January 20, 2006



HOUSE BILL No. 1101

_____


DIGEST OF HB 1101 (Updated January 17, 2006 7:39 pm - DI 103)



Citations Affected: IC 4-1; IC 16-22; IC 24-4; IC 24-4.9; IC 35-32; IC 35-41; IC 35-43; IC 35-50; noncode.

Synopsis: Security breach disclosure and identity deception. Provides that a person that owns or licenses certain personal information concerning Indiana residents that is contained in a computerized data base must disclose to those Indiana residents without unreasonable delay a security breach in the computerized data base if the security breach could cause the Indiana residents to become victims of identity theft, identity deception, or fraud. Specifies that a person that maintains a computer data base but does not own or license the personal information contained in the data base must notify the data base owner if there is a security breach in the data base. Provides that a data base owner with a privacy plan drafted to comply with certain federal statutes may comply with that plan instead of these provisions if that plan meets the federal requirements, and permits a data base owner with its own privacy plan to comply with its own plan instead of these provisions if its plan is at least as stringent as these provisions or a plan that complies with certain federal statutes. Authorizes the attorney general to bring an action to enforce the disclosure requirements. Requires a state agency to disclose a breach of security involving information submitted or gathered as part of a licensing or permitting application, and makes this information confidential. Provides that a person who disposes of a customer's unencrypted, unredacted personal information without first shredding, incinerating, mutilating, or erasing the personal information commits a Class C infraction. Enhances the
(Continued next page)


Effective: July 1, 2006.



Walorski, Ruppel, Noe, Tincher


    January 5, 2006, read first time and referred to Committee on Public Safety and Homeland Security.
    January 19, 2006, amended, reported _ Do Pass.


Digest Continued

offense to a Class A infraction for a second or subsequent offense, or if the person has unlawfully disposed of the personal information of more than 100 customers. Excludes certain information concerning persons whose license or permit has been revoked, restricted, or suspended. Provides that a person who unlawfully obtains the identifying information of a deceased person commits identity deception. Makes identity deception a Class C felony if a person unlawfully obtains the identities of more than 100 persons or the fair market value of the fraud or harm caused by the identity theft is at least $50,000. Makes possession of a card skimming device with the intent to commit identity deception or fraud a Class D felony and a Class C felony if the device is possessed with the intent to commit terroristic deception. Permits a court to enter a restitution order requiring a person convicted of identity deception to reimburse the victim for additional expenses that arise or are discovered after sentencing or after the entry of a restitution order. Grants a court a five year period in which to order a person convicted of identity deception to pay additional restitution. Provides that a person who commits the offense of identity deception may be tried in any county in which any element of the offense occurs. Provides that jurisdiction for cases of identity deception lies in Indiana if the victim resides in Indiana. Imposes certain fiduciary obligations on members of the governing board of a county hospital.


January 20, 2006

Second Regular Session 114th General Assembly (2006)


PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana Constitution) is being amended, the text of the existing provision will appear in this style type, additions will appear in this style type, and deletions will appear in this style type.
Additions: Whenever a new statutory provision is being enacted (or a new constitutional provision adopted), the text of the new provision will appear in this style type. Also, the word NEW will appear in that style type in the introductory clause of each SECTION that adds a new provision to the Indiana Code or the Indiana Constitution.
Conflict reconciliation: Text in a statute in this style type or this style type reconciles conflicts between statutes enacted by the 2005 Regular Session of the General Assembly.

HOUSE BILL No. 1101


    A BILL FOR AN ACT to amend the Indiana Code concerning commercial law.

Be it enacted by the General Assembly of the State of Indiana:

