Iowa Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do
A comprehensive guide to Iowa's cybersecurity and data privacy laws, including the Consumer Data Protection Act, breach notification requirements, and compliance checklists for Iowa businesses.
Iowa's regulatory environment for cybersecurity and data privacy reached a significant milestone in 2023 when the state enacted the Iowa Consumer Data Protection Act, making Iowa one of a growing number of states with comprehensive consumer privacy legislation. Combined with the state's existing breach notification law and the industry-specific regulations that govern Iowa's dominant sectors — insurance, healthcare, agriculture, and manufacturing — organizations operating in Iowa now face a multilayered compliance landscape that requires careful attention.
This guide walks through the primary laws and compliance frameworks that Iowa businesses must navigate. Whether you are an insurance carrier in Des Moines, a precision agriculture company in Ames, or a manufacturer in Cedar Rapids, understanding these requirements is essential for avoiding enforcement actions and maintaining the trust of your customers and partners. For real-world examples of compliance failures, see our timeline of notable Iowa cybersecurity incidents.
Iowa's Primary Data Privacy & Cybersecurity Laws
Iowa Consumer Data Protection Act (SF 262, Iowa Code Chapter 715D, effective January 1, 2025)
The Iowa Consumer Data Protection Act (ICDPA) is Iowa's first comprehensive consumer privacy law. Signed by Governor Kim Reynolds in March 2023 and codified at Iowa Code Chapter 715D, the law took effect on January 1, 2025. It applies to businesses that control or process the personal data of 100,000 or more Iowa consumers in a calendar year, or 25,000 or more consumers if the business derives over 50% of gross revenue from the sale of personal data. The ICDPA grants Iowa consumers the right to confirm whether a controller is processing their personal data and to access it, to delete personal data the consumer provided to the controller, to obtain a copy of their data in a portable format, and to opt out of the sale of personal data. A controller that sells personal data or engages in targeted advertising must clearly disclose that activity and how the consumer can opt out of it. Controllers must also establish and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the data they hold.
Unlike the CCPA, the ICDPA does not include a private right of action. Enforcement is exclusively through the Iowa Attorney General, who must provide written notice and a 90-day cure period before taking enforcement action; unlike several other state laws, Iowa's cure period does not expire. The law exempts data already regulated by HIPAA, GLBA, FCRA, FERPA, and several other federal statutes, as well as financial institutions subject to GLBA, HIPAA covered entities and business associates, nonprofit organizations, and institutions of higher education.
Personal Information Security Breach Protection Act (Iowa Code Chapter 715C)
Iowa's breach notification law requires any person or business that owns or licenses computerized data containing personal information of Iowa residents to notify affected individuals following a breach of security. Notification must occur in the most expeditious manner possible and without unreasonable delay, subject to the legitimate needs of law enforcement and to any measures necessary to determine contact information and restore the integrity of the system. If the breach requires notification of more than 500 Iowa residents, the organization must also give written notice to the Consumer Protection Division of the Iowa Attorney General within five business days of notifying those individuals. Chapter 715C is a notification statute: it does not impose a standalone security standard, but encrypted or redacted data is outside its definition of personal information unless the key or the means of decryption was also acquired, so encryption at rest is a practical safe harbor. Later amendments expanded the definition of protected personal information to include unique biometric data and online account credentials.
Iowa Insurance Data Security Act (Iowa Code Chapter 507F)
Given Des Moines's role as a major insurance hub, Iowa enacted the Insurance Data Security Act in 2021 (HF 719, codified at Iowa Code Chapter 507F), based on the NAIC Insurance Data Security Model Law. The law applies to licensees of the Iowa Insurance Division, including Iowa-domiciled insurers and insurance producers, and requires them to develop a written information security program, conduct regular risk assessments, implement access controls and encryption, and notify the Insurance Commissioner of a cybersecurity event as promptly as possible but no later than 72 hours after determining that the event has occurred. The requirements mirror those adopted in more than twenty other states from the same NAIC model; their prominence in Iowa reflects the state's economic dependence on the insurance industry.
