House Study Bill 691 - Introduced

A Bill For

An Act prohibiting the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
Section 1. Section 8B.4, Code 2022, is amended by adding the following new subsection:

NEW SUBSECTION. 18A. Authorize the state or a political subdivision of the state, not including a municipal utility, in consultation with the department of public safety and the department of homeland security and emergency management, to expend revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack pursuant to section 8H.3.

Sec. 2. NEW SECTION. 8H.1 Definitions.

As used in this chapter, unless the context otherwise requires:

1. “Critical infrastructure” means the same as defined in section 29C.24. “Critical infrastructure” includes real and personal property and equipment owned or used to provide fire fighting, law enforcement, medical, or other emergency services.

2. “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

3. “Political subdivision” means a city, county, township, or school district. “Political subdivision” does not include a municipal utility.

4. “Ransomware attack” means carrying out until payment is made, or threatening to carry out until payment is made, any of the following actions:

a. An act declared unlawful pursuant to section 715.4.

b. A breach of security as defined in section 715C.1.

c. The use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.

Sec. 3. NEW SECTION. 8H.2 Requirement to report a ransomware attack.
If the state or a political subdivision of the state is subject to a ransomware attack, the state or the political subdivision shall provide notice of the ransomware attack to the office of the chief information officer following discovery of the ransomware attack. The notice shall be provided in the most expeditious manner possible and without unreasonable delay. The office of the chief information officer shall adopt rules establishing notification procedures pursuant to this section.

Sec. 4. NEW SECTION. 8H.3 Revenue received from taxpayers — prohibition — ransomware.

1. Except as provided in subsection 2 or 3, the state or a political subdivision of the state shall not expend tax revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

2. The office of the chief information officer, in consultation with the department of public safety and the department of homeland security and emergency management, may authorize the state or a political subdivision of the state to expend tax revenue otherwise prohibited pursuant to subsection 1 in the event of any of the following:

a. A critical or emergency situation as defined by the department of homeland security and emergency management, or when the department of homeland security and emergency management determines the expenditure of tax revenue is in the public interest.

b. A ransomware attack affecting critical infrastructure within the state or a political subdivision of the state.

3. The state or a political subdivision of the state may expend tax revenue otherwise prohibited pursuant to subsection 1 in the event of a ransomware attack affecting an officer or employee of the judicial branch.

Sec. 5. NEW SECTION. 8H.4 Payments for insurance.

The state or a political subdivision of the state may use revenue received from taxpayers to pay premiums, deductibles, and other costs associated with an insurance policy related to cybersecurity or ransomware attacks only if the state or the political subdivision first exhausts all other reasonable means of mitigating a potential ransomware attack. Subject to section 8H.3, subsections 2 and 3, nothing in this section shall be construed to authorize the state or a political subdivision of the state to make a direct payment using revenue received from taxpayers to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.
Sec. 6. NEW SECTION. 8H.5 Confidential records.

Information related to all of the following shall be considered a confidential record under section 22.7:

1. Insurance coverage maintained by the state or a political subdivision of the state related to cybersecurity or a ransomware attack.

2. Payment by the state or a political subdivision of the state to a person responsible for, or believed to be responsible for, a ransomware attack pursuant to section 8H.3.

Sec. 7. LEGISLATIVE INTENT. It is the intent of the general assembly that the state and the political subdivisions of the state have tested cybersecurity mitigation plans and policies.

Sec. 8. RULEMAKING. The office of the chief information officer shall prepare a notice of intended action for the adoption of rules to administer this Act. The notice of intended action shall be submitted to the administrative rules coordinator and the administrative code editor as soon as practicable, but no later than October 1, 2022. However, nothing in this section authorizes the office of the chief information officer to adopt rules under section 17A.4, subsection 3, or section 17A.5, subsection 2, paragraph “b”.

Sec. 9. EFFECTIVE DATE.

1. Except as provided in subsection 2, this Act takes effect July 1, 2023.

2. The section of this Act requiring the office of the chief information officer to prepare a notice of intended action for the adoption of rules to administer this Act, being deemed of immediate importance, takes effect upon enactment.
EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill prohibits the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks.

The bill defines “critical infrastructure” to mean real and personal property and equipment owned or used by communication and video networks, gas distribution systems, water and wastewater pipeline systems, and electric generation, transmission, and distribution systems, including related support facilities, which network or system provides service to more than one customer or person as defined in Code section 29C.24. “Critical infrastructure” includes but is not limited to buildings, structures, offices, lines, poles, pipes, and equipment, as well as real and personal property owned or used to provide fire fighting, law enforcement, medical, or other emergency services. The bill defines “encryption” as the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key. The bill defines “political subdivision” as a city, county, township, or school district. The bill defines “ransomware attack” to mean carrying out until payment is made, or threatening to carry out until payment is made, any of the following: an act declared unlawful pursuant to Code section 715.4, a “breach of security” as defined in Code section 715C.1, or the use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.

The bill requires that when the state or a political subdivision of the state is subject to a ransomware attack and discovers the attack, the state or political subdivision shall expeditiously provide notice to the office of the chief information officer. The office of the chief information officer shall adopt rules establishing notification procedures.

The bill provides that the state or a political subdivision of the state shall not expend revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

The bill allows the office of the chief information officer to authorize such expenditures in the event of a critical or emergency situation as determined by the department of homeland security and emergency management. The bill provides that information related to a political subdivision’s insurance coverage for cybersecurity or ransomware attack shall be considered confidential records.

The bill provides that the state or a political subdivision of the state may use taxpayer revenue to pay for cybersecurity insurance or related ransomware insurance if the state or political subdivision first exhausts all other reasonable means of mitigating a potential ransomware attack.

The bill includes a legislative intent section, which provides that it is the intent of the general assembly that the state and political subdivisions of the state have tested cybersecurity mitigation plans and policies.

The bill takes effect July 1, 2023, except for the section of the bill requiring the office of the chief information officer to prepare a notice of intended action (NOIA) for the adoption of rules, which takes effect upon enactment. The NOIA must be submitted to the administrative rules coordinator and administrative code editor as soon as possible and no later than October 1, 2022. The bill does not authorize the office of the chief information officer to adopt emergency rules under Code section 17A.4(3) or Code section 17A.5(2)(b).