SOURCE: IC 4-1-11-3; (06)HB1101.1.1. -->     SECTION 1. IC 4-1-11-3, AS ADDED BY P.L.91-2005, SECTION 2, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]: Sec. 3. (a) As used in this chapter, "personal information" means either of the following:
        (1) With respect to an individual's: individual:
            (A) the individual's:
                (i) first name and last name; or (B)
                 (ii) first initial and last name; and
            (2) (B) at least one (1) of the following data elements:
                (A) (i) The individual's Social Security number.
                (B) (ii) The individual's driver's license number or identification card number.
                (C) (iii) Account number, credit card number, debit card number, security code, access code, or password of an the individual's financial account.
        (2) Information collected for the purpose of issuing a license or permit to a person that allows the person to engage in specific employment or perform a specific task in relation to employment in Indiana and that is:
            (A) required to be submitted as part of a license or permit application; or
            (B) gathered as part of the license or permit application screening or approval process.
    (b) The term does not include the following:
        (1) The last four (4) digits of an individual's Social Security number.
        (2) Publicly available information that is lawfully made available to the public from records of a federal agency or local agency.
         (3) If a person has had a license or permit revoked, restricted, or suspended due to an action by the person that makes the person no longer suitable to hold an unrestricted license or permit, the:
            (A) person's full legal name;
            (B) person's city of residence;
            (C) type of license or permit held by the person; and
            (D) facts that caused the person's license or permit to be revoked, restricted, or suspended.
SOURCE: IC 4-1-11-6.5; (06)HB1101.1.2. -->     SECTION 2. IC 4-1-11-6.5 IS ADDED TO THE INDIANA CODE AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]: Sec. 6.5. Personal information is confidential for purposes of IC 5-14-3-4.
SOURCE: IC 16-22-2-10; (06)HB1101.1.3. -->     SECTION 3. IC 16-22-2-10 IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]: Sec. 10. (a) An individual is not prohibited from serving as a member of the governing board if the member:
        (1) has a pecuniary interest in; or
        (2) derives a profit from;
a contract or purchase connected with the hospital. However, the member shall disclose the interest or profit in writing to the board and provide a copy to the state board of accounts. The member shall abstain from voting on any matter that affects the interest or profit.
     (b) The governing board shall adopt a written conflict of interest policy that meets the requirements of subsection (a). The written conflict of interest policy may contain other requirements as determined by the board.
    (c) A member of a governing board who violates this section or the written conflict of interest policy described in subsection (b)

may be removed from the governing board by action of the board.
    (d) The county executive may not:
        (1) reappoint to a governing board; or
        (2) appoint to a governing board;
an individual who violates this section or the written conflict of interest policy described in subsection (b) while serving or after serving as a member of a governing board.

SOURCE: IC 16-22-2.5; (06)HB1101.1.4. -->     SECTION 4. IC 16-22-2.5 IS ADDED TO THE INDIANA CODE AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]:
     Chapter 2.5. Standards for Members of a Governing Board
    Sec. 1. (a) A member of a governing board shall, based on facts then known to the member, discharge the member's duties as follows:
        (1) In good faith.
        (2) With the care an ordinarily prudent person in a like position would exercise under similar circumstances.
        (3) In a manner the member reasonably believes to be in the best interests of the hospital.
    (b) In discharging the member's duties, a member may rely on information, opinions, reports, or statements, including financial statements and other financial data, if prepared or presented by one (1) of the following:
        (1) A person whom the member reasonably believes to be reliable and competent in the matters presented.
        (2) Legal counsel, public accountants, or other persons as to matters the member reasonably believes are within the person's professional or expert competence.
    (c) A member is not acting in good faith if the member has knowledge concerning a matter in question that makes reliance otherwise permitted by subsection (b) unwarranted.
     Sec. 2. All proprietary and competitive information concerning the county hospital is confidential. A member of a governing board may not disclose confidential information concerning the county hospital to any person not authorized to receive this information.
    Sec. 3. (a) A member of a governing board who violates this chapter may be removed from the governing board by action of the board.
    (b) The county executive may not:
        (1) reappoint to a governing board; or
        (2) appoint to a governing board;
an individual who violated this chapter while serving or after

serving as a member of a governing board.
     Sec. 4. (a) A licensed physician is only eligible for appointment to a county hospital governing board if the physician is an active member of the medical staff of the hospital or holds a position that is equivalent to being an active member of the medical staff of the hospital.
     (b) A physician who is terminated from the medical staff of the hospital is removed from the governing board by operation of law.
    (c) A physician whose clinical privileges or staff membership privileges have been significantly reduced shall be removed from the governing board by action of the board.

