Senate File 2308 - Enrolled

PAG LIN



  1  1                                             SENATE FILE 2308
  1  2
  1  3                             AN ACT
  1  4 RELATING TO IDENTITY THEFT BY PROVIDING FOR THE NOTIFICATION
  1  5    OF A BREACH IN THE SECURITY OF PERSONAL INFORMATION,
  1  6    REQUESTING THE ESTABLISHMENT OF AN INTERIM STUDY COMMITTEE
  1  7    RELATING TO DISCLOSURE OF PERSONAL INFORMATION BY PUBLIC
  1  8    OFFICIALS, ENTITIES, AND AFFILIATED ORGANIZATIONS, AND
  1  9    PROVIDING PENALTIES.
  1 10
  1 11 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
  1 12
  1 13    Section 1.  NEW SECTION.  715C.1  DEFINITIONS.
  1 14    As used in this chapter, unless the context otherwise
  1 15 requires:
  1 16    1.  "Breach of security" means unauthorized acquisition of
  1 17 personal information maintained in computerized form by a
  1 18 person that compromises the security, confidentiality, or
  1 19 integrity of the personal information.  Good faith acquisition
  1 20 of personal information by a person or that person's employee
  1 21 or agent for a legitimate purpose of that person is not a
  1 22 breach of security, provided that the personal information is
  1 23 not used in violation of applicable law or in a manner that
  1 24 harms or poses an actual threat to the security,
  1 25 confidentiality, or integrity of the personal information.
  1 26    2.  "Consumer" means an individual who is a resident of
  1 27 this state.
  1 28    3.  "Consumer reporting agency" means the same as defined
  1 29 by the federal Fair Credit Reporting Act, 15 U.S.C. § 1681a.
  1 30    4.  "Debt" means the same as provided in section 537.7102.
  1 31    5.  "Encryption" means the use of an algorithmic process to
  1 32 transform data into a form in which the data is rendered
  1 33 unreadable or unusable without the use of a confidential
  1 34 process or key.
  1 35    6.  "Extension of credit" means the right to defer payment
  2  1 of debt or to incur debt and defer its payment offered or
  2  2 granted primarily for personal, family, or household purposes.
  2  3    7.  "Financial institution" means the same as defined in
  2  4 section 536C.2, subsection 6.
  2  5    8.  "Identity theft" means the same as provided in section
  2  6 715A.8.
  2  7    9.  "Payment card" means the same as defined in section
  2  8 715A.10, subsection 3, paragraph "b".
  2  9    10.  "Person" means an individual; corporation; business
  2 10 trust; estate; trust; partnership; limited liability company;
  2 11 association; joint venture; government; governmental
  2 12 subdivision, agency, or instrumentality; public corporation;
  2 13 or any other legal or commercial entity.
  2 14    11.  "Personal information" means an individual's first
  2 15 name or first initial and last name in combination with any
  2 16 one or more of the following data elements that relate to the
  2 17 individual if any of the data elements are not encrypted,
  2 18 redacted, or otherwise altered by any method or technology in
  2 19 such a manner that the name or data elements are unreadable:
  2 20    a.  Social security number.
  2 21    b.  Driver's license number or other unique identification
  2 22 number created or collected by a government body.
  2 23    c.  Financial account number, credit card number, or debit
  2 24 card number in combination with any required security code,
  2 25 access code, or password that would permit access to an
  2 26 individual's financial account.
  2 27    d.  Unique electronic identifier or routing code, in
  2 28 combination with any required security code, access code, or
  2 29 password that would permit access to an individual's financial
  2 30 account.
  2 31    e.  Unique biometric data, such as a fingerprint, retina or
  2 32 iris image, or other unique physical representation or digital
  2 33 representation of biometric data.
  2 34    "Personal information" does not include information that is
  2 35 lawfully obtained from publicly available sources, or from
  3  1 federal, state, or local government records lawfully made
  3  2 available to the general public.
  3  3    12.  "Redacted" means altered or truncated so that no more
  3  4 than five digits of a social security number or the last four
  3  5 digits of other numbers designated in section 715A.8,
  3  6 subsection 1, paragraph "a", is accessible as part of the
  3  7 data.
  3  8    Sec. 2.  NEW SECTION.  715C.2  SECURITY BREACH — CONSUMER
  3  9 NOTIFICATION — REMEDIES.
  3 10    1.  Any person who owns or licenses computerized data that
  3 11 includes a consumer's personal information that is used in the
  3 12 course of the person's business, vocation, occupation, or
  3 13 volunteer activities and that was subject to a breach of
  3 14 security shall give notice of the breach of security following
  3 15 discovery of such breach of security, or receipt of
  3 16 notification under subsection 2, to any consumer whose
  3 17 personal information was included in the information that was
  3 18 breached.  The consumer notification shall be made in the most
  3 19 expeditious manner possible and without unreasonable delay,
  3 20 consistent with the legitimate needs of law enforcement as
  3 21 provided in subsection 3, and consistent with any measures
  3 22 necessary to sufficiently determine contact information for
  3 23 the affected consumers, determine the scope of the breach, and
  3 24 restore the reasonable integrity, security, and
  3 25 confidentiality of the data.
  3 26    2.  Any person who maintains or otherwise possesses
  3 27 personal information on behalf of another person shall notify
  3 28 the owner or licensor of the information of any breach of
  3 29 security immediately following discovery of such breach of
  3 30 security if a consumer's personal information was included in
  3 31 the information that was breached.
  3 32    3.  The consumer notification requirements of this section
  3 33 may be delayed if a law enforcement agency determines that the
  3 34 notification will impede a criminal investigation and the
  3 35 agency has made a written request that the notification be
  4  1 delayed.  The notification required by this section shall be
  4  2 made after the law enforcement agency determines that the
  4  3 notification will not compromise the investigation and
  4  4 notifies the person required to give notice in writing.
