House File 719 - Enrolled
AN ACT
RELATING TO STANDARDS FOR DATA SECURITY, AND INVESTIGATIONS AND NOTIFICATIONS OF CYBERSECURITY EVENTS, FOR CERTAIN LICENSEES UNDER THE JURISDICTION OF THE COMMISSIONER OF INSURANCE, MAKING PENALTIES APPLICABLE, AND INCLUDING EFFECTIVE DATE PROVISIONS.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
Section 1. NEW SECTION. 507F.1 Title.
This chapter may be cited as the “Insurance Data Security Act”.
Sec. 2. NEW SECTION. 507F.2 Purpose and scope.
1. Notwithstanding any provision of law to the contrary, this chapter establishes the exclusive state standards for data security, and the investigation and notification of cybersecurity events, applicable to licensees.
2. This chapter shall not be construed to create or imply a private cause of action for a violation of its provisions, and shall not be construed to curtail a private cause of action that otherwise exists in the absence of this chapter.
Sec. 3. NEW SECTION. 507F.3 Definitions.
As used in this chapter, unless the context otherwise requires:
1. “Authorized individual” means an individual known to and screened by a licensee and determined to be necessary and appropriate to have access to nonpublic information held by the licensee and the licensee’s information system.
2. “Commissioner” means the commissioner of insurance.
3. “Consumer” means an individual, including but not limited to an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this state and whose nonpublic information is in a licensee’s possession, custody, or control.
4. “Cybersecurity event” means an event resulting in unauthorized access to, or the disruption or misuse of, an information system or of nonpublic information stored on an information system. “Cybersecurity event” does not include any of the following:
a. The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.
b. An event for which a licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released, and the nonpublic information has been returned or destroyed.
5. “Delivered by electronic means” means delivery to an electronic mail address at which a consumer has consented to receive notices or documents.
6. “Encrypted” means the transformation of data into a form that results in a low probability of assigning meaning to the data without the use of a protective process or key.
7. “Gramm-Leach-Bliley Act” means the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq., including amendments thereto and regulations promulgated thereunder.
8. “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.
9. “Home state” means the same as defined in section 522B.1.
10. “Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
11. “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information, and any specialized system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system.
12. “Insurer” means the same as defined in section 521A.1.
13. “Licensee” means a person licensed, authorized to operate, or registered, or a person required to be licensed, authorized to operate, or registered pursuant to the insurance laws of this state. “Licensee” does not include a purchasing group or a risk retention group chartered and licensed in a state other than this state, or a person acting as an assuming insurer that is domiciled in another state or jurisdiction.
14. “Multi-factor authentication” means authentication through verification of at least two of the following types of authentication factors:
a. A knowledge factor, such as a password.
b. A possession factor, such as a token or text message on a mobile phone.
c. An inherence factor, such as a biometric characteristic.
15. “Nonpublic information” means electronic information that is not publicly available information and that is any of the following:
a. Business-related information of a licensee the tampering of which, or unauthorized disclosure, access, or use of which, will cause a material adverse impact to the business, operations, or security of the licensee.
b. Information concerning a consumer which can be used to identify the consumer due to a name, number, personal mark, or other identifier, used in combination with any one or more of the following data elements:
(1) A social security number.
(2) A driver’s license number or a nondriver identification card number.
(3) A financial account number, a credit card number, or a debit card number.
(4) A security code, an access code, or a password that will permit access to a consumer’s financial accounts.
(5) A biometric record.
c. Information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, and that relates to any of the following:
(1) The past, present, or future physical, mental or behavioral health or condition of a consumer, or a member of the consumer’s family.
(2) The provision of health care services to a consumer.
(3) Payment for the provision of health care services to a consumer.
16. “Person” means an individual or a nongovernmental entity, including but not limited to a nongovernmental partnership, corporation, branch, agency, or association.
17. “Publicly available information” means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records, by widely distributed media, or by disclosure to the general public as required by federal, state, or local law. For purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has determined all of the following:
a. That the information is of a type that is available to the general public.
b. That if a consumer may direct that the information not be made available to the general public, that the consumer has not directed that the information not be made available to the general public.
18. “Risk assessment” means the assessment that a licensee is required to conduct pursuant to section 507F.4, subsection 3.
19. “Third-party service provider” means a person that is not a licensee that contracts with a licensee to maintain, process, store, or is otherwise permitted access to nonpublic information through the person’s provision of services to the licensee.
Sec. 4. NEW SECTION. 507F.4 Information security program.
1. a. Commensurate with the size and complexity of a licensee, the nature and scope of a licensee’s activities including the licensee’s use of third-party service providers, and the sensitivity of nonpublic information used by the licensee or that is in the licensee’s possession, custody, or control, the licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment conducted pursuant to subsection 3.
b. This section shall not apply to any of the following:
(1) A licensee that meets any of the following criteria:
(a) Has fewer than twenty individuals on its workforce, including employees and independent contractors.
