Change to Indiana Data Breach Notification Law Shortens the Time Allowed for Issuing Notifications

The revised data breach notification law, HB 1351, will become effective in Indiana on July 1, 2022. The new law requires breach notifications to be sent within 45 days of identifying an exposure of the personally identifiable information (PII) of Indiana residents.

At the moment, the data breach notification requirement is for breach notifications to be issued without unreasonable delay. The change has been made to make sure that persons whose PII was compromised get prompt notification. When PII is exposed, individual notices must still be sent without unreasonable delay.

A delay is reasonable when one of these circumstances applies:

1) Notification needs to be held off to recover the functionality of computer systems

2) Notification needs to be postponed to find out the extent of the breach

3) The state attorney general or law enforcement requests that notifications be held off so that civil or criminal investigations aren’t impeded, or because notifications could put national security at risk.

In these cases, notifications should be given as soon as the reliability of computer systems has been recovered, when the scope of the breach is known, or when law enforcement or the state attorney general tells the breached entity that postponing notification is no longer needed because criminal/civil investigations will not be delayed or there is no longer a risk to national security.

The new legislation applies to breaches of the security of a system storing unencrypted PII, when PII is known to have been stolen or may have been stolen, and when encrypted PII is compromised or stolen and an unauthorized person might have gained access to the encryption key, permitting decryption of the data.

Personal information includes a Social Security number, a person’s first initial and last name, or first and last names, and one or more of the following data elements: state identification card number; driver’s license number; credit card number; financial account number or debit card number along with a password, security code, or access code.

Consumer reporting organizations should be informed when the breach impacts more than 1,000 Indiana residents. Breach reports should be sent to the state attorney general as well. Failure to adhere to the data breach notification requirements could lead to civil monetary penalties of as much as $150,000 issued by the state attorney general, as well as valid attorney general fees to cover investigating and maintaining the action.

Entities not affected by the new legislation include those that maintain their own data security procedures as part of an information privacy policy, security policy, or compliance plan according to:

  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The Gramm-Leach-Bliley Act
  • Executive Order 13224
  • The USA Patriot Act
  • The Fair Credit Reporting Act
  • The Driver Privacy Protection Act