Indiana Data Disposal Law (Ind. Code §§ 24-4-14-8, Ind. Code § 24-4.9-3-3.5 - § 24-4.9-4-2)

 

IC 24-4-14 Chapter 14. Persons Holding a Customer's Personal Information

24-4-14-1  Applicability

24-4-14-2  "Customer"

24-4-14-3  "Dispose of"

24-4-14-4  "Encrypted"

24-4-14-5  "Person"

24-4-14-6  "Personal information"

24-4-14-7  "Redacted"

24-4-14-8  Disposal of personal information; infraction

 

IC 24-4-14-1  Applicability

Sec. 1. This chapter does not apply to the following:

(1) The executive, judicial, or legislative department of state government or any political subdivision.

(2) A unit (as defined in IC 36-1-2-23).

(3) The office of county auditor.

(4) The office of county treasurer.

(5) The office of county recorder.

(6) The office of county surveyor.

(7) A county sheriff's department.

(8) The office of county coroner.

(9) The office of county assessor.

(10) A person who engages in the business of waste collection, except to the extent the person holds a customer's personal information directly in connection with the business of waste collection.

(11) A person who maintains and complies with a disposal program under:

(A) the federal USA Patriot Act (P.L.107-56);

(B) Executive Order 13224;

(C) the federal Driver's Privacy Protection Act (18 U.S.C. 2721 et seq.);

(D) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(E) the federal Financial Modernization Act of 1999 (15 U.S.C. 6801 et seq.); or

(F) the federal Health Insurance Portability and Accountability Act (HIPAA) (P.L.104-191);

if applicable.

As added by P.L.125-2006, SEC.5.

 

IC 24-4-14-2  "Customer"

Sec. 2. As used in this chapter, "customer" means a person who:

(1) has:

(A) received; or

(B) contracted for;

the direct or indirect provision of goods or services from another person holding the person's personal information; or

(2) provides the person's personal information to another person in connection with a transaction with a nonprofit corporation or charitable organization.

The term includes a person who pays a commission, a consignment fee, or another fee contingent on the completion of a transaction.

As added by P.L.125-2006, SEC.5.

 

IC 24-4-14-3  "Dispose of"

Sec. 3. As used in this chapter, "dispose of" means to discard or abandon the personal information of a customer in an area accessible to the public. The term includes placing the personal information in a container for trash collection.

As added by P.L.125-2006, SEC.5.

 

IC 24-4-14-4  "Encrypted"

Sec. 4. For purposes of this chapter, personal information is "encrypted" if the personal information:

(1) has been transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or

(2) is secured by another method that renders the personal information unreadable or unusable.

As added by P.L.125-2006, SEC.5.

 

IC 24-4-14-5  "Person"

Sec. 5. As used in this chapter, "person" means an individual, a partnership, a corporation, a limited liability company, or another organization.

As added by P.L.125-2006, SEC.5.

 

IC 24-4-14-6  "Personal information"

Sec. 6. As used in this chapter, "personal information" has the meaning set forth in IC 24-4.9-2-10. The term includes information stored in a digital format.

As added by P.L.125-2006, SEC.5.

 

IC 24-4-14-7  "Redacted"

Sec. 7. (a) For purposes of this chapter, personal information is "redacted" if the personal information has been altered or truncated so that not more than the last four (4) digits of:

(1) a driver's license number;

(2) a state identification number; or

(3) an account number;

is accessible as part of personal information.

(b) For purposes of this chapter, personal information is "redacted" if the personal information has been altered or truncated so that not more than five (5) digits of a Social Security number are accessible as part of personal information.

As added by P.L.125-2006, SEC.5.

 

IC 24-4-14-8  Disposal of personal information; infraction

Sec. 8. A person who disposes of the unencrypted, unredacted personal information of a customer without shredding, incinerating, mutilating, erasing, or otherwise rendering the information illegible or unusable commits a Class C infraction. However, the offense is a Class A infraction if:

(1) the person violates this section by disposing of the unencrypted, unredacted personal information of more than one hundred (100) customers; or

(2) the person has a prior unrelated judgment for a violation of this section.

As added by P.L.125-2006, SEC.5.

 

 

IC 24-4.9-3-3.5  Duties of a data base owner; exceptions; health records; enforcement powers

Sec. 3.5. (a) Except as provided in subsection (b), this section does not apply to a data base owner that maintains its own data security procedures as part of an information privacy, security policy, or compliance plan under:

(1) the federal USA PATRIOT Act (P.L. 107-56);

(2) Executive Order 13224;

(3) the federal Driver's Privacy Protection Act (18 U.S.C. 2721 et seq.);

(4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(5) the federal Financial Modernization Act of 1999 (15 U.S.C. 6801 et seq.); or

(6) the federal Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191);

if the data base owner's information privacy, security policy, or compliance plan requires the data base owner to maintain reasonable procedures to protect and safeguard from unlawful use or disclosure personal information of Indiana residents that is collected or maintained by the data base owner and the data base owner complies with the data base owner's information privacy, security policy, or compliance plan.

