On May 10th, Iowa Gov. Culver (D) signed a bill (S.F. 2308) that requires businesses and government agencies to notify state residents if unauthorized access to their computerized personal information is likely to cause financial harm.
The new Iowa data breach notification law takes effect July 1, 2011.
Iowa is the 43rd state with some sort of data breach law on the books.
Unlike most state data breach laws, S.F. 2308 does not exempt personal information that is encrypted or redacted from the types of computerized data requiring notice. The new Iowa law, however, contains a risk of harm trigger.
Under S.F. 2308, breach notice “is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach.”
The proposed law would allow the state attorney general to seek actual damages on behalf of individuals affected by a data breach incident requiring notification.
A provision in the Iowa bill as introduced, which would have made retailers liable to banks for their costs associated with breaches of credit and debit card transaction data, was removed from the measure in committee before its formal introduction in the Senate.