Bill Text: IA SSB3040 | 2013-2014 | 85th General Assembly | Introduced


Bill Title: A study bill for an act modifying provisions applicable to personal information security breach notification requirements, and making penalties applicable.

Spectrum: Unknown

Status: (N/A - Dead) 2014-01-17 - In Judiciary [SSB3040 Detail]

Download: Iowa-2013-SSB3040-Introduced.html
Senate Study Bill 3040 - Introduced

SENATE/HOUSE FILE _____
BY (PROPOSED ATTORNEY GENERAL BILL)

A BILL FOR

An Act modifying provisions applicable to personal information security breach notification requirements, and making penalties applicable.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5294DP (6) 85 rn/nh

S.F. _____ H.F. _____

Section 1. Section 715C.1, subsection 1, Code 2014, is amended to read as follows:

1. “Breach of security” means unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. “Breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form. Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.

Sec. 2. Section 715C.1, subsection 5, Code 2014, is amended to read as follows:

5. “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key. For purposes of this chapter, personal information shall not be considered encrypted when a key to unencrypt the information has been acquired in the breach of security by which the personal information was acquired.

Sec. 3. Section 715C.1, subsection 11, paragraphs c and d, Code 2014, are amended to read as follows:

c. Financial account number, credit card number, or debit card number alone or in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

d. Unique electronic identifier or routing code, alone or in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Sec. 4. Section 715C.1, subsection 12, Code 2014, is amended to read as follows:

12. “Redacted” means altered or truncated so that no more than five digits of a social security number or the last four digits of other numbers designated in section 715A.8, subsection 1, paragraph “a”, are accessible as part of the data. For purposes of this chapter, personal information shall not be considered redacted when a key to unredact the information has been acquired in the breach of security by which the personal information was acquired.

Sec. 5. Section 715C.2, Code 2014, is amended to read as follows:

715C.2 Security breach —— consumer notification requirements —— remedies.

1. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to any consumer whose personal information was included in the information that was breached. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection 3, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.

2. Any person who maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer’s personal information was included in the information that was breached.

3. The consumer notification requirements of this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the agency has made a written request that the notification be delayed. The notification required by this section shall be made after the law enforcement agency determines that the notification will not compromise the investigation and notifies the person required to give notice in writing.

4. For purposes of this section, notification to the consumer may be provided by one of the following methods:

a. Written notice to the last available address the person has in the person’s records.

b. Electronic notice if the person’s customary method of communication with the consumer is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in chapter 554D and the federal Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001.

c. Substitute notice, if the person demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of consumers to be notified exceeds three hundred fifty thousand persons, or if the person does not have sufficient contact information to provide notice. Substitute notice shall consist of the following:

(1) Electronic mail notice when the person has an electronic mail address for the affected consumers.

(2) Conspicuous posting of the notice or a link to the notice on the internet site of the person if the person maintains an internet site.

(3) Notification to major statewide media.

5. Notice pursuant to this section shall include, at a minimum, all of the following:

a. A description of the breach of security.

b. The approximate date of the breach of security.

c. The type of personal information obtained as a result of the breach of security.

d. Contact information for consumer reporting agencies.

e. Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general.

6. Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.

7. This section does not apply to any of the following:

a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator.

b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.

c. A person who is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801-6809.

8. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general prior to giving notice of the breach of security to any consumer. The requirement to provide notice pursuant to this subsection shall not be subject to a request to delay as provided in subsection 3, and shall apply regardless of whether the person is otherwise excused from giving notice to consumers pursuant to subsection 6 or 7.

8. 9. a. A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by the violation.

b. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under the law.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to notification requirements applicable to security breaches involving consumer personal information contained in Code chapter 715C.

The bill modifies several definitions contained in the Code chapter. The bill includes within the definition of a “breach of security” the unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form.

The definitions of “encryption” and “redacted” are amended to add that personal information shall not be considered encrypted or redacted when a key to unencrypt or unredact the information has been acquired in the breach of security by which the personal information was acquired.

Currently, personal information is defined in the Code chapter to include an individual’s first name or first initial and last name together with a financial account number, credit card number, debit card number, or unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The bill provides that a financial account number, credit card number, debit card number, or unique electronic identifier or routing code alone, or in addition to any required security code, access code, or password that would permit access to an individual’s financial account, may be considered personal information when combined with an individual’s first name or first initial and last name.

The bill also requires a person subject to the chapter’s consumer notification requirements to notify the director of the consumer protection division of the office of the attorney general prior to giving the required notice of the breach of security to any consumer. The bill provides that this requirement shall not be subject to delay upon the request of law enforcement personnel otherwise applicable to consumer notification, and further shall apply regardless of whether a person is otherwise excused from giving notice pursuant to the chapter’s provisions. Existing penalty provisions regarding unlawful practice and damages for violations of the consumer notification requirements would be applicable to the failure to provide notice of a breach of security to the director of the consumer protection division of the office of the attorney general.