Can I store personal information about my customers in Indiana? What are the requirements?

Yes, you can store personal information about your customers in Indiana, but you must comply with the state’s laws and regulations regarding the collection, use, and disposal of personal information.

Relevant Laws and Regulations

The following laws and regulations are relevant to the storage of personal information of customers in Indiana:

• IC 24-4-14-8: This law requires that personal information of customers must be disposed of in a way that renders it illegible or unusable. If a person disposes of unencrypted, unredacted personal information of a customer without shredding, incinerating, mutilating, erasing, or otherwise rendering the information illegible or unusable, they commit a Class C infraction. However, the offense is a Class A infraction if the person violates this section by disposing of the unencrypted, unredacted personal information of more than one hundred (100) customers or has a prior unrelated judgment for a violation of this section.
• IC 4-1-6-2: This law requires that any state agency maintaining a personal information system must collect, maintain, and use only that personal information as is relevant and necessary to accomplish a statutory purpose of the agency. The law also requires that personal information maintained or disseminated from the system is accurate, complete, timely, and relevant to the needs of the state agency. Additionally, the law requires that personal information of a confidential nature must be segregated from that which is a matter of public record, and appropriate access controls must be established for all categories of personal information contained in the system.
• 760 INAC 1-67-10: This regulation limits the redisclosure and reuse of nonpublic personal financial information. If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution, the licensee’s disclosure and use of that information is limited. The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information. The licensee may also disclose and use the information pursuant to an exception in section 13 or 14 of this rule, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information. However, the licensee may not disclose that information to a third party for marketing purposes or use that information for its own marketing purposes.
• 760 INAC 1-67-12: This regulation provides an exception to opt-out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing. The opt-out requirements in sections 6 and 9 of this rule do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee provides the initial notice in accordance with section 3 of this rule and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information.

Additional Information

• Personal information is defined as “information that identifies an individual, including the individual’s name, address, telephone number, Social Security number, driver’s license number, and other identifying information” ^[1.2].
• If you collect personal information from customers, you may be required to provide an annual privacy notice to customers that accurately reflects your privacy policies and practices ^[2.1].
• There are other exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information ^[2.3].

To summarize, you can store personal information about your customers in Indiana, but you must comply with the state’s laws and regulations regarding the collection, use, and disposal of personal information. Additionally, if you collect personal information from customers, you may be required to provide an annual privacy notice to customers that accurately reflects your privacy policies and practices.

Source(s):

• [1.2] “Personal information”
• [2.1] Annual privacy notice to customers
• [2.3] Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information

Jurisdiction

Indiana

• Privacy