Indiana
State statute: Ind. Code, Title 24, §§ 24-4.9 et seq. (For specific rules applicable to state agencies, see Ind. Code Title 4, §§ 4-1-11 et seq.)
Information Covered / Important Definitions
Information covered:
Personal information of Indiana residents.
Definition includes an unencrypted or unredacted social security number standing alone.
Important definitions:
“Security Breach” means an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
Definition includes the unauthorized acquisition of computerized data that has been transferred to another medium, including paper, microfilm, or a similar media, even if the transferred data are no longer in a computerized format.
Unauthorized acquisition of an encrypted portable electronic device on which personal information is stored is not a security breach if the encryption key has not been compromised.
“Encrypted” means data that have been transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or data which are secured by another method that renders data unreadable or unusable.
“Redacted” means data have been altered or truncated so that no more than the last four digits are accessible (or the last five digits for social security numbers).
Covered Entities* / Third Party Recipients
Subject to statute:
Any person or legal entity using computerized personal information of an Indiana resident for commercial purposes.
Third party recipients:
Any covered entity that maintains computerized data that includes personal information but does not own or license the data must notify the owner or licensee of a security breach.
Notice Procedures & Timing / Other Obligations
Written, electronic, telephonic, or facsimile notice must be provided to victims of a security breach without unreasonable delay, but in any event within forty-five (45) days, unless a law enforcement agency or the attorney general determines that notice will impede a civil or criminal investigation or jeopardize national security. Notification must occur as soon as possible after the delay is no longer necessary or authorized by the attorney general or law enforcement agency.
Under the statute, a delay is reasonable if the delay is:
(1) necessary to restore the integrity of the computer system;
(2) necessary to discover the scope of the breach; or
(3) in response to a request from the Attorney General or a law enforcement agency to delay disclosure because disclosure will: (A) impede a criminal or civil investigation; or (B) jeopardize national security.
- Substitute notice is available by the means prescribed in the statute if the cost of notice would exceed $250,000, the affected class exceeds 500,000 persons, or the covered entity does not have sufficient contact information.
- Notice is only required if the covered entity knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception, identity theft, or fraud affecting the Indiana resident.
Other obligations:
Any covered entity that must notify more than 1,000 persons at one time of a security breach is also required to notify consumer reporting agencies without unreasonable delay.
Covered entity must implement and maintain reasonable procedures to protect and safeguard personal information of Indiana residents.
Covered entity must dispose of records or documents containing unencrypted or unredacted personal information by shredding, incinerating, mutilating, erasing, or otherwise rendering personal information illegible or unusable.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted.
Safe harbor not available if encryption key has been compromised.
Other exemptions:
Exemption for good faith acquisition of personal information by an employee or agent of the covered entity, so long as the personal information is not used or subject to further unauthorized disclosure.
Covered entity is exempt if it maintains and complies with its own data security procedures as part of an information privacy and security policy or compliance plan under USA Patriot Act, Executive Order 13224, Driver’s Privacy Protection Act (18 U.S.C. 2721), Fair Credit Reporting Act (15 U.S.C. 1581), Financial Modernization Act of 1999 (15 U.S.C. 6801), or HIPAA, provided the procedures are reasonable.
Notification to Regulator / Waiver
Attorney general must be notified of any security breach using a designated form.
A determination of no likelihood of harm:
Does not require notification to attorney general.
Penalties
Violations are actionable deceptive acts.
For violations of the notification rules:
The attorney general may bring an action seeking an injunction against future violations of the statute, a civil penalty of not more than $150,000 per deceptive act, and the attorney general’s reasonable costs.
For violations of the record retention rules:
The attorney general may bring an action seeking an injunction against future violations of the statute, a civil penalty of not more than $5,000 per deceptive act, and the attorney general’s reasonable costs.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.