Iowa 2023-2024 Regular Session

Iowa House Bill HF554 Latest Draft

Bill / Introduced Version Filed 03/02/2023

House File 554 - Introduced

HOUSE FILE 554

BY COMMITTEE ON ECONOMIC GROWTH AND TECHNOLOGY
(SUCCESSOR TO HSB 153)

A BILL FOR

An Act prohibiting the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 1269HV (3) 90
es/rn

Section 1. Section 8B.4, Code 2023, is amended by adding the following new subsection:

NEW SUBSECTION. 18A. Authorize the state or a political subdivision of the state, not including a municipal utility, in consultation with the department of public safety and the department of homeland security and emergency management, to expend revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack pursuant to section 8H.3.

Sec. 2. NEW SECTION. 8H.1 Definitions.

As used in this chapter, unless the context otherwise requires:

1. "Critical infrastructure" means the same as defined in section 29C.24. "Critical infrastructure" includes real and personal property and equipment owned or used to provide fire fighting, law enforcement, medical, or other emergency services.

2. "Encryption" means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

3. "Political subdivision" means a city, county, township, or school district. "Political subdivision" does not include a municipal utility.

4. "Ransomware attack" means carrying out until payment is made, or threatening to carry out until payment is made, any of the following actions:

a. An act declared unlawful pursuant to section 715.4.

b. A breach of security as defined in section 715C.1.

c. The use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.

Sec. 3. NEW SECTION. 8H.2 Requirement to report a ransomware attack.

If the state or a political subdivision of the state is subject to a ransomware attack, the state or the political subdivision shall provide notice of the ransomware attack to the office of the chief information officer following discovery of the ransomware attack. The notice shall be provided in the most expeditious manner possible and without unreasonable delay. The office of the chief information officer shall adopt rules establishing notification procedures pursuant to this section.

Sec. 4. NEW SECTION. 8H.3 Revenue received from taxpayers - prohibition - ransomware.

1. Except as provided in subsection 2 or 3, the state or a political subdivision of the state shall not expend tax revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

2. The office of the chief information officer shall notify the department of public safety and the department of homeland security and emergency management, and may authorize the state or a political subdivision of the state to expend tax revenue otherwise prohibited pursuant to subsection 1 in the event of any of the following:

a. A critical or emergency situation as defined by the department of homeland security and emergency management, or when the department of homeland security and emergency management determines the expenditure of tax revenue is in the public interest.

b. A ransomware attack affecting critical infrastructure within the state or a political subdivision of the state.

3. The state or a political subdivision of the state may expend tax revenue otherwise prohibited pursuant to subsection 1 in the event of a ransomware attack affecting an officer or employee of the judicial branch.

Sec. 5. NEW SECTION. 8H.4 Payments for insurance.

The state or a political subdivision of the state may use

revenue received from taxpayers to pay premiums, deductibles, and other costs associated with an insurance policy at any time related to cybersecurity or ransomware attacks only if the state or the political subdivision first exhausts all other reasonable means of mitigating a potential ransomware attack. Subject to section 8H.3, subsections 2 and 3, nothing in this section shall be construed to authorize the state or a political subdivision of the state to make a direct payment using revenue received from taxpayers to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

Sec. 6. NEW SECTION. 8H.5 Confidential records.

Information related to all of the following shall be considered a confidential record under section 22.7:

1. Insurance coverage maintained by the state or a political subdivision of the state related to cybersecurity or a ransomware attack.

2. Payment by the state or a political subdivision of the state to a person responsible for, or believed to be responsible for, a ransomware attack pursuant to section 8H.3.

Sec. 7. LEGISLATIVE INTENT. It is the intent of the general assembly that the state and the political subdivisions of the state have tested cybersecurity mitigation plans and policies.

Sec. 8. RULEMAKING. The office of the chief information officer shall prepare a notice of intended action for the adoption of rules to administer this Act. The notice of intended action shall be submitted to the administrative rules coordinator and the administrative code editor as soon as practicable, but no later than October 1, 2023. However, nothing in this section authorizes the office of the chief information officer to adopt rules under section 17A.4, subsection 3, or section 17A.5, subsection 2, paragraph b.

Sec. 9. EFFECTIVE DATE.

1. Except as provided in subsection 2, this Act takes effect July 1, 2024.

2. The section of this Act requiring the office of the chief information officer to prepare a notice of intended action for the adoption of rules to administer this Act, being deemed of immediate importance, takes effect upon enactment.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation's substance by the members of the general assembly.

This bill prohibits the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks.

The bill defines "critical infrastructure" to mean real and personal property and equipment owned or used by communication and video networks, gas distribution systems, water and wastewater pipeline systems, and electric generation, transmission, and distribution systems, including related support facilities, which network or system provides service to more than one customer or person as defined in Code section 29C.24. Critical infrastructure includes but is not limited to buildings, structures, offices, lines, poles, pipes, and equipment, as well as real and personal property owned or used to provide fire fighting, law enforcement, medical, or other emergency services. The bill defines "encryption" as the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key. The bill defines "political subdivision" as a city, county, township, or school district. The bill defines "ransomware attack" to mean carrying out until payment is made, or threatening to carry out until payment is made, including an act declared unlawful pursuant to Code section 715.4, a breach of security as defined in Code section 715C.1, or the use of any form of software that results in the unauthorized encryption of data, the denial of access to data, the denial of access to a computer, or the denial of access to a computer system.

The bill requires that when the state or a political

subdivision of the state is subject to a ransomware attack and discovers the attack, the state or political subdivision shall expeditiously provide notice to the office of the chief information officer. The office of the chief information officer shall adopt rules establishing notification procedures.

The bill provides that the state or a political subdivision of the state shall not expend revenue received from taxpayers for payment to a person responsible for, or reasonably believed to be responsible for, a ransomware attack.

The bill allows the office of the chief information officer to authorize such expenditures in the event of a critical or emergency situation as determined by the department of homeland security and emergency management and requires the office of the chief information officer to notify the departments of the expenditures. The bill provides that information related to a political subdivision's insurance coverage for cybersecurity or ransomware attack shall be considered confidential records.

The bill provides that the state or a political subdivision of the state may use taxpayer revenue to pay for cybersecurity insurance or related ransomware insurance at any time if the state or political subdivision first exhausts all other reasonable means of mitigating a potential ransomware attack.

The bill includes a legislative intent section, which provides that it is the intent of the general assembly that the state and political subdivisions of the state have tested cybersecurity mitigation plans and policies.

The bill takes effect July 1, 2024, except for the section of the bill requiring the office of the chief information officer to prepare a notice of intended action (NOIA) for the adoption of rules, which takes effect upon enactment. The NOIA must be submitted to the administrative rules coordinator and administrative code editor as soon as possible and no later than October 1, 2023. The bill does not authorize the office of the chief information officer to adopt emergency rules under Code section 17A.4(3) or Code section 17A.5(2)(b).