April 8 --Iowa Gov. Terry Branstad (R) recently signed legislation (S.F. 2259) that amends the state's data breach notification law to require covered entities to notify the state attorney general of breaches affecting more than 500 Iowans.
Under the measure, covered entities must notify the attorney general within five business days after notifying affected individuals.
S.F. 2259, which was signed by the governor April 3, will take effect July 1.
S. 2259 expands the scope of the state's data breach notice law beyond coverage for breaches affecting unencrypted computerized data to now include personal information in any form, including paper.
The legislation, which passed both houses of the Iowa General Assembly unanimously, is a “second-generation’’ data breach law, William Brauch, director of the office's Consumer Protection Division, told Bloomberg BNA April 8. Brauch said that his office proposed the law because of its own experiences with businesses reporting breaches.
Iowa enacted the underlying data breach notice law in May 2008 (7 PVLR 757, 5/19/08).
Brauch said a printout of personal information taken from a computer and then stolen will now be considered a security breach.
Brauch said the mandate that the attorney general be notified is important to allow his office to investigate and better protect consumers. If a resident calls and says others are applying for credit in his or her name, the Office of the Attorney General would be well-served to know a breach has occurred, he said.
The five-day time limit was a compromise, Brauch said, as some businesses said they couldn't report their concerns to his office any sooner than that.
He said his office isn't always apprised of breaches by companies that have them. Instead, he said, it sometimes hears of them from consumers and sometimes from other states that have notification requirements.
To contact the reporter on this story: Mark Wolski in St. Paul, Minn., at firstname.lastname@example.org
To contact the editor responsible for this story: Katie W. Johnson at email@example.com
S.F. 2259, as signed into law, is available at http://coolice.legis.iowa.gov/linc/85/external/govbills/SF2259.pdf.
To view additional stories from Privacy & Security Law Report® register for a free trial now