House File 2302 - Introduced

HOUSE FILE 2302
BY COMMITTEE ON INFORMATION TECHNOLOGY
(SUCCESSOR TO HSB 555)

A BILL FOR

An Act relating to affirmative defenses for entities using cybersecurity programs.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5430HV (4) 89
cm/jh

H.F. 2302

Section 1. Section 554D.103, subsections 4, 5, 8, 9, and 16, Code 2022, are amended to read as follows:

4. “Contract” means the total legal obligation resulting from the parties’ agreement as affected by this chapter and other applicable law. “Contract” includes any contract secured through distributed ledger technology and a smart contract.

5. “Distributed ledger technology” means an electronic record of transactions or other data to which all of the following apply:
a. The electronic record is uniformly ordered.
b. The electronic record is redundantly maintained or processed by one or more computers or machines to guarantee the consistency or nonrepudiation of the recorded transactions or other data.

8. “Electronic record” means a record created, generated, sent, communicated, received, or stored by electronic means. “Electronic record” includes any record secured through distributed ledger technology.

9. “Electronic signature” means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record. “Electronic signature” includes a signature that is secured through distributed ledger technology.

16. “Smart contract” means an event-driven program or computerized transaction protocol that runs on a distributed, decentralized, shared, and replicated ledger that executes the terms of a contract. For purposes of this subsection, “executes the terms of a contract” may include taking custody over and instructing the transfer of assets.

Sec. 2. Section 554D.108, subsection 2, Code 2022, is amended to read as follows:

2. A contract shall not be denied legal effect or enforceability solely because an electronic record was used in its formation or because the contract is a smart contract or contains a smart contract provision.
Sec. 3. NEW SECTION. 554E.1 Definitions.

As used in this chapter:

1. “Account” means the same as defined in section 554.9102.

2. “Business” means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of any of the foregoing.

3. “Contract” means the same as defined in section 554D.103.

4. “Covered entity” means a business that accesses, receives, stores, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.

5. “Data breach” means an intentional or unintentional action that could result in electronic records owned, licensed to, or otherwise protected by a covered entity being viewed, copied, modified, transmitted, or destroyed in a manner that is reasonably believed to have or may cause material risk of identity theft, fraud, or other injury or damage to person or property. “Data breach” does not include any of the following:
a. Good-faith acquisition of personal information or restricted information by the covered entity’s employee or agent for the purposes of the covered entity, provided that the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure.
b. Acquisition or disclosure of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.

6. “Distributed ledger technology” means an electronic record of transactions or other data to which all of the following apply:
a. The electronic record is uniformly ordered.
b. The electronic record is redundantly maintained or processed by one or more computers or machines to guarantee the consistency or nonrepudiation of the recorded transactions or other data.

7. “Electronic” means the same as defined in section 554D.103.

8. “Electronic record” means the same as defined in section 554D.103.

9. “Encrypted” means the use of an algorithmic process to transform data into a form for which there is a low probability of assigning meaning without use of a confidential process or key.

10. “Individual” means a natural person.

11. “Maximum probable loss” means the greatest damage expectation that could reasonably occur from a data breach. For purposes of this subsection, “damage expectation” means the total value of possible damage multiplied by the probability that damage would occur.

12. a. “Personal information” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, social security number, driver’s license number or state identification card number, passport number, account number or credit or debit card number, location data, biometric data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.
b. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or any of the following media that are widely distributed:
(1) Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio, television, or the internet.
(2) Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media identified in this paragraph.
(3) Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit business.
(4) Any type of media similar in nature to any item, entity, or activity identified in this paragraph.

13. “Record” means the same as defined in section 554D.103.

14. “Redacted” means altered, truncated, or anonymized so that, when applied to personal information, the data can no longer be attributed to a specific individual without the use of additional information.

15. “Restricted information” means any information about an individual, other than personal information, or business that, alone or in combination with other information, including personal information, can be used to distinguish or trace the identity of the individual or business, or that is linked or linkable to an individual or business, if the information is not encrypted, redacted, tokenized, or altered by any method or technology in such a manner that the information is anonymized, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.

16. “Smart contract” means an event-driven program or computerized transaction protocol that runs on a distributed, decentralized, shared, and replicated ledger that executes the terms of a contract. For purposes of this subsection, “executes the terms of a contract” may include taking custody over and instructing the transfer of assets.

17. “Transaction” means a sale, trade, exchange, transfer, payment, or conversion of virtual currency or other digital asset or any other property or any other action or set of actions occurring between two or more persons relating to the conduct of business, commercial, or governmental affairs.

Sec. 4. NEW SECTION. 554E.2 Distributed ledger technology —— ownership of information.

1. A record shall not be denied legal effect or enforceability solely because the record is created, generated, sent, communicated, received, recorded, or stored by means of distributed ledger technology or a smart contract.

