Iowa
Privacy Laws
Overview
BREACH NOTIFICATION – Mandated Timeframe
Without unreasonable delay
FINES & PENALTIES – Violations
Attorney General may bring action

Regulation Levels
-
Breach Reporting
-
Consumer Notification
-
Vendor Management
-
Vendor Contract Required
PRIVACY AND SECURITY LAWS
Laws related to personal information and privacy and security.
Breach Reporting
Required
Vendor Obligations
Required
Consumer Notification
Required
Vendor Contracts
Not Required
Vendor Notification
Required
Privacy Program
Required
QUICK FACTS
Iowa Privacy Law Information
A security breach that affects at least 500 Iowa residents, requires written notice to the Attorney General’s Consumer Protection Division within 5 business days after notifying affected individuals. There are specific considerations when determining if a breach is reportable. Notifications may only be given by specific methods. Notifications must contain the required information. If notification is not required, then such a determination must be documented in writing and the documentation must be maintained for 5 years.
If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
A state credit union must maintain an information security response program, which includes procedures for notifying the credit union division, as soon as possible, after the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information that would permit access to the member’s account. Iowa passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective January 1, 2022, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.
Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications.
Organizations may be fined or penalized for Vendor violations. Violations of breach and notification laws are considered an unlawful act and may result in a penalty of up to $40,000, per violation and/or a civil penalty of up to $5,000 for each day of intentional violation.
Iowa passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective January 2, 2022, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.
Iowa Statutes and Laws
Insurance Data Security Act
Data breach – duty to notify
Security breach – notification requirement – remedies
DISCLAIMER
The information provided is not legal guidance or recommendations and are for informational purposes only.