This year, Indiana joined several other states to pass a comprehensive consumer privacy law, that becomes operative on January 1, 2026. Like other consumer privacy laws, Indiana’s law requires businesses to establish reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data, which implicates cybersecurity concerns. However, the privacy law is not the only data protection/cybersecurity law in Indiana.  

Data Breach Notification for All Businesses

Indiana passed a security breach notification statute in 2006, which provides Indiana residents with the right to know about a security breach that has resulted in the exposure of their personal information.

Under the law, personal information includes social security number or an individual’s name in combination with any one or more of the following data elements: driver’s license number, account number, a state identification card number, a credit card number, a financial account number, or a debit card number in combination with any required security code.

In the event of a breach the business must notify affected consumers, consumer reporting agencies (if more than one thousand consumers are impacted) and the Attorney General’s office.

In 2022, the state modified the statute to require notification without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.

Reasonable Procedures to Secure

Under the state’s data breach notification requirements, database owners are required to maintain their own data security procedures in compliance with federal statutes. Moreover, they must implement and maintain reasonable procedures, including taking appropriate corrective action to protect and safeguard from unlawful use or disclosure of any personal information.

Cyber Incident Reporting for Public Entities

In 2021, Indiana adopted a Cyber Incident Reporting Law, to empower the Indiana Office of Technology to coordinate warning and preparation efforts to avoid and combat cybersecurity threats.

Under the law, public sector entities must report incidents such as ransomware, software vulnerability exploitations, denial of service attacks, and more within 48 hours of discovery to the Office of Technology. This law covers counties, municipalities, townships, school corporations, library districts, local housing authorities, fire protection districts, public transportation corporations, local building authorities, local hospital authorities or corporations, local airport authorities, special service districts, special taxing districts, or other separate local governmental entities.

Data Destruction

Indiana also has specific requirements for the protection of data when disposing of it. Under the statute, a person who disposes of the unencrypted, unredacted personal information of a customer without shredding, incinerating, mutilating, erasing, or otherwise rendering the information illegible or unusable commits a Class C infraction. Class C infractions carry a $500 fine. However, the offense is a Class A infraction if:

(1) the person violates this section by disposing of the unencrypted, unredacted personal information of more than one hundred (100) customers; or

(2) the person has a prior unrelated judgment for a violation of this section.

A Class A infraction can carry up to a $10,000 fine.

Further State Resources

The State of Indiana has also established a Cybersecurity Hub with resources for public and private entities, that includes practical guidance.

If you have questions about cybersecurity or related issues contact a member of our Privacy, Data, and Cybersecurity practice group.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dorothy Parson McDermott Dorothy Parson McDermott

Dorothy “Dottie” McDermott is a principal in the Indianapolis, Indiana, office of Jackson Lewis P.C. She oversees defense of demand letters, charges, litigations and advice and counsel across Jackson Lewis’s nationwide footprint of offices, making portfolio management easier for in-house counsel and leadership…

Dorothy “Dottie” McDermott is a principal in the Indianapolis, Indiana, office of Jackson Lewis P.C. She oversees defense of demand letters, charges, litigations and advice and counsel across Jackson Lewis’s nationwide footprint of offices, making portfolio management easier for in-house counsel and leadership across jurisdictions. Clients ranging from Fortune 500 companies to small family-owned businesses, in-house counsel, and members of human resources and management teams appreciate Dottie’s sage and practical input as she aligns proposed defense and resolution strategies with business goals and objectives.

Dottie has more than 20 years of experience defending employers of all sizes, human resources professionals, and management teams in the defense of civil rights and employment-related claims and complex ERISA litigation, single plaintiff ERISA cases. This includes matters before federal and state courts and administrative entities involving claims of discrimination, harassment, wrongful termination and/or retaliation under the ADA, ADEA, COBRA, Equal Pay Act, FMLA, GINA, Title VII, Section 1981, and USERRA. Additionally, she participates in internal FLSA audits on behalf of employers, and the defense of FLSA and ERISA 401(k) collective and class action litigation and defense of other wage hour claims.

Dottie also advises employers and management on human resource issues, background checks and the FCRA, reductions in force and WARN compliance, employee handbooks, policies, severance agreements, EEO training, drug testing issues and workplace violence prevention restraining orders. She also leads internal corporate investigations regarding claims of sexual harassment and discrimination.

Photo of Mary T. Costigan Mary T. Costigan

Mary T. Costigan is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a core member of the firm’s Privacy, Data and Cybersecurity practice group. She holds a Certified Information Privacy Professional/US designation from the International Association of…

Mary T. Costigan is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a core member of the firm’s Privacy, Data and Cybersecurity practice group. She holds a Certified Information Privacy Professional/US designation from the International Association of Privacy Professionals (iapp).

Mary advises regional, national and multinational clients across various industries on data privacy and cybersecurity laws and best practices including employee monitoring, internet privacy, biometric data collection, artificial intelligence, the California Consumer Privacy Act (CCPA), HIPAA, and the EU General Data Protection Regulation.

Mary has extensive experience helping clients respond to cybersecurity incidents including ransomware attacks.