Security Breach FAQ's & Notification Form for Businesses



Indiana's Security Breach Notification Statute: Indiana Code article 24-4.9


What is the significance of this law?

Indiana’s security breach notification statute, effective July 1, 2006, provides Indiana residents with the right to know when a security breach has resulted in the exposure of their personal information.


What types of security breaches are covered by this law?

A security breach is defined as an unauthorized acquisition of computerized data which compromises the security, confidentiality or integrity of personal information.  Breaches that involve paper documents that were once maintained as computerized data are also covered by this law.

What type of information is covered by this law?

Personal information means a social security number or an individual’s name in combination with any one or more of the following data elements: driver’s license number, account number, a state identification card number, a credit card number, a financial account number, or a debit card number in combination with any required security code.

What are the obligations of businesses or state agencies when a breach occurs?

The Security Breach Statute requires that the business notify:

(1) Affected consumers following discovery of the breach. The disclosure must be made without unreasonable delay and must be provided to the affected persons by one of the following methods: a) mailed written notice, b) telephone notification, c) Facsimile (fax), or d) electronic mail notice, if an email address is available.

(2) Consumer reporting agencies if more than 1,000 Indiana residents are to be notified. The contact information for the three nationwide consumer reporting agencies is as follows:


     Fraud Victim Assistance Department
    P.O. Box 2000 
    Chester PA 19016-2000

(3) The Attorney General’s office.  Failure to do so may result in penalties under the breach notification statute.  Use our security breach reporting form.  You can submit your breach notification to the Indiana Attorney General's Office by completing the printable Breach Notification Form and mailing or faxing the form to:

 Identity Theft Unit—Data Breach
Attorney General of Indiana
Indiana Government Center South, 5th Floor
302 West Washington Street
Indianapolis, IN 46204

Online Breach Notification Form

Printable Breach Notification Form

Are there any exceptions to the notification requirements?

The law also provides for substitute notice to consumers if the business demonstrates to the Attorney General that the cost of providing regular notice to Indiana residents would exceed $250,000 or that the affected class of Indiana residents exceeds 500,000.  Where substitute notice is used, it must consist of all of the following, as applicable: conspicuous posting on the entity’s web site, and notification to geographically relevant statewide media.

What are the penalties for violations of the Security Breach Notification Statute?

The Attorney General may seek injunctive relief against any business entity for violating the law. If the court finds that a business violated this article, the court may impose a civil penalty of not more than $150,000 per deceptive act and award the Attorney General’s reasonable costs for investigating and maintaining the action.

Indiana Code article 24-4.9

Identity Theft Unit—Data Breach
Attorney General of Indiana
Indiana Government Center South, 5th Floor
302 West Washington Street
Indianapolis, IN 46204

8825 Nelson B Klein Pkwy
Indianapolis, IN 46250