Mandated Timeframe for Breach Reporting and/or Consumer Notification: Without unreasonable delay
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach notification laws:
- up to $40,000 per violation
None to minimal
For a security breach that affects at least 500 Iowa residents, written notice must be provided to the Attorney General’s Consumer Protection Division director within 5 business days after notifying affected people.
There are specific considerations when determining if a breach is reportable.
Notifications may only be given by specific methods.
Notifications must contain required information.
If notification is not required, then such a determination must be documented in writing and the documentation must be maintained for 5 years.
Violations of breach and notification laws are considered an unlawful act and may result in a penalty of up to $40,000 per violation and/or a civil penalty of up to $5,000 for each day of intentional violation.
The administrator may bring a civil action against a person for all amounts of money, other than penalties, which a consumer or class of consumers has a right to recover. Unpaid fees accrue interest and could result in an additional civil penalty.
A state credit union must maintain an information security response program, which includes procedures for notifying the credit union division as soon as possible after the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information that would permit access to the member’s account.
If a vendor is breached, the vendor must report the breach to the data owner. The data owner is then responsible for completing the reporting and consumer notification.
If your breach affects residents in other states, you will need to notify those residents using those states’ rules.
Statutes and Laws
IA Code § 715C Personal Information Security Breach Protection