Bill Text: IA HSB137 | 2013-2014 | 85th General Assembly | Introduced
Bill Title: A study bill for establishing data security compliance requirements in relation to payment card transactions, and providing penalties.
Spectrum: Unknown
Status: (N/A - Dead) 2013-02-13 - Commerce: Grassley Chair, Hall, and Fisher.
House Study Bill 137 - Introduced
HOUSE FILE _____
BY (PROPOSED COMMITTEE ON COMMERCE BILL BY CHAIRPERSON COWNIE)
A BILL FOR
An Act establishing data security compliance requirements in relation to payment card transactions, and providing penalties.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
TLSB 1395YC (2) 85
rn/nh
Section 1. Section 715C.2, subsection 8, Code 2013, is amended by striking the subsection.
Sec. 2. NEW SECTION. 715C.3 Personal information —— business duty to safeguard —— remedies.
1. Any person who accepts a payment card in connection with transactions occurring in the ordinary course of business has a duty to comply with or adhere to payment card industry data security standards. A financial institution may bring an action against a person who is subject to a breach of security if the person is found at the time of the breach to have engaged in or violated such data security standards.
2. In an action commenced by a financial institution to recover damages pursuant to subsection 1, the financial institution shall submit in writing a request that the person alleged to have violated this section certify compliance with the standards pursuant to a payment card industry-approved independent auditor or another person authorized to issue such a certification. A presumption of compliance shall exist if a person contracts for or utilizes the services of a third party to collect, maintain, or store personal information used in connection with a payment card, and contractually requires that the third party ensure compliance with the standards on an ongoing basis.
3. a. A financial institution prevailing in an action for failure to safeguard personal information against a breach of security may recover actual damages arising from the failure. Actual damages shall include any costs incurred by the financial institution in relation to the following:
(1) Cancellation or reissuance of a payment card affected by the security breach.
(2) Closing of a deposit, transaction, share draft, or other account affected by the security breach and any action to stop payment or block a transaction with respect to the account.
(3) Opening or reopening of a deposit, transaction, share draft, or other account affected by the security breach.
(4) Refunding or crediting made to an account holder to cover the cost of any unauthorized transaction relating to the breach of security.
(5) Notification to account holders affected by the breach of security pursuant to section 715C.2.
b. Reasonable attorney fees and costs shall be awarded to the prevailing party, with the exception that an award shall not be made to a person who failed to submit certification as required in subsection 2.
c. An action pursuant to this section shall not be commenced against any person other than a person who has been found to have violated this section.
Sec. 3. NEW SECTION. 715C.4 Penalties.
1. A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this chapter pay damages to the attorney general on behalf of a person injured by the violation.
2. The rights and remedies available under this chapter are cumulative to each other and to any other rights and remedies available under the law.
EXPLANATION
This bill establishes data security compliance requirements in relation to payment card transactions.
Current provisions in Code chapter 715C prescribe consumer notification requirements applicable to security breaches involving consumer personal information used in the course of a person’s business, vocation, occupation, or volunteer activities. This bill establishes requirements and remedies available to a financial institution in the event a security breach occurs and a person who accepts a payment card in connection with transactions occurring in the ordinary course of business has failed to comply with or adhere to payment card industry data security standards.
The bill provides that a financial institution may bring an action against a person who is subject to a breach of security if the person is found at the time of the breach to have engaged in or violated data security standards. The financial institution shall be required to submit in writing a request that the person alleged to have violated the standards certify compliance with the standards pursuant to a payment card industry-approved independent auditor or another person authorized to issue such a certification. The bill states that a presumption of compliance shall exist if a person contracts for or utilizes the services of a third party to collect, maintain, or store personal information used in connection with a payment card, and contractually requires that the third party ensure compliance with the standards on an ongoing basis.
The bill provides that a financial institution prevailing in an action for failure to safeguard personal information against a breach of security may recover actual damages, as specified in the bill, arising from the failure.
The bill makes existing unlawful practice penalty provisions for violations of Code section 715C.2 also applicable to data security compliance violations.