House, Senate committee changes help elevate technology topics

The Technology Association of Iowa’s priority bills centered on cybersecurity issues are moving through the Iowa Legislature this year as the first deadline to have bills out of House and Senate committees approaches on March 3.

The three bills TAI has proposed make the use of ransomware illegal in Iowa; establish a consumer right to personal data; and provide organizations that follow industry standards some legal protection after a data breach.

Mollie Ross
, vice president of operations at TAI, said the statewide organization proposed the same bills last year, and is “optimistic” about their progress during this legislative session.

Here are more details on the bills and where they stand:

House File 143 and Senate File 203 make the use of ransomware illegal in Iowa and outline criminal penalties. The bills make exceptions for education, research, training and law enforcement purposes. The House passed the bill 97-1. The Senate’s bill has passed out of the subcommittee and has been introduced to the full Senate Technology Committee.

Consumer data privacy: 
House Study Bill 12 and Senate File 262 provide consumers the right to know what personal data of theirs companies have processed. The bill would apply to businesses in Iowa that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50% of gross revenue derived from the sale of the personal data. If passed, the requirement would go into effect on Jan. 1, 2025. The Senate bill has passed out of the Senate Technology Committee and has been introduced to the full chamber. A House subcommittee passed the bill 3-0.

Affirmative defense:
 Senate Study Bill 1095 says if an entity’s cybersecurity protections follow a set of industry-recognized frameworks and the entity experiences a data breach, it qualifies for protection from a tort claim alleging that the entity’s failure to implement reasonable information security controls resulted in a data breach exposing personal or restricted information. The bill was introduced to a Senate subcommittee on Feb. 6 and tabled for a future meeting.

Additional cybersecurity bills introduced this session include House File 139, which would establish and provide funding for a cybersecurity simulation training center at Iowa State University, and House Study Bill 15, which proposes adding a cybersecurity unit to the Iowa Office of the Chief Information Officer.

Doug Jacobson, director of the Iowa State University Center for Cybersecurity Outreach and Innovation and an Iowa State cybersecurity professor, has spearheaded the effort to launch the training center, called CySim. The facility would provide students and businesses the opportunity to walk step-by-step through a cyber event. For businesses, he said the simulation could engage everyone in the organization and help build collaboration and communication between company executives and the IT leaders and teams. If the bill passes, Jacobson said he aims to start running pilots in early 2024.

Why Iowa is taking action

States have typically relied on the federal government for cybersecurity guidance and best practices rather than passing “50 laws that are all different,” Jacobson said.

But state governments are recognizing where their involvement can help address cybersecurity threats. Ross said TAI’s bills are trying to lay the groundwork with standards and courses of action not yet codified in Iowa.

Without a law in place, Ross said using ransomware is “perfectly legal” in Iowa and leaves law enforcement with no recourse if they identify a suspect in a ransomware attack.

Also, knowing any organization can be the target of ransomware, TAI focused its bill on prevention.

“When we look at these threats across the state, it was how can we help, and it’s not always helping the victims, but if there’s anything we can do to prevent it,” Ross said.

On data privacy, multiple states are taking action themselves to fill a need that hasn’t been addressed by the federal government. Ross said TAI’s members expressed a preference for “federal uniformity” on data privacy, but working with about 40 of its members, TAI aligned its bill with other states’ laws to ease compliance for companies operating in multiple states.

Ross said the affirmative defense bill intends to incentivize businesses that need help getting started or improving their businesses cybersecurity protections. Organizations qualify for some legal protection if they adhere to the cybersecurity framework set out by the National Institute of Standards and Technology.

“It also gives organizations, especially a smaller [or] medium-sized business, who may not even know where to start … a framework for at least where to get started and a little bit of incentive to do so,” she said.

Although legislation this year proposes new actions for Iowa, state government has led prior efforts on cybersecurity. Gov. Terry Branstad issued an executive order in 2015 establishing a multi-agency partnership including the OCIO, the Iowa National Guard and the Department of Public Safety that developed the state’s first comprehensive cybersecurity strategy in 2016. An updated strategy was issued in 2019.

Last week, Iowa’s Chief Information Officer Matt Behrens gave a presentation to the Senate Technology Committee that listed refreshing the state’s cybersecurity strategy again as a priority of the OCIO in FY2024.

Iowa is doing well on cybersecurity compared with other states, according to Jacobson, and it is collaborative partnerships that set the state apart.

“Iowa’s doing a good job of collaborating in cybersecurity, which is what we have to do,” he said. “The OCIO can’t be separate from private industry and can’t be separate from the universities producing the workforce. … There are some things that can be improved, but we’re better than a lot of places. We’re not fighting with each other. We’re playing together.”

Committee changes elevate technology issues

Recent changes to the committees overseeing technology-related legislation in both the House and Senate are helping elevate discussions about technology topics like cybersecurity and the role they have in supporting the state’s economy.

The Senate Technology Committee is new this year and chaired by Sen. Chris Cournoyer, R-Le Claire. The House added the Information Technology Committee last year, and this year decided to wrap technology in with economic growth to form the Economic Growth and Technology Committee, which is chaired by Rep. Ray Sorensen, R-Adair.

“The fact that we now have a committee in the Iowa Senate dedicated to technology-related issues our state faces demonstrates a commitment to not only protecting the privacy rights and data of our citizens, but also putting guidelines in place to support innovation and creativity in our tech and business sector,” Cournoyer wrote in an email.

On cybersecurity specifically, Sorensen wrote that the House committee is open-minded to “what state government can do to better position our public and private individuals and entities against attacks and strengthen our cybersecurity code and best practices.”

Committees dedicated to technology issues have bolstered the relationships and conversations developed by TAI over the past year, Ross said.

She also said a significant increase in technology-related bills in recent years was a driver for the committee changes.

“It is a recognition of not only the number of bills, but of cybersecurity specifically [and] the great need that everyone is experiencing, trying to figure out what we can do,” she said. “We certainly recognize with all of these bills, there is no silver bullet that is just going to make this stop … but this helps put a big focus on that at the Capitol.”

Related article: 
Navigating cyber risk