Bill Text: IA SF2259 | 2013-2014 | 85th General Assembly | Enrolled

Bill Title: A bill for an act modifying provisions applicable to personal information security breach notification requirements, and making penalties applicable. (Formerly SSB 3040.) Effective 7-1-14.

Spectrum: Committee Bill

Status: (Passed) 2014-04-03 - Signed by Governor. S.J. 719. [SF2259 Detail]

Download: Iowa-2013-SF2259-Enrolled.html
Senate File 2259 AN ACT MODIFYING PROVISIONS APPLICABLE TO PERSONAL INFORMATION SECURITY BREACH NOTIFICATION REQUIREMENTS, AND MAKING PENALTIES APPLICABLE. BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA: Section 1. Section 715C.1, subsection 1, Code 2014, is amended to read as follows: 1. “Breach of security” means unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. “Breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.
Senate File 2259, p. 2 Sec. 2. Section 715C.1, subsection 11, unnumbered paragraph 1, Code 2014, is amended to read as follows: “Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security : Sec. 3. Section 715C.1, subsection 11, paragraph c, Code 2014, is amended to read as follows: c. Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account. Sec. 4. Section 715C.2, Code 2014, is amended to read as follows: 715C.2 Security breach —— consumer notification requirements —— remedies. 1. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2 , to any consumer whose personal information was included in the information that was breached. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection 3 , and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data. 2. Any person who maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer’s personal information was included in the information that was breached.
Senate File 2259, p. 3 3. The consumer notification requirements of this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the agency has made a written request that the notification be delayed. The notification required by this section shall be made after the law enforcement agency determines that the notification will not compromise the investigation and notifies the person required to give notice in writing. 4. For purposes of this section , notification to the consumer may be provided by one of the following methods: a. Written notice to the last available address the person has in the person’s records. b. Electronic notice if the person’s customary method of communication with the consumer is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in chapter 554D and the federal Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001. c. Substitute notice, if the person demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of consumers to be notified exceeds three hundred fifty thousand persons, or if the person does not have sufficient contact information to provide notice. Substitute notice shall consist of the following: (1) Electronic mail notice when the person has an electronic mail address for the affected consumers. (2) Conspicuous posting of the notice or a link to the notice on the internet site of the person if the person maintains an internet site. (3) Notification to major statewide media. 5. Notice pursuant to this section shall include, at a minimum, all of the following: a. A description of the breach of security. b. The approximate date of the breach of security. c. The type of personal information obtained as a result of the breach of security. d. Contact information for consumer reporting agencies. e. Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general. 6. Notwithstanding subsection 1 , notification is not required if, after an appropriate investigation or after
Senate File 2259, p. 4 consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years. 7. This section does not apply to any of the following: a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator. b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section . c. A person who is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801 6809. 8. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred residents of this state pursuant to this section shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer pursuant to this section. 8. 9. a. A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7 , the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by the violation. b. The rights and remedies available under this section are
Senate File 2259, p. 5 cumulative to each other and to any other rights and remedies available under the law. ______________________________ PAM JOCHUM President of the Senate ______________________________ KRAIG PAULSEN Speaker of the House I hereby certify that this bill originated in the Senate and is known as Senate File 2259, Eighty-fifth General Assembly. ______________________________ MICHAEL E. MARSHALL Secretary of the Senate Approved _______________, 2014 ______________________________ TERRY E. BRANSTAD Governor

LegiScan Search

View Top 50 Searches

Select area of search.
Find an exact bill number.
Search bill text and data. [help]
Reset

LegiScan Trends

View Top 50 National

CA AB2226 Elementary education: kindergarten.
MN HF4772 Elections policy and finance bill.
MD HB149 Medical Records - Destruction - Notice and Retrieval
IL SB2879 FIRE DIST-COMPETITIVE BIDDING
CA AB2215 Criminal procedure: arrests.
US HB8854 To amend title 38, United States Code, to authorize the provision of certain...
LA HB974 Provides relative to qualifications for library directors
LA HB868 Provides relative to standards for psychiatric hospitals and residential...
CA AB2498 Housing: the California Housing Security Act.
HI HB2070 Relating To Procurement.
feedback