SOURCE: IC 24-4-14; (06)HB1101.1.5. -->     SECTION 5. IC 24-4-14 IS ADDED TO THE INDIANA CODE AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]:
     Chapter 14. Persons Holding a Customer's Personal Information
    Sec. 1. This chapter does not apply to the following:
        (1) The executive, judicial, or legislative department of state government or any political subdivision.
        (2) A unit (as defined in IC 36-1-2-23).
        (3) The office of county auditor.
        (4) The office of county treasurer.
        (5) The office of county recorder.
        (6) The office of county surveyor.
        (7) A county sheriff's department.
        (8) The office of county coroner.
        (9) The office of county assessor.
        (10) A person who engages in the business of waste collection, except to the extent the person holds a customer's personal information directly in connection with the business of waste collection.
        (11) A person who maintains and complies with a disposal program under:
            (A) the federal USA Patriot Act (P.L.107-56);
            (B) Executive Order 13224;
            (C) the federal Driver's Privacy Protection Act (18 U.S.C. 2721 et seq.);
            (D) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
            (E) the federal Financial Modernization Act of 1999 (15 U.S.C. 6801 et seq.); or
            (F) the federal Health Insurance Portability and

Accountability Act (HIPAA) (P.L.104-191);
        if applicable.
    Sec. 2. As used in this chapter, "customer" means a person who:
        (1) has:
            (A) received; or
            (B) contracted for;
        the direct or indirect provision of goods or services from another person holding the person's personal information; or
        (2) provides the person's personal information to another person in connection with a transaction with a nonprofit corporation or charitable organization.
The term includes a person who pays a commission, a consignment fee, or another fee contingent on the completion of a transaction.
    Sec. 3. As used in this chapter, "dispose of" means to discard or abandon the personal information of a customer in an area accessible to the public. The term includes placing the personal information in a container for trash collection.
    Sec. 4. For purposes of this chapter, personal information is "encrypted" if the personal information:
        (1) has been transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or
        (2) is secured by another method that renders the personal information unreadable or unusable.
    Sec. 5. As used in this chapter, "person" means an individual, a partnership, a corporation, a limited liability company, or another organization.
    Sec. 6. As used in this chapter, "personal information" has the meaning set forth in IC 24-4.9-2-10. The term includes information stored in a digital format.
    Sec. 7. For purposes of this chapter, personal information is "redacted" if the personal information has been altered or truncated so that not more than the last four (4) digits of:
        (1) a Social Security number;
        (2) a driver's license number;
        (3) a state identification number; or
        (4) an account number;
is accessible as part of personal information.
    Sec. 8. A person who disposes of the unencrypted, unredacted personal information of a customer without shredding, incinerating, mutilating, erasing, or otherwise rendering the

information illegible or unusable commits a Class C infraction. However, the offense is a Class A infraction if:
        (1) the person violates this section by disposing of the unencrypted, unredacted personal information of more than one hundred (100) customers; or
        (2) the person has a prior unrelated judgment for a violation of this section.

SOURCE: IC 24-4.9; (06)HB1101.1.6. -->     SECTION 6. IC 24-4.9 IS ADDED TO THE INDIANA CODE AS A NEW ARTICLE TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]:
     ARTICLE 4.9. DISCLOSURE OF SECURITY BREACH
    Chapter 1. Application
    Sec. 1. This article does not apply to:
        (1) a state agency (as defined in IC 4-1-10-2); or
        (2) the judicial or legislative department of state government.
    Chapter 2. Definitions
    Sec. 1. The definitions in this chapter apply throughout this article.
    Sec. 2. (a) "Breach of the security of a system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person.
    (b) The term does not include the following:
        (1) Good faith acquisition of personal information by an employee or agent of the person for lawful purposes of the person, if the personal information is not used or subject to further unauthorized disclosure.
        (2) Unauthorized acquisition of a portable electronic device on which personal information is stored, if access to the device is protected by a password that has not been disclosed.
    Sec. 3. "Data base owner" means a person that owns or licenses computerized data that includes personal information.
    Sec. 4. "Doing business in Indiana" means owning or using the personal information of an Indiana resident for commercial purposes.
    Sec. 5. Data are encrypted for purposes of this article if the data:
        (1) have been transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or
        (2) are secured by another method that renders the data

