Indiana

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: No
Deadline for Consumer Notice: No later than 45 days
Government Notification Required: Yes

Ind. Code §§ 24-4.9-1 to -24-4.9-5

Scope of this Summary:

Notification requirements applicable to any persons that own or license covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.

Risk of Harm Threshold

Notification not required if the breach has not resulted in and could not result in identity deception, identity theft, or fraud.

Breach Defined

Unauthorized acquisition that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.

Encryption Safe Harbor

Statute does not apply to information that is encrypted or redacted so long as encryption key was not accessed or acquired.

Form of Covered Info

Electronic or tangible medium (paper, microfilm, etc.) if transferred from computerized data.

Covered Info

  • A Social Security number
  • An individual's first and last names, or first initial and last name, and one or more of the following data elements:
    • A driver's license number.
    • A state identification card number.
    • A credit card number.
    • A financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account.

Consumer Notice Timing

Must be made without unreasonable delay but not more than 45 days after the discovery of the breach, consistent with measures necessary to restore the integrity of the system or necessary to discover the scope of the breach.

Consumer Notice Method

By mail, telephone, fax, or email. Substitute notice is available if certain criteria are satisfied.

Consumer Notice Content

Content of notice undefined.

Delayed Notice

Notification may be delayed if law enforcement or the Attorney General requests delay because disclosure will impede a criminal or civil investigation or jeopardize national security.

Government Notice

If notice provided to one or more residents, must also notify the Indiana Attorney General within 45 days.

Consumer Reporting Agency Notice

If more than 1,000 residents are notified, must notify all Consumer Reporting Agencies with information necessary to assist the CRA to prevent fraud, including the types of covered info affected by the breach.

Exceptions for Other Laws

The statute exempts database owners that maintain data security procedures as part of an information security policy as stringent as the statute's disclosure requirements or in compliance with the following federal laws:

  • The USA PATRIOT Act.
  • Executive Order 13224 (66 Fed. Reg. 49,079 (Sept. 23, 2001)).
  • The Driver's Privacy Protection Act (18 U.S.C. § 2721).
  • The Fair Credit Reporting Act (FCRA).
  • The Gramm-Leach-Bliley Act (GLBA).
  • The Health Insurance Portability and Accountability Act (HIPAA).

Third-Party Notice

If you maintain covered info on behalf of another entity, you must notify it following discovery of a breach.

Private Right of Action

The Indiana general breach notification statute is silent on an individual's private right of action for violations.

Potential Penalties

Violations may result in civil penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on June 15, 2023