Bill Text: IA SSB1071 | 2019-2020 | 88th General Assembly | Introduced
Bill Title: A bill for an act modifying certain provisions relating to personal information security breach protection.
Spectrum: Committee Bill
Status: (N/A - Dead) 2019-01-30 - Subcommittee: Zaun, Hogg and Whiting.
Download: Iowa-2019-SSB1071-Introduced.html
Senate Study Bill 1071 - Introduced

SENATE/HOUSE FILE _____
BY (PROPOSED ATTORNEY GENERAL BILL)

A BILL FOR

An Act modifying certain provisions relating to personal information security breach protection.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 1256DP (5) 88
gh/jh
S.F. _____ H.F. _____
Section 1. Section 715C.1, subsections 5 and 11, Code 2019, are amended to read as follows:

5. “Encryption” means the use of an algorithmic process pursuant to accepted industry standards, or any other accepted industry standard process, to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

11. a. “Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security:

(1) Social security number.

(2) Driver’s license number or other unique identification number created or collected by a government body.

(3) Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account.

(4) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(5) Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.

(6) Medical history, medical treatment by a health care professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile.

(7) Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify an individual.

(8) Taxpayer identification number.

(9) A private key that is unique to an individual and that is used to authenticate or sign an electronic record.

(10) Passport number.

b. “Personal information” also includes an account username or electronic mail address, in combination with any required password or account security information that would permit access to a consumer’s online account.

~~b.~~ c. “Personal information” does not include information that is lawfully obtained from a publicly available ~~sources~~ source, or from federal, state, or local government records lawfully made available to the general public.
Sec. 2. Section 715C.2, subsections 1, 6, and 8, Code 2019, are amended to read as follows:

1. a. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to any consumer whose personal information was included in the information that was breached. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, ~~consistent with~~ but no later than forty-five days after the discovery of such breach of security or receipt of notification under subsection 2, unless a longer time is necessary because of the legitimate needs of law enforcement as provided in subsection 3, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.

b. In the case of a breach of security involving personal information relating to a consumer’s online account as described in section 715C.1, subsection 11, paragraph “b”, and no other personal information described in section 715C.1, subsection 11, the person or business may comply with the notification requirements of this section by providing notification of the security breach to the consumer whose personal information was subject to the breach of security, in electronic or other form, that directs the consumer to promptly change the consumer’s password or account security information, or to take any other appropriate steps to protect the consumer’s online account with the person or business and all other online accounts for which the consumer uses the same account username or electronic mail address and password or account security information. However, in providing notification of a breach of security in electronic form to an online account that is affected or compromised by the breach of security, a person or business may provide notification by such method only when the consumer is connected to the online account from an internet protocol address or online location from which the person or business knows the consumer customarily accesses the online account, and the notification is provided to the consumer in a clear and conspicuous manner.

6. a. Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.

b. In the event that notification is not required pursuant to this subsection, the person shall provide the written determination required in paragraph “a” to the director of the consumer protection division of the office of the attorney general within five business days after documenting such determination.

8. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred ~~residents of this state~~ consumers pursuant to ~~this section~~ subsection 1, or any of the laws, rules, regulations, procedures, guidance, or guidelines set forth in subsection 7, shall give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer pursuant to this section. The written notice shall include all of the following:

a. A sample copy of any notification sent to consumers.

b. The approximate number of consumers affected or potentially affected by the breach of security.

c. A description of any services offered to consumers affected or potentially affected by the breach of security, and instructions as to how consumers may use such services.

d. The name, address, telephone number, and electronic mail address of an individual who may be contacted by the consumer protection division of the office of the attorney general for any additional information about the breach of security.
Sec. 3. Section 715C.2, subsection 7, unnumbered paragraph 1, Code 2019, is amended to read as follows:

~~This section does~~ Subsections 1 through 6 shall not apply to any of the following:
Sec. 4. Section 715C.2, Code 2019, is amended by adding the following new subsection:

