Indiana Disclosure of Security Breach
Ind. Code § 24-4.9-1 - § 24-4.9-5-1
SUMMARY:
EFFECTIVE. July 1, 2006
WHO DOES THIS LAW APPLY TO. (1) Any person or entity that conducts business in Indiana and owns or licenses computerized data that includes Personal Information; and (2) any person or entity maintaining information which includes Personal Information on State residents.
WHAT IS A BREACH. Unauthorized acquisition of unencrypted or unredacted computerized data that compromises the security, integrity, or confidentiality of Personal Information maintained by a person or business, even if the data is transferred to another medium and is no longer in a computerized format. A security breach does not include the following:
- Good faith acquisition of Personal Information by an employee or agent of the owner for lawful internal purposes, if it is not used or subject to further unauthorized disclosure.
- Unauthorized acquisition of a portable device on which Personal Information is stored, if such information is protected by encryption and the encryption key:
  - Has not been compromised or disclosed; and
  - Is not in the possession of or known to the person who has access to such portable device.
WHAT IS PERSONAL INFORMATION. An individual’s first and last name, or first initial and last name in combination with any one or more of the following data elements that is not encrypted or redacted:
- Driver’s license number or State identification card number.
- Social Security Number.
- Account number, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
Personal Information does not include publicly available information, or information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the Indiana residents whose unencrypted Personal Information was or may have been acquired, or encrypted Personal Information was or may have been acquired with access to the encryption key. Notification must also be sent to the Attorney General.
If more than 1,000 residents are involved in a breach, the person or business shall also notify all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)), of the information necessary to prevent fraud, including Personal Information of an Indiana resident affected by the breach.
EXCEPTION. This Section does not apply to the following:
- Personal Information stored on a portable electronic device, if access to that device is protected by encryption that has not been compromised, disclosed, or otherwise made known to the unauthorized actor.
- A person or business which maintains its own notice procedures as part of a Personal Information security policy that is at least as stringent as the requirements of this Section is considered in compliance with this Section if the affected Indiana individuals are notified by the person or business in accordance with its policies.
- A financial institution that complies with the disclosure requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice is not required to make a disclosure under this Section.
- This Section also does not apply to a person or business which maintains its own disclosure procedures as part of a data security policy under any of the following, provided such policy is followed:
  - Federal USA Patriot Act (P.L. 107-56).
  - Executive Order 13224.
  - Federal Driver’s Privacy Protection Act (18 U.S.C. 2721 et seq.).
  - Federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
  - Federal Financial Modernization Act of 1999 (15 U.S.C. 6801 et seq.).
  - Federal Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).
WHEN TO NOTIFY OF THE BREACH. Notification must be sent as soon as possible after the person or business first becomes aware of a security breach. The disclosure shall be made without unreasonable delay consistent with measures necessary to determine the nature and scope of the breach, or to restore the reasonable integrity of the data system. Notification may be delayed if it will impede a criminal investigation or jeopardize national security and is requested by law enforcement. In that instance, notification will be made as soon as possible following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Mail.
- Telephonic.
- Fax.
- Electronic (if the person or business has the Email address of the affected Indiana resident).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $250,000 or the affected class of persons to be notified exceeds 500,000, substitute notice may be used. Substitute notice shall consist of all of the following:
- Conspicuous posting of the notice on the website of the person or business.
- Notification to major media in the geographic area where the affected Indiana resident(s) resides.
NOTICE TO THIRD-PARTIES. If a person or business maintains computerized data that includes Personal Information that it does not own, then the person or business shall notify the owner of a security breach. The person or business that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. The state Attorney General may bring an action to obtain any or all of the following:
- A court order to enforce compliance and prevent any further violations.
- A civil fine of up to $150,000 for failure to comply with any provision of this Section.
- A civil fine of up to $5,000 for:
  - Failure to implement and maintain reasonable procedures to protect and safeguard Personal Information from unlawful use or disclosure.
  - Failure to properly dispose of records or documents containing unencrypted and unredacted Personal Information by shredding, incinerating, mutilating, erasing, or otherwise making the Personal Information illegible or unusable.
- Attorney General’s costs.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. Ind. Code §§ 24-4-14-8, 24-4.9-3-3.5(d). A person who disposes of the unencrypted, unredacted personal information of a customer without shredding, incinerating, mutilating, erasing, or otherwise rendering the information illegible or unusable commits a Class C infraction. However, the offense is a Class A infraction if the person violates this section by disposing of the unencrypted, unredacted personal information of more than one hundred (100) customers.
LEGISLATIVE UPDATES.
S.B. 503 – Signed into law on 4/26/2005, Effective 7/1/2006.
H.E.A. 1197 – Signed into law on 3/24/2008, Effective 7/1/2009.
H.E.A. 1121 – Signed into law on 5/12/19, Effective 7/1/2009.
For more information, see here: http://iga.in.gov/legislative/laws/2021/ic/titles/024#24-4.9
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.