Bill Text: IA HF2423 | 2017-2018 | 87th General Assembly | Introduced
Bill Title: A bill for an act relating to consumer protection modifying provisions applicable to consumer security freezes and personal information security breach protection. (Formerly HSB 622.)
Sponsorship: Committee Bill
Status: (Introduced - Dead) 2018-03-01 - Withdrawn. H.J. 441.
House File 2423 - Introduced

HOUSE FILE
BY COMMITTEE ON JUDICIARY
(SUCCESSOR TO HSB 622)

A BILL FOR

An Act relating to consumer protection modifying provisions applicable to consumer security freezes and personal information security breach protection.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 6148HV (6) 87 gh/rn

Section 1. Section 714G.2, Code 2018, is amended to read as follows:

714G.2 Security freeze.

1. A consumer may submit by certified mail to a consumer reporting agency a written request for a security freeze to a consumer reporting agency by first-class mail, telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method. The consumer must submit proper identification and the applicable fee with the request. Within five three business days after receiving the request, the consumer reporting agency shall commence the security freeze. Within ten three business days after commencing the security freeze, the consumer reporting agency shall send a written confirmation to the consumer of the security freeze, a personal identification number or password, other than the consumer's social security number, for the consumer to use in authorizing the suspension or removal of the security freeze, including information on how the security freeze may be temporarily suspended.

2. a. If a consumer requests a security freeze from a consumer reporting agency that compiles and maintains files on a nationwide basis, the consumer may request to have the security freeze applied to any other consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.

b. For purposes of this subsection, "consumer reporting agency that compiles and maintains files on a nationwide basis" means the same as defined in 15 U.S.C. §1681a(p).

Sec. 2. Section 714G.3, subsection 1, Code 2018, is amended to read as follows:

1. A consumer may request that a security freeze be temporarily suspended to allow the consumer reporting agency to release the consumer credit report for a specific time period. The consumer reporting agency may shall develop procedures to expedite the receipt and processing of requests which may involve the use of telephones by first-class mail, telephone, facsimile transmissions, the secure internet connection, secure electronic mail, or other secure electronic media contact method. The consumer reporting agency shall comply with the request within three business days after receiving the consumer's written request, or within fifteen minutes after the consumer's request is received by the consumer reporting agency through facsimile, the secure internet connection, secure electronic mail, or other secure electronic contact method chosen by the consumer reporting agency, or the use of a telephone, during normal business hours. The consumer's request shall include all of the following:

a. Proper identification.

b. The personal identification number or password provided by the consumer reporting agency.

c. Explicit instructions of the specific time period designated for suspension of the security freeze.

d. Payment of the applicable fee.

Sec. 3. Section 714G.4, unnumbered paragraph 1, Code 2018, is amended to read as follows:

A security freeze remains in effect until the consumer requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days after receiving a request for removal that includes proper identification of the consumer, and the personal identification number or password provided by the consumer reporting agency, and payment of the applicable fee.

Sec. 4. Section 714G.5, Code 2018, is amended to read as follows:

714G.5 Fees prohibited.

1. A consumer reporting agency shall not charge any fee to a consumer who is the victim of identity theft for commencing a security freeze, temporary suspension, or removal if with the initial security freeze request, the consumer submits a valid copy of the police report concerning the unlawful use of identification information by another person.

2. A consumer reporting agency may charge a fee not to exceed ten dollars to a consumer who is not the victim of identity theft for each security freeze, removal, or for reissuing a personal identification number or password if the consumer fails to retain the original number. The consumer reporting agency may charge a fee not to exceed twelve dollars for each temporary suspension of a security freeze.

A consumer reporting agency shall not charge a fee to a consumer for providing any service pursuant to this chapter, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze.

Sec. 5. Section 714G.8A, subsection 1, paragraph d, Code 2018, is amended by striking the paragraph.

Sec. 6. Section 714G.8A, subsection 3, paragraph d, Code 2018, is amended by striking the paragraph.

