Iowa Breach Notification Bill; Emphasizes Need for Documented Security Policies and Breach Plans & Establishes “Identity Theft Passport”

An omnibus data security bill, H.F. 655 was introduced March 5 in the Iowa House by representatives Beth Wessel-Kroeschell (D) and Paul Shomshor (D).

This bill would require businesses and state agencies to provide notice to state residents of the breach of unencrypted personal information and establish a unique system to allow all state residents to place a security alert, but only identity theft victims to place security freezes on their consumer credit reports. The bill would also would authorize the state attorney general to issue “identity theft passports” to identity theft victims as a means of proving their status to law enforcement and creditors.
The bill only applies to digital forms of personally identifiable information (PII). “Personal information” under this bill means the same as “identification information” which includes each of the following: the name, address, date of birth, telephone number, driver’s license number, nonoperator’s identification number, social security number, place of employment, employee identification number, parent’s legal surname prior to marriage, demand deposit account number, savings or checking account number, credit card number of a person, state identification, student number, regular or electronic signature, electronic identifier or screen name, biometric and genetic information, financial information, or a logo, symbol or trademark, or military, alien or citizenship status.
The covered entities for this bill include any person (organization) “that owns or licenses computerized data that includes personal information.”
This bill contains some interesting wording missing from most other breach notice laws; a safe harbor for having a documented information security policy that includes privacy breach notification:

“a person [business] that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notice requirements of subsection 1 if the person notifies subject persons in accordance with the person’s policies in the event of a breach of security of the system.”

It is good they are clearly stating the need for documented security policies, and that they need to include breach notice plans.
Notice could be made in writing or “electronically” “consistent with the provisions regarding electronic records and signatures required in chapter 554D and 15 U.S.C. 7001.”
If the cost of providing notice exceeded $250,000, or more than 500,000 individuals had to be notified, substitute notice by e-mail, posting an announcement on the covered entity’s Web site, or notifying major statewide media would be allowed.
I’ve written several times and blogged about the problems involved with providing notification by email.
The state attorney general (AG) would be authorized to prosecute violations of the law. The bill also would allow an individual to file a lawsuit to seek actual damages.
Unlike most states that have adopted, or are considering ,measures to cut off opportunities for identity thieves to establish new credit by allowing all state residents to limit the information that credit reporting firms may release, the Iowa bill limits the credit security freeze mechanism to identity theft victims.
However, H.F. 655 would establish a system by which all state residents could require credit reporting firms to quickly place an alert on their consumer credit report, which would require that they be contacted whenever someone attempted to establish a new credit account in their name. The alert would last for 90 days and could be renewed as many times as wanted by a consumer. Firms would have two business days after receiving a request to implement the alert.
The bill would allow an individual to file a lawsuit to recover any actual damages incurred as a result of identity theft tied to the failure of the firm to implement the credit security alert.
The bill would allow Iowa residents who have filed with the police that they have been the victim of identity theft to place a “block” on their credit report and request a temporary lift of that block for a specific credit purpose.
Firms would have five business days after receiving a request for a block to place the security block on the credit report, but the bill does not specify a time limit for firms to implement a request to temporarily lift a security.
Firms would be allowed to impose and undefined “reasonable charge” for placing a security block.
Violations of the security blcok provisions of the bill would be considered an unlawful practice under the state consumer fraud statute, and would be enforceable by the Iowa AG.
The bill provides several interesting exemptions to the security block requirement as follows:

“7. EXEMPTIONS FROM BLOCK. The provisions of this section do not apply to any of the following:
a. A state or local governmental entity, including a law enforcement agency or private collection agency, if the entity or agency is acting under a court order, warrant, subpoena, or administrative subpoena.
b. A consumer reporting agency that acts as a reseller of credit information by assembling and merging information contained in the databases of other consumer reporting agencies, and that does not maintain a permanent database of credit information from which new consumer reports are produced.
c. A check services or fraud prevention services company that issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar payment methods.
d. A demand deposit account information service company that issues reports regarding account closures due to fraud, substantial overdrafts, automatic teller machine abuse, or similar negative information regarding a consumer to inquiring banks or other financial institutions for use only in reviewing a consumer request for a demand deposit account at the inquiring bank or financial institution.”

The bill would allow residents that are identity theft victims and have filed a police report to be issued an “identity theft passport” by the state AG. The passport would allow individuals to prove to courts, law enforcement officials and creditors that they had their identity stolen and that crimes or debts attributed to them may have been the work of the identity thief.
The bill would require businesses to remove electronic records relating to a dishonored check within 30 days of both the individual and the business agreeing that the information in the electronic records is incorrect. The same 30 day time limit would apply if the individual presented the businesses with a law enforcement report or any other written notice stating that the dishonored check was not authorized by the consumer.
The bill would prohibit debt collectors from pursuing collection against an identity theft victim.
If passed, Iowa will become the 37th state to enact a breach notice law. On March 1, 2007 Wyoming became the 36th state to pass a breach notice law. Nine other states are currently considering breach notice bills.
We really do need a *GOOD* federal data protection law that includes data breach notice provisions not only so that information security and privacy practitioners do not have to spend inordinate amounts of time trying to figure out the hodge-podge of laws that exist, but also so that PII can be safeguarded consistently and in the most appropriate ways no matter where individuals live within the U.S.

Tags: , , , , , , , , , , ,

Leave a Reply