Can I avoid having a data breach response plan in Iowa? What are the requirements?
Data Breach Response Plan Requirements in Iowa
If you own or license computerized data that includes a consumer's personal information, that data is used in the course of your business, vocation, occupation, or volunteer activities, and it is subject to a breach of security, Iowa imposes notification duties on you [1.1]. The statute does not prescribe a document called a "data breach response plan", but the duties below run on a clock that starts at discovery, so in practice you need a plan in place before an incident to meet them.
The plan should cover at least the following:
- Notification requirements: Following discovery of the breach, or receipt of notice of it from a party that maintains the data on your behalf, you must notify every consumer whose personal information was included in the breached data. Notification must be made in the most expeditious manner possible and without unreasonable delay. The only permitted grounds for delay are the legitimate needs of law enforcement (see below) and the measures necessary to determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data. Time spent on scoping and containment therefore has to be defensible as necessary, not open-ended.
- Delayed notification: The consumer notification requirements of this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the agency has made a written request that the notification be delayed. The notification required by this section shall be made after the law enforcement agency determines that the notification will not compromise the investigation and notifies the person required to give notice in writing.
- Methods of notification: Notice may be given by written notice to the consumer's last available address, by electronic notice where that is the consumer's primary means of contact or the consumer has consented to it, or by substitute notice (typically a conspicuous posting on your website together with notice to major statewide media) where direct notice is impracticable because of its cost, the number of affected consumers, or a lack of sufficient contact information.
- Contents of the notice: Notice pursuant to this section shall include, at a minimum, a description of the breach of security, the approximate date of the breach of security, the type of personal information obtained as a result of the breach of security, contact information for consumer reporting agencies, and advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general.
Failure to comply with these notification requirements is subject to the remedies provided by the statute [1.1].
Additional Requirements for Insurance Licensees: Reinsurers and Third-Party Service Providers
Licensees of the Iowa insurance division carry further duties for cybersecurity events under chapter 507F, in addition to the consumer notification requirements above. If a cybersecurity event involves nonpublic information used by, or in the possession, custody, or control of, a licensee acting as an assuming insurer (a reinsurer) that has no direct contractual relationship with the affected consumers, the assuming insurer must notify each of its affected ceding insurers and the commissioner of its state of domicile within three business days of determining that a cybersecurity event has occurred [3.1].
If a licensee becomes aware of a cybersecurity event in an information system maintained by one of its third-party service providers, the licensee must itself satisfy the commissioner notification requirements of section 507F.7 (described below), or it may instead obtain a written certification from the third-party service provider that the provider is in compliance with section 507F.7 [3.2]. Outsourcing the system does not outsource the reporting obligation.
A licensee must notify the commissioner no later than three business days after confirming a cybersecurity event if the licensee is an insurer domiciled in Iowa, or a producer whose home state is Iowa, and either of the following applies [3.3]:
- Iowa or federal law requires the licensee to give notice of the cybersecurity event to a government body, self-regulatory agency, or other supervisory body.
- The cybersecurity event has a reasonable likelihood of causing material harm to a material part of the licensee's normal business, operations, or security.
Therefore, if you own or license computerized data containing consumers' personal information used in your business, vocation, occupation, or volunteer activities, you cannot avoid the notification duties that a breach of that data triggers, and in practice you cannot avoid having a data breach response plan to meet them. If you are also an insurance licensee, chapter 507F adds further duties: an assuming insurer must notify its ceding insurers and its domiciliary commissioner, a licensee must address cybersecurity events in a third-party service provider's systems, and a licensee domiciled or with its home state in Iowa must notify the commissioner within three business days in the circumstances described above.
Source(s):
- [1.1] Security breach — notification requirements — remedies.
- [3.1] Cybersecurity event reinsurers.
- [3.2] Cybersecurity event — third-party service providers.
- [3.3] Cybersecurity event — notification and report to the commissioner.
Jurisdiction
Iowa