Senate File 2391 - Reprinted

SENATE FILE 2391
BY COMMITTEE ON STATE GOVERNMENT
(SUCCESSOR TO SF 2080)
(As Amended and Passed by the Senate March 11, 2020)

A BILL FOR

An Act prohibiting the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

SF 2391 (3) 88 ja/rn/mb
S.F. 2391
Section 1. Section 8B.4, Code 2020, is amended by adding the following new subsection:

NEW SUBSECTION. 17A. Authorize the state or a political subdivision of the state, not including a municipal utility, in consultation with the department of public safety and the department of homeland security and emergency management, to expend revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack pursuant to section 8H.3.
Sec. 2. NEW SECTION. 8H.1 Definitions.

As used in this chapter, unless the context otherwise requires:

1. “Critical infrastructure” means the same as defined in section 29C.24. “Critical infrastructure” includes real and personal property and equipment owned or used to provide fire fighting, law enforcement, medical, or other emergency services.

2. “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

3. “Political subdivision” means a city, county, township, or school district. “Political subdivision” does not include a municipal utility.

4. “Ransomware attack” means carrying out until payment is made, or threatening to carry out until payment is made, any of the following actions:

a. An act declared unlawful pursuant to section 715.4.

b. A “breach of security” as defined in section 715C.1.

c. The use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.
Sec. 3. NEW SECTION. 8H.2 Requirement to report a ransomware attack.

If the state or a political subdivision of the state is subject to a ransomware attack, the state or the political subdivision shall provide notice of the ransomware attack to the office of the chief information officer following discovery of the ransomware attack. The notice shall be provided in the most expeditious manner possible and without unreasonable delay. The office of the chief information officer shall adopt rules establishing notification procedures pursuant to this section.
Sec. 4. NEW SECTION. 8H.3 Revenue received from taxpayers —— prohibition —— ransomware.

1. Except as provided in subsection 2 or 3, the state or a political subdivision of the state shall not expend tax revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

2. The office of the chief information officer, in consultation with the department of public safety and the department of homeland security and emergency management, may authorize the state or a political subdivision of the state to expend tax revenue otherwise prohibited pursuant to subsection 1 in the event of any of the following:

a. A critical or emergency situation as defined by the department of homeland security and emergency management, or when the department of homeland security and emergency management determines the expenditure of tax revenue is in the public interest.

b. A ransomware attack affecting critical infrastructure within the state or a political subdivision of the state.

3. The state or a political subdivision of the state may expend tax revenue otherwise prohibited pursuant to subsection 1 in the event of a ransomware attack affecting an officer or employee of the judicial branch.
Sec. 5. NEW SECTION. 8H.4 Payments for insurance.

The state or a political subdivision of the state may use revenue received from taxpayers to pay premiums, deductibles, and other costs associated with an insurance policy related to cybersecurity or ransomware attacks only if the state or the political subdivision first exhausts all other reasonable means of mitigating a potential ransomware attack. Subject to section 8H.3, subsections 2 and 3, nothing in this section shall be construed to authorize the state or a political subdivision of the state to make a direct payment using revenue received from taxpayers to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.
Sec. 6. NEW SECTION. 8H.5 Confidential records.

Information related to all of the following shall be considered a confidential record under section 22.7:

1. Insurance coverage maintained by the state or a political subdivision of the state related to cybersecurity or a ransomware attack.

2. Payment by the state or a political subdivision of the state to a person responsible for, or believed to be responsible for, a ransomware attack pursuant to section 8H.3.
Sec. 7. LEGISLATIVE INTENT. It is the intent of the general assembly that the state and the political subdivisions of the state have tested cybersecurity mitigation plans and policies.
Sec. 8. RULEMAKING. The office of the chief information officer shall prepare a notice of intended action for the adoption of rules to administer this Act. The notice of intended action shall be submitted to the administrative rules coordinator and the administrative code editor as soon as practicable, but no later than October 1, 2020. However, nothing in this section authorizes the office of the chief information officer to adopt rules under section 17A.4, subsection 3, or section 17A.5, subsection 2, paragraph “b”.
Sec. 9. EFFECTIVE DATE.

1. Except as provided in subsection 2, this Act takes effect July 1, 2021.

2. The section of this Act requiring the office of the chief information officer to prepare a notice of intended action for the adoption of rules to administer this Act takes effect upon enactment.