Bill Text: IA SF2177 | 2017-2018 | 87th General Assembly | Enrolled


Bill Title: A bill for an act relating to consumer protection modifying provisions applicable to consumer security freezes and personal information security breach protection, and including effective date provisions. (Formerly SF 2054.) Various effective dates; see section 10 of bill.

Spectrum: Committee Bill

Status: (Passed) 2018-04-10 - Signed by Governor. S.J. 902. [SF2177 Detail]

Download: Iowa-2017-SF2177-Enrolled.html

Senate File 2177 - Enrolled




                              SENATE FILE       
                              BY  COMMITTEE ON COMMERCE

                              (SUCCESSOR TO SF 2054)
 \5
                                   A BILL FOR
 \1
                                       Senate File 2177

                             AN ACT
 RELATING TO CONSUMER PROTECTION MODIFYING PROVISIONS
    APPLICABLE TO CONSUMER SECURITY FREEZES AND PERSONAL
    INFORMATION SECURITY BREACH PROTECTION, AND INCLUDING
    EFFECTIVE DATE PROVISIONS.

 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
    Section 1.  Section 714G.2, Code 2018, is amended to read as
 follows:
    714G.2  Security freeze.
    1.  A consumer may submit by certified mail to a consumer
 reporting agency a written request for a security freeze to
 a consumer reporting agency by first=class mail, telephone,
 secure internet connection, or other secure electronic contact
 method designated by the consumer reporting agency. The
 consumer must submit proper identification and the applicable
 fee with the request. Within five three business days after
 receiving the request, the consumer reporting agency shall
 commence the security freeze. Within ten three business days
 after commencing the security freeze, the consumer reporting
 agency shall send a written confirmation to the consumer of the
 security freeze, a personal identification number or password,
 other than the consumer's social security number, for the
 consumer to use in authorizing the suspension or removal of
 the security freeze, including information on how the security
 freeze may be temporarily suspended.
    2.  a.  If a consumer requests a security freeze from a
 consumer reporting agency that compiles and maintains files
 on a nationwide basis, the consumer reporting agency shall
 identify, to the best of its knowledge, any other consumer
 reporting agency that compiles and maintains files on consumers
 on a nationwide basis and inform consumers of appropriate
 contact information that would permit the consumer to place,
 lift, or remove a security freeze from such other consumer
 reporting agency.
    b.  For purposes of this subsection, "consumer reporting
 agency that compiles and maintains files on a nationwide basis"
  means the same as defined in 15 U.S.C. {1681a(p).
    Sec. 2.  Section 714G.3, subsection 1, Code 2018, is amended
 to read as follows:
    1.  A consumer may request that a security freeze be
 temporarily suspended to allow the consumer reporting agency to
 release the consumer credit report for a specific time period.
 The consumer reporting agency may shall develop procedures
 to expedite the receipt and processing of requests which may
 involve the use of telephones by first=class mail, telephone,
 facsimile transmissions, the secure internet connection, or
 other secure electronic media contact method designated by
 the consumer reporting agency. The consumer reporting agency
 shall comply with the request within three business days
 after receiving the consumer's written request, or within
 fifteen minutes after the consumer's request is received by
 the consumer reporting agency through facsimile, the secure
  internet, connection or other secure electronic contact method
 chosen designated by the consumer reporting agency, or the use
 of a telephone, during normal business hours. The consumer's
 request shall include all of the following:
    a.  Proper identification.
    b.  The personal identification number or password provided
 by the consumer reporting agency.
    c.  Explicit instructions of the specific time period
 designated for suspension of the security freeze.
    d.  Payment of the applicable fee.
    Sec. 3.  Section 714G.4, unnumbered paragraph 1, Code 2018,
 is amended to read as follows:
    A security freeze remains in effect until the consumer
 requests that the security freeze be removed. A consumer
 reporting agency shall remove a security freeze within three
 business days after receiving a request for removal that
 includes proper identification of the consumer, and the
 personal identification number or password provided by the
 consumer reporting agency, and payment of the applicable fee.
    Sec. 4.  Section 714G.5, Code 2018, is amended to read as
 follows:
    714G.5  Fees prohibited.
    1.  A consumer reporting agency shall not charge any fee to
 a consumer who is the victim of identity theft for commencing
 a security freeze, temporary suspension, or removal if with
 the initial security freeze request, the consumer submits a
