Can I use third-party customer service tools that collect personal information in Iowa? What are the requirements?
Using Third-Party Customer Service Tools that Collect Personal Information in Iowa
Yes, you can use third-party customer service tools that collect personal information in Iowa, but you must ensure compliance with the requirements for third-party service providers and personal information collection.
Requirements for Third-Party Service Providers
Licensees in Iowa are required to exercise due diligence in the selection of third-party service providers, conduct oversight of all third-party service provider arrangements, and require all third-party service providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the licensee’s third-party service providers [1.1].
If a licensee becomes aware of a cybersecurity event in an information system maintained by a third-party service provider of the licensee, the licensee shall comply with section 507F.7, or the licensee may obtain a written certification from the third-party service provider that the provider is in compliance with section 507F.7. If the third-party provider fails to provide written certification to the licensee, the licensee shall comply with section 507F.7 [1.2].
Personal Information Collection
Licensees in Iowa are required to develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment conducted pursuant to subsection 3. The program must be designed to protect the security and confidentiality of nonpublic information and the security of the licensee’s information system. It must also protect against threats or hazards to the security or integrity of nonpublic information and the licensee’s information system, protect against unauthorized access to or the use of nonpublic information, and minimize the likelihood of harm to any consumer [1.3].
Additional Information
The context documents do not provide specific requirements for third-party customer service tools that collect personal information. However, it is recommended that you consult with a legal professional to ensure compliance with all relevant laws and regulations.
Source(s):
- [1.1] Third-party service provider arrangements.
- [1.2] Cybersecurity event — third-party service providers.
- [1.3] Information security program.
Jurisdiction
Iowa