Organizations must implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard personal information. Organizations must have measures in place for the secure disposal of personal information. The security breach laws cover computerized data and paper documents that were once maintained as computerized data.

Breach reporting must be made within 45 days after discovery to the Attorney General. If notification is required for more than 1,000 consumers, the breached Organization must also notify each consumer reporting agency.

If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Vendors must notify Organizations without delay after the discovery of a breach or suspected breach. The Organization will be responsible to complete any required regulatory reporting and consumer notification.

Indiana passed the Insurance Data Security Law, which includes requirements for Insurance licensees to protect personal information and investigate and respond to breaches of security. Effective March 18, 2020, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.

Organizations may be fined or penalized for Vendor violations. For violations of consumer notification and breach reporting, penalties could include the Attorney General seeking injunctive relief, a civil penalty up to $150,000 per deceptive act, and award of the Attorney General’s reasonable costs for investigating and maintaining the action. Improperly disposing of personal information is considered a deceptive act, and penalties for violations can be imposed up to $5,000 per deceptive act.