Senate File 495 - IntroducedA Bill ForAn Act 1relating to affirmative defenses for entities using
2cybersecurity programs.
1   Section 1.  NEW SECTION.  554G.1  Definitions.
   2As used in this chapter:
   31.  “Business” means any limited liability company, limited
4liability partnership, corporation, sole proprietorship,
5association, or other group, however organized and whether
6operating for profit or not for profit, including a financial
7institution organized, chartered, or holding a license
8authorizing operation under the laws of this state, any other
9state, the United States, or any other country, or the parent
10or subsidiary of any of the foregoing, including an entity
11organized under chapter 28E. “Business” does not include a
12municipality as defined in section 670.1.
   132.  “Contract” means the same as defined in section 554D.103.
   143.  “Covered entity” means a business that accesses,
15receives, stores, maintains, communicates, or processes
16personal information or restricted information in or through
17one or more systems, networks, or services located in or
18outside this state.
   194.  “Data breach” means an intentional or unintentional
20action that could result in electronic records owned, licensed
21to, or otherwise protected by a covered entity being viewed,
22copied, modified, transmitted, or destroyed in a manner that
23is reasonably believed to have or may cause material risk of
24identity theft, fraud, or other injury or damage to person or
25property. “Data breach” does not include any of the following:
   26a.  Good-faith acquisition of personal information or
27restricted information by the covered entity’s employee or
28agent for the purposes of the covered entity, provided that
29the personal information or restricted information is not used
30for an unlawful purpose or subject to further unauthorized
   32b.  Acquisition or disclosure of personal information or
33restricted information pursuant to a search warrant, subpoena,
34or other court order, or pursuant to a subpoena, order, or duty
35of a regulatory state agency.
   15.  “Distributed ledger technology” means the same as defined
2in section 554E.1.
   36.  “Electronic record” means the same as defined in section
   57.  “Encrypted” means the use of an algorithmic process to
6transform data into a form for which there is a low probability
7of assigning meaning without use of a confidential process or
   98.  “Individual” means a natural person.
   109.  “Maximum probable loss” means the greatest damage
11expectation that could reasonably occur from a data breach.
12For purposes of this subsection, “damage expectation” means the
13total value of possible damage multiplied by the probability
14that damage would occur.
   1510.  a.  “Personal information” means any information
16relating to an individual who can be identified, directly or
17indirectly, in particular by reference to an identifier such
18as a name, an identification number, social security number,
19driver’s license number or state identification card number,
20passport number, account number or credit or debit card number,
21location data, biometric data, an online identifier, or to
22one or more factors specific to the physical, physiological,
23genetic, mental, economic, cultural, or social identity of that
   25b.  “Personal information” does not include publicly
26available information that is lawfully made available to the
27general public from federal, state, or local government records
28or any of the following media that are widely distributed:
   29(1)  Any news, editorial, or advertising statement published
30in any bona fide newspaper, journal, or magazine, or broadcast
31over radio, television, or the internet.
   32(2)  Any gathering or furnishing of information or news by
33any bona fide reporter, correspondent, or news bureau to news
34media identified in this paragraph.
   35(3)  Any publication designed for and distributed to members
-2-1of any bona fide association or charitable or fraternal
2nonprofit business.
   3(4)  Any type of media similar in nature to any item, entity,
4or activity identified in this paragraph.
   511.  “Record” means the same as defined in section 554D.103.
   612.  “Redacted” means altered, truncated, or anonymized so
7that, when applied to personal information, the data can no
8longer be attributed to a specific individual without the use
9of additional information.
   1013.  “Restricted information” means any information about
11an individual, other than personal information, or business
12that, alone or in combination with other information, including
13personal information, can be used to distinguish or trace the
14identity of the individual or business, or that is linked or
15linkable to an individual or business, if the information is
16not encrypted, redacted, tokenized, or altered by any method or
17technology in such a manner that the information is anonymized,
18and the breach of which is likely to result in a material risk
19of identity theft or other fraud to person or property.
   2014.  “Smart contract” means the same as defined in section
   2215.  “Transaction” means a sale, trade, exchange, transfer,
23payment, or conversion of virtual currency or other digital
24asset or any other property or any other action or set of
25actions occurring between two or more persons relating to the
26conduct of business, commercial, or governmental affairs.
27   Sec. 2.  NEW SECTION.  554G.2  Affirmative defenses.
   281.  A covered entity seeking an affirmative defense under
29this chapter shall create, maintain, and comply with a written
30cybersecurity program that contains administrative, technical,
31operational, and physical safeguards for the protection of both
32personal information and restricted information.
   332.  A covered entity’s cybersecurity program shall be
34designed to do all of the following:
   35a.  Continually evaluate and mitigate any reasonably
-3-1anticipated internal or external threats or hazards that could
2lead to a data breach.
   3b.  Periodically evaluate no less than annually the maximum
4probable loss attainable from a data breach.
   5c.  Communicate to any affected parties the extent of any
6risk posed and any actions the affected parties could take to
7reduce any damages if a data breach is known to have occurred.
   83.  The scale and scope of a covered entity’s cybersecurity
9program is appropriate if the cost to operate the cybersecurity
10program is no less than the covered entity’s most recently
11calculated maximum probable loss value.
   124.  a.  A covered entity that satisfies all requirements
13of this section is entitled to an affirmative defense to any
14cause of action sounding in tort that is brought under the
15laws of this state or in the courts of this state and that
16alleges that the failure to implement reasonable information
17security controls resulted in a data breach concerning personal
18information or restricted information.
