Indiana Amends Its Data Breach Notification Law

Written by: Brock Wolf, Esq.

Indiana Governor Eric Holcomb signed into law an amendment to Indiana’s data breach notification statute. The amendment, which takes effect on July 1, 2022, implements a forty-five (45) day deadline for reporting a breach to affected individuals and the Indiana Attorney General.

Indiana’s breach notification law now requires entities to notify individuals, “without reasonable delay, but not more than forty-five (45) days after the discovery of the breach.” As previously provided by Indiana’s notification statute, a delay is reasonable if it is:

1. 1. 1. necessary to restore the integrity of the computer system;
      2. necessary to discover the scope of the breach; or
      3. in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will:
         • impede a criminal or civil investigation; or
         • jeopardize national security.

Indiana joins eleven (11) other states in requiring notice be provided within forty-five (45) days after discovery of a breach. As the July 1 effective date approaches, entities doing business in Indiana should be mindful of this timing notification change.