Iowa Code chapter 507F, the Insurance Data Security Act, also known as the Cybersecurity Act, establishes the exclusive state standards for data security, and the investigation and notification of cybersecurity events, applicable to licensees.
Licensees who meet the requirements of Iowa Code section 507F.7(1) are required to notify the Division of a cybersecurity event no later than three business days from the date of the licensee's confirmation of a cybersecurity event. Licensees should utilize the Notice of Cybersecurity Event form. Please note that licensees have a continuing obligation to update and supplement this form regarding material changes to information previously provided relating to the cybersecurity event. The form and supplemental information should be submitted to cybersecurityforms@iid.iowa.gov. All documents, materials, or other information that is provided to or requested by the Division related to the Notice of Cybersecurity Event is confidential pursuant to Iowa Code section 507F.12.
Licensees should also be aware of other statutory requirements that include, but are not limited to, developing, implementing, and maintaining an information security program by January 1, 2023. Insurers domiciled in Iowa are required to submit the Iowa Insurance Data Security Law Annual Certification Form to the commissioner on or before April 15. See Iowa Code section 507F.4. The form should be submitted to cybersecurityforms@iid.iowa.gov.
For more information about reporting cybersecurity events or submitting the annual report, please contact the Company Regulation bureau at 515-654-6480.
Exempt Licensees
Licensees are exempt from the requirements of Iowa Code chapter 507F if the licensee meets any of the following criteria:
- It has fewer than twenty individuals on its workforce, including employees and independent contractors.
- It has less than five million dollars in gross annual revenue.
- It has less than ten million dollars in year-end total assets.
- It is an employee, agent, representative, or designee of a licensee, and is covered by the information security program of another licensee.
- It is a licensee that is owned or controlled by a federally insured depository institution that is subject to, and in compliance with, the Gramm-Leach-Bliley Act or comparable federal law and corresponding regulations.
- It is a licensee that is subject to, and in compliance with, the Health Insurance Portability and Accountability Act (HIPAA).
See Iowa Code sections 507F.4(1)(b) and 507F.13.
Exempt licensees that are subject to, and in compliance with, HIPAA are required to submit the Exception Certification Form below. All other exempt licensees are not required to submit a form to claim their exempt status with the Division. An exempt licensee must be able to provide documentation supporting a qualifying exemption upon request of the Division.
HIPAA Compliant Licensees
HIPAA compliant licensees exempt from the requirements of Iowa Code chapter 507F must provide a written certification of such compliance to the Division on an annual basis. The HIPAA Compliance Form is available at Iowa Insurance Data Security Law Exception Certification Form.
Please submit your form no later than April 15th of each year. The form should be submitted to cybersecurityforms@iid.iowa.gov. Please see Iowa Code chapter 507F for more details.
If you need additional assistance, please contact the Iowa Insurance Division.