Mandated Timeframe for Breach Reporting and/or Consumer Notification
Without unreasonable delay
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach and notification laws:
- up to $150,000 per deceptive act
None to minimal
Breach reporting should be made without unreasonable delay to the Attorney General.
The security breach laws cover computerized data and paper documents that were once maintained as computerized data.
If notification is required for more than 1,000 consumers, data owner must also disclose to each consumer reporting agency.
For violations of consumer notification and breach reporting, penalties could include the Attorney General seeking injunctive relief, a civil penalty up to $150,000 per deceptive act and award of the Attorney General’s reasonable costs for investigating and maintaining the action.
Penalties for violations relating to data protection may include injunctive relief, a civil penalty up to $5,000 per deceptive act, and an award of the Attorney General’s reasonable costs associated with the investigation and maintaining the action.
There is a separate data disposal law where violations could be considered a Class C infraction, or Class A infraction, for violations involving personal information of more than 100 customers or where a prior unrelated judgment for a violation exists.
If a vendor is breached, they must report it to the data owner. The data owner will be responsible to complete the reporting and consumer notification.
If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
Ind. Code Article 24-4.9 §§ 24-4.9-1 to 24-4.9-5-1 Disclosure of Security Breach
Ind. Code Article 24-4-14 §§ 24-4-14-1 to 24-4-14-8 Persons Holding a Customer’s Personal Information