Government

Bill updates Iowa's data security protections

Iowa Attorney General proposed HSB 526 after Equifax data security breach

(File photo) Iowa Attorney General Tom Miller speaks during a news conference at the Cedar Rapids Fire Department Central Fire Station in southeast Cedar Rapids, Iowa, on Wednesday, Oct. 4, 2017. (Jim Slosiarek/The Gazette)
(File photo) Iowa Attorney General Tom Miller speaks during a news conference at the Cedar Rapids Fire Department Central Fire Station in southeast Cedar Rapids, Iowa, on Wednesday, Oct. 4, 2017. (Jim Slosiarek/The Gazette)

Data security breaches at big corporations, including Equifax and Target, spurred the Iowa Attorney General’s Office to seek changes to Iowa law to further protect consumers.

House Study Bill 526, discussed in a Judiciary subcommittee Tuesday, would update Iowa’s data breach notification act, which requires businesses, nonprofits and other entities hit by hackers to alert consumers and the state.

The update adds new categories of data, such as medical records. And although the law already requires reporting of information breaches “without reasonable delay,” the bill would add a 45-day maximum on reporting. Now, entities with encrypted data don’t have to report breaches, but HSB 526 would require higher level — 128-bit — encryption for this exemption.

“We wanted to make sure the laws on the books are protecting consumers sufficiently,” said Nathan Blake, an assistant Iowa Attorney General.

The AG’s office reported in September more than 1 million Iowans — and 143 million people nationwide — were affected by a major data breach of credit-reporting company Equifax. Social Security numbers, birth dates, addresses and, for some, credit card numbers were exposed.

The Iowa AG’s office is investigating whether Equifax is in violation of Iowa’s civil fraud act, Blake said.

Consumer fraud investigations often are resolved through settlements in which the company commits to making changes and paying states, he said.

ARTICLE CONTINUES BELOW ADVERTISEMENT

The Target Corporation agreed last spring to an $18.5 million settlement with 47 states, including Iowa, over the retail chain’s massive data breach in 2013. Iowa got $229,000.

l Comments: (319) 339-3157; erin.jordan@thegazette.com

CONTINUE READING

Give us feedback

We value your trust and work hard to provide fair, accurate coverage. If you have found an error or omission in our reporting, tell us here.

Or if you have a story idea we should look into? Tell us here.