-IR- Database: Indiana Register

TITLE 11 CONSUMER PROTECTION DIVISION OF THE OFFICE OF THE ATTORNEY GENERAL

Economic Impact Statement
LSA Document #20-366


IC 4-22-2.1-5 Statement Concerning Rules Affecting Small Businesses
Description of the Rule
This rule is being promulgated to provide guidance regarding the duties imposed under IC 24-4.9-3-3.5(c), which requires data base owners to "implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any personal information of Indiana residents collected or maintained by the data base owner."
The purpose of the rule is to encourage companies to enact measures to protect Hoosiers. It provides a safe harbor from possible action by the Office of the Attorney General (OAG) for companies that follow industry standards. Cyber-attacks are the fastest-growing crime in the United States. While attacks will happen, companies need to take proactive measures to make it harder for would-be hackers to harm Hoosiers. This rule aligns incentives so that Hoosiers are protected, and companies know how the OAG will determine whether a company took reasonable actions to protect Hoosiers' data. Companies that follow the steps in the rule will not be subject to action by OAG.

Economic Impact on Small Businesses
1. Estimate of the number of small businesses, classified by industry sector, that will be subject to the proposed rule.
IC 5-28-2-6 defines a small business as a business entity that satisfies the following requirements:
(1) On at least fifty percent (50%) of the working days of the business entity occurring during the preceding calendar year, the business entity employed not more than one hundred fifty (150) employees.
(2) The majority of the employees of the business entity work in Indiana.
The rule applies to any entity that maintains electronic personal information. It would apply to most small businesses. It is not known how many of these maintain electronic personal information. Those that do are already subject to the requirements of IC 24-4.9-3-3.5. The rule does not bring any additional businesses into the scope of the statute.

2. Estimate of the average annual reporting, record keeping, and other administrative costs that small businesses will incur to comply with the proposed rule.
There will be no additional reporting, record keeping, or other administrative costs beyond those already incurred by data base owners complying with the statutory mandate of IC 24-4.9-3-3.5(c). The rule clarifies that data base owners must verify that they have complied with the statutory mandate to take corrective action, but it does not impose additional reporting requirements.

3. Estimate of the total annual economic impact that compliance with the proposed rule will have on all small businesses subject to the rule.
There will be no additional cost to comply with the rule, but taking appropriate steps to implement and maintain reasonable procedures can help businesses avoid catastrophic losses in the event of a data breach incident.

4. Statement justifying any requirement or cost that is imposed on small businesses by the rule and not expressly required by the statute authorizing the agency to adopt the rule or by any other state or federal law.
There are no requirements or costs imposed on small businesses by the rule other than those set out in statute. The rule creates certainty for small businesses by providing guidance for complying with the statute.

5. Regulatory Flexibility Analysis
Other factors considered:
A. Establishment of less stringent compliance or reporting requirements for small businesses.
The rule defines the requirements of the statute according to recognized industry and federal standards.
B. Establishment of less stringent schedules or deadlines for compliance or reporting requirements for small businesses.
The rule defines the requirements of the statute according to recognized industry and federal standards.
C. Consolidation or simplification of compliance or reporting requirements for small businesses.
The rule defines the requirements of the statute according to recognized industry and federal standards.
D. Establishment of performance standards for small businesses instead of design or operational standards imposed on other regulated entities by the rule.
The rule defines the requirements of the statute according to recognized industry and federal standards.
E. Exemption of small businesses from part or all of the requirements or costs imposed by the rule.
The rule defines the requirements of the statute according to recognized industry and federal standards.

Posted: 10/07/2020 by Legislative Services Agency

DIN: 20201007-IR-011200366EIA
Composed: May 05, 2024 10:02:01 AM EDT