House Study Bill 691 - Introduced HOUSE FILE _____ BY (PROPOSED COMMITTEE ON INFORMATION TECHNOLOGY BILL BY CHAIRPERSON LOHSE) A BILL FOR An Act prohibiting the state or a political subdivision of the 1 state from expending revenue received from taxpayers for 2 payment to persons responsible for ransomware attacks, and 3 including effective date provisions. 4 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA: 5 TLSB 5429YC (6) 89 es/rn

H.F. _____ Section 1. Section 8B.4, Code 2022, is amended by adding the 1 following new subsection: 2 NEW SUBSECTION . 18A. Authorize the state or a political 3 subdivision of the state, not including a municipal utility, 4 in consultation with the department of public safety and the 5 department of homeland security and emergency management, to 6 expend revenue received from taxpayers for payment to a person 7 responsible for, or reasonably believed to be responsible for, 8 a ransomware attack pursuant to section 8H.3. 9 Sec. 2. NEW SECTION . 8H.1 Definitions. 10 As used in this chapter, unless the context otherwise 11 requires: 12 1. “Critical infrastructure” means the same as defined 13 in section 29C.24. “Critical infrastructure” includes real 14 and personal property and equipment owned or used to provide 15 fire fighting, law enforcement, medical, or other emergency 16 services. 17 2. “Encryption” means the use of an algorithmic process 18 to transform data into a form in which the data is rendered 19 unreadable or unusable without the use of a confidential 20 process or key. 21 3. “Political subdivision” means a city, county, township, 22 or school district. “Political subdivision” does not include a 23 municipal utility. 24 4. “Ransomware attack” means carrying out until payment is 25 made, or threatening to carry out until payment is made, any of 26 the following actions: 27 a. An act declared unlawful pursuant to section 715.4. 28 b. A breach of security as defined in section 715C.1. 29 c. The use of any form of software that results in the 30 unauthorized encryption of data, the denial of access to data, 31 the denial of access to a computer, or the denial of access to 32 a computer system. 33 Sec. 3. NEW SECTION . 8H.2 Requirement to report a 34 ransomware attack. 35 -1- LSB 5429YC (6) 89 es/rn 1/ 5

H.F. _____ If the state or a political subdivision of the state is 1 subject to a ransomware attack, the state or the political 2 subdivision shall provide notice of the ransomware attack to 3 the office of the chief information officer following discovery 4 of the ransomware attack. The notice shall be provided in 5 the most expeditious manner possible and without unreasonable 6 delay. The office of the chief information officer shall adopt 7 rules establishing notification procedures pursuant to this 8 section. 9 Sec. 4. NEW SECTION . 8H.3 Revenue received from taxpayers 10 —— prohibition —— ransomware. 11 1. Except as provided in subsection 2 or 3, the state or a 12 political subdivision of the state shall not expend tax revenue 13 received from taxpayers for payment to a person responsible 14 for, or reasonably believed to be responsible for, a ransomware 15 attack. 16 2. The office of the chief information officer, in 17 consultation with the department of public safety and the 18 department of homeland security and emergency management, may 19 authorize the state or a political subdivision of the state to 20 expend tax revenue otherwise prohibited pursuant to subsection 21 1 in the event of any of the following: 22 a. A critical or emergency situation as defined by the 23 department of homeland security and emergency management, 24 or when the department of homeland security and emergency 25 management determines the expenditure of tax revenue is in the 26 public interest. 27 b. A ransomware attack affecting critical infrastructure 28 within the state or a political subdivision of the state. 29 3. The state or a political subdivision of the state may 30 expend tax revenue otherwise prohibited pursuant to subsection 31 1 in the event of a ransomware attack affecting an officer or 32 employee of the judicial branch. 33 Sec. 5. NEW SECTION . 8H.4 Payments for insurance. 34 The state or a political subdivision of the state may use 35 -2- LSB 5429YC (6) 89 es/rn 2/ 5

