House Study Bill 14 - Introduced

A Bill For

An Act modifying certain provisions relating to personal information security breach protection.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
Section 1.  Section 715C.1, subsections 5 and 11, Code 2019, are amended to read as follows:

5.  “Encryption” means the use of an algorithmic process pursuant to accepted industry standards, or any other accepted industry standard process, to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

11.  a.  “Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security:

(1)  Social security number.

(2)  Driver’s license number or other unique identification number created or collected by a government body.

(3)  Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account.

(4)  Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(5)  Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.

(6)  Medical history, medical treatment by a health care professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile.

(7)  Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify an individual.

(8)  Taxpayer identification number.

(9)  A private key that is unique to an individual and that is used to authenticate or sign an electronic record.

(10)  Passport number.

b.  “Personal information” also includes an account username or electronic mail address, in combination with any required password or account security information that would permit access to a consumer’s online account.

c.  “Personal information” does not include information that is lawfully obtained from a publicly available source, or from federal, state, or local government records lawfully made available to the general public.
Sec. 2.  Section 715C.2, subsections 1, 6, and 8, Code 2019, are amended to read as follows:

1.  a.  Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to any consumer whose personal information was included in the information that was breached. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, but no later than forty-five days after the discovery of such breach of security or receipt of notification under subsection 2, unless a longer time is necessary because of the legitimate needs of law enforcement as provided in subsection 3, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.

b.  In the case of a breach of security involving personal information relating to a consumer’s online account as described in section 715C.1, subsection 11, paragraph “b”, and no other personal information described in section 715C.1, subsection 11, the person or business may comply with the notification requirements of this section by providing notification of the security breach to the consumer whose personal information was subject to the breach of security, in electronic or other form, that directs the consumer to promptly change the consumer’s password or account security information, or to take any other appropriate steps to protect the consumer’s online account with the person or business and all other online accounts for which the consumer uses the same account username or electronic mail address and password or account security information. However, in providing notification of a breach of security in electronic form to an online account that is affected or compromised by the breach of security, a person or business may provide notification by such method only when the consumer is connected to the online account from an internet protocol address or online location from which the person or business knows the consumer customarily accesses the online account, and the notification is provided to the consumer in a clear and conspicuous manner.

6.  a.  Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.

b.  In the event that notification is not required pursuant to this subsection, the person shall provide the written determination required in paragraph “a” to the director of the consumer protection division of the office of the attorney general within five business days after documenting such determination.

8.  Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred consumers pursuant to subsection 1, or any of the laws, rules, regulations, procedures, guidance, or guidelines set forth in subsection 7, shall give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer pursuant to this section. The written notice shall include all of the following:

a.  A sample copy of any notification sent to consumers.

b.  The approximate number of consumers affected or potentially affected by the breach of security.

c.  A description of any services offered to consumers affected or potentially affected by the breach of security, and instructions as to how consumers may use such services.

d.  The name, address, telephone number, and electronic mail address of an individual who may be contacted by the consumer protection division of the office of the attorney general for any additional information about the breach of security.
Sec. 3.  Section 715C.2, subsection 7, unnumbered paragraph 1, Code 2019, is amended to read as follows:

Subsections 1 through 6 shall not apply to any of the following:

Sec. 4.  Section 715C.2, Code 2019, is amended by adding the following new subsection:

NEW SUBSECTION.  09.  a.  Any employer or payroll service provider that owns or licenses computerized data relating to income tax withholdings shall notify the consumer protection division of the office of the attorney general without unreasonable delay after discovery or notification of the unauthorized access and acquisition of unencrypted computerized data of a taxpayer identification number in combination with the income tax withholdings for that taxpayer, the unauthorized access and acquisition of which gives the employer or payroll service provider reason to believe that identity theft or other fraud has or will occur. With respect to an employer, this subsection applies only to information regarding the employer’s employees, and does not apply to information regarding the employer’s customers or other nonemployees.

b.  In providing notification to the consumer protection division of the office of the attorney general pursuant to this subsection, the employer or payroll service provider shall provide the name and federal employer identification number of the person that was or may be affected by the breach of security. Upon receipt of such notice, the consumer protection division of the office of the attorney general shall notify the department of revenue of the breach of security.

c.  Notwithstanding any other provision in this section, a breach of security involving information described in paragraph “a” shall be subject only to the notification requirements contained in this subsection.
EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill modifies various provisions relating to personal information security breach protection.

The bill expands the definition of “encryption” in Code section 715C.1 to include, in addition to the use of an algorithmic process pursuant to accepted industry standards, any other accepted industry standard process. The bill adds certain medical information, health insurance information, tax information, passport information, and electronic account information to the definition of “personal information”.

Current law requires a person who owns or licenses personal information that is subject to a breach of security to give notice to affected consumers in the most expeditious manner possible and without unreasonable delay. The bill provides that such notice to affected consumers must occur no later than 45 days after the discovery or notification of the breach of security, unless delayed for law enforcement reasons.

The bill provides that, in the case of a security breach only involving personal information about a consumer’s online account, a person or business may comply with the notification requirements of Code section 715C.2 by providing notification to the consumer whose personal information was subject to the security breach, in electronic or other form, that directs the consumer to take certain steps to protect the consumer’s online account with that person or business and all other online accounts for which the same account information is used. However, in providing notification of a security breach in electronic form to an online account that is affected or compromised by the security breach, a person or business may only do so when the consumer is connected to the online account from an internet protocol address or online location from which the person or business knows the customer customarily accesses the account, and the notification is provided in a clear and conspicuous manner.

Current law provides that a person who owns or licenses personal information that is subject to breach of security does not need to provide notification of the security breach to affected consumers if the person makes a written determination that there is no reasonable likelihood of financial harm to affected consumers. The bill requires a person who makes such a determination to provide this written determination to the director of the consumer protection division of the office of the attorney general within five business days after documenting the determination.

Current law requires a person who owns or licenses personal information that is subject to a breach of security requiring notification to more than 500 consumers in the state, as required by Code section 715C.2, to give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general. The bill provides that written notification to the attorney general is also required for breaches of security where written notification to more than 500 consumers in the state is required by a person’s primary or functional federal regulator, a state or federal law that gives greater protection to personal information than provided in Code section 715C.2, or certain federal law. The bill also specifies that written notification to the attorney general must include a sample copy of any notification sent to consumers, the approximate number of affected or potentially affected consumers, a description of any services offered to affected consumers, and contact information for an individual who may be contacted for additional information regarding the breach of security.

The bill provides that any employer or payroll service provider that owns or licenses computerized data relating to income tax withholdings shall notify the consumer protection division without unreasonable delay after discovery or notification of the breach of security of a taxpayer identification number in combination with the income tax withholdings for that taxpayer, the security breach of which gives the employer or payroll service provider reason to believe that identity theft or other fraud has or will occur. With respect to an employer, such notification requirements only apply to information regarding the employer’s employees. In providing notification to the consumer protection division, the employer or payroll service provider shall provide the name and federal employer identification number of the person affected. Upon receiving the notice, the consumer protection division shall notify the department of revenue of the security breach. The bill specifies that no other notification requirements apply to a security breach of this nature.