Security Breach Notice Requirements in the State of Iowa

Iowa Code §§ 715C.1, 715C.2 is a data breach notification law that was passed in the U.S. state of Iowa in 2008 and was recently amended in 2018. As is the case with other such legislation that has been passed around the U.S. as it relates to security breaches, Iowa Code §§ 715C.1, 715C.2 establishes the legal requirements that businesses and organizations within the state of Iowa must follow in the event that they experience a data breach that leads to the personal information of citizens of the state being compromised. Furthermore, the law also sets forth the punishments that can be imposed against those who are found to be in non-compliance.

How is a security breach defined under Iowa Code §§ 715C.1, 715C.2?

Under Iowa Code §§ 715C.1, 715C.2, a security breach is defined as the “unauthorized acquisition of PI maintained in computerized form by an Entity that compromises the security, confidentiality, or integrity of the PI. Also, unauthorized acquisition of PI maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the PI.” Alternatively, the “good-faith acquisition of PI by an Entity or that Entity’s employee or agent for a legitimate purpose of that Entity is not a breach of security, provided that the PI is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the PI.”

What are the requirements of businesses and organizations under Iowa Code §§ 715C.1, 715C.2?

Under Iowa Code §§ 715C.1, 715C.2, businesses and organizations that collect the personal information of Iowa residents during the course of their respective operations are required to provide said residents with data breach notices in the event that their information is compromised as a result of a security breach. These notices must provide Iowa residents with information concerning the categories of personal information that were compromised as a result of the breach, as well as the scope and extent of the breach, among other pertinent details. Moreover, these notices must be provided to individuals “in the most expeditious manner possible and without unreasonable delay.”

What’s more, in instances where a business or organization within Iowa experiences a security breach that affects more than 500 residents within the state, said entity is also required to provide a data breach notification to the Iowa Attorney General’s Office. Additionally, third parties that conduct business on behalf of businesses and organizations within Iowa are also required to comply with the provisions of Iowa Code §§ 715C.1, 715C.2. In terms of the methods that businesses and organizations are permitted to utilize when providing individuals with data breach notices, such notices can be in written form, or electronic form, in instances where an “entity’s customary method of communication with the resident is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).”

What categories of personal information are covered under Iowa Code §§ 715C.1, 715C.2?

Under Iowa Code §§ 715C.1, 715C.2, the following categories of personal information are legally protected in accordance with the provisions of the law, in conjunction with an Iowa resident’s first name or initial and last name, permitted this information has not been redacted, encrypted, or otherwise altered by any other form of technology or method:

• Social security numbers.
• Driver license numbers and unique identification numbers that have been created or collected by a government agency within Iowa.
• Account numbers, credit card numbers, and debit card numbers, as well as any passwords, access codes, expiration dates, or security codes that could be used to grant access to an individual’s financial account.
• Unique electronic identifier or routing codes in connection with any required security codes, access codes, or passwords that could be used to gain access to an individual’s financial account.
• “Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.”

What are the penalties for violating Iowa Code §§ 715C.1, 715C.2?

In terms of the penalties and sanctions that can be imposed against business entities and organizations within the state of Iowa that fail to comply with the law, Iowa Code §§ 715C.1, 715C.2 is enforced by the Iowa Attorney General. To this point, “a violation or an unlawful practice could result in the attorney general seeking damages from the person held responsible for the security breach on behalf of the consumer injured by the violation.” To illustrate the potential scope and severity of such punishments, mutual insurance company Nationwide was ordered to pay $5.5 million as a part of a multi-state settlement as a result of a data breach that affected more than a million customers, which included a “$321,837 payment to Iowa’s consumer education and litigation fund.”

Through amendments that were made to Iowa Code §§ 715C.1, 715C.2 in 2018, residents of the state were provided with updated protections as it relates to data breach incidents. As Iowa has yet to pass a comprehensive state data privacy law, and the U.S. as a nation has yet to pass such a law on the federal level, legislation such as Iowa Code §§ 715C.1, 715C.2 represent the foremost means by which the average American citizen can ensure that their personal information remains protected in the event that said information is compromised as a result of a security breach.