  4  5    4.  For purposes of this section, notification to the
  4  6 consumer may be provided by one of the following methods:
  4  7    a.  Written notice to the last available address the person
  4  8 has in the person's records.
  4  9    b.  Electronic notice if the person's customary method of
  4 10 communication with the consumer is by electronic means or is
  4 11 consistent with the provisions regarding electronic records
  4 12 and signatures set forth in chapter 554D and the federal
  4 13 Electronic Signatures in Global and National Commerce Act, 15
  4 14 U.S.C. § 7001.
  4 15    c.  Substitute notice, if the person demonstrates that the
  4 16 cost of providing notice would exceed two hundred fifty
  4 17 thousand dollars, that the affected class of consumers to be
  4 18 notified exceeds three hundred fifty thousand persons, or if
  4 19 the person does not have sufficient contact information to
  4 20 provide notice.  Substitute notice shall consist of the
  4 21 following:
  4 22    (1)  Electronic mail notice when the person has an
  4 23 electronic mail address for the affected consumers.
  4 24    (2)  Conspicuous posting of the notice or a link to the
  4 25 notice on the internet web site of the person if the person
  4 26 maintains an internet web site.
  4 27    (3)  Notification to major statewide media.
  4 28    5.  Notice pursuant to this section shall include, at a
  4 29 minimum, all of the following:
  4 30    a.  A description of the breach of security.
  4 31    b.  The approximate date of the breach of security.
  4 32    c.  The type of personal information obtained as a result
  4 33 of the breach of security.
  4 34    d.  Contact information for consumer reporting agencies.
  4 35    e.  Advice to the consumer to report suspected incidents of
  5  1 identity theft to local law enforcement or the attorney
  5  2 general.
  5  3    6.  Notwithstanding subsection 1, notification is not
  5  4 required if, after an appropriate investigation or after
  5  5 consultation with the relevant federal, state, or local
  5  6 agencies responsible for law enforcement, the person
  5  7 determined that no reasonable likelihood of financial harm to
  5  8 the consumers whose personal information has been acquired has
  5  9 resulted or will result from the breach.  Such a determination
  5 10 must be documented in writing and the documentation must be
  5 11 maintained for five years.
  5 12    7.  This section does not apply to any of the following:
  5 13    a.  A person who complies with notification requirements or
  5 14 breach of security procedures that provide greater protection
  5 15 to personal information and at least as thorough disclosure
  5 16 requirements than that provided by this section pursuant to
  5 17 the rules, regulations, procedures, guidance, or guidelines
  5 18 established by the person's primary or functional federal
  5 19 regulator.
  5 20    b.  A person who complies with a state or federal law that
  5 21 provides greater protection to personal information and at
  5 22 least as thorough disclosure requirements for breach of
  5 23 security or personal information than that provided by this
  5 24 section.
  5 25    c.  A person who is subject to and complies with
  5 26 regulations promulgated pursuant to Title V of the
  5 27 Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801-6809.
  5 28    8.  a.  A violation of this chapter is an unlawful practice
  5 29 pursuant to section 714.16 and, in addition to the remedies
  5 30 provided to the attorney general pursuant to section 714.16,
  5 31 subsection 7, the attorney general may seek and obtain an
  5 32 order that a party held to violate this section pay damages to
  5 33 the attorney general on behalf of a person injured by the
  5 34 violation.
  5 35    b.  The rights and remedies available under this section
  6  1 are cumulative to each other and to any other rights and
  6  2 remedies available under the law.
  6  3    Sec. 3.  DISCLOSURE OF PERSONAL INFORMATION BY PUBLIC
  6  4 OFFICIALS, ENTITIES, OR AFFILIATED ORGANIZATIONS — INTERIM
  6  5 STUDY COMMITTEE REQUESTED.  The legislative council is
  6  6 requested to establish an interim study committee to assess
  6  7 and review the extent to which public officials, entities, and
  6  8 affiliated organizations in possession of or with access to
  6  9 personal identifying information of a resident of this state
  6 10 which could, if disclosed, render the resident vulnerable to
  6 11 identity theft, are disclosing or selling such information for
  6 12 compensation.  Based upon this assessment and review, the
  6 13 committee shall develop recommendations relating to these
  6 14 practices.  The committee shall be composed of ten members
  6 15 representing both political parties and both houses of the
  6 16 general assembly.  Five members shall be members of the
  6 17 senate, three of whom shall be appointed by the majority
  6 18 leader of the senate and two of whom shall be appointed by the
  6 19 minority leader of the senate.  The other five members shall
  6 20 be members of the house of representatives, three of whom
  6 21 shall be appointed by the speaker of the house of
  6 22 representatives and two of whom shall be appointed by the
  6 23 minority leader of the house of representatives.  The
  6 24 committee shall issue a report of its recommendations to the
  6 25 general assembly by January 15, 2009.
  6 26
  6 27
  6 28                                                             
  6 29                               JOHN P. KIBBIE
  6 30                               President of the Senate
  6 31
  6 32
  6 33                                                             
  6 34                               PATRICK J. MURPHY
  6 35                               Speaker of the House
  7  1
  7  2    I hereby certify that this bill originated in the Senate and
  7  3 is known as Senate File 2308, Eighty-second General Assembly.
  7  4
  7  5
  7  6                                                             
  7  7                               MICHAEL E. MARSHALL
  7  8                               Secretary of the Senate
  7  9 Approved                , 2008
  7 10
  7 11
  7 12                                
  7 13 CHESTER J. CULVER
  7 14 Governor