|Security Breach Act (SF 2308)|
|CITATION||Iowa Code § 715C.1|
Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security must give notice of the breach of security following discovery of such breach of security, or receipt of notification, to any consumer whose personal information was included in that breach.
The consumer notification must be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data. Any person who maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer’s personal information was included in the information that was breached.
The data covered is “Personal Information” which is defined as an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:
|PENALTIES||Violations are considered to be unlawful practices pursuant to the Iowa Consumer Fraud Law. The Attorney General may obtain an order requiring the violator to pay damages to the Attorney General on behalf of an injured person.|