Language Translation
  Close Menu



Cyber Incident Reporting Law


Indiana lawmakers recently passed legislation that will increase the amount of information sharing regarding cyberattacks and other threats across state agencies and local government. This new law requires public-sector entities to report incidents such as ransomware, software vulnerability exploitations, denial-of-service attacks and more.

Which government entities are required to report cybersecurity incidents to the Indiana Office of Technology?

The following groups are required within 48 hours of discovery to report cybersecurity incidents to the Indiana Office of Technology:

Counties, municipalities, townships, school corporations, library districts, local housing authorities, fire protection districts, public transportation corporations, local building authorities, local hospital authorities or corporations, local airport authorities, special service districts, special taxing districts or other separate local governmental entities that may sue and be sued.

What are cybersecurity incidents?

A malicious or suspicious occurrence that consists of one or more of the categories of attack vectors:

  • Jeopardizes or may potentially jeopardize the confidentiality, integrity, or availability of an information system, an operational system or the information that such system processes, stores or transmits;
  • Jeopardizes or may potentially jeopardize the health and safety of the public; or
  • Violates security policies, security procedures or acceptable use policies.

Which attacks must be reported?

  • Ransomware - Malicious software designed to block access to a computer system until a sum of money is paid.
  • Business Email Compromise - Scams targeting organizations, government and other, who conduct wire transfers or electronic payments. The scheme leverages email accounts, either spoofed or compromised, of executives or high-level employees involved with wire transfer payments to do fraudulent transfers.
  • Vulnerability Exploitation - Vulnerabilities in a system component, including the operating system, software or application, which are leveraged to force the component to act in ways it’s not intended enabling unauthorized activities.
  • Zero-day exploitation - An unknown exploit that exposes a vulnerability in software or hardware. Zero-day exploits are leveraged by attackers before the vulnerability can be patched or fixed by the creator of the product.
  • Distributed Denial of Service - The intentional paralyzing of a computer network by flooding it with data sent simultaneously from many individual computers.
  • Website defacement - An attack on a website that changes the visual appearance of a website or a web page.

How do I report an incident if I am a government entity?

The law requires a primary contact for each governmental organization.  Organizations can provide multiple contacts as long as they are authorized to report incidents and receive any information resulting from incident reporting.

Sign up to be a point of contact for your organization here:

Report a cybersecurity incident here:  Go To Incident Reporting Form

Have questions? We’ve got you covered in our FAQs.