Iowa Passes Cybersecurity Affirmative Defense Law
On May 3, 2023, Iowa became the fourth state to pass a law providing companies with an affirmative defense against suits alleging that the organization failed to implement reasonable information security controls which then led to, or resulted in, a data security breach. The other states that have passed similar affirmative defenses include: Connecticut, Ohio, and Utah.
The affirmative defense requires companies to meet certain cybersecurity requirements and standards.
The law specifies the following cybersecurity standards:
(a) The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology.
(b) National institute of standards and technology special publication 800-171.
(c) National institute of standards and technology special publications 800-53 and 800-53a.
(d) The federal risk and authorization management program security assessment framework.
(e) The center for internet security critical security controls for effective cyber defense.
(f) The international organization for standardization/international electrotechnical commission 27000 family — information security management systems.
The law also recognizes federal cybersecurity standards:
(a) The security requirements of the federal Health Insurance Portability and Accountability Act of 1996, as set forth in 45 C.F.R. pt. 164, subpt. C.
(b) Title V of the federal Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.
(c) The federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.
(d) The federal Health Information Technology for Economic and Clinical Health Act as set forth in 45 C.F.R. pt. 162.
(e) Chapter 507F.
The law allows the organization to become compliant with a framework within twelve months of the framework being finalized, or within twelve months of the framework being revised or updated.
The organization must have policies that include “administrative, technical, and operational” security controls, and provide for continually evaluating and mitigating any reasonably anticipated internal or external threats.
The law allows a company to have a program tailored to the size of the organization, so long as the “cost to operate the cybersecurity program is no less than the covered entity’s most recently calculated maximum probable loss value.”
Notably, the defense is only available if the suit is brought under Iowa tort law or in an Iowa court.
A number of other states are considering similar legislation, including Georgia, Illinois, Michigan, and New Jersey.
Notes:
1. Iowa House File Section 3, 554G.3 Cybersecurity Program Framework (1.)(a.)(1)(a).
2. The framework is also known as the Cybersecurity Framework, https://www.nist.gov/cyberframework.
3. The framework is also known as FedRAMP, https://www.fedramp.gov/program-basics/.
4. The framework is also known as CIS Controls v8, https://www.cisecurity.org/controls.
5. The framework is also known as ISO/IEC 27001, https://www.iso.org/standard/27001.
6. The Iowa Insurance Data Security chapter, §507F.2, https://www.legis.iowa.gov/docs/code/507f.pdf.
7. Sec. 2. NEW SECTION. 554G.2 Affirmative defenses, (3).