Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- up to $150,000 per deceptive act

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting should be made without unreasonable delay to the Attorney General.
  • The security breach laws cover computerized data and paper documents that were once maintained as computerized data.
  • If notification is required for more than 1,000 consumers, data owner must also disclose to each consumer reporting agency.
  • For violations of consumer notification and breach reporting, penalties could include the Attorney General seeking injunctive relief, a civil penalty up to $150,000 per deceptive act and award of the Attorney General’s reasonable costs for investigating and maintaining the action.
  • Penalties for violations relating to data protection may include injunctive relief, a civil penalty up to $5,000 per deceptive act, and an award of the Attorney General’s reasonable costs associated with the investigation and maintaining the action.
  • There is a separate data disposal law where violations could be considered a Class C infraction, or Class A infraction, for violations involving personal information of more than 100 customers or where a prior unrelated judgment for a violation exists.
  • If a vendor is breached, they must report it to the data owner. The data owner will be responsible to complete the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • Ind. Code Article 24-4.9 §§ 24-4.9-1 to 24-4.9-5-1 Disclosure of Security Breach
  • Ind. Code Article 24-4-14 §§ 24-4-14-1 to 24-4-14-8 Persons Holding a Customer’s Personal Information
BAck to map