House Study Bill 154 - Introduced

A Bill For

An Act relating to the use of certain technology, including the legal effect of the use of distributed ledger technology or smart contracts and affirmative defenses associated with the use of cybersecurity programs.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
Section 1. Section 554E.1, Code 2023, is amended by striking the section and inserting in lieu thereof the following:

554E.1 Definitions.

As used in this chapter:

1. “Business” means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of any of the foregoing.

2. “Contract” means the same as defined in section 554D.103.

3. “Covered entity” means a business that accesses, receives, stores, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.

4. “Data breach” means an intentional or unintentional action that could result in electronic records owned, licensed to, or otherwise protected by a covered entity being viewed, copied, modified, transmitted, or destroyed in a manner that is reasonably believed to have or may cause material risk of identity theft, fraud, or other injury or damage to person or property. “Data breach” does not include any of the following:

a. Good-faith acquisition of personal information or restricted information by the covered entity’s employee or agent for the purposes of the covered entity, provided that the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure.

b. Acquisition or disclosure of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.
5. “Distributed ledger technology” means an electronic record of transactions or other data to which all of the following apply:

a. The electronic record is uniformly ordered.

b. The electronic record is redundantly maintained or processed by one or more computers or machines to guarantee the consistency or nonrepudiation of the recorded transactions or other data.

6. “Electronic record” means the same as defined in section 554D.103.

7. “Encrypted” means the use of an algorithmic process to transform data into a form for which there is a low probability of assigning meaning without use of a confidential process or key.

8. “Individual” means a natural person.

9. “Maximum probable loss” means the greatest damage expectation that could reasonably occur from a data breach. For purposes of this subsection, “damage expectation” means the total value of possible damage multiplied by the probability that damage would occur.

10. a. “Personal information” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, social security number, driver’s license number or state identification card number, passport number, account number or credit or debit card number, location data, biometric data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

b. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or any of the following media that are widely distributed:

(1) Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio, television, or the internet.

(2) Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media identified in this paragraph.

(3) Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit business.

(4) Any type of media similar in nature to any item, entity, or activity identified in this paragraph.

11. “Record” means the same as defined in section 554D.103.

12. “Redacted” means altered, truncated, or anonymized so that, when applied to personal information, the data can no longer be attributed to a specific individual without the use of additional information.

13. “Restricted information” means any information about an individual, other than personal information, or business that, alone or in combination with other information, including personal information, can be used to distinguish or trace the identity of the individual or business, or that is linked or linkable to an individual or business, if the information is not encrypted, redacted, tokenized, or altered by any method or technology in such a manner that the information is anonymized, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.

14. “Smart contract” means an event-driven program or computerized transaction protocol that runs on a distributed, decentralized, shared, and replicated ledger that executes the terms of a contract. For purposes of this subsection, “executes the terms of a contract” may include taking custody over and instructing the transfer of assets.

15. “Transaction” means a sale, trade, exchange, transfer, payment, or conversion of virtual currency or other digital asset or any other property or any other action or set of actions occurring between two or more persons relating to the conduct of business, commercial, or governmental affairs.
Sec. 2. Section 554E.2, Code 2023, is amended by striking the section and inserting in lieu thereof the following:

554E.2 Legal effect — distributed ledger technology and smart contracts — ownership of information.

1. A record shall not be denied legal effect or enforceability solely because the record is created, generated, sent, communicated, received, recorded, or stored by means of distributed ledger technology or a smart contract.

2. A signature shall not be denied legal effect or enforceability solely because the signature is created, generated, sent, communicated, received, recorded, or stored by means of distributed ledger technology or a smart contract.

3. A contract shall not be denied legal effect or enforceability solely for any of the following:

a. The contract is created, generated, sent, communicated, received, executed, signed, adopted, recorded, or stored by means of distributed ledger technology or a smart contract.

b. The contract contains a smart contract term.

c. An electronic record, distributed ledger technology, or a smart contract was used in the contract’s formation.

4. A person who, in engaging in or affecting interstate or foreign commerce, uses distributed ledger technology to secure information that the person owns or has the right to use retains the same rights of ownership or use with respect to such information as before the person secured the information using distributed ledger technology. This subsection does not apply to the use of distributed ledger technology to secure information in connection with a transaction to the extent that the terms of the transaction expressly provide for the transfer of rights of ownership or use with respect to such information.

