§ 554g-3 — Iowa Law | CourtGPT
Iowa Legal Code

§ 554g-3

554G.3 Cybersecurity program framework.

1. A covered entity’s cybersecurity program, as described in section 554G.2, reasonably conforms to an industry-recognized cybersecurity framework for purposes of section 554G.2 if any of the following are true:

a. (1) The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to subparagraph (2) and subsection 2:
(a) The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology.
(b) National institute of standards and technology special publication 800-171.
(c) National institute of standards and technology special publications 800-53 and 800-53a.
(d) The federal risk and authorization management program security assessment framework.
(e) The center for internet security critical security controls for effective cyber defense.
(f) The international organization for standardization/international electrotechnical commission 27000 family — information security management systems.
(2) When a final revision to a framework listed in subparagraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the revised framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the publication date stated in the revision.

b. (1) The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to subparagraph (2):
(a) The security requirements of the federal Health Insurance Portability and Accountability Act of 1996, as set forth in 45 C.F.R. pt. 164, subpt. C.
(b) Title V of the federal Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.
(c) The federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.
(d) The federal Health Information Technology for Economic and Clinical Health Act as set forth in 45 C.F.R. pt. 162.
(e) Chapter 507F.
(f) Any applicable rules, regulations, or guidelines for critical infrastructure protection adopted by the federal environmental protection agency, the federal cybersecurity and infrastructure security agency, or the north American reliability corporation.
(2) When a framework listed in subparagraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform the elements of its cybersecurity program to the amended framework within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but in no event later than one year after the effective date of the amended framework.

c. (1) The cybersecurity program reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in paragraph 'a', subject to subparagraph (2) and subsection 2.
(2) When a final revision to the payment card industry data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply the elements of its cybersecurity program with the revised standard within the time frame provided in the relevant framework upon which the covered entity intends to rely to support its affirmative defense, but not later than the effective date for compliance.

2. If a covered entity’s cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry data security standard, as described in subsection 1, paragraph 'a' or 'c', and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform the elements of its cybersecurity program to or comply with, as applicable, all of the revised frameworks within the time frames provided in the relevant frameworks but in no event later than one year after the latest publication date stated in the revisions.

2023 Acts, ch 63, §3
Referred to in §554G.2
NEW section

Iowa Code 2024, Section 554G.3 (Sat Dec 23 11:04:10 2023)