Reprinted
January 25, 2008
HOUSE BILL No. 1197
_____
DIGEST OF HB 1197
(Updated January 24, 2008 4:08 pm - DI 106)
Citations Affected: IC 4-6; IC 24-4.9.
Synopsis: Data breaches. Requires the attorney general to publish
notice of a breach of the security of a system on the attorney general's
Internet web site, and authorizes the attorney general to initiate a
program to educate consumers of risks posed by a security breach.
Provides, for purposes of the law requiring the disclosure of a breach
of the security of a system, that the unauthorized acquisition of a
portable electronic device on which personal information is stored does
not constitute a breach of the security of a system if the contents of the
portable electronic device are encrypted and if the encryption key is not
compromised. Provides that, in the event of a security breach requiring
notification, the data base owner's primary regulator and the attorney
general must also be notified. Specifies that an individual's: (1) name;
and (2) financial account or debit card number in combination with an
expiration date; constitute personal information which, if disclosed,
could constitute a data breach.
Effective: July 1, 2008.
Pierce
, Dermody
, Walorski
, Koch
January 10, 2008, read first time and referred to Committee on Technology, Research and
Development.
January 16, 2008, amended, reported _ Do Pass.
January 24, 2008, read second time, amended, ordered engrossed.
Reprinted
January 25, 2008
Second Regular Session 115th General Assembly (2008)
PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana
Constitution) is being amended, the text of the existing provision will appear in this style type,
additions will appear in
this style type, and deletions will appear in
this style type.
Additions: Whenever a new statutory provision is being enacted (or a new constitutional
provision adopted), the text of the new provision will appear in
this style type. Also, the
word
NEW will appear in that style type in the introductory clause of each SECTION that adds
a new provision to the Indiana Code or the Indiana Constitution.
Conflict reconciliation: Text in a statute in
this style type or
this style type reconciles conflicts
between statutes enacted by the 2007 Regular Session of the General Assembly.
HOUSE BILL No. 1197
A BILL FOR AN ACT to amend the Indiana Code concerning trade
regulation.
Be it enacted by the General Assembly of the State of Indiana:
SOURCE: IC 4-6-9-7.5; (08)HB1197.2.1. -->
SECTION 1. IC 4-6-9-7.5 IS ADDED TO THE INDIANA CODE
AS A
NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY
1, 2008]:
Sec. 7.5. (a) Subject to subsection (d), if a data base owner
discloses a breach of the security of a system (as defined in
IC 24-4.9-2-2) to the attorney general in accordance with
IC 24-4.9-3, or if the attorney general otherwise discovers a breach
of the security of a system required to be disclosed to the attorney
general in accordance with IC 24-4.9-3, the division shall publish
a notice of the security breach on the web site maintained by the
attorney general.
(b) Subject to subsection (d), notice of a breach of the security
of a system published on the web site maintained by the attorney
general must include the following information, if available:
(1) The name of the organization whose system security has
been breached.
(2) The number of individuals and the number of Indiana
residents whose personal information may have been
compromised by the breach.
(3) The date on which the breach occurred.
(4) The circumstances under which the breach occurred.
(5) Any other information that, in the opinion of the attorney
general, would assist an individual in determining whether the
individual's personal information has been disclosed or
compromised.
(c) The division may initiate and maintain an educational
program to inform consumers of:
(1) risks involved in a breach of the security of a system; and
(2) steps that the victim of a security breach should take to
prevent and mitigate the damage from the security breach.
(d) A notice of a breach of the security of a system must be
redacted to exclude any information that:
(1) is confidential;
(2) would assist in the commission of:
(A) identity deception (IC 35-43-5-3.5);
(B) another crime; or
(C) fraud; or
(3) could jeopardize the security of a system.
SOURCE: IC 24-4.9-2-2; (08)HB1197.2.2. -->
SOURCE: IC 24-4.9-2-2. -->
SECTION 2. IC 24-4.9-2-2, AS ADDED BY P.L.125-2006,
SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2008]: Sec. 2. (a) "Breach of the security of a system" means
unauthorized acquisition of computerized data that compromises the
security, confidentiality, or integrity of personal information
maintained by a person. The term includes the unauthorized acquisition
of computerized data that have been transferred to another medium,
including paper, microfilm, or a similar medium, even if the transferred
data are no longer in a computerized format.
(b) The term does not include the following:
(1) Good faith acquisition of personal information by an employee
or agent of the person for lawful purposes of the person, if the
personal information is not used or subject to further unauthorized
disclosure.
(2) Unauthorized acquisition of a portable electronic device on
which personal information is stored, if access to the device all
personal information on the device is protected by a password
that encryption and the encryption key:
(A) has not been compromised or disclosed; and
(B) is not in the possession of or known to the person who,
without authorization, acquired or has access to the
portable electronic device.
SOURCE: IC 24-4.9-2-5; (08)HB1197.2.3. -->
SECTION 3. IC 24-4.9-2-5, AS ADDED BY P.L.125-2006,
SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2008]: Sec. 5. (a) Except as provided in subsection (b), data
are encrypted for purposes of this article if, in a manner consistent
with the best practices common in the industry, the data:
(1) have been transformed through the use of an algorithmic
process into a form in which there is a low probability of
assigning meaning without use of a confidential process or key;
or
(2) are secured by another method that renders the data
unreadable or unusable.
