CHAPTER 11. NOTICE OF SECURITY BREACH

IC 4-1-11
     Chapter 11. Notice of Security Breach

IC 4-1-11-1
Applicability
    
Sec. 1. This chapter applies after June 30, 2006.
As added by P.L.91-2005, SEC.2.

IC 4-1-11-2
"Breach of the security of the system"
    
Sec. 2. (a) As used in this chapter, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state or local agency.
    (b) The term does not include the following:
        (1) Good faith acquisition of personal information by an agency or employee of the agency for purposes of the agency, if the personal information is not used or subject to further unauthorized disclosure.
        (2) Unauthorized acquisition of a portable electronic device on which personal information is stored if access to the device is protected by a password that has not been disclosed.
As added by P.L.91-2005, SEC.2.

IC 4-1-11-3
"Personal information"
    
Sec. 3. (a) As used in this chapter, "personal information" means:
        (1) an individual's:
            (A) first name and last name; or
            (B) first initial and last name; and
        (2) at least one (1) of the following data elements:
            (A) Social Security number.
            (B) Driver's license number or identification card number.
            (C) Account number, credit card number, debit card number, security code, access code, or password of an individual's financial account.
    (b) The term does not include the following:
        (1) The last four (4) digits of an individual's Social Security number.
        (2) Publicly available information that is lawfully made available to the public from records of a federal agency or local agency.
As added by P.L.91-2005, SEC.2.

IC 4-1-11-4
"State agency"
    
Sec. 4. As used in this section, "state agency" has the meaning set forth in IC 4-1-10-2.
As added by P.L.91-2005, SEC.2.

IC 4-1-11-5
Disclosures of security breach
    
Sec. 5. (a) Any state agency that owns or licenses computerized data that includes personal information shall disclose a breach of the security of the system following discovery or notification of the breach to any state resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.
    (b) The disclosure of a breach of the security of the system shall be made:
        (1) without unreasonable delay; and
        (2) consistent with:
            (A) the legitimate needs of law enforcement, as described in section 7 of this chapter; and
            (B) any measures necessary to:
                (i) determine the scope of the breach; and
                (ii) restore the reasonable integrity of the data system.
As added by P.L.91-2005, SEC.2.

IC 4-1-11-6
Notification to third party owner of security breach
    
Sec. 6. (a) This section applies to a state agency that maintains computerized data that includes personal information that the state agency does not own.
    (b) If personal information was or is reasonably believed to have been acquired by an unauthorized person, the state agency shall notify the owner or licensee of the information of a breach of the security of the system immediately following discovery. The agency shall provide the notice to state residents as required under section 5 of this chapter.
As added by P.L.91-2005, SEC.2.

IC 4-1-11-7
Time requirement for notification
    
Sec. 7. The notification required by this chapter:
        (1) may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation; and
        (2) shall be made after the law enforcement agency determines that it will not compromise the investigation.
As added by P.L.91-2005, SEC.2.

IC 4-1-11-8
Form of notification
    
Sec. 8. Except as provided in section 9 of this chapter, a state agency may provide the notice required under this chapter:
        (1) in writing; or
        (2) by electronic mail, if the individual has provided the state agency with the individual's electronic mail address.
As added by P.L.91-2005, SEC.2.

IC 4-1-11-9
Alternate form of notification
    
Sec. 9. (a) This section applies if a state agency demonstrates that:
        (1) the cost of providing the notice required under this chapter is at least two hundred fifty thousand dollars ($250,000);
        (2) the number of persons to be notified is at least five hundred thousand (500,000); or
        (3) the agency does not have sufficient contact information;
the state agency may use an alternate form of notice set forth in subsection (b).
    (b) A state agency may provide the following alternate forms of notice if authorized by subsection (a):
        (1) Conspicuous posting of the notice on the state agency's web site if the state agency maintains a web site.
        (2) Notification to major statewide media.
As added by P.L.91-2005, SEC.2.

IC 4-1-11-10
Notification to consumer reporting agencies
    
Sec. 10. If a state agency is required to provide notice under this chapter to more than one thousand (1,000) individuals, the state agency shall notify without unreasonable delay all consumer reporting agencies (as defined in 15 U.S.C. 1681a) of the distribution and content of the notice.
As added by P.L.91-2005, SEC.2. Amended by P.L.1-2006, SEC.7.