Data security breaches at big corporations, including Equifax and Target, spurred the Iowa Attorney General’s Office to seek changes to Iowa law to further protect consumers.

House Study Bill 526, discussed in a Judiciary subcommittee Tuesday, would update Iowa’s data breach notification act, which requires businesses, nonprofits and other entities hit by hackers to alert consumers and the state.

The update adds new categories of data, such as medical records. And although the law already requires reporting of information breaches “without reasonable delay,” the bill would add a 45-day maximum on reporting. Now, entities with encrypted data don’t have to report breaches, but HSB 526 would require higher level — 128-bit — encryption for this exemption.

“We wanted to make sure the laws on the books are protecting consumers sufficiently,” said Nathan Blake, an assistant Iowa Attorney General.

The AG’s office reported in September more than 1 million Iowans — and 143 million people nationwide — were affected by a major data breach of credit-reporting company Equifax. Social Security numbers, birth dates, addresses and, for some, credit card numbers were exposed.

The Iowa AG’s office is investigating whether Equifax is in violation of Iowa’s civil fraud act, Blake said.

Consumer fraud investigations often are resolved through settlements in which the company commits to making changes and paying states, he said.

ARTICLE CONTINUES BELOW ADVERTISEMENT

The Target Corporation agreed last spring to an $18.5 million settlement with 47 states, including Iowa, over the retail chain’s massive data breach in 2013. Iowa got $229,000.

l Comments: (319) 339-3157; erin.jordan@thegazette.com