Iowa’s governor recently signed into law S.F. 2259, which amends Iowa’s data breach notification law.  Under the amendment, entities that suffer breaches of personal information that are required to notify more than 500 state residents will also be required to notify the state’s attorney general.  The notice to the attorney general must be provided within five days after residents are notified. 

The amendment also expands the definition of “breach of security,” which had previously been limited to incidents affecting “personal information maintained in computerized form.”  The amendment broadens the definition to include information maintained “in any medium, including on paper, that was transferred by the person to that medium from computerized form.” 

The amendment takes effect on July 1, 2014.