House Study Bill 622 - Introduced
A Bill For
An Act relating to consumer protection modifying provisions applicable to consumer security freezes and personal information security breach protection.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
Section 1.  Section 714G.2, Code 2018, is amended to read as follows:
714G.2  Security freeze.
1.  A consumer may submit by certified mail to a consumer reporting agency a written request for a security freeze to a consumer reporting agency by first-class mail, telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method. The consumer must submit proper identification and the applicable fee with the request. Within five three business days after receiving the request, the consumer reporting agency shall commence the security freeze. Within ten three business days after commencing the security freeze, the consumer reporting agency shall send a written confirmation to the consumer of the security freeze, a personal identification number or password, other than the consumer’s social security number, for the consumer to use in authorizing the suspension or removal of the security freeze, including information on how the security freeze may be temporarily suspended.
2.  a.  If a consumer requests a security freeze from a consumer reporting agency that compiles and maintains files on a nationwide basis, the consumer may request to have the security freeze applied to any other consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.
b.  For purposes of this subsection, “consumer reporting agency that compiles and maintains files on a nationwide basis” means the same as defined in 15 U.S.C. §1681a(p).
Sec. 2.  Section 714G.3, subsection 1, Code 2018, is amended to read as follows:
1.  A consumer may request that a security freeze be temporarily suspended to allow the consumer reporting agency to release the consumer credit report for a specific time period. The consumer reporting agency may shall develop procedures to expedite the receipt and processing of requests which may involve the use of telephones by first-class mail, telephone, facsimile transmissions, the secure internet connection secure electronic mail, or other secure electronic media contact method. The consumer reporting agency shall comply with the request within three business days after receiving the consumer’s written request, or within fifteen minutes after the consumer’s request is received by the consumer reporting agency through facsimile, the secure internet connection, secure electronic mail, or other secure electronic contact method chosen by the consumer reporting agency, or the use of a telephone, during normal business hours. The consumer’s request shall include all of the following:
a.  Proper identification.
b.  The personal identification number or password provided by the consumer reporting agency.
c.  Explicit instructions of the specific time period designated for suspension of the security freeze.
d.  Payment of the applicable fee.
Sec. 3.  Section 714G.4, unnumbered paragraph 1, Code 2018, is amended to read as follows:
A security freeze remains in effect until the consumer requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days after receiving a request for removal that includes proper identification of the consumer, and the personal identification number or password provided by the consumer reporting agency, and payment of the applicable fee.
Sec. 4.  Section 714G.5, Code 2018, is amended to read as follows:
714G.5  Fees prohibited.
1.  A consumer reporting agency shall not charge any fee to a consumer who is the victim of identity theft for commencing a security freeze, temporary suspension, or removal if with the initial security freeze request, the consumer submits a valid copy of the police report concerning the unlawful use of identification information by another person.
2.  A consumer reporting agency may charge a fee not to exceed ten dollars to a consumer who is not the victim of identity theft for each security freeze, removal, or for reissuing a personal identification number or password if the consumer fails to retain the original number. The consumer reporting agency may charge a fee not to exceed twelve dollars for each temporary suspension of a security freeze.
A consumer reporting agency shall not charge a fee to a consumer for providing any service pursuant to this chapter, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze.
Sec. 5.  Section 714G.8A, subsection 1, paragraph d, Code 2018, is amended by striking the paragraph.
Sec. 6.  Section 714G.8A, subsection 3, paragraph d, Code 2018, is amended by striking the paragraph.
Sec. 7.  Section 714G.8A, subsection 5, Code 2018, is amended to read as follows:
5.  a.  A consumer reporting agency may shall not charge a reasonable fee, not to exceed five dollars, for each the placement, or removal, or reinstatement of a protected consumer security freeze. A consumer reporting agency may not charge any other fee for a service performed pursuant to this section.
b.  Notwithstanding paragraph “a”, a fee may not be charged by a consumer reporting agency pursuant to either of the following:
(1)  If the protected consumer’s representative has obtained a police report or affidavit of alleged identity theft under section 715A.8 and submits a copy of the report or affidavit to the consumer reporting agency.
(2)  A request for the commencement or removal of a protected consumer security freeze is for a protected consumer who is under the age of sixteen years at the time of the request and the consumer reporting agency has a consumer credit report pertaining to the protected consumer.
Sec. 8.  Section 715C.1, subsections 1 and 5, Code 2018, are amended to read as follows:
1.  “Breach of security” means unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information maintained in computerized any form, including but not limited to electronic or paper form, by a person that compromises the security, confidentiality, or integrity of the personal information. “Breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.
5.  “Encryption” means the use of an one-hundred-twenty-eight-bit or higher algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.
Sec. 9.  Section 715C.2, subsections 7 and 8, Code 2018, are amended to read as follows:
7.  This section does Subsections 1 through 6 shall not apply to any of the following:
a.  A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator.
b.  A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.
c.  A person who is subject to and complies with regulations promulgated pursuant to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 – 6809.
d.  A person who is subject to and complies with regulations promulgated pursuant to Tit. II, subtit. F of the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §1320d – 1320d-9, and Tit. XIII, subtit. D of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 – 17954.
8.  Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred residents of this state consumers pursuant to this section subsection 1 or any of the laws, rules, regulations, procedures, guidance, or guidelines set forth in subsection 7 shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer pursuant to this section.
EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.
This bill relates to consumer security freezes and personal information security breach protection.
Current law permits a consumer to submit a request for a security freeze via certified mail. The bill expands the methods permitted for a consumer to submit a request for a security freeze to allow such requests to be submitted via first-class mail, telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method.
The bill reduces the number of days by which a consumer reporting agency must commence a security freeze after receiving a request from five to three business days. The bill also reduces the number of days by which a consumer reporting agency must send written confirmation to a consumer after commencing a security freeze from ten to three business days.
The bill provides that if a consumer requests a security freeze from a consumer reporting agency that compiles and maintains files on a nationwide basis, as defined in the bill, the consumer may request to have the security freeze applied to any other similar consumer reporting agency.
The bill requires consumer reporting agencies to develop procedures to expedite the receipt and processing of security freeze suspension requests received via the same methods permitted for consumers to submit such requests. The bill requires a consumer reporting agency to commence a security freeze suspension within 15 minutes after receiving a request through telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method.
The bill prohibits consumer reporting agencies from charging fees to consumers for providing any service pursuant to Code chapter 714G, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze. The bill also prohibits consumer reporting agencies from charging fees for placing or removing a protected consumer security freeze pursuant to Code section 714G.8A. The bill removes several references to payment of fees in Code chapter 714G.
The bill also modifies various provisions relating to personal information security breach protection in Code chapter 715C. The bill expands the definition of “breach of security” to include the reasonable belief of unauthorized acquisition of personal information, which may be in any form, including electronic or paper form. However, the bill removes the unauthorized acquisition of personal information that was transferred from computerized form to another medium from the definition of “breach of security”. The definition of “encryption” is modified to mean the use of a 128-bit or higher algorithmic process.
The bill exempts from the consumer notification requirements persons who are subject to and comply with specified federal health information laws.
Current law requires a person who owns or licenses personal information that is subject to a breach of security requiring notification to more than 500 consumers in the state, as required by Code section 715C.2, to give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general. The bill provides that written notification to the attorney general is also required for breaches of security where written notification to more than 500 consumers in the state is required by a person’s primary or functional federal regulator, a state or federal law that gives greater protection to personal information than provided in Code section 715C.2, or certain federal law.