top of page

Indiana Data Breach Law

Indiana Code § 24-4.9 et seq

Enacted:  3.21.2006

Type of Data Covered: Any form of data. 

Is Breach Defined?

“Breach of the security of data” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person. The term includes the unauthorized acquisition of computerized data that have been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.

When is notice required?

Notice is required for all affected Indiana residents "whose: 1) unencrypted personal information was or may have been acquired by an authorized person; or 2) encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key; if the data base owner knows, should know, or should have known that the unauthorized acquisition... has resulted in or could result in identity deception, identity theft, or fraud affecting the Indiana resident." Data base owners required to report to over 1,000 residents must also report to consumer reporting agencies. The Attorney General should also receive notice if it is required to be given to residents. Notice is still expected within a reasonable time frame as long as there is not a compelling law enforcement or national security issue. 

What are the penalties for non-compliance?

Violations have their own section of the law, §24-4.9-3-3.5(e)-(g), which reads as follows: 

  • (e)  A person that knowingly or intentionally fails to comply with any provision of this section commits a deceptive act that is actionable only by the attorney general under this section.

  • (f)  The attorney general may bring an action under this section to obtain any or all of the following:

    • (1)  An injunction to enjoin further violations of this section.

    • (2)  A civil penalty of not more than five thousand dollars ($5,000) per deceptive act.

    • (3)  The attorney general’s reasonable costs in:

      • (A)  the investigation of the deceptive act; and

      • (B)  maintaining the action.

  • (g)  A failure to comply with subsection (c) or (d) in connection with related acts or omissions constitutes one (1) deceptive act.

bottom of page