House Study Bill 555 - Introduced
HOUSE FILE _____
BY (PROPOSED COMMITTEE ON INFORMATION TECHNOLOGY BILL BY CHAIRPERSON LOHSE)
A BILL FOR
An Act relating to affirmative defenses for entities using cybersecurity programs and electronic transactions recorded by blockchain technology.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
TLSB 5430YC (4) 89 cm/jh
H.F. _____
Section 1. Section 554D.103, subsections 8, 9, and 17, Code 2022, are amended to read as follows:
8. “Electronic record” means a record created, generated, sent, communicated, received, or stored by electronic means. “Electronic record” includes any record or contract secured through distributed ledger technology or blockchain technology.
9. “Electronic signature” means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record. “Electronic signature” includes a signature that is secured through distributed ledger technology or blockchain technology.
17. “State” means a state of the United States, the District of Columbia, Puerto Rico, the United States Virgin Islands, or any territory or insular possession subject to the jurisdiction of the United States. “State” includes an Indian tribe or band, or Alaskan native Native village, which is recognized by federal law or formally acknowledged by a state.
Sec. 2. NEW SECTION. 554E.1 Definitions.
As used in this chapter:
1. “Business” means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of any of the foregoing.
2. “Covered entity” means a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.
3. “Data breach” means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information or restricted information owned by or licensed to a covered entity and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to person or property. “Data breach” does not include any of the following:
a. Good-faith acquisition of personal information or restricted information by the covered entity’s employee or agent for the purposes of the covered entity, provided that the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure.
b. Acquisition of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.
4. “Encrypted” means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
5. “Individual” means a natural person.
6. “Personal information” means an individual’s name, consisting of the individual’s first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:
a. Social security number.
b. Driver’s license number or state identification card number.
c. Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual’s financial account.
d. “Personal information” does not include publicly available information that is lawfully made available to the
general public from federal, state, or local government records or any of the following media that are widely distributed:
(1) Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio or television.
(2) Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media identified in this paragraph.
(3) Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit corporation.
(4) Any type of media similar in nature to any item, entity, or activity identified in this paragraph.
7. “Redacted” means altered or truncated so that no more than the last four digits of a social security number, driver’s license number, state identification card number, account number, or credit or debit card number is accessible as part of the data.
8. “Restricted information” means any information about an individual, other than personal information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual’s identity or that is linked or linkable to an individual, if the information is not encrypted, redacted, or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.
Sec. 3. NEW SECTION. 554E.2 Affirmative defenses.
1. A covered entity seeking an affirmative defense under this chapter shall do one of the following:
a. Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry-recognized cybersecurity framework, as described in section 554E.3.
b. Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework, as described in section 554E.3.
2. A covered entity’s cybersecurity program shall be designed to do all of the following with respect to the information described in subsection 1, paragraph “a” or “b”, as applicable:
a. Protect the security and confidentiality of the information.
b. Protect against any anticipated threats or hazards to the security or integrity of the information.
c. Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
3. The scale and scope of a covered entity’s cybersecurity program under subsection 1, paragraph “a” or “b”, as applicable, is appropriate if the cybersecurity program is based on all of the following factors:
a. The size and complexity of the covered entity.
b. The nature and scope of the activities of the covered entity.
c. The sensitivity of the information to be protected.
d. The cost and availability of tools to improve information security and reduce vulnerabilities.
e. The resources available to the covered entity.
4. a. A covered entity that satisfies subsection 1, paragraph “a”, and subsections 2 and 3, is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement
reasonable information security controls resulted in a data breach concerning personal information.
b. A covered entity that satisfies subsection 1, paragraph “b”, and subsections 2 and 3, is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.
Sec. 4. NEW SECTION. 554E.3 Cybersecurity program framework.
1. A covered entity’s cybersecurity program, as described in section 554E.2, reasonably conforms to an industry-recognized cybersecurity framework for purposes of section 554E.2 if any of the following are true:
a. (1) The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to subparagraph (2) and subsection 2:
(a) The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology.
(b) National institute of standards and technology special publication 800-171.
(c) National institute of standards and technology special publications 800-53 and 800-53a.
(d) The federal risk and authorization management program security assessment framework.
(e) The center for internet security critical security controls for effective cyber defense.
(f) The international organization for standardization/international electrotechnical commission 27000 family — information security management systems.
(2) When a final revision to a framework listed in subparagraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the revised framework not later than one year after the publication date stated in the revision.
b. (1) The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to subparagraph (2):
(a) The security requirements of the federal Health Insurance Portability and Accountability Act of 1996, as set forth in 45 C.F.R. pt. 164, subpt. C.
(b) Title V of the federal Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.
(c) The federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.
(d) The federal Health Information Technology for Economic and Clinical Health Act as set forth in 45 C.F.R. pt. 162.
(2) When a framework listed in subparagraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the amended framework not later than one year after the effective date of the amended framework.
c. (1) The cybersecurity program reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in paragraph “a”, subject to subparagraph (2) and subsection 2.
(2) When a final revision to the payment card industry data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply with the revised standard not later than one year after the publication date stated in the revision.
2. If a covered entity’s cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry data security standard, as described in subsection 1, paragraph “a” or “c”, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform to or comply with, as applicable, all of the revised frameworks not later than one year after the latest publication date stated in the revisions.
Sec. 5. NEW SECTION. 554E.4 Causes of actions.
This chapter shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under those sections.
EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.
This bill relates to cybersecurity programs and blockchain technology. The bill changes the definitions of “electronic record” and “electronic signature” in the uniform electronic transactions Act to include blockchain technology.
The bill creates affirmative defenses for entities using cybersecurity programs and provides definitions. The bill provides that a covered entity seeking an affirmative defense must use a cybersecurity program for the protection of personal information or both personal information and restricted information and the cybersecurity program must reasonably conform to an industry-recognized cybersecurity framework.
A cybersecurity program must protect the security and confidentiality of the information, protect against any anticipated threats to the information, and protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft. A cybersecurity program’s scale and scope should be based upon the size and complexity of the covered entity, the nature and scope of the covered entity’s activities, the sensitivity of the information, and the cost and availability of tools and resources to improve information security. A covered entity that satisfies the above requirements is entitled to an affirmative defense to a tort claim that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.
The bill lists the industry-recognized cybersecurity frameworks that a covered entity must follow and reasonably comply with in order to qualify for the affirmative defense.
The bill does not provide a private right of action, including a class action.