RE: Data Breach Requirements as Applied to Municipalities in Indiana

We are in receipt of your request for an opinion of the Office of the Indiana Attorney General (OAG) as to what statutory requirements are fastened upon a municipality that finds itself involved in a breach of data security or privacy. More specifically, you have asked whether such a municipality should follow the data breach requirements of Ind. Code § 24-4.9 ("Disclosure of Security Breach"),¹ or those found at Ind. Code § 4-1-11-1 et seq. ("Notice of Security Breach").²

Ind. Code § 4-6-2-5 sets forth "priority" matters for consideration as formal opinions of the Attorney General. Because municipalities and other political subdivisions are not on that list, the Attorney General is not required nor even encouraged to weigh in on opinion requests submitted on their behalf. However, the final clause of the opinion statute contains language that does allow the Attorney General to exercise his discretion to address an inquiry from a municipality or political subdivision. Despite not being listed as a "priority" requestor– because it is a municipality– the question presented as to that municipality is one of statutory interpretation. Once resolved, the interpretation we are being called upon to perform will be applicable to situations likely to recur in all cities and towns in Indiana.

For these reasons, we exercise our discretion here to accept and answer this issue with a published opinion.

In the event of a data breach, should a municipality follow the data breach requirements and the corresponding remedial measures set forth in Ind. Code § 24-4.9, or the very similar measures described in Ind. Code § 4-1-11?

A municipality should follow the data breach requirements described at Ind. Code § 24-4.9. Although both sets of statutes went into effect the same day and covered much the same subject matter, they are not identical. The latter-occurring statute, Ind. Code § 24-4.9 et seq., having a broader scope of applicability, sweeps widely enough to encompass the duties of municipalities and others in making notifications and containing the damage caused by data breaches.

There have been several earnest attempts to re-codify our laws to render them more comprehensible consistent and concise and–in a sort of legislative vision of Paradise– numbered and grouped together by subject to make them easier to find. Of course, where legislative processes are concerned, Paradise is often elusive, and is easily lost. Such was the case here, wherein two rather extensive chapters of legislation with the same effective date, on very nearly the same subject matter found themselves separated at birth and taking up residence in two far-flung places in Indiana Code. One set of statutes concerning "Notice of Security Breach" appears in Title 4, which relates to "State Offices and Administration," while another set on "Disclosure of Security Breach" appears at Title 24, in the realm of "Trade Regulation."

What the Corporation Counsel of this state's largest city wants to know, naturally, is which of this pair of statutory provisions was meant to apply to his client. The question is not strictly academic, for the two sets of statutes, while resembling statutory half-brothers, are not identical twins. Although the effective dates of both enactments were made to conform to each other, the provisions in Title 4 came out first–a product of the 2005 Session of the General Assembly, while those in Title 24 came out the next year. The provisions of Chapter 4.9 of Title 24 are a good deal more sophisticated and detailed than those found in Title 4. The Title 24 legislation, deals in significant detail with a number of issues that are simply not addressed anywhere in Title 4, as for example cases in which delay in notification may be appropriate³, coordination and collaboration between federal homeland security provisions and Indiana resources⁴, redacted data⁵, enforcement actions for injunctive relief that must exclusively be brought by the Attorney General,⁶ and a wider range of disclosure and notification methods.⁷

All of those substantive differences aside, the issue raised here is principally one of scope and, more specifically, which of these two sets of enactments should a municipal corporation–a unit of local government–follow? In comparing the jurisdictional elements of each set of statutes, we see that there is an easy answer: Only one of the two sets of provisions–the one at Ind. Code § 4-1-11-2(a)– even mentions "local agenc[ies]," the phrase appearing in the definition section, and titled "Breach of the security of the system, defined." So there is the easy answer–follow the Title 4 iteration. But that is the wrong answer.

In concluding that the obvious answer is the wrong one in this case, we begin with some fundamental principles of statutory interpretation. The primary goal of statutory construction is to determine and give effect to the intent of the legislative body. Freeman v. State, 658 N.E.2d 68, 70 (Ind. 1995). See also State v. Oddi-Smith, 878 N.E.2d 1245, 1248 (Ind. 2008). One must presume that the legislature is aware of existing statutes in the same area and must construe differing statutes together to produce a harmonious result. Town of Merrillville v. Merrillville Conservancy Dist., 649 N.E.2d 645, 649 (Ind. Ct. App. 1995). "When two statutes on the same subject must be construed together, a court should attempt to give effect to both and must attempt to harmonize any inconsistencies or conflicts before applying any other rule of statutory construction." Moryl v. Ransone, et al., 4 N.E.3d 1133, 1137 (Ind. 2014) (emphasis in original), citing State v. Universal Outdoor, Inc., 880 N.E.2d 1188, 1191 (Ind. 2008) and Bd. of Trs. of Ind. Pub. Emps. Ret. Fund v. Grannan, 578 N.E.2d 371, 375 (Ind. Ct. App. 1991), transfer denied.

