House File 2302 - Reprinted

A Bill For

An Act relating to affirmative defenses for entities using cybersecurity programs.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
   Section 1.  Section 554D.103, subsections 4, 5, 8, 9, and 16, Code 2022, are amended to read as follows:
   4.  “Contract” means the total legal obligation resulting from the parties’ agreement as affected by this chapter and other applicable law. “Contract” includes any contract secured through distributed ledger technology and a smart contract.
   5.  “Distributed ledger technology” means an electronic record of transactions or other data to which all of the following apply:
   a.  The electronic record is uniformly ordered.
   b.  The electronic record is redundantly maintained or processed by one or more computers or machines to guarantee the consistency or nonrepudiation of the recorded transactions or other data.
   8.  “Electronic record” means a record created, generated, sent, communicated, received, or stored by electronic means. “Electronic record” includes any record secured through distributed ledger technology.
   9.  “Electronic signature” means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record. “Electronic signature” includes a signature that is secured through distributed ledger technology.
   16.  “Smart contract” means an event-driven program or computerized transaction protocol that runs on a distributed, decentralized, shared, and replicated ledger that executes the terms of a contract. For purposes of this subsection, “executes the terms of a contract” may include taking custody over and instructing the transfer of assets.

   Sec. 2.  Section 554D.108, subsection 2, Code 2022, is amended to read as follows:
   2.  A contract shall not be denied legal effect or enforceability solely because an electronic record was used in its formation or because the contract is a smart contract or contains a smart contract provision.
   Sec. 3.  NEW SECTION.  554E.1  Definitions.
   As used in this chapter:
   1.  “Account” means the same as defined in section 554.9102.
   2.  “Business” means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of any of the foregoing. For purposes of this subsection, “corporation” does not include a school corporation organized pursuant to chapter 274 or a rural water association organized as a nonprofit corporation pursuant to chapter 504.
   3.  “Contract” means the same as defined in section 554D.103.
   4.  “Covered entity” means a business that accesses, receives, stores, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.
   5.  “Data breach” means an intentional or unintentional action that could result in electronic records owned, licensed to, or otherwise protected by a covered entity being viewed, copied, modified, transmitted, or destroyed in a manner that is reasonably believed to have or may cause material risk of identity theft, fraud, or other injury or damage to person or property. “Data breach” does not include any of the following:
   a.  Good-faith acquisition of personal information or restricted information by the covered entity’s employee or agent for the purposes of the covered entity, provided that the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure.
   b.  Acquisition or disclosure of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.
   6.  “Distributed ledger technology” means an electronic record of transactions or other data to which all of the following apply:
   a.  The electronic record is uniformly ordered.
   b.  The electronic record is redundantly maintained or processed by one or more computers or machines to guarantee the consistency or nonrepudiation of the recorded transactions or other data.
   7.  “Electronic” means the same as defined in section 554D.103.
   8.  “Electronic record” means the same as defined in section 554D.103.
   9.  “Encrypted” means the use of an algorithmic process to transform data into a form for which there is a low probability of assigning meaning without use of a confidential process or key.
   10.  “Individual” means a natural person.
   11.  “Maximum probable loss” means the greatest damage expectation that could reasonably occur from a data breach. For purposes of this subsection, “damage expectation” means the total value of possible damage multiplied by the probability that damage would occur.
   12.  a.  “Personal information” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, social security number, driver’s license number or state identification card number, passport number, account number or credit or debit card number, location data, biometric data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.
   b.  “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or any of the following media that are widely distributed:
   (1)  Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio, television, or the internet.
   (2)  Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media identified in this paragraph.
   (3)  Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit business.
   (4)  Any type of media similar in nature to any item, entity, or activity identified in this paragraph.
   13.  “Record” means the same as defined in section 554D.103.
   14.  “Redacted” means altered, truncated, or anonymized so that, when applied to personal information, the data can no longer be attributed to a specific individual without the use of additional information.
   15.  “Restricted information” means any information about an individual, other than personal information, or business that, alone or in combination with other information, including personal information, can be used to distinguish or trace the identity of the individual or business, or that is linked or linkable to an individual or business, if the information is not encrypted, redacted, tokenized, or altered by any method or technology in such a manner that the information is anonymized, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.
   16.  “Smart contract” means an event-driven program or computerized transaction protocol that runs on a distributed, decentralized, shared, and replicated ledger that executes the terms of a contract. For purposes of this subsection, “executes the terms of a contract” may include taking custody over and instructing the transfer of assets.