   19b.  A covered entity satisfies all requirements of this
20section if its cybersecurity program reasonably conforms to an
21industry-recognized cybersecurity framework, as described in
22section 554G.3.
23   Sec. 3.  NEW SECTION.  554G.3  Cybersecurity program
   251.  A covered entity’s cybersecurity program, as
26described in section 554G.2, reasonably conforms to an
27industry-recognized cybersecurity framework for purposes of
28section 554G.2 if any of the following are true:
   29a.  (1)  The cybersecurity program reasonably conforms to the
30current version of any of the following or any combination of
31the following, subject to subparagraph (2) and subsection 2:
   32(a)  The framework for improving critical infrastructure
33cybersecurity developed by the national institute of standards
34and technology.
   35(b)  National institute of standards and technology special
-4-1publication 800-171.
   2(c)  National institute of standards and technology special
3publications 800-53 and 800-53a.
   4(d)  The federal risk and authorization management program
5security assessment framework.
   6(e)  The center for internet security critical security
7controls for effective cyber defense.
   8(f)  The international organization for
9standardization/international electrotechnical commission 27000
10family — information security management systems.
   11(2)  When a final revision to a framework listed in
12subparagraph (1) is published, a covered entity whose
13cybersecurity program reasonably conforms to that framework
14shall reasonably conform the elements of its cybersecurity
15program to the revised framework within the time frame provided
16in the relevant framework upon which the covered entity intends
17to rely to support its affirmative defense, but in no event
18later than one year after the publication date stated in the
   20b.  (1)  The covered entity is regulated by the state, by
21the federal government, or both, or is otherwise subject to
22the requirements of any of the laws or regulations listed
23below, and the cybersecurity program reasonably conforms to
24the entirety of the current version of any of the following,
25subject to subparagraph (2):
   26(a)  The security requirements of the federal Health
27Insurance Portability and Accountability Act of 1996, as set
28forth in 45 C.F.R. pt.164, subpt.C.
   29(b)  Title V of the federal Gramm-Leach-Bliley Act of 1999,
30Pub.L. No.106-102, as amended.
   31(c)  The federal Information Security Modernization Act of
322014, Pub.L. No.113-283.
   33(d)  The federal Health Information Technology for Economic
34and Clinical Health Act as set forth in 45 C.F.R. pt.162.
   35(e)  Chapter 507F.
   1(f)  Any applicable rules, regulations, or guidelines for
2critical infrastructure protection adopted by the federal
3environmental protection agency, the federal cybersecurity
4and infrastructure security agency, or the north American
5reliability corporation.
   6(2)  When a framework listed in subparagraph (1) is amended,
7a covered entity whose cybersecurity program reasonably
8conforms to that framework shall reasonably conform the
9elements of its cybersecurity program to the amended framework
10within the time frame provided in the relevant framework
11upon which the covered entity intends to rely to support its
12affirmative defense, but in no event later than one year after
13the effective date of the amended framework.
   14c.  (1)  The cybersecurity program reasonably complies
15with both the current version of the payment card industry
16data security standard and conforms to the current version of
17another applicable industry-recognized cybersecurity framework
18listed in paragraph “a”, subject to subparagraph (2) and
19subsection 2.
   20(2)  When a final revision to the payment card industry
21data security standard is published, a covered entity whose
22cybersecurity program reasonably complies with that standard
23shall reasonably comply the elements of its cybersecurity
24program with the revised standard within the time frame
25provided in the relevant framework upon which the covered
26entity intends to rely to support its affirmative defense, but
27in no event later than one year after the publication date
28stated in the revision.
   292.  If a covered entity’s cybersecurity program reasonably
30conforms to a combination of industry-recognized cybersecurity
31frameworks, or complies with a standard, as in the case of the
32payment card industry data security standard, as described in
33subsection 1, paragraph “a” or “c”, and two or more of those
34frameworks are revised, the covered entity whose cybersecurity
35program reasonably conforms to or complies with, as applicable,
-6-1those frameworks shall reasonably conform the elements of its
2cybersecurity program to or comply with, as applicable, all of
3the revised frameworks within the time frames provided in the
4relevant frameworks but in no event later than one year after
5the latest publication date stated in the revisions.
6   Sec. 4.  NEW SECTION.  554G.4  Causes of action.
   7This chapter shall not be construed to provide a private
8right of action, including a class action, with respect to any
9act or practice regulated under this chapter.
11The inclusion of this explanation does not constitute agreement with
12the explanation’s substance by the members of the general assembly.
   13This bill creates affirmative defenses for entities using
14cybersecurity programs. The bill provides that a covered
15entity seeking an affirmative defense must use a cybersecurity
16program for the protection of personal information and
17restricted information and the cybersecurity program must
18reasonably conform to an industry-recognized cybersecurity
19framework. A cybersecurity program must continually evaluate
20and mitigate reasonably anticipated threats, periodically
21evaluate the maximum probable loss attainable from a data
22breach, and communicate to affected parties the risk posed
23and actions the affected parties could take to reduce damages
24if a data breach has occurred. The scale and scope of a
25cybersecurity program is appropriate if the cost to operate the
26program is no less than the covered entity’s maximum probable
27loss value. A covered entity that satisfies these requirements
28and that reasonably conforms to an industry-recognized
29cybersecurity framework is entitled to an affirmative defense
30to a tort claim that alleges that the failure to implement
31reasonable information security controls resulted in a
32data breach concerning personal information or restricted
   34The bill details industry-recognized cybersecurity
35frameworks that the covered entity may follow and reasonably
-7-1comply with in order to qualify for the affirmative defense.
   2The bill does not provide a private right of action,
3including a class action.