Sec. 3. Section 554E.3, Code 2023, is amended by striking the section and inserting in lieu thereof the following:

554E.3 Affirmative defenses.
1. A covered entity seeking an affirmative defense under this chapter shall create, maintain, and comply with a written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information and restricted information.

2. A covered entity’s cybersecurity program shall be designed to do all of the following:

a. Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach.

b. Periodically evaluate, no less than annually, the maximum probable loss attainable from a data breach.

c. Communicate to any affected parties the extent of any risk posed and any actions the affected parties could take to reduce any damages if a data breach is known to have occurred.

3. The scale and scope of a covered entity’s cybersecurity program is appropriate if the cost to operate the cybersecurity program is no less than the covered entity’s most recently calculated maximum probable loss value.

4. a. A covered entity that satisfies all requirements of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.

b. A covered entity satisfies all requirements of this section if its cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework, as described in section 554E.4.
Sec. 4. Section 554E.4, Code 2023, is amended by striking the section and inserting in lieu thereof the following:

554E.4 Cybersecurity program framework.

1. A covered entity’s cybersecurity program, as described in section 554E.3, reasonably conforms to an industry-recognized cybersecurity framework for purposes of section 554E.3 if any of the following are true:

a. (1) The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to subparagraph (2) and subsection 2:

(a) The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology.

(b) National institute of standards and technology special publication 800-171.

(c) National institute of standards and technology special publications 800-53 and 800-53a.

(d) The federal risk and authorization management program security assessment framework.

(e) The center for internet security critical security controls for effective cyber defense.

(f) The international organization for standardization/international electrotechnical commission 27000 family — information security management systems.

(2) When a final revision to a framework listed in subparagraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the revised framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.

b. (1) The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to subparagraph (2):

(a) The security requirements of the federal Health Insurance Portability and Accountability Act of 1996, as set forth in 45 C.F.R. pt. 164, subpt. C.

(b) Title V of the federal Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.

(c) The federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.

(d) The federal Health Information Technology for Economic and Clinical Health Act as set forth in 45 C.F.R. pt. 162.

(2) When a framework listed in subparagraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the amended framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the effective date of the amended framework.
c. (1) The cybersecurity program reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in paragraph “a”, subject to subparagraph (2) and subsection 2.

(2) When a final revision to the payment card industry data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply the elements of its cybersecurity program with the revised standard within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.

2. If a covered entity’s cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry data security standard, as described in subsection 1, paragraph “a” or “c”, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform the elements of its cybersecurity program to or comply with, as applicable, all of the revised frameworks within the time frames provided in the relevant frameworks but in no event later than one year after the latest publication date stated in the revisions.
Sec. 5. NEW SECTION. 554E.5 Causes of actions.

This chapter shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under this chapter.
EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to the use of certain technology.

The bill provides that a record, signature, or contract shall not be denied legal effect because it is created or stored by means of distributed ledger technology or a smart contract, as those terms are defined in the bill. The bill provides that the ownership of the secure information remains with the original owner of the information, not the distributed ledger technology owner, unless specifically provided otherwise.

The bill creates affirmative defenses for entities using cybersecurity programs. The bill provides that a covered entity seeking an affirmative defense must use a cybersecurity program for the protection of personal information and restricted information and the cybersecurity program must reasonably conform to an industry-recognized cybersecurity framework. A cybersecurity program must continually evaluate and mitigate reasonably anticipated threats, periodically evaluate the maximum probable loss attainable from a data breach, and communicate to affected parties the risk posed and actions the affected parties could take to reduce damages if a data breach has occurred. The scale and scope of a cybersecurity program is appropriate if the cost to operate the program is no less than the covered entity’s maximum probable loss value. A covered entity that satisfies these requirements and that reasonably conforms to an industry-recognized cybersecurity framework is entitled to an affirmative defense to a tort claim that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.

The bill details industry-recognized cybersecurity frameworks that the covered entity may follow and reasonably comply with in order to qualify for the affirmative defense.

The bill does not provide a private right of action, including a class action.