Iowa law could soon change to provide organizations that have a robust cybersecurity program an extra incentive to maintain and improve their program. Senate File 2073 would amend Iowa’s existing data breach notice statute to provide an “affirmative defense to any claim or action alleging that a person’s failure to implement reasonable security measures resulted in a breach of security . . . .” In order to take advantage of the affirmative defense, an organization would have to prove that it “established, maintained, and complied with a written cyber security program” that complies with industry standards for cybersecurity.
The bill also makes clear that providing an affirmative defense does not imply that any private right of action exists in the first place.
This legislation mirrors an Ohio law that provides a similar incentive to organizations to develop a cybersecurity program that meets industry standards.
If the bill becomes law, organizations will have another reason to develop a cybersecurity program that protects personally identifiable information, financial assets, and trade secret information. Developing a program will not only provide security benefits, but also a potential defense to lawsuits.
The new law would not, however, prevent an organization from ever being named as a defendant in a lawsuit resulting from a cybersecurity incident. The affirmative defense could only be raised after an organization is sued, and then the organization will still have to prove its cybersecurity program met industry standards.
Furthermore, Iowa law likely will not be a defense to suits brought by residents of other states, unless the organization is able to establish that Iowa law applies to the case. This is important to keep in mind, because most organizations have personal information of at least a few, and often many, individuals who reside in other states.
The new Iowa law would provide a real benefit to organizations that implement a robust cybersecurity plan. Superficial plans designed to merely “check the box” on compliance will likely not provide either an affirmative defense or much of a security benefit. Organizations may want to compare their plans to one of the many standards available for cybersecurity. We previously covered assessment tools that organizations can use to evaluate their plans.
Regardless of whether the legislation becomes law, organizations still have many good reasons to develop and implement a cybersecurity program that protects personally identifiable information, financial assets, and trade secret information. We have covered dozens of lawsuits that resulted from inadequate cybersecurity.
Organizations should identify internal and external professionals with the knowledge and capability to help them develop the key technical, physical, and administrative safeguards for minimizing cybersecurity risk. After all, the best way to avoid the costs of a cybersecurity incident is to not have one in the first place.