Ransomware and Affirmative Defenses

Dentons
This year, the Iowa legislature turned its attention to a variety of cyber security issues including Senate File 262, a new Iowa privacy law, joining California, Colorado, Connecticut, Utah, and Virginia to broadly protect consumer data. In addition to this broader law, the Iowa legislature amended Iowa Code 554G.1 to include affirmative defenses in claims relating to data breaches.

When hackers attack, there are always multiple concerns for your business - operations, keeping your data intact, customer access, publicity, reputational damage, and more. While the new statute won’t help with the immediate chaos triggered by a ransomware attack, it can help down the road in the case of a customer lawsuit involving lost or compromised data. An affirmative defense allows you to say you did your best and should not be held liable.

While an affirmative defense can be incredibly useful, the downside of any codified affirmative defense is that in many instances it could be used to argue for a standard of what your cybersecurity program should look like. This is especially true in cyber law. As we have seen nationally, the law rarely keeps pace with the industry, leaving courts to apply non-codified standards in various cases. Failure to meet those unspecified standards can sometimes be used as an indication of liability.

Written Cybersecurity Programs

Section 554G.2 states that to utilize an affirmative defense, the business “shall create, maintain and comply with a written cybersecurity program that contains administrative, technical, operational and physical safeguards for the protection of both personal information and restricted information.”

While this statement is derived from HIPAA standards, many businesses, particularly smaller businesses, may not have a written program. The program must be in writing; it cannot simply be something that IT knows but never articulates. A compliant cybersecurity program needs to include all of the points below. If the covered entity satisfies all the requirements of this section, it is entitled to the affirmative defense in any tort action filed in relation to the cybersecurity breach.

  • “Continually evaluate and mitigate” internal or external hazards no less than annually.
  • Perform a regular security assessment.
  • Communicate to “affected parties” how they may mitigate their own risks.

Additional guidelines for any such framework are found in 554G.3, and they include the use of national standards such as National Institute of Standards and Technology Special Publication 800-171.

Compliance Issues

A number of other compliance issues are listed within this section, and ultimately the statute states that the defenses are available “If the covered entity cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard …”. The statute also sets a deadline of no later than one year for adopting changes to such standards and processes, and the amended statute indicates that 554G “shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under this Chapter.”

The Big Picture

This is an attempt to mitigate the risk that setting forth affirmative defenses in a statute somehow creates a baseline compliance mandate. However, given the increasing number and prevalence of ransomware attacks, and the fact that the issue merited the attention of the Iowa legislature, businesses should focus on building an understanding of how data flows through their networks, how information is shared, and how best to protect the privacy and security of this data. In particular, the need for businesses to create a current, regularly updated, written framework has never been more important.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising