As of now, 48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have implemented legislation that requires private or government entities to notify individuals if they have experienced a security breach. Alabama, New Mexico, and South Dakota are the three remaining states that don’t have official security breach notification laws. Even my Midwestern home state of Iowa now has a mandatory data breach notification law.
Iowa Security Breach Notifications
Since we are a company based out of Iowa, we will focus on the specifics of a security breach and the laws that go along with one in Iowa. You can find the complete list of security breach notification laws by each state here.
Iowa law defines a security breach as any unauthorized acquisition of personal information maintained by a person in any medium, including on paper, where that information was transferred by the person to that medium from a computerized form, and where the acquisition compromises the security, confidentiality, or integrity of the personal information.
Personal information, also known as personally identifiable information (PII), includes medical information, financial information such as a credit or debit card number, a Social Security number, or a driver’s license number. PII is intended to be stored encrypted; if this information is unencrypted or otherwise becomes readable, a data breach has occurred and the mandatory reporting laws come into effect.
If a security breach occurs in Iowa, the following must happen:
Why is this information important? You should know your risk and what type of event will trigger reporting in your state. Failure to comply with these regulations will result in civil penalties that could be devastating to your company.