(b) Has less than five million dollars in gross annual revenue.
(c) Has less than ten million dollars in year-end total assets.
(2) An employee, agent, representative, or designee of a licensee, and the employee, agent, representative, or designee is also a licensee, if the employee, agent, representative, or designee is covered by the information security program of the other licensee.
c. A licensee shall have one hundred eighty calendar days from the date the licensee no longer qualifies for exemption under paragraph “b” to comply with this section.
2. A licensee’s information security program must be designed to do all of the following:
a. Protect the security and confidentiality of nonpublic information and the security of the licensee’s information system.
b. Protect against threats or hazards to the security or integrity of nonpublic information and the licensee’s information system.
c. Protect against unauthorized access to or the use of nonpublic information, and minimize the likelihood of harm to any consumer.
d. Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for the destruction of nonpublic information if retention is no longer necessary for the licensee’s business operations, or is no longer required by applicable law.
3. A licensee shall conduct a risk assessment that accomplishes all of the following:
a. Designates one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and that has responsibility for the information security program.
b. Identifies reasonably foreseeable internal or external threats that may result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including nonpublic information that is accessible to, or held by, a third-party service provider.
c. Assesses the probability of, and the potential damage caused by, the threats identified in paragraph “b”, taking into consideration the sensitivity of nonpublic information.
d. Assesses the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats identified in paragraph “b”. This assessment must include consideration of threats identified in each relevant area of the licensee’s operations, including all of the following:
(1) Employee training and management.
(2) Information systems, including network and software design; and information classification, governance, processing, storage, transmission, and disposal.
(3) Detection, prevention, and response to an attack, intrusion, or other system failure.
e. Implements information safeguards to manage threats identified in the licensee’s ongoing risk assessments and, at least annually, assesses the effectiveness of the information safeguards’ key controls, systems, and procedures.
4. Based on the risk assessment conducted pursuant to subsection 3, a licensee shall do all of the following:
a. Develop, implement, and maintain an information security program as described in subsections 1 and 2.
b. Determine which of the following security measures are appropriate and implement each appropriate security measure:
(1) Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information.
(2) Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes in accordance with the data, personnel, devices, systems, and facilities’ relative importance to the licensee’s business objectives and risk strategy.
(3) Restrict access of nonpublic information stored in or at physical locations to authorized individuals only.
(4) Protect by encryption or other appropriate means, all nonpublic information while the nonpublic information is transmitted over an external network, and all nonpublic information that is stored on a laptop computer, a portable computing or storage device, or portable computing or storage media.
(5) Adopt secure development practices for in-house developed applications utilized by the licensee, and procedures for evaluating, assessing, and testing the security of externally developed applications utilized by the licensee.
(6) Modify information systems in accordance with the licensee’s information security program.
(7) Utilize effective controls, which may include multi-factor authentication procedures for authorized individuals accessing nonpublic information.
(8) Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems.
(9) Include audit trails within the information security program designed to detect and respond to cybersecurity events, and designed to reconstruct material financial transactions sufficient to support the normal business operations and obligations of the licensee.
(10) Implement measures to protect against the destruction, loss, or damage of nonpublic information due to environmental hazards, natural disasters, catastrophes, or technological failures.
(11) Develop, implement, and maintain procedures for the secure disposal of nonpublic information that is contained in any format.
c. Include cybersecurity risks in the licensee’s enterprise-wide risk management process.
d. Maintain knowledge and understanding of emerging threats or vulnerabilities and utilize reasonable security measures, relative to the character of the sharing and the type of information being shared, when sharing information.
e. Provide the licensee’s personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee’s risk assessment.
5. a. If a licensee has a board of directors, the board or an appropriate committee of the board shall at a minimum require the licensee’s executive management or the executive management’s delegates to:
(1) Develop, implement, and maintain the licensee’s information security program.
(2) Provide a written report to the board, at least annually, that documents all of the following:
(a) The overall status of the licensee’s information security program and the licensee’s compliance with this chapter.
(b) Material matters related to the licensee’s information security program including issues such as risk assessment; risk management and control decisions; third-party service provider arrangements; results of testing, cybersecurity events, or violations; management’s response to cybersecurity events or violations; and recommendations for changes in the licensee’s information security program.
b. If a licensee’s executive management delegates any of its responsibilities under this section, the executive management shall oversee the delegate’s development, implementation, and maintenance of the licensee’s information security program, and shall require the delegate to submit an annual written report to executive management that contains the information required under paragraph “a”, subparagraph (2). If the licensee has a board of directors, the executive management shall provide a copy of the report to the board.
6. A licensee shall monitor, evaluate, and adjust the licensee’s information security program consistent with relevant changes in technology, the sensitivity of the licensee’s nonpublic information, changes to the licensee’s information systems, internal or external threats to the licensee’s nonpublic information, and the licensee’s changing business arrangements, including but not limited to mergers and acquisitions, alliances and joint ventures, and o