Recently proposed updates to Iowa’s data breach bill would include medical information and health insurance information under the definition of “personal information.” Organizations would also need to provide notification within 45 days, according to House Study Bill 526.
The Iowa Attorney General’s Office introduced the bill, which also requires organizations to use 128-bit data encryption to be considered for exemption from the data breach notification process. This is a higher level of encryption than was previously mandated.
“The bill expands the definition of ‘breach of security’ to include the reasonable belief of unauthorized acquisition of personal information, which may be in any form, including electronic or paper form,” the bill states. “However, the bill removes the unauthorized acquisition of personal information that was transferred from computerized form to another medium from the definition of ‘breach of security.’”
“Personal information” is an individual’s first and last name in combination with any of the following:
- Social Security number
- Driver’s license number or other unique identification number created by a government body
- Financial account number, credit card number, or debit card number
- Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- Unique biometric data (i.e., fingerprint, retina image) or other unique physical representation or digital representation of biometric data
- Medical information, including but not limited to information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
- Health insurance information, including but not limited to an individual’s health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer to identify an individual
- Tax identification number
Account usernames or email addresses that are combined with any required password or account security information that allows access to an individual’s online account are also considered personal information under the updated law.
One of the key updates to the legislation is that it is no longer limited to electronic data. If an organization holds data in paper form and that data is compromised, the entity may be required to provide notification.
Currently, Iowa state law requires that if a breach of security requires notification to more than 500 individuals, written notice must be given “to the director of the consumer protection division of the office of the attorney general.”
“The bill provides that written notification to the attorney general is also required for breaches of security where written notification to more than 500 consumers in the state is required by a person’s primary or functional federal regulator, a state or federal law that gives greater protection to personal information than provided in Code section 715C.2, or certain federal law,” the legislation reads.
As in other states that have updated or proposed updates to their data breach laws, Iowa’s effort was prompted by the 2017 Equifax data breach.
Iowa Attorney General Tom Miller joined 32 states and Washington, D.C. in September 2017 in writing a letter to Equifax explaining their concern.
“Early indications are the breach was caused by Equifax’s failure to apply a necessary patch to its software,” read the letter, signed by the attorneys general. “The breach has exposed the personal information of as many as half the consumers residing in the United States and its territories. Our concerns have only been heightened by Equifax’s conduct since its disclosure of the breach.”
The personal information of 1.1 million Iowans was involved in the incident, according to a statement from Miller’s office.
“This data breach is astonishing, not only because of the number of consumers that it impacts, but also because of the key personal information that it exposed,” Miller explained in a separate September 2017 statement. “Unfortunately, a criminal who gets a hold of this kind of personal information really hits the identity theft jackpot, and I’m concerned about the potential long-term impact this could have on countless consumers here in Iowa and across the country.”
The Equifax data breach also spurred Rhode Island Congressman Jim Langevin to reintroduce the Personal Data Notification and Protection Act in September 2017. The Act would create a single national data breach notification standard, replacing the existing state notification laws.
Langevin maintained that the legislation is necessary to combat current cybersecurity threats and that clear communication is essential for data security incidents.
“This bill will replace the patchwork of 48 state breach notification laws with a single nationwide standard that would clarify and strengthen companies’ obligations to report intrusions that compromise consumers’ personal information,” Langevin said. “Americans put a lot of trust in companies by giving them personal and private information, and they should have confidence that their data is secure.”