House File 2302 - Introduced

A Bill For

An Act relating to affirmative defenses for entities using
cybersecurity programs.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
   Section 1.  Section 554D.103, subsections 4, 5, 8, 9, and 16,
Code 2022, are amended to read as follows:
   4.  “Contract” means the total legal obligation resulting
from the parties’ agreement as affected by this chapter and
other applicable law. “Contract” includes any contract secured
through distributed ledger technology and a smart contract.

   5.  “Distributed ledger technology” means an electronic
record of transactions or other data to which all of the
following apply:
   a.  The electronic record is uniformly ordered.
   b.  The electronic record is redundantly maintained or
processed by one or more computers or machines to guarantee the
consistency or nonrepudiation of the recorded transactions or
other data.
   8.  “Electronic record” means a record created, generated,
sent, communicated, received, or stored by electronic means.
“Electronic record” includes any record secured through
distributed ledger technology.

   9.  “Electronic signature” means an electronic sound, symbol,
or process attached to or logically associated with a record
and executed or adopted by a person with the intent to sign the
record. “Electronic signature” includes a signature that is
secured through distributed ledger technology.

   16.  “Smart contract” means an event-driven program or
computerized transaction protocol that runs on a distributed,
decentralized, shared, and replicated ledger that executes the
terms of a contract. For purposes of this subsection, “executes
the terms of a contract” may include taking custody over and
instructing the transfer of assets.
   Sec. 2.  Section 554D.108, subsection 2, Code 2022, is
amended to read as follows:
   2.  A contract shall not be denied legal effect or
enforceability solely because an electronic record was used in
its formation or because the contract is a smart contract or
contains a smart contract provision.
   Sec. 3.  NEW SECTION.  554E.1  Definitions.
   As used in this chapter:
   1.  “Account” means the same as defined in section 554.9102.
   2.  “Business” means any limited liability company, limited
liability partnership, corporation, sole proprietorship,
association, or other group, however organized and whether
operating for profit or not for profit, including a financial
institution organized, chartered, or holding a license
authorizing operation under the laws of this state, any other
state, the United States, or any other country, or the parent
or subsidiary of any of the foregoing.
   3.  “Contract” means the same as defined in section 554D.103.
   4.  “Covered entity” means a business that accesses,
receives, stores, maintains, communicates, or processes
personal information or restricted information in or through
one or more systems, networks, or services located in or
outside this state.
   5.  “Data breach” means an intentional or unintentional
action that could result in electronic records owned, licensed
to, or otherwise protected by a covered entity being viewed,
copied, modified, transmitted, or destroyed in a manner that
is reasonably believed to have or may cause material risk of
identity theft, fraud, or other injury or damage to person or
property. “Data breach” does not include any of the following:
   a.  Good-faith acquisition of personal information or
restricted information by the covered entity’s employee or
agent for the purposes of the covered entity, provided that
the personal information or restricted information is not used
for an unlawful purpose or subject to further unauthorized
disclosure.
   b.  Acquisition or disclosure of personal information or
restricted information pursuant to a search warrant, subpoena,
or other court order, or pursuant to a subpoena, order, or duty
of a regulatory state agency.
   6.  “Distributed ledger technology” means an electronic
record of transactions or other data to which all of the
following apply:
   a.  The electronic record is uniformly ordered.
   b.  The electronic record is redundantly maintained or
processed by one or more computers or machines to guarantee the
consistency or nonrepudiation of the recorded transactions or
other data.
   7.  “Electronic” means the same as defined in section
554D.103.
   8.  “Electronic record” means the same as defined in section
554D.103.
   9.  “Encrypted” means the use of an algorithmic process to
transform data into a form for which there is a low probability
of assigning meaning without use of a confidential process or
key.
   10.  “Individual” means a natural person.
   11.  “Maximum probable loss” means the greatest damage
expectation that could reasonably occur from a data breach.
For purposes of this subsection, “damage expectation” means the
total value of possible damage multiplied by the probability
that damage would occur.
   12.  a.  “Personal information” means any information
relating to an individual who can be identified, directly or
indirectly, in particular by reference to an identifier such
as a name, an identification number, social security number,
driver’s license number or state identification card number,
passport number, account number or credit or debit card number,
location data, biometric data, an online identifier, or to
one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural, or social identity of that
individual.
   b.  “Personal information” does not include publicly
available information that is lawfully made available to the
general public from federal, state, or local government records
or any of the following media that are widely distributed:
   (1)  Any news, editorial, or advertising statement published
in any bona fide newspaper, journal, or magazine, or broadcast
over radio, television, or the internet.
   (2)  Any gathering or furnishing of information or news by
any bona fide reporter, correspondent, or news bureau to news
media identified in this paragraph.
   (3)  Any publication designed for and distributed to members
of any bona fide association or charitable or fraternal
nonprofit business.
   (4)  Any type of media similar in nature to any item, entity,
or activity identified in this paragraph.
   13.  “Record” means the same as defined in section 554D.103.
   14.  “Redacted” means altered, truncated, or anonymized so
that, when applied to personal information, the data can no
longer be attributed to a specific individual without the use
of additional information.
   15.  “Restricted information” means any information about
an individual, other than personal information, or business
that, alone or in combination with other information, including
personal information, can be used to distinguish or trace the
identity of the individual or business, or that is linked or
linkable to an individual or business, if the information is
not encrypted, redacted, tokenized, or altered by any method or
technology in such a manner that the information is anonymized,
and the breach of which is likely to result in a material risk
of identity theft or other fraud to person or property.
   16.  “Smart contract” means an event-driven program or
computerized transaction protocol that runs on a distributed,
decentralized, shared, and replicated ledger that executes the
terms of a contract. For purposes of this subsection, “executes
the terms of a contract” may include taking custody over and
instructing the transfer of assets.
   17.  “Transaction” means a sale, trade, exchange, transfer,
payment, or conversion of virtual currency or other digital
asset or any other property or any other action or set of
actions occurring between two or more persons relating to the
conduct of business, commercial, or governmental affairs.
   Sec. 4.  NEW SECTION.  554E.2  Distributed ledger technology
— ownership of information.
