PROPOSED
HOUSE OF REPRESENTATIVES AMENDMENTS TO H.B. 2154
(Reference to printed bill)
Page 1, line 8, strike "of, or unauthorized access"
Line 10, strike "or" insert "and"; strike "data that includes"
Strike lines 20 through 26
Line 27, strike "encrypted" insert "Encrypt"; strike "an algorithmic" insert "a"
Between lines 32 and 33, insert:
"5. "Nationwide consumer reporting agency":
(a) Means a consumer reporting agency that complies and maintains files on consumers on a nationwide basis as defined in 15 United States Code section 1681a(p).
(b) Does not include a nationwide SPECIALTY consumer reporting agency as defined in 15 United States Code section 1681a(x)."
Renumber to conform
Lines 40 and 41, strike ":
(a)"
Line 42, strike "(i)" insert "(a)"
Line 43, after "more" insert "of the following"; strike the period insert "when the data is not encrypted and redacted:"
Line 44, strike "(ii)" insert "(i)"; strike "electronic signature" insert "social security number"
Page 2, strike lines 1 through 11, insert:
"(ii) The number on An individual's driver license issued pursuant to section 28-3166 or nonoperating identification license issued pursuant to section 28-3165.
(iii) An individual's financial account number or credit or debit card number in combination with any required security code, access code or password that would allow access to an individual's financial account.
(iv) Unique biometric data generated from measurements or analysis of human body characteristics for purposes of authenticating the individual when the individual accesses an online account.
(v) An individual's health insurance identification number.
(vi) An individual's medical or mental health treatment or diagnosis by a health care professional."
Renumber to conform
Page 2, strike line 15
Line 21, strike "social security number,"
Strike line 22
Line 23, strike "financial account number or credit or debit card"; after "that" insert "both:
(a)"
Between lines 24 and 25, insert:
"(b) At least two digits have been removed."
Line 42, strike "or" insert "and"
Page 3, line 5, strike "thirty" insert "forty-five"
Line 6, after "determination" insert "and after restoring the integrity of the system"
Line 7, after "1." insert "If the personal information of one thousand or more individuals was breached,"; after "writing" insert "in a form as prescribed by the attorney general or attach a copy of the notification to the attorney general"
Line 10, strike "F" insert "E"
Line 11, strike "E" insert "D"
Line 15, strike "C." insert "3."
Reletter to conform
Page 3, strike lines 16 through 18, insert "individuals, notify the three largest nationwide"
Lines 19 and 20, strike "that compile and maintain files on consumers on a nationwide basis"
Line 21, strike "or" insert "and"
Line 22, strike "data that includes"
Line 23, after "own" insert "or license"; strike "immediately" insert ", as soon as PRACTICABLE,"
Line 28, strike "The"
Strike lines 29 and 30
Line 31, strike "subsections B and C of this section, as applicable."
Line 33, after "licensee" strike remainder of line
Line 34, strike "after discovering the breach but"; strike "notice to the"
Strike line 35
Line 36, strike "this"; strike "article" insert "the notifications required by subsection B of this section"
Line 38, strike "subsections" insert "subsection"; strike "and C" insert ", paragraphs 2 and 3"
Strike lines 44 and 45
Page 4, strike line 1
Line 2, strike "and without unreasonable delay" insert "make the required notifications, as applicable, within thirty days after notification by law enforcement"
Line 8, after "largest" insert "nationwide"
Line 13, after "G." insert "Except for a breach of personal information as prescribed in section 18-551, paragraph 7, subdivision (b),"
Between lines 33 and 34, insert:
"G. In the case of a breach that involves personal information as prescribed in section 18-551, paragraph 7, subdivision (b) for an online account and that does not involve personal information as defined in section 18-551, paragraph 7, subdivision (a), the person complies with this section by providing the notification in electronic or other form that directs the individual whose personal information has been breached to promptly change the individual's password and security question or answer, as applicable, or to take other steps that are appropriate to protect the online account with the person and all other online accounts for which the individual whose personal information has been breached uses the same user name and e-mail address and password or security question or answer. If the breach of personal information as prescribed in section 18-551, paragraph 7, subdivision (b) is for login credentials of an e-mail account furnished by the person, the person is not required to comply with this section by providing the notification to that e-mail address, but may comply with this section by providing notification by another method described in this subsection or by clear and conspicuous notification delivered to the individual online when the individual is connected to the online account from an internet protocol address or online location from which the person knows the individual customarily accesses the account."
Reletter to conform
Page 5, line 3, strike "subsection B of"
Line 4, after "to" strike remainder of line
Line 5, strike "affected individuals or consumer reporting agencies" insert "make the notification required by subsection B of this section"; strike "the person" insert "the person,"
Line 9, strike "occurred or" insert "resulted in and"; strike "occur" insert "result in financial fraud or identity theft"
Page 7, line 40, after "18-545" strike remainder of line
Line 41, strike "legal records" insert "18-551"
Amend title to conform