The federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.
      (d) The federal Health Information Technology for Economic and Clinical Health Act as set forth in 45 C.F.R. pt. 162.
      (2) When a framework listed in subparagraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the amended framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the effective date of the amended framework.
   c. (1) The cybersecurity program reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in paragraph “a”, subject to subparagraph (2) and subsection 2.
      (2) When a final revision to the payment card industry data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply the elements of its cybersecurity program with the revised standard within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.

2. If a covered entity’s cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry data security standard, as described in subsection 1, paragraph “a” or “c”, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform the elements of its cybersecurity program to or comply with, as applicable, all of the revised frameworks within the time frames provided in the relevant frameworks but in no event later than one year after the latest publication date stated in the revisions.

Sec. 7. NEW SECTION. 554E.5 Causes of actions.

This chapter shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under those sections.

Sec. 8. REPEAL. Section 554D.106A, Code 2022, is repealed.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to cybersecurity programs, affirmative defenses, and distributed ledger technology.

The bill provides that a record or signature shall not be denied legal effect because it is created or stored by means of distributed ledger technology or smart contract, as those terms are defined in the bill. The bill provides in new Code section 554E.2 that the ownership of the secure information remains with the person who provided the signature, not the distributed ledger technology owner, and repeals a similar provision in Code section 554D.106A.

The bill creates affirmative defenses for entities using cybersecurity programs and provides definitions. The bill provides that a covered entity seeking an affirmative defense must use a cybersecurity program for the protection of personal information and restricted information and the cybersecurity program must reasonably conform to an industry-recognized cybersecurity framework. A cybersecurity program must continually evaluate and mitigate reasonably anticipated threats, periodically evaluate the maximum probable loss attainable from a data breach, and communicate to affected parties the risk posed and actions the affected parties could take to reduce damages if a data breach has occurred. The scale and scope of a cybersecurity program is appropriate if the cost to operate the program is no less than the covered entity’s maximum probable loss value. A covered entity that satisfies these requirements and that reasonably conforms to an industry-recognized cybersecurity framework is entitled to an affirmative defense to a tort claim that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.

The bill details industry-recognized cybersecurity frameworks that the covered entity may follow and reasonably comply with in order to qualify for the affirmative defense.

The bill does not provide a private right of action, including a class action.