The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: Any individual; corporation; business trust; estate; trust; partnership; limited liability company; association; joint venture; government; governmental subdivision, agency, or instrumentality; public corporation; or any other legal or commercial entity that owns, licenses, or maintains personal information.
Consumer Notification: Notification must be provided to any Iowa resident whose personal information has been acquired without authorization in a manner that compromises the security, confidentiality, or integrity of that information, whether the information was maintained in computerized form or in any other medium (including paper) to which it was transferred from computerized form.
Regulatory Notification: Written notification must be provided to the Director of the Consumer Protection Division of the Iowa Attorney General’s office if more than 500 Iowa residents must be notified as the result of a single breach. The regulatory notice is due within 5 business days after notice of the breach is given to the affected consumers.
Notification Timeline: Notification must be provided in the “most expeditious manner possible without unreasonable delay.”
Data Format: Electronic or hard copy transferred from computerized form.
Citations: Iowa Code §§ 715C.1, 715C.2.
- Breach: Unauthorized acquisition of personal information maintained in computerized form by an entity that compromises the security, confidentiality, or integrity of the personal information.
- Personal Information (PI): An individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual, where the data elements are either (a) not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable, or (b) encrypted, redacted, or otherwise altered in that manner but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security:
- Social Security number;
- Driver’s license number or other unique identification number created or collected by a government body;
- Account number or credit card number or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account;
- Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or
- Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
- Medical Information: N/A
- Health Insurance Information: N/A
- Encryption: Notification is not required where the potentially impacted PI was encrypted, or otherwise altered in such a manner that it is unreadable, unless the keys to unencrypt or read the data element have also been obtained.
- Good Faith: Notification is not required if the personal information was acquired in good faith by a person or that person’s employee or agent for a legitimate purpose of that person.
- Risk of Harm: Notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local law enforcement agencies, the entity determines that no reasonable likelihood of financial harm to the affected consumers has resulted or will result from the breach. That determination must be documented in writing and the documentation must be maintained for five years.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the agency has made a written request that the notification be delayed.
- Timing: Notification must be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.
- Format: N/A
- Content: Notification must include, at a minimum, the following:
- A description of the breach of security.
- The approximate date of the breach of security.
- The type of personal information obtained as a result of the breach of security.
- Contact information for consumer reporting agencies.
- Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general.
- Method: Notification must be provided in writing, or by electronic notice if electronic communication is the entity’s customary method of communicating with the individual or the notice is consistent with the provisions regarding electronic records and signatures in 15 U.S. Code § 7001.
Substitute notice may be provided if the entity (1) demonstrates that the cost of providing notice will exceed $250,000, (2) demonstrates that the affected class to be notified exceeds 350,000 persons, or (3) does not have sufficient contact information to provide notice. Substitute notice must consist of all of the following: (1) email notice when the entity has an email address for the affected individuals, (2) a conspicuous posting of the notice, or a link to the notice, on the entity’s internet site if the entity maintains one, and (3) notice to major statewide media.
Written notification must be provided to the Iowa Attorney General’s Consumer Protection Division where more than 500 Iowa residents are required to be notified as the result of a single breach, within 5 business days after notice is given to the affected consumers. That notice should describe (1) the nature of the breach of security or unauthorized acquisition or use, (2) the number of Iowa residents affected by the incident at the time of notification, and (3) any steps the entity has taken or plans to take relating to the incident.
Credit Reporting Agencies Notice: N/A
Third-Party Notice: An entity that maintains or otherwise possesses PI on behalf of another entity (the owner or licensor of the PI) must notify the owner or licensor of any breach of security involving that PI immediately following discovery of the breach.
The statute does not apply to entities that are subject to and in compliance with HIPAA, or with a state or federal law or other breach of security procedure that provides greater protection to personal information and at least as thorough disclosure requirements as those provided by the Iowa statute.
- Iowa Code §§ 715C.1, 715C.2
Comprehensive Data Privacy Law
Iowa Act Relating to Consumer Data Protection
Iowa Code Ann. §§ 715D.1 to 715D.9
Covered Entities: Persons or entities that conduct business in Iowa or produce products or services that target consumers who are Iowa residents and that, during a calendar year, control or process the Personal Data of:
- 100,000 or more consumers; or
- 25,000 or more consumers while deriving over 50% of gross revenue from the sale of Personal Data.
Among other exclusions, the ICDPA excludes state and local government, nonprofit organizations, financial institutions, institutions of higher education, employment-related data, and entities or data regulated by HIPAA, FCRA, and GLBA.
Covered Entity Obligations:
Controllers. ICDPA Controller duties include obligations to:
- Adopt and implement reasonable administrative, technical, and physical data security practices.
