House File 2423 - Introduced
A Bill For
An Act relating to consumer protection modifying provisions applicable to consumer security freezes and personal information security breach protection.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
   Section 1.  Section 714G.2, Code 2018, is amended to read as follows:
   714G.2  Security freeze.
   1.  A consumer may submit by certified mail to a consumer reporting agency a written request for a security freeze to a consumer reporting agency by first-class mail, telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method. The consumer must submit proper identification and the applicable fee with the request. Within five three business days after receiving the request, the consumer reporting agency shall commence the security freeze. Within ten three business days after commencing the security freeze, the consumer reporting agency shall send a written confirmation to the consumer of the security freeze, a personal identification number or password, other than the consumer’s social security number, for the consumer to use in authorizing the suspension or removal of the security freeze, including information on how the security freeze may be temporarily suspended.
   2.  a.  If a consumer requests a security freeze from a consumer reporting agency that compiles and maintains files on a nationwide basis, the consumer may request to have the security freeze applied to any other consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.
   b.  For purposes of this subsection, “consumer reporting agency that compiles and maintains files on a nationwide basis” means the same as defined in 15 U.S.C. §1681a(p).
   Sec. 2.  Section 714G.3, subsection 1, Code 2018, is amended to read as follows:
   1.  A consumer may request that a security freeze be temporarily suspended to allow the consumer reporting agency to release the consumer credit report for a specific time period. The consumer reporting agency may shall develop procedures to expedite the receipt and processing of requests which may involve the use of telephones by first-class mail, telephone, facsimile transmissions, the secure internet connection secure electronic mail, or other secure electronic media contact method. The consumer reporting agency shall comply with the request within three business days after receiving the consumer’s written request, or within fifteen minutes after the consumer’s request is received by the consumer reporting agency through facsimile, the secure internet connection, secure electronic mail, or other secure electronic contact method chosen by the consumer reporting agency, or the use of a telephone, during normal business hours. The consumer’s request shall include all of the following:
   a.  Proper identification.
   b.  The personal identification number or password provided by the consumer reporting agency.
   c.  Explicit instructions of the specific time period designated for suspension of the security freeze.
   d.  Payment of the applicable fee.
   Sec. 3.  Section 714G.4, unnumbered paragraph 1, Code 2018, is amended to read as follows:
   A security freeze remains in effect until the consumer requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days after receiving a request for removal that includes proper identification of the consumer, and the personal identification number or password provided by the consumer reporting agency, and payment of the applicable fee.
   Sec. 4.  Section 714G.5, Code 2018, is amended to read as follows:
   714G.5  Fees prohibited.
   1.  A consumer reporting agency shall not charge any fee to a consumer who is the victim of identity theft for commencing a security freeze, temporary suspension, or removal if with the initial security freeze request, the consumer submits a valid copy of the police report concerning the unlawful use of identification information by another person.
   2.  A consumer reporting agency may charge a fee not to exceed ten dollars to a consumer who is not the victim of identity theft for each security freeze, removal, or for reissuing a personal identification number or password if the consumer fails to retain the original number. The consumer reporting agency may charge a fee not to exceed twelve dollars for each temporary suspension of a security freeze.
   A consumer reporting agency shall not charge a fee to a consumer for providing any service pursuant to this chapter, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze.
   Sec. 5.  Section 714G.8A, subsection 1, paragraph d, Code 2018, is amended by striking the paragraph.
   Sec. 6.  Section 714G.8A, subsection 3, paragraph d, Code 2018, is amended by striking the paragraph.
   Sec. 7.  Section 714G.8A, subsection 5, Code 2018, is amended to read as follows:
   5.  a.  A consumer reporting agency may shall not charge a reasonable fee, not to exceed five dollars, for each the placement, or removal, or reinstatement of a protected consumer security freeze. A consumer reporting agency may not charge any other fee for a service performed pursuant to this section.
   b.  Notwithstanding paragraph “a”, a fee may not be charged by a consumer reporting agency pursuant to either of the following:
   (1)  If the protected consumer’s representative has obtained a police report or affidavit of alleged identity theft under section 715A.8 and submits a copy of the report or affidavit to the consumer reporting agency.
   (2)  A request for the commencement or removal of a protected consumer security freeze is for a protected consumer who is under the age of sixteen years at the time of the request and the consumer reporting agency has a consumer credit report pertaining to the protected consumer.
   Sec. 8.  Section 715C.1, subsections 1 and 5, Code 2018, are amended to read as follows:
   1.  “Breach of security” means unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. “Breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.
   5.  “Encryption” means the use of an algorithmic process pursuant to accepted industry standards to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.
   Sec. 9.  Section 715C.2, subsections 7 and 8, Code 2018, are amended to read as follows:
   7.  This section does not apply to any of the following:
   a.  A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator.
   b.  A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.
   c.  A person who is subject to and complies with regulations promulgated pursuant to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 – 6809.
   d.  A person who is subject to and complies with regulations promulgated pursuant to Tit. II, subtit. F of the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §1320d – 1320d-9, and Tit. XIII, subtit. D of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 – 17954.
   8.  Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred residents of this state pursuant to this section shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer pursuant to this section.
EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.
   This bill relates to consumer security freezes and personal information security breach protection.
   Current law permits a consumer to submit a request for a security freeze via certified mail. The bill expands the methods permitted for a consumer to submit a request for a security freeze to allow such requests to be submitted via first-class mail, telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method.
   The bill reduces the number of days by which a consumer reporting agency must commence a security freeze after receiving a request from five to three business days. The bill also reduces the number of days by which a consumer reporting agency must send written confirmation to a consumer after commencing a security freeze from ten to three business days.
   The bill provides that if a consumer requests a security freeze from a consumer reporting agency that compiles and maintains files on a nationwide basis, as defined in the bill, the consumer may request to have the security freeze applied to any other similar consumer reporting agency.
   The bill requires consumer reporting agencies to develop procedures to expedite the receipt and processing of security freeze suspension requests received via the same methods permitted for consumers to submit such requests. The bill requires a consumer reporting agency to commence a security freeze suspension within 15 minutes after receiving a request through telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method.
   The bill prohibits consumer reporting agencies from charging fees to consumers for providing any service pursuant to Code chapter 714G, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze. The bill also prohibits consumer reporting agencies from charging fees for placing or removing a protected consumer security freeze pursuant to Code section 714G.8A. The bill removes several references to payment of fees in Code chapter 714G.
   The bill also modifies various provisions relating to personal information security breach protection in Code chapter 715C. The bill expands the definition of “breach of security” to include the reasonable belief of unauthorized acquisition of personal information. However, the bill removes the unauthorized acquisition of personal information that was transferred from computerized form to another medium from the definition of “breach of security”. The definition of “encryption” is modified to mean the use of an algorithmic process pursuant to accepted industry standards.
   The bill exempts from the consumer notification requirements persons who are subject to and comply with specified federal health information laws.
   Current law requires a person who owns or licenses personal information that is subject to a breach of security requiring notification to more than 500 consumers in the state, as required by Code section 715C.2, to give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the security breach to any consumer. The bill removes language stating that a person give such written notice following the discovery of the breach or receipt of notification.
gh/rn