Iowa Joins Growing List to Offer Potential Safe Harbor for Companies With Security Programs

Sheppard Mullin Richter & Hampton LLP

[co-author: Kathryn Smith*]

Iowa recently became the fifth state to offer businesses a safe harbor if they have a written cybersecurity program. The others are Connecticut (October 1, 2021), Ohio (effective November 2, 2018), Oregon (effective January 1, 2020), and Utah (effective March 5, 2021). As in those states, as of July 1, 2023, businesses that have a written cybersecurity program and suffer a breach may have an affirmative defense in Iowa against tort claims for inadequate security measures.

To take advantage of the safe harbor, the company must have a written cybersecurity program that contains certain elements. The program must, inter alia:

  • Evaluate and mitigate anticipated risks on a continual basis
  • Be of an appropriate scope and scale, measured by it costing “no less than [the company’s] most recently calculated maximum probable loss value”
  • Assess, at least annually, the potential maximum probable loss from a breach
  • In the event of a breach, provide that the company will tell impacted parties what steps they can take “to reduce any damages”

These elements mirror those expected under other state safe harbor laws, but are more detailed than we have seen in the past. Programs that reasonably conform to an industry-recognized cybersecurity framework will be deemed qualifying programs.[1] These industry frameworks include the NIST Cybersecurity Framework, FedRAMP and ISO/IEC 27000. Businesses regulated by, and adhering to, several well-known laws will also be viewed as having a sufficient program. These include both HIPAA and GLBA.

*Kathryn Smith is a fellow in the firm’s Chicago office.

Putting it into Practice: Iowa’s safe harbor law picks up from similar provisions last passed by a state in 2021 (Connecticut). As the cost of breach-related lawsuits continues to rise, these provisions can offer some comfort to companies. We will be watching to see if other states begin incorporating similar provisions in their breach notice laws.


[1] 554G.3(1).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
