Click here to review text of state statute
Information Covered / Important Definitions
Personal information of Iowa residents.
Definition includes (i) unique electronic identifier or routing code in combination with any required security code, access code, or password permitting access to an individual’s account, and (ii) unique biometric data, such as a fingerprint, retina or iris image, or other unique physical or digital representation of biometric data.
“Security Breach” means unauthorized acquisition of personal information maintained in computerized form that compromises the security, confidentiality, or integrity of the personal information.
Definition includes information maintained in any medium, including on paper, that was transferred by the person to that medium from computerized form.
“Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person or legal business entity that owns or licenses computerized data that includes a consumer's personal information that is used in the course of business, vocation, occupation, or volunteer activities.
Third party recipients:
Any covered entity who maintains or otherwise possesses personal information on behalf of another covered entity must notify the owner or licensor of the information of any security breach of a consumer’s personal information immediately following discovery of security breach.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be given to any consumer whose personal information was included in the information that was breached in the most expeditious manner possible and without unreasonable delay, unless a law enforcement agency determines that notification will impede a criminal investigation and the agency has made a written request that the notification be delayed (in which case notification is delayed until authorized by law enforcement).
- Specific requirements for the content of the notice are detailed in the statute.
- Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 300,000 persons, or covered entity does not have sufficient contact information.
- Notice not required if the covered entity determines, after appropriate investigation or after consultation with relevant federal, state, or local law enforcement agencies, that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was breached was encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable and the keys to unencrypt, unredact, or otherwise read the data elements have not been compromised.
Exemption for good faith acquisition of personal information by an employee of a covered entity for purposes of the covered entity so long as personal information is not used in violation of applicable law or in a manner that harms or poses a threat to the affected resident.
Iowa statute does not apply to a covered entity who complies with notification requirements imposed by its primary or functional federal regulator, or with other state or federal laws, that provide greater protection to personal information and at least as thorough disclosure requirements as required by the Iowa statute.
A covered entity who complies with the GLBA is exempt.
Notification to Regulator / Waiver
Director of Consumer Protection Division of attorney general must be notified within five (5) business days if giving notice of a security breach to more than 500 residents.
A determination of no likelihood of harm:
Does not require notification to attorney general for individuals or commercial entities.
Violation is an unlawful practice.
Attorney general may seek and obtain an order that a violator pay damages to the attorney general on behalf of a person injured by the violation.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute