House Study Bill 691 - Introduced

HOUSE FILE _____

BY (PROPOSED COMMITTEE ON INFORMATION TECHNOLOGY BILL BY CHAIRPERSON LOHSE)

A BILL FOR

An Act prohibiting the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

LSB 5429YC (6) 89 es/rn

H.F. _____

Section 1. Section 8B.4, Code 2022, is amended by adding the following new subsection:

NEW SUBSECTION. 18A. Authorize the state or a political subdivision of the state, not including a municipal utility, in consultation with the department of public safety and the department of homeland security and emergency management, to expend revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack pursuant to section 8H.3.

Sec. 2. NEW SECTION. 8H.1 Definitions.

As used in this chapter, unless the context otherwise requires:

1. “Critical infrastructure” means the same as defined in section 29C.24. “Critical infrastructure” includes real and personal property and equipment owned or used to provide fire fighting, law enforcement, medical, or other emergency services.

2. “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

3. “Political subdivision” means a city, county, township, or school district. “Political subdivision” does not include a municipal utility.

4. “Ransomware attack” means carrying out until payment is made, or threatening to carry out until payment is made, any of the following actions:

a. An act declared unlawful pursuant to section 715.4.

b. A breach of security as defined in section 715C.1.

c. The use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.

Sec. 3. NEW SECTION. 8H.2 Requirement to report a ransomware attack.

If the state or a political subdivision of the state is subject to a ransomware attack, the state or the political subdivision shall provide notice of the ransomware attack to the office of the chief information officer following discovery of the ransomware attack. The notice shall be provided in the most expeditious manner possible and without unreasonable delay. The office of the chief information officer shall adopt rules establishing notification procedures pursuant to this section.

Sec. 4. NEW SECTION. 8H.3 Revenue received from taxpayers —— prohibition —— ransomware.

1. Except as provided in subsection 2 or 3, the state or a political subdivision of the state shall not expend tax revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

2. The office of the chief information officer, in consultation with the department of public safety and the department of homeland security and emergency management, may authorize the state or a political subdivision of the state to expend tax revenue otherwise prohibited pursuant to subsection 1 in the event of any of the following:

a. A critical or emergency situation as defined by the department of homeland security and emergency management, or when the department of homeland security and emergency management determines the expenditure of tax revenue is in the public interest.

b. A ransomware attack affecting critical infrastructure within the state or a political subdivision of the state.

3. The state or a political subdivision of the state may expend tax revenue otherwise prohibited pursuant to subsection 1 in the event of a ransomware attack affecting an officer or employee of the judicial branch.

Sec. 5. NEW SECTION. 8H.4 Payments for insurance.

The state or a political subdivision of the state may use revenue received from taxpayers to pay premiums, deductibles, and other costs associated with an insurance policy related to cybersecurity or ransomware attacks only if the state or the political subdivision first exhausts all other reasonable means of mitigating a potential ransomware attack. Subject to section 8H.3, subsections 2 and 3, nothing in this section shall be construed to authorize the state or a political subdivision of the state to make a direct payment using revenue received from taxpayers to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

Sec. 6. NEW SECTION. 8H.5 Confidential records.

Information related to all of the following shall be considered a confidential record under section 22.7:

1. Insurance coverage maintained by the state or a political subdivision of the state related to cybersecurity or a ransomware attack.

2. Payment by the state or a political subdivision of the state to a person responsible for, or believed to be responsible for, a ransomware attack pursuant to section 8H.3.

Sec. 7. LEGISLATIVE INTENT. It is the intent of the general assembly that the state and the political subdivisions of the state have tested cybersecurity mitigation plans and policies.

Sec. 8. RULEMAKING. The office of the chief information officer shall prepare a notice of intended action for the adoption of rules to administer this Act. The notice of intended action shall be submitted to the administrative rules coordinator and the administrative code editor as soon as practicable, but no later than October 1, 2022. However, nothing in this section authorizes the office of the chief information officer to adopt rules under section 17A.4, subsection 3, or section 17A.5, subsection 2, paragraph “b”.

Sec. 9. EFFECTIVE DATE.

1. Except as provided in subsection 2, this Act takes effect July 1, 2023.

2. The section of this Act requiring the office of the chief information officer to prepare a notice of intended action for the adoption of rules to administer this Act, being deemed of immediate importance, takes effect upon enactment.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill prohibits the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks.

The bill defines “critical infrastructure” to mean real and personal property and equipment owned or used by communication and video networks, gas distribution systems, water and wastewater pipeline systems, and electric generation, transmission, and distribution systems, including related support facilities, which network or system provides service to more than one customer or person as defined in Code section 29C.24. “Critical infrastructure” includes but is not limited to buildings, structures, offices, lines, poles, pipes, and equipment, as well as real and personal property owned or used to provide fire fighting, law enforcement, medical, or other emergency services. The bill defines “encryption” as the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key. The bill defines “political subdivision” as a city, county, township, or school district. The bill defines “ransomware attack” to mean carrying out until payment is made, or threatening to carry out until payment is made, including an act declared unlawful pursuant to Code section 715.4, a “breach of security” as defined in Code section 715C.1, or the use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.

The bill requires that when the state or a political subdivision of the state is subject to a ransomware attack and discovers the attack, the state or political subdivision shall expeditiously provide notice to the office of the chief information officer. The office of the chief information officer shall adopt rules establishing notification procedures.

The bill provides that the state or a political subdivision of the state shall not expend revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

The bill allows the office of the chief information officer to authorize such expenditures in the event of a critical or emergency situation as determined by the department of homeland security and emergency management. The bill provides that information related to a political subdivision’s insurance coverage for cybersecurity or ransomware attack shall be considered confidential records.

The bill provides that the state or a political subdivision of the state may use taxpayer revenue to pay for cybersecurity insurance or related ransomware insurance if the state or political subdivision first exhausts all other reasonable means of mitigating a potential ransomware attack.

The bill includes a legislative intent section, which provides that it is the intent of the general assembly that the state and political subdivisions of the state have tested cybersecurity mitigation plans and policies.

The bill takes effect July 1, 2023, except for the section of the bill requiring the office of the chief information officer to prepare a notice of intended action (NOIA) for the adoption of rules, which takes effect upon enactment. The NOIA must be submitted to the administrative rules coordinator and administrative code editor as soon as possible and no later than October 1, 2022. The bill does not authorize the office of the chief information officer to adopt emergency rules under Code section 17A.4(3) or Code section 17A.5(2)(b).