House Study Bill 154 - Introduced HOUSE FILE _____ BY (PROPOSED COMMITTEE ON ECONOMIC GROWTH AND TECHNOLOGY BILL BY CHAIRPERSON SORENSEN) A BILL FOR An Act relating to the use of certain technology, including the 1 legal effect of the use of distributed ledger technology or 2 smart contracts and affirmative defenses associated with the 3 use of cybersecurity programs. 4 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA: 5 TLSB 1265YC (3) 90 cm/ns

H.F. _____ Section 1. Section 554E.1, Code 2023, is amended by striking 1 the section and inserting in lieu thereof the following: 2 554E.1 Definitions. 3 As used in this chapter: 4 1. “Business” means any limited liability company, limited 5 liability partnership, corporation, sole proprietorship, 6 association, or other group, however organized and whether 7 operating for profit or not for profit, including a financial 8 institution organized, chartered, or holding a license 9 authorizing operation under the laws of this state, any other 10 state, the United States, or any other country, or the parent 11 or subsidiary of any of the foregoing. 12 2. “Contract” means the same as defined in section 554D.103. 13 3. “Covered entity” means a business that accesses, 14 receives, stores, maintains, communicates, or processes 15 personal information or restricted information in or through 16 one or more systems, networks, or services located in or 17 outside this state. 18 4. “Data breach” means an intentional or unintentional 19 action that could result in electronic records owned, licensed 20 to, or otherwise protected by a covered entity being viewed, 21 copied, modified, transmitted, or destroyed in a manner that 22 is reasonably believed to have or may cause material risk of 23 identity theft, fraud, or other injury or damage to person or 24 property. “Data breach” does not include any of the following: 25 a. Good-faith acquisition of personal information or 26 restricted information by the covered entity’s employee or 27 agent for the purposes of the covered entity, provided that 28 the personal information or restricted information is not used 29 for an unlawful purpose or subject to further unauthorized 30 disclosure. 31 b. Acquisition or disclosure of personal information or 32 restricted information pursuant to a search warrant, subpoena, 33 or other court order, or pursuant to a subpoena, order, or duty 34 of a regulatory state agency. 35 -1- LSB 1265YC (3) 90 cm/ns 1/ 9

H.F. _____ 5. “Distributed ledger technology” means an electronic 1 record of transactions or other data to which all of the 2 following apply: 3 a. The electronic record is uniformly ordered. 4 b. The electronic record is redundantly maintained or 5 processed by one or more computers or machines to guarantee the 6 consistency or nonrepudiation of the recorded transactions or 7 other data. 8 6. “Electronic record” means the same as defined in section 9 554D.103. 10 7. “Encrypted” means the use of an algorithmic process to 11 transform data into a form for which there is a low probability 12 of assigning meaning without use of a confidential process or 13 key. 14 8. “Individual” means a natural person. 15 9. “Maximum probable loss” means the greatest damage 16 expectation that could reasonably occur from a data breach. 17 For purposes of this subsection, “damage expectation” means the 18 total value of possible damage multiplied by the probability 19 that damage would occur. 20 10. a. “Personal information” means any information 21 relating to an individual who can be identified, directly or 22 indirectly, in particular by reference to an identifier such 23 as a name, an identification number, social security number, 24 driver’s license number or state identification card number, 25 passport number, account number or credit or debit card number, 26 location data, biometric data, an online identifier, or to 27 one or more factors specific to the physical, physiological, 28 genetic, mental, economic, cultural, or social identity of that 29 individual. 30 b. “Personal information” does not include publicly 31 available information that is lawfully made available to the 32 general public from federal, state, or local government records 33 or any of the following media that are widely distributed: 34 (1) Any news, editorial, or advertising statement published 35 -2- LSB 1265YC (3) 90 cm/ns 2/ 9

H.F. _____ in any bona fide newspaper, journal, or magazine, or broadcast 1 over radio, television, or the internet. 2 (2) Any gathering or furnishing of information or news by 3 any bona fide reporter, correspondent, or news bureau to news 4 media identified in this paragraph. 5 (3) Any publication designed for and distributed to members 6 of any bona fide association or charitable or fraternal 7 nonprofit business. 8 (4) Any type of media similar in nature to any item, entity, 9 or activity identified in this paragraph. 10 11. “Record” means the same as defined in section 554D.103. 11 12. “Redacted” means altered, truncated, or anonymized so 12 that, when applied to personal information, the data can no 13 longer be attributed to a specific individual without the use 14 of additional information. 15 13. “Restricted information” means any information about 16 an individual, other than personal information, or business 17 that, alone or in combination with other information, including 18 personal information, can be used to distinguish or trace the 19 identity of the individual or business, or that is linked or 20 linkable to an individual or business, if the information is 21 not encrypted, redacted, tokenized, or altered by any method or 22 technology in such a manner that the information is anonymized, 23 and the breach of which is likely to result in a material risk 24 of identity theft or other fraud to person or property. 25 14. “Smart contract” means an event-driven program or 26 computerized transaction protocol that runs on a distributed, 27 decentralized, shared, and replicated ledger that executes the 28 terms of a contract. For purposes of this subsection, “executes 29 the terms of a contract” may include taking custody over and 30 instructing the transfer of assets. 31 15. “Transaction” means a sale, trade, exchange, transfer, 32 payment, or conversion of virtual currency or other digital 33 asset or any other property or any other action or set of 34 actions occurring between two or more persons relating to the 35 -3- LSB 1265YC (3) 90 cm/ns 3/ 9

