House Study Bill 154 - Introduced

HOUSE FILE _____

BY (PROPOSED COMMITTEE ON ECONOMIC GROWTH AND TECHNOLOGY BILL BY CHAIRPERSON SORENSEN)

A BILL FOR

An Act relating to the use of certain technology, including the legal effect of the use of distributed ledger technology or smart contracts and affirmative defenses associated with the use of cybersecurity programs.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 1265YC (3) 90
cm/ns
H.F. _____

Section 1. Section 554E.1, Code 2023, is amended by striking the section and inserting in lieu thereof the following:

554E.1 Definitions.

As used in this chapter:

1. “Business” means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of any of the foregoing.

2. “Contract” means the same as defined in section 554D.103.

3. “Covered entity” means a business that accesses, receives, stores, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.

4. “Data breach” means an intentional or unintentional action that could result in electronic records owned, licensed to, or otherwise protected by a covered entity being viewed, copied, modified, transmitted, or destroyed in a manner that is reasonably believed to have or may cause material risk of identity theft, fraud, or other injury or damage to person or property. “Data breach” does not include any of the following:

a. Good-faith acquisition of personal information or restricted information by the covered entity’s employee or agent for the purposes of the covered entity, provided that the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure.

b. Acquisition or disclosure of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.

5. “Distributed ledger technology” means an electronic record of transactions or other data to which all of the following apply:

a. The electronic record is uniformly ordered.

b. The electronic record is redundantly maintained or processed by one or more computers or machines to guarantee the consistency or nonrepudiation of the recorded transactions or other data.

6. “Electronic record” means the same as defined in section 554D.103.

7. “Encrypted” means the use of an algorithmic process to transform data into a form for which there is a low probability of assigning meaning without use of a confidential process or key.

8. “Individual” means a natural person.

9. “Maximum probable loss” means the greatest damage expectation that could reasonably occur from a data breach. For purposes of this subsection, “damage expectation” means the total value of possible damage multiplied by the probability that damage would occur.

10. a. “Personal information” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, social security number, driver’s license number or state identification card number, passport number, account number or credit or debit card number, location data, biometric data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

b. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or any of the following media that are widely distributed:

(1) Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio, television, or the internet.

(2) Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media identified in this paragraph.

(3) Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit business.

(4) Any type of media similar in nature to any item, entity, or activity identified in this paragraph.

11. “Record” means the same as defined in section 554D.103.

12. “Redacted” means altered, truncated, or anonymized so that, when applied to personal information, the data can no longer be attributed to a specific individual without the use of additional information.

13. “Restricted information” means any information about an individual, other than personal information, or business that, alone or in combination with other information, including personal information, can be used to distinguish or trace the identity of the individual or business, or that is linked or linkable to an individual or business, if the information is not encrypted, redacted, tokenized, or altered by any method or technology in such a manner that the information is anonymized, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.

14. “Smart contract” means an event-driven program or computerized transaction protocol that runs on a distributed, decentralized, shared, and replicated ledger that executes the terms of a contract. For purposes of this subsection, “executes the terms of a contract” may include taking custody over and instructing the transfer of assets.

15. “Transaction” means a sale, trade, exchange, transfer, payment, or conversion of virtual currency or other digital asset or any other property or any other action or set of actions occurring between two or more persons relating to the conduct of business, commercial, or governmental affairs.

Sec. 2. Section 554E.2, Code 2023, is amended by striking the section and inserting in lieu thereof the following:

554E.2 Legal effect —— distributed ledger technology and smart contracts —— ownership of information.

1. A record shall not be denied legal effect or enforceability solely because the record is created, generated, sent, communicated, received, recorded, or stored by means of distributed ledger technology or a smart contract.

2. A signature shall not be denied legal effect or enforceability solely because the signature is created, generated, sent, communicated, received, recorded, or stored by means of distributed ledger technology or a smart contract.

3. A contract shall not be denied legal effect or enforceability solely for any of the following:

a. The contract is created, generated, sent, communicated, received, executed, signed, adopted, recorded, or stored by means of distributed ledger technology or a smart contract.

b. The contract contains a smart contract term.

c. An electronic record, distributed ledger technology, or a smart contract was used in the contract’s formation.

