Iowa Gives Cyber-Ready Businesses a Legal Shield in Court

HF 553 provides companies with a full affirmative defense in data breach lawsuits — if they maintain and invest in a qualifying cybersecurity program.

Effective July 1, 2023 · Iowa Code § 554G

The Law

What HF 553 Does for You

If your business suffers a data breach and faces a lawsuit in Iowa, HF 553 gives you a full affirmative defense — as long as you had a qualifying written cybersecurity program in place. The defense applies to tort claims, including:

Negligence

Alleging you failed to implement reasonable security controls.

Privacy Invasion

Alleging unauthorized access compromised personal or restricted information.

Other Tort Claims

Any tort-based action arising from a data breach concerning protected information.

How to Qualify

What Your Program Needs

Iowa takes a uniquely quantitative approach — your cybersecurity investment must match your calculated risk. Four conditions:

1. Written Cybersecurity Program

Administrative, technical, operational, and physical safeguards protecting personal and restricted information.

2. Conformance to a Recognized Framework

Reasonable conformance to the current version of one or more recognized frameworks listed below.

3. Annual Maximum Probable Loss Evaluation

Evaluate the greatest damage expectation from a data breach at least once per year.

4. Invest at the Level of Your Risk

Your cybersecurity program cost must meet or exceed your calculated maximum probable loss value.

NIST CSF
NIST 800-171
NIST 800-53
FedRAMP
CIS Controls
ISO 27000
PCI DSS*
HIPAA
GLBA
FISMA
HITECH

* PCI DSS must be used in conjunction with a general framework.

Common Concern

Maximum Probable Loss Sounds Expensive

MPL Is About Proportionate Investment, Not Unlimited Spending

The maximum probable loss calculation factors in both the total value of possible damage and the probability it would occur. A small business with limited sensitive data will have a proportionately low MPL — and a proportionately low spending requirement. The math works in your favor.

What the defense doesn't cover: contract claims, statutory claims, regulatory enforcement actions, or claims brought outside Iowa courts. The defense applies only to tort claims under Iowa law.

How SignumCyber Helps

Every Requirement. One Platform.

HF 553 Requires: How We Help

Written program with safeguards: 73-domain assessment + policy creation wizard to build your program

Framework conformance: NIST CSF, ISO 27001, SOC 2, HIPAA & PCI DSS

Annual maximum probable loss evaluation: FAIR risk quantification in dollars with ongoing reassessment

Invest at the level of your risk: ROI-driven roadmap that demonstrates proportionate investment

Threat evaluation & breach communication: Prioritized recommendations, incident response policy & evidence

Bigger Picture

A Growing National Movement

Seven states and counting. The program you build for Iowa qualifies you elsewhere too.

Ohio 2018
Utah 2021
Connecticut 2021
Iowa 2023
Tennessee 2024
Oregon 2024
Texas 2025

Ready to Build Your Defense?

See how SignumCyber helps you qualify for safe harbor protection — and turn security into a business advantage.

30 minutes. No pressure. Just clarity.

This page is general information about Iowa's cybersecurity safe harbor law (HF 553), not legal advice. Consult a qualified attorney for guidance specific to your organization.