Language Translation
  Close Menu

Security Breach FAQ's & Notification Form for Businesses

INDIANA'S SECURITY BREACH NOTIFICATION STATUTE: INDIANA CODE ARTICLE 24-4.9

WHAT IS THE SIGNIFICANCE OF THIS LAW?

Indiana’s security breach notification statute, effective July 1, 2006, provides Indiana residents with the right to know when a security breach has resulted in the exposure of their personal information.

WHAT TYPES OF SECURITY BREACHES ARE COVERED BY THIS LAW?

A security breach is defined as an unauthorized acquisition of computerized data which compromises the security, confidentiality or integrity of personal information. Breaches that involve paper documents that were once maintained as computerized data are also covered by this law.

WHAT TYPE OF INFORMATION IS COVERED BY THIS LAW?

Personal information means a social security number or an individual’s name in combination with any one or more of the following data elements: driver’s license number, account number, a state identification card number, a credit card number, a financial account number, or a debit card number in combination with any required security code.

WHAT ARE THE OBLIGATIONS OF BUSINESSES OR STATE AGENCIES WHEN A BREACH OCCURS?

The Security Breach Statute requires that the business notify:

  1. Affected consumers following the discovery of the breach. The disclosure must be made without unreasonable delay and must be provided to the affected persons by one of the following methods: a) mailed written notice, b) telephone notification, c) Facsimile (fax), or d) electronic mail notice, if an email address is available.
  2. Consumer reporting agencies if more than 1,000 Indiana residents are to be notified. The contact information for the three nationwide consumer reporting agencies is as follows:
  1. The Attorney General’s office. Failure to do so may result in penalties under the breach notification statute. Use our security breach reporting form. You can submit your breach notification to the Indiana Attorney General's Office by completing the printable Breach Notification Form and emailing it to DataBreach@atg.in.gov. Although not necessary, you may also mail or fax the form to (be sure to also include a sample or copy of the notice going to the affected individuals):
  • Data Privacy & Identity Theft Unit - Data Breach
    Attorney General of Indiana
    Indiana Government Center South, 5th Floor
    302 West Washington Street
    Indianapolis, IN 46204
    317-232-6201

Printable Breach Notification Form

Online Breach Notification Form

ARE THERE ANY EXCEPTIONS TO THE NOTIFICATION REQUIREMENTS?

The law also provides for substitute notice to consumers if the business demonstrates to the Attorney General that the cost of providing regular notice to Indiana residents would exceed $250,000 or that the affected class of Indiana residents exceeds 500,000. Where substitute notice is used, it must consist of all of the following, as applicable: conspicuous posting on the entity’s website, and notification to geographically relevant statewide media.

WHAT ARE THE PENALTIES FOR VIOLATIONS OF THE SECURITY BREACH NOTIFICATION STATUTE?

The Attorney General may seek injunctive relief against any business entity for violating the law. If the court finds that a business violated this article, the court may impose a civil penalty of not more than $150,000 per deceptive act and award the Attorney General’s reasonable costs for investigating and maintaining the action.

STATUTE CITATION
Indiana Code article 24-4.9

ATTORNEY GENERAL
Data Privacy & Identity Theft Unit
Attorney General of Indiana
Indiana Government Center South, 5th Floor
302 West Washington Street
Indianapolis, IN 46204
317-232-6201

FBI
Indianapolis
8825 Nelson B Klein Pkwy
Indianapolis, IN 46250
http://indianapolis.fbi.gov/
317-595-4000

SECRET SERVICE
Indianapolis
317-635-6420

Latest News

View More News