108 Iowa L. Rev. 1503 (2023)
Cybercrime is on the rise, especially for the insurance industry, which collects massive amounts of sensitive data. In response, the National Association of Insurance Commissioners adopted the Model Insurance Data Security Act. This model law provides that state-licensed insurers must conduct a risk assessment as well as implement appropriate security measures, and it lays out when insurers must report data breaches to state insurance commissioners or consumers. As states have implemented their own versions of an Insurance Data Security Act, they have often modified it to make compliance easier for insurers, but in doing so have weakened its safeguards. Iowa’s Insurance Data Security Act broadened exemptions for small insurers significantly, creating a gap in privacy protection that leaves many consumers vulnerable to data breaches. This Note argues that Iowa should close this gap by amending the law to narrow the exemptions back to the model law’s original scope and help small insurers bear the significant costs of compliance by providing data privacy consultations, education, and/or lobbying the National Association of Insurance Commissioners to provide these necessary resources.