Data Breach Notification Requirements in Iowa
Under Iowa Code Chapter 715C, notification to affected individuals must include a description of the breach, the approximate date of the breach, the types of personal information involved, contact information for consumer reporting agencies, and advice to the consumer to report suspected identity theft to local law enforcement or the Attorney General. Personal information means an individual's first name or initial and last name combined with one or more of the following: Social Security number; driver's license or other government-issued identification number; a financial account, credit card, or debit card number together with any security code, access code, or password that would permit access to the account; a unique electronic identifier or routing code with such a code or password; unique biometric data such as a fingerprint or retina or iris image; or a username or email address combined with a password or security question and answer that would permit access to an online account. Data that was encrypted or redacted is not personal information unless the key or the means of decryption was also acquired.
The more-than-500-resident threshold for Attorney General notification is lower than in many states, making Iowa's law relatively strict in this regard. The five-business-day timeline for AG notification is measured from the date notice is provided to individuals, not from discovery of the breach, so an organization that moves quickly to notify consumers must be ready to notify the AG almost immediately afterward; the notification procedure should be planned in advance rather than improvised. Notification may be delayed at the request of a law enforcement agency if disclosure would impede a criminal investigation.
Industry-Specific Compliance in Iowa
Insurance: NAIC Model Law and Iowa Insurance Data Security Act
Licensees of the Iowa Insurance Division face the most prescriptive cybersecurity requirements of any industry in the state. The Iowa Insurance Data Security Act requires a written information security program based on a risk assessment, a designated responsible individual or third party overseeing it, regular risk assessments, due diligence and contractual controls over third-party service providers, a written incident response plan, cybersecurity awareness training for personnel, annual reporting to the board of directors on the program's status, and an annual written certification of compliance to the Insurance Commissioner. Cybersecurity events must be reported to the Insurance Commissioner no later than 72 hours after the licensee determines that an event has occurred. Licensees that fail to comply face regulatory sanctions, including fines and potential restrictions on their ability to conduct business in the state.
Healthcare: HIPAA and Iowa Breach Notification
Iowa's healthcare organizations must comply with both HIPAA and Iowa's breach notification law. HIPAA's Security Rule requires administrative, physical, and technical safeguards for electronic protected health information. HIPAA's Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after discovery of any breach of unsecured protected health information; a breach affecting 500 or more individuals additionally requires notice to HHS and prominent media outlets within the same 60-day window, while smaller breaches are reported to HHS annually. Iowa's state law adds the requirement to notify the Attorney General within five business days of individual notification for breaches affecting more than 500 residents. Because the clocks start from different events (discovery of the breach under HIPAA, notice to individuals under Iowa law), healthcare organizations must track both timelines and satisfy whichever is more protective.
Agriculture and Manufacturing: Emerging Requirements
While Iowa's agriculture and manufacturing sectors do not face sector-specific state cybersecurity laws, federal requirements are increasingly relevant. The FDA's food safety modernization efforts include expectations for cybersecurity in food processing, and manufacturers that handle controlled unclassified information under Department of Defense contracts must implement NIST SP 800-171 (required by DFARS 252.204-7012) and prepare for CMMC assessment as the program is phased into new contracts. Agricultural technology companies that collect data from farmers may also be subject to the ICDPA if they meet the processing thresholds. Companies in these sectors benefit from managed IT services for manufacturing to navigate these evolving requirements.
Financial Services: GLBA and State Requirements
Iowa's financial institutions must comply with the Gramm-Leach-Bliley Act (GLBA) safeguards requirements. Banks and credit unions do so under the Interagency Guidelines Establishing Information Security Standards and NCUA rules enforced by their prudential regulators, while non-bank financial institutions such as mortgage brokers, investment advisers, and finance companies fall under the FTC Safeguards Rule (16 CFR Part 314), which was substantially amended in 2021 with most new provisions taking effect in June 2023. The revised FTC rule requires a designated qualified individual responsible for the security program, written risk assessments, access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, continuous monitoring or periodic penetration testing and vulnerability assessments, and, since 2024, notice to the FTC of breaches affecting 500 or more consumers. Examination guidance from prudential regulators increasingly emphasizes the same cybersecurity preparedness for banks and credit unions.
Iowa Compliance Checklist for Businesses
Determine ICDPA applicability: Assess whether your organization meets the processing thresholds for the Iowa Consumer Data Protection Act (100,000 consumers, or 25,000 with over 50% revenue from data sales). If applicable, implement mechanisms for consumer rights requests and opt-out preferences.
