Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- up to $40,000 per violation

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • A security breach that affects at least 500 Iowa residents, must provide written notice to the Attorney General’s Consumer Protection Division director within 5 business days after notifying affected people.
  • There are specific considerations when determining if a breach is reportable.
  • Notifications may only be given by specific methods.
  • Notifications must contain required information.
  • If notification is not required, then such a determination must be documented in writing and the documentation must be maintained for 5 years.
  • Violations of breach and notification laws are considered an unlawful act and may result in a penalty up to $40,000, per violation and/or a civil penalty of up to $5,000 for each day of intentional violation.
  • The administrator may bring a civil action against a person for all amounts of money, other than penalties, which a consumer or class of consumers has a right to recover. Unpaid fees acquire interest and could result in additional civil penalty.
  • A state credit union must maintain an information security response program, which includes procedures for notifying the credit union division, as soon as possible, after the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information that would permit access to the member’s account.
  • If a vendor is breached, they must report it to the data owner. The data owner will be responsible to complete the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using those states’ rules.
Statutes and Laws
  • IA Code § 715C Personal Information Security Breach Protection
  • IA Code § 715C.2 Security breach – notification requirement – remedies
  • IA Code § 533.331 Data breach – duty to notify
BAck to map