Senate File 2073 - Introduced

A Bill For

An Act providing for an affirmative defense to certain claims relating to personal information security breach protection.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

Section 1.  Section 715C.2, subsection 9, paragraph a, Code 2020, is amended to read as follows:

a.  A violation of this chapter section is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by the violation.

Sec. 2.  NEW SECTION.  715C.3  Affirmative defense for implementation of cyber security program.

1.  It is an affirmative defense to any claim or action alleging that a person’s failure to implement reasonable security measures resulted in a breach of security, that the person established, maintained, and complied with a written cyber security program that conforms to current and accepted industry standards regarding cyber security and personal information security breach protection, including the national institute of standards and technology’s framework for improving critical infrastructure cyber security.

2.  An affirmative defense under this section shall be established by a preponderance of the evidence.

3.  This section shall not be construed to create a private right of action with respect to a breach of security.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill establishes an affirmative defense to any claim or action alleging that a person’s failure to implement security measures resulted in a breach of security that the person established, maintained, and complied with a cyber security program that conforms to current and accepted industry standards regarding cyber security, including the national institute of standards and technology’s framework for improving critical infrastructure cyber security.

The bill provides that an affirmative defense under the bill shall be established by a preponderance of the evidence. The bill also provides that it shall not be construed to create a private right of action with respect to personal information security breaches.

ja/rn