Indiana

Disclosure of Security Breach Act
CITATION Indiana Code: § 24-4.9 et seq.
SUMMARY After discovering or being notified of a breach of the security of data, the database owner must disclose the breach to an Indiana resident whose: (1) unencrypted personal information was or may have been acquired by an unauthorized person; or (2) encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key. Disclosure is required if the database owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception, identity theft, or fraud affecting the Indiana resident.
DATA COVERED

The law covers ‘Personal Information’ which is defined as any of the following items:

  1. Social Security number that is not encrypted or redacted; or
  2. Individual's first and last names, or first initial and last name, and one (1) or more of the following data elements that are not encrypted or redacted:
    1. Driver's license number;
    2. State identification card number;
    3. Credit card number; or
    4. Financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account.
INDUSTRY Applies to an entity or individual that owns or uses personal information of an Indiana resident for commercial purposes.
PENALTIES Only the Attorney General may bring an action for the failure to comply with the Act. A failure to make a required disclosure or notification in connection with a related series of breaches constitutes a deceptive act.

The Attorney General may bring an action to obtain any of the following: (1) An injunction to enjoin future violations; (2) A civil penalty of not more than one hundred fifty thousand dollars ($150,000) per deceptive act; (3) The Attorney General’s reasonable costs in investigation of the deceptive act and of maintaining the action.


Notice of Security Breach
CITATION Ind. Code §§ 4-1-11 et seq.
ENACTED 2005
SUMMARY This law applies to a ‘Breach of the Security of the System’, which is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state or local agency.
DATA COVERED

The law covers ‘Personal Information’ which is defined as an individual’s:

  1. First name and last name; or
  2. First initial and last name; and
  3. At least one of the following:
    1. Social Security number;
    2. Driver’s license number or identification card number;
    3. Account number, credit card number, debit card number, security code, access code, or password of an individual’s financial account.

The law exempts the last four digits of an individual’s Social Security number.

If the cost of providing the notice exceeds $250,000 or the number of persons is at least 500,000, then an alternative method of providing notice is allowed.

INDUSTRY

Any state agency that owns or licenses computerized data that includes personal information.

Any state agency that maintains computerized data that includes personal information that the state agency does not own if the personal information was or is reasonably believed to have been acquired by an unauthorized person.

PENALTIES No penalties provided by the Act.