Update to Indiana Data Breach Notification Law Shortens Timeline for Notifications

On July 1, 2022, updated data breach notification laws (HB 1351) will take effect in Indiana that require notifications to be issued within 45 days of the discovery of a breach of the personally identifiable information (PII) of Indiana residents.

Currently, the law only requires notifications to be issued without unreasonable delay, with no fixed deadline. The update adds the 45-day limit to ensure that individuals whose PII has been exposed receive timely notification. Even under the new law, individual notifications should still be issued without unreasonable delay, and the 45 days is an outer limit rather than a target.

A delay is considered reasonable when one of the following conditions applies:

1) It is necessary to delay notification to restore the integrity of computer systems.

2) It is necessary to delay notification to discover the scope of the breach.

3) The state attorney general or law enforcement has requested a delay to ensure that criminal or civil investigations are not impeded, or notifications have the potential to jeopardize national security.

In such cases, notifications should be issued as soon as the reason for the delay no longer applies: when the integrity of computer systems has been restored, when the scope of the breach is known, or when law enforcement or the state attorney general advises the breached entity that notification will no longer impede a criminal or civil investigation or threaten national security.

The new law applies to breaches of the security of a system housing unencrypted PII where PII is known to have been stolen or may have been stolen, and to breaches where encrypted PII has been exposed or stolen and an unauthorized person may have access to the encryption key that would allow the data to be decrypted.

Personal information is defined as a Social Security number, or an individual’s first and last names (or first initial and last name) in combination with one or more of the following data elements: driver’s license number; state identification card number; credit card number; or financial account number or debit card number in combination with a security code, password, or access code.

Consumer reporting agencies must be notified if the breach affects more than 1,000 Indiana residents. Breaches must also be reported to the state attorney general. Failure to comply with the data breach notification requirements can result in civil monetary penalties of up to $150,000, imposed by the state attorney general, plus the attorney general’s reasonable costs of investigating and maintaining the action.

Entities exempt from the new law include those that maintain their own data security procedures as part of an information privacy policy, security policy, or compliance plan under:

  • The Gramm-Leach-Bliley Act
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The USA Patriot Act
  • Executive Order 13224
  • The Driver Privacy Protection Act
  • The Fair Credit Reporting Act

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.