Iowa recently joined an increasing number of states that require notification of state regulatory authorities following a breach, as well as a handful of states in which paper records can trigger notification obligations. On April 3, 2014, Iowa Governor Terry Branstad signed S.F. 2259 into law, amending Iowa’s Personal Information Security Breach Protection statute (Iowa Code §§ 715C.1–715C.2) to require that written notice be provided to the director of the consumer protection division of the office of the Iowa Attorney General regarding a breach of security affecting 500 or more Iowa residents no later than five business days after providing notice of the breach to any affected Iowa residents under the statute. S.F. 2259 also expands the scope of the statute’s definition of the term “breach of security” to include unauthorized acquisition of personal information “maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form.” Further, S.F. 2259 clarifies that “personal information” includes information that is encrypted, redacted, or otherwise altered such that it is unreadable if the keys to unencrypt, unredact, or otherwise read the information have also been obtained through a breach of security, and specifies that an individual’s financial account number, credit card number, or debit card number in combination with a required “expiration date” or other password or security code that would permit access to an individual’s financial account can qualify as personal information capable of triggering notification obligations.

These changes take effect July 1, 2014.