 valid copy of the police report concerning the unlawful use of
 identification information by another person.
    2.  A consumer reporting agency may charge a fee not to
 exceed ten dollars to a consumer who is not the victim of
 identity theft for each security freeze, removal, or for
 reissuing a personal identification number or password if the
 consumer fails to retain the original number. The consumer
 reporting agency may charge a fee not to exceed twelve dollars
 for each temporary suspension of a security freeze. 
    A consumer reporting agency shall not charge a fee to a
 consumer for providing any service pursuant to this chapter,
 including but not limited to placing, removing, temporarily
 suspending, or reinstating a security freeze.
    Sec. 5.  Section 714G.8A, subsection 1, paragraph d, Code
 2018, is amended by striking the paragraph.
    Sec. 6.  Section 714G.8A, subsection 3, paragraph d, Code
 2018, is amended by striking the paragraph.
    Sec. 7.  Section 714G.8A, subsection 5, Code 2018, is amended
 to read as follows:
    5.  a.  A consumer reporting agency may shall not charge
 a reasonable fee, not to exceed five dollars, for each the
  placement, or removal, or reinstatement of a protected consumer
 security freeze. A consumer reporting agency may not charge
 any other fee for a service performed pursuant to this section.
    b.  Notwithstanding paragraph "a", a fee may not be charged
 by a consumer reporting agency pursuant to either of the
 following:
    (1)  If the protected consumer's representative has obtained
 a police report or affidavit of alleged identity theft under
 section 715A.8 and submits a copy of the report or affidavit to
 the consumer reporting agency.
    (2)  A request for the commencement or removal of a protected
 consumer security freeze is for a protected consumer who is
 under the age of sixteen years at the time of the request and
 the consumer reporting agency has a consumer credit report
 pertaining to the protected consumer.
    Sec. 8.  Section 715C.1, subsection 5, Code 2018, is amended
 to read as follows:
    5.  "Encryption" means the use of an algorithmic process
 pursuant to accepted industry standards to transform data into
 a form in which the data is rendered unreadable or unusable
 without the use of a confidential process or key.
    Sec. 9.  Section 715C.2, subsections 7 and 8, Code 2018, are
 amended to read as follows:
    7.  This section does not apply to any of the following:
    a.  A person who complies with notification requirements or
 breach of security procedures that provide greater protection
 to personal information and at least as thorough disclosure
 requirements than that provided by this section pursuant to
 the rules, regulations, procedures, guidance, or guidelines
 established by the person's primary or functional federal
 regulator.
    b.  A person who complies with a state or federal law
 that provides greater protection to personal information and
 at least as thorough disclosure requirements for breach of
 security or personal information than that provided by this
 section.
    c.  A person who is subject to and complies with regulations
 promulgated pursuant to Tit. V of the federal
 Gramm=Leach=Bliley Act of 1999, 15 U.S.C. {6801 = 6809.
    d.  A person who is subject to and complies with regulations
 promulgated pursuant to Tit. II, subtit. F of the federal
 Health Insurance Portability and Accountability Act of 1996,
 42 U.S.C. {1320d = 1320d=9, and Tit. XIII, subtit. D of the
 federal Health Information Technology for Economic and Clinical
 Health Act of 2009, 42 U.S.C. {17921 = 17954.
    8.  Any person who owns or licenses computerized data that
 includes a consumer's personal information that is used in
 the course of the person's business, vocation, occupation,
 or volunteer activities and that was subject to a breach of
 security requiring notification to more than five hundred
 residents of this state pursuant to this section shall give
 written notice of the breach of security following discovery
 of such breach of security, or receipt of notification under
 subsection 2, to the director of the consumer protection
 division of the office of the attorney general within five
 business days after giving notice of the breach of security to
 any consumer pursuant to this section.
    Sec. 10.  EFFECTIVE DATE.  The following take effect January
 1, 2019:
    1.  The section of this Act amending section 714G.2.
    2.  The section of this Act amending section 714G.3,
 subsection 1.
    3.  The section of this Act amending section 714G.4,
 unnumbered paragraph 1.


                                                                                            CHARLES SCHNEIDE


                                                                                            LINDA UPMEYER


                                                                                            W. CHARLES SMITH


                                                                                            KIM REYNOLDS

                             -1-
feedback