Thus, for the purpose of statutory interpretation, one must be mindful that each set of statutes, while superficially similar, represents a divergence, a forking path of intended meaning that motivated the legislature to address and create two statutory treatments of essentially the same topic, facially quite similar, yet subtly at variance with one another.

As the requestor correctly notes, confusion has arisen because Ind. Code § 4-1-11-2, defining "[b]reach of the security of the system," advises that "[a]s used in this chapter, 'breach of the security of the system' means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state or local agency" (emphasis supplied). The requestor notes that this isolated reference to "local agencies" somehow does not ring true, for it is inconsistent with the entire remainder of the chapter, which defines and pulls into its substantive provisions, at every turn, everything but local agencies. The chapter even pauses long enough to afford us a definition of "state agency," cross-referencing it to the definition to be found at Ind. Code § 4-1-10-2.⁸ But no comfort and no revelation are to be found there; the cross-referenced definition makes no reference to a "local agency."

However, Ind. Code Art. 24-4.9 does address the requestor's concern. This chapter also addresses the subject of disclosure of a security breach, but here the legislature has clearly been at pains to exclude each of the covered categories of data breach-feasors that it had actively included at Ind. Code § 4-1-11-2 noting that the provisions (of Ind. Code Art. 24-4.9) do "not apply to. . .a state agency (as defined in Ind. Code § 4-1-10-2)" (emphasis supplied). This statute likewise cautions that it does not apply to "the judicial or legislative department of state government." Ind. Code § 24-4.9-1-1(2).

A well-met principle of statutory interpretation teaches that, "when certain items or words are specified or enumerated in a statute then, by implication, other items or words not so specified or enumerated are excluded."⁹ Health and Hospital Co. of Marion County v. Marion County, 470 N.E.2d 1348, 1355 (Ind. 1984). In this matter, Ind. Code Art. 24-4.9 proclaims at its very threshold the sorts of entities to which its provisions do not apply. The exclusions listed at the outset of the data breach provisions added in the 2006 legislative session as Ind. Code, Art. 24-4.9 do not list among the excluded categories a municipality (nor indeed, any "local agency") such as the City of Indianapolis. As a consequence, it would appear the legislature did indeed intend for these provisions (at Title 24 of the Code) to apply to municipalities.

A more searching scrutiny of this set of provisions confirms our view. Ind. Code Ch. 24-4.9-2 defines the applicable terms. "Breach of the security of data" is defined as the "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person."¹⁰ This definition is similar in all respects to the same definition found at Ind. Code § 4-1-11-2(a), except that it refers to a "person" rather than an agency. "Person" is defined as "an individual, a corporation, a business trust, an estate, a trust, a partnership, an association, a nonprofit corporation or organization, a cooperative, or any other legal entity."¹¹ "Legal entity" is not otherwise defined. However, "[i]n construing statutes, words and phrases will be taken in their plain or ordinary and usual sense unless a different purpose is clearly manifested by the statute itself. . .". Ind. State Dept. of Revenue v. Colpaert Realty Corp., 109 N.E.2d 415, 418-19 (Ind. 1952). "If the legislature has not defined a word, we may properly consult English dictionaries to determine the plain and ordinary meaning of words. Naugle v. Beech Grove City Schools, 864 N.E.2d 1058, 1068 (Ind. 2007). We review the statute as a whole and will presume that the legislature intended for the statutory language used to be applied in a logical and not an absurd manner. In re Resnover, 979 N.E.2d 668, 674 (Ind. Ct. App. 2012)." Montalvo, et al. v. Indiana ex rel. Zoeller, 27 N.E. 3d 795, 799 (Ind. Ct. App. 2015). Accordingly, "legal entity" is understood to mean "[a] body, other than a natural person, that can function legally, sue or be sued, and make decisions through agents." Black's Law Dictionary at 1031 (10^th ed. 2014).¹²

The City of Indianapolis qualifies as a "legal entity." It is a municipality, as defined by statute, and, as such, can function legally, sue and be sued, and act through its agents. Ind. Code §§ 36-1-2-11, 36-1-2-23. See Ind. Code Art. 36-3 (creating the consolidated governance of Indianapolis and Marion County). Therefore, the City of Indianapolis is a "person" under Ind. Code § 24-4.9-2-9 and subject to Ind. Code Art. 24-4.9.¹³ Further, the City of Indianapolis may also qualify as a "data base owner," which is defined as a "person that owns or licenses computerized data that included personal information." Ind. Code § 24-4.9-2-3 (emphasis supplied).

