Iowa becomes the fourth U.S. state to provide an affirmative defense for companies that adopt a cybersecurity framework
Iowa is the fourth state—following Ohio, Connecticut, and Utah—to provide a statutory incentive for companies to align their cybersecurity practices to one of several common cybersecurity frameworks. The new Iowa law, House File 553,[1] provides an affirmative defense to companies that maintain a cybersecurity program that includes administrative, technical, operational, and physical safeguards for the protection of "personal information" and "restricted information,"[2] and is designed to: (a) continually evaluate and mitigate reasonably anticipated cyber risks; (b) evaluate at least annually the "maximum probable loss" from a data breach; and (c) communicate to parties affected by a data breach about the resulting risks and steps those parties can take to protect themselves. The new law went into effect on July 1, 2023.
The affirmative defense provided by the law applies to any tort claim brought under Iowa law or in Iowa courts alleging that a failure to adopt reasonable security measures resulted in a data breach. To be clear, the law does not require companies to maintain a compliant cybersecurity program, but rather provides the affirmative defense as an incentive to do so.
The clearest way a business can establish its eligibility for the safe harbor is to maintain a cybersecurity program that "reasonably conforms" to one of the following industry-recognized cybersecurity frameworks:
- National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (commonly known as the "NIST Cybersecurity Framework" or "NIST CSF")
- NIST Special Publication (SP) 800-171
- NIST SPs 800-53 and 800-53a
- Federal Risk and Authorization Management Program (FedRAMP) security assessment framework
- Center for Internet Security Critical Security Controls for Effective Cyber Defense (CIS Controls)
- International Organization of Standardization (ISO) 27000 family – Information Security Management Systems
Companies are not required to adopt any of these frameworks to avail themselves of the affirmative defense. They can instead seek to establish in response to a tort claim that they have satisfied the safeguards and risk management requirements of the statute. But a much clearer and more predictable way to invoke the affirmative defense is to show that their cybersecurity program "reasonably conforms" to one of these established and widely accepted frameworks.
Alternatively, if a business is subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health Act (HITECH), Title V of the Gramm-Leach-Bliley Act (GLBA), the federal Information Security Modernization Act (ISMA), Iowa's insurance data security law, or critical infrastructure protection rules issued by the U.S. Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA), or the North American Electric Reliability Corporation (NERC), and if the business's cybersecurity program "reasonably conforms" to those laws and regulations, the business is deemed to have a compliant cybersecurity program under the new Iowa law and thus eligible for the safe harbor. Businesses also may reasonably comply with the Payment Card Industry Data Security Standard (PCI DSS), but only are entitled to the affirmative defense if they comply with PCI DSS in combination with one of the frameworks listed above.[3]
In 2018, Ohio passed the first legislation of this kind, creating an affirmative defense for companies that conform their cybersecurity programs to a cybersecurity framework. Utah and Connecticut followed suit in 2021. The laws enacted in Utah, Connecticut, and Iowa are modeled after the Ohio statute, although the specific provisions under each law vary.
The Iowa law has several distinct features that set it apart from its predecessors. Notably, the Iowa law's definition of covered "restricted information" applies to information that identifies or can be linked to businesses, the breach of which is likely to result in a material risk of fraud. The Ohio, Utah, and Connecticut laws do not apply to information pertaining to businesses.[4] The inclusion of business-related information, in addition to personal information, in the Iowa law cuts both ways for businesses: the law requires that businesses protect both personal information and restricted information, while granting an affirmative defense to claims arising out of a breach of either one. As a result, businesses must protect a broader swath of information to comply with the Iowa law, but also receive a broader affirmative defense in return.
Additionally, the Iowa law appears to give businesses more discretion to right-size their cybersecurity programs. The Iowa law states plainly that a business's cybersecurity program is "appropriate" if the cost to operate the program is no less than the business's most recently calculated "maximum probable loss" value.[5] The law defines "maximum probable loss" as "the greatest damage expectation that could reasonably occur from a data breach," and "damage expectation" as "the total value of possible damage multiplied by the probability
that damage would occur." This provision gives companies a clear measuring stick for how much they should spend on their cybersecurity programs. Notably, however, the law does not expressly require companies to meet this spending requirement to establish the affirmative defense (i.e., there is no requirement that a compliant security program be "appropriate"), so it is unclear whether companies may lose the affirmative defense if their spending falls short of their "maximum probable loss" figure.
In contrast to the Iowa law's spending provision, the Ohio, Utah, and Connecticut laws simply provide a list of several factors that businesses must consider to determine whether their cybersecurity programs are appropriate, such as the size and complexity of the business and the sensitivity of the information to be protected.
Other states, including New Jersey, Georgia, and Illinois have proposed similar safe harbor laws. As more states adopt such laws, companies will have growing incentives to invest in robust cybersecurity controls to comply with common industry-recognized cybersecurity frameworks.
[1] "An Act Relating to Affirmative Defenses for Entities Using Cybersecurity Programs," 2023 Ia. Legis. Serv. H.F. 553 (West).
[2] The law requires a business's cybersecurity program to protect both "personal information," which is information that relates to an identifiable individual, "in particular by reference to an identifier" including name, social security number, payment card number, etc., and to "restricted information," which is information of either an individual or a business that can be linked to the individual or business, the breach of which is "likely to result in material risk of identity theft or other fraud to person or property."
[3] If any of the listed industry-recognized cybersecurity frameworks or laws and regulations are amended or revised, businesses have one year thereafter to reasonably conform their cybersecurity program to the revision or amendment in order to continue enjoying the benefits of the safe harbor.
[4] These other laws apply to "restricted information" as well; however, they define "restricted information" only to include information that identifies or that can be linked to individuals.
[5] The law does not specify how frequently a company must evaluate the cost of maintaining their cyber program. However, it requires that companies calculate their maximum probable loss value at least annually, suggesting that the costs of maintaining the company's cyber program should be calculated on a similar frequency.
[View source.]
