Iowa Code 554G.2 – Affirmative defenses
Current as of: 2024 | Check for updates
|
Other versions
Terms Used In Iowa Code 554G.2
- Damages: Money paid by defendants to successful plaintiffs in civil cases to compensate the plaintiffs for their injuries.
- following: when used by way of reference to a chapter or other part of a statute mean the next preceding or next following chapter or other part. See Iowa Code 4.1
- state: when applied to the different parts of the United States, includes the District of Columbia and the territories, and the words "United States" may include the said district and territories. See Iowa Code 4.1
- Tort: A civil wrong or breach of a duty to another person, as outlined by law. A very common tort is negligent operation of a motor vehicle that results in property damage and personal injury in an automobile accident.
554G.2 Affirmative defenses.
1. A covered entity seeking an affirmative defense under this chapter shall create,
maintain, and comply with a written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information and restricted information.
2. A covered entity’s cybersecurity program shall be designed to do all of the following:
a. Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach.
b. Periodically evaluate no less than annually the maximum probable loss attainable from a data breach.
c. Communicate to any affected parties the extent of any risk posed and any actions the affected parties could take to reduce any damages if a data breach is known to have occurred.
3. The scale and scope of a covered entity’s cybersecurity program is appropriate if the cost to operate the cybersecurity program is no less than the covered entity’s most recently calculated maximum probable loss value.
4. a. A covered entity that satisfies all requirements of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.
b. A covered entity satisfies all requirements of this section if its cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework, as described in § 554G.3.
2023 Acts, ch 63, §2
Referred to in §554G.3
NEW section
1. A covered entity seeking an affirmative defense under this chapter shall create,
maintain, and comply with a written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information and restricted information.
2. A covered entity’s cybersecurity program shall be designed to do all of the following:
a. Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach.
b. Periodically evaluate no less than annually the maximum probable loss attainable from a data breach.
c. Communicate to any affected parties the extent of any risk posed and any actions the affected parties could take to reduce any damages if a data breach is known to have occurred.
3. The scale and scope of a covered entity’s cybersecurity program is appropriate if the cost to operate the cybersecurity program is no less than the covered entity’s most recently calculated maximum probable loss value.
4. a. A covered entity that satisfies all requirements of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.
b. A covered entity satisfies all requirements of this section if its cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework, as described in § 554G.3.
2023 Acts, ch 63, §2
Referred to in §554G.3
NEW section