Timing of Consumer Notification
“Most expeditious manner possible and without unreasonable delay.”
Method of Notice
Mail. Email permitted if complies with E-SIGN.
Breach Definition
Unauthorized acquisition of computerized personal information that compromises security, confidentiality, or integrity of personal information.
PII Definition

First name or first initial and last name in combination with any of these if not encrypted, redacted, or otherwise made unreadable:

  1. Social Security number;
  2. Driver’s license number;
  3. Financial account, debit or credit card number with required security code, access code, or password that would permit access to individual’s financial account;
  4. Unique electronic identifier or routing code with required code or password that would allow access to person’s financial account;
  5. Unique biometric data, including fingerprints, retina or iris prints.
Third Party Notice
If data collector maintains or possesses covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify

Notice shall include:

  • Description of breach of security;
  • Approximate date of breach of security;
  • Type of personal information obtained as a result of breach;
  • Contact information for consumer reporting agencies;
  • Advice to consumer to report suspected incidents of identity theft to local law enforcement or attorney general.
Substitute Notice
a) Email if entity has email addresses for affected consumers; (b) conspicuous posting of notice or link to notice on website of entity if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State's Law
State Government Agency Notification Required
Yes, Iowa Attorney General, if more than 500 Iowa consumers are affected.