Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- up to $150,000 per deceptive act

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Organizations must implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard personal information.
  • Organizations must have measures in place for the secure disposal of personal information.
  • Breach reporting must be made without unreasonable delay to the Attorney General.
  • The security breach laws cover computerized data and paper documents that were once maintained as computerized data.
  • If notification is required for more than 1,000 consumers, the breached Organization must also notify each consumer reporting agency.
  • Vendors must notify Organizations without delay after discovery of a breach or suspected breach. The Organization is responsible for completing any required regulatory reporting and consumer notification.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Organizations may be fined or penalized for Vendor violations.
  • For violations of consumer notification and breach reporting, penalties could include the Attorney General seeking injunctive relief, a civil penalty of up to $150,000 per deceptive act, and an award of the Attorney General’s reasonable costs for investigating and maintaining the action.
  • Improperly disposing of personal information is considered a deceptive act, and penalties of up to $5,000 per deceptive act can be imposed for violations.
Statutes and Laws
  • Ind. Code Article 24-4.9 §§ 24-4.9-1 to 24-4.9-5-1 Disclosure of Security Breach
  • Ind. Code Article 24-4-14 §§ 24-4-14-1 to 24-4-14-8 Persons Holding a Customer’s Personal Information
  • Ind. Code § 24-4.9-3 Disclosure and Notification Requirements
  • Ind. Code § 24-4.9-3-2 Notification of Data Base Owner
  • Ind. Code § 24-4.9-4-1 Failure to Disclose or Notify; Deceptive Act
  • Ind. Code § 24-4.9-4-2 Action by Attorney General