Skip to main content


Iowa Cybersecurity Bill Introduces Affirmative Defense

Iowa Cybersecurity Bill Introduces Affirmative Defense

Iowa SF 2252

A new Iowa law could quickly dictate the level of responsibility your organization has following a data breach. Introduced in January 2020 as Senate File (SF) 2073 and recommended for approval as SF 2252, this new bill states “It is an affirmative defense to any claim or action alleging that a person’s failure to implement reasonable security measures resulted in a breach of security, that the person established, maintained, and complied with a written cyber security program.”


What is Affirmative Defense?

Affirmative defense is a set of facts that defeat or mitigate the legal consequences of the defendant’s otherwise unlawful act. An organization can admit to guilt, but they can use an explanation or justification to mitigate the legal penalty stemming from a cyber incident. In this case, the defense will be a formal (written) cybersecurity program that “conforms to current and accepted industry standards regarding cyber security and personal information security protection,” including the NIST Cybersecurity Framework (CSF).

Iowa SF 2252 would not preclude an organization from being named a party to a lawsuit; however, the law does provide a potential defense in the event an organization has developed a strong cybersecurity program, but still suffers a data breach.

Senate File 2252 would amend Iowa’s existing data breach notice regulation.


Not the First Cyber Safe Harbor Law

Iowa would not be the first state with this type of legislation. In August 2018, the Ohio legislature passed Senate Bill 220, which took effect on November 2, 2018. Ohio SB 220 is very similar to Iowa SF 2252, as it provides safe harbor (affirmative defense) to Ohio covered entities that implement and comply with a cybersecurity program based upon industry best-practice cybersecurity frameworks.

Ohio SB 220 has two caveats, however. The first is that SB 220 only applies to tort claims, and the second is that such tort claims are based on Ohio law or brought to an Ohio court.


More to Come?

Such affirmative defense laws are likely to gain traction in other states as well. Not only does this type of law encourage organizations to create, maintain, and comply with a strong cybersecurity program that will lead to better cybersecurity protections for everyone, these laws will also provide a defense for organizations that are compromised despite having solid cybersecurity controls in place. There is no such thing as 100% secure in today’s cybersecurity landscape, even with a strong cybersecurity program.

SBS CyberSecurity has been helping organizations from all industries build, maintain, comply-with, and test cybersecurity programs for the past 15 years. If your organization is looking to understand your cyber risk, create a cybersecurity program, and make more intelligent cybersecurity business decisions, SBS can help.



Written by: 
Edin Y Cordona and Jon Waldman
SBS CyberSecurity


SBS Resources: 

  • {Service} Digital Forensics and Incident Response: From malware to attacker network penetration and insider threat - organizations must be prepared to detect incidents and respond appropriately. Staying current with threat protection, detection, and recovery tactics requires a specific set of training and expertise that not all organizations are able to handle on their own. The SBS Digital Forensics and Incident Response (DFIR) team can help you better prepare for an incident or assist with an active incident. Learn more

Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Security Manager   Certified Banking Incident Handler

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Thursday, April 30, 2020
Categories: Blog