On April 3, Iowa expanded the reach of its data breach notification law. First, entities that suffer breaches of personal information that are required to notify more than 500 state residents will now be required to notify the state’s attorney general within five days after residents are notified. Previous state law required only consumer notification. Exemptions to the consumer notice requirement also apply to the attorney general notice requirement. Second, the definition of “breach of security,” which had previously been limited to incidents affecting personal information maintained in computerized form has been broadened to include information maintained in any medium, including on paper, that was transferred by the person to that medium from computerized form. Finally, the definition of “personal information” has been broadened to include encrypted, redacted, or otherwise protected data where the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security. The changes take effect on July 1, 2014. Here is the link to SF2259.
Insights & Opinions from McGrath North