unreadable or unusable.
    Sec. 6. "Financial institution" means a financial institution as defined in:
        (1) IC 28-1-1-3, other than a consumer finance institution licensed to make supervised or regulated loans under IC 24-4.5; or
        (2) 15 U.S.C. 6809(3).
    Sec. 7. "Indiana resident" means a person whose principal mailing address is in Indiana, as reflected in records maintained by the data base owner.
    Sec. 8. "Mail" has the meaning set forth in IC 23-1-20-15.
    Sec. 9. "Person" means an individual, a corporation, a business trust, an estate, a trust, a partnership, an association, a nonprofit corporation or organization, a cooperative, or any other legal entity.
    Sec. 10. "Personal information" means:
        (1) a Social Security number that is not encrypted or redacted; or
        (2) an individual's first and last names, or first initial and last name, and one (1) or more of the following data elements that are not encrypted or redacted:
            (A) A driver's license number.
            (B) A state identification card number.
            (C) A credit card number.
            (D) A financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account.
The term does not include information that is lawfully obtained from publicly available information or from federal, state, or local government records lawfully made available to the general public.
    Sec. 11. Data are redacted for purposes of this article if the data have been altered or truncated so that not more than the last four (4) digits of:
        (1) a Social Security number;
        (2) a driver's license number;
        (3) a state identification number; or
        (4) an account number;
is accessible as part of personal information.
    Chapter 3. Disclosure and Notification Requirements
    Sec. 1. (a) Except as provided in section 4(c), 4(d), and 4(e) of this chapter, after discovering or being notified of a breach of the security of a system, the data base owner shall disclose the breach

to an Indiana resident whose:
        (1) unencrypted personal information was or may have been acquired by an unauthorized person; or
        (2) encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key;
if the data base owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception (as defined in IC 35-43-5-3.5), identity theft, or fraud affecting the Indiana resident.
     (b) A data base owner required to make a disclosure under subsection (a) shall also disclose to each consumer reporting agency (as defined in 15 U.S.C. 1681a) information necessary to assist the consumer reporting agency in preventing fraud, including personal information of an Indiana resident affected by the breach of the security of a system.
     Sec. 2. A person that maintains computerized data but that is not a data base owner shall notify the data base owner if the person discovers that personal information was or may have been acquired by an unauthorized person.
     Sec. 3. (a) A person required to make a disclosure or notification under this chapter shall make the disclosure or notification without unreasonable delay. For purposes of this section, a delay is reasonable if the delay is:
        (1) necessary to restore the integrity of the computer system;
        (2) necessary to discover the scope of the breach; or
        (3) in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will:
            (A) impede a criminal or civil investigation; or
            (B) jeopardize national security.
    (b) A person required to make a disclosure or notification under this chapter shall make the disclosure or notification as soon as possible after:
        (1) delay is no longer necessary to restore the integrity of the computer system or to discover the scope of the breach; or
        (2) the attorney general or a law enforcement agency notifies the person that delay will no longer impede a criminal or civil investigation or jeopardize national security.
     Sec. 4. (a) Except as provided in subsection (b), a data base owner required to make a disclosure under this chapter shall make

the disclosure using one (1) of the following methods:
        (1) Mail.
        (2) Telephone.
        (3) Facsimile (fax).
        (4) Electronic mail, if the data base owner has the electronic mail address of the affected Indiana resident.
    (b) If a data base owner required to make a disclosure under this chapter is required to make the disclosure to more than five hundred thousand (500,000) Indiana residents, or if the data base owner required to make a disclosure under this chapter determines that the cost of the disclosure will be more than two hundred fifty thousand dollars ($250,000), the data base owner required to make a disclosure under this chapter may elect to make the disclosure by using both of the following methods:
        (1) Conspicuous posting of the notice on the web site of the data base owner, if the data base owner maintains a web site.
        (2) Notice to major news reporting media in the geographic area where Indiana residents affected by the breach of the security of a system reside.
    (c) A data base owner that maintains its own disclosure procedures as part of an information privacy policy or a security policy is not required to make a separate disclosure under this chapter if the data base owner's information privacy policy or security policy is at least as stringent as the disclosure requirements described in:
        (1) sections 1 through 4(b) of this chapter;
        (2) subsection (d); or
        (3) subsection (e).
    (d) A data base owner that maintains its own disclosure procedures as part of an information privacy, security policy, or compliance plan under:
        (1) the federal USA Patriot Act (P.L. 107-56);
        (2) Executive Order 13224;
        (3) the federal Driver's Privacy Protection Act (18 U.S.C. 2781 et seq.);
        (4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
        (5) the federal Financial Modernization Act of 1999 (15 U.S.C. 6801 et seq.); or
        (6) the federal Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191);
is not required to make a disclosure under this chapter if the data

