721—29.3(47) Cybersecurity incident or breach.
- 29.3(1) A commissioner who identifies or suspects an actual or possible cybersecurity incident or breach shall report the incident within 24 hours to the state commissioner. Upon receiving the report, the state commissioner shall alert the appropriate state or federal law enforcement agencies, including but not limited to the United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the OCIO, and the vendor responsible for maintaining the affected technology. The state commissioner may disseminate the information to other federal, state, and local agencies, or their designees, as the state commissioner deems necessary.
- 29.3(2) Information reported to the state commissioner under this rule shall be exempt from public records requests pursuant to Iowa Code section 22.7(50).
- 29.3(3) Nothing in this rule prohibits a commissioner from alerting local law enforcement prior to contacting the state commissioner in the event of an incident or breach.
[ARC 4103C, IAB 10/24/18, effective 11/28/18; ARC 5036C, IAB 5/6/20, effective 6/10/20]