DATA BREACH NOTIFICATION PACKET – STATE OF IOWA

(Template – Court-Ready Draft)

[// GUIDANCE: This packet provides two coordinated, Iowa-compliant notification letters—one for the Iowa Attorney General (“AG Notice”) and one for each affected Iowa resident (“Consumer Notice”). Draft both at the same time so dates, facts, and figures match exactly. Replace every bracketed term before release.]

//-------------------------------------------------------------

TABLE OF CONTENTS

1. Document Header
2. Definitions (Applicable to Both Notices)
3. Iowa Attorney General Notice
4. Iowa Consumer Notice
5. Exhibit A – Copy of Consumer Notice (enclose with AG Notice)
6. Exhibit B – Incident Chronology & Technical Findings (optional but recommended)
   //-------------------------------------------------------------

1. DOCUMENT HEADER

Re: Security Breach Notification – Iowa Code Chapter 715C Compliance
From:
    [LEGAL NAME OF ORGANIZATION] (“Company”)
    [Street Address] | [City, State ZIP] | [Phone] | [E-Mail]
Date: [DATE OF SIGNING]
To: See individual letter headings below
Jurisdiction: State of Iowa

[// GUIDANCE: Use the same header block in both letters; simply alter the “To:” line.]

2. DEFINITIONS

For purposes of these Notices, the following capitalized terms have the meanings set forth below. Terms used but not defined carry the meanings assigned under Iowa Code § 715C.1.

“Breach” – An unauthorized acquisition that compromises the security, confidentiality, or integrity of computerized Personal Information maintained by Company.
“Incident Date” – The first date on which Company reasonably believes the Breach occurred: [INCIDENT DATE].
“Notification Date” – The date the Company issues written notice to affected Iowa residents: [NOTIFICATION DATE].
“Personal Information” – [DESCRIBE SPECIFIC DATA ELEMENTS IMPACTED] relating to an Iowa resident and protected under Iowa Code § 715C.1(11).
“Residents Affected” – The best estimate, as of the Notification Date, of the number of Iowa residents whose Personal Information was or is reasonably believed to have been acquired by an unauthorized person: [NUMBER].

[// GUIDANCE: Update definitions if the investigation identifies additional data elements or higher/lower resident counts.]

3. IOWA ATTORNEY GENERAL NOTICE

To:
Office of the Iowa Attorney General – Consumer Protection Division
Hoover State Office Building
1305 E. Walnut Street
Des Moines, IA 50319

3.1 Purpose of Notice

Pursuant to Iowa Code Chapter 715C, Company hereby provides the Iowa Attorney General (“AG”) with timely written notification of a Breach involving the Personal Information of approximately [Residents Affected] Iowa residents.

3.2 Incident Summary

1. Incident Date: [Incident Date]
2. Discovery Date: [DATE DISCOVERED]
3. Breach Vector: [Phishing/Network Intrusion/Lost Device/etc.]
4. Systems Affected: [High-level description of impacted environment]
5. Date Breach Contained: [DATE]
6. Law-Enforcement Contact (if any): [Agency Name, Case No., Contact Person]

3.3 Personal Information Involved

• [List specific data elements—e.g., name in combination with SSN, driver’s license number, account number + access code, etc.]

3.4 Scope of Impact

• Total Iowa residents affected: [Residents Affected]
• Total U.S. residents affected (all jurisdictions): [TOTAL]

3.5 Consumer Notification Plan

1. Notification Method(s): First-class mail to last known address; substitute notice (if any) as described below.
2. Notification Date: [Notification Date] – no later than ___ days after completion of investigation and consistent with any law-enforcement holds.
3. Substitute Notice (if applicable): [Describe website posting, statewide media, or e-mail campaign per Iowa Code § 715C.2(5)].

3.6 Remediation & Mitigation

• Implemented [multi-factor authentication, forced password reset, endpoint hardening, etc.].
• Offering [12/24] months of complimentary credit monitoring and identity-theft protection through [SERVICE PROVIDER].
• Established dedicated call center: [TOLL-FREE NUMBER] operational from [HOURS, CENTRAL TIME].

