Bill Text: IA SSB1071 | 2019-2020 | 88th General Assembly | Introduced


Bill Title: A bill for an act modifying certain provisions relating to personal information security breach protection.

Spectrum: Partisan Bill (? 1-0)

Status: (N/A) 2019-01-30 - Subcommittee: Zaun, Hogg and Whiting. [SSB1071 Detail]

Download: Iowa-2019-SSB1071-Introduced.html
Senate Study Bill 1071 - Introduced

SENATE/HOUSE FILE _____

BY (PROPOSED ATTORNEY GENERAL BILL)

A BILL FOR

An Act modifying certain provisions relating to personal information security breach protection.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 1256DP (5) 88 gh/jh
Section 1. Section 715C.1, subsections 5 and 11, Code 2019, are amended to read as follows:

5. “Encryption” means the use of an algorithmic process pursuant to accepted industry standards, or any other accepted industry standard process, to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

11. a. “Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security:

(1) Social security number.

(2) Driver’s license number or other unique identification number created or collected by a government body.

(3) Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account.

(4) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(5) Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.

(6) Medical history, medical treatment by a health care professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile.

(7) Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify an individual.

(8) Taxpayer identification number.

(9) A private key that is unique to an individual and that is used to authenticate or sign an electronic record.

(10) Passport number.

b. “Personal information” also includes an account username or electronic mail address, in combination with any required password or account security information that would permit access to a consumer’s online account.

~~b.~~ c. “Personal information” does not include information that is lawfully obtained from a publicly available ~~sources~~ source, or from federal, state, or local government records lawfully made available to the general public.

Sec. 2. Section 715C.2, subsections 1, 6, and 8, Code 2019, are amended to read as follows:

1. a. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to any consumer whose personal information was included in the information that was breached.
The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, ~~consistent with~~ but no later than forty-five days after the discovery of such breach of security or receipt of notification under subsection 2, unless a longer time is necessary because of the legitimate needs of law enforcement as provided in subsection 3, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.

b. In the case of a breach of security involving personal information relating to a consumer’s online account as described in section 715C.1, subsection 11, paragraph “b”, and no other personal information described in section 715C.1, subsection 11, the person or business may comply with the notification requirements of this section by providing notification of the security breach to the consumer whose personal information was subject to the breach of security, in electronic or other form, that directs the consumer to promptly change the consumer’s password or account security information, or to take any other appropriate steps to protect the consumer’s online account with the person or business and all other online accounts for which the consumer uses the same account username or electronic mail address and password or account security information. However, in providing notification of a breach of security in electronic form to an online account that is affected or compromised by the breach of security, a person or business may provide notification by such method only when the consumer is connected to the online account from an internet protocol address or online location from which the person or business knows the consumer customarily accesses the online account, and the notification is provided to the consumer in a clear and conspicuous manner.

6. a. Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.

b. In the event that notification is not required pursuant to this subsection, the person shall provide the written determination required in paragraph “a” to the director of the consumer protection division of the office of the attorney general within five business days after documenting such determination.

8. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred ~~residents of this state~~ consumers pursuant to ~~this section~~ subsection 1, or any of the laws, rules, regulations, procedures, guidance, or guidelines set forth in subsection 7, shall give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer pursuant to this section. The written notice shall include all of the following:

a. A sample copy of any notification sent to consumers.

b. The approximate number of consumers affected or potentially affected by the breach of security.

c. A description of any services offered to consumers affected or potentially affected by the breach of security, and instructions as to how consumers may use such services.

d. The name, address, telephone number, and electronic mail address of an individual who may be contacted by the consumer protection division of the office of the attorney general for any additional information about the breach of security.