Establish a breach notification procedure: Create a written process that accounts for Iowa's five-business-day AG notification requirement, measured from the date individuals are notified, and the more-than-500-resident threshold that triggers it. Ensure the process is integrated with your incident response plan and that it records when consumer notice went out, since that date starts the AG clock.
Comply with sector-specific requirements: Insurance companies must meet the Iowa Insurance Data Security Act requirements. Healthcare organizations must comply with HIPAA. Financial institutions must meet the GLBA Safeguards Rule.
Implement reasonable security measures: The ICDPA requires controllers to maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data they handle. Iowa's breach notification law imposes no separate security standard, but because properly encrypted data falls outside its definition of personal information, encryption at rest materially reduces notification exposure.
Conduct regular risk assessments: Required by the Insurance Data Security Act, HIPAA, and GLBA (each on its own cadence; at least annually is the common practice), and recommended for all Iowa businesses.
Train employees on data handling and security: Security awareness training is explicitly required by the Insurance Data Security Act and HIPAA, and is a practical necessity for meeting the reasonable security expectations of Iowa law.
Review vendor and third-party security: Iowa's Insurance Data Security Act specifically requires oversight of third-party service providers. All businesses should ensure that vendor contracts include appropriate security requirements.
How Businesses Stay Compliant
Iowa's compliance landscape has grown more complex with the addition of the ICDPA to the existing framework of sector-specific requirements. Organizations that operate across multiple sectors — such as an insurance company that also processes health data — may face overlapping obligations that require careful coordination. The key to managing this complexity is treating compliance as a continuous program rather than a periodic project.
Many Iowa organizations, particularly mid-size businesses that lack large compliance teams, find that partnering with a managed IT security services provider is the most effective way to maintain continuous compliance. A qualified provider can manage the monitoring, logging, vulnerability scanning, and reporting that multiple frameworks require, reducing the burden on internal staff. For organizations exploring this approach, our overview of what managed IT services include explains the core capabilities and how they map to common compliance requirements.
Frequently Asked Questions
What is the Iowa Consumer Data Protection Act?
The ICDPA is Iowa's comprehensive consumer privacy law, effective January 1, 2025. It grants consumers rights to access, delete, and port their personal data, and to opt out of data sales and targeted advertising. It applies to businesses processing data of 100,000 or more Iowa consumers, or 25,000 consumers if more than 50% of revenue comes from data sales.
How quickly must Iowa businesses notify the Attorney General of a breach?
Iowa businesses must notify the Attorney General within five business days of providing notification to affected individuals, when the breach requires notification of more than 500 Iowa residents. This is one of the stricter AG notification timelines among state breach notification laws.
Does the ICDPA include a private right of action?
No. The ICDPA is enforced exclusively by the Iowa Attorney General. There is no private right of action for individuals. The AG must provide a 90-day cure period before taking enforcement action, giving businesses an opportunity to address violations.
What special cybersecurity requirements apply to Iowa insurance companies?
Licensees of the Iowa Insurance Division, including Iowa-domiciled insurers and insurance producers, must comply with the Iowa Insurance Data Security Act (Iowa Code Chapter 507F), which requires a written information security program, a designated responsible individual, risk assessments, third-party oversight, incident response planning, personnel training, annual board reporting, annual certification to the Insurance Commissioner, and notification of cybersecurity events to the Commissioner within 72 hours of determining that an event has occurred. These requirements are among the most prescriptive applied to any industry in the state.
Are Iowa nonprofits subject to the ICDPA?
No. The Iowa Consumer Data Protection Act explicitly exempts nonprofit organizations. However, Iowa nonprofits remain subject to the state's breach notification law if they hold personal information of Iowa residents, and may face additional obligations under HIPAA or other federal regulations, or under contractual standards such as PCI DSS if they accept payment cards, depending on the data they handle.
How does Iowa's breach notification law define personal information?
Iowa Code Chapter 715C defines personal information as an individual's name combined with one or more of the following: Social Security number, driver's license or other government-issued identification number, financial account or card number with any security code, access code, or password that permits access to the account, unique electronic identifier or routing code with such a code or password, unique biometric data, or a username or email address combined with a password or security question and answer that permits online account access. Encrypted or redacted data is excluded unless the key or means of decryption was also acquired. Biometric data and online account credentials were added to the definition by later amendments to the original 2008 statute.
Alex Morgan
Updated Apr 5, 2026 · 9 min read