House Study Bill 15 - Introduced

HOUSE FILE _____

BY (PROPOSED COMMITTEE ON ECONOMIC GROWTH AND TECHNOLOGY BILL BY CHAIRPERSON SORENSEN)

A BILL FOR

An Act creating a cybersecurity unit within the office of the chief information officer.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 1268YC (1) 90 es/rn

Section 1. Section 8B.4, Code 2023, is amended by adding the following new subsection:

NEW SUBSECTION. 18A. Administer the cybersecurity unit established in section 8B.34.

Sec. 2. NEW SECTION. 8B.34 Cybersecurity unit.

1. As used in this section, unless the context otherwise requires, “cybersecurity incident” means a violation, or imminent threat of violation, of computer security policies, acceptable use policies, or cybersecurity practices.

2. A cybersecurity unit is created for the purpose of monitoring, managing, coordinating, and reporting cybersecurity incidents occurring within the state or a political subdivision of the state within the office of the chief information officer. The unit shall be administered by the chief information officer as provided in section 8B.4.

3. On or before December 31 of each year, and when requested by the general assembly, the cybersecurity unit shall provide a report to members of the general assembly containing the number and nature of incidents reported to the unit during the preceding calendar year or since the most recent report and making recommendations to the general assembly regarding cybersecurity standards for the state. If a request is made by the general assembly, a report shall be provided within thirty days of receipt of the request.

4. Qualified cybersecurity incidents shall be reported by a state agency or political subdivision to the cybersecurity unit no later than ten days following a determination that the state or political subdivision of the state experienced a qualified cybersecurity incident. A qualified cybersecurity incident shall meet at least one of the following criteria:

a. A state or federal law requires the reporting of the incident to regulatory or law enforcement agencies or affected citizens.

b. The ability of the state or political subdivision that experienced the incident to conduct business is substantially affected.

c. The incident would be classified as emergency, severe, or high risk by the U.S. cybersecurity and infrastructure security agency.

5. The report of the cybersecurity incident to the cybersecurity unit shall include:

a. The approximate date of the incident.

b. The date the incident was discovered.

c. The nature of any data that may have been illegally obtained or accessed.

d. A list of the state and federal regulatory agencies, self-regulatory bodies, and foreign regulatory agencies to whom a notification has been or will be provided by the state agency or political subdivision.

e. Additional information to the extent available.

6. The unit shall make available information regarding recent or ongoing qualified cybersecurity incidents to political subdivisions of the state and businesses operating in the state. The information shall include:

a. The nature of the cybersecurity attack.

b. The actor or actors perpetrating the cybersecurity attack.

c. Other relevant details that would assist a political subdivision or business in addressing or securing their systems against cybersecurity attacks.

7. Procedures for reporting a cybersecurity incident shall be established by the office by rule, made available on the office’s internet site, and distributed to the state and political subdivisions of the state.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill creates a cybersecurity unit under the office of the chief information officer. The office shall be administered by the chief information officer.

The bill defines “cybersecurity incident” to mean a violation, or imminent threat of violation, of computer security policies, acceptable use policies, or cybersecurity practices.

The bill provides that the cybersecurity unit shall be responsible for managing and coordinating cyber and computer security for the state and political subdivisions of the state. Annually or at the request of the general assembly, the unit will provide a report including the number of cybersecurity incidents since the last report and updated recommendations for cybersecurity practices. If a request is made by the general assembly, the unit shall provide a report within 30 days of the receipt of the request.

The bill provides a reporting mechanism and criteria for the state or political subdivisions of the state to inform the cybersecurity unit of cybersecurity incidents. Cybersecurity incidents shall be reported to the office no later than 10 days following an incident. The bill provides that the office shall provide information to political subdivisions or businesses operating in the state regarding cybersecurity incidents. The information shall include the nature of the cybersecurity attack, the actors perpetrating the attack, and other relevant information businesses or political subdivisions should be aware of to protect information systems. The office shall establish reporting procedures required by rule and distribute the procedures to the state and political subdivisions of the state.