S.F. 495 Section 1. NEW SECTION . 554G.1 Definitions. 1 As used in this chapter: 2 1. “Business” means any limited liability company, limited 3 liability partnership, corporation, sole proprietorship, 4 association, or other group, however organized and whether 5 operating for profit or not for profit, including a financial 6 institution organized, chartered, or holding a license 7 authorizing operation under the laws of this state, any other 8 state, the United States, or any other country, or the parent 9 or subsidiary of any of the foregoing, including an entity 10 organized under chapter 28E. “Business” does not include a 11 municipality as defined in section 670.1. 12 2. “Contract” means the same as defined in section 554D.103. 13 3. “Covered entity” means a business that accesses, 14 receives, stores, maintains, communicates, or processes 15 personal information or restricted information in or through 16 one or more systems, networks, or services located in or 17 outside this state. 18 4. “Data breach” means an intentional or unintentional 19 action that could result in electronic records owned, licensed 20 to, or otherwise protected by a covered entity being viewed, 21 copied, modified, transmitted, or destroyed in a manner that 22 is reasonably believed to have or may cause material risk of 23 identity theft, fraud, or other injury or damage to person or 24 property. “Data breach” does not include any of the following: 25 a. Good-faith acquisition of personal information or 26 restricted information by the covered entity’s employee or 27 agent for the purposes of the covered entity, provided that 28 the personal information or restricted information is not used 29 for an unlawful purpose or subject to further unauthorized 30 disclosure. 31 b. Acquisition or disclosure of personal information or 32 restricted information pursuant to a search warrant, subpoena, 33 or other court order, or pursuant to a subpoena, order, or duty 34 of a regulatory state agency. 35 -1- LSB 1826SV (2) 90 cm/ns 1/ 8

S.F. 495 5. “Distributed ledger technology” means the same as defined 1 in section 554E.1. 2 6. “Electronic record” means the same as defined in section 3 554D.103. 4 7. “Encrypted” means the use of an algorithmic process to 5 transform data into a form for which there is a low probability 6 of assigning meaning without use of a confidential process or 7 key. 8 8. “Individual” means a natural person. 9 9. “Maximum probable loss” means the greatest damage 10 expectation that could reasonably occur from a data breach. 11 For purposes of this subsection, “damage expectation” means the 12 total value of possible damage multiplied by the probability 13 that damage would occur. 14 10. a. “Personal information” means any information 15 relating to an individual who can be identified, directly or 16 indirectly, in particular by reference to an identifier such 17 as a name, an identification number, social security number, 18 driver’s license number or state identification card number, 19 passport number, account number or credit or debit card number, 20 location data, biometric data, an online identifier, or to 21 one or more factors specific to the physical, physiological, 22 genetic, mental, economic, cultural, or social identity of that 23 individual. 24 b. “Personal information” does not include publicly 25 available information that is lawfully made available to the 26 general public from federal, state, or local government records 27 or any of the following media that are widely distributed: 28 (1) Any news, editorial, or advertising statement published 29 in any bona fide newspaper, journal, or magazine, or broadcast 30 over radio, television, or the internet. 31 (2) Any gathering or furnishing of information or news by 32 any bona fide reporter, correspondent, or news bureau to news 33 media identified in this paragraph. 34 (3) Any publication designed for and distributed to members 35 -2- LSB 1826SV (2) 90 cm/ns 2/ 8

