

Senate Study Bill 1047

SENATE FILE BY (PROPOSED COMMITTEE ON COMMERCE BILL BY CHAIRPERSON McCOY)

A BILL FOR

An Act establishing data security compliance requirements in relation to payment card transactions, and providing penalties.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 1395XC (1) 85
rn/nh

Section 1. Section 715C.2, subsection 8, Code 2013, is amended by striking the subsection.

Sec. 2. NEW SECTION. 715C.3 Personal information -- business duty to safeguard -- remedies.

1. Any person who accepts a payment card in connection with transactions occurring in the ordinary course of business has a duty to comply with or adhere to payment card industry data security standards. A financial institution may bring an action against a person who is subject to a breach of security if the person is found at the time of the breach to have engaged in or violated such data security standards.

2. In an action commenced by a financial institution to recover damages pursuant to subsection 1, the financial institution shall submit in writing a request that the person alleged to have violated this section certify compliance with the standards pursuant to a payment card industry-approved independent auditor or another person authorized to issue such a certification. A presumption of compliance shall exist if a person contracts for or utilizes the services of a third party to collect, maintain, or store personal information used in connection with a payment card, and contractually requires that the third party ensure compliance with the standards on an ongoing basis.

3. a. A financial institution prevailing in an action for failure to safeguard personal information against a breach of security may recover actual damages arising from the failure. Actual damages shall include any costs incurred by the financial institution in relation to the following:

(1) Cancellation or reissuance of a payment card affected by the security breach.

(2) Closing of a deposit, transaction, share draft, or other account affected by the security breach and any action to stop payment or block a transaction with respect to the account.

(3) Opening or reopening of a deposit, transaction, share draft, or other account affected by the security breach.

(4) Refunding or crediting made to an account holder to cover the cost of any unauthorized transaction relating to the breach of security.

(5) Notification to account holders affected by the breach of security pursuant to section 715C.2.

b. Reasonable attorney fees and costs shall be awarded to the prevailing party, with the exception that an award shall not be made to a person who failed to submit certification as required in subsection 2.

c. An action pursuant to this section shall not be commenced against any person other than a person who has been found to have violated this section.

Sec. 3. NEW SECTION. 715C.4 Penalties.

1. A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this chapter pay damages to the attorney general on behalf of a person injured by the violation.

2. The rights and remedies available under this chapter are cumulative to each other and to any other rights and remedies available under the law.

EXPLANATION

This bill establishes data security compliance requirements in relation to payment card transactions.

Current provisions in Code chapter 715C prescribe consumer notification requirements applicable to security breaches involving consumer personal information used in the course of a person's business, vocation, occupation, or volunteer activities. This bill establishes requirements and remedies available to a financial institution in the event a security breach occurs and a person who accepts a payment card in connection with transactions occurring in the ordinary course of business has failed to comply with or adhere to payment card industry data security standards.

The bill provides that a financial institution may bring an action against a person who is subject to a breach of security if the person is found at the time of the breach to have engaged in or violated data security standards. The financial institution shall be required to submit in writing a request that the person alleged to have violated the standards certify compliance with the standards pursuant to a payment card industry-approved independent auditor or another person authorized to issue such a certification. The bill states that a presumption of compliance shall exist if a person contracts for or utilizes the services of a third party to collect, maintain, or store personal information used in connection with a payment card, and contractually requires that the third party ensure compliance with the standards on an ongoing basis.

The bill provides that a financial institution prevailing in an action for failure to safeguard personal information against a breach of security may recover actual damages, as specified in the bill, arising from the failure.

The bill makes existing unlawful practice penalty provisions for violations of Code section 715C.2 also applicable to data security compliance violations.

LSB 1395XC (1) 85
rn/nh