House File 2302 - Reprinted

HOUSE FILE 2302
BY COMMITTEE ON INFORMATION TECHNOLOGY
(SUCCESSOR TO HSB 555)
(As Amended and Passed by the House March 2, 2022)

A BILL FOR

An Act relating to affirmative defenses for entities using cybersecurity programs.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

HF 2302 (5) 89 cm/jh/md

Section 1. Section 554D.103, subsections 4, 5, 8, 9, and 16, Code 2022, are amended to read as follows:

4. “Contract” means the total legal obligation resulting from the parties’ agreement as affected by this chapter and other applicable law. “Contract” includes any contract secured through distributed ledger technology and a smart contract.

5. “Distributed ledger technology” means an electronic record of transactions or other data to which all of the following apply:
   a. The electronic record is uniformly ordered.
   b. The electronic record is redundantly maintained or processed by one or more computers or machines to guarantee the consistency or nonrepudiation of the recorded transactions or other data.

8. “Electronic record” means a record created, generated, sent, communicated, received, or stored by electronic means. “Electronic record” includes any record secured through distributed ledger technology.

9. “Electronic signature” means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record. “Electronic signature” includes a signature that is secured through distributed ledger technology.

16. “Smart contract” means an event-driven program or computerized transaction protocol that runs on a distributed, decentralized, shared, and replicated ledger that executes the terms of a contract. For purposes of this subsection, “executes the terms of a contract” may include taking custody over and instructing the transfer of assets.

Sec. 2. Section 554D.108, subsection 2, Code 2022, is amended to read as follows:

2. A contract shall not be denied legal effect or enforceability solely because an electronic record was used in its formation or because the contract is a smart contract or contains a smart contract provision.

Sec. 3. NEW SECTION. 554E.1 Definitions.

As used in this chapter:

1. “Account” means the same as defined in section 554.9102.

2. “Business” means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of any of the foregoing. For purposes of this subsection, “corporation” does not include a school corporation organized pursuant to chapter 274 or a rural water association organized as a nonprofit corporation pursuant to chapter 504.

3. “Contract” means the same as defined in section 554D.103.

4. “Covered entity” means a business that accesses, receives, stores, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.

5. “Data breach” means an intentional or unintentional action that could result in electronic records owned, licensed to, or otherwise protected by a covered entity being viewed, copied, modified, transmitted, or destroyed in a manner that is reasonably believed to have or may cause material risk of identity theft, fraud, or other injury or damage to person or property. “Data breach” does not include any of the following:
   a. Good-faith acquisition of personal information or restricted information by the covered entity’s employee or agent for the purposes of the covered entity, provided that the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure.
   b. Acquisition or disclosure of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.

6. “Distributed ledger technology” means an electronic record of transactions or other data to which all of the following apply:
   a. The electronic record is uniformly ordered.
   b. The electronic record is redundantly maintained or processed by one or more computers or machines to guarantee the consistency or nonrepudiation of the recorded transactions or other data.

7. “Electronic” means the same as defined in section 554D.103.

8. “Electronic record” means the same as defined in section 554D.103.

9. “Encrypted” means the use of an algorithmic process to transform data into a form for which there is a low probability of assigning meaning without use of a confidential process or key.

10. “Individual” means a natural person.

11. “Maximum probable loss” means the greatest damage expectation that could reasonably occur from a data breach. For purposes of this subsection, “damage expectation” means the total value of possible damage multiplied by the probability that damage would occur.

12. a. “Personal information” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, social security number, driver’s license number or state identification card number, passport number, account number or credit or debit card number, location data, biometric data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.
   b. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or any of the following media that are widely distributed:
      (1) Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio, television, or the internet.
      (2) Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media identified in this paragraph.
      (3) Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit business.
      (4) Any type of media similar in nature to any item, entity, or activity identified in this paragraph.

13. “Record” means the same as defined in section 554D.103.

14. “Redacted” means altered, truncated, or anonymized so that, when applied to personal information, the data can no longer be attributed to a specific individual without the use of additional information.

15. “Restricted information” means any information about an individual, other than personal information, or business that, alone or in combination with other information, including personal information, can be used to distinguish or trace the identity of the individual or business, or that is linked or linkable to an individual or business, if the information is not encrypted, redacted, tokenized, or altered by any method or technology in such a manner that the information is anonymized, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.

