New Bill Proposes to Amend Iowa Breach Notification Act


A new bill introduced by Iowa Attorney General Tom Miller would, if enacted, extend the definition of a data breach to cover medical information, health insurance information and certain personal information that, under the current law, counts as breached only when it is exposed in combination with other individual identifiers.

Since 2014, data breaches affecting more than five hundred Iowa residents have had to be reported to the director of the consumer protection division of the office of the Iowa Attorney General. More than 120 breaches have been reported in the past four years, including those at Anthem Blue Cross, Banner Health and Medical Informatics Engineering.

The relatively low number of reported breaches implies either that the personal data of Iowa residents is remarkably secure, or that breached entities are failing to notify the Attorney General's office as required. AG Tom Miller intends to find out which by introducing an amendment to the state's current Breach Notification Act that extends the definition of a data breach.

Medical and Health Insurance Information to be Included

Currently, entities experiencing a data breach only have to notify the Attorney General's office if the breached data includes a social security number, a driver's license number or unique biometric data, or if it includes financial account data that "in combination with any required expiration date, security code or password would permit access to an individual's financial account".

AG Miller's amendment proposes to remove the "in combination with" requirement, so that any breach of financial account data becomes notifiable. It would also add medical information, health insurance information and personal information such as tax identification numbers to the list of notifiable data. A further proposal would replace the current notification standard of "without unreasonable delay" with a fixed period of forty-five days.

Loopholes Closed over Encryption and Personal Harm Exclusions

Other proposed changes to the Iowa Breach Notification Act close some of the loopholes entities can use to avoid notifying the Attorney General's office of a breach. Currently an entity does not have to report a breach if the accessed data is encrypted, with no minimum standard of encryption specified. If AG Miller's proposals are enacted, this exclusion will only apply if the data is encrypted to a 128-bit standard or higher. (A key-length threshold on its own says little about whether exposed data is actually unreadable; whether the keys themselves were compromised in the same incident matters at least as much.)

Entities can also avoid reporting a breach if it can be shown there is no reasonable likelihood of "financial harm" to the affected individuals. The amendment proposes removing the word "financial", so that a breach with the potential for any kind of harm would have to be notified, and stipulates that, if an entity determines no harm is reasonably likely, it must send a written justification of that determination to the Attorney General's office within five days.

Will the Amendment Result in Better Protection for Iowa Residents?

Announcing the introduction of the amendment, assistant Iowa Attorney General Nathan Blake said: "We wanted to make sure the laws on the books are protecting consumers sufficiently." However, rather than enhancing consumer protection, the proposed amendment to the Iowa Breach Notification Act does little more than close loopholes that should not have been present in the original legislation.

The likely outcome is that Iowa residents will be no better protected against data theft than they are now, but that the number of data breaches reported in Iowa will increase. In the long term, an increase in reported breaches may well result in tougher data protection laws being introduced. In the short term, however, the only question the amendment will settle is whether there has been significant under-reporting of data breaches in Iowa since 2014.

Author: HIPAA Journal
