Your diet and fitness goals are not the only things scheduled to change come the New Year. On April 10, 2018, Iowa Governor Kim Reynolds signed Senate File 2177, which modified provisions applicable to consumer security freezes and personal information security breach protection. The Act, which goes into full effect on January 1, was proposed by the Iowa Attorney General’s office as well as state legislators to address certain changes in technology.

With respect to consumer security freezes, S.F. 2177:

  • eliminates the requirement for consumers to submit requests for security freezes through certified mail, and instead allows for such requests to be submitted by mail, telephone, email, or through a secure online connection;
  • requires consumer reporting agencies (“CRAs”) to commence security freezes within three business days after receiving a request, as opposed to the previous five days;
  • requires CRAs to identify for consumers, under certain circumstances, any other “consumer reporting agency that compiles and maintains files on consumers on a nationwide basis” (as defined by section 1681a(p) of the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.), and inform them of appropriate contact information that would permit the consumer to place, lift, or remove a security freeze from such other CRA; and
  • prohibits CRAs from charging a fee for placing, removing, temporarily suspending, or reinstating a security freeze.

CRAs will want to ensure their processes and procedures have been updated to account for such changes, and that employees have been trained to comply with them.

As noted above, S.F. 2177 also modified Iowa’s personal information security breach protection statute. Those changes, however, went into effect July 1, 2018, and include the following:

  • The definition of “encryption” was modified to mean only those algorithmic processes that meet accepted industry standards.
  • The Act clarified that the law does not apply to businesses that are subject to and comply with the Health Insurance Portability and Accountability Act of 1996, or “HIPAA.”
  • The Act now requires notification of a security breach to the Iowa Attorney General within five business days after giving notice of the breach of security to any consumer.

Companies tracking data breach notification requirements as part of their incident response plans, policies, and procedures should ensure their materials have been updated to account for such changes.