Security Breach Notification Laws
Greg Edwards
Tech Entrepreneur & Innovator | Founder of WatchPoint IT, Axis Backup & Canauri | Speaker on Cybersecurity & AI Trends
As of now, 48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have implemented legislation that requires private or government entities to notify individuals if they have experienced a security breach. Alabama, New Mexico, and South Dakota are the three remaining states who don’t have official security breach notification laws. Even my Midwestern home-state of Iowa now has a mandatory data breach notification law.
Iowa Security Breach Notifications
Since we are a company based out of Iowa, we will focus on the specifics of a security breach and the laws that go along with one in Iowa. You can find the complete list of security breach notification laws by each state here.
Iowa law defines a security breach as any unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from a computerized form, and that compromises the security, confidentiality, or integrity of the personal information.
Personal information also known as personally identifiable information (PII) includes medical information, financial information such as a credit or debit card number, a Social Security number, or a driver’s license number. PII is intended to be encrypted; should this information be unencrypted or become readable, it has been done so through a data breach, and the mandatory reporting laws come into effect.
If a security breach occurs in Iowa, the following must happen:
- The residents affected by the breach must be notified.
- The notice must include a description and approximate date of the breach, as well as advice to the consumer to report suspected incidents of identity theft to local law enforcement or the Attorney General.
- The notice must be in writing to the last known address of those affected, or by electronic notice if this is the breached entity’s primary method of communication with its consumers.
- If more than 500 Iowa residents are affected and notified, the entity must notify the Attorney General’s Director of the Consumer Protection Division within five business days after giving notice to the consumers.
- The notification laws may be delayed if law enforcement determines that notification could interfere or impede with a formal investigation of the data breach.
Why is this information important? As a business owner, you should know what your risk is and what type of event will trigger reporting in your state. Failure to comply with these regulations will result in civil penalties that could be devastating to your company.