Indiana Privacy Laws

Breach Notification

Mandated Timeframe

Without unreasonable delay

Fines & Penalties

Violations

Up to $150,000 per deceptive act

REGULATION LEVELS

Breach Reporting Consumer Notifications
Vendor Management Vendor Contract Required
LEVEL DESCRIPTION
Minimal Basic Comprehensive Extensive
LAWS RELATED TO PERSONAL INFORMATION
Regulated Breach Reporting

Breach Reporting Requirements

Consumer Notification Requirements

Vendor Notification of Breach

Vendor Requirements

Vendor Specific Obligations

Vendor Mandated Contracts

Privacy Program Requirements

Protection/Security

Employee Training

Vendor Protection/Security Program

Personal Information Protection

Data Disposal of Personal Information

Breach Notification

Mandated Timeframe

Without unreasnable delay

Fines & Penalties

Violations

Up to $150,000 per deceptive act

REGULATION LEVELS

Breach
Reporting
Consumer
Notifications
Vendor
Management
Vendor
Contract Required
LEVEL DESCRIPTION
Minimal Basic Comprehensive Extensive
LAWS RELATED TO PERSONAL INFORMATION
Regulated Breach Reporting

Breach Reporting Requirements

Consumer Notification Requirements

Vendor Notification of Breach

Vendor Requirements

Vendor Specific Obligations

Vendor Mandated Contracts

Privacy Program Requirements

Protection/Security

Employee Training

Vendor Protection/Security Program

Personal Information Protection

Data Disposal of Personal Information

Breach Notification

Mandated Timeframe

Without unreasonable delay

Fines & Penalties

Violations

Up to $150,000 per deceptive act

REGULATION LEVELS

Breach
Reporting
Consumer
Notifications
Vendor
Management
Vendor
Contract Required
LEVEL DESCRIPTION
Minimal Basic Comprehensive Extensive
LAWS RELATED TO PERSONAL INFORMATION
Regulated Breach Reporting

Breach Reporting Requirements

Consumer Notification Requirements

Vendor Notification of Breach

Vendor Requirements

Vendor Specific Obligations

Vendor Mandated Contracts

Privacy Program Requirements

Protection/Security

Employee Training

Vendor Protection/Security Program

Personal Information Protection

Data Disposal of Personal Information

Quick Facts

Indiana Privacy Law Information

  • Privacy Program

    Organizations must implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard personal information. Organizations must have measures in place for the secure disposal of personal information. The security breach laws cover computerized data and paper documents that were once maintained as computerized data.

  • Breach Reporting

    Breach reporting must be made without unreasonable delay to the Attorney General. If notification is required for more than 1,000 consumers, the breached Organization must also notify each consumer reporting agency.

  • Consumer Notification

    If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

  • Vendor/Third Parties

    Vendors must notify Organizations without delay after the discovery of a breach or suspected breach. The Organization will be responsible to complete any required regulatory reporting and consumer notification.

  • Industry Specific Laws

    Indiana passed the Insurance Data Security Law, which includes requirements for Insurance licensees to protect personal information and investigate and respond to breaches of security. Effective March 18, 2020, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days. Indiana passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security, Effective March 19, 2020, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.

  • Fines & Penalties

    Organizations may be fined or penalized for Vendor violations. For violations of consumer notification and breach reporting, penalties could include the Attorney General seeking injunctive relief, a civil penalty up to $150,000 per deceptive act, and award of the Attorney General’s reasonable costs for investigating and maintaining the action. Improperly disposing of personal information is considered a deceptive act, and penalties for violations can be imposed up to $5,000 per deceptive act.

Indiana

Statutes and Laws

IND. CODE § 24-4.9-3

Disclosure and notification requirements

IND. CODE § 24-4.9-3-2

Notification of data base owner

IND. CODE § 24-4.9-4-1

Failure to disclose or notify; deceptive act

IND. CODE § 24-4.9-4-2

Action by attorney general

IND. CODE §§ 27-2-27-1 – 27-2-27-32

Insurance Data Security

IND. CODE ARTICLE 24-4-14-1 TO 24-4-14-8

Persons holding a customer’s personal information