Bill Text: IA SF204 | 2019-2020 | 88th General Assembly | Introduced
Bill Title: A bill for an act providing for an affirmative defense to certain claims relating to personal information security breach protection.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2019-02-25 - Subcommittee Meeting: 02/27/2019 11:00AM Senate Lobbyist Lounge. [SF204 Detail]
Download: Iowa-2019-SF204-Introduced.html
Senate
File
204
-
Introduced
SENATE
FILE
204
BY
NUNN
A
BILL
FOR
An
Act
providing
for
an
affirmative
defense
to
certain
claims
1
relating
to
personal
information
security
breach
protection.
2
BE
IT
ENACTED
BY
THE
GENERAL
ASSEMBLY
OF
THE
STATE
OF
IOWA:
3
TLSB
2293XS
(2)
88
gh/rn
S.F.
204
Section
1.
Section
715C.2,
subsection
9,
paragraph
a,
Code
1
2019,
is
amended
to
read
as
follows:
2
a.
A
violation
of
this
chapter
section
is
an
unlawful
3
practice
pursuant
to
section
714.16
and,
in
addition
to
the
4
remedies
provided
to
the
attorney
general
pursuant
to
section
5
714.16,
subsection
7
,
the
attorney
general
may
seek
and
obtain
6
an
order
that
a
party
held
to
violate
this
section
pay
damages
7
to
the
attorney
general
on
behalf
of
a
person
injured
by
the
8
violation.
9
Sec.
2.
NEW
SECTION
.
715C.3
Affirmative
defense
for
10
implementation
of
cyber
security
program.
11
1.
It
is
an
affirmative
defense
to
any
claim
or
action
12
alleging
that
a
person’s
failure
to
implement
reasonable
13
security
measures
resulted
in
a
breach
of
security,
that
the
14
person
established,
maintained,
and
complied
with
a
cyber
15
security
program
which
meets
all
of
the
following
conditions:
16
a.
The
program
contains
administrative,
technical,
and
17
physical
safeguards
for
the
protection
of
personal
information.
18
b.
The
program
conforms
to
current
and
accepted
industry
19
standards
regarding
cyber
security
and
personal
information
20
security
breach
protection.
21
c.
The
program
is
designed
to
protect
the
security
and
22
confidentiality
of
personal
information.
23
d.
The
program
is
designed
to
protect
against
any
24
anticipated
threats
or
hazards
to
the
security
or
integrity
of
25
personal
information.
26
e.
The
program
is
designed
to
protect
against
unauthorized
27
access
to
and
acquisition
of
personal
information
that
is
28
likely
to
result
in
a
material
risk
of
identity
theft
or
other
29
fraud
to
the
individual
to
whom
such
personal
information
30
relates.
31
2.
An
affirmative
defense
under
this
section
shall
be
32
established
by
a
preponderance
of
the
evidence.
33
3.
This
section
shall
not
be
construed
to
create
a
private
34
right
of
action
with
respect
to
a
breach
of
security.
35
-1-
LSB
2293XS
(2)
88
gh/rn
1/
2
S.F.
204
EXPLANATION
1
The
inclusion
of
this
explanation
does
not
constitute
agreement
with
2
the
explanation’s
substance
by
the
members
of
the
general
assembly.
3
This
bill
establishes
an
affirmative
defense
to
any
claim
or
4
action
alleging
that
a
person’s
failure
to
implement
security
5
measures
resulted
in
a
breach
of
security;
that
the
person
6
established,
maintained,
and
complied
with
a
cyber
security
7
program
that
contains
administrative,
technical,
and
physical
8
safeguards;
conforms
to
current
and
accepted
industry
standards
9
regarding
cyber
security;
is
designed
to
protect
the
security
10
and
confidentiality
of
personal
information;
is
designed
to
11
protect
against
any
anticipated
threats
or
hazards
to
personal
12
information;
and
is
designed
to
protect
against
unauthorized
13
access
to
and
acquisition
of
personal
information.
14
The
bill
provides
that
an
affirmative
defense
under
the
bill
15
shall
be
established
by
a
preponderance
of
the
evidence.
The
16
bill
also
provides
that
it
shall
not
be
construed
to
create
a
17
private
right
of
action
with
respect
to
personal
information
18
security
breaches.
19
-2-
LSB
2293XS
(2)
88
gh/rn
2/
2