Bill Text: IA SF2259 | 2013-2014 | 85th General Assembly | Introduced
NOTE: There are more recent revisions of this legislation.
Bill Title: A bill for an act modifying provisions applicable to personal information security breach notification requirements, and making penalties applicable. (Formerly SSB 3040.) Effective 7-1-14.
Spectrum: Committee Bill
Status: (Passed) 2014-04-03 - Signed by Governor. S.J. 719.
Senate File 2259 - Introduced
SENATE FILE 2259 BY COMMITTEE ON JUDICIARY (SUCCESSOR TO SSB 3040)
A BILL FOR
An Act modifying provisions applicable to personal information security breach notification requirements, and making penalties applicable.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
TLSB 5294SV (2) 85 rn/nh
Section 1. Section 715C.1, subsection 1, Code 2014, is amended to read as follows:
1. “Breach of security” means unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. “Breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form. Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.
Sec. 2. Section 715C.1, subsection 11, unnumbered paragraph 1, Code 2014, is amended to read as follows:
“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security:
Sec. 3. Section 715C.2, Code 2014, is amended to read as follows:
715C.2 Security breach —— consumer notification requirements —— remedies.
1. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to any consumer whose personal information was included in the information that was breached. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection 3, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.
2. Any person who maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer’s personal information was included in the information that was breached.
3. The consumer notification requirements of this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the agency has made a written request that the notification be delayed. The notification required by this section shall be made after the law enforcement agency determines that the notification will not compromise the investigation and notifies the person required to give notice in writing.
4. For purposes of this section, notification to the consumer may be provided by one of the following methods:
a. Written notice to the last available address the person has in the person’s records.
b. Electronic notice if the person’s customary method of communication with the consumer is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in chapter 554D and the federal Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001.
c. Substitute notice, if the person demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of consumers to be notified exceeds three hundred fifty thousand persons, or if the person does not have sufficient contact information to provide notice. Substitute notice shall consist of the following:
(1) Electronic mail notice when the person has an electronic mail address for the affected consumers.
(2) Conspicuous posting of the notice or a link to the notice on the internet site of the person if the person maintains an internet site.
(3) Notification to major statewide media.
5. Notice pursuant to this section shall include, at a minimum, all of the following:
a. A description of the breach of security.
b. The approximate date of the breach of security.
c. The type of personal information obtained as a result of the breach of security.
d. Contact information for consumer reporting agencies.
e. Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general.
6. Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.
7. This section does not apply to any of the following:
a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator.
b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.
c. A person who is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801 – 6809.
8. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred persons pursuant to this section shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general within three business days after giving notice of the breach of security to any consumer pursuant to this section.
8. 9. a. A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by the violation.
b. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under the law.
EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.
This bill relates to notification requirements applicable to security breaches involving consumer personal information contained in Code chapter 715C.
The bill includes within the definition of a “breach of security” the unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form. The bill modifies the definition of “personal information” to add that designated data elements relating to the individual constitute personal information if they are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through a security breach.
The bill also requires a person subject to the Code chapter’s consumer notification requirements who was subject to a breach of security requiring notification of more than 500 persons to give written notice of the breach to the director of the consumer protection division of the office of the attorney general. The notice must be given within three business days after giving notice of the breach to an impacted consumer.
Existing penalty provisions regarding unlawful practice and damages for violations of the consumer notification requirements would be applicable to the failure to provide notice of a breach of security as specified in the bill.