Bill Text: IA HF554 | 2023-2024 | 90th General Assembly | Introduced
Bill Title: A bill for an act prohibiting the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks, and including effective date provisions.(Formerly HSB 153.)
Spectrum: Committee Bill
Status: (Introduced - Dead) 2024-02-01 - Subcommittee recommends passage. Vote Total: 2-1. [HF554 Detail]
Download: Iowa-2023-HF554-Introduced.html
House File 554 - Introduced

HOUSE FILE 554
BY COMMITTEE ON ECONOMIC GROWTH AND TECHNOLOGY
(SUCCESSOR TO HSB 153)

A BILL FOR

An Act prohibiting the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 1269HV (3) 90
es/rn

H.F. 554

Section 1. Section 8B.4, Code 2023, is amended by adding the following new subsection:

NEW SUBSECTION. 18A. Authorize the state or a political subdivision of the state, not including a municipal utility, in consultation with the department of public safety and the department of homeland security and emergency management, to expend revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack pursuant to section 8H.3.

Sec. 2. NEW SECTION. 8H.1 Definitions.

As used in this chapter, unless the context otherwise requires:

1. “Critical infrastructure” means the same as defined in section 29C.24. “Critical infrastructure” includes real and personal property and equipment owned or used to provide fire fighting, law enforcement, medical, or other emergency services.

2. “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

3. “Political subdivision” means a city, county, township, or school district. “Political subdivision” does not include a municipal utility.

4. “Ransomware attack” means carrying out until payment is made, or threatening to carry out until payment is made, any of the following actions:

a. An act declared unlawful pursuant to section 715.4.

b. A breach of security as defined in section 715C.1.

c. The use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.

Sec. 3. NEW SECTION. 8H.2 Requirement to report a ransomware attack.
If the state or a political subdivision of the state is subject to a ransomware attack, the state or the political subdivision shall provide notice of the ransomware attack to the office of the chief information officer following discovery of the ransomware attack. The notice shall be provided in the most expeditious manner possible and without unreasonable delay. The office of the chief information officer shall adopt rules establishing notification procedures pursuant to this section.

Sec. 4. NEW SECTION. 8H.3 Revenue received from taxpayers —— prohibition —— ransomware.

1. Except as provided in subsection 2 or 3, the state or a political subdivision of the state shall not expend tax revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

2. The office of the chief information officer shall notify the department of public safety and the department of homeland security and emergency management, and may authorize the state or a political subdivision of the state to expend tax revenue otherwise prohibited pursuant to subsection 1 in the event of any of the following:

a. A critical or emergency situation as defined by the department of homeland security and emergency management, or when the department of homeland security and emergency management determines the expenditure of tax revenue is in the public interest.

b. A ransomware attack affecting critical infrastructure within the state or a political subdivision of the state.

3. The state or a political subdivision of the state may expend tax revenue otherwise prohibited pursuant to subsection 1 in the event of a ransomware attack affecting an officer or employee of the judicial branch.

Sec. 5. NEW SECTION. 8H.4 Payments for insurance.

The state or a political subdivision of the state may use revenue received from taxpayers to pay premiums, deductibles, and other costs associated with an insurance policy at any time related to cybersecurity or ransomware attacks only if the state or the political subdivision first exhausts all other reasonable means of mitigating a potential ransomware attack. Subject to section 8H.3, subsections 2 and 3, nothing in this section shall be construed to authorize the state or a political subdivision of the state to make a direct payment using revenue received from taxpayers to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.
Sec. 6. NEW SECTION. 8H.5 Confidential records.

Information related to all of the following shall be considered a confidential record under section 22.7:

1. Insurance coverage maintained by the state or a political subdivision of the state related to cybersecurity or a ransomware attack.

2. Payment by the state or a political subdivision of the state to a person responsible for, or believed to be responsible for, a ransomware attack pursuant to section 8H.3.

Sec. 7. LEGISLATIVE INTENT. It is the intent of the general assembly that the state and the political subdivisions of the state have tested cybersecurity mitigation plans and policies.

Sec. 8. RULEMAKING. The office of the chief information officer shall prepare a notice of intended action for the adoption of rules to administer this Act. The notice of intended action shall be submitted to the administrative rules coordinator and the administrative code editor as soon as practicable, but no later than October 1, 2023. However, nothing in this section authorizes the office of the chief information officer to adopt rules under section 17A.4, subsection 3, or section 17A.5, subsection 2, paragraph “b”.

Sec. 9. EFFECTIVE DATE.

1. Except as provided in subsection 2, this Act takes effect July 1, 2024.

2. The section of this Act requiring the office of the chief information officer to prepare a notice of intended action for the adoption of rules to administer this Act, being deemed of immediate importance, takes effect upon enactment.
EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill prohibits the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks.

The bill defines “critical infrastructure” to mean real and personal property and equipment owned or used by communication and video networks, gas distribution systems, water and wastewater pipeline systems, and electric generation, transmission, and distribution systems, including related support facilities, which network or system provides service to more than one customer or person as defined in Code section 29C.24. “Critical infrastructure” includes but is not limited to buildings, structures, offices, lines, poles, pipes, and equipment, as well as real and personal property owned or used to provide fire fighting, law enforcement, medical, or other emergency services. The bill defines “encryption” as the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key. The bill defines “political subdivision” as a city, county, township, or school district. The bill defines “ransomware attack” to mean carrying out until payment is made, or threatening to carry out until payment is made, including an act declared unlawful pursuant to Code section 715.4, a “breach of security” as defined in Code section 715C.1, or the use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.
The bill requires that when the state or a political subdivision of the state is subject to a ransomware attack and discovers the attack, the state or political subdivision shall expeditiously provide notice to the office of the chief information officer. The office of the chief information officer shall adopt rules establishing notification procedures.

The bill provides that the state or a political subdivision of the state shall not expend revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

The bill allows the office of the chief information officer to authorize such expenditures in the event of a critical or emergency situation as determined by the department of homeland security and emergency management and requires the office of the chief information officer to notify the departments of the expenditures. The bill provides that information related to a political subdivision’s insurance coverage for cybersecurity or ransomware attack shall be considered confidential records.

The bill provides that the state or a political subdivision of the state may use taxpayer revenue to pay for cybersecurity insurance or related ransomware insurance at any time if the state or political subdivision first exhausts all other reasonable means of mitigating a potential ransomware attack.

The bill includes a legislative intent section, which provides that it is the intent of the general assembly that the state and political subdivisions of the state have tested cybersecurity mitigation plans and policies.

The bill takes effect July 1, 2024, except for the section of the bill requiring the office of the chief information officer to prepare a notice of intended action (NOIA) for the adoption of rules, which takes effect upon enactment. The NOIA must be submitted to the administrative rules coordinator and administrative code editor as soon as possible and no later than October 1, 2023. The bill does not authorize the office of the chief information officer to adopt emergency rules under Code section 17A.4(3) or Code section 17A.5(2)(b).