Revision to Indiana Data Breach Notification Law Shortens Time Frame for Notifications

On July 1, 2022, revised data breach notification laws (HB 1351) will be in force in Indiana that necessitates the issuance of notifications 45 days from the time of discovering a breach that affected the personally identifiable information (PII) of Indiana citizens.

Presently, the data breach notification conditions are for notifications to be given with no unreasonable delay. The revision has been made to make sure that those whose PII was exposed are given immediate notification. When PII is compromised, individual notifications ought to still be given without unreasonable delay.

A reasonable delay is whenever one of these situations applies:

1) It is required to postpone notification to reestablish the reliability of computer systems

2) It is needed to hold off notification to uncover the extent of the breach

3) Whenever the state attorney general or authorities request to postpone notifications to make certain criminal or civil investigations are not impeded, or whenever notifications can potentially endanger national security.

In these instances, notifications must be sent when the integrity of computer systems has been regained, when the scope of the breach is known, or whenever the authorities or the state attorney general notifies the breached entity that it’s no longer necessary to hold off notification as criminal/civil investigations won’t be impeded or there is no longer a danger to national safety.

The new regulation is applicable to breaches of the security of a network keeping unencrypted PII, whenever PII is identified to have been compromised or may have been stolen, and if encrypted PII is exposed or stolen and an unauthorized individual might have obtained access to the encryption key to enable decryption of information.

Personal information pertains to a Social Security number, someone’s first and last names, or first initial and last name, and at least one of the following data types: state ID card number; driver’s license number; financial account number; credit card number or debit card number together with a password, access code or security code.

Consumer reporting institutions need to be advised in case the breach has an effect on over 1,000 Indiana locals. Breach reports need to be provided to the state attorney general also. The inability to follow the data breach notification specifications could result in civil monetary fines of about $150,000 charged by the state attorney general and fair attorney general charges to cover investigating and retaining the activity.

Entities not impacted by the new rules include those that retain their own data security processes in a data security policy, privacy policy, or compliance plan as per:

  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The USA Patriot Act
  • The Gramm-Leach-Bliley Act
  • Executive Order 13224
  • The Fair Credit Reporting Act
  • The Driver Privacy Protection Act