By Iowa Automobile Dealers Association
Note: This article is being re-shared by ComplyAuto with permission from the Iowa Automobile Dealers Association.
Iowa’s Data Breach Notification Law requires businesses, including automobile dealerships, to notify affected individuals if a breach of data containing personal information that is unencrypted or unredacted occurs and the breach is reasonably likely to cause harm—even if only a single customer is affected.
“Personal information” includes a customer’s first name or initial and last name in combination with one or more of the following:
- Social Security number
- Driver’s license or state ID number
- Financial account, credit, or debit card number plus any required security code or password
A breach is not limited to cyber attacks—it also includes lost, stolen, or improperly accessed paper documents. The law applies to any format of data, including computer systems and paper files. This may include documents related to vehicle sales, titling, financing, and registration that contain “personal information.”
Notification to the Iowa Attorney General is required if more than 500 Iowa residents are affected.
Resources:
- Data Breach Response: A Guide for Business from the FTC
- Security Breach Notifications from the Iowa Attorney General’s Office