Senate File 2207 - Introduced SENATE FILE 2207 BY NUNN A BILL FOR An Act prohibiting the state and political subdivisions of the 1 state from expending public moneys for payment to persons 2 responsible for ransomware attacks. 3 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA: 4 TLSB 5735SS (2) 89 es/rn

S.F. 2207 Section 1. NEW SECTION . 8H.1 Definitions. 1 As used in this section, unless the context otherwise 2 requires: 3 1. “Encryption” means the use of an algorithmic process 4 to transform data into a form in which the data is rendered 5 unreadable or unusable without the use of a confidential 6 process or key. 7 2. “Political subdivision” means a city, county, township, 8 or school district. 9 3. “Ransomware attack” means carrying out until payment is 10 made, or threatening to carry out until payment is made, any of 11 the following actions: 12 a. An act declared unlawful pursuant to section 715.4. 13 b. A “breach of security” as defined in section 715C.1. 14 c. The use of any form of software that results in the 15 unauthorized encryption of data, the denial of access to data, 16 the denial of access to a computer, or the denial of access to 17 a computer system. 18 Sec. 2. NEW SECTION . 8H.2 Public moneys —— prohibition —— 19 ransomware. 20 The state or a political subdivision of the state shall not 21 expend public moneys for payment to a person responsible for, 22 or reasonably believed to be responsible for, a ransomware 23 attack. 24 EXPLANATION 25 The inclusion of this explanation does not constitute agreement with 26 the explanation’s substance by the members of the general assembly. 27 This bill prohibits the state and a political subdivision of 28 the state from expending public moneys for payment to persons 29 responsible for ransomware attacks. 30 The bill defines “encryption” as the use of an algorithmic 31 process to transform data into a form in which the data 32 is rendered unreadable or unusable without the use of a 33 confidential process or key. The bill defines “political 34 subdivision” as a city, county, township, or school district. 35 -1- LSB 5735SS (2) 89 es/rn 1/ 2

S.F. 2207 The bill defines “ransomware attack” to mean carrying out until 1 payment is made, or threatening to carry out until payment is 2 made, any of the following: an act declared unlawful pursuant 3 to Code section 715.4; a “breach of security” as defined in 4 Code section 715C.1; or the use of any form of software that 5 results in the unauthorized encryption of data, the denial of 6 access to data, the denial of access to a computer, or the 7 denial of access to a computer system. 8 The bill provides that the state and a political subdivision 9 of the state shall not expend public moneys for payment 10 to a person responsible for, or reasonably believed to be 11 responsible for, a ransomware attack. 12 -2- LSB 5735SS (2) 89 es/rn 2/ 2