Senate File 2308 - Reprinted



                                       SENATE FILE       
                                       BY  COMMITTEE ON COMMERCE

                                       (SUCCESSOR TO SSB 3200)


    Passed Senate, Date               Passed House,  Date             
    Vote:  Ayes        Nays           Vote:  Ayes        Nays         
                 Approved                            

                                      A BILL FOR

  1 An Act relating to identity theft by providing for the
  2    notification of a breach in the security of personal
  3    information, requesting the establishment of an interim study
  4    committee relating to disclosure of personal information by
  5    public officials, entities, and affiliated organizations, and
  6    providing penalties.
  7 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
  8 SF 2308
  9 rn/nh/ml/12

PAG LIN



  1  1    Section 1.  NEW SECTION.  715C.1  DEFINITIONS.
  1  2    As used in this chapter, unless the context otherwise
  1  3 requires:
  1  4    1.  "Breach of security" means unauthorized acquisition of
  1  5 personal information maintained in computerized form by a person that compromises
  1  6 the security, confidentiality, or integrity of the personal
  1  7 information.  Good faith acquisition of personal information
  1  8 by a person or that person's employee or agent for a
  1  9 legitimate purpose of that person is not a breach of security,
  1 10 provided that the personal information is not used in
  1 11 violation of applicable law or in a manner that harms or poses
  1 12 an actual threat to the security, confidentiality, or
  1 13 integrity of the personal information.
  1 22    2.  "Consumer" means an individual who is a resident of
  1 23 this state.
  1 24    3.  "Consumer reporting agency" means the same as defined
  1 25 by the federal Fair Credit Reporting Act, 15 U.S.C. § 1681a.
  1 26    4.  "Debt" means the same as provided in section 537.7102.
  1 27    5.  "Encryption" means the use of an algorithmic process to
  1 28 transform data into a form in which the data is rendered
  1 29 unreadable or unusable without the use of a confidential
  1 30 process or key.
  1 31    6.  "Extension of credit" means the right to defer payment
  1 32 of debt or to incur debt and defer its payment offered or
  1 33 granted primarily for personal, family, or household purposes.
  1 34    7.  "Financial institution" means the same as defined in
  1 35 section 536C.2, subsection 6.
  2  1    8.  "Identity theft" means the same as provided in section
  2  2 715A.8.
  2  3    9.  "Payment card" means the same as defined in section
  2  4 715A.10, subsection 3, paragraph "b".
  2  5    10.  "Person" means an individual; corporation; business
  2  6 trust; estate; trust; partnership; limited liability company;
  2  7 association; joint venture; government; governmental
  2  8 subdivision, agency, or instrumentality; public corporation;
  2  9 or any other legal or commercial entity.
  2 10    11.  "Personal information" means an individual's first
  2 11 name or first initial and last name in combination with any
  2 12 one or more of the following data elements that relate to the
  2 13 individual if any of the data elements are not encrypted,
  2 14 redacted, or otherwise altered by any method or technology in
  2 15 such a manner that the name or data elements are unreadable:
  2 16    a.  Social security number.
  2 17    b.  Driver's license number or other unique identification
  2 18 number created or collected by a government body.
  2 19    c.  Financial account number, credit card number, or debit
  2 20 card number in combination with any required security code,
  2 21 access code, or password that would permit access to an
  2 22 individual's financial account.
  2 23    d.  Unique electronic identifier or routing code, in
  2 24 combination with any required security code, access code, or
  2 25 password that would permit access to an individual's financial
  2 26 account.
  2 27    e.  Unique biometric data, such as a fingerprint,
  2 28 retina or iris image, or other unique
  2 29 physical representation or digital representation of biometric
  2 30 data.
  2 31    "Personal information" does not include information that is
  2 32 lawfully obtained from publicly available sources, or from
  2 33 federal, state, or local government records lawfully made
  2 34 available to the general public.
  2 35    12.  "Redacted" means altered or truncated so that no more
  3  1 than five digits of a social security number or the last four digits of other
  3  2 numbers designated in section 715A.8, subsection 1, paragraph
  3  3 "a", is accessible as part of the data.
  3  4    Sec. 2.  NEW SECTION.  715C.2  SECURITY BREACH — CONSUMER
  3  5 NOTIFICATION — REMEDIES.
  3  6    1.  Any person who owns or licenses computerized
  3  7 data that includes a consumer's personal information that is
  3  8 used in the course of the person's business, vocation,
  3  9 occupation, or volunteer activities and that was subject to a
  3 10 breach of security shall give notice of the breach of security
  3 11 following discovery of such breach of security, or receipt of
  3 12 notification under subsection 2, to any consumer whose
  3 13 personal information was included in the information that was
  3 14 breached.  The consumer notification shall be made in the most
  3 15 expeditious manner possible and without unreasonable delay,
  3 16 consistent with the legitimate needs of law enforcement as
  3 17 provided in subsection 3, and consistent with any measures
  3 18 necessary to sufficiently determine contact information for
  3 19 the affected consumers, determine the scope of the breach, and
  3 20 restore the reasonable integrity, security, and
  3 21 confidentiality of the data.
  3 22    2.  Any person who maintains or otherwise possesses
  3 23 personal information on behalf of another person shall notify
  3 24 the owner or licensor of the information of any breach of
  3 25 security immediately following discovery of such breach of
