On May 10, Iowa enacted its own breach notification law, becoming the 42nd US state to do so. The bill will come into effect on July 1.

Bill S.F. 2308 requires businesses and government agencies to notify residents if their personal information has been accessed and the access is likely to cause financial harm. Notice is not required if an investigation by law enforcement agencies deems that no financial harm can come of the risk. Encrypted information is not exempt from the notification requirement, unlike in many states. Given that many data breaches can be ruled out if they pose no risk for financial harm, it is my opinion that there will be a lot of public criticism of breaches when they do come to light. Such an investigation will likely delay the breach notification, which inevitably increases public scrutiny after a breach incident.

If you were to plot the adoption of data breach notification laws against time, the remaining states should all adopt their own law by some time in late 2011. Check out the graph here, realizing (of course) that statistics cannot be depended on to accurately gauge when (if ever) all states will adopt such a law.

I think it would be interesting, statistically speaking, to see if the trends in data breaches and legislative maneuvering could predict when one of the many data breach bills would pass at the national level.

Via emergent chaos, electran