CHAPTER 11. NOTICE OF SECURITY BREACH
IC 4-1-11
Chapter 11. Notice of Security Breach
IC 4-1-11-1
Applicability
Sec. 1. This chapter applies after June 30, 2006.
As added by P.L.91-2005, SEC.2.
IC 4-1-11-2
"Breach of the security of the system"
Sec. 2. (a) As used in this chapter, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state or local agency.
(b) The term does not include the following:
(1) Good faith acquisition of personal information by an agency or employee of the agency for purposes of the agency, if the personal information is not used or subject to further unauthorized disclosure.
(2) Unauthorized acquisition of a portable electronic device on which personal information is stored if access to the device is protected by a password that has not been disclosed.
As added by P.L.91-2005, SEC.2.
IC 4-1-11-3
"Personal information"
Sec. 3. (a) As used in this chapter, "personal information" means:
(1) an individual's:
(A) first name and last name; or
(B) first initial and last name; and
(2) at least one (1) of the following data elements:
(A) Social Security number.
(B) Driver's license number or identification card number.
(C) Account number, credit card number, debit card number, security code, access code, or password of an individual's financial account.
(b) The term does not include the following:
(1) The last four (4) digits of an individual's Social Security number.
(2) Publicly available information that is lawfully made available to the public from records of a federal agency or local agency.
As added by P.L.91-2005, SEC.2.
IC 4-1-11-4
"State agency"
Sec. 4. As used in this section "state agency" has the meaning set forth in IC 4-1-10-2.
As added by P.L.91-2005, SEC.2.
IC 4-1-11-5
Disclosures of security breach
Sec. 5. (a) Any state agency that owns or licenses computerized data that includes personal information shall disclose a breach of the security of the system following discovery or notification of the breach to any state resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.
(b) The disclosure of a breach of the security of the system shall be made:
(1) without unreasonable delay; and
(2) consistent with:
(A) the legitimate needs of law enforcement, as described in section 7 of this chapter; and
(B) any measures necessary to:
(i) determine the scope of the breach; and
(ii) restore the reasonable integrity of the data system.
As added by P.L.91-2005, SEC.2.
IC 4-1-11-6
Notification to third party owner of security breach
Sec. 6. (a) This section applies to a state agency that maintains computerized data that includes personal information that the state agency does not own.
(b) If personal information was or is reasonably believed to have been acquired by an unauthorized person, the state agency shall notify the owner or licensee of the information of a breach of the security of the system immediately following discovery. The agency shall provide the notice to state residents as required under section 5 of this chapter.
As added by P.L.91-2005, SEC.2.
IC 4-1-11-7
Time requirement for notification
Sec. 7. The notification required by this chapter:
(1) may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation; and
(2) shall be made after the law enforcement agency determines that it will not compromise the investigation.
As added by P.L.91-2005, SEC.2.
IC 4-1-11-8
Form of notification
Sec. 8. Except as provided in section 9 of this chapter, a state agency may provide the notice required under this chapter:
(1) in writing; or
(2) by electronic mail, if the individual has provided the state agency with the individual's electronic mail address.
As added by P.L.91-2005, SEC.2.
IC 4-1-11-9
Alternate form of notification
Sec. 9. (a) This section applies if a state agency demonstrates that:
(1) the cost of providing the notice required under this chapter is at least two hundred fifty thousand dollars ($250,000);
(2) the number of persons to be notified is at least five hundred thousand (500,000); or
(3) the agency does not have sufficient contact information;
the state agency may use an alternate form of notice set forth in subsection (b).
(b) A state agency may provide the following alternate forms of notice if authorized by subsection (a):
(1) Conspicuous posting of the notice on the state agency's web site if the state agency maintains a web site.
(2) Notification to major statewide media.
As added by P.L.91-2005, SEC.2.
IC 4-1-11-10
Notification to consumer reporting agencies
Sec. 10. If a state agency is required to provide notice under this chapter to more than one thousand (1,000) individuals, the state agency shall notify without unreasonable delay all consumer reporting agencies (as defined in 15 U.S.C. 1681a) of the distribution and content of the notice.
As added by P.L.91-2005, SEC.2. Amended by P.L.1-2006, SEC.7.