NEW SUBSECTION. 9. a. Any employer or payroll service provider that owns or licenses computerized data relating to income tax withholdings shall notify the consumer protection division of the office of the attorney general without unreasonable delay after discovery or notification of the unauthorized access and acquisition of unencrypted computerized data of a taxpayer identification number in combination with the income tax withholdings for that taxpayer, the unauthorized access and acquisition of which gives the employer or payroll service provider reason to believe that identity theft or other fraud has or will occur. With respect to an employer, this subsection applies only to information regarding the employer’s employees, and does not apply to information regarding the employer’s customers or other nonemployees.

b. In providing notification to the consumer protection division of the office of the attorney general pursuant to this subsection, the employer or payroll service provider shall provide the name and federal employer identification number of the person that was or may be affected by the breach of security. Upon receipt of such notice, the consumer protection division of the office of the attorney general shall notify the department of revenue of the breach of security.

c. Notwithstanding any other provision in this section, a breach of security involving information described in paragraph “a” shall be subject only to the notification requirements contained in this subsection.
EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill modifies various provisions relating to personal information security breach protection.

The bill expands the definition of “encryption” in Code section 715C.1 to include, in addition to the use of an algorithmic process pursuant to accepted industry standards, any other accepted industry standard process. The bill adds certain medical information, health insurance information, tax information, passport information, and electronic account information to the definition of “personal information”.

Current law requires a person who owns or licenses personal information that is subject to a breach of security to give notice to affected consumers in the most expeditious manner possible and without unreasonable delay. The bill provides that such notice to affected consumers must occur no later than 45 days after the discovery or notification of the breach of security, unless delayed for law enforcement reasons.

The bill provides that, in the case of a security breach only involving personal information about a consumer’s online account, a person or business may comply with the notification requirements of Code section 715C.2 by providing notification to the consumer whose personal information was subject to the security breach, in electronic or other form, that directs the consumer to take certain steps to protect the consumer’s online account with that person or business and all other online accounts for which the same account information is used. However, in providing notification of a security breach in electronic form to an online account that is affected or compromised by the security breach, a person or business may only do so when the consumer is connected to the online account from an internet protocol address or online location from which the person or business knows the customer customarily accesses the account, and the notification is provided in a clear and conspicuous manner.

Current law provides that a person who owns or licenses personal information that is subject to breach of security does not need to provide notification of the security breach to affected consumers if the person makes a written determination that there is no reasonable likelihood of financial harm to affected consumers. The bill requires a person who makes such a determination to provide this written determination to the director of the consumer protection division of the office of the attorney general within five business days after documenting the determination.

Current law requires a person who owns or licenses personal information that is subject to a breach of security requiring notification to more than 500 consumers in the state, as required by Code section 715C.2, to give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general. The bill provides that written notification to the attorney general is also required for breaches of security where written notification to more than 500 consumers in the state is required by a person’s primary or functional federal regulator, a state or federal law that gives greater protection to personal information than provided in Code section 715C.2, or certain federal law. The bill also specifies that written notification to the attorney general must include a sample copy of any notification sent to consumers, the approximate number of affected or potentially affected consumers, a description of any services offered to affected consumers, and contact information for an individual who may be contacted for additional information regarding the breach of security.

The bill provides that any employer or payroll service provider that owns or licenses computerized data relating to income tax withholdings shall notify the consumer protection division without unreasonable delay after discovery or notification of the breach of security of a taxpayer identification number in combination with the income tax withholdings for that taxpayer, the security breach of which gives the employer or payroll service provider reason to believe that identity theft or other fraud has or will occur. With respect to an employer, such notification requirements only apply to information regarding the employer’s employees. In providing notification to the consumer protection division, the employer or payroll service provider shall provide the name and federal employer identification number of the person affected. Upon receiving the notice, the consumer protection division shall notify the department of revenue of the security breach. The bill specifies that no other notification requirements apply to a security breach of this nature.