What is the Indiana Data Breach Notification Law?

Indiana Data Breach Notification Law

The Indiana data breach law gives Indiana residents a right to know when a security breach has exposed their personal information. This law was recently amended to narrow the amount of time a business entity has to notify affected individuals of a breach. The amended Indiana data breach notification law, effective as of July 1, 2022, is discussed in detail below.

Indiana Data Breach Notification Law: Way Back in 2006…

The Indiana data breach notification law became effective in July of 2006. The law applies to database owners that do business in Indiana. A database owner is a person or entity that owns or licenses computerized data that includes personal information. An entity “does business in Indiana” when that entity owns or uses the information of an Indiana resident for commercial purposes.

What is the Indiana Data Breach Notification Law? It’s Personal

The Indiana data breach notification law requires database owners to notify consumers when there has been a security breach involving their personal information. 

“Personal information” includes:

  • A social security number that is neither encrypted nor redacted
  • An individual’s first and last names, or first initial and last name, plus one or more of the following pieces of data that are neither encrypted nor redacted:
    • Driver license number
    • State identification card number
    • Credit card number
    • Financial account number or debit card number, in combination with a security code, password, or access code that would permit access to an individual’s account

What is the Indiana Data Breach Notification Law? Let’s be Reasonable

Prior to the 2022 amendment to the Indiana data breach notification law, database owners were required to notify individuals of security breaches of their personal data. 

More specifically, database owners were required, upon discovering or being notified of a breach of the security of data, to:

  1. Disclose the breach to residents whose unencrypted personal information may have been accessed or acquired by an unauthorized person. 
  2. Disclose the breach to residents whose encrypted personal information was, or may have been, acquired by an unauthorized person with access to the encryption key.

The law was not particularly clear on how long database owners had to notify these individuals. The law simply stated that an entity required to make a notification “shall make the disclosure or notification without unreasonable delay.”

The law threw clarity a small bone, defining a “reasonable delay” as a delay that is:

  1. Necessary to restore the integrity of a computer system
  2. Necessary to discover the scope of the breach
  3. In response to a request by law enforcement or the Indiana Attorney General to delay notification because disclosure would impede a criminal or civil investigation, or jeopardize national security

Pre-amendment, a database owner with a notification obligation who delayed that notification could take its time. The database owner was not required to provide notification until after the delay was no longer necessary to discover the scope of the breach. Unsurprisingly, many database owners just happened to take a long time to discover the scope of the breach.