- Not process Sensitive Personal Data without first presenting the consumer with clear notice and an opportunity to opt out of that processing (and, for Sensitive Personal Data concerning a known child, without processing the data in accordance with COPPA).
- Not process Personal Data in violation of state and federal laws that prohibit unlawful discrimination.
- Not discriminate against a consumer for exercising consumer rights. However, controllers may offer incentives for voluntary participation in promotions.
- Provide a reasonably accessible, clear, and meaningful privacy notice that includes: (i) the categories of Personal Data processed; (ii) the purpose for Processing Personal Data; (iii) how Consumers may exercise their rights; (iv) the categories of Personal Data shared with third parties; (v) the categories of third parties with whom the Controller shares Personal Data; and (vi) how Consumers can appeal a Controller’s refusal to take action on a Consumer request.
- Clearly and conspicuously disclose sales of Personal Data to third parties or use of targeted advertising and describe the manner in which a consumer may exercise the right to opt out of such activity.
- Enter into contractual agreements with processors that govern the processor’s data processing requirements and contain specific terms, including: instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties.
Processors. ICDPA Processor duties include obligations to:
- Adhere to the instructions of a Controller.
- Reasonably assist the Controller in meeting its ICDPA obligations, including:
- Assisting the Controller in responding to Consumer rights requests; and
- Assisting the Controller in meeting its obligations to implement data security practices and breach notification.
- Enter into written contracts with any subcontractors engaged to Process Personal Data which meet the obligations of the Processor with respect to the Personal Data.
- Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
- At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
- Upon the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with its ICDPA obligations.
Controllers must respond without undue delay and within 90 days (extendable by an additional 45 days where reasonably necessary) to verified consumer requests regarding the processing of Personal Data and Sensitive Personal Data, including consumers’:
- Right to confirm whether a Controller is Processing Personal Data and to access Personal Data;
- Right to request deletion of Personal Data provided by the consumer;
- Right to obtain Personal Data in a format that is generally portable, readily usable, and transmittable;
- Right to opt out of Personal Data sales.
Additionally, a Controller shall establish a process for a consumer to appeal the Controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision. The appeal process must be conspicuously available and similar to the process for submitting requests. The Controller must act on an appeal within sixty (60) days of receipt and inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the Controller must also provide the consumer with a mechanism for contacting the Attorney General to submit a complaint.
- Consumer: A natural person who is a resident of Iowa acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.
- Controller: A person that, alone or jointly with others, determines the purposes and means for Processing Personal Data.
- Personal Data: Any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal Data excludes de-identified or aggregate data or publicly available information.
- Processing: Any operation or set of operations performed, whether by manual or automated means, on Personal Data or on sets of Personal Data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of Personal Data.
- Processor: A person that Processes Personal Data on behalf of a Controller.
- Sale of Personal Data: The exchange of Personal Data for monetary consideration by the Controller to a third party. The ICDPA excludes the following disclosures from this definition: (i) disclosures to a Processor that Processes Personal Data on behalf of the Controller; (ii) disclosures to a third party for purposes of providing a product or service requested by the Consumer; (iii) disclosure to an affiliate of the Controller; (iv) disclosure that Consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience; (v) disclosure or transfer when a consumer uses or directs a Controller to intentionally disclose Personal Data or intentionally interact with a third party; (vi) a disclosure or transfer as an asset in a merger or other transaction in which the third party assumes control of all or part of the Controller’s assets.
- Sensitive Personal Data: Personal Data revealing: racial or ethnic origin, religious beliefs, mental/physical health diagnosis, sexual orientation, or citizenship/immigration status, as well as genetic and biometric data, precise geolocation data, and Personal Data collected from a known child.
Violations of the ICDPA may be enforced by the Iowa Attorney General. The maximum civil penalty for violations is $7,500 per violation after a 90-day cure period.
Effective Date: January 1, 2025
Insurance Data Security Statute
Covered Entities: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Iowa, not including a purchasing group or a risk retention group chartered and licensed in a state other than Iowa or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
Security Standard: A licensee must develop, implement, and maintain a comprehensive written information security program, based on the licensee’s risk assessment, that contains administrative, technical, and physical safeguards for nonpublic information and the licensee’s information systems. Certain licensees are exempt as set forth in Iowa Code Ann. § 507F.4 and described below.
Consumer Notification: A licensee shall comply with Iowa Code Ann. § 715C.2 – Security Breach – Notification Requirements, as applicable.
Regulatory Notification: A licensee shall notify the Commissioner of Insurance no later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.
Notification Timeline: No later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred.
Citations: Iowa Code Ann. §§ 507F.1 to 507F.16
- Consumer: An individual, including but not limited to an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of Iowa and whose nonpublic information is in a licensee’s possession, custody, or control.
- Cybersecurity Event: An event resulting in unauthorized access to, or the disruption or misuse of, an information system or of nonpublic information stored on an information system. It does not include unauthorized acquisition of encrypted nonpublic information if the encryption process or key is not also acquired, released or used without authorization; or an event for which a licensee has determined that the nonpublic information accessed has not been used or released, and it has been returned or destroyed.
- Licensee: Any entity licensed, authorized to operate, or registered, or a person required to be licensed, authorized to operate, or registered pursuant to the insurance laws of Iowa, not including a purchasing group or a risk retention group chartered and licensed in a state other than Iowa, or a licensee that is acting as an assuming insurer domiciled in another state or jurisdiction. Licensees are exempt from the requirements of chapter 507F if they meet any of the following criteria:
- It has fewer than 20 individuals on its workforce, including employees and independent contractors.
- It has less than $5,000,000 in gross annual revenue.
- It has less than $10,000,000 in year-end total assets.
- It is an employee, agent, representative, or designee of a licensee, and is covered by the information security program of another licensee.
- It is a licensee that is owned or controlled by a federally insured depository institution that is subject to, and in compliance with, the Gramm-Leach-Bliley Act or comparable federal law and corresponding regulations.
- It is a licensee that is subject to, and in compliance with, the Health Insurance Portability and Accountability Act (HIPAA).
- Nonpublic Information: Electronic information that is not publicly available information and is any of the following:
- Business-related information of a licensee the tampering of which, or unauthorized disclosure, access, or use of which, will cause a material adverse impact to the business, operations, or security of the licensee.
- Any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify the consumer, in combination with:
- Social Security number;
- Driver’s license number or nondriver identification card number;
- Financial account number or credit or debit card number;
- Security code, access code, or password that would permit access to a consumer’s financial account; or
- Biometric records.
- Any information or data, except age or gender, created by or derived from a health care provider or a consumer, that can be used to identify a consumer and relates to:
- The past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of the consumer’s family;
- The provision of health care to any consumer; or
- The payment for the provision of health care to any consumer.
A licensee shall notify the Commissioner of Insurance no later than 3 business days from a determination that a cybersecurity event has occurred, if any of the following conditions apply:
- The licensee is an insurer who is domiciled in Iowa, or is a producer whose home state is Iowa, and any of the following apply:
- The laws of Iowa or federal law requires that notice of the cybersecurity event be given by the licensee to a government body, self-regulatory agency, or other supervisory body, or
- The cybersecurity event has a reasonable likelihood of causing material harm to a material part of the normal business, operations, or security of the licensee.
- The licensee reasonably believes that the nonpublic information involves 250 or more consumers residing in Iowa and the cybersecurity event is either:
- A cybersecurity event impacting the licensee that the licensee is required to notify any government body, self-regulatory agency, or any other supervisory body about pursuant to any state or federal law, or
- A cybersecurity event that has a reasonable likelihood of materially harming either a consumer residing in Iowa or a material part of licensee’s operations.
When notifying the Commissioner of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible:
- The date of the cybersecurity event.
- A description of how the nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers, if any.
- How the cybersecurity event was discovered.
- Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
- The identity of the source of the cybersecurity event.
- Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided.
- A description of the specific types of nonpublic information that were lost, stolen, or breached.
- The total number of consumers residing in Iowa affected by the cybersecurity event. The licensee shall provide its best estimate in the initial report to the Commissioner and update that estimate in each subsequent report.
- The results of any internal review identifying a lapse in either automated controls or internal procedures or confirming that all automated controls or internal procedures were followed.
- A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.
- The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.
Third-Party Notice Requirements:
If a licensee becomes aware of a cybersecurity event in a system maintained by a third-party service provider, the licensee shall comply with Section 507F.7 unless it obtains a written certification from the third-party service provider that the provider is in compliance with Section 507F.7. The licensee’s deadlines under Section 507F.7 begin on the business day after the date on which the third-party service provider notifies the licensee of the cybersecurity event, or the date on which the licensee has actual knowledge of the cybersecurity event, whichever is earlier.
A licensee that violates chapter 507F is subject to penalties pursuant to Iowa Code section 505.7A and chapter 507B.
HIPAA-compliant licensees that are exempt from the requirements of Iowa Code chapter 507F must provide a written certification of that compliance to the Iowa Insurance Division on an annual basis. See Iowa Code sections 507F.4(1)(b) and 507F.13.