Proposed Amendments to the Iowa Breach Notification Act

Breach Notification

The Iowa Attorney General has introduced a new bill that proposes changes to the Iowa Breach Notification Act. Since 2014, data breaches reported to the director of the consumer protection division of the Iowa Attorney General’s office include only those impacting over 500. The number of data breaches reported for the past four years is only approximately 120. This low number can only mean one of two things: either the personal information of Iowa residents is very secure, or hacked entities were not notifying the Attorney General’s office. Attorney General Tom Miller would like to find out the reason behind the low number of reported data breaches, which is why he introduced the new bill.

Currently, data breaches are reported if the compromised data includes:

  • a Social Security number, unique biometric data or a driver’s license number
  • or financial data “in combination with any required expiration date, security code or password that would permit access to an individual’s financial account.”

In the proposed amended bill, AG Miller removed the “in combination with” requirement. This makes any breach of financial data notifiable. Medical information, health insurance information and personal information like tax identification numbers are also added to the list of data whose breach is notifiable. Another proposal is to change the notification period from “without reasonable delay” to 45 days.

Other proposed amendments deal with the loopholes that entities use to avoid having to submit a breach notification. For example:

  • The rule that entities do not need to report access to encrypted data as a breach will be changed. Under the proposed rule, entities don’t need to report a breach if the data is encrypted to a 128-bit standard or higher.
  • The rule that entities do not need to report a breach if there’s a reasonable likelihood that it will not result in financial harm will be changed. The proposed amendment removes the word “financial”, so entities don’t need to report a breach if it will not result in any harm. This requires a written justification submitted to the attorney general’s office in 5 days.

Assistant Iowa Attorney General Nathan Blake said that the proposed amendment will probably result in an increased number of reported data breaches, resolving the under-reporting of data breaches since 2014. But it doesn’t mean that residents are better protected. It’s possible that in the long term there’ll be tougher data protection laws.