Monday, June 16, 2008

Iowa and Oklahoma Enact Data Breach Notification Laws

This posting was written by Thomas Long, Editor of CCH Privacy Law in Marketing.

New state laws requiring companies to notify consumers of data security breaches have been enacted in Iowa and Oklahoma.

Under the Iowa statute, businesses that own or license computerized data must give Iowa consumers notice of a breach of security. The notification must be made in the most expeditious manner available and without unreasonable delay. The legislation also specifies acceptable methods of notification.

The measure requests Iowa's legislative council to establish an interim study committee to assess and review the extent to which public officials, entities, and affiliated organizations (which possess or have access to personal identifying information of an Iowa resident that could, if disclosed, render the resident vulnerable to identity theft) are disclosing or selling the information for compensation. The committee must issue a report of its recommendations to the General Assembly by Jan. 15, 2009.

The Iowa law (S.B. 2308) was signed May 13, 2008 and will be effective July 1. Text of the law appears at CCH Privacy Law in Marketing ¶31,500.

Oklahoma's Security Breach Notification Act provides that individuals and entities that maintain computerized data must notify affected residents if unencrypted or unredacted personal information has been accessed or acquired without authorization and if the entity reasonably believes that the access may result in identity theft or other fraud. Notice must be made without unreasonable delay; however, it may be delayed to identify the scope of the breach and restore system integrity or if a law-enforcement agency advises the entity that notice will impede a criminal or civil investigation.

Notice includes written notice mailed to the individual, telephone notice, or electronic notice. If the cost of providing notice would exceed $50,000 or the number of affected residents exceeds 100,000, substitute notice may be provided. Substitute notice consists of any two of the following: e-mail, conspicuous posting on the Internet website of the individual or entity, or notice to major statewide media.

Failure to provide the required notice of a security breach may result in a civil penalty up to $150,000 per breach or series of breaches discovered by a single investigation. The Oklahoma Attorney General or a district attorney has the exclusive authority to bring an action.

The Oklahoma law (H.B. 2245) was approved April 28, 2008 and will take effect November 1. Text of the law appears at CCH Privacy Law in Marketing ¶33,602.
