Iowa made changes to its breach notification law (Iowa Code § 715C.1 et seq.) when the state’s Governor, Terry Branstad, signed S.F. 2259 into law. The amendment makes the following key changes which become effective July 1, 2014:

  1. The existing law applies to “computerized” personal information. The amendment clarifies that this includes personal information maintained in any medium, including paper, transferred to that medium from computerized form. So, paper files printed from a computer that contain the elements that constitute personal information (e.g., name and Social Security number) can trigger a notification obligation under Iowa law. The breach notification statute in Indiana has a similar rule.
  2. For breaches that affect more than 500 residents of the state, the statute now requires notice must also be made to the Director of the Consumer Protection Division of the Office of the Attorney General, in addition to the affected individuals. A similar change was made in California.

The nuances of breach notification laws across the country continue to grow in number and further complicate responding to multi-state breaches. Whether a national standard will resolve this challenge remains to be seen. In the meantime, companies have to exercise care when determining whether a particular incident constitutes a breach, and to whom notice must be provided.