Security Breach Notification Law in the State of Indiana
Ind. Code §§ 4-1-11, 24-4.9 is a data breach notification law that was passed in the U.S. state of Indiana in 2006 and was later amended in 2009. The law sets forth the requirements that businesses within the state are required to uphold should a data breach occur, and also provides the Indiana attorney general with the authority to impose numerous legal punishments against individuals and entities that are found to be in violation of the law. With this being said, Ind. Code §§ 4-1-11, 24-4.9 represents the primary means by which residents of the state of Indiana can secure their identity and privacy should any personal data pertaining to them become compromised due to a security breach.
How is a security breach defined under Ind. Code §§ 4-1-11, 24-4.9?
Under Ind. Code §§ 4-1-11, 24-4.9, a security breach is defined as “an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by an Entity. The term includes the unauthorized acquisition of computerized data that has been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.” Alternatively, as it concerns the scope and applicability of the law, Ind. Code §§ 4-1-11, 24-4.9 applies to “any individual, corporation, business trust, estate, trust, partnership, association, nonprofit corporation or organization, cooperative, state agency or any other legal entity (collectively, Entity) that owns or licenses computerized data that includes PI.”
What are the security breach notification requirements under Ind. Code §§ 4-1-11, 24-4.9?
Under Ind. Code §§ 4-1-11, 24-4.9, business entities within the state of Indiana are required to provide notice to all affected parties in the event that a data breach occurs. These notices may be provided to consumers via mail, telephone, fax, or email communication, and must be provided to said consumers without unreasonable delay. Moreover, affected entities must also provide notice to the Indiana attorney general, as well as the three major credit reporting agencies within the U.S., should a security breach impact more than 1,000 residents within the state. Third parties that collect or process information concerning residents of Indiana must also abide by the provisions set forth in Ind. Code §§ 4-1-11, 24-4.9.
What categories of personal information are covered under Ind. Code §§ 4-1-11, 24-4.9?
Under Ind. Code §§ 4-1-11, 24-4.9, the following data elements are covered should a data breach occur, in conjunction with an Indiana resident’s first name or first initial and last name, under circumstances where said information has not been encrypted or redacted:
- Social security numbers.
- Financial account numbers, including credit and debit cards.
- Passwords, access codes, and security codes that could be used to permit entry into an individual’s financial account.
- Driver’s license numbers and state identification card numbers.
What are the penalties for violating Ind. Code §§ 4-1-11, 24-4.9?
In terms of the penalties that can be imposed against businesses and organizations that fail to comply with Ind. Code §§ 4-1-11, 24-4.9, the provisions of the law are enforced by the Indiana attorney general. To this point, the Indiana attorney general has the authority to engage in various legal actions as it relates to non-compliance with the law. More specifically “a person or organization that fails to comply with the provision of the disclosure or commits a deceptive
act (failure to make a required disclosure) is susceptible to action only by the attorney general. The attorney general may apply a civil penalty of not more than $150,000 per deceptive act or an injunction to enjoin future violations subject to investigation of the deceptive act.”
While data breaches were not widespread in 2006 as they are currently in 2022, legislation such as Ind. Code §§ 4-1-11, 24-4.9 provides American citizens with a means to seek justice and compensation in the event that they experience the adverse effects of a data breach. While the categories of personal information that are protected under the law are somewhat limited when compared to more modern standards, they still provide citizens of Indiana with enough coverage to safeguard their identity and personal privacy following the occurrence of a data breach. As such, Indiana, much like other states around the country, will likely consider adopting a more updated data breach notification law in the near future, as the threat and possibility of such events only grow more likely with each passing day.