Sanctus Cybersecurity

Iowa Passed a Law That Could Protect Your Business After a Hack. Most Business Owners Have Never Heard of It.

February 18, 2026

This article is for informational purposes only and does not constitute legal advice. Consult an attorney regarding your specific situation.


Imagine this: your business gets hit by a cyberattack. Customer records are exposed. You notify the affected parties, bring in help to contain the damage, and start getting things back to normal. A few weeks later, a lawsuit arrives.

The question at the center of that lawsuit probably won't be whether you got hacked. Sophisticated attacks happen to prepared organizations every day. The question will be whether you took reasonable steps to protect the data before the breach occurred.

In Iowa, your answer to that question now has legal weight.

In 2023, Iowa Governor Kim Reynolds signed House File 553 into law. The legislation gives Iowa businesses an affirmative defense against certain tort lawsuits arising from data breaches, provided they had a documented cybersecurity program in place beforehand. Most Iowa business owners have never heard of it.


What Is HF553?

Iowa House File 553 was signed on May 3, 2023, and took effect July 1, 2023. Iowa was the fourth state in the country to pass this type of legislation, following Ohio (2018), Utah (2021), and Connecticut (2021).

The law applies to any "covered entity," defined as a business that accesses, receives, stores, or processes personal information or restricted information. That covers most businesses operating today. If you handle customer records, employee data, payment information, or sensitive vendor data, this law likely applies to you.

The core provision: a covered entity that maintains a qualifying cybersecurity program is entitled to use that fact as an affirmative defense against tort claims alleging that inadequate security controls led to a data breach.

An affirmative defense is not a guarantee of winning. It means you have a recognized legal argument that the court must consider. Think of it as the difference between walking into a lawsuit empty-handed and walking in with documented evidence that you took security seriously.


Why This Matters: The Legal Risk Most Businesses Overlook

When business owners think about the cost of a cyberattack, they usually think about downtime, recovery expenses, and notifying customers. Litigation rarely makes the list.

It should.

Data breach lawsuits are increasingly common, and they are not limited to large corporations. Plaintiffs' attorneys have become more aggressive in pursuing claims against businesses of all sizes following breaches that expose personal or financial information. Legal fees, settlements, and court costs can exceed the direct cost of the breach itself.

HF553 does not prevent you from being hacked. No law does. What it does is change your legal position after the fact. Businesses that can demonstrate they had a reasonable, documented security program in place have a meaningful defense that businesses without one simply do not have.

This protection is separate from regulatory obligations like HIPAA fines or PCI penalties. HF553 specifically addresses civil tort liability: the lawsuits filed by affected individuals or businesses claiming your security was inadequate.


What Makes Iowa's Law Different From Other States

Most cybersecurity safe harbor laws protect information tied to individual people. Iowa's version goes further.

Iowa's law defines "restricted information" to include information linked to businesses, not just individuals. If a breach exposes data that could be used to commit fraud against a business, such as vendor banking details, trade information, or proprietary financial records, Iowa's law covers that too.

Ohio, Utah, and Connecticut, the three states that passed similar legislation before Iowa, do not include this protection for business data. For Iowa companies in manufacturing, professional services, agriculture, construction, and any B2B industry where sensitive business information changes hands regularly, this distinction matters.


What a Qualifying Cybersecurity Program Looks Like

The law does not require perfection. It requires a reasonable, documented effort proportionate to the size and complexity of your business.

To qualify for the affirmative defense, your cybersecurity program must be written and must reasonably conform to one or more recognized frameworks. The law names several general industry frameworks:

  • NIST Cybersecurity Framework (widely recognized across industries)
  • NIST Special Publications 800-53 and 800-171 (more detailed control sets, common in government contracting)
  • CIS Critical Security Controls (often the most accessible starting point for small businesses, with a tiered approach designed for organizations with limited resources)
  • ISO/IEC 27000 family
  • FedRAMP Security Assessment Framework

For businesses already subject to specific regulations, reasonable conformance with those regulations also qualifies. These include the HIPAA Security Rule, the Gramm-Leach-Bliley Act (Title V), FISMA, HITECH, and Iowa's own insurance data security law. PCI DSS compliance also qualifies, but only when paired with another recognized framework.

In practical terms, most Iowa small businesses will find the CIS Critical Security Controls to be the most straightforward path. CIS organizes its controls into three implementation groups, with Implementation Group 1 (IG1) specifically designed for small organizations without dedicated security staff. It covers the essential hygiene that stops the most common attacks, and it maps cleanly to larger frameworks if your business grows into them later.

Annual Risk Assessment and the "Maximum Probable Loss" Requirement

Beyond choosing a framework, the law requires your program to include ongoing risk evaluation. Specifically, your business must evaluate, at least annually, the "maximum probable loss" from a data breach, defined as the greatest damage expectation that could reasonably occur. The law treats the scale of your cybersecurity program as appropriate if the cost of operating it is no less than that calculated figure, so both the figure and the reasoning behind it should be written down and kept with the program documentation.

This provision is unique to Iowa among states with similar laws. In practice, it means your business should be able to show that it has thought seriously about what a breach would cost and that its security spending reflects that analysis. It does not require you to spend a fortune. It requires you to spend proportionally to your actual risk.

This is not a one-time exercise. Threats change, your business changes, and your risk profile changes with them. A documented annual review keeps your program current and your defense credible.


Where Most Iowa Businesses Fall Short

Here is the honest reality: having antivirus software, a firewall, and offsite backups does not constitute a documented cybersecurity program under HF553.

The most common gaps we see are:

  • No written security policy. Controls exist in practice but have never been formally documented.
  • No documented risk assessment. The business has never formally identified its most likely threats or evaluated potential losses.
  • No framework alignment. Security decisions have been made reactively, without reference to an established standard.

The encouraging part is that many businesses are closer than they think. They have reasonable controls in place. They have vendors managing key security functions. They just have not connected those pieces into something documented and defensible. That gap is usually smaller and faster to close than business owners expect.


The Practical Upside

It is worth stating plainly: the work required to qualify for HF553's protection is the same work that makes your business meaningfully harder to compromise. Documenting your security program, aligning it with a recognized framework, and conducting regular risk assessments are not just legal formalities. They are the practices that stop real attacks.

The affirmative defense is a valuable bonus on top of a stronger security posture, not the other way around.

What to Do Next

Iowa law gives businesses a meaningful legal protection that most of your competitors are not aware of and almost certainly do not have. That is worth taking seriously.

Sanctus offers security posture reviews designed for Iowa businesses exactly like yours: no enterprise price tag, no generic checklist. If you want to know whether your current program would hold up under HF553's requirements, we can tell you.

A conversation is a reasonable place to start. Contact Sanctus Cybersecurity to schedule one.


Sanctus Cybersecurity provides penetration testing, vulnerability assessments, and security posture reviews to Iowa small and medium businesses. We are based in Iowa and work exclusively with businesses in the region.

Ready to find out where you stand?

No pressure, no jargon — just a conversation about where you are and what would actually help.

Find Out Where You Stand