House Study Bill 198 - Introduced
SENATE/HOUSE FILE _____
BY (PROPOSED DEPARTMENT OF
COMMERCE/INSURANCE DIVISION
BILL)
A BILL FOR
An Act relating to standards for data security, and investigations and notifications of cybersecurity events, for certain licensees under the jurisdiction of the commissioner of insurance, making penalties applicable, and including effective date provisions.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
LSB 1335XD (6) 89
ko/rn
S.F. _____ H.F. _____
Section 1. NEW SECTION. 507F.1 Title.
This chapter may be cited as the “Insurance Data Security Act”.

Sec. 2. NEW SECTION. 507F.2 Purpose and scope.
1. Notwithstanding any provision of law to the contrary, this chapter establishes the exclusive state standards for data security, and the investigation and notification of cybersecurity events, applicable to licensees.
2. This chapter shall not be construed to create or imply a private cause of action for a violation of its provisions, and shall not be construed to curtail a private cause of action that otherwise exists in the absence of this chapter.

Sec. 3. NEW SECTION. 507F.3 Definitions.
As used in this chapter, unless the context otherwise requires:
1. “Authorized individual” means an individual known to and screened by a licensee and determined to be necessary and appropriate to have access to nonpublic information held by the licensee and the licensee’s information system.
2. “Commissioner” means the commissioner of insurance.
3. “Consumer” means an individual, including but not limited to an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this state and whose nonpublic information is in a licensee’s possession, custody, or control.
4. “Cybersecurity event” means an event resulting in unauthorized access to, or the disruption or misuse of, an information system or of nonpublic information stored on an information system. “Cybersecurity event” does not include any of the following:
a. The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.
b. An event for which a licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released, and the nonpublic information has been returned or destroyed.
5. “Delivered by electronic means” means delivery to an electronic mail address at which a consumer has consented to receive notices or documents.
6. “Encrypted” means the transformation of data into a form that results in a low probability of assigning meaning to the data without the use of a protective process or key.
7. “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.
8. “Home state” means the same as defined in section 522B.1.
9. “Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
10. “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, and any specialized system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system.
11. “Insurer” means the same as defined in section 521A.1.
12. “Licensee” means a person licensed, authorized to operate, or registered, or a person required to be licensed, authorized to operate, or registered pursuant to the insurance laws of this state. “Licensee” does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state, or a person acting as an assuming insurer that is domiciled in another state or jurisdiction.
13. “Multi-factor authentication” means authentication through verification of at least two of the following types of authentication factors:
a. A knowledge factor, such as a password.
b. A possession factor, such as a token or text message on a mobile phone.
c. An inherence factor, such as a biometric characteristic.
14. “Nonpublic information” means electronic information that is not publicly available information and that is any of the following:
a. Business-related information of a licensee the tampering of which, or unauthorized disclosure, access, or use of which, will cause a material adverse impact to the business, operations, or security of the licensee.
b. Information concerning a consumer which can be used to identify the consumer due to a name, number, personal mark, or other identifier, used in combination with any one or more of the following data elements:
(1) A social security number.
(2) A driver’s license number or a nondriver identification card number.
(3) A financial account number, a credit card number, or a debit card number.
(4) A security code, an access code, or a password that will permit access to a consumer’s financial accounts.
(5) A biometric record.
c. Information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, and that relates to any of the following:
(1) The past, present, or future physical, mental, or behavioral health or condition of a consumer, or a member of the consumer’s family.
(2) The provision of health care services to a consumer.
(3) Payment for the provision of health care services to a consumer.
15. “Person” means an individual or a nongovernmental entity, including but not limited to a nongovernmental partnership, corporation, branch, agency, or association.
16. “Publicly available information” means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records, by widely distributed media, or by disclosure to the general public as required by federal, state, or local law. For purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has determined all of the following:
a. That the information is of a type that is available to the general public.
b. That if a consumer may direct that the information not be made available to the general public, the consumer has not directed that the information not be made available to the general public.
17. “Risk assessment” means the assessment that a licensee is required to conduct pursuant to section 507F.4, subsection 3.
18. “Third-party service provider” means a person that is not a licensee that contracts with a licensee to maintain, process, store, or is otherwise permitted access to nonpublic information through the person’s provision of services to the licensee.