4. A person who, in engaging in or affecting interstate or foreign commerce, uses distributed ledger technology to secure information that the person owns or has the right to use retains the same rights of ownership or use with respect to such information as before the person secured the information using distributed ledger technology. This subsection does not apply to the use of distributed ledger technology to secure information in connection with a transaction to the extent that the terms of the transaction expressly provide for the transfer of rights of ownership or use with respect to such information.

Sec. 3. Section 554E.3, Code 2023, is amended by striking the section and inserting in lieu thereof the following:

554E.3 Affirmative defenses.

1. A covered entity seeking an affirmative defense under this chapter shall create, maintain, and comply with a written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information and restricted information.

2. A covered entity’s cybersecurity program shall be designed to do all of the following:

a. Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach.

b. Periodically evaluate no less than annually the maximum probable loss attainable from a data breach.

c. Communicate to any affected parties the extent of any risk posed and any actions the affected parties could take to reduce any damages if a data breach is known to have occurred.

3. The scale and scope of a covered entity’s cybersecurity program is appropriate if the cost to operate the cybersecurity program is no less than the covered entity’s most recently calculated maximum probable loss value.

4. a. A covered entity that satisfies all requirements of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.

b. A covered entity satisfies all requirements of this section if its cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework, as described in section 554E.4.

Sec. 4. Section 554E.4, Code 2023, is amended by striking the section and inserting in lieu thereof the following:

554E.4 Cybersecurity program framework.

1. A covered entity’s cybersecurity program, as described in section 554E.3, reasonably conforms to an industry-recognized cybersecurity framework for purposes of section 554E.3 if any of the following are true:

a. (1) The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to subparagraph (2) and subsection 2:

(a) The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology.

(b) National institute of standards and technology special publication 800-171.

(c) National institute of standards and technology special publications 800-53 and 800-53a.

(d) The federal risk and authorization management program security assessment framework.

(e) The center for internet security critical security controls for effective cyber defense.

(f) The international organization for standardization/international electrotechnical commission 27000 family —— information security management systems.

(2) When a final revision to a framework listed in subparagraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the revised framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.

b. (1) The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to subparagraph (2):

(a) The security requirements of the federal Health Insurance Portability and Accountability Act of 1996, as set forth in 45 C.F.R. pt. 164, subpt. C.

(b) Title V of the federal Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.

(c) The federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.

(d) The federal Health Information Technology for Economic and Clinical Health Act as set forth in 45 C.F.R. pt. 162.

(2) When a framework listed in subparagraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the amended framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the effective date of the amended framework.

c. (1) The cybersecurity program reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in paragraph “a”, subject to subparagraph (2) and subsection 2.

(2) When a final revision to the payment card industry data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply the elements of its cybersecurity program with the revised standard within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.

2. If a covered entity’s cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry data security standard, as described in subsection 1, paragraph “a” or “c”, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform the elements of its cybersecurity program to or comply with, as applicable, all of the revised frameworks within the time frames provided in the relevant frameworks but in no event later than one year after the latest publication date stated in the revisions.

Sec. 5. NEW SECTION. 554E.5 Causes of actions.

This chapter shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under this chapter.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to the use of certain technology.

The bill provides that a record, signature, or contract shall not be denied legal effect because it is created or stored by means of distributed ledger technology or a smart contract, as those terms are defined in the bill. The bill provides that the ownership of the secure information remains with the original owner of the information, not the distributed ledger technology owner, unless specifically provided otherwise.

The bill creates affirmative defenses for entities using cybersecurity programs. The bill provides that a covered entity seeking an affirmative defense must use a cybersecurity program for the protection of personal information and restricted information and the cybersecurity program must reasonably conform to an industry-recognized cybersecurity framework. A cybersecurity program must continually evaluate and mitigate reasonably anticipated threats, periodically evaluate the maximum probable loss attainable from a data breach, and communicate to affected parties the risk posed and actions the affected parties could take to reduce damages if a data breach has occurred. The scale and scope of a cybersecurity program is appropriate if the cost to operate the program is no less than the covered entity’s maximum probable loss value. A covered entity that satisfies these requirements and that reasonably conforms to an industry-recognized cybersecurity framework is entitled to an affirmative defense to a tort claim that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.

The bill details industry-recognized cybersecurity frameworks that the covered entity may follow and reasonably comply with in order to qualify for the affirmative defense.

The bill does not provide a private right of action, including a class action.