   1.  A record shall not be denied legal effect or
enforceability solely because the record is created, generated,
sent, communicated, received, recorded, or stored by means of
distributed ledger technology or a smart contract.
   2.  A signature shall not be denied legal effect or
enforceability solely because the signature is created,
generated, sent, communicated, received, recorded, or stored by
means of distributed ledger technology or a smart contract.
   3.  A contract shall not be denied legal effect or
enforceability solely for any of the following:
   a.  The contract is created, generated, sent, communicated,
received, executed, signed, adopted, recorded, or stored by
means of distributed ledger technology or a smart contract.
   b.  The contract contains a smart contract term.
   c.  An electronic record, distributed ledger technology, or
smart contract was used in the contract’s formation.
   4.  A person who, in engaging in or affecting interstate
or foreign commerce, uses distributed ledger technology to
secure information that the person owns or has the right to use
retains the same rights of ownership or use with respect to
such information as before the person secured the information
using distributed ledger technology. This subsection does not
apply to the use of distributed ledger technology to secure
information in connection with a transaction to the extent that
the terms of the transaction expressly provide for the transfer
of rights of ownership or use with respect to such information.
   Sec. 5.  NEW SECTION.  554E.3  Affirmative defenses.
   1.  A covered entity seeking an affirmative defense under
this chapter shall create, maintain, and comply with a written
cybersecurity program that contains administrative, technical,
operational, and physical safeguards for the protection of both
personal information and restricted information.
   2.  A covered entity’s cybersecurity program shall be
designed to do all of the following:
   a.  Continually evaluate and mitigate any reasonably
anticipated internal or external threats or hazards that could
lead to a data breach.
   b.  Periodically evaluate no less than annually the maximum
probable loss attainable from a data breach.
   c.  Communicate to any affected parties the extent of any
risk posed and any actions the affected parties could take to
reduce any damages if a data breach is known to have occurred.
   3.  The scale and scope of a covered entity’s cybersecurity
program is appropriate if the cost to operate the cybersecurity
program is no less than the covered entity’s most recently
calculated maximum probable loss value.
   4.  a.  A covered entity that satisfies all requirements
of this section is entitled to an affirmative defense to any
cause of action sounding in tort that is brought under the
laws of this state or in the courts of this state and that
alleges that the failure to implement reasonable information
security controls resulted in a data breach concerning personal
information or restricted information.
   b.  A covered entity satisfies all requirements of this
section if its cybersecurity program reasonably conforms to an
industry-recognized cybersecurity framework, as described in
section 554E.4.
   Sec. 6.  NEW SECTION.  554E.4  Cybersecurity program
framework.
   1.  A covered entity’s cybersecurity program, as
described in section 554E.3, reasonably conforms to an
industry-recognized cybersecurity framework for purposes of
section 554E.3 if any of the following are true:
   a.  (1)  The cybersecurity program reasonably conforms to the
current version of any of the following or any combination of
the following, subject to subparagraph (2) and subsection 2:
   (a)  The framework for improving critical infrastructure
cybersecurity developed by the national institute of standards
and technology.
   (b)  National institute of standards and technology special
publication 800-171.
   (c)  National institute of standards and technology special
publications 800-53 and 800-53a.
   (d)  The federal risk and authorization management program
security assessment framework.
   (e)  The center for internet security critical security
controls for effective cyber defense.
   (f)  The international organization for
standardization/international electrotechnical commission 27000
family — information security management systems.
   (2)  When a final revision to a framework listed in
subparagraph (1) is published, a covered entity whose
cybersecurity program reasonably conforms to that framework
shall reasonably conform the elements of its cybersecurity
program to the revised framework within the time frame provided
in the relevant framework upon which the covered entity intends
to rely to support its affirmative defense, but in no event
later than one year after the publication date stated in the
revision.
   b.  (1)  The covered entity is regulated by the state, by
the federal government, or both, or is otherwise subject to
the requirements of any of the laws or regulations listed
below, and the cybersecurity program reasonably conforms to
the entirety of the current version of any of the following,
subject to subparagraph (2):
   (a)  The security requirements of the federal Health
Insurance Portability and Accountability Act of 1996, as set
forth in 45 C.F.R. pt. 164, subpt. C.
   (b)  Title V of the federal Gramm-Leach-Bliley Act of 1999,
Pub. L. No. 106-102, as amended.
   (c)  The federal Information Security Modernization Act of
2014, Pub. L. No. 113-283.
   (d)  The federal Health Information Technology for Economic
and Clinical Health Act as set forth in 45 C.F.R. pt. 162.
   (2)  When a framework listed in subparagraph (1) is amended,
a covered entity whose cybersecurity program reasonably
conforms to that framework shall reasonably conform the
elements of its cybersecurity program to the amended framework
within the time frame provided in the relevant framework
upon which the covered entity intends to rely to support its
affirmative defense, but in no event later than one year after
the effective date of the amended framework.
   c.  (1)  The cybersecurity program reasonably complies
with both the current version of the payment card industry
data security standard and conforms to the current version of
another applicable industry-recognized cybersecurity framework
listed in paragraph “a”, subject to subparagraph (2) and
subsection 2.
   (2)  When a final revision to the payment card industry
data security standard is published, a covered entity whose
cybersecurity program reasonably complies with that standard
shall reasonably comply the elements of its cybersecurity
program with the revised standard within the time frame
provided in the relevant framework upon which the covered
entity intends to rely to support its affirmative defense, but
in no event later than one year after the publication date
stated in the revision.
   2.  If a covered entity’s cybersecurity program reasonably
conforms to a combination of industry-recognized cybersecurity
frameworks, or complies with a standard, as in the case of the
payment card industry data security standard, as described in
subsection 1, paragraph “a” or “c”, and two or more of those
frameworks are revised, the covered entity whose cybersecurity
program reasonably conforms to or complies with, as applicable,
those frameworks shall reasonably conform the elements of its
cybersecurity program to or comply with, as applicable, all of
the revised frameworks within the time frames provided in the
relevant frameworks but in no event later than one year after
the latest publication date stated in the revisions.
   Sec. 7.  NEW SECTION.  554E.5  Causes of actions.
   This chapter shall not be construed to provide a private
right of action, including a class action, with respect to any
act or practice regulated under those sections.
   Sec. 8.  REPEAL.  Section 554D.106A, Code 2022, is repealed.

