This year, Indiana joined several other states in passing a comprehensive consumer privacy law, which becomes operative on January 1, 2026. Like other consumer privacy laws, Indiana’s law requires businesses to establish reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data, which implicates cybersecurity concerns. However, the privacy law is not the only data protection/cybersecurity law in Indiana.

Data Breach Notification for All Businesses

Indiana passed a security breach notification statute in 2006, which provides Indiana residents with the right to know about a security breach that has resulted in the exposure of their personal information.

Under the law, personal information includes a Social Security number, or an individual’s name in combination with any one or more of the following data elements: driver’s license number, account number, a state identification card number, a credit card number, a financial account number, or a debit card number in combination with any required security code.

In the event of a breach, the business must notify affected consumers, consumer reporting agencies (if more than one thousand consumers are impacted), and the Attorney General’s office.

In 2022, the state modified the statute to require notification without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.

Reasonable Procedures to Secure

Under the state’s data breach notification requirements, database owners are required to maintain their own data security procedures in compliance with federal statutes. Moreover, they must implement and maintain reasonable procedures, including taking appropriate corrective action, to protect and safeguard any personal information from unlawful use or disclosure.

Cyber Incident Reporting for Public Entities

In 2021, Indiana adopted a Cyber Incident Reporting Law to empower the Indiana Office of Technology to coordinate warning and preparation efforts to avoid and combat cybersecurity threats.

Under the law, public sector entities must report incidents such as ransomware, software vulnerability exploitations, denial of service attacks, and more to the Office of Technology within 48 hours of discovery. This law covers counties, municipalities, townships, school corporations, library districts, local housing authorities, fire protection districts, public transportation corporations, local building authorities, local hospital authorities or corporations, local airport authorities, special service districts, special taxing districts, or other separate local governmental entities.

Data Destruction

Indiana also has specific requirements for the protection of data when disposing of it. Under the statute, a person who disposes of the unencrypted, unredacted personal information of a customer without shredding, incinerating, mutilating, erasing, or otherwise rendering the information illegible or unusable commits a Class C infraction. Class C infractions carry a $500 fine. However, the offense is a Class A infraction if:

(1) the person violates this section by disposing of the unencrypted, unredacted personal information of more than one hundred (100) customers; or

(2) the person has a prior unrelated judgment for a violation of this section.

A Class A infraction can carry up to a $10,000 fine.

Further State Resources

The State of Indiana has also established a Cybersecurity Hub with resources for public and private entities, including practical guidance.

If you have questions about cybersecurity or related issues, contact a member of our Privacy, Data, and Cybersecurity practice group.

Dorothy Parson McDermott

Dorothy “Dottie” Parson McDermott is a principal in the Indianapolis, Indiana, office of Jackson Lewis P.C. She concentrates her practice in the defense of complex ERISA litigation, single plaintiff ERISA cases, civil rights and employment-related claims.

Dottie defends ERISA 401(k) Plan class actions. She also has experience defending and dealing with defined benefit plan administration and complex Taft-Hartley-multi-employer plan issues. She has litigated sophisticated ERISA preemption issues and defended benefit claims in the LTD Plan, welfare plan, and pension plan areas. Her ERISA clients include fiduciaries, trustees, service providers, ERISA plans, plan administrators, claim administrators, third-party service providers, managed care entities, Taft-Hartley-multiemployer funds, and employers in a wide variety of employee benefits litigation issues nationwide. She additionally advises employers and plan administrators regarding administration of qualified retirement and welfare benefit plans, particularly processing internal claims and appeals. She is a member of the Employee Benefits Committee, Section of Labor & Employment Law, ABA. She is also a member of the ERISA focused DRI Life, Health and Disability Committee. Finally, she is a member of the American Health Lawyers Association.

Dottie also defends employers and management in federal and state courts and before administrative entities (EEOC, Indiana and U.S. Department of Labor, and similar state agencies) in matters ranging from ADA, ADEA, COBRA, FMLA, Title VII, Section 1981, the Indiana Wage Payment and Claims statutes, covenant not to compete/trade secret, and wrongful termination claims. Additionally, she participates in internal FLSA audits on behalf of employers, and the defense of FLSA class action litigation. Dottie further advises employers and management on human resource issues, reductions in force, employee handbooks, policies, severance agreements, EEO training, and workplace violence prevention restraining orders. She also leads internal corporate investigations regarding claims of sexual harassment and discrimination. Moreover, she provides analysis and guidance regarding drug testing laws and medical marijuana/marijuana-related legislation impacting employers in numerous states across the United States.

Mary T. Costigan

Mary T. Costigan is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a core member of the firm’s Privacy, Data and Cybersecurity practice group. She holds a Certified Information Privacy Professional/US designation from the International Association of Privacy Professionals (iapp).

Mary advises regional, national and multinational clients across various industries on data privacy and cybersecurity laws and best practices including employee monitoring, internet privacy, biometric data collection, artificial intelligence, the California Consumer Privacy Act (CCPA), HIPAA, and the EU General Data Protection Regulation.

Mary has extensive experience helping clients respond to cybersecurity incidents including ransomware attacks.