On April 3, Iowa Governor Terry Branstad signed SF 2259, which amends the state’s data breach notice law to add a requirement that businesses that experience a data breach notify the state attorney general’s office within five days of discovering or being notified of the breach. Previously, state law required that businesses notify only consumers after discovery or notification. Several existing exemptions to the consumer notice requirement, including for businesses subject to Title V of the Gramm-Leach-Bliley Act, also apply to the attorney general notice requirement. SF 2259 also amends (i) the definition of “breach of security” to cover personal information maintained in any medium that was transferred to that medium from computerized form, e.g., printed records originally maintained in electronic form; and (ii) the definition of “personal information” to include encrypted, redacted, or otherwise protected data. The changes take effect July 1, 2014.