Iowa Code chapter 507F, the Insurance Data Security Act, also known as the Cybersecurity Act, establishes the exclusive state standards for data security, and the investigation and notification of cybersecurity events, applicable to licensees.
Licensees who meet the requirements of Iowa Code section 507F.7(1) are required to notify the Division of a cybersecurity event no later than three business days from the date of the licensee’s confirmation of a cybersecurity event.
Licensees should also be aware of other statutory requirements that include, but are not limited to, developing, implementing, and maintaining an information security program by January 1, 2023. Insurers domiciled in Iowa are required to submit an annual certification of compliance to the commissioner on or before April 15. See Iowa Code section 507F.4.
For more information about reporting cybersecurity events or submitting the annual report, please contact the Company Regulation bureau at 515-654-6480.
Licensees are exempt from the requirements of Iowa Code chapter 507F if the licensee meets any of the following criteria:
- It has fewer than twenty individuals on its workforce, including employees and independent contractors.
- It has less than five million dollars in gross annual revenue.
- It has less than ten million dollars in year-end total assets.
- It is an employee, agent, representative, or designee of a licensee, and is covered by the information security program of another licensee.
- It is a licensee that is subject to, and in compliance with, the Health Insurance Portability and Accountability Act (HIPAA).
See Iowa Code sections 507F.4(1)(b) and 507F.13
HIPAA Compliant Licensees
HIPAA compliant licensees are also exempt and must provide a written certification of such compliance to the Division on an annual basis. The HIPAA Compliance Form is available at https://stateofiowa.seamlessdocs.com/f/HIPPACert
Please submit your form no later than December 1st of each year.
Please see Iowa Code chapter 507F for more details.
If you need additional assistance, please contact the Iowa Insurance Division.