  3 26 security if a consumer's personal information was included in
  3 27 the information that was breached.
  3 28    3.  The consumer notification requirements of this section
  3 29 may be delayed if a law enforcement agency determines that the
  3 30 notification will impede a criminal investigation and the
  3 31 agency has made a written request that the notification be
  3 32 delayed.  The notification required by this section shall be
  3 33 made after the law enforcement agency determines that the
  3 34 notification will not compromise the investigation and
  3 35 notifies the person required to give notice in writing.
  4  1    4.  For purposes of this section, notification to the
  4  2 consumer may be provided by one of the following methods:
  4  3    a.  Written notice to the last available address the person has in the person's records.
  4  4    b.  Electronic notice if the person's customary method of
  4  5 communication with the consumer is by electronic means or is
  4  6 consistent with the provisions regarding electronic records
  4  7 and signatures set forth in chapter 554D and the federal
  4  8 Electronic Signatures in Global and National Commerce Act, 15
  4  9 U.S.C. § 7001.
  4 10    c.  Substitute notice, if the person demonstrates that the
  4 11 cost of providing notice would exceed two hundred fifty
  4 12 thousand dollars, that the affected class of consumers to be
  4 13 notified exceeds three hundred fifty thousand persons, or if
  4 14 the person does not have sufficient contact information to
  4 15 provide notice.  Substitute notice shall consist of the
  4 16 following:
  4 17    (1)  Electronic mail notice when the person has an
  4 18 electronic mail address for the affected consumers.
  4 19    (2)  Conspicuous posting of the notice or a link to the
  4 20 notice on the internet web site of the person if the person
  4 21 maintains an internet web site.
  4 22    (3)  Notification to major statewide media.
  4 23    5.  Notice pursuant to this section shall include, at a
  4 24 minimum, all of the following:
  4 25    a.  A description of the breach of security.
  4 26    b.  The approximate date of the breach of security.
  4 27    c.  The type of personal information obtained as a result
  4 28 of the breach of security.
  4 29    d.  Contact information for consumer reporting agencies.
  4 30    e.  Advice to the consumer to report suspected incidents of
  4 31 identity theft to local law enforcement or the attorney
  4 32 general.
  4 33    6.  Notwithstanding subsection 1, notification is not
  4 34 required if, after an appropriate investigation or after
  4 35 consultation with the relevant federal, state, or local
  5  1 agencies responsible for law enforcement, the person
  5  2 determined that no reasonable likelihood of financial harm to the
  5  3 consumers whose personal information has been acquired has
  5  4 resulted or will result from the breach.  Such a determination
  5  5 must be documented in writing and the documentation must be
  5  6 maintained for five years.
  5  7    7.  This section does not apply to any of the following:
  5  8    a.  A person who complies with notification requirements or
  5  9 breach of security procedures that provide greater protection
  5 10 to personal information and at least as thorough disclosure
  5 11 requirements than that provided by this section pursuant to
  5 12 the rules, regulations, procedures, guidance, or guidelines
  5 13 established by the person's primary or functional federal
  5 14 regulator.
  5 15    b.  A person who complies with a state or federal law that
  5 16 provides greater protection to personal information and at
  5 17 least as thorough disclosure requirements for breach of
  5 18 security or personal information than that provided by this
  5 19 section.
  5 20    c.  A person who is subject to and complies with
  5 21 regulations promulgated pursuant to Title V of the
  5 22 Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801-6809.
  5 23    8.  a.  A violation of this chapter is an unlawful practice
  5 24 pursuant to section 714.16 and, in addition to the remedies
  5 25 provided to the attorney general pursuant to section 714.16,
  5 26 subsection 7, the attorney general may seek and obtain an
  5 27 order that a party held to violate this section pay damages to
  5 28 the attorney general on behalf of a person injured by the
  5 29 violation.
  5 30    b.  The rights and remedies available under this section
  5 31 are cumulative to each other and to any other rights and
  5 32 remedies available under the law.
  5 32    Sec. 3.  DISCLOSURE OF PERSONAL INFORMATION BY
  5 32 PUBLIC OFFICIALS, ENTITIES, OR AFFILIATED
  5 32 ORGANIZATIONS — INTERIM STUDY COMMITTEE REQUESTED.
  5 32    The legislative council is requested to establish
  5 32 an interim study committee to assess and review the
  5 32 extent to which public officials, entities, and
  5 32 affiliated organizations in possession of or with
  5 32 access to personal identifying information of a
  5 32 resident of this state which could, if disclosed,
  5 32 render the resident vulnerable to identity theft, are
  5 32 disclosing or selling such information for
  5 32 compensation.  Based upon this assessment and review,
  5 32 the committee shall develop recommendations relating
  5 32 to these practices.  The committee shall be composed
  5 32 of ten members representing both political parties and
  5 32 both houses of the general assembly.  Five members
  5 32 shall be members of the senate, three of whom shall be
  5 32 appointed by the majority leader of the senate and two
  5 32 of whom shall be appointed by the minority leader of
  5 32 the senate.  The other five members shall be members
  5 32 of the house of representatives, three of whom shall
  5 32 be appointed by the speaker of the house of
  5 32 representatives and two of whom shall be appointed by
  5 32 the minority leader of the house of representatives.
  5 32 The committee shall issue a report of its
  5 32 recommendations to the general assembly by January 15,
  5 32 2009.