|Disclosure of Security Breach Act|
|CITATION||Indiana Code: § 24-4.9 et seq.|
|SUMMARY||After discovering or being notified of a breach of the security of data, the data base owner must disclose the breach to an Indiana resident whose: unencrypted personal information was or may have been acquired by an unauthorized person; or encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key; if the database owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception, identity theft, or fraud affecting the Indiana resident.|
The law covers ‘Personal Information’ which is defined as any of the following items:
|INDUSTRY||Applies to an entity or individual that owns or uses personal information of an Indiana resident for commercial purposes.|
|PENALTIES||Only the Attorney General may bring an action for the failure to comply with the Act. A failure to make a required disclosure or notification in connection with a related series of breaches constitutes a deceptive act.
The Attorney General may bring an action to obtain any of the following: (1) An injunction to enjoin future violations; (2) A civil penalty of not more than one hundred fifty thousand dollars ($150,000) per deceptive act; (3) The Attorney General’s reasonable costs in investigation of the deceptive act and of maintaining the action.
|Notice of Security Breach|
|CITATION||Ind. Code §§ 4-1-11 et seq.|
|SUMMARY||This law applies to a ‘Breach of the Security of the System’, which is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state or local agency.|
The law covers ‘Personal Information’ which is defined as an individual’s:
The law exempts the last four digits of an individual’s Social Security number.
If the cost of providing the notice exceeds $250,000 or the number of persons is at least 500,000, then an alternative method of providing notice is allowed.
Any state agency that owns or licenses computerized data that includes personal information.
Any state agency that maintains computerized data that includes personal information that the state agency does not own if the personal information was or is reasonably believed to have been acquired by an unauthorized person.
|PENALTIES||No penalties provided by the Act.|