Senate Study Bill 1047
SENATE FILE
BY (PROPOSED COMMITTEE ON
COMMERCE BILL BY
CHAIRPERSON McCOY)
A BILL FOR
An Act establishing data security compliance requirements in relation to payment card transactions, and providing penalties.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
LSB 1395XC (1) 85
rn/nh
Section 1. Section 715C.2, subsection 8, Code 2013, is amended by striking the subsection.
Sec. 2. NEW SECTION. 715C.3 Personal information — business duty to safeguard — remedies.
1. Any person who accepts a payment card in connection with transactions occurring in the ordinary course of business has a duty to comply with or adhere to payment card industry data security standards. A financial institution may bring an action against a person who is subject to a breach of security if the person is found at the time of the breach to have engaged in or violated such data security standards.
2. In an action commenced by a financial institution to recover damages pursuant to subsection 1, the financial institution shall submit in writing a request that the person alleged to have violated this section certify compliance with the standards pursuant to a payment card industry-approved independent auditor or another person authorized to issue such a certification. A presumption of compliance shall exist if a person contracts for or utilizes the services of a third party to collect, maintain, or store personal information used in connection with a payment card, and contractually requires that the third party ensure compliance with the standards on an ongoing basis.
3. a. A financial institution prevailing in an action for failure to safeguard personal information against a breach of security may recover actual damages arising from the failure. Actual damages shall include any costs incurred by the financial institution in relation to the following:
(1) Cancellation or reissuance of a payment card affected by the security breach.
(2) Closing of a deposit, transaction, share draft, or other account affected by the security breach and any action to stop payment or block a transaction with respect to the account.
(3) Opening or reopening of a deposit, transaction, share draft, or other account affected by the security breach.
(4) Refunding or crediting made to an account holder to cover the cost of any unauthorized transaction relating to the breach of security.
(5) Notification to account holders affected by the breach of security pursuant to section 715C.2.
b. Reasonable attorney fees and costs shall be awarded to the prevailing party, with the exception that an award shall not be made to a person who failed to submit certification as required in subsection 2.
c. An action pursuant to this section shall not be commenced against any person other than a person who has been found to have violated this section.
Sec. 3. NEW SECTION. 715C.4 Penalties.
1. A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this chapter pay damages to the attorney general on behalf of a person injured by the violation.
2. The rights and remedies available under this chapter are cumulative to each other and to any other rights and remedies available under the law.
EXPLANATION
This bill establishes data security compliance requirements in relation to payment card transactions.
Current provisions in Code chapter 715C prescribe consumer notification requirements applicable to security breaches involving consumer personal information used in the course of a person's business, vocation, occupation, or volunteer activities. This bill establishes requirements and remedies available to a financial institution in the event a security breach occurs and a person who accepts a payment card in connection with transactions occurring in the ordinary course of business has failed to comply with or adhere to payment card industry data security standards.
The bill provides that a financial institution may bring an action against a person who is subject to a breach of security if the person is found at the time of the breach to have engaged in or violated data security standards. The financial institution shall be required to submit in writing a request that the person alleged to have violated the standards certify compliance with the standards pursuant to a payment card industry-approved independent auditor or another person authorized to issue such a certification. The bill states that a presumption of compliance shall exist if a person contracts for or utilizes the services of a third party to collect, maintain, or store personal information used in connection with a payment card, and contractually requires that the third party ensure compliance with the standards on an ongoing basis.
The bill provides that a financial institution prevailing in an action for failure to safeguard personal information against a breach of security may recover actual damages, as specified in the bill, arising from the failure.
The bill makes existing unlawful practice penalty provisions for violations of Code section 715C.2 also applicable to data security compliance violations.