IC 24-4.9-3
    Chapter 3. Disclosure and Notification Requirements

IC 24-4.9-3-1
Disclosure of breach
    
Sec. 1. (a) Except as provided in section 4(c), 4(d), and 4(e) of this chapter, after discovering or being notified of a breach of the security of data, the data base owner shall disclose the breach to an Indiana resident whose:
        (1) unencrypted personal information was or may have been acquired by an unauthorized person; or
        (2) encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key;
if the data base owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception (as defined in IC 35-43-5-3.5), identity theft, or fraud affecting the Indiana resident.
    (b) A data base owner required to make a disclosure under subsection (a) to more than one thousand (1,000) consumers shall also disclose to each consumer reporting agency (as defined in 15 U.S.C. 1681a(p)) information necessary to assist the consumer reporting agency in preventing fraud, including personal information of an Indiana resident affected by the breach of the security of a system.
    (c) If a data base owner makes a disclosure described in subsection (a), the data base owner shall also disclose the breach to the attorney general.
As added by P.L.125-2006, SEC.6. Amended by P.L.137-2009, SEC.4.

IC 24-4.9-3-2
Notification of data base owner
    
Sec. 2. A person that maintains computerized data but that is not a data base owner shall notify the data base owner if the person discovers that personal information was or may have been acquired by an unauthorized person.
As added by P.L.125-2006, SEC.6.

IC 24-4.9-3-3
Delay of disclosure or notification
    
Sec. 3. (a) A person required to make a disclosure or notification under this chapter shall make the disclosure or notification without unreasonable delay. For purposes of this section, a delay is reasonable if the delay is:
        (1) necessary to restore the integrity of the computer system;
        (2) necessary to discover the scope of the breach; or
        (3) in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will:
            (A) impede a criminal or civil investigation; or
            (B) jeopardize national security.
    (b) A person required to make a disclosure or notification under this chapter shall make the disclosure or notification as soon as possible after:
        (1) delay is no longer necessary to restore the integrity of the computer system or to discover the scope of the breach; or
        (2) the attorney general or a law enforcement agency notifies the person that delay will no longer impede a criminal or civil investigation or jeopardize national security.
As added by P.L.125-2006, SEC.6.

IC 24-4.9-3-3.5
Duties of a data base owner; exceptions; enforcement powers
    
Sec. 3.5. (a) This section does not apply to a data base owner that maintains its own data security procedures as part of an information privacy, security policy, or compliance plan under:
        (1) the federal USA PATRIOT Act (P.L. 107-56);
        (2) Executive Order 13224;
        (3) the federal Driver's Privacy Protection Act (18 U.S.C. 2721 et seq.);
        (4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
        (5) the federal Financial Modernization Act of 1999 (15 U.S.C. 6801 et seq.); or
        (6) the federal Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191);
if the data base owner's information privacy, security policy, or compliance plan requires the data base owner to maintain reasonable procedures to protect and safeguard from unlawful use or disclosure personal information of Indiana residents that is collected or maintained by the data base owner and the data base owner complies with the data base owner's information privacy, security policy, or compliance plan.
    (b) A data base owner shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any personal information of Indiana residents collected or maintained by the data base owner.
    (c) A data base owner shall not dispose of records or documents containing unencrypted and unredacted personal information of Indiana residents without shredding, incinerating, mutilating, erasing, or otherwise rendering the personal information illegible or unusable.
    (d) A person that knowingly or intentionally fails to comply with any provision of this section commits a deceptive act that is actionable only by the attorney general under this section.
    (e) The attorney general may bring an action under this section to obtain any or all of the following:
        (1) An injunction to enjoin further violations of this section.
        (2) A civil penalty of not more than five thousand dollars ($5,000) per deceptive act.
        (3) The attorney general's reasonable costs in:
            (A) the investigation of the deceptive act; and
            (B) maintaining the action.
    (f) A failure to comply with subsection (b) or (c) in connection with related acts or omissions constitutes one (1) deceptive act.
As added by P.L.137-2009, SEC.5.

IC 24-4.9-3-4
Method of disclosure; exceptions
    
Sec. 4. (a) Except as provided in subsection (b), a data base owner required to make a disclosure under this chapter shall make the disclosure using one (1) of the following methods:
        (1) Mail.
        (2) Telephone.
        (3) Facsimile (fax).
        (4) Electronic mail, if the data base owner has the electronic mail address of the affected Indiana resident.
    (b) If a data base owner required to make a disclosure under this chapter is required to make the disclosure to more than five hundred thousand (500,000) Indiana residents, or if the data base owner required to make a disclosure under this chapter determines that the cost of the disclosure will be more than two hundred fifty thousand dollars ($250,000), the data base owner required to make a disclosure under this chapter may elect to make the disclosure by using both of the following methods:
        (1) Conspicuous posting of the notice on the web site of the data base owner, if the data base owner maintains a web site.
        (2) Notice to major news reporting media in the geographic area where Indiana residents affected by the breach of the security of a system reside.
    (c) A data base owner that maintains its own disclosure procedures as part of an information privacy policy or a security policy is not required to make a separate disclosure under this chapter if the data base owner's information privacy policy or security policy is at least as stringent as the disclosure requirements described in:
        (1) sections 1 through 4(b) of this chapter;
        (2) subsection (d); or
        (3) subsection (e).
    (d) A data base owner that maintains its own disclosure procedures as part of an information privacy, security policy, or compliance plan under:
        (1) the federal USA PATRIOT Act (P.L. 107-56);
        (2) Executive Order 13224;
        (3) the federal Driver's Privacy Protection Act (18 U.S.C. 2781 et seq.);
        (4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
        (5) the federal Financial Modernization Act of 1999 (15 U.S.C. 6801 et seq.); or
        (6) the federal Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191);
is not required to make a disclosure under this chapter if the data base owner's information privacy, security policy, or compliance plan requires that Indiana residents be notified of a breach of the security of data without unreasonable delay and the data base owner complies with the data base owner's information privacy, security policy, or compliance plan.
    (e) A financial institution that complies with the disclosure requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice or the Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, as applicable, is not required to make a disclosure under this chapter.
    (f) A person required to make a disclosure under this chapter may elect to make all or part of the disclosure in accordance with subsection (a) even if the person could make the disclosure in accordance with subsection (b).
As added by P.L.125-2006, SEC.6. Amended by P.L.137-2009, SEC.6.