2023 Cybersecurity Provisions in Iowa: What Your Business Should Be DoingOctober 20, 2023

As previously discussed, in March of 2023, Iowa’s Governor signed into law a new comprehensive state privacy law. Just over six months after SF 262 was signed and during cybersecurity awareness month, we would like to focus on the cybersecurity provisions introduces in SF 262. Key changes to Iowa’s laws include amendments to Iowa Code 554G.1, making affirmative defenses to cybersecurity breaches available to organizations. If your business experiences a cyber incident that compromises personal data, you may be liable for the results of that breach. An affirmative defense in this context serves as a legal “shield” minimizing potential liability stemming from an incident, whereby an organization can limit its liability if it can show that it took certain measures to prevent an incident.

More particularly, Iowa code requires that organizations seeking an affirmative defense must maintain a written cybersecurity program covering “administrative, technical, operational, and physical safeguards for the protection of both personal information and restricted information.” In addition to a written program, businesses must continually evaluate and mitigate potential threats annually, perform regular security assessments, and have communicated to risk mitigation efforts to affected parties, e.g., individuals whose data has been compromised.

Generally, a business can comply with such requirements by identifying and following specific, standard cybersecurity guidelines. For example, compliance with National Institute of Standards and Technology (NIST) standards and cybersecurity framework is widely accepted as a best practice set of standards in the U.S. Compliance with NIST and other frameworks can be time-consuming and confusion if your business is just beginning its data privacy and cybersecurity journey. However, given the escalating likelihood of legal liability stemming from cyber incidents—and the loss of customer trust and standing in your industry—it is much more effective for businesses to prevent or minimize incidents (through creating or updating their data practices, security framework, and incident response plans) rather than be unprepared for the aftermath of an incident.

Sarah M.D. Luth is an Intellectual Property Attorney in the MVS Biotechnology & Chemical Practice Group. She is also Co-Chair of the MVS Data Privacy and Cybersecurity Practice Group. To learn more, visit our MVS website.