Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

INDIANA DATA PRIVACY REGULATIONS

Did You Know?

 
  • Computerized data includes data transferred to paper, microfiche, etc.
  • Database owners are responsible for reporting and notifications
  • Reporting to state attorney general
  • Reporting to consumer reporting agencies
  • Noncompliance constitutes a deceptive act. Penalties up to $150,000, enjoinment, etc.
  • Laws also cover PII data protection and disposal to prevent a breach

Who Me?

 

Indiana breach and notification laws may apply if you:

  • Own or license computerized data that includes PII
  • Maintain computerized data that includes PII but do not own or license it

There are exemptions.

Other state or federal laws, industry regulations, and/or out-of-country laws may apply.

What is PII?

 

PII relevant to a breach in Indiana includes:

  • Unsecured Social Security Number
  • An individual's name with one or more of the following:
    • Driver license or identification number
    • Account number or credit or debit card number in combination with any security code, access code or password, etc. permitting access to the person's financial account

LAWS

APPLICABLE LAW

A few applicable statutes include, but are not limited to:

IC 24 / Title 24. Trade Regulation / IC 24-4 - Article 4. Regulated Businesses / Article 4.9. Disclosure Of Security Breach / IC 24-4.9-1 to 24-4.9-5-1

RELATED LAW

A few related statutes include, but are not limited to:

  • IC 24 / Title 24. Trade Regulation / IC 24-4 - Article 4. Regulated Businesses / Chapter 14. Persons Holding a Customer's Personal Information / IC 24-4-14-1 to 24-4-14-8;
  • IC 24 / Title 24. Trade Regulation / IC 24-4 - Article 4. Regulated Businesses / Article 4.9. Disclosure Of Security Breach / IC 24-4.9-3-3.5 Duties of a data base owner; exceptions; enforcement powers

PENALTIES

COMPLIANCE PENALTIES

Failure to give notification or to comply with any other part of the applicable statute is a deceptive act, actionable by the attorney general, who may bring an action or obtain an injunction to enjoin future violations, a penalty of up to $150,000, and reasonable costs.

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

Factors to consider when assessing reporting requirements include, but are not limited to:

  • The combination of personal information breached;
  • If the data was encrypted or redacted;
  • Whether a key, password, etc., was obtained or compromised;
  • If it was acquired by an unauthorized person;
  • If identity deception, identity theft, or fraud may affect the Indiana resident.

TIME LIMITS

The notification may be delayed if law enforcement or the state attorney general indicates the notification may impede an investigation or jeopardize national security. Otherwise, notification is required without unreasonable delay.

The state attorney general must be notified if notification is required. Incidents >1,000 require notification to consumer reporting agencies with specific information.

CONSUMER NOTIFICATION

Requires detailed information and potential provision of services

The notification may be provided via mail, telephone, fax, or sent electronically if the data base owner has the email address of the affected Indiana resident.

A substitute notice, with specific requirements, may be sent if the cost of the notice exceeds $250,000 or the number of persons to be notified exceeds 500,000.