S.F. 495 of any bona fide association or charitable or fraternal 1 nonprofit business. 2 (4) Any type of media similar in nature to any item, entity, 3 or activity identified in this paragraph. 4 11. “Record” means the same as defined in section 554D.103. 5 12. “Redacted” means altered, truncated, or anonymized so 6 that, when applied to personal information, the data can no 7 longer be attributed to a specific individual without the use 8 of additional information. 9 13. “Restricted information” means any information about 10 an individual, other than personal information, or business 11 that, alone or in combination with other information, including 12 personal information, can be used to distinguish or trace the 13 identity of the individual or business, or that is linked or 14 linkable to an individual or business, if the information is 15 not encrypted, redacted, tokenized, or altered by any method or 16 technology in such a manner that the information is anonymized, 17 and the breach of which is likely to result in a material risk 18 of identity theft or other fraud to person or property. 19 14. “Smart contract” means the same as defined in section 20 554E.1. 21 15. “Transaction” means a sale, trade, exchange, transfer, 22 payment, or conversion of virtual currency or other digital 23 asset or any other property or any other action or set of 24 actions occurring between two or more persons relating to the 25 conduct of business, commercial, or governmental affairs. 26 Sec. 2. NEW SECTION . 554G.2 Affirmative defenses. 27 1. A covered entity seeking an affirmative defense under 28 this chapter shall create, maintain, and comply with a written 29 cybersecurity program that contains administrative, technical, 30 operational, and physical safeguards for the protection of both 31 personal information and restricted information. 32 2. A covered entity’s cybersecurity program shall be 33 designed to do all of the following: 34 a. Continually evaluate and mitigate any reasonably 35 -3- LSB 1826SV (2) 90 cm/ns 3/ 8

S.F. 495 anticipated internal or external threats or hazards that could 1 lead to a data breach. 2 b. Periodically evaluate no less than annually the maximum 3 probable loss attainable from a data breach. 4 c. Communicate to any affected parties the extent of any 5 risk posed and any actions the affected parties could take to 6 reduce any damages if a data breach is known to have occurred. 7 3. The scale and scope of a covered entity’s cybersecurity 8 program is appropriate if the cost to operate the cybersecurity 9 program is no less than the covered entity’s most recently 10 calculated maximum probable loss value. 11 4. a. A covered entity that satisfies all requirements 12 of this section is entitled to an affirmative defense to any 13 cause of action sounding in tort that is brought under the 14 laws of this state or in the courts of this state and that 15 alleges that the failure to implement reasonable information 16 security controls resulted in a data breach concerning personal 17 information or restricted information. 18 b. A covered entity satisfies all requirements of this 19 section if its cybersecurity program reasonably conforms to an 20 industry-recognized cybersecurity framework, as described in 21 section 554G.3. 22 Sec. 3. NEW SECTION . 554G.3 Cybersecurity program 23 framework. 24 1. A covered entity’s cybersecurity program, as 25 described in section 554G.2, reasonably conforms to an 26 industry-recognized cybersecurity framework for purposes of 27 section 554G.2 if any of the following are true: 28 a. (1) The cybersecurity program reasonably conforms to the 29 current version of any of the following or any combination of 30 the following, subject to subparagraph (2) and subsection 2: 31 (a) The framework for improving critical infrastructure 32 cybersecurity developed by the national institute of standards 33 and technology. 34 (b) National institute of standards and technology special 35 -4- LSB 1826SV (2) 90 cm/ns 4/ 8

S.F. 495 publication 800-171. 1 (c) National institute of standards and technology special 2 publications 800-53 and 800-53a. 3 (d) The federal risk and authorization management program 4 security assessment framework. 5 (e) The center for internet security critical security 6 controls for effective cyber defense. 7 (f) The international organization for 8 standardization/international electrotechnical commission 27000 9 family —— information security management systems. 10 (2) When a final revision to a framework listed in 11 subparagraph (1) is published, a covered entity whose 12 cybersecurity program reasonably conforms to that framework 13 shall reasonably conform the elements of its cybersecurity 14 program to the revised framework within the time frame provided 15 in the relevant framework upon which the covered entity intends 16 to rely to support its affirmative defense, but in no event 17 later than one year after the publication date stated in the 18 revision. 19 b. (1) The covered entity is regulated by the state, by 20 the federal government, or both, or is otherwise subject to 21 the requirements of any of the laws or regulations listed 22 below, and the cybersecurity program reasonably conforms to 23 the entirety of the current version of any of the following, 24 subject to subparagraph (2): 25 (a) The security requirements of the federal Health 26 Insurance Portability and Accountability Act of 1996, as set 27 forth in 45 C.F.R. pt. 164, subpt. C. 28 (b) Title V of the federal Gramm-Leach-Bliley Act of 1999, 29 Pub. L. No. 106-102, as amended. 30 (c) The federal Information Security Modernization Act of 31 2014, Pub. L. No. 113-283. 32 (d) The federal Health Information Technology for Economic 33 and Clinical Health Act as set forth in 45 C.F.R. pt. 162. 34 (e) Chapter 507F. 35 -5- LSB 1826SV (2) 90 cm/ns 5/ 8