Sec. 3. Section 715C.2, subsection 7, unnumbered paragraph 1, Code 2019, is amended to read as follows:

~~This section does~~ Subsections 1 through 6 shall not apply to any of the following:

Sec. 4. Section 715C.2, Code 2019, is amended by adding the following new subsection:

NEW SUBSECTION. 9. a. Any employer or payroll service provider that owns or licenses computerized data relating to income tax withholdings shall notify the consumer protection division of the office of the attorney general without unreasonable delay after discovery or notification of the unauthorized access and acquisition of unencrypted computerized data of a taxpayer identification number in combination with the income tax withholdings for that taxpayer, the unauthorized access and acquisition of which gives the employer or payroll service provider reason to believe that identity theft or other fraud has or will occur. With respect to an employer, this subsection applies only to information regarding the employer’s employees, and does not apply to information regarding the employer’s customers or other nonemployees.

b. In providing notification to the consumer protection division of the office of the attorney general pursuant to this subsection, the employer or payroll service provider shall provide the name and federal employer identification number of the person that was or may be affected by the breach of security. Upon receipt of such notice, the consumer protection division of the office of the attorney general shall notify the department of revenue of the breach of security.

c. Notwithstanding any other provision in this section, a breach of security involving information described in paragraph “a” shall be subject only to the notification requirements contained in this subsection.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill modifies various provisions relating to personal information security breach protection.

The bill expands the definition of “encryption” in Code section 715C.1 to include, in addition to the use of an algorithmic process pursuant to accepted industry standards, any other accepted industry standard process.
The bill adds certain medical information, health insurance information, tax information, passport information, and electronic account information to the definition of “personal information”.

Current law requires a person who owns or licenses personal information that is subject to a breach of security to give notice to affected consumers in the most expeditious manner possible and without unreasonable delay. The bill provides that such notice to affected consumers must occur no later than 45 days after the discovery or notification of the breach of security, unless delayed for law enforcement reasons.

The bill provides that, in the case of a security breach only involving personal information about a consumer’s online account, a person or business may comply with the notification requirements of Code section 715C.2 by providing notification to the consumer whose personal information was subject to the security breach, in electronic or other form, that directs the consumer to take certain steps to protect the consumer’s online account with that person or business and all other online accounts for which the same account information is used. However, in providing notification of a security breach in electronic form to an online account that is affected or compromised by the security breach, a person or business may only do so when the consumer is connected to the online account from an internet protocol address or online location from which the person or business knows the customer customarily accesses the account, and the notification is provided in a clear and conspicuous manner.

Current law provides that a person who owns or licenses personal information that is subject to breach of security does not need to provide notification of the security breach to affected consumers if the person makes a written determination that there is no reasonable likelihood of financial harm to affected consumers. The bill requires a person who makes such a determination to provide this written determination to the director of the consumer protection division of the office of the attorney general within five business days after documenting the determination.

Current law requires a person who owns or licenses personal information that is subject to a breach of security requiring notification to more than 500 consumers in the state, as required by Code section 715C.2, to give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general. The bill provides that written notification to the attorney general is also required for breaches of security where written notification to more than 500 consumers in the state is required by a person’s primary or functional federal regulator, a state or federal law that gives greater protection to personal information than provided in Code section 715C.2, or certain federal law. The bill also specifies that written notification to the attorney general must include a sample copy of any notification sent to consumers, the approximate number of affected or potentially affected consumers, a description of any services offered to affected consumers, and contact information for an individual who may be contacted for additional information regarding the breach of security.

The bill provides that any employer or payroll service provider that owns or licenses computerized data relating to income tax withholdings shall notify the consumer protection division without unreasonable delay after discovery or notification of the breach of security of a taxpayer identification number in combination with the income tax withholdings for that taxpayer, the security breach of which gives the employer or payroll service provider reason to believe that identity theft or other fraud has or will occur. With respect to an employer, such notification requirements only apply to information regarding the employer’s employees. In providing notification to the consumer protection division, the employer or payroll service provider shall provide the name and federal employer identification number of the person affected. Upon receiving the notice, the consumer protection division shall notify the department of revenue of the security breach. The bill specifies that no other notification requirements apply to a security breach of this nature.