What is the Indiana Data Breach Notification Law? Let’s be Reasonable
Prior to the 2022 amendment to the Indiana data breach notification law, database owners were required to notify individuals of security breaches of their personal data.
More specifically, database owners were required, upon discovering or being notified of a breach of the security of data, to:
- Disclose the breach to residents whose unencrypted personal information may have been accessed or acquired by an unauthorized person.
- Disclose the breach to residents whose encrypted personal information was, or may have been, acquired by an unauthorized person with access to the encryption key.
The law was not particularly clear on how long database owners had to notify these individuals. The law simply stated that an entity required to make a notification “shall make the disclosure or notification without unreasonable delay.”
The law through clarity a small bone, defining a “reasonable delay” as a delay that is:
- Necessary to restore the integrity of a computer system
- Necessary to discover the scope of the breach
- In response to a request by law enforcement or the Indiana Attorney General to delay notification because disclosure would impede a criminal or civil investigation, or jeopardize national security
Pre-amendment, a database owner with a notification obligation who delayed that notification could take its time. The database owner was not required to provide notification until after delay was no longer necessary to discover the scope of the breach. Unsurprisingly, many database owners just happened to take a long time to discover the scope of the breach.