H.F. _____ conduct of business, commercial, or governmental affairs. 1 Sec. 2. Section 554E.2, Code 2023, is amended by striking 2 the section and inserting in lieu thereof the following: 3 554E.2 Legal effect —— distributed ledger technology and 4 smart contracts —— ownership of information. 5 1. A record shall not be denied legal effect or 6 enforceability solely because the record is created, generated, 7 sent, communicated, received, recorded, or stored by means of 8 distributed ledger technology or a smart contract. 9 2. A signature shall not be denied legal effect or 10 enforceability solely because the signature is created, 11 generated, sent, communicated, received, recorded, or stored by 12 means of distributed ledger technology or a smart contract. 13 3. A contract shall not be denied legal effect or 14 enforceability solely for any of the following: 15 a. The contract is created, generated, sent, communicated, 16 received, executed, signed, adopted, recorded, or stored by 17 means of distributed ledger technology or a smart contract. 18 b. The contract contains a smart contract term. 19 c. An electronic record, distributed ledger technology, or a 20 smart contract was used in the contract’s formation. 21 4. A person who, in engaging in or affecting interstate 22 or foreign commerce, uses distributed ledger technology to 23 secure information that the person owns or has the right to use 24 retains the same rights of ownership or use with respect to 25 such information as before the person secured the information 26 using distributed ledger technology. This subsection does not 27 apply to the use of distributed ledger technology to secure 28 information in connection with a transaction to the extent that 29 the terms of the transaction expressly provide for the transfer 30 of rights of ownership or use with respect to such information. 31 Sec. 3. Section 554E.3, Code 2023, is amended by striking 32 the section and inserting in lieu thereof the following: 33 554E.3 Affirmative defenses. 34 1. A covered entity seeking an affirmative defense under 35 -4- LSB 1265YC (3) 90 cm/ns 4/ 9

H.F. _____ this chapter shall create, maintain, and comply with a written 1 cybersecurity program that contains administrative, technical, 2 operational, and physical safeguards for the protection of both 3 personal information and restricted information. 4 2. A covered entity’s cybersecurity program shall be 5 designed to do all of the following: 6 a. Continually evaluate and mitigate any reasonably 7 anticipated internal or external threats or hazards that could 8 lead to a data breach. 9 b. Periodically evaluate no less than annually the maximum 10 probable loss attainable from a data breach. 11 c. Communicate to any affected parties the extent of any 12 risk posed and any actions the affected parties could take to 13 reduce any damages if a data breach is known to have occurred. 14 3. The scale and scope of a covered entity’s cybersecurity 15 program is appropriate if the cost to operate the cybersecurity 16 program is no less than the covered entity’s most recently 17 calculated maximum probable loss value. 18 4. a. A covered entity that satisfies all requirements 19 of this section is entitled to an affirmative defense to any 20 cause of action sounding in tort that is brought under the 21 laws of this state or in the courts of this state and that 22 alleges that the failure to implement reasonable information 23 security controls resulted in a data breach concerning personal 24 information or restricted information. 25 b. A covered entity satisfies all requirements of this 26 section if its cybersecurity program reasonably conforms to an 27 industry-recognized cybersecurity framework, as described in 28 section 554E.4. 29 Sec. 4. Section 554E.4, Code 2023, is amended by striking 30 the section and inserting in lieu thereof the following: 31 554E.4 Cybersecurity program framework. 32 1. A covered entity’s cybersecurity program, as 33 described in section 554E.3, reasonably conforms to an 34 industry-recognized cybersecurity framework for purposes of 35 -5- LSB 1265YC (3) 90 cm/ns 5/ 9

H.F. _____ section 554E.3 if any of the following are true: 1 a. (1) The cybersecurity program reasonably conforms to the 2 current version of any of the following or any combination of 3 the following, subject to subparagraph (2) and subsection 2: 4 (a) The framework for improving critical infrastructure 5 cybersecurity developed by the national institute of standards 6 and technology. 7 (b) National institute of standards and technology special 8 publication 800-171. 9 (c) National institute of standards and technology special 10 publications 800-53 and 800-53a. 11 (d) The federal risk and authorization management program 12 security assessment framework. 13 (e) The center for internet security critical security 14 controls for effective cyber defense. 15 (f) The international organization for 16 standardization/international electrotechnical commission 27000 17 family —— information security management systems. 18 (2) When a final revision to a framework listed in 19 subparagraph (1) is published, a covered entity whose 20 cybersecurity program reasonably conforms to that framework 21 shall reasonably conform the elements of its cybersecurity 22 program to the revised framework within the time frame provided 23 in the relevant framework upon which the covered entity intends 24 to rely to support its affirmative defense, but in no event 25 later than one year after the publication date stated in the 26 revision. 27 b. (1) The covered entity is regulated by the state, by 28 the federal government, or both, or is otherwise subject to 29 the requirements of any of the laws or regulations listed 30 below, and the cybersecurity program reasonably conforms to 31 the entirety of the current version of any of the following, 32 subject to subparagraph (2): 33 (a) The security requirements of the federal Health 34 Insurance Portability and Accountability Act of 1996, as set 35 -6- LSB 1265YC (3) 90 cm/ns 6/ 9

