Iowa Personal Information Security Breach Protection
Iowa Code § 715C.1 - § 715C.2
SUMMARY:
EFFECTIVE. July 1, 2008
WHO DOES THIS LAW APPLY TO. (1) Any person or business that owns or licenses computerized data that includes Personal Information of any Iowa resident; and (2) any person or business maintaining information on behalf of another that includes Personal Information.
WHAT IS A BREACH. Unauthorized acquisition of computerized data (including data in any medium, such as paper, that was transferred by the person to computerized form) that compromises the security, integrity, or confidentiality of the Personal Information.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted, or secured by any other method rendering the element unreadable or unusable, or when it is so secured but the keys to unencrypt, unredact, or otherwise read the data element have also been obtained through the breach:
- Social Security Number.
- Driver’s license number or State identification card number.
- Account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to the individual’s financial account.
- Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Unique biometric data including fingerprint, retina, or iris image or other unique physical or digital representation of biometric data.
Personal Information does not include publicly available information, or information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the Iowa residents affected, consistent with the needs of law enforcement. If more than 500 Iowa residents are affected, the entity will give written notice to the Attorney General’s Office, within 5 business days of giving notice to any Iowa resident.
No notification is required if the entity, after a reasonable investigation or after consulting with the appropriate federal, state, or local agencies responsible for law enforcement, determines that the breach has no reasonable likelihood of financial harm to the Iowa residents whose Personal Information was acquired. Such a determination must be documented in writing and maintained for five years.
EXCEPTION. This Section does not apply to the following:
- Information that is encrypted, redacted, or otherwise altered in such a manner that it is unreadable, unless the keys to unencrypt or read the data elements have been obtained.
- A good faith acquisition of Personal Information by an employee or agent for legitimate purposes is not a breach, if the Personal Information is not used in violation of applicable law and does not pose an actual threat to the security, confidentiality, or integrity of the Personal Information.
- Own Notification Policy exception. A person or business which maintains its own security breach procedures that provide greater protection to Personal Information and have at least as thorough disclosure requirements as this section.
- An entity that complies with State or Federal law or a Federal Regulator that provides greater protection to Personal Information and at least as thorough disclosure requirements as this section.
- Gramm-Leach-Bliley Act exception. An entity that is subject to, and in compliance with, the privacy and security requirements of Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.
WHEN TO NOTIFY OF THE BREACH. Notification shall be made in the most expedient manner possible and without unreasonable delay consistent with measures necessary to determine the nature and scope of the breach, to identify the individual affected and to restore the reasonable integrity of the data system. Notification may be delayed if it will impede a criminal investigation, and such request is made in writing by law enforcement. In that instance, notification will be made as soon as possible following written clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written, to the last available address in the entity’s records.
- Electronic (if it is the primary means of communication and consistent with 15 U.S.C. § 7001).
- Substitute notice as provided below.
The notice shall be clear and conspicuous and include all of the following:
- Description of the breach.
- Approximate date of the breach.
- Type of Personal Information that was accessed or acquired.
- Contact information for consumer reporting agencies.
- Advice to report suspected incidents of identity theft to local law enforcement or the Attorney General.
SUBSTITUTE NOTICE AVAILABLE. If the entity can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 350,000, or the entity has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the entity has an email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the entity, if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD PARTIES. If an entity maintains or otherwise possesses data that includes Personal Information that it does not own, then the entity shall, immediately upon discovery, give the breach notification to the owner or licensor.
CONSEQUENCES FOR FAILING TO NOTIFY. Any violation of this Section is considered an unlawful practice per Section 714.16. In addition to the penalties provided in Section 714.16(7), the Attorney General may pursue damages. The party would pay damages to the Attorney General on behalf of the person injured. The rights and remedies available under this section are in addition to each other, as well as to any other rights and remedies available under Iowa law.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
2007 S.F. 2308 – Signed into law on 5/9/2008, Effective 7/1/2008.
S.F. 2259 – Signed into law on 4/3/2014, Effective 7/1/2014.
S.F. 2177 – Signed into law on 4/10/2018, Effective 7/1/2018.
For more information, see: https://www.iowaattorneygeneral.gov/for-consumers/security-breach-notifications and https://www.legis.iowa.gov/docs/code/715c.pdf
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.