Iowa Cybersecurity Breach Affirmative Defenses

Data security incidents are so commonplace that it is really a matter of when—not if—a business will be impacted. The Iowa Legislature recently provided a bit of good news for businesses grappling with protecting against cyber-attacks and attempting to comply with the myriad of applicable laws and regulations.  

Iowa Code Chapter 554G, Tort Liability—Cybersecurity Programs, introduced a new affirmative defense to tort liability arising from data breaches. Chapter 554G defines a “covered entity” as a business that accesses, receives, stores, maintains, communicates, or processes personal information using systems located in or outside of Iowa. Similarly, a “data breach” refers to an intentional or unintentional action by a covered entity that results in a person’s electronic records being “viewed, copied, modified, transmitted, or destroyed in a manner that is reasonably believed to have or may cause material risk of identity theft, fraud, or other injury or damage to person or property.”  

For a covered entity to qualify for this new affirmative defense, it must follow certain requirements, specifically:  

  • Create, maintain, and comply with a written cybersecurity program
  • The cybersecurity program must:
    • Continually assess and mitigate potential risks;
    • Evaluate at least annually the maximum probable loss in the event of a breach; and
    • Communicate with affected individuals about the risks if a breach occurs and steps they could take to reduce harm from the breach.

A covered entity’s cybersecurity program is considered appropriately scaled and scoped if its operating cost is at least equal to the “maximum probable loss” of a breach, defined as the total value of possible damage from a breach multiplied by the probability that such damage would occur.   

Finally, a covered entity’s cybersecurity program must substantively align with recognized industry frameworks (NIST, ISO, CIS), certain federal or state regulations (HIPAA, GLBA), or the Payment Card Industry Data Security Standard. The program must be updated to conform with revisions to these frameworks within the required timeframe, but no later than one year after the revision's publication. 

A covered entity that fully complies with the requirements above is entitled to assert an affirmative defense against tort claims brought in Iowa alleging a failure to implement reasonable information security measures. While this new affirmative defense is a welcome step to help protect businesses, it does not apply to data security obligations businesses assume contractually. So, it remains important to carefully negotiate contracts covering data security, such as services agreements, data processing agreements, and the like. 

If you have any questions regarding this new affirmative defense—or other cybersecurity or data privacy issues—please contact Brian McCormac or your BrownWinick attorney. Special thanks to summer associate Mia Savicevic for her assistance with this article.