16. “Smart contract” means an event-driven program or computerized transaction protocol that runs on a distributed, decentralized, shared, and replicated ledger that executes the terms of a contract. For purposes of this subsection, “executes the terms of a contract” may include taking custody over and instructing the transfer of assets.

17. “Transaction” means a sale, trade, exchange, transfer, payment, or conversion of virtual currency or other digital asset or any other property or any other action or set of actions occurring between two or more persons relating to the conduct of business, commercial, or governmental affairs.

Sec. 4. NEW SECTION. 554E.2 Distributed ledger technology —— ownership of information.

1. A record shall not be denied legal effect or enforceability solely because the record is created, generated, sent, communicated, received, recorded, or stored by means of distributed ledger technology or a smart contract.

2. A signature shall not be denied legal effect or enforceability solely because the signature is created, generated, sent, communicated, received, recorded, or stored by means of distributed ledger technology or a smart contract.

3. A contract shall not be denied legal effect or enforceability solely for any of the following:
   a. The contract is created, generated, sent, communicated, received, executed, signed, adopted, recorded, or stored by means of distributed ledger technology or a smart contract.
   b. The contract contains a smart contract term.
   c. An electronic record, distributed ledger technology, or smart contract was used in the contract’s formation.

4. A person who, in engaging in or affecting interstate or foreign commerce, uses distributed ledger technology to secure information that the person owns or has the right to use retains the same rights of ownership or use with respect to such information as before the person secured the information using distributed ledger technology. This subsection does not apply to the use of distributed ledger technology to secure information in connection with a transaction to the extent that the terms of the transaction expressly provide for the transfer of rights of ownership or use with respect to such information.

Sec. 5. NEW SECTION. 554E.3 Affirmative defenses.

1. A covered entity seeking an affirmative defense under this chapter shall create, maintain, and comply with a written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information and restricted information.

2. A covered entity’s cybersecurity program shall be designed to do all of the following:
   a. Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach.
   b. Periodically evaluate no less than annually the maximum probable loss attainable from a data breach.
   c. Communicate to any affected parties the extent of any risk posed and any actions the affected parties could take to reduce any damages if a data breach is known to have occurred.

3. The scale and scope of a covered entity’s cybersecurity program is appropriate if the cost to operate the cybersecurity program is no less than the covered entity’s most recently calculated maximum probable loss value.

4. a. A covered entity that satisfies all requirements of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.
   b. A covered entity satisfies all requirements of this section if its cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework, as described in section 554E.4.

Sec. 6. NEW SECTION. 554E.4 Cybersecurity program framework.

1. A covered entity’s cybersecurity program, as described in section 554E.3, reasonably conforms to an industry-recognized cybersecurity framework for purposes of section 554E.3 if any of the following are true:
   a. (1) The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to subparagraph (2) and subsection 2:
      (a) The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology.
      (b) National institute of standards and technology special publication 800-171.
      (c) National institute of standards and technology special publications 800-53 and 800-53a.
      (d) The federal risk and authorization management program security assessment framework.
      (e) The center for internet security critical security controls for effective cyber defense.
      (f) The international organization for standardization/international electrotechnical commission 27000 family —— information security management systems.
      (2) When a final revision to a framework listed in subparagraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the revised framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.
   b. (1) The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to subparagraph (2):
      (a) The security requirements of the federal Health Insurance Portability and Accountability Act of 1996, as set forth in 45 C.F.R. pt. 164, subpt. C.
      (b) Title V of the federal Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.
      (c) The federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.
      (d) The federal Health Information Technology for Economic and Clinical Health Act as set forth in 45 C.F.R. pt. 162.
      (2) When a framework listed in subparagraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the amended framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the effective date of the amended framework.
   c. (1) The cybersecurity program reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in paragraph “a”, subject to subparagraph (2) and subsection 2.
      (2) When a final revision to the payment card industry data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply the elements of its cybersecurity program with the revised standard within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.

2. If a covered entity’s cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry data security standard, as described in subsection 1, paragraph “a” or “c”, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform the elements of its cybersecurity program to or comply with, as applicable, all of the revised frameworks within the time frames provided in the relevant frameworks but in no event later than one year after the latest publication date stated in the revisions.

Sec. 7. NEW SECTION. 554E.5 Causes of actions.

This chapter shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under those sections.

Sec. 8. REPEAL. Section 554D.106A, Code 2022, is repealed.