S.F. 495 (f) Any applicable rules, regulations, or guidelines for 1 critical infrastructure protection adopted by the federal 2 environmental protection agency, the federal cybersecurity 3 and infrastructure security agency, or the north American 4 reliability corporation. 5 (2) When a framework listed in subparagraph (1) is amended, 6 a covered entity whose cybersecurity program reasonably 7 conforms to that framework shall reasonably conform the 8 elements of its cybersecurity program to the amended framework 9 within the time frame provided in the relevant framework 10 upon which the covered entity intends to rely to support its 11 affirmative defense, but in no event later than one year after 12 the effective date of the amended framework. 13 c. (1) The cybersecurity program reasonably complies 14 with both the current version of the payment card industry 15 data security standard and conforms to the current version of 16 another applicable industry-recognized cybersecurity framework 17 listed in paragraph “a” , subject to subparagraph (2) and 18 subsection 2. 19 (2) When a final revision to the payment card industry 20 data security standard is published, a covered entity whose 21 cybersecurity program reasonably complies with that standard 22 shall reasonably comply the elements of its cybersecurity 23 program with the revised standard within the time frame 24 provided in the relevant framework upon which the covered 25 entity intends to rely to support its affirmative defense, but 26 in no event later than one year after the publication date 27 stated in the revision. 28 2. If a covered entity’s cybersecurity program reasonably 29 conforms to a combination of industry-recognized cybersecurity 30 frameworks, or complies with a standard, as in the case of the 31 payment card industry data security standard, as described in 32 subsection 1, paragraph “a” or “c” , and two or more of those 33 frameworks are revised, the covered entity whose cybersecurity 34 program reasonably conforms to or complies with, as applicable, 35 -6- LSB 1826SV (2) 90 cm/ns 6/ 8

S.F. 495 those frameworks shall reasonably conform the elements of its 1 cybersecurity program to or comply with, as applicable, all of 2 the revised frameworks within the time frames provided in the 3 relevant frameworks but in no event later than one year after 4 the latest publication date stated in the revisions. 5 Sec. 4. NEW SECTION . 554G.4 Causes of action. 6 This chapter shall not be construed to provide a private 7 right of action, including a class action, with respect to any 8 act or practice regulated under this chapter. 9 EXPLANATION 10 The inclusion of this explanation does not constitute agreement with 11 the explanation’s substance by the members of the general assembly. 12 This bill creates affirmative defenses for entities using 13 cybersecurity programs. The bill provides that a covered 14 entity seeking an affirmative defense must use a cybersecurity 15 program for the protection of personal information and 16 restricted information and the cybersecurity program must 17 reasonably conform to an industry-recognized cybersecurity 18 framework. A cybersecurity program must continually evaluate 19 and mitigate reasonably anticipated threats, periodically 20 evaluate the maximum probable loss attainable from a data 21 breach, and communicate to affected parties the risk posed 22 and actions the affected parties could take to reduce damages 23 if a data breach has occurred. The scale and scope of a 24 cybersecurity program is appropriate if the cost to operate the 25 program is no less than the covered entity’s maximum probable 26 loss value. A covered entity that satisfies these requirements 27 and that reasonably conforms to an industry-recognized 28 cybersecurity framework is entitled to an affirmative defense 29 to a tort claim that alleges that the failure to implement 30 reasonable information security controls resulted in a 31 data breach concerning personal information or restricted 32 information. 33 The bill details industry-recognized cybersecurity 34 frameworks that the covered entity may follow and reasonably 35 -7- LSB 1826SV (2) 90 cm/ns 7/ 8