Senate File 495 - Introduced

SENATE FILE 495
BY COMMITTEE ON TECHNOLOGY
(SUCCESSOR TO SSB 1095)
(COMPANION TO LSB 1265HV BY COMMITTEE ON ECONOMIC GROWTH AND TECHNOLOGY)

A BILL FOR

An Act relating to affirmative defenses for entities using cybersecurity programs.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

LSB 1826SV (2) 90
cm/ns

Section 1. NEW SECTION. 554G.1 Definitions.

As used in this chapter:

1. “Business” means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of any of the foregoing, including an entity organized under chapter 28E. “Business” does not include a municipality as defined in section 670.1.

2. “Contract” means the same as defined in section 554D.103.

3. “Covered entity” means a business that accesses, receives, stores, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.

4. “Data breach” means an intentional or unintentional action that could result in electronic records owned, licensed to, or otherwise protected by a covered entity being viewed, copied, modified, transmitted, or destroyed in a manner that is reasonably believed to have or may cause material risk of identity theft, fraud, or other injury or damage to person or property. “Data breach” does not include any of the following:

a. Good-faith acquisition of personal information or restricted information by the covered entity’s employee or agent for the purposes of the covered entity, provided that the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure.

b. Acquisition or disclosure of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.

5. “Distributed ledger technology” means the same as defined in section 554E.1.

6. “Electronic record” means the same as defined in section 554D.103.

7. “Encrypted” means the use of an algorithmic process to transform data into a form for which there is a low probability of assigning meaning without use of a confidential process or key.

8. “Individual” means a natural person.

9. “Maximum probable loss” means the greatest damage expectation that could reasonably occur from a data breach. For purposes of this subsection, “damage expectation” means the total value of possible damage multiplied by the probability that damage would occur.

10. a. “Personal information” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, social security number, driver’s license number or state identification card number, passport number, account number or credit or debit card number, location data, biometric data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

b. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or any of the following media that are widely distributed:

(1) Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio, television, or the internet.

(2) Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media identified in this paragraph.

(3) Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit business.

(4) Any type of media similar in nature to any item, entity, or activity identified in this paragraph.

11. “Record” means the same as defined in section 554D.103.

12. “Redacted” means altered, truncated, or anonymized so that, when applied to personal information, the data can no longer be attributed to a specific individual without the use of additional information.

13. “Restricted information” means any information about an individual, other than personal information, or business that, alone or in combination with other information, including personal information, can be used to distinguish or trace the identity of the individual or business, or that is linked or linkable to an individual or business, if the information is not encrypted, redacted, tokenized, or altered by any method or technology in such a manner that the information is anonymized, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.

14. “Smart contract” means the same as defined in section 554E.1.

15. “Transaction” means a sale, trade, exchange, transfer, payment, or conversion of virtual currency or other digital asset or any other property or any other action or set of actions occurring between two or more persons relating to the conduct of business, commercial, or governmental affairs.

Sec. 2. NEW SECTION. 554G.2 Affirmative defenses.

1. A covered entity seeking an affirmative defense under this chapter shall create, maintain, and comply with a written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information and restricted information.

2. A covered entity’s cybersecurity program shall be designed to do all of the following:

a. Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach.

b. Periodically evaluate no less than annually the maximum probable loss attainable from a data breach.

c. Communicate to any affected parties the extent of any risk posed and any actions the affected parties could take to reduce any damages if a data breach is known to have occurred.

3. The scale and scope of a covered entity’s cybersecurity program is appropriate if the cost to operate the cybersecurity program is no less than the covered entity’s most recently calculated maximum probable loss value.

4. a. A covered entity that satisfies all requirements of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.

b. A covered entity satisfies all requirements of this section if its cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework, as described in section 554G.3.

Sec. 3. NEW SECTION. 554G.3 Cybersecurity program framework.

1. A covered entity’s cybersecurity program, as described in section 554G.2, reasonably conforms to an industry-recognized cybersecurity framework for purposes of section 554G.2 if any of the following are true:

a. (1) The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to subparagraph (2) and subsection 2:

(a) The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology.

(b) National institute of standards and technology special publication 800-171.

(c) National institute of standards and technology special publications 800-53 and 800-53a.

(d) The federal risk and authorization management program security assessment framework.

(e) The center for internet security critical security controls for effective cyber defense.

(f) The international organization for standardization/international electrotechnical commission 27000 family — information security management systems.

(2) When a final revision to a framework listed in subparagraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the revised framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.

b. (1) The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to subparagraph (2):

(a) The security requirements of the federal Health Insurance Portability and Accountability Act of 1996, as set forth in 45 C.F.R. pt. 164, subpt. C.

(b) Title V of the federal Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.

(c) The federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.

(d) The federal Health Information Technology for Economic and Clinical Health Act as set forth in 45 C.F.R. pt. 162.

(e) Chapter 507F.

(f) Any applicable rules, regulations, or guidelines for critical infrastructure protection adopted by the federal environmental protection agency, the federal cybersecurity and infrastructure security agency, or the north American reliability corporation.

(2) When a framework listed in subparagraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the amended framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the effective date of the amended framework.

c. (1) The cybersecurity program reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in paragraph “a”, subject to subparagraph (2) and subsection 2.

(2) When a final revision to the payment card industry data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply the elements of its cybersecurity program with the revised standard within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.

2. If a covered entity’s cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry data security standard, as described in subsection 1, paragraph “a” or “c”, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform the elements of its cybersecurity program to or comply with, as applicable, all of the revised frameworks within the time frames provided in the relevant frameworks but in no event later than one year after the latest publication date stated in the revisions.

Sec. 4. NEW SECTION. 554G.4 Causes of action.

This chapter shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under this chapter.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill creates affirmative defenses for entities using cybersecurity programs. The bill provides that a covered entity seeking an affirmative defense must use a cybersecurity program for the protection of personal information and restricted information and the cybersecurity program must reasonably conform to an industry-recognized cybersecurity framework. A cybersecurity program must continually evaluate and mitigate reasonably anticipated threats, periodically evaluate the maximum probable loss attainable from a data breach, and communicate to affected parties the risk posed and actions the affected parties could take to reduce damages if a data breach has occurred. The scale and scope of a cybersecurity program is appropriate if the cost to operate the program is no less than the covered entity’s maximum probable loss value. A covered entity that satisfies these requirements and that reasonably conforms to an industry-recognized cybersecurity framework is entitled to an affirmative defense to a tort claim that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.

The bill details industry-recognized cybersecurity frameworks that the covered entity may follow and reasonably comply with in order to qualify for the affirmative defense.

The bill does not provide a private right of action, including a class action.