H.F. _____ forth in 45 C.F.R. pt. 164, subpt. C. 1 (b) Title V of the federal Gramm-Leach-Bliley Act of 1999, 2 Pub. L. No. 106-102, as amended. 3 (c) The federal Information Security Modernization Act of 4 2014, Pub. L. No. 113-283. 5 (d) The federal Health Information Technology for Economic 6 and Clinical Health Act as set forth in 45 C.F.R. pt. 162. 7 (2) When a framework listed in subparagraph (1) is amended, 8 a covered entity whose cybersecurity program reasonably 9 conforms to that framework shall reasonably conform the 10 elements of its cybersecurity program to the amended framework 11 within the time frame provided in the relevant framework 12 upon which the covered entity intends to rely to support its 13 affirmative defense, but in no event later than one year after 14 the effective date of the amended framework. 15 c. (1) The cybersecurity program reasonably complies 16 with both the current version of the payment card industry 17 data security standard and conforms to the current version of 18 another applicable industry-recognized cybersecurity framework 19 listed in paragraph “a” , subject to subparagraph (2) and 20 subsection 2. 21 (2) When a final revision to the payment card industry 22 data security standard is published, a covered entity whose 23 cybersecurity program reasonably complies with that standard 24 shall reasonably comply the elements of its cybersecurity 25 program with the revised standard within the time frame 26 provided in the relevant framework upon which the covered 27 entity intends to rely to support its affirmative defense, but 28 in no event later than one year after the publication date 29 stated in the revision. 30 2. If a covered entity’s cybersecurity program reasonably 31 conforms to a combination of industry-recognized cybersecurity 32 frameworks, or complies with a standard, as in the case of the 33 payment card industry data security standard, as described in 34 subsection 1, paragraph “a” or “c” , and two or more of those 35 -7- LSB 1265YC (3) 90 cm/ns 7/ 9

H.F. _____ frameworks are revised, the covered entity whose cybersecurity 1 program reasonably conforms to or complies with, as applicable, 2 those frameworks shall reasonably conform the elements of its 3 cybersecurity program to or comply with, as applicable, all of 4 the revised frameworks within the time frames provided in the 5 relevant frameworks but in no event later than one year after 6 the latest publication date stated in the revisions. 7 Sec. 5. NEW SECTION . 554E.5 Causes of actions. 8 This chapter shall not be construed to provide a private 9 right of action, including a class action, with respect to any 10 act or practice regulated under this chapter. 11 EXPLANATION 12 The inclusion of this explanation does not constitute agreement with 13 the explanation’s substance by the members of the general assembly. 14 This bill relates to the use of certain technology. 15 The bill provides that a record, signature, or contract 16 shall not be denied legal effect because it is created or 17 stored by means of distributed ledger technology or a smart 18 contract, as those terms are defined in the bill. The bill 19 provides that the ownership of the secure information remains 20 with the original owner of the information, not the distributed 21 ledger technology owner, unless specifically provided 22 otherwise. 23 The bill creates affirmative defenses for entities using 24 cybersecurity programs. The bill provides that a covered 25 entity seeking an affirmative defense must use a cybersecurity 26 program for the protection of personal information and 27 restricted information and the cybersecurity program must 28 reasonably conform to an industry-recognized cybersecurity 29 framework. A cybersecurity program must continually evaluate 30 and mitigate reasonably anticipated threats, periodically 31 evaluate the maximum probable loss attainable from a data 32 breach, and communicate to affected parties the risk posed 33 and actions the affected parties could take to reduce damages 34 if a data breach has occurred. The scale and scope of a 35 -8- LSB 1265YC (3) 90 cm/ns 8/ 9

H.F. _____ cybersecurity program is appropriate if the cost to operate the 1 program is no less than the covered entity’s maximum probable 2 loss value. A covered entity that satisfies these requirements 3 and that reasonably conforms to an industry-recognized 4 cybersecurity framework is entitled to an affirmative defense 5 to a tort claim that alleges that the failure to implement 6 reasonable information security controls resulted in a 7 data breach concerning personal information or restricted 8 information. 9 The bill details industry-recognized cybersecurity 10 frameworks that the covered entity may follow and reasonably 11 comply with in order to qualify for the affirmative defense. 12 The bill does not provide a private right of action, 13 including a class action. 14 -9- LSB 1265YC (3) 90 cm/ns 9/ 9