
Iowa Privacy Laws

Overview

BREACH NOTIFICATION – Mandated Timeframe
Without unreasonable delay

FINES & PENALTIES – Violations
Attorney General may bring action

Legal

Regulation Levels

  • Breach Reporting

  • Consumer Notification

  • Vendor Management

  • Vendor Contract Required

PRIVACY AND SECURITY LAWS

Laws related to personal information and privacy and security.

QUICK FACTS

Iowa Privacy Law Information

BREACH REPORTING

A security breach that affects at least 500 Iowa residents requires written notice to the Attorney General’s Consumer Protection Division within 5 business days after notifying affected individuals. There are specific considerations when determining whether a breach is reportable. Notifications may be given only by specific methods and must contain the required information. If notification is not required, that determination must be documented in writing and the documentation must be maintained for 5 years.

CONSUMER NOTIFICATION

If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

INDUSTRY SPECIFIC LAWS

A state credit union must maintain an information security response program, which includes procedures for notifying the credit union division as soon as possible after the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information that would permit access to the member’s account. Iowa passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective January 1, 2022, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.

VENDOR/THIRD PARTIES

Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications.

FINES & PENALTIES

Organizations may be fined or penalized for Vendor violations. Violations of breach and notification laws are considered unlawful acts and may result in a penalty of up to $40,000 per violation and/or a civil penalty of up to $5,000 for each day of intentional violation.

INSURANCE DATA SECURITY LAW

Iowa passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective January 2, 2022, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.

Iowa Statutes and Laws

IA CODE §§ 507F.1 – 507F.16

Insurance Data Security Act

IA CODE § 533.331

Data breach – duty to notify

IA CODE § 715C.2

Security breach – notification requirement – remedies

DISCLAIMER

The information provided is not legal guidance or a recommendation and is for informational purposes only.