Can I avoid having a data breach response plan in Indiana? What are the requirements?
No, it is not possible to avoid having a data breach response plan in Indiana if you are a licensee. Indiana Code 27-2-27-20 mandates that a licensee must establish a written incident response plan as part of its information security program to promptly respond to and recover from any cybersecurity event [1.1].
Disclosure of breach
If a data breach occurs, the data base owner shall disclose the breach to an Indiana resident whose unencrypted personal information was or may have been acquired by an unauthorized person, or encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key, if the data base owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception, identity theft, or fraud affecting the Indiana resident [2.1].
Definition of “Breach of the security of data”
“Breach of the security of data” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person. The term includes the unauthorized acquisition of computerized data that have been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format [2.2].
Method of disclosure
A data base owner required to make a disclosure under this chapter shall make the disclosure using one of the following methods:
- mail;
- telephone;
- facsimile (fax); or
- electronic mail, if the data base owner has the electronic mail address of the affected Indiana resident.
If a data base owner required to make a disclosure under this chapter is required to make the disclosure to more than five hundred thousand (500,000) Indiana residents, or if the data base owner required to make a disclosure under this chapter determines that the cost of the disclosure will be more than two hundred fifty thousand dollars ($250,000), the data base owner required to make a disclosure under this chapter may elect to make the disclosure by using both of the following methods:
- conspicuous posting of the notice on the website of the data base owner, if the data base owner maintains a website; and
- notice to major news reporting media in the geographic area where Indiana residents affected by the breach of the security of a system reside [2.4].
Therefore, a data breach response plan is mandatory for a licensee in Indiana, and if a data breach occurs, the data base owner must disclose the breach to the affected Indiana resident(s) using one of the methods described above.
Source(s):
- [1.1] Incident response plan
- [2.1] Disclosure of breach
- [2.2] “Breach of the security of data”
- [2.4] Method of disclosure; exceptions
Jurisdiction
Indiana