base owner's information privacy, security policy, or compliance plan requires that Indiana residents be notified of a breach of the security of a system without unreasonable delay and the data base owner complies with the data base owner's information privacy, security policy, or compliance plan.
    (e) A financial institution that complies with the disclosure requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice or the Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, as applicable, is not required to make a disclosure under this chapter.
    (f) A person required to make a disclosure under this chapter may elect to make all or part of the disclosure in accordance with subsection (a) even if the person could make the disclosure in accordance with subsection (b).
     Chapter 4. Enforcement
    Sec. 1. (a) A person that is required to make a disclosure or notification in accordance with IC 24-4.9-3 and that fails to comply with any provision of this article commits a deceptive act that is actionable only by the attorney general under this chapter.
     (b) A failure to make a required disclosure or notification in connection with a related series of breaches of the security of a system constitutes one (1) deceptive act.
     Sec. 2. The attorney general may bring an action under this chapter to obtain any or all of the following:
        (1) An injunction to enjoin future violations of IC 24-4.9-3.
        (2) A civil penalty of not more than one hundred fifty thousand dollars ($150,000) per deceptive act.
        (3) The attorney general's reasonable costs in:
            (A) the investigation of the deceptive act; and
            (B) maintaining the action.
        (4) Reasonable attorney's fees.
        (5) Costs of the action.
     Chapter 5. Preemption
    Sec. 1. This article preempts the authority of a unit (as defined in IC 36-1-2-23) to make an enactment dealing with the same subject matter as this article.

SOURCE: IC 35-32-2-6; (06)HB1101.1.7. -->     SECTION 7. IC 35-32-2-6 IS ADDED TO THE INDIANA CODE AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]: Sec. 6. (a) Subject to subsection (b), a person who commits the offense of identity deception may be tried in a county in which:
        (1) the victim resides; or
        (2) the person:
            (A) obtains;
            (B) possesses;
            (C) transfers; or
            (D) uses;
        the information used to commit the offense.
    (b) If:
        (1) a person is charged with more than one (1) offense of identity deception; and
        (2) either:
            (A) the victims of the crimes reside in more than one (1) county; or
            (B) the person performs an act described in subsection (a)(2) in more than one (1) county;
the person may be tried in any county described in subdivision (2).
SOURCE: IC 35-41-1-1; (06)HB1101.1.8. -->     SECTION 8. IC 35-41-1-1, AS AMENDED BY P.L.115-2005, SECTION 3, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]: Sec. 1. (a) As used in this section, "Indiana" includes:
        (1) the area within the boundaries of the state of Indiana, as set forth in Article 14, Section 1 of the Constitution of the State of Indiana;
        (2) the portion of the Ohio River on which Indiana possesses concurrent jurisdiction with the state of Kentucky under Article 14, Section 2 of the Constitution of the State of Indiana; and
        (3) the portion of the Wabash River on which Indiana possesses concurrent jurisdiction with the state of Illinois under Article 14, Section 2 of the Constitution of the State of Indiana.
    (b) A person may be convicted under Indiana law of an offense if:
        (1) either the conduct that is an element of the offense, the result that is an element, or both, occur in Indiana;
        (2) conduct occurring outside Indiana is sufficient under Indiana law to constitute an attempt to commit an offense in Indiana;
        (3) conduct occurring outside Indiana is sufficient under Indiana law to constitute a conspiracy to commit an offense in Indiana, and an overt act in furtherance of the conspiracy occurs in Indiana;
        (4) conduct occurring in Indiana establishes complicity in the commission of, or an attempt or conspiracy to commit, an offense in another jurisdiction that also is an offense under Indiana law;
        (5) the offense consists of the omission to perform a duty imposed by Indiana law with respect to domicile, residence, or a

relationship to a person, thing, or transaction in Indiana;
        (6) conduct that is an element of the offense or the result of conduct that is an element of the offense, or both, involve the use of the Internet or another computer network (as defined in IC 35-43-2-3) and access to the Internet or other computer network occurs in Indiana; or
        (7) conduct:
            (A) involves the use of:
                (i) the Internet or another computer network (as defined in IC 35-43-2-3); or
                (ii) another form of electronic communication;
            (B) occurs outside Indiana and the victim of the offense resides in Indiana at the time of the offense; and
            (C) is sufficient under Indiana law to constitute an offense in Indiana.
    (c) When the offense is homicide, either the death of the victim or bodily impact causing death constitutes a result under subsection (b)(1). If the body of a homicide victim is found in Indiana, it is presumed that the result occurred in Indiana.
     (d) If the offense is identity deception, the lack of the victim's consent constitutes conduct that is an element of the offense under subsection (b)(1). If a victim of identity deception resides in Indiana when a person knowingly or intentionally obtains, possesses, transfers, or uses the victim's identifying information, it is presumed that the conduct that is the lack of the victim's consent occurred in Indiana.

