Senate File 2259 - Reprinted
SENATE FILE 2259
BY COMMITTEE ON JUDICIARY
(SUCCESSOR TO SSB 3040)
(As Amended and Passed by the Senate February 26, 2014)
A BILL FOR
An Act modifying provisions applicable to personal information security breach notification requirements, and making penalties applicable.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
SF 2259 (3) 85 rn/nh/jh
Section 1. Section 715C.1, subsection 1, Code 2014, is amended to read as follows:
1. “Breach of security” means unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. “Breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form. Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.
Sec. 2. Section 715C.1, subsection 11, unnumbered paragraph 1, Code 2014, is amended to read as follows:
“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security:
Sec. 3. Section 715C.1, subsection 11, paragraph c, Code 2014, is amended to read as follows:
c. Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account.
Sec. 4. Section 715C.2, Code 2014, is amended to read as follows:
715C.2 Security breach —— consumer notification requirements —— remedies.
1. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to any consumer whose personal information was included in the information that was breached. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection 3, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.
2. Any person who maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer’s personal information was included in the information that was breached.
3. The consumer notification requirements of this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the agency has made a written request that the notification be delayed. The notification required by this section shall be made after the law enforcement agency determines that the notification will not compromise the investigation and notifies the person required to give notice in writing.
4. For purposes of this section, notification to the consumer may be provided by one of the following methods:
a. Written notice to the last available address the person has in the person’s records.
b. Electronic notice if the person’s customary method of communication with the consumer is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in chapter 554D and the federal Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001.
c. Substitute notice, if the person demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of consumers to be notified exceeds three hundred fifty thousand persons, or if the person does not have sufficient contact information to provide notice. Substitute notice shall consist of the following:
(1) Electronic mail notice when the person has an electronic mail address for the affected consumers.
(2) Conspicuous posting of the notice or a link to the notice on the internet site of the person if the person maintains an internet site.
(3) Notification to major statewide media.
5. Notice pursuant to this section shall include, at a minimum, all of the following:
a. A description of the breach of security.
b. The approximate date of the breach of security.
c. The type of personal information obtained as a result of the breach of security.
d. Contact information for consumer reporting agencies.
e. Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general.
6. Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.
7. This section does not apply to any of the following:
a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator.
b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.
c. A person who is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801–6809.
8. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred residents of this state pursuant to this section shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general within three business days after giving notice of the breach of security to any consumer pursuant to this section.
8. 9. a. A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by the violation.
b. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under the law.