(b) Data that have been transformed or secured as described in
subsection (a) are not encrypted for purposes of this article unless
the key required to decrypt the data complies with the best
practices common in the industry and has not been disclosed or
compromised.
SOURCE: IC 24-4.9-2-10; (08)HB1197.2.4. -->
SECTION 4. IC 24-4.9-2-10, AS ADDED BY P.L.125-2006,
SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2008]: Sec. 10. "Personal information" means:
(1) a Social Security number that is not encrypted or redacted; or
(2) an individual's first and last names, or first initial and last
name, and one (1) or more of the following data elements that are
not encrypted or redacted:
(A) A driver's license number.
(B) A state identification card number.
(C) A credit card number.
(D) A financial account number or debit card number in
combination with a security code, password, expiration date,
or access code that would permit access to the person's
account.
The term does not include information that is lawfully obtained from
publicly available information or from federal, state, or local
government records lawfully made available to the general public.
SOURCE: IC 24-4.9-3-1; (08)HB1197.2.5. -->
SECTION 5. IC 24-4.9-3-1, AS ADDED BY P.L.125-2006,
SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2008]: Sec. 1. (a) Except as provided in section 4(c), 4(d), and
4(e) of this chapter, after discovering or being notified of a breach of
the security of a system, the data base owner shall disclose the breach
to an Indiana resident whose:
(1) unencrypted personal information was or may have been
acquired by an unauthorized person; or
(2) encrypted personal information was or may have been
acquired by an unauthorized person with access to the encryption
key;
if the data base owner knows, should know, or should have known that
the unauthorized acquisition constituting the breach has resulted in or
could result in identity deception (as defined in IC 35-43-5-3.5),
identity theft, or fraud affecting the Indiana resident.
(b) A data base owner required to make a disclosure under
subsection (a) to more than one thousand (1,000) consumers shall also
disclose to each consumer reporting agency (as defined in 15 U.S.C.
1681a(p)) information necessary to assist the consumer reporting
agency in preventing fraud, including personal information of an
Indiana resident affected by the breach of the security of a system.
(c) If a data base owner makes a disclosure described in
subsection (a), the data base owner shall also disclose the breach
to:
(1) the data base owner's primary regulator, if the data base
owner is regulated; and
(2) the attorney general.
SOURCE: IC 24-4.9-3-4; (08)HB1197.2.6. -->
SECTION 6. IC 24-4.9-3-4, AS ADDED BY P.L.125-2006,
SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2008]: Sec. 4. (a) Except as provided in subsection (b), a data
base owner required to make a disclosure under this chapter shall make
the disclosure using one (1) of the following methods:
(1) Mail.
(2) Telephone.
(3) Facsimile (fax).
(4) Electronic mail, if the data base owner has the electronic mail
address of the affected Indiana resident.
(b) If a data base owner required to make a disclosure under this
chapter is required to make the disclosure to more than five hundred
thousand (500,000) Indiana residents, or if the data base owner
required to make a disclosure under this chapter determines that the
cost of the disclosure will be more than two hundred fifty thousand
dollars ($250,000), the data base owner required to make a disclosure
under this chapter may elect to make the disclosure by using both of the
following methods:
(1) Conspicuous posting of the notice on the web site of the data
base owner, if the data base owner maintains a web site.
(2) Notice to major news reporting media in the geographic area
where Indiana residents affected by the breach of the security of
a system reside.
(c) A data base owner that maintains its own disclosure procedures
as part of an information privacy policy or a security policy is not
required to make a separate disclosure under this chapter if the data
base owner's information privacy policy or security policy is at least as
stringent as the disclosure requirements described in:
(1) sections 1 through 4(b) of this chapter;
(2) subsection (d); or
(3) subsection (e).
(d) A data base owner that maintains its own disclosure procedures
as part of an information privacy, security policy, or compliance plan
under:
(1) the federal USA Patriot Act (P.L. 107-56);
(2) Executive Order 13224;
(3) the federal Driver's Privacy Protection Act (18 U.S.C. 2781 et
seq.);
(4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(5) the federal Financial Modernization Act of 1999 (15 U.S.C.
6801 et seq.); or
(6) the federal Health Insurance Portability and Accountability
Act (HIPAA) (P.L. 104-191);
is not required to make a disclosure under this chapter if the data base
owner's information privacy, security policy, or compliance plan
requires that Indiana residents, the attorney general, and the owner's
primary regulator be notified of a breach of the security of a system
without unreasonable delay and the data base owner complies with the
data base owner's information privacy, security policy, or compliance
plan.
(e) A financial institution that complies with the disclosure
requirements prescribed by the Federal Interagency Guidance on
Response Programs for Unauthorized Access to Customer Information
and Customer Notice or the Guidance on Response Programs for
Unauthorized Access to Member Information and Member Notice, as
applicable, is not required to make a disclosure under this chapter.
(f) A person required to make a disclosure under this chapter may
elect to make all or part of the disclosure in accordance with subsection
(a) even if the person could make the disclosure in accordance with
subsection (b).