Senate File 2308 - Reprinted

SENATE FILE
BY COMMITTEE ON COMMERCE
(SUCCESSOR TO SSB 3200)

Passed Senate, Date        Passed House, Date
Vote: Ayes    Nays         Vote: Ayes    Nays
Approved

A BILL FOR

An Act relating to identity theft by providing for the notification of a breach in the security of personal information, requesting the establishment of an interim study committee relating to disclosure of personal information by public officials, entities, and affiliated organizations, and providing penalties.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

SF 2308
rn/nh/ml/12

Section 1. NEW SECTION. 715C.1 DEFINITIONS.

As used in this chapter, unless the context otherwise requires:

1. "Breach of security" means unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person's employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.

2. "Consumer" means an individual who is a resident of this state.

3. "Consumer reporting agency" means the same as defined by the federal Fair Credit Reporting Act, 15 U.S.C. § 1681a.

4. "Debt" means the same as provided in section 537.7102.

5. "Encryption" means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

6.
"Extension of credit" means the right to defer payment of debt or to incur debt and defer its payment offered or granted primarily for personal, family, or household purposes.

7. "Financial institution" means the same as defined in section 536C.2, subsection 6.

8. "Identity theft" means the same as provided in section 715A.8.

9. "Payment card" means the same as defined in section 715A.10, subsection 3, paragraph "b".

10. "Person" means an individual; corporation; business trust; estate; trust; partnership; limited liability company; association; joint venture; government; governmental subdivision, agency, or instrumentality; public corporation; or any other legal or commercial entity.

11. "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:

a. Social security number.

b. Driver's license number or other unique identification number created or collected by a government body.

c. Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

d. Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

e. Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
"Personal information" does not include information that is lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the general public.

12. "Redacted" means altered or truncated so that no more than five digits of a social security number or the last four digits of other numbers designated in section 715A.8, subsection 1, paragraph "a", is accessible as part of the data.

Sec. 2. NEW SECTION. 715C.2 SECURITY BREACH -- CONSUMER NOTIFICATION -- REMEDIES.

1. Any person who owns or licenses computerized data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to any consumer whose personal information was included in the information that was breached. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection 3, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.

2. Any person who maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer's personal information was included in the information that was breached.

3.
The consumer notification requirements of this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the agency has made a written request that the notification be delayed. The notification required by this section shall be made after the law enforcement agency determines that the notification will not compromise the investigation and notifies the person required to give notice in writing.

4. For purposes of this section, notification to the consumer may be provided by one of the following methods:

a. Written notice to the last available address the person has in the person's records.

b. Electronic notice if the person's customary method of communication with the consumer is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in chapter 554D and the federal Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001.

c. Substitute notice, if the person demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of consumers to be notified exceeds three hundred fifty thousand persons, or if the person does not have sufficient contact information to provide notice. Substitute notice shall consist of the following:

(1) Electronic mail notice when the person has an electronic mail address for the affected consumers.

(2) Conspicuous posting of the notice or a link to the notice on the internet web site of the person if the person maintains an internet web site.

(3) Notification to major statewide media.

5. Notice pursuant to this section shall include, at a minimum, all of the following:

a. A description of the breach of security.

b. The approximate date of the breach of security.

c.
The type of personal information obtained as a result of the breach of security.

d. Contact information for consumer reporting agencies.

e. Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general.

6. Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.

7. This section does not apply to any of the following:

a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person's primary or functional federal regulator.

b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.

c. A person who is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801-6809.

8. a.
A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by the violation.

b. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under the law.

Sec. 3. DISCLOSURE OF PERSONAL INFORMATION BY PUBLIC OFFICIALS, ENTITIES, OR AFFILIATED ORGANIZATIONS -- INTERIM STUDY COMMITTEE REQUESTED.

The legislative council is requested to establish an interim study committee to assess and review the extent to which public officials, entities, and affiliated organizations in possession of or with access to personal identifying information of a resident of this state which could, if disclosed, render the resident vulnerable to identity theft, are disclosing or selling such information for compensation. Based upon this assessment and review, the committee shall develop recommendations relating to these practices. The committee shall be composed of ten members representing both political parties and both houses of the general assembly. Five members shall be members of the senate, three of whom shall be appointed by the majority leader of the senate and two of whom shall be appointed by the minority leader of the senate. The other five members shall be members of the house of representatives, three of whom shall be appointed by the speaker of the house of representatives and two of whom shall be appointed by the minority leader of the house of representatives.
The committee shall issue a report of its recommendations to the general assembly by January 15, 2009.
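As an added illustration that is not part of the bill, the following Python sketch applies the definitions in 715C.1(5) ("encryption"), 715C.1(11) ("personal information") and 715C.1(12) ("redacted") to a set of exposed records and reports which of them would trigger the consumer notice in 715C.2(1). The field names, the Encrypted marker, the treatment of non-digit characters as masking, and the sample records are constructed assumptions for this example; the "other numbers designated in section 715A.8" are assumed to include the government identification, account and card numbers listed in 715C.1(11)(b)-(d). The sketch does not model the law-enforcement delay in subsection 3, the no-financial-harm determination in subsection 6, or the exemptions in subsection 7, which call for judgment rather than a field test.

```python
from __future__ import annotations
from dataclasses import dataclass


# Assumed marker for a value held only in encrypted form (715C.1(5)):
# an encrypted element is unreadable without the key and does not count.
@dataclass(frozen=True)
class Encrypted:
    ciphertext: str


# Characters assumed to stand for masked digits in a redacted number.
MASK_CHARS = set("X*#x")

# Data elements of 715C.1(11)(a)-(e); the field names are assumptions.
# True = the element only counts together with a security code, access
# code or password that would permit access to the account ((c) and (d)).
DATA_ELEMENTS = {
    "ssn": False,                      # (a) social security number
    "government_id": False,            # (b) driver's license / government-issued number
    "financial_account": True,         # (c) financial account number
    "card_number": True,               # (c) credit or debit card number
    "electronic_id_or_routing": True,  # (d) unique electronic identifier or routing code
    "biometric": False,                # (e) unique biometric data
}
ACCESS_CODE_FIELDS = ("security_code", "access_code", "password")


def accessible_digits(value: str) -> str:
    """Digits still readable in a possibly masked or truncated number."""
    return "".join(ch for ch in value if ch.isdigit())


def is_redacted(value: str, element: str) -> bool:
    """715C.1(12): an SSN is redacted when no more than five digits are
    accessible; any other designated number when only its last four digits
    are accessible, i.e. nothing readable ahead of the last mask character."""
    digits = accessible_digits(value)
    if element == "ssn":
        return len(digits) <= 5
    last_mask = max((i for i, ch in enumerate(value) if ch in MASK_CHARS), default=-1)
    return len(digits) <= 4 and not accessible_digits(value[: last_mask + 1])


def readable(record: dict, name: str):
    """Value of a field if it is present and not encrypted, else None."""
    value = record.get(name)
    return None if value is None or isinstance(value, Encrypted) else value


def triggering_elements(record: dict) -> list[str]:
    """Data elements that make this record 'personal information' under
    715C.1(11). An empty list means the record does not qualify."""
    if record.get("public_source"):
        return []  # exclusion for lawfully public information
    if not (readable(record, "first_name") and readable(record, "last_name")):
        return []  # the name (or first initial and last name) must itself be readable
    hits = []
    for element, needs_code in DATA_ELEMENTS.items():
        value = readable(record, element)
        if value is None:
            continue
        if element != "biometric" and is_redacted(value, element):
            continue
        if needs_code and not any(readable(record, f) for f in ACCESS_CODE_FIELDS):
            continue
        hits.append(element)
    return hits


def records_requiring_notice(records: list[dict]) -> list[int]:
    """Indexes of records whose exposure is a notifiable breach of a
    consumer's personal information under 715C.2(1)."""
    return [i for i, r in enumerate(records) if triggering_elements(r)]


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"first_name": "J", "last_name": "Doe", "ssn": "123-45-6789"},                  # 0: first initial + clear SSN
    {"first_name": "Jane", "last_name": "Doe", "ssn": "XXX-XX-6789"},               # 1: SSN redacted to four digits
    {"first_name": "Jane", "last_name": "Doe", "card_number": "4111111111111111"},  # 2: card number, no access code
    {"first_name": "Jane", "last_name": "Doe", "card_number": "4111111111111111",
     "security_code": "123"},                                                       # 3: card number plus code
    {"first_name": "Jane", "last_name": "Doe", "ssn": Encrypted("9f1c2ab7")},       # 4: SSN stored encrypted
    {"first_name": Encrypted("c0ffee"), "last_name": "Doe", "ssn": "123-45-6789"},  # 5: name not readable
    {"first_name": "Jane", "last_name": "Doe", "government_id": "D123456789",
     "public_source": True},                                                        # 6: lawfully public record
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, triggering_elements(rec))
    print("records requiring notice:", records_requiring_notice(SAMPLE_RECORDS))
```

Records 0 and 3 are the only ones that qualify: a first initial plus a readable nine-digit SSN, and a card number paired with a readable security code. A card number alone, a redacted or encrypted element, an encrypted name, or a lawfully public record does not meet the definition and so does not, by itself, start the notice obligation.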