What is the Indiana Data Breach Notification Law?

Indiana Data Breach Notification Law

The Indiana data breach law gives Indiana residents a right to know when a security breach has exposed their personal information. This law was recently amended to narrow the amount of time a business entity has to notify affected individuals of a breach. The amended Indiana data breach notification law, effective as of July 1, 2022, is discussed in detail below.

Indiana Data Breach Notification Law: Way Back in 2006…

The Indiana data breach notification law became effective in July of 2006. The law applies to database owners that do business in Indiana. A database owner is a person or entity that owns or licenses computerized data that includes personal information. An entity “does business in Indiana” when that entity owns or uses the information of an Indiana resident for commercial purposes.

What is the Indiana Data Breach Notification Law? It’s Personal

The Indiana data breach notification law requires database owners to notify consumers when there has been a security breach involving their personal information. 

“Personal information” includes:

  • A social security number that is neither encrypted nor redacted
  • An individual’s first and last names, or first initial and last name, plus one or more of the following pieces of data that are neither encrypted nor redacted:
    • Driver license number
    • State identification card number
    • Credit card number
    • Financial account number or debit card number, in combination with a security code, password, or access code that would permit access to an individual’s account

What is the Indiana Data Breach Notification Law? Let’s be Reasonable

Prior to the 2022 amendment to the Indiana data breach notification law, database owners were required to notify individuals of security breaches of their personal data. 

More specifically, database owners were required, upon discovering or being notified of a breach of the security of data, to:

  1. Disclose the breach to residents whose unencrypted personal information may have been accessed or acquired by an unauthorized person. 
  2. Disclose the breach to residents whose encrypted personal information was, or may have been, acquired by an unauthorized person with access to the encryption key.

The law was not particularly clear on how long database owners had to notify these individuals. The law simply stated that an entity required to make a notification “shall make the disclosure or notification without unreasonable delay.”

The law threw clarity a small bone, defining a “reasonable delay” as a delay that is:

  1. Necessary to restore the integrity of a computer system
  2. Necessary to discover the scope of the breach
  3. In response to a request by law enforcement or the Indiana Attorney General to delay notification because disclosure would impede a criminal or civil investigation, or jeopardize national security

Pre-amendment, a database owner with a notification obligation who delayed that notification could take its time. The database owner was not required to provide notification until after delay was no longer necessary to discover the scope of the breach. Unsurprisingly, many database owners just happened to take a long time to discover the scope of the breach. 

In March of 2022, the law was amended – a numerical time limit was put on the disclosure time frame. As of July 1, 2022, a database owner must notify affected individuals and the Indiana Attorney General of a data breach without unreasonable delay, but no later than 45 days after the discovery of the breach. The amendment makes no other changes to the existing law. Database owners required to provide notification must still do so by mail, telephone, fax, or email. 

If the required disclosure affects more than 500,000 Indiana residents, or if the database owner determines the cost of the disclosure will be over $250,000, the notification may be done on the cheap by: 

  1. Posting the notice on the database owner’s website; or
  2. Providing notice to major news reporting media in the geographic area where the Indiana residents affected by the breach reside.

Indiana Data Breach Notification Law and HIPAA Safe Harbor

The amended law retains a HIPAA safe harbor exemption. Under the Indiana data breach notification law, a database owner that maintains its own (i.e., not government-mandated) data security and disclosure procedures as part of a HIPAA security policy is exempt from the Indiana law, provided that the database owner’s disclosure procedures are at least as stringent as those of HIPAA. Another way of saying this is that if a database owner has a HIPAA security policy, that policy should be effective and contain all information that HIPAA requires it to have.

What is the Indiana Data Breach Notification Law? Well, That’s Just Fines

The amended Indiana data breach notification law retains the current law’s penalty language. Under the existing law, an owner who knowingly or intentionally fails to comply with the law may be sued by the Indiana Attorney General for committing a “deceptive act.” The Indiana Attorney General may file suit to obtain an injunction to prevent further violations, and/or civil penalties. The Attorney General may seek up to $150,000 per deceptive act.
