Senate Study Bill 1095 - Introduced

SENATE FILE _____

BY (PROPOSED COMMITTEE ON TECHNOLOGY BILL BY CHAIRPERSON COURNOYER)

A BILL FOR

An Act relating to affirmative defenses for entities using cybersecurity programs and electronic transactions recorded by blockchain technology.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 1826XC (2) 90
cm/ns

S.F. _____
Section 1. Section 554D.103, subsections 7, 8, and 15, Code 2023, are amended to read as follows:

7. “Electronic record” means a record created, generated, sent, communicated, received, or stored by electronic means. “Electronic record” includes any record or contract secured through distributed ledger technology or blockchain technology.

8. “Electronic signature” means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record. “Electronic signature” includes a signature that is secured through distributed ledger technology or blockchain technology.

15. “State” means a state of the United States, the District of Columbia, Puerto Rico, the United States Virgin Islands, or any territory or insular possession subject to the jurisdiction of the United States. “State” includes an Indian tribe or band, or Alaskan Native village, which is recognized by federal law or formally acknowledged by a state.

Sec. 2. NEW SECTION. 554G.1 Definitions.

As used in this chapter:

1. “Business” means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of any of the foregoing.

2. “Covered entity” means a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.

3. “Data breach” means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information or restricted
information owned by or licensed to a covered entity and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to person or property. “Data breach” does not include any of the following:

a. Good-faith acquisition of personal information or restricted information by the covered entity’s employee or agent for the purposes of the covered entity, provided that the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure.

b. Acquisition of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.

4. “Encrypted” means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

5. “Individual” means a natural person.

6. a. “Personal information” means an individual’s name, consisting of the individual’s first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:

(1) Social security number.

(2) Driver’s license number or state identification card number.

(3) Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual’s financial account.

b. “Personal information” does not include publicly available information that is lawfully made available to the
general public from federal, state, or local government records or any of the following media that are widely distributed:

(1) Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio or television.

(2) Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media identified in this paragraph.

(3) Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit corporation.

(4) Any type of media similar in nature to any item, entity, or activity identified in this paragraph.

7. “Redacted” means altered or truncated so that no more than the last four digits of a social security number, driver’s license number, state identification card number, account number, or credit or debit card number is accessible as part of the data.

8. “Restricted information” means any information about an individual, other than personal information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual’s identity or that is linked or linkable to an individual, if the information is not encrypted, redacted, or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.

Sec. 3. NEW SECTION. 554G.2 Affirmative defenses.

1. A covered entity seeking an affirmative defense under this chapter shall do one of the following:

a. Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry-recognized cybersecurity
framework, as described in section 554G.3.

b. Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework, as described in section 554G.3.

2. A covered entity’s cybersecurity program shall be designed to do all of the following with respect to the information described in subsection 1, paragraph “a” or “b”, as applicable:

a. Protect the security and confidentiality of the information.

b. Protect against any anticipated threats or hazards to the security or integrity of the information.

c. Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.

3. The scale and scope of a covered entity’s cybersecurity program under subsection 1, paragraph “a” or “b”, as applicable, is appropriate if the cybersecurity program is based on all of the following factors:

a. The size and complexity of the covered entity.

b. The nature and scope of the activities of the covered entity.

c. The sensitivity of the information to be protected.

d. The cost and availability of tools to improve information security and reduce vulnerabilities.

e. The resources available to the covered entity.

4. a. A covered entity that satisfies subsection 1, paragraph “a”, and subsections 2 and 3, is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement
reasonable information security controls resulted in a data breach concerning personal information.

b. A covered entity that satisfies subsection 1, paragraph “b”, and subsections 2 and 3, is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.

Sec. 4. NEW SECTION. 554G.3 Cybersecurity program framework.

1. A covered entity’s cybersecurity program, as described in section 554G.2, reasonably conforms to an industry-recognized cybersecurity framework for purposes of section 554G.2 if any of the following are true:

a. (1) The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to subparagraph (2) and subsection 2:

(a) The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology.

(b) National institute of standards and technology special publication 800-171.

(c) National institute of standards and technology special publications 800-53 and 800-53a.

(d) The federal risk and authorization management program security assessment framework.

(e) The center for internet security critical security controls for effective cyber defense.

(f) The international organization for standardization/international electrotechnical commission 27000 family —— information security management systems.

(2) When a final revision to a framework listed in subparagraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework
shall reasonably conform to the revised framework not later than one year after the publication date stated in the revision.

b. (1) The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to subparagraph (2):

(a) The security requirements of the federal Health Insurance Portability and Accountability Act of 1996, as set forth in 45 C.F.R. pt. 164, subpt. C.

(b) Title V of the federal Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.

(c) The federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.

(d) The federal Health Information Technology for Economic and Clinical Health Act as set forth in 45 C.F.R. pt. 162.

(2) When a framework listed in subparagraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the amended framework not later than one year after the effective date of the amended framework.

c. (1) The cybersecurity program reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in paragraph “a”, subject to subparagraph (2) and subsection 2.

(2) When a final revision to the payment card industry data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply with the revised standard not later than one year after the publication date stated in the revision.
2. If a covered entity’s cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry data security standard, as described in subsection 1, paragraph “a” or “c”, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform to or comply with, as applicable, all of the revised frameworks not later than one year after the latest publication date stated in the revisions.

Sec. 5. NEW SECTION. 554G.4 Causes of actions.

This chapter shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under those sections.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to cybersecurity programs and blockchain technology. The bill changes the definitions of “electronic record” and “electronic signature” in the Uniform Electronic Transactions Act to include blockchain technology.

The bill creates affirmative defenses for entities using cybersecurity programs and provides definitions. The bill provides that a covered entity seeking an affirmative defense must use a cybersecurity program for the protection of personal information or both personal information and restricted information, and the cybersecurity program must reasonably conform to an industry-recognized cybersecurity framework. A cybersecurity program must protect the security and confidentiality of the information, protect against any anticipated threats to the information, and protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft. A cybersecurity program’s scale and scope should be based upon the size and complexity of the covered entity, the nature
and scope of the covered entity’s activities, the sensitivity of the information, and the cost and availability of tools and resources to improve information security. A covered entity that satisfies the above requirements is entitled to an affirmative defense to a tort claim that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.

The bill provides industry-recognized cybersecurity frameworks that the covered entity should follow and reasonably comply with in order to qualify for the affirmative defense.

The bill does not provide a private right of action, including a class action.