(b) This section applies to a current or former health care provider (as defined by IC 4-6-14-2) who is a data base owner or former data base owner:

(1) to which an exemption under subsection (a)(6) applies or applied; and

(2) whose information privacy, security policy, or compliance plan:

(A) does not require the data base owner or former data base owner to maintain and implement reasonable procedures; or

(B) is not implemented by the data base owner or former data base owner;

to ensure that the personal information described in subsection (a), including health records (as defined by IC 4-6-14-2.5), is protected and safeguarded from unlawful use or disclosure after the data base owner or former data base owner ceases to be a covered entity under the federal Health Insurance Portability and Accountability Act (P.L. 104-191).

(c) A data base owner shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any personal information of Indiana residents collected or maintained by the data base owner.

(d) A data base owner shall not dispose of or abandon records or documents containing unencrypted and unredacted personal information of Indiana residents without shredding, incinerating, mutilating, erasing, or otherwise rendering the personal information illegible or unusable.

(e) A person that knowingly or intentionally fails to comply with any provision of this section commits a deceptive act that is actionable only by the attorney general under this section.

(f) The attorney general may bring an action under this section to obtain any or all of the following:

(1) An injunction to enjoin further violations of this section.

(2) A civil penalty of not more than five thousand dollars ($5,000) per deceptive act.

(3) The attorney general's reasonable costs in:

(A) the investigation of the deceptive act; and

(B) maintaining the action.

(g) A failure to comply with subsection (c) or (d) in connection with related acts or omissions constitutes one (1) deceptive act.

As added by P.L.137-2009, SEC.5. Amended by P.L.76-2017, SEC.4.

 

IC 24-4.9-3-4   Method of disclosure; exceptions

Sec. 4. (a) Except as provided in subsection (b), a data base owner required to make a disclosure under this chapter shall make the disclosure using one (1) of the following methods:

(1) Mail.

(2) Telephone.

(3) Facsimile (fax).

(4) Electronic mail, if the data base owner has the electronic mail address of the affected Indiana resident.

(b) If a data base owner required to make a disclosure under this chapter is required to make the disclosure to more than five hundred thousand (500,000) Indiana residents, or if the data base owner required to make a disclosure under this chapter determines that the cost of the disclosure will be more than two hundred fifty thousand dollars ($250,000), the data base owner required to make a disclosure under this chapter may elect to make the disclosure by using both of the following methods:

(1) Conspicuous posting of the notice on the web site of the data base owner, if the data base owner maintains a web site.

(2) Notice to major news reporting media in the geographic area where Indiana residents affected by the breach of the security of a system reside.

(c) A data base owner that maintains its own disclosure procedures as part of an information privacy policy or a security policy is not required to make a separate disclosure under this chapter if the data base owner's information privacy policy or security policy is at least as stringent as the disclosure requirements described in:

(1) sections 1 through 4(b) of this chapter;

(2) subsection (d); or

(3) subsection (e).

(d) A data base owner that maintains its own disclosure procedures as part of an information privacy, security policy, or compliance plan under:

(1) the federal USA PATRIOT Act (P.L. 107-56);

(2) Executive Order 13224;

(3) the federal Driver's Privacy Protection Act (18 U.S.C. 2781 et seq.);

(4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(5) the federal Financial Modernization Act of 1999 (15 U.S.C. 6801 et seq.); or

(6) the federal Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191);

is not required to make a disclosure under this chapter if the data base owner's information privacy, security policy, or compliance plan requires that Indiana residents be notified of a breach of the security of data without unreasonable delay and the data base owner complies with the data base owner's information privacy, security policy, or compliance plan.

(e) A financial institution that complies with the disclosure requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice or the Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, as applicable, is not required to make a disclosure under this chapter.

(f) A person required to make a disclosure under this chapter may elect to make all or part of the disclosure in accordance with subsection (a) even if the person could make the disclosure in accordance with subsection (b).

As added by P.L.125-2006, SEC.6. Amended by P.L.137-2009, SEC.6.

 

 

IC 24-4.9-4  Chapter 4. Enforcement

24-4.9-4-1  Failure to disclose or notify; deceptive act

24-4.9-4-2  Action by attorney general

 

IC 24-4.9-4-1  Failure to disclose or notify; deceptive act

Sec. 1. (a) A person that is required to make a disclosure or notification in accordance with IC 24-4.9-3 and that fails to comply with any provision of this article commits a deceptive act that is actionable only by the attorney general under this chapter.

(b) A failure to make a required disclosure or notification in connection with a related series of breaches of the security of data constitutes one (1) deceptive act.

As added by P.L.125-2006, SEC.6. Amended by P.L.137-2009, SEC.7.

 

IC 24-4.9-4-2  Action by attorney general

Sec. 2. The attorney general may bring an action under this chapter to obtain any or all of the following:

(1) An injunction to enjoin future violations of IC 24-4.9-3.

(2) A civil penalty of not more than one hundred fifty thousand dollars ($150,000) per deceptive act.

(3) The attorney general's reasonable costs in:

(A) the investigation of the deceptive act; and

(B) maintaining the action.

As added by P.L.125-2006, SEC.6.

 

 

For more information, see:

http://iga.in.gov/legislative/laws/2021/ic/titles/024/#24-4-14-8

and

http://iga.in.gov/legislative/laws/2018/ic/titles/024/#24-4.9-3-3.5

 

These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only.  No Claim to Original State Government Works.  This may not be the most recent version.  The State may have more current information.  We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to.  Please check the linked sources directly.