Iowa Broadens Security Breach Notification Provisions

on Friday, 27 June 2014 in Health Law Alert: Erin E. Busch, Editor

On April 3, 2014, Iowa Governor Terry Branstad signed into law Senate File 2259, amending the state’s personal information security breach notification requirements. The revised Iowa Code Chapter 715C expands the definitions of key terms, including “breach of security” and “personal information,” and establishes an Attorney General notification requirement for certain breaches.

  • “Breach of security” is now defined to encompass the “unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information.” This would include situations where a hard copy printout of personal information stored on a computer is stolen. Previously, only security compromises to data maintained in a computerized form could trigger breach notification requirements under this statute.
  • “Personal information” is now defined to include name or data elements which are “encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security.” “Personal information” also includes expiration date in the list of possible elements that, when taken in combination with a financial account number, credit card number, or debit card number, would permit access to an individual’s financial account.
  • The consumer notification provision was broadened to include notification to the Attorney General, as is required by several other states’ laws. Importantly, under the amended statute, the Director of the Consumer Protection Division of the Office of the Attorney General must be notified of breaches affecting more than 500 Iowa residents. This notification must be in writing and occur within five business days after giving notice of the breach to the affected consumers.

Health care organizations should review and update policies and procedures to address the recent changes. The amended provisions take effect July 1, 2014.

Laura A. Feldman

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500