Indiana Adopts Data Security Breach Notification Law

Public Law 125 goes into effect on July 1, 2006. It contains two provisions that are important for Indiana businesses:

• A data security breach notification law requirement; and
• A requirement that companies destroy customers' personal information when materials containing such data are discarded.

Indiana joins over 20 other jurisdictions in requiring data owners (generally, those who collect certain data about individuals that, if improperly used, could lead to identity theft) to notify their customers when a third party obtains unauthorized access to the data.

Data owners will need to comply with the notification statutes enacted in all of the jurisdictions where their affected customers live. While many states' laws are similar, many states' statutes have unique provisions. Therefore, each state's law that applies needs to be carefully considered so that the notice delivered will be in compliance.

The notice must be prompt. Some states require the data owner to notify consumer reporting agencies, and some require notice to law enforcement. For breaches affecting large numbers of people or when individual notice would be very expensive to accomplish, delivering notice to major news reporting media and posting the notice on the data owner's website can be a substitute for individual notice. In Indiana, the Attorney General has enforcement authority.

What You Can Do Today to Prepare for a Data Security Breach

Because notice must be delivered quickly, companies should develop an action plan in advance. Consider:

• How you collect and store your
  customers' personal data (many states' notification laws do not apply to encrypted data);
• Whether your privacy policies are up to date;
• How your company would want to respond to your customers in the event of a breach (Would you send individual notices? Would you want to provide any perks to your affected customers, like a toll-free hotline, free credit report monitoring?);
• Developing a public relations crisis plan, including strategies on whether you would issue a press release to the media (consider media outlets besides the local paper, like local business journals, on-line bulletin boards, and certain blogs); and
• Having a data security breach notification kit on hand, with a template for a notice letter that complies with all state laws on the topic, relevant web sites and governmental materials for reference.

Many of these decisions will be fact dependent and you won't be able to make final choices before the fact - but you will be ahead of the game when you are faced with a crisis. The goal of a preparedness plan is to enable your company to make quick decisions when disaster strikes.

Responding After a Breach

After a breach, data owners carefully should determine:

• What information was accessed;
• Who the hackers were and where they were located;
• When the breach occurred (and there may have been more than one); and
• How many customers were affected?

Next steps:

• Fix the problem / secure the data;
• Evaluate applicable state laws;
• Notify credit card issuers;
• Determine whether law enforcement must or should be notified; and
• Develop a consumer notice strategy.

Destruction of Documents Containing Personal Data

Public Law 125 also requires personal data to be unusable once it is discarded. Businesses that collect personal identification information will want to re-visit (or create) document-destruction policies. Penalties attach for non-compliance.