Finally, and most compelling, this chapter of the Code has its own version of a "pre-emption" clause, at Ind. Code § 24-4.9-5-1, which provides that "[t]his article preempts the authority of a unit (as defined in Ind. Code § 36-1-2-23) to make an enactment dealing with the same subject matter as this article." A "unit," as defined in Ind. Code § 36-1-2-23, includes a "municipality," which in turn, is defined as including a "city" (as noted above). Ind. Code §§ 36-1-2-11, 36-1-2-23. It appears to us that this somewhat unusual pre-emption clause is specifically targeted at entities such as the City of Indianapolis, which unlike other "persons" and "legal entities," have the power to enact laws that could fall afoul of this proscription against exceeding the bounds of their authority, and recognizing that the State has chosen to "occupy the field" on the issues of notification and corrective action for data security breaches.

Ultimately, when construing statutes, the primary goal is to determine and give effect to the legislature's intent in creating the law. State v. Oddi-Smith, 878 N.E.2d 1245, 1248 (Ind. 2008). The text itself is the best guide, with the text being read in a common-sense manner to give all parts of the statute or statutes meaning in accord with the underlying goals of the overall statutory scheme. Id.

The date of enactment of the two code provisions at issue may also be relevant. Ind. Code, Ch. 4-1-11 was enacted through Pub. L. 91-2005, while Ind. Code Art. 24-4.9 was enacted the following year through Pub. L. 125-2006. The "preemption" provision at Ind. Code § 24-4.9-5-1 was part of the original 2006 enactment.

"There is a strong presumption that the legislature in enacting a particular piece of legislation is aware of existing statutes on the same subject." Indiana Alcoholic Beverage Commission v. Osco Drug, Inc., 431 N.E.2d 823, 833 (Ind. Ct. App. 1982). It would thus appear that the orphaned reference to "local agency" in the earlier act was neither a mistake nor an aberration. Rather, it likely signaled an intent that local units of government, should they desire to enter the field of regulation of database breach issues, were invited to adopt the statutory framework and pertinent definitions that were in 2005 being adopted and applied to agencies of state government. Only in the next legislative session, however, did the process become complete when the action items and standards were raised, rendered in greater technological and legal detail, and applied to the remaining entities, both public and private, including the City of Indianapolis.

Here it is appropriate to recall that even in the event of dissonant notes being sounded between two statutory enactments, the later-occurring statute (in this case, the one codified at Ind. Code, Title 24) controls the earlier. The rules of statutory interpretation also hold that the more specific provisions control the more general. See, e.g., W. Clark Community. School Corp. v. H.L.K., 690 N.E.2d 238, 241 (Ind.1997); State v. Greenwood, 665 N.E.2d 579, 583 (Ind. 1996); Freeman v. State, 658 N.E.2d 68, 70 (Ind.1995); In the Matter of Termination of Parent-Child Relationship of M.N. and H.N., 796 N.E.2d 280, 284 (Ind. 2003). In this case, Ind. Cod Art. 24-4.9 is more specific to the City of Indianapolis as it is both a "unit" as defined in Title 36 of the Indiana Code and a "legal entity," as this phrase is commonly understood.¹⁴

Additionally, Ind. Code Art. 24-4.9 specifically notes that it does not apply to the very entities covered by Ind. Code § 4-1-11. See Ind. Code § 24-4.9-1-1. Further evidence of legislative intent is the addition of the "preemption" provision, directed at local "units" of government, prohibiting enactment of any similar laws and thus requiring adherence to these provisions.

The provisions of Ind. Code Ch. 4-1-11 regarding disclosures of security breaches apply to state agencies, as this term is defined at Ind. Code § 4-1-10-2. The City of Indianapolis is not a "state agency" under the applicable definition. The later enactment of similar procedures for addressing security breaches, Ind. Code Art. 24-4.9, applies to a number of entities and individuals that are considered "persons" under the statute. A "legal entity," as that term is understood in common parlance, would include a local governmental entity, especially as state agencies have been excluded. The preemption statute at Ind. Code § 24-4.9-5-1 is clear that this article is intended to apply to a "unit" of government. As noted previously, a "unit" includes a "municipality," which, in turn, includes the City of Indianapolis. The legislative intent is that municipalities such as the City of Indianapolis are to be governed by Ind. Code Art. 24-4.9, and not by Ind. Code §§ 4-1-11-1 et seq.

SUBMITTED and

ENDORSED FOR PUBLICATION:

Curtis T. Hill, Jr.

Attorney General

Scott C. Newman, Chief Counsel

Kevin C. McDowell, Deputy Attorney General

Nicole M. Schuster, Deputy Attorney General

DIN: 20180613-IR-010180248AOA

Composed: Apr 29,2024 1:21:44AM EDT

A PDF version of this document.