Data breach notification not only for Equifax-like catastrophes

Bryan O'Neill, Dickinson Law Firm, Iowa Cybersecurity Law, Des Moines Iowa

Posted on 09/25/2017 at 10:43 AM by Bryan O'Neill

The news is abound recently with seemingly endless stories of data breaches both in Iowa and nationally – the Equifax breach chief among them. However, data breach issues do not always arise in the form of outside cyberattackers gaining access to a company’s computer systems. This blog previously covered  how employees can intentionally help fraudster steal.

Employees can also take data for themselves. Take, for example, the hypothetical in which an employee emails himself copies of an employer’s customer lists, which include customer names and social security numbers, prior to departing his employment. Iowa Code section 715C directs when notification to a consumer needs to occur in the event of a security breach.

Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business . . . and that was subject to a breach of security shall give notice of the breach . . . to any consumer whose personal information was included in the information that was breached.

“Breach of security” is defined as “unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information.” Under the above scenario, a security breach notification would be triggered. The employee has acquired the customer names and social security numbers in a manner that was not authorized by the company. Regardless of the number of customers who were compromised, a security breach notification would be mandatory. Employers would be wise to have in place internal protocols that would prevent the unauthorized distribution of customers’ personal information and specific guidelines for how employees are to handle customer’s personal information.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed. 

- Bryan O'Neill 


Questions, Contact us today.

Contact Us


The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm.  Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys.  If specific legal information is needed, please retain and consult with an attorney of your own selection.

There are no comments yet.
Add Comment

* Indicates a required field