Sec. 7. Section 714G.8A, subsection 5, Code 2018, is amended to read as follows:

5. a. A consumer reporting agency may shall not charge a reasonable fee, not to exceed five dollars, for each the placement, or removal, or reinstatement of a protected consumer security freeze. A consumer reporting agency may not charge any other fee for a service performed pursuant to this section.

b. Notwithstanding paragraph "a", a fee may not be charged by a consumer reporting agency pursuant to either of the following:

(1) If the protected consumer's representative has obtained a police report or affidavit of alleged identity theft under section 715A.8 and submits a copy of the report or affidavit to the consumer reporting agency.

(2) A request for the commencement or removal of a protected consumer security freeze is for a protected consumer who is under the age of sixteen years at the time of the request and the consumer reporting agency has a consumer credit report pertaining to the protected consumer.

Sec. 8. Section 715C.1, subsections 1 and 5, Code 2018, are amended to read as follows:

1. "Breach of security" means unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. "Breach of security" also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person's employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.

5. "Encryption" means the use of an algorithmic process pursuant to accepted industry standards to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

Sec. 9. Section 715C.2, subsections 7 and 8, Code 2018, are amended to read as follows:

7. This section does not apply to any of the following:

a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person's primary or functional federal regulator.

b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.

c. A person who is subject to and complies with regulations promulgated pursuant to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 - 6809.

d. A person who is subject to and complies with regulations promulgated pursuant to Tit. II, subtit. F of the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §1320d - 1320d-9, and Tit. XIII, subtit. D of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 - 17954.

8. Any person who owns or licenses computerized data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred residents of this state pursuant to this section shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer pursuant to this section.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation's substance by the members of the general assembly.

This bill relates to consumer security freezes and personal information security breach protection.

Current law permits a consumer to submit a request for a security freeze via certified mail. The bill expands the methods permitted for a consumer to submit a request for a security freeze to allow such requests to be submitted via first-class mail, telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method.

The bill reduces the number of days by which a consumer reporting agency must commence a security freeze after receiving a request from five to three business days. The bill also reduces the number of days by which a consumer reporting agency must send written confirmation to a consumer after commencing a security freeze from ten to three business days.

The bill provides that if a consumer requests a security freeze from a consumer reporting agency that compiles and maintains files on a nationwide basis, as defined in the bill, the consumer may request to have the security freeze applied to any other similar consumer reporting agency.

The bill requires consumer reporting agencies to develop procedures to expedite the receipt and processing of security freeze suspension requests received via the same methods permitted for consumers to submit such requests. The bill requires a consumer reporting agency to commence a security freeze suspension within 15 minutes after receiving a request through telephone, facsimile, secure internet connection, secure electronic mail, or other secure electronic contact method.

The bill prohibits consumer reporting agencies from charging fees to consumers for providing any service pursuant to Code chapter 714G, including but not limited to placing, removing, temporarily suspending, or reinstating a security freeze. The bill also prohibits consumer reporting agencies from charging fees for placing or removing a protected consumer security freeze pursuant to Code section 714G.8A. The bill removes several references to payment of fees in Code chapter 714G.

The bill also modifies various provisions relating to personal information security breach protection in Code chapter 715C. The bill expands the definition of "breach of security" to include the reasonable belief of unauthorized acquisition of personal information. However, the bill removes the unauthorized acquisition of personal information that was transferred from computerized form to another medium from the definition of "breach of security". The definition of "encryption" is modified to mean the use of an algorithmic process pursuant to accepted industry standards.

The bill exempts from the consumer notification requirements persons who are subject to and comply with specified federal health information laws.

Current law requires a person who owns or licenses personal information that is subject to a breach of security requiring notification to more than 500 consumers in the state, as required by Code section 715C.2, to give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the security breach to any consumer. The bill removes language stating that a person give such written notice following the discovery of the breach or receipt of notification.

LSB 6148HV (6) 87 gh/rn
