Indiana passed HB 1351 in March 2022, amending Indiana’s data breach notification law. Indiana’s breach notification law, as currently drafted, requires entities to notify Indiana residents and the Indiana Attorney General of a breach of the security of data without unreasonable delay and consistent with any measures necessary to determine the scope of the breach and restore the integrity of the system; or if notification will no longer impede a criminal or civil investigation or jeopardize national security. HB 1351 narrows the timeline for these notifications: entities must make them without unreasonable delay, but no more than forty-five (45) days after the discovery of the breach. The amendment will be effective starting July 1, 2022.
All fifty states and American territories have enacted different data breach notification statutes, which require organizations to notify individuals when certain Personally Identifiable Information (“PII”) has been “breached” by an unauthorized individual (i.e., a threat actor). Generally, American states and territories define a “breach” under four scenarios:
- Unauthorized access to PII;
- Unauthorized acquisition of PII;
- Unauthorized access or acquisition of PII; or
- Unauthorized access and acquisition of PII.
Acquisition, otherwise described as exfiltration, is defined or understood to cover data that the attacker has downloaded or otherwise copied.
Access is defined to cover any data the attacker reviewed, regardless of whether the data was exfiltrated.
The definition of PII varies greatly by jurisdiction but generally includes an individual’s first and last name and/or first initial and last name and one or more categories of sensitive information (e.g., government-issued identification numbers, financial information, or medical information).
Similarly, the timeline in which organizations have to notify individuals varies greatly by jurisdiction. For example, in Maine, an organization must submit breach notifications to impacted individuals no more than 30 days after becoming aware of the breach and identifying its scope. Meanwhile, Connecticut requires organizations to notify impacted individuals no later than 90 days after discovery of such breach.
While Indiana’s change in the timeline for notification to no later than 45 days aligns Indiana with the general timeline of all fifty states and American territories, it also reflects the priorities of the Indiana Attorney General’s Office: to timely notify affected individuals. To ensure that your organization is prepared to timely respond and meet its notification obligations, as a preliminary matter, it is best to ensure that you have a detailed Incident Response Plan and that your organization has taken the time to conduct tabletop exercises to practice the implementation and test the effectiveness of your plan.