2. A signature shall not be denied legal effect or enforceability solely because the signature is created, generated, sent, communicated, received, recorded, or stored by means of distributed ledger technology or a smart contract.

3. A contract shall not be denied legal effect or enforceability solely for any of the following:
a. The contract is created, generated, sent, communicated, received, executed, signed, adopted, recorded, or stored by means of distributed ledger technology or a smart contract.
b. The contract contains a smart contract term.
c. An electronic record, distributed ledger technology, or smart contract was used in the contract’s formation.

4. A person who, in engaging in or affecting interstate or foreign commerce, uses distributed ledger technology to secure information that the person owns or has the right to use retains the same rights of ownership or use with respect to such information as before the person secured the information using distributed ledger technology. This subsection does not apply to the use of distributed ledger technology to secure information in connection with a transaction to the extent that the terms of the transaction expressly provide for the transfer of rights of ownership or use with respect to such information.

Sec. 5. NEW SECTION. 554E.3 Affirmative defenses.

1. A covered entity seeking an affirmative defense under this chapter shall create, maintain, and comply with a written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information and restricted information.

2. A covered entity’s cybersecurity program shall be designed to do all of the following:
a. Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach.
b. Periodically evaluate no less than annually the maximum probable loss attainable from a data breach.
c. Communicate to any affected parties the extent of any risk posed and any actions the affected parties could take to reduce any damages if a data breach is known to have occurred.

3. The scale and scope of a covered entity’s cybersecurity program is appropriate if the cost to operate the cybersecurity program is no less than the covered entity’s most recently calculated maximum probable loss value.

4. a. A covered entity that satisfies all requirements of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.
b. A covered entity satisfies all requirements of this section if its cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework, as described in section 554E.4.

Sec. 6. NEW SECTION. 554E.4 Cybersecurity program framework.

1. A covered entity’s cybersecurity program, as described in section 554E.3, reasonably conforms to an industry-recognized cybersecurity framework for purposes of section 554E.3 if any of the following are true:
a. (1) The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to subparagraph (2) and subsection 2:
(a) The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology.
(b) National institute of standards and technology special publication 800-171.
(c) National institute of standards and technology special publications 800-53 and 800-53a.
(d) The federal risk and authorization management program security assessment framework.
(e) The center for internet security critical security controls for effective cyber defense.
(f) The international organization for standardization/international electrotechnical commission 27000 family —— information security management systems.
(2) When a final revision to a framework listed in subparagraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the revised framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.
b. (1) The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to subparagraph (2):
(a) The security requirements of the federal Health Insurance Portability and Accountability Act of 1996, as set forth in 45 C.F.R. pt. 164, subpt. C.
(b) Title V of the federal Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.
(c) The federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.
(d) The federal Health Information Technology for Economic and Clinical Health Act as set forth in 45 C.F.R. pt. 162.
(2) When a framework listed in subparagraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the amended framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the effective date of the amended framework.
c. (1) The cybersecurity program reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in paragraph “a”, subject to subparagraph (2) and subsection 2.
(2) When a final revision to the payment card industry data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply the elements of its cybersecurity program with the revised standard within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.

2. If a covered entity’s cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry data security standard, as described in subsection 1, paragraph “a” or “c”, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform the elements of its cybersecurity program to or comply with, as applicable, all of the revised frameworks within the time frames provided in the relevant frameworks but in no event later than one year after the latest publication date stated in the revisions.

Sec. 7. NEW SECTION. 554E.5 Causes of actions.

This chapter shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under those sections.

Sec. 8. REPEAL. Section 554D.106A, Code 2022, is repealed.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to cybersecurity programs, affirmative defenses, and distributed ledger technology.

The bill provides that a record or signature shall not be denied legal effect because it is created or stored by means of distributed ledger technology or smart contract, as those terms are defined in the bill. The bill provides in new Code section 554E.2 that the ownership of the secure information remains with the person who provided the signature, not the distributed ledger technology owner, and repeals a similar provision in Code section 554D.106A.

The bill creates affirmative defenses for entities using cybersecurity programs and provides definitions. The bill provides that a covered entity seeking an affirmative defense must use a cybersecurity program for the protection of personal information and restricted information and the cybersecurity program must reasonably conform to an industry-recognized cybersecurity framework. A cybersecurity program must continually evaluate and mitigate reasonably anticipated threats, periodically evaluate the maximum probable loss attainable from a data breach, and communicate to affected parties the risk posed and actions the affected parties could take to reduce damages if a data breach has occurred. The scale and scope of a cybersecurity program is appropriate if the cost to operate the program is no less than the covered entity’s maximum probable loss value. A covered entity that satisfies these requirements and that reasonably conforms to an industry-recognized cybersecurity framework is entitled to an affirmative defense to a tort claim that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.

The bill details industry-recognized cybersecurity frameworks that the covered entity may follow and reasonably comply to in order to qualify for the affirmative defense.

The bill does not provide a private right to action, including a class action.