House Study Bill 555 - Introduced

A Bill For

An Act relating to affirmative defenses for entities using cybersecurity programs and electronic transactions recorded by blockchain technology.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

   Section 1.  Section 554D.103, subsections 8, 9, and 17, Code 2022, are amended to read as follows:
   8.  “Electronic record” means a record created, generated, sent, communicated, received, or stored by electronic means. “Electronic record” includes any record or contract secured through distributed ledger technology or blockchain technology.
   9.  “Electronic signature” means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record. “Electronic signature” includes a signature that is secured through distributed ledger technology or blockchain technology.
   17.  “State” means a state of the United States, the District of Columbia, Puerto Rico, the United States Virgin Islands, or any territory or insular possession subject to the jurisdiction of the United States. “State” includes an Indian tribe or band, or Alaskan Native village, which is recognized by federal law or formally acknowledged by a state.

   Sec. 2.  NEW SECTION.  554E.1  Definitions.
   As used in this chapter:
   1.  “Business” means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of any of the foregoing.
   2.  “Covered entity” means a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.
   3.  “Data breach” means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information or restricted information owned by or licensed to a covered entity and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to person or property. “Data breach” does not include any of the following:
   a.  Good-faith acquisition of personal information or restricted information by the covered entity’s employee or agent for the purposes of the covered entity, provided that the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure.
   b.  Acquisition of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.
   4.  “Encrypted” means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
   5.  “Individual” means a natural person.
   6.  “Personal information” means an individual’s name, consisting of the individual’s first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:
   a.  Social security number.
   b.  Driver’s license number or state identification card number.
   c.  Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual’s financial account.
   d.  “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or any of the following media that are widely distributed:
   (1)  Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio or television.
   (2)  Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media identified in this paragraph.
   (3)  Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit corporation.
   (4)  Any type of media similar in nature to any item, entity, or activity identified in this paragraph.
   7.  “Redacted” means altered or truncated so that no more than the last four digits of a social security number, driver’s license number, state identification card number, account number, or credit or debit card number is accessible as part of the data.
   8.  “Restricted information” means any information about an individual, other than personal information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual’s identity or that is linked or linkable to an individual, if the information is not encrypted, redacted, or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.

   Sec. 3.  NEW SECTION.  554E.2  Affirmative defenses.
   1.  A covered entity seeking an affirmative defense under this chapter shall do one of the following:
   a.  Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry-recognized cybersecurity framework, as described in section 554E.3.
   b.  Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework, as described in section 554E.3.
   2.  A covered entity’s cybersecurity program shall be designed to do all of the following with respect to the information described in subsection 1, paragraph “a” or “b”, as applicable:
   a.  Protect the security and confidentiality of the information.
   b.  Protect against any anticipated threats or hazards to the security or integrity of the information.
   c.  Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
   3.  The scale and scope of a covered entity’s cybersecurity program under subsection 1, paragraph “a” or “b”, as applicable, is appropriate if the cybersecurity program is based on all of the following factors:
   a.  The size and complexity of the covered entity.
   b.  The nature and scope of the activities of the covered entity.
   c.  The sensitivity of the information to be protected.
   d.  The cost and availability of tools to improve information security and reduce vulnerabilities.
   e.  The resources available to the covered entity.
   4.  a.  A covered entity that satisfies subsection 1, paragraph “a”, and subsections 2 and 3, is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information.
   b.  A covered entity that satisfies subsection 1, paragraph “b”, and subsections 2 and 3, is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.

   Sec. 4.  NEW SECTION.  554E.3  Cybersecurity program framework.
   1.  A covered entity’s cybersecurity program, as described in section 554E.2, reasonably conforms to an industry-recognized cybersecurity framework for purposes of section 554E.2 if any of the following are true:
   a.  (1)  The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to subparagraph (2) and subsection 2:
   (a)  The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology.
   (b)  National institute of standards and technology special publication 800-171.
   (c)  National institute of standards and technology special publications 800-53 and 800-53a.
   (d)  The federal risk and authorization management program security assessment framework.
   (e)  The center for internet security critical security controls for effective cyber defense.
   (f)  The international organization for standardization/international electrotechnical commission 27000 family — information security management systems.
   (2)  When a final revision to a framework listed in subparagraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the revised framework not later than one year after the publication date stated in the revision.
   b.  (1)  The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to subparagraph (2):
   (a)  The security requirements of the federal Health Insurance Portability and Accountability Act of 1996, as set forth in 45 C.F.R. pt. 164, subpt. C.
   (b)  Title V of the federal Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.
   (c)  The federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.
   (d)  The federal Health Information Technology for Economic and Clinical Health Act as set forth in 45 C.F.R. pt. 162.
   (2)  When a framework listed in subparagraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the amended framework not later than one year after the effective date of the amended framework.
   c.  (1)  The cybersecurity program reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in paragraph “a”, subject to subparagraph (2) and subsection 2.
   (2)  When a final revision to the payment card industry data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply with the revised standard not later than one year after the publication date stated in the revision.
   2.  If a covered entity’s cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry data security standard, as described in subsection 1, paragraph “a” or “c”, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform to or comply with, as applicable, all of the revised frameworks not later than one year after the latest publication date stated in the revisions.

   Sec. 5.  NEW SECTION.  554E.4  Causes of action.
   This chapter shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under those sections.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

   This bill relates to cybersecurity programs and blockchain technology. The bill changes the definitions of “electronic record” and “electronic signature” in the uniform electronic transactions Act to include blockchain technology.
   The bill creates affirmative defenses for entities using cybersecurity programs and provides definitions. The bill provides that a covered entity seeking an affirmative defense must use a cybersecurity program for the protection of personal information or both personal information and restricted information, and the cybersecurity program must reasonably conform to an industry-recognized cybersecurity framework. A cybersecurity program must protect the security and confidentiality of the information, protect against any anticipated threats to the information, and protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft. A cybersecurity program’s scale and scope should be based upon the size and complexity of the covered entity, the nature and scope of the covered entity’s activities, the sensitivity of the information, and the cost and availability of tools and resources to improve information security. A covered entity that satisfies the above requirements is entitled to an affirmative defense to a tort claim that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.
   The bill lists the industry-recognized cybersecurity frameworks that the covered entity should follow and reasonably comply with in order to qualify for the affirmative defense.
   The bill does not provide a private right of action, including a class action.