Current through Register Vol. 47, No. 11, December 11, 2024
Rule 721-29.3 - Cybersecurity incident or breach(1) A commissioner who identifies or suspects an actual or possible cybersecurity incident or breach shall report the incident within 24 hours to the state commissioner. Upon receiving the report, the state commissioner shall alert the appropriate state or federal law enforcement agencies, including but not limited to the United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the OCIO, and the vendor responsible for maintaining the affected technology. The state commissioner may disseminate the information to other federal, state, and local agencies, or their designees, as the state commissioner deems necessary.(2) Information reported to the state commissioner under this rule shall be exempt from public records requests pursuant to Iowa Code section 22.7(50).(3) Nothing in this rule prohibits a commissioner from alerting local law enforcement prior to contacting the state commissioner in the event of an incident or breach.Iowa Admin. Code r. 721-29.3
Adopted by IAB October 24, 2018/Volume XLI, Number 9, effective 11/28/2018Amended by IAB May 6, 2020/Volume XLII, Number 23, effective 6/10/2020