Understanding Indiana's Data Breach Notification Law

As cybersecurity incidents become increasingly common, states have implemented laws to protect consumers and regulate how businesses must respond to data breaches. In Indiana, the Disclosure of Security Breach Act (Ind. Code § 24-4.9 et seq.) outlines the requirements for notifying affected individuals when their personal information may have been compromised. 

Overview  

The Indiana breach notification law applies to any data collector that owns or licenses personal information of Indiana residents. In the event of a security breach, these entities must disclose it to affected Indiana residents quickly. 

Key Terms Explained 

Steps After a Data Breach  

If your company suffers a data breach impacting Indiana residents' personal information, you must take the following steps: 

1. Conduct a reasonable and prompt investigation to determine the likelihood that personal information was or will be misused. 
   

1. As soon as possible, disclose the breach to affected Indiana residents. This notice must include: 
   

• Description of the breach 

• Types of personal information impacted 

• Steps taken to protect the residents from identity deception/fraud 

• Contact information for credit reporting agencies 
  

1. Notify the Indiana Attorney General if the breach impacts more than 500 Indiana residents. 
   

1. Consult legal counsel, as additional requirements may apply based on the type of business, information compromised, and number of residents impacted. 
   

Failure to properly notify (in accordance with Indiana's law) can result in fines of $150,000 per deceptive act. Acting promptly and transparently reduces risks and costs. 

By understanding your obligations under the Indiana breach notification law, you can ensure your business responds appropriately and avoids penalties in the unfortunate event of a data breach incident.