   17.  “Transaction” means a sale, trade, exchange, transfer, payment, or conversion of virtual currency or other digital asset or any other property or any other action or set of actions occurring between two or more persons relating to the conduct of business, commercial, or governmental affairs.
   Sec. 4.  NEW SECTION.  554E.2  Distributed ledger technology — ownership of information.
   1.  A record shall not be denied legal effect or enforceability solely because the record is created, generated, sent, communicated, received, recorded, or stored by means of distributed ledger technology or a smart contract.
   2.  A signature shall not be denied legal effect or enforceability solely because the signature is created, generated, sent, communicated, received, recorded, or stored by means of distributed ledger technology or a smart contract.
   3.  A contract shall not be denied legal effect or enforceability solely for any of the following:
   a.  The contract is created, generated, sent, communicated, received, executed, signed, adopted, recorded, or stored by means of distributed ledger technology or a smart contract.
   b.  The contract contains a smart contract term.
   c.  An electronic record, distributed ledger technology, or smart contract was used in the contract’s formation.
   4.  A person who, in engaging in or affecting interstate or foreign commerce, uses distributed ledger technology to secure information that the person owns or has the right to use retains the same rights of ownership or use with respect to such information as before the person secured the information using distributed ledger technology. This subsection does not apply to the use of distributed ledger technology to secure information in connection with a transaction to the extent that the terms of the transaction expressly provide for the transfer of rights of ownership or use with respect to such information.
   Sec. 5.  NEW SECTION.  554E.3  Affirmative defenses.
   1.  A covered entity seeking an affirmative defense under this chapter shall create, maintain, and comply with a written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information and restricted information.
   2.  A covered entity’s cybersecurity program shall be designed to do all of the following:
   a.  Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach.
   b.  Periodically evaluate, no less than annually, the maximum probable loss attainable from a data breach.
   c.  Communicate to any affected parties the extent of any risk posed and any actions the affected parties could take to reduce any damages if a data breach is known to have occurred.
   3.  The scale and scope of a covered entity’s cybersecurity program is appropriate if the cost to operate the cybersecurity program is no less than the covered entity’s most recently calculated maximum probable loss value.
   4.  a.  A covered entity that satisfies all requirements of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.
   b.  A covered entity satisfies all requirements of this section if its cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework, as described in section 554E.4.
   Sec. 6.  NEW SECTION.  554E.4  Cybersecurity program framework.
   1.  A covered entity’s cybersecurity program, as described in section 554E.3, reasonably conforms to an industry-recognized cybersecurity framework for purposes of section 554E.3 if any of the following are true:
   a.  (1)  The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to subparagraph (2) and subsection 2:
   (a)  The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology.
   (b)  National institute of standards and technology special publication 800-171.
   (c)  National institute of standards and technology special publications 800-53 and 800-53a.
   (d)  The federal risk and authorization management program security assessment framework.
   (e)  The center for internet security critical security controls for effective cyber defense.
   (f)  The international organization for standardization/international electrotechnical commission 27000 family — information security management systems.
   (2)  When a final revision to a framework listed in subparagraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the revised framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.
   b.  (1)  The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to subparagraph (2):
   (a)  The security requirements of the federal Health Insurance Portability and Accountability Act of 1996, as set forth in 45 C.F.R. pt. 164, subpt. C.
   (b)  Title V of the federal Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.
   (c)  The federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.
   (d)  The federal Health Information Technology for Economic and Clinical Health Act as set forth in 45 C.F.R. pt. 162.
   (2)  When a framework listed in subparagraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the amended framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the effective date of the amended framework.
   c.  (1)  The cybersecurity program reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in paragraph “a”, subject to subparagraph (2) and subsection 2.
   (2)  When a final revision to the payment card industry data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply the elements of its cybersecurity program with the revised standard within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.
   2.  If a covered entity’s cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry data security standard, as described in subsection 1, paragraph “a” or “c”, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform the elements of its cybersecurity program to or comply with, as applicable, all of the revised frameworks within the time frames provided in the relevant frameworks but in no event later than one year after the latest publication date stated in the revisions.
   Sec. 7.  NEW SECTION.  554E.5  Causes of actions.
   This chapter shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under those sections.

   Sec. 8.  REPEAL.  Section 554D.106A, Code 2022, is repealed.