CHAPTER 14. PERSONS HOLDING A CUSTOMER'S PERSONAL INFORMATION

IC 24-4-14
Chapter 14. Persons Holding a Customer's Personal Information

IC 24-4-14-1
Applicability
    Sec. 1. This chapter does not apply to the following:
        (1) The executive, judicial, or legislative department of stategovernment or any political subdivision.
        (2) A unit (as defined in IC 36-1-2-23).
        (3) The office of county auditor.
        (4) The office of county treasurer.
        (5) The office of county recorder.
        (6) The office of county surveyor.
        (7) A county sheriff's department.
        (8) The office of county coroner.
        (9) The office of county assessor.
        (10) A person who engages in the business of waste collection,except to the extent the person holds a customer's personalinformation directly in connection with the business of wastecollection.
        (11) A person who maintains and complies with a disposalprogram under:
            (A) the federal USA Patriot Act (P.L.107-56);
            (B) Executive Order 13224;
            (C) the federal Driver's Privacy Protection Act (18 U.S.C.2721 et seq.);
            (D) the federal Fair Credit Reporting Act (15 U.S.C. 1681 etseq.);
            (E) the federal Financial Modernization Act of 1999 (15U.S.C. 6801 et seq.); or
            (F) the federal Health Insurance Portability andAccountability Act (HIPAA) (P.L.104-191);
        if applicable.
As added by P.L.125-2006, SEC.5.

IC 24-4-14-2
"Customer"
    Sec. 2. As used in this chapter, "customer" means a person who:
        (1) has:
            (A) received; or
            (B) contracted for;
        the direct or indirect provision of goods or services fromanother person holding the person's personal information; or
        (2) provides the person's personal information to another personin connection with a transaction with a nonprofit corporation orcharitable organization.
The term includes a person who pays a commission, a consignmentfee, or another fee contingent on the completion of a transaction.
As added by P.L.125-2006, SEC.5.
IC 24-4-14-3
"Dispose of"
    Sec. 3. As used in this chapter, "dispose of" means to discard orabandon the personal information of a customer in an area accessibleto the public. The term includes placing the personal information ina container for trash collection.
As added by P.L.125-2006, SEC.5.

IC 24-4-14-4
"Encrypted"
    Sec. 4. For purposes of this chapter, personal information is"encrypted" if the personal information:
        (1) has been transformed through the use of an algorithmicprocess into a form in which there is a low probability ofassigning meaning without use of a confidential process or key;or
        (2) is secured by another method that renders the personalinformation unreadable or unusable.
As added by P.L.125-2006, SEC.5.

IC 24-4-14-5
"Person"
Sec. 5. As used in this chapter, "person" means an individual, apartnership, a corporation, a limited liability company, or anotherorganization.
As added by P.L.125-2006, SEC.5.

IC 24-4-14-6
"Personal information"
Sec. 6. As used in this chapter, "personal information" has themeaning set forth in IC 24-4.9-2-10. The term includes informationstored in a digital format.
As added by P.L.125-2006, SEC.5.

IC 24-4-14-7
"Redacted"
    Sec. 7. (a) For purposes of this chapter, personal information is"redacted" if the personal information has been altered or truncatedso that not more than the last four (4) digits of:
        (1) a driver's license number;
        (2) a state identification number; or
        (3) an account number;
is accessible as part of personal information.
    (b) For purposes of this chapter, personal information is"redacted" if the personal information has been altered or truncatedso that not more than five (5) digits of a Social Security number areaccessible as part of personal information.
As added by P.L.125-2006, SEC.5.

IC 24-4-14-8 Disposal of personal information; infraction
    Sec. 8. A person who disposes of the unencrypted, unredactedpersonal information of a customer without shredding, incinerating,mutilating, erasing, or otherwise rendering the information illegibleor unusable commits a Class C infraction. However, the offense is aClass A infraction if:
        (1) the person violates this section by disposing of theunencrypted, unredacted personal information of more than onehundred (100) customers; or
        (2) the person has a prior unrelated judgment for a violation ofthis section.
As added by P.L.125-2006, SEC.5.