Des Moines City Data Breach Reporting Guide

Technology and Data Iowa 3 Minutes Read ยท published February 10, 2026 Flag of Iowa

In Des Moines, Iowa, city staff, contractors, and residents must follow prescribed steps when municipal systems or records containing personal data are compromised. This guide explains who to notify, how the city and state rules apply, evidence preservation, timelines for notifying affected individuals, and where to find official forms and contacts. It is written for records custodians, IT staff, elected officials, vendors, and residents who need clear, actionable steps to report incidents and meet notice obligations under city procedures and Iowa law.

Reporting overview

Report suspected or confirmed security incidents immediately to the City of Des Moines Information Technology security team or designated incident response contact, and to the City Clerk for public records implications. Include a brief summary of the incident, systems affected, data types involved, known or suspected timeline, and any containment steps already taken. Use official reporting channels to preserve chain of custody for logs and evidence. For official reporting guidance and contacts see the city incident reporting page City IT Incident Reporting[1].

Report immediately to city IT and your supervisor to limit exposure.

Penalties & Enforcement

The City of Des Moines enforces municipal policies and applicable state laws for mishandling or failing to report breaches. Specific monetary fines and penalty amounts for municipal data breaches are not specified on the cited municipal pages; consult the cited state statute for statutory notice obligations and the city for internal discipline and contract remedies Des Moines Municipal Code[2].

  • Fine amounts: not specified on the cited municipal page; see state statute for consumer-notification requirements and possible civil remedies.
  • Escalation: whether first, repeat, or continuing offences trigger larger penalties is not specified on the cited city pages.
  • Non-monetary sanctions: the city may seek administrative discipline, contract termination, corrective orders, or referral to civil or criminal authorities as appropriate.
  • Enforcer: City of Des Moines Information Technology department and the City Clerk coordinate investigations; law enforcement or the Iowa Attorney General may be involved for statewide consumer protection matters.
  • Complaint and inspection pathways: submit incident reports via the city IT incident page or contact the City Clerk for records-related breaches.
  • Appeals and review: appeal routes for administrative actions are handled under city personnel or contract processes; specific appeal time limits are not specified on the cited city pages.
  • Defences and discretion: lawful defenses, documented authorizations, and valid contracts or variances may apply; check city policy and consult legal counsel.
Monetary penalties for municipal breach notification are not detailed on the city's public code pages.

Applications & Forms

The city does not publish a separate public "breach notification" form; use the IT incident reporting contact and retain required records. For statutory consumer-notification templates and timing rules see Iowa Code chapter 715C Iowa Code 715C[3]. Current as of February 2026.

How-To

  1. Detect and document: preserve logs, take screenshots, record timestamps, and limit further access.
  2. Report internally: notify City IT and your supervisor immediately using official channels and include the incident summary.
  3. Preserve evidence: do not alter affected devices; follow chain-of-custody steps and back up volatile logs.
  4. Assess scope: identify categories of personal data, number of affected individuals, and potential harm.
  5. Notify affected individuals: follow timing and content requirements in Iowa law and city procedure; confirm delivery methods.
  6. Coordinate with authorities: involve law enforcement, the Iowa Attorney General, and other regulators when required.
  7. Remediate and review: implement fixes, update policies, and conduct a lessons-learned review.
Preserve evidence before notifying outside parties to maintain investigation integrity.

FAQ

Who must report a city data breach?
The responsible department head, affected staff, or contracted vendor must report incidents to City IT and the City Clerk as soon as they are detected.
How soon must affected individuals be notified?
Follow Iowa Code 715C timing and content requirements for consumer notification; consult the cited statute and city guidance for specifics.
Is there a city form to submit a breach report?
No dedicated public breach form is published; use the city IT incident reporting channel and retain required documentation.
Who enforces penalties for failure to report?
Enforcement may involve the City of Des Moines for local policy breaches and state authorities for statutory violations.

Key Takeaways

  • Report quickly using city IT channels to contain incidents.
  • Preserve logs and evidence to support investigation and legal obligations.
  • Follow Iowa Code 715C notice rules when personal data is affected.

Help and Support / Resources

  1. [1] City of Des Moines - Information Technology incident reporting
  2. [2] City of Des Moines - Municipal Code (Municode)
  3. [3] Iowa Code chapter 715C - Security Breach Notification (current as of February 2026)

Categories

General Governance and Administration Public Safety Public Health and Welfare Land Use and Zoning Housing and Building Standards Transportation Environmental Protection Parks and Public Spaces Business and Consumer Protection Taxation and Finance Labor and Employment Education Civil Rights and Equity Elections and Campaign Finance Events and Special Uses Signs and Advertising Utilities and Infrastructure Technology and Data