Sec. 4. NEW SECTION. 507F.4 Information security program.
1. a. Commensurate with the size and complexity of a licensee, the nature and scope of a licensee’s activities including the licensee’s use of third-party service providers, and the sensitivity of nonpublic information used by the licensee or that is in the licensee’s possession, custody, or control, the licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment conducted pursuant to subsection 3.
b. This section shall not apply to any of the following:
(1) A licensee that meets any of the following criteria:
(a) Has fewer than ten individuals on its workforce, including employees and independent contractors.
(b) Has less than five million dollars in gross annual revenue.
(c) Has less than ten million dollars in year-end total assets.
(2) An employee, agent, representative, or designee of a licensee, and the employee, agent, representative, or designee is also a licensee, if the employee, agent, representative, or designee is covered by the information security program of the other licensee.
c. A licensee shall have one hundred eighty calendar days from the date the licensee no longer qualifies for exemption under paragraph “b” to comply with this section.
2. A licensee’s information security program must be designed to do all of the following:
a. Protect the security and confidentiality of nonpublic information and the security of the licensee’s information system.
b. Protect against threats or hazards to the security or integrity of nonpublic information and the licensee’s information system.
c. Protect against unauthorized access to or the use of nonpublic information, and minimize the likelihood of harm to any consumer.
d. Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for the destruction of nonpublic information if retention is no longer necessary for the licensee’s business operations, or is no longer required by applicable law.
3. A licensee shall conduct a risk assessment that accomplishes all of the following:
a. Designates one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and that has responsibility for the information security program.
b. Identifies reasonably foreseeable internal or external threats that may result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including nonpublic information that is accessible to, or held by, a third-party service provider.
c. Assesses the probability of, and the potential damage caused by, the threats identified in paragraph “b”, taking into consideration the sensitivity of nonpublic information.
d. Assesses the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats identified in paragraph “b”. This assessment must include consideration of threats identified in each relevant area of the licensee’s operations, including all of the following:
(1) Employee training and management.
(2) Information systems, including network and software design; and information classification, governance, processing, storage, transmission, and disposal.
(3) Detection, prevention, and response to an attack, intrusion, or other system failure.
e. Implements information safeguards to manage threats identified in the licensee’s ongoing risk assessments and, at least annually, assesses the effectiveness of the information safeguards’ key controls, systems, and procedures.
4. Based on the risk assessment conducted pursuant to subsection 3, a licensee shall do all of the following:
a. Develop, implement, and maintain an information security program as described in subsections 1 and 2.
b. Determine which of the following security measures are appropriate and implement each appropriate security measure:
(1) Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information.
(2) Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes in accordance with the data, personnel, devices, systems, and facilities’ relative importance to the licensee’s business objectives and risk strategy.
(3) Restrict access of nonpublic information stored in or at physical locations to authorized individuals only.
(4) Protect by encryption or other appropriate means, all nonpublic information while the nonpublic information is transmitted over an external network, and all nonpublic information that is stored on a laptop computer, a portable computing or storage device, or portable computing or storage media.
(5) Adopt secure development practices for in-house developed applications utilized by the licensee, and procedures for evaluating, assessing, and testing the security of externally developed applications utilized by the licensee.
(6) Modify information systems in accordance with the licensee’s information security program.
(7) Utilize effective controls, which may include multi-factor authentication procedures for authorized individuals accessing nonpublic information.
(8) Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems.
(9) Include audit trails within the information security program designed to detect and respond to cybersecurity events, and designed to reconstruct material financial transactions sufficient to support the normal business operations and obligations of the licensee.
(10) Implement measures to protect against the destruction, loss, or damage of nonpublic information due to environmental hazards, natural disasters, catastrophes, or technological failures.
(11) Develop, implement, and maintain procedures for the secure disposal of nonpublic information that is contained in any format.
c. Include cybersecurity risks in the licensee’s enterprise-wide risk management process.
d. Maintain knowledge and understanding of emerging threats or vulnerabilities and utilize reasonable security measures, relative to the character of the sharing and the type of information being shared, when sharing information.
e. Provide the licensee’s personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee’s risk assessment.
5. a. If a licensee has a board of directors, the board or an appropriate committee of the board shall at a minimum require the licensee’s executive management or the executive management’s delegates to:
(1) Develop, implement, and maintain the licensee’s information security program.
(2) Provide a written report to the board, at least annually, that documents all of the following:
(a) The overall status of the licensee’s information security program and the licensee’s compliance with this chapter.
(b) Material matters related to the licensee’s information security program including issues such as risk assessment; risk management and control decisions; third-party service provider arrangements; results of testing, cybersecurity events, or violations; management’s response to cybersecurity events or violations; and recommendations for changes in the licensee’s information security program.
b. If a licensee’s executive management delegates any of its responsibilities under this section, the executive management shall oversee the delegate’s development, implementation, and maintenance of the licensee’s information security progra