Effective July 1, 2022, owners of personally identifiable information on residents of Indiana must provide notice of a data breach no later than 45 days after discovering of the breach. Currently, Indiana’s data breach law requires notice of a breach “without unreasonable delay.” When the amendment goes into effect in July, the 45-day period will be the latest that notice can be given.
The current law’s list of circumstances under which a delay is “reasonable” will continue to apply. Those circumstances include if the delay is “(1) necessary to restore the integrity of the computer system; (2) necessary to discover the scope of the breach; or (3) in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will: (A) impede a criminal or civil investigation; or (B) jeopardize national security.”
If one of these circumstances apply, notice of the breach is required as soon as possible after “(1) delay is no longer necessary to restore the integrity of the computer system or to discover the scope of the breach; or (2) the attorney general or a law enforcement agency notifies the person that delay will no longer impede a criminal or civil investigation or jeopardize national security.” Presumably the 45-day maximum effective July 1, 2022 will not apply in the event of a law enforcement delay.
Companies experiencing a data breach, however, must keep this 45-day period in mind and work expeditiously to identify the scope of the breach and restore their systems. “Personal information” under the Indiana statute covers (1) a Social Security Number that is not encrypted or redacted; or (2) an individual’s first name (or first initial) and last name plus one or more of the following data elements that are not encrypted or redacted: driver’s license number; state identification card number; credit card number; and a financial account number or debit card number in combination with a security code, access code or password.
About Data Points: Privacy & Data Security Blog
The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.
Data Points: Privacy & Data Security Blog Updates
- The Consumer Financial Protection Bureau Stakes Out Its Enforcement Authority Over Unfair Information Security Practices
- Maryland Amendments to Data Security and Breach Notification Law
- The Devil Really is in the Details: The SEC Proposed Rule on Cybersecurity Risk Management for Investment Advisors, Registered Investment Companies and BDCs
- Will the U.S. Finally Pass Comprehensive Data Privacy Legislation?