3.7 Enclosures

• Exhibit A – Copy of Consumer Notice (as required).
• Exhibit B – Incident Chronology & Technical Findings (optional; provided to facilitate AG review).

3.8 Contact for Follow-Up

[NAME, TITLE]
[Direct Phone] | [E-Mail]

Respectfully,

    _______
    [AUTHORIZED SIGNATORY NAME]
    [Title]
    For [Company]

4. IOWA CONSUMER NOTICE

To: [CONSUMER NAME]
[Street Address]
[City, State ZIP]

Dear [Consumer Name]:

4.1 What Happened?

On [Incident Date], Company determined that an unauthorized actor [brief, plain-language description—e.g., “gained access to a Company e-mail account”]. The intrusion was contained on [DATE]. Our investigation, completed on [DATE], revealed that certain personal information concerning you may have been acquired without authorization.

4.2 What Information Was Involved?

The following data elements related to you were or are reasonably believed to have been involved in the Breach:
• [e.g., Full name]
• [Social Security number]
• [Driver’s license or state identification number]
• [Financial account number + access code]

4.3 What We Are Doing

• Engaged leading cybersecurity forensics firm [NAME] to investigate and remediate.
• Notified law enforcement and are cooperating fully.
• Strengthened security controls, including [specific steps].
• Offering you [12/24] months of complimentary credit monitoring and identity-theft protection through [SERVICE PROVIDER] at no cost. Enclosed is an enrollment instruction sheet containing your unique activation code.

4.4 What You Can Do

We recommend that you:
1. Register for the complimentary credit-monitoring service no later than [ENROLLMENT DEADLINE].
2. Review your account statements and credit reports for suspicious activity. Under federal law, you are entitled to one free credit report from each of the three nationwide consumer reporting agencies every 12 months.
3. Consider placing a fraud alert or security freeze on your credit files. Contact information for the major agencies is below:

• Equifax: 888-298-0045 | www.equifax.com
• Experian: 888-397-3742 | www.experian.com
• TransUnion: 800-680-7289 | www.transunion.com

Additional resources, including guidance from the Iowa Attorney General and the Federal Trade Commission, are provided on the attached “Identity-Theft Protection Resources” sheet.

4.5 For More Information

If you have questions, please call [TOLL-FREE NUMBER] Monday through Friday, [HOURS, CENTRAL TIME], or e-mail us at [BREACH-RESPONSE EMAIL].

We sincerely regret any inconvenience or concern this incident may cause and remain committed to safeguarding your information.

Sincerely,

    _______
    [AUTHORIZED SIGNATORY NAME]
    [Title]
    For [Company]

5. EXHIBIT A – COPY OF CONSUMER NOTICE

[Attach exact final Consumer Notice sent to residents.]

6. EXHIBIT B – INCIDENT CHRONOLOGY & TECHNICAL FINDINGS (Optional)

[Internal timeline, attack vector details, forensic evidence, remedial controls implemented.]

ADDITIONAL DRAFTING / COMPLIANCE NOTES

[// GUIDANCE:
1. Timing: Iowa requires notice “without unreasonable delay.” Aim for 30 days or fewer unless law enforcement requests a delay. Document any such request in Exhibit B.
2. AG Threshold: Notify the AG if the Breach affects any Iowa residents and exceeds 500 residents (best practice: notify regardless of count to demonstrate transparency).
3. Content Requirements: Both notices must include: (a) incident description; (b) types of Personal Information; (c) steps taken; (d) steps consumer should take; (e) contact information.
4. Substitute Notice: If more than 5,000 residents’ notices would cost over $250,000 or addresses are insufficient, comply with Iowa Code § 715C.2(5) by combining e-mail, conspicuous website posting, and statewide media.
5. Record Retention: Retain copies of all notices and investigative materials for at least five years to evidence compliance.
6. Multi-State Impact: If the Breach impacts residents of other states, confirm and incorporate each jurisdiction’s content and timing mandates before issuing any notice.
]

(End of Template)