CHAPTER 3. DISCLOSURE AND NOTIFICATION REQUIREMENTS
IC 24-4.9-3
Chapter 3. Disclosure and Notification Requirements
IC 24-4.9-3-1
Disclosure of breach
Sec. 1. (a) Except as provided in section 4(c), 4(d), and 4(e) of
this chapter, after discovering or being notified of a breach of the
security of data, the data base owner shall disclose the breach to an
Indiana resident whose:
(1) unencrypted personal information was or may have been
acquired by an unauthorized person; or
(2) encrypted personal information was or may have been
acquired by an unauthorized person with access to the
encryption key;
if the data base owner knows, should know, or should have known
that the unauthorized acquisition constituting the breach has resulted
in or could result in identity deception (as defined in IC 35-43-5-3.5),
identity theft, or fraud affecting the Indiana resident.
(b) A data base owner required to make a disclosure under
subsection (a) to more than one thousand (1,000) consumers shall
also disclose to each consumer reporting agency (as defined in 15
U.S.C. 1681a(p)) information necessary to assist the consumer
reporting agency in preventing fraud, including personal information
of an Indiana resident affected by the breach of the security of a
system.
(c) If a data base owner makes a disclosure described in
subsection (a), the data base owner shall also disclose the breach to
the attorney general.
As added by P.L.125-2006, SEC.6. Amended by P.L.137-2009,
SEC.4.
IC 24-4.9-3-2
Notification of data base owner
Sec. 2. A person that maintains computerized data but that is not
a data base owner shall notify the data base owner if the person
discovers that personal information was or may have been acquired
by an unauthorized person.
As added by P.L.125-2006, SEC.6.
IC 24-4.9-3-3
Delay of disclosure or notification
Sec. 3. (a) A person required to make a disclosure or notification
under this chapter shall make the disclosure or notification without
unreasonable delay. For purposes of this section, a delay is
reasonable if the delay is:
(1) necessary to restore the integrity of the computer system;
(2) necessary to discover the scope of the breach; or
(3) in response to a request from the attorney general or a law
enforcement agency to delay disclosure because disclosure will:
(A) impede a criminal or civil investigation; or
(B) jeopardize national security.
(b) A person required to make a disclosure or notification under
this chapter shall make the disclosure or notification as soon as
possible after:
(1) delay is no longer necessary to restore the integrity of the
computer system or to discover the scope of the breach; or
(2) the attorney general or a law enforcement agency notifies
the person that delay will no longer impede a criminal or civil
investigation or jeopardize national security.
As added by P.L.125-2006, SEC.6.
IC 24-4.9-3-3.5
Duties of a data base owner; exceptions; enforcement powers
Sec. 3.5. (a) This section does not apply to a data base owner that
maintains its own data security procedures as part of an information
privacy, security policy, or compliance plan under:
(1) the federal USA PATRIOT Act (P.L. 107-56);
(2) Executive Order 13224;
(3) the federal Driver's Privacy Protection Act (18 U.S.C. 2721
et seq.);
(4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.);
(5) the federal Financial Modernization Act of 1999 (15 U.S.C.
6801 et seq.); or
(6) the federal Health Insurance Portability and Accountability
Act (HIPAA) (P.L. 104-191);
if the data base owner's information privacy, security policy, or
compliance plan requires the data base owner to maintain reasonable
procedures to protect and safeguard from unlawful use or disclosure
personal information of Indiana residents that is collected or
maintained by the data base owner and the data base owner complies
with the data base owner's information privacy, security policy, or
compliance plan.
(b) A data base owner shall implement and maintain reasonable
procedures, including taking any appropriate corrective action, to
protect and safeguard from unlawful use or disclosure any personal
information of Indiana residents collected or maintained by the data
base owner.
(c) A data base owner shall not dispose of records or documents
containing unencrypted and unredacted personal information of
Indiana residents without shredding, incinerating, mutilating, erasing,
or otherwise rendering the personal information illegible or unusable.
(d) A person that knowingly or intentionally fails to comply with
any provision of this section commits a deceptive act that is
actionable only by the attorney general under this section.
(e) The attorney general may bring an action under this section to
obtain any or all of the following:
(1) An injunction to enjoin further violations of this section.
(2) A civil penalty of not more than five thousand dollars
($5,000) per deceptive act.
(3) The attorney general's reasonable costs in:
(A) the investigation of the deceptive act; and
(B) maintaining the action.
(f) A failure to comply with subsection (b) or (c) in connection
with related acts or omissions constitutes one (1) deceptive act.
As added by P.L.137-2009, SEC.5.
IC 24-4.9-3-4
Method of disclosure; exceptions
Sec. 4. (a) Except as provided in subsection (b), a data base owner
required to make a disclosure under this chapter shall make the
disclosure using one (1) of the following methods:
(1) Mail.
(2) Telephone.
(3) Facsimile (fax).
(4) Electronic mail, if the data base owner has the electronic
mail address of the affected Indiana resident.
(b) If a data base owner required to make a disclosure under this
chapter is required to make the disclosure to more than five hundred
thousand (500,000) Indiana residents, or if the data base owner
required to make a disclosure under this chapter determines that the
cost of the disclosure will be more than two hundred fifty thousand
dollars ($250,000), the data base owner required to make a disclosure
under this chapter may elect to make the disclosure by using both of
the following methods:
(1) Conspicuous posting of the notice on the web site of the
data base owner, if the data base owner maintains a web site.
(2) Notice to major news reporting media in the geographic area
where Indiana residents affected by the breach of the security
of a system reside.
(c) A data base owner that maintains its own disclosure
procedures as part of an information privacy policy or a security
policy is not required to make a separate disclosure under this
chapter if the data base owner's information privacy policy or
security policy is at least as stringent as the disclosure requirements
described in:
(1) sections 1 through 4(b) of this chapter;
(2) subsection (d); or
(3) subsection (e).
(d) A data base owner that maintains its own disclosure
procedures as part of an information privacy, security policy, or
compliance plan under:
(1) the federal USA PATRIOT Act (P.L. 107-56);
(2) Executive Order 13224;
(3) the federal Driver's Privacy Protection Act (18 U.S.C. 2721
et seq.);
(4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.);
(5) the federal Financial Modernization Act of 1999 (15 U.S.C.
6801 et seq.); or
(6) the federal Health Insurance Portability and Accountability
Act (HIPAA) (P.L. 104-191);
is not required to make a disclosure under this chapter if the data
base owner's information privacy, security policy, or compliance plan
requires that Indiana residents be notified of a breach of the security
of data without unreasonable delay and the data base owner complies
with the data base owner's information privacy, security policy, or
compliance plan.
(e) A financial institution that complies with the disclosure
requirements prescribed by the Federal Interagency Guidance on
Response Programs for Unauthorized Access to Customer
Information and Customer Notice or the Guidance on Response
Programs for Unauthorized Access to Member Information and
Member Notice, as applicable, is not required to make a disclosure
under this chapter.
(f) A person required to make a disclosure under this chapter may
elect to make all or part of the disclosure in accordance with
subsection (a) even if the person could make the disclosure in
accordance with subsection (b).
As added by P.L.125-2006, SEC.6. Amended by P.L.137-2009,
SEC.6.