EXPLANATION

The inclusion of this explanation does not constitute agreement with
the explanation’s substance by the members of the general assembly.
   This bill relates to cybersecurity programs, affirmative
defenses, and distributed ledger technology.
   The bill provides that a record or signature shall not be
denied legal effect because it is created or stored by means of
distributed ledger technology or smart contract, as those terms
are defined in the bill. The bill provides in new Code section
554E.2 that the ownership of the secure information remains
with the person who provided the signature, not the distributed
ledger technology owner, and repeals a similar provision in
Code section 554D.106A.
   The bill creates affirmative defenses for entities using
cybersecurity programs and provides definitions. The bill
provides that a covered entity seeking an affirmative defense
must use a cybersecurity program for the protection of personal
information and restricted information and the cybersecurity
program must reasonably conform to an industry-recognized
cybersecurity framework. A cybersecurity program must
continually evaluate and mitigate reasonably anticipated
threats, periodically evaluate the maximum probable loss
attainable from a data breach, and communicate to affected
parties the risk posed and actions the affected parties could
take to reduce damages if a data breach has occurred. The
scale and scope of a cybersecurity program is appropriate if
the cost to operate the program is no less than the covered
entity’s maximum probable loss value. A covered entity that
satisfies these requirements and that reasonably conforms to
an industry-recognized cybersecurity framework is entitled to
an affirmative defense to a tort claim that alleges that the
failure to implement reasonable information security controls
resulted in a data breach concerning personal information or
restricted information.
   The bill details industry-recognized cybersecurity
frameworks that the covered entity may follow and reasonably
comply to in order to qualify for the affirmative defense.
   The bill does not provide a private right to action,
including a class action.