SOURCE: IC 35-43-5-3.5; (06)HB1101.1.9. -->     SECTION 9. IC 35-43-5-3.5 IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]: Sec. 3.5. (a) Except as provided in subsection (b), (c), a person who knowingly or intentionally obtains, possesses, transfers, or uses the identifying information of another person, including the identifying information of a person who is deceased:
        (1) without the other person's consent; and
        (2) with intent to:
            (A) harm or defraud another person;
            (B) assume another person's identity; or
            (C) profess to be another person;
commits identity deception, a Class D felony.
     (b) However, the offense defined in subsection (a) is a Class C felony if:
        (1) a person obtains, possesses, transfers, or uses the identifying information of more than one hundred (100)

persons; or
        (2) the fair market value of the fraud or harm caused by the offense is at least fifty thousand dollars ($50,000).
    (b) (c) The conduct prohibited in subsection subsections (a) and (b) does not apply to:
        (1) a person less than twenty-one (21) years of age who uses the identifying information of another person to acquire an alcoholic beverage (as defined in IC 7.1-1-3-5);
        (2) a minor (as defined in IC 35-49-1-4) who uses the identifying information of another person to acquire:
            (A) a cigarette or tobacco product (as defined in IC 6-7-2-5);
            (B) a periodical, a videotape, or other communication medium that contains or depicts nudity (as defined in IC 35-49-1-5);
            (C) admittance to a performance (live or film) that prohibits the attendance of the minor based on age; or
            (D) an item that is prohibited by law for use or consumption by a minor; or
        (3) any person who uses the identifying information for a lawful purpose.
    (c) (d) It is not a defense in a prosecution under subsection (a) or (b) that no person was harmed or defrauded.

SOURCE: IC 35-43-5-4.3; (06)HB1101.1.10. -->     SECTION 10. IC 35-43-5-4.3 IS ADDED TO THE INDIANA CODE AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]: Sec. 4.3. (a) As used in this section, "card skimming device" means a device that is designed to read information encoded on a credit card. The term includes a device designed to read, record, or transmit information encoded on a credit card:
        (1) directly from a credit card; or
        (2) from another device that reads information directly from a credit card.
     (b) A person who possesses a card skimming device with intent to commit:
        (1) identity deception (IC 35-43-5-3.5);
        (2) fraud (IC 35-43-5-4); or
        (3) terroristic deception (IC 35-43-5-3.6);
commits unlawful possession of a card skimming device. Unlawful possession of a card skimming device under subdivision (1) or (2) is a Class D felony. Unlawful possession of a card skimming device under subdivision (3) is a Class C felony.
SOURCE: IC 35-50-5-3; (06)HB1101.1.11. -->     SECTION 11. IC 35-50-5-3, AS AMENDED BY P.L.2-2005, SECTION 129, IS AMENDED TO READ AS FOLLOWS

[EFFECTIVE JULY 1, 2006]: Sec. 3. (a) Except as provided in subsection (i) or (j), in addition to any sentence imposed under this article for a felony or misdemeanor, the court may, as a condition of probation or without placing the person on probation, order the person to make restitution to the victim of the crime, the victim's estate, or the family of a victim who is deceased. The court shall base its restitution order upon a consideration of:
        (1) property damages of the victim incurred as a result of the crime, based on the actual cost of repair (or replacement if repair is inappropriate);
        (2) medical and hospital costs incurred by the victim (before the date of sentencing) as a result of the crime;
        (3) the cost of medical laboratory tests to determine if the crime has caused the victim to contract a disease or other medical condition;
        (4) earnings lost by the victim (before the date of sentencing) as a result of the crime including earnings lost while the victim was hospitalized or participating in the investigation or trial of the crime; and
        (5) funeral, burial, or cremation costs incurred by the family or estate of a homicide victim as a result of the crime.
    (b) A restitution order under subsection (a), or (i), or (j) is a judgment lien that:
        (1) attaches to the property of the person subject to the order;
        (2) may be perfected;
        (3) may be enforced to satisfy any payment that is delinquent under the restitution order by the person in whose favor the order is issued or the person's assignee; and
        (4) expires;
in the same manner as a judgment lien created in a civil proceeding.
    (c) When a restitution order is issued under subsection (a), the issuing court may order the person to pay the restitution, or part of the restitution, directly to:
        (1) the victim services division of the Indiana criminal justice institute in an amount not exceeding:
            (A) the amount of the award, if any, paid to the victim under IC 5-2-6.1; and
            (B) the cost of the reimbursements, if any, for emergency services provided to the victim under IC 16-10-1.5 (before its repeal) or IC 16-21-8; or
        (2) a probation department that shall forward restitution or part of restitution to:

