New Iowa Cybersecurity Legislation

Dickinson, Mackaman, Tyler & Hagen, P.C.

Dickinson, Mackaman, Tyler & Hagen, P.C.

Iowa law could soon change to provide organizations that have a robust cybersecurity program an extra incentive to maintain and improve their program. Senate File 2073 would amend Iowa’s existing data breach notice statute to provide an “affirmative defense to any claim or action alleging that a person’s failure to implement reasonable security measures resulted in a breach of security . . . .” In order to take advantage of the affirmative defense, an organization would have to prove that it “established, maintained, and complied with a written cyber security program” that complies with industry standards for cybersecurity.

The bill also makes clear that by providing an affirmative defense, it does not mean to suggest that there is any private right of action in the first place.

This legislation mirrors an Ohio law that provides a similar incentive to organizations to develop a cybersecurity program that meets industry standards.

If the bill becomes law, organizations will have another reason to develop a cybersecurity program that protects personally identifiable information, financial assets, and trade secret information. Developing a program will not only provide security benefits, but also a potential defense to lawsuits.

The new law would not, however, prevent an organization from ever being named as a defendant in a lawsuit resulting from a cybersecurity incident. The affirmative defense could only be raised after an organization is sued, and then the organization will still have to prove its cybersecurity program met industry standards.

Furthermore, Iowa law likely will not be a defense to suits brought by residents of other states, unless the organization is able to establish that Iowa law applies to the case. This is important to keep in mind, because most organizations have personal information of at least a few, and often many, individuals who reside in other states.

The new Iowa law would provide a real benefit to organizations that implement a robust cybersecurity plan. Superficial plans designed to merely “check the box” on compliance will likely not provide either an affirmative defense or much of a security benefit. Organizations may want to compare their plans to one of the many standards available for cybersecurity. We previously covered assessment tools that organizations can use to evaluate their plans.

Regardless of whether the legislation becomes law, organizations still have many good reasons to develop and implement a cybersecurity program that protects personally identifiable information, financial assets, and trade secret information. We have covered dozens of lawsuits that resulted from inadequate cybersecurity.

Organizations should identify internal and external professionals with the knowledge and capability to help them develop the key technical, physical, and administrative safeguards for minimizing cybersecurity risk. After all, the best way to avoid the costs of a cybersecurity incident is to not have one in the first place.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dickinson, Mackaman, Tyler & Hagen, P.C. | Attorney Advertising

Written by:

Dickinson, Mackaman, Tyler & Hagen, P.C.

Dickinson, Mackaman, Tyler & Hagen, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.