Security Breach Notification Law in the State of Indiana

February 28, 2022 | 4 minutes read
Security Breach Notification Law in the State of Indiana

Ind. Code §§ 4-1-11, 24-4.9 is a data breach notification law that was passed in the U.S. state of Indiana in 2006 and was later amended in 2009. The law sets forth the requirements that businesses within the state are required to uphold should a data breach occur, and also provides the Indiana attorney general with the authority to impose numerous legal punishments against individuals and entities that are found to be in violation of the law. With this being said, Ind. Code §§ 4-1-11, 24-4.9 represents the primary means by which residents of the state of Indiana can secure their identity and privacy should any personal data pertaining to them become compromised due to a security breach.

How is a security breach defined under Ind. Code §§ 4-1-11, 24-4.9?

Under Ind. Code §§ 4-1-11, 24-4.9, a security breach is defined as “an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by an Entity. The term includes the unauthorized acquisition of computerized data that has been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.” Alternatively, as it concerns the scope and applicability of the law, Ind. Code §§ 4-1-11, 24-4.9 applies to “any individual, corporation, business trust, estate, trust, partnership, association, nonprofit corporation or organization, cooperative, state agency or any other legal entity (collectively, Entity) that owns or licenses computerized data that includes PI.”

What are the security breach notification requirements under Ind. Code §§ 4-1-11, 24-4.9?

Under Ind. Code §§ 4-1-11, 24-4.9, business entities within the state of Indiana are required to provide notice to all affected parties in the event that a data breach occurs. These notices may be provided to consumers via mail, telephone, fax, or email communication, and must be provided to said consumers without unreasonable delay. Moreover, affected entities must also provide notice to the Indiana attorney general, as well as the three major credit reporting agencies within the U.S., should a security breach impact more than 1,000 residents within the state. Third parties that collect or process information concerning residents of Indiana must also abide by the provisions set forth in Ind. Code §§ 4-1-11, 24-4.9.

What categories of personal information are covered under Ind. Code §§ 4-1-11, 24-4.9?

Under Ind. Code §§ 4-1-11, 24-4.9, the following data elements are covered should a data breach occur, in conjunction with an Indiana resident’s first name or first initial and last name, under circumstances where said information has not been encrypted or redacted:

What are the penalties for violating Ind. Code §§ 4-1-11, 24-4.9?

In terms of the penalties that can be imposed against businesses and organizations that fail to comply with Ind. Code §§ 4-1-11, 24-4.9, the provisions of the law are enforced by the Indiana attorney general. To this point, the Indiana attorney general has the authority to engage in various legal actions as it relates to non-compliance with the law. More specifically “a person or organization that fails to comply with the provision of the disclosure or commits a deceptive
act (failure to make a required disclosure) is susceptible to action only by the attorney general. The attorney general may apply a civil penalty of not more than $150,000 per deceptive act or an injunction to enjoin future violations subject to investigation of the deceptive act.”

While data breaches were not widespread in 2006 as they are currently in 2022, legislation such as Ind. Code §§ 4-1-11, 24-4.9 provides American citizens with a means to seek justice and compensation in the event that they experience the adverse effects of a data breach. While the categories of personal information that are protected under the law are somewhat limited when compared to more modern standards, they still provide citizens of Indiana with enough coverage to safeguard their identity and personal privacy following the occurrence of a data breach. As such, Indiana, much like other states around the country, will likely consider adopting a more updated data breach notification law in the near future, as the threat and possibility of such events only grow more likely with each passing day.

Related Reads

Anyone doing business in or with the EU's 27 member states must take redaction seriously or possibly face million euro fines.
June 20, 2024 | 5 minutes read
The EU’s GDPR And How To Best Comply In 2024

What is the GDPR? How do you comply? With CaseGuard Studio, the all-in-one redaction solution, sensitive data redaction is made simple with powerful AI tools.

Learn More »
Two police officers on motor cycles watching people use a cross walk in the UK.
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Doctor in green scrubs looking at multiple computer screens with sensitive medical information on them
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
healthcare worker
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
surveillance-cameras
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The word "Security" with a curser near by
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »