IC 24-4.9-3-1
Disclosure of breach
Sec. 1. (a) Except as provided in section 4(c), 4(d), and 4(e) of
this chapter, after discovering or being notified of a breach of the
security of a system, the data base owner shall disclose the breach to
an Indiana resident whose:
(1) unencrypted personal information was or may have been
acquired by an unauthorized person; or
(2) encrypted personal information was or may have been
acquired by an unauthorized person with access to the
encryption key;
if the data base owner knows, should know, or should have known
that the unauthorized acquisition constituting the breach has resulted
in or could result in identity deception (as defined in IC 35-43-5-3.5),
identity theft, or fraud affecting the Indiana resident.
(b) A data base owner required to make a disclosure under
subsection (a) to more than one thousand (1,000) consumers shall
also disclose to each consumer reporting agency (as defined in 15
U.S.C. 1681a(p)) information necessary to assist the consumer
reporting agency in preventing fraud, including personal information
of an Indiana resident affected by the breach of the security of a
system.
As added by P.L.125-2006, SEC.6.
IC 24-4.9-3-2
Notification of data base owner
Sec. 2. A person that maintains computerized data but that is not
a data base owner shall notify the data base owner if the person
discovers that personal information was or may have been acquired
by an unauthorized person.
As added by P.L.125-2006, SEC.6.
IC 24-4.9-3-3
Delay of disclosure or notification
Sec. 3. (a) A person required to make a disclosure or notification
under this chapter shall make the disclosure or notification without
unreasonable delay. For purposes of this section, a delay is
reasonable if the delay is:
(1) necessary to restore the integrity of the computer system;
(2) necessary to discover the scope of the breach; or
(3) in response to a request from the attorney general or a law
enforcement agency to delay disclosure because disclosure will:
(A) impede a criminal or civil investigation; or
(B) jeopardize national security.
(b) A person required to make a disclosure or notification under
this chapter shall make the disclosure or notification as soon as
possible after:
IC 24-4.9-3-4
Method of disclosure; exceptions
Sec. 4. (a) Except as provided in subsection (b), a data base owner
required to make a disclosure under this chapter shall make the
disclosure using one (1) of the following methods:
(1) Mail.
(2) Telephone.
(3) Facsimile (fax).
(4) Electronic mail, if the data base owner has the electronic
mail address of the affected Indiana resident.
(b) If a data base owner required to make a disclosure under this
chapter is required to make the disclosure to more than five hundred
thousand (500,000) Indiana residents, or if the data base owner
required to make a disclosure under this chapter determines that the
cost of the disclosure will be more than two hundred fifty thousand
dollars ($250,000), the data base owner required to make a disclosure
under this chapter may elect to make the disclosure by using both of
the following methods:
(1) Conspicuous posting of the notice on the web site of the
data base owner, if the data base owner maintains a web site.
(2) Notice to major news reporting media in the geographic area
where Indiana residents affected by the breach of the security
of a system reside.
(c) A data base owner that maintains its own disclosure
procedures as part of an information privacy policy or a security
policy is not required to make a separate disclosure under this
chapter if the data base owner's information privacy policy or
security policy is at least as stringent as the disclosure requirements
described in:
(1) sections 1 through 4(b) of this chapter;
(2) subsection (d); or
(3) subsection (e).
(d) A data base owner that maintains its own disclosure
procedures as part of an information privacy, security policy, or
compliance plan under:
(1) the federal USA Patriot Act (P.L. 107-56);
(2) Executive Order 13224;
(3) the federal Driver's Privacy Protection Act (18 U.S.C. 2781
et seq.);
(4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.);
(5) the federal Financial Modernization Act of 1999 (15 U.S.C.
6801 et seq.); or