Can you summarize IC 4-1-11?
MISCELLANEOUS PROVISIONS > Notice of Security Breach
Short Summary
This chapter covers breaches of the security of the system and the disclosure of such breaches by state agencies. It defines ‘breach of the security of the system’ as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state or local agency. The term does not include the good faith acquisition of personal information by an agency or employee for agency purposes, as long as the information is not used or further disclosed without authorization. It also excludes the unauthorized acquisition of a password-protected portable electronic device.
The chapter defines ‘personal information’ as an individual’s name along with certain data elements such as Social Security number, driver’s license number, or financial account information. It excludes the last four digits of a Social Security number and publicly available information from federal or local agency records.
State agencies must disclose a breach of the security of the system to affected state residents whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. The disclosure should be made without unreasonable delay and in accordance with the legitimate needs of law enforcement and the measures necessary to determine the scope of the breach and restore data system integrity. If a state agency maintains personal information it does not own, it must notify the owner or licensee of the information immediately following discovery of a breach. Notification may be delayed if it would impede a criminal investigation, but it must be made once it would no longer compromise the investigation.
The notice can be provided in writing or electronically if the individual has provided their email address. In cases where the cost of providing notice is high, the number of affected persons is large, or there is insufficient contact information, alternate forms of notice such as posting on the agency’s website or notification to major statewide media may be used. If notice is required for more than one thousand individuals, consumer reporting agencies must also be notified. The chapter does not specify any penalties for non-compliance or violation of its provisions.
Whom does it apply to?
State agencies, state residents, owners or licensees of personal information
What does it govern?
Breach of the security of the system, disclosure of a breach of the security of the system
What are the exemptions?
Good faith acquisition of personal information by an agency or employee of the agency for agency purposes, unauthorized acquisition of a portable electronic device with password protection
What are the penalties?
No specific penalties mentioned
Jurisdiction
Indiana