H.F. _____ revenue received from taxpayers to pay premiums, deductibles, 1 and other costs associated with an insurance policy related 2 to cybersecurity or ransomware attacks only if the state or 3 the political subdivision first exhausts all other reasonable 4 means of mitigating a potential ransomware attack. Subject 5 to section 8H.3, subsections 2 and 3, nothing in this section 6 shall be construed to authorize the state or a political 7 subdivision of the state to make a direct payment using 8 revenue received from taxpayers to a person responsible for, or 9 reasonably believed to be responsible for, a ransomware attack. 10 Sec. 6. NEW SECTION . 8H.5 Confidential records. 11 Information related to all of the following shall be 12 considered a confidential record under section 22.7: 13 1. Insurance coverage maintained by the state or a political 14 subdivision of the state related to cybersecurity or a 15 ransomware attack. 16 2. Payment by the state or a political subdivision of 17 the state to a person responsible for, or believed to be 18 responsible for, a ransomware attack pursuant to section 8H.3. 19 Sec. 7. LEGISLATIVE INTENT. It is the intent of the general 20 assembly that the state and the political subdivisions of the 21 state have tested cybersecurity mitigation plans and policies. 22 Sec. 8. RULEMAKING. The office of the chief information 23 officer shall prepare a notice of intended action for the 24 adoption of rules to administer this Act. The notice of 25 intended action shall be submitted to the administrative 26 rules coordinator and the administrative code editor as soon 27 as practicable, but no later than October 1, 2022. However, 28 nothing in this section authorizes the office of the chief 29 information officer to adopt rules under section 17A.4, 30 subsection 3, or section 17A.5, subsection 2, paragraph “b”. 31 Sec. 9. EFFECTIVE DATE. 32 1. Except as provided in subsection 2, this Act takes effect 33 July 1, 2023. 34 2. The section of this Act requiring the office of the chief 35 -3- LSB 5429YC (6) 89 es/rn 3/ 5

H.F. _____ information officer to prepare a notice of intended action for 1 the adoption of rules to administer this Act, being deemed of 2 immediate importance, takes effect upon enactment. 3 EXPLANATION 4 The inclusion of this explanation does not constitute agreement with 5 the explanation’s substance by the members of the general assembly. 6 This bill prohibits the state or a political subdivision of 7 the state from expending revenue received from taxpayers for 8 payment to persons responsible for ransomware attacks. 9 The bill defines “critical infrastructure” to mean 10 real and personal property and equipment owned or used by 11 communication and video networks, gas distribution systems, 12 water and wastewater pipeline systems, and electric generation, 13 transmission, and distribution systems, including related 14 support facilities, which network or system provides service 15 to more than one customer or person as defined in Code section 16 29C.24. “Critical infrastructure” includes but is not limited 17 to buildings, structures, offices, lines, poles, pipes, and 18 equipment, as well as real and personal property owned or 19 used to provide fire fighting, law enforcement, medical, or 20 other emergency services. The bill defines “encryption” as 21 the use of an algorithmic process to transform data into a 22 form in which the data is rendered unreadable or unusable 23 without the use of a confidential process or key. The bill 24 defines “political subdivision” as a city, county, township, 25 or school district. The bill defines “ransomware attack” to 26 mean carrying out until payment is made, or threatening to 27 carry out until payment is made, including an act declared 28 unlawful pursuant to Code section 715.4, a “breach of security” 29 as defined in Code section 715C.1, or the use of any form 30 of software that results in the unauthorized encryption of 31 data, the denial of access to data, the denial of access to a 32 computer, or the denial of access to a computer system. 33 The bill requires that when the state or a political 34 subdivision of the state is subject to a ransomware attack 35 -4- LSB 5429YC (6) 89 es/rn 4/ 5

H.F. _____ and discovers the attack, the state or political subdivision 1 shall expeditiously provide notice to the office of the chief 2 information officer. The office of the chief information 3 officer shall adopt rules establishing notification procedures. 4 The bill provides that the state or a political subdivision 5 of the state shall not expend revenue received from taxpayers 6 for payment to a person responsible for, or reasonably believed 7 to be responsible for, a ransomware attack. 8 The bill allows the office of the chief information officer 9 to authorize such expenditures in the event of a critical or 10 emergency situation as determined by the department of homeland 11 security and emergency management. The bill provides that 12 information related to a political subdivision’s insurance 13 coverage for cybersecurity or ransomware attack shall be 14 considered confidential records. 15 The bill provides that the state or a political subdivision 16 of the state may use taxpayer revenue to pay for cybersecurity 17 insurance or related ransomware insurance if the state or 18 political subdivision first exhausts all other reasonable means 19 of mitigating a potential ransomware attack. 20 The bill includes a legislative intent section, which 21 provides that it is the intent of the general assembly that 22 the state and political subdivisions of the state have tested 23 cybersecurity mitigation plans and policies. 24 The bill takes effect July 1, 2023, except for the section 25 of the bill requiring the office of the chief information 26 officer to prepare a notice of intended action (NOIA) for the 27 adoption of rules, which takes effect upon enactment. The NOIA 28 must be submitted to the administrative rules coordinator and 29 administrative code editor as soon as possible and no later 30 than October 1, 2022. The bill does not authorize the office 31 of the chief information officer to adopt emergency rules under 32 Code section 17A.4(3) or Code section 17A.5(2)(b). 33 -5- LSB 5429YC (6) 89 es/rn 5/ 5