            (A) a victim of a crime;
            (B) a victim's estate; or
            (C) the family of a victim who is deceased.
The victim services division of the Indiana criminal justice institute shall deposit the restitution it receives under this subsection in the violent crime victims compensation fund established by IC 5-2-6.1-40.
    (d) When a restitution order is issued under subsection (a), or (i), or (j), the issuing court shall send a certified copy of the order to the clerk of the circuit court in the county where the felony or misdemeanor charge was filed. The restitution order must include the following information:
        (1) The name and address of the person that is to receive the restitution.
        (2) The amount of restitution the person is to receive.
Upon receiving the order, the clerk shall enter and index the order in the circuit court judgment docket in the manner prescribed by IC 33-32-3-2. The clerk shall also notify the department of insurance of an order of restitution under subsection (i).
    (e) An order of restitution under subsection (a), or (i), or (j), does not bar a civil action for:
        (1) damages that the court did not require the person to pay to the victim under the restitution order but arise from an injury or property damage that is the basis of restitution ordered by the court; and
        (2) other damages suffered by the victim.
    (f) Regardless of whether restitution is required under subsection (a) as a condition of probation or other sentence, the restitution order is not discharged by the completion of any probationary period or other sentence imposed for a felony or misdemeanor.
    (g) A restitution order under subsection (a), or (i), or (j), is not discharged by the liquidation of a person's estate by a receiver under IC 32-30-5 (or IC 34-48-1, IC 34-48-4, IC 34-48-5, IC 34-48-6, IC 34-1-12, or IC 34-2-7 before their repeal).
    (h) The attorney general may pursue restitution ordered by the court under subsections (a) and (c) on behalf of the victim services division of the Indiana criminal justice institute established under IC 5-2-6-8.
    (i) The court may order the person convicted of an offense under IC 35-43-9 to make restitution to the victim of the crime. The court shall base its restitution order upon a consideration of the amount of money that the convicted person converted, misappropriated, or received, or for which the convicted person conspired. The restitution order issued for a violation of IC 35-43-9 must comply with

subsections (b), (d), (e), and (g), and is not discharged by the completion of any probationary period or other sentence imposed for a violation of IC 35-43-9.
     (j) The court may order the person convicted of an offense under IC 35-43-5-3.5 to make restitution to the victim of the crime, the victim's estate, or the family of a victim who is deceased. The court shall base its restitution order upon a consideration of the amount of fraud or harm caused by the convicted person and any reasonable expenses (including lost wages) incurred by the victim in correcting the victim's credit report and addressing any other issues caused by the commission of the offense under IC 35-43-5-3.5. If, after a person is sentenced for an offense under IC 35-43-5-3.5, a victim, a victim's estate, or the family of a victim discovers or incurs additional expenses that result from the convicted person's commission of the offense under IC 35-43-5-3.5, the court may issue one (1) or more restitution orders to require the convicted person to make restitution, even if the court issued a restitution order at the time of sentencing. For purposes of entering a restitution order after sentencing, a court has continuing jurisdiction over a person convicted of an offense under IC 35-43-5-3.5 for five (5) years after the date of sentencing. Each restitution order issued for a violation of IC 35-43-5-3.5 must comply with subsections (b), (d), (e), and (g), and is not discharged by the completion of any probationary period or other sentence imposed for an offense under IC 35-43-5-3.5.

SOURCE: ; (06)HB1101.1.12. -->     SECTION 12. [EFFECTIVE JULY 1, 2006] (a) IC 35-43-5-3.5, as amended by this act, and IC 35-43-5-4.3, as added by this act, apply only to crimes committed after June 30, 2006.
     (b) IC 35-50-5-3, as amended by this act, applies only to persons sentenced after June 30, 2006.