The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
State Data Breach Notification Statute
Covered Entities: A person, corporation, a business trust, an estate, a trust, a partnership, an association, a nonprofit corporation or organization, a cooperative, or any other legal entity that owns, licenses, or maintains personal information. The statute does not apply to state agencies.
Consumer Notification: Notification must be provided to any Indiana resident, without unreasonable delay, but not more than 45 days, whose “unencrypted or unredacted computerized data that compromises the security, confidentiality, or integrity of personal information” has been acquired without authorization.
Regulatory Notification: Notification must be provided to the Indiana Attorney General if any Indiana resident is notified.
Notification Timeline: Notice must be provided without unreasonable delay, but not more than 45 days after the discovery of the breach, and consistent with any measures necessary to determine the scope of the breach and restore the integrity of the system.
Data Format: Electronic.
Citations: Ind. Code Ann. § 24-4.9-1 et seq.
- Breach: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person. The term includes the unauthorized acquisition of computerized data that have been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.
- Personal Information (PI): A Social Security number that is not encrypted or redacted; or an individual’s first and last name, or first initial and last name, and one or more of the following data elements that are not encrypted or redacted:
- Driver’s license number
- State identification card number
- Credit card number
- Financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account.
- Medical Information: N/A
- Health Insurance Information: N/A
- Encryption: Notification is not required if the potentially impacted PI is protected by encryption, so long as the encryption itself has not been compromised, disclosed, or otherwise made known to the unauthorized actor.
- Good Faith: Notification is not required where PI is acquired by an employee or agent of the entity for the entity's lawful purposes; such an acquisition does not constitute a security breach if the PI is not used or subject to further unauthorized disclosure.
- Risk of Harm: Notification is not required if the breach has not and could not result in identity deception, identity theft, or fraud that would affect an Indiana resident.
- Law Enforcement Delay: Notification may be delayed if the Attorney General or a law enforcement agency notifies the entity that notification will impede a criminal or civil investigation or jeopardize national security.
- Timing: Notification must be provided without unreasonable delay but no more than 45 days after the discovery of a breach and consistent with any measures necessary to determine the scope of the breach and restore integrity of the system.
- Format: N/A
- Content: N/A
- Method: Notification must be provided through either (1) mail, (2) telephone, (3) fax, or (4) email, if the entity has the email address of the impacted Indiana resident.
Substitute notice may be provided if the entity (1) demonstrates that the cost of providing notice will exceed $250,000, (2) demonstrates that the affected class of Indiana residents to be notified exceeds 500,000, or (3) does not have sufficient contact information to provide notice. Substitute notice must include (1) a conspicuous posting on the entity’s website, if one is maintained, and (2) notice to major statewide media in the geographic area in which impacted Indiana residents reside.
Notification must be provided to the Indiana Attorney General if any Indiana resident is required to be notified, at the time of consumer notice. The Indiana Attorney General prefers that entities complete the Indiana Attorney General security breach reporting form.
Credit Reporting Agencies Notice:
Notification must be provided to credit reporting agencies if more than one thousand (1,000) Indiana residents are notified, and the entity must also provide the information necessary to assist in fraud prevention, including the PI of an Indiana resident affected by the breach.
Notification must be provided if personal information is maintained on behalf of another entity.
An entity that maintains its own disclosure procedures as part of an information privacy, security policy, or compliance plan under HIPAA is not required to make a disclosure under this chapter if the entity’s information privacy, security policy, or compliance plan requires that Indiana residents be notified of a breach of the security of data without unreasonable delay and the database owner complies with that information privacy, security policy, or compliance plan.
- Ind. Code Ann. § 24-4.9-1 et seq.
- Ind. Code Ann. § 4-1-10-2
Comprehensive Data Privacy Law
Indiana Consumer Data Protection Act
Indiana Code § 24-15
Entities or persons that conduct business in Indiana or produce products or services targeted to Indiana residents and that, during a calendar year, control or process personal data of:
- 100,000 or more Indiana residents; or
- 25,000 or more Indiana residents and derive more than 50% of gross revenue from personal data sales.
Among other exclusions, the ICDPA excludes government entities; third parties when acting on behalf of government entities; financial institutions; nonprofit organizations; institutions of higher education; public utilities or affiliated service companies; employee data; and entities or data regulated by HIPAA, GLBA, FCRA, DPPA, and FERPA.
Controller and Processor Obligations:
Controllers. ICDPA Controller duties include obligations to:
- Establish procedures for, act on, and respond to Consumer requests to exercise Personal Data rights.
- Minimize collection of Personal Data to that which is adequate, relevant, and reasonably necessary in relation to the purposes for which Personal Data is Processed.
- Minimize Processing of Personal Data to purposes that are reasonably necessary and compatible with the disclosed purpose for the Processing unless the Consumer gives Consent.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of Personal Data, appropriate to the volume and nature of the Personal Data.
- Avoid unlawful discrimination when Processing Personal Data.
- Avoid discrimination against a Consumer for exercising Personal Data rights.
- Obtain Consumer Consent prior to Processing Sensitive Personal Data and to Process Sensitive Personal Data of known children in accordance with COPPA.
- Provide Consumers with a reasonably accessible, clear, and meaningful privacy notice addressing:
- The categories of Personal Data Processed by the Controller;
- The purpose for Processing Personal Data;
- How Consumers may exercise their Personal Data rights, including appeals for treatment of Personal Data rights requests;
- The categories of Personal Data shared with third parties; and
- The categories of third parties with whom Personal Data is shared.
- Provide notice of any Sales to third parties or use of a Consumer’s Personal Data for Targeted Advertising, as well as the manner by which a Consumer may opt out of such Sales or use.
- Avoid making any contract, provision of a contract, or agreement of any kind that purports to waive or limit in any way a consumer’s rights under the ICDPA. Such an agreement is contrary to public policy and is void and unenforceable.
- Establish secure and reliable means for consumers to submit a request to exercise their rights, taking into account normal consumer interactions, the need for secure and reliable communication, and controller’s ability to authenticate the identity of the consumer.
- Create a binding contract with any Processor regarding the Processing of Personal Data and the procedures being performed by the Processor on behalf of the Controller. The contract must:
- Contain instructions for Processing Personal Data;
- Describe the nature and purpose of Processing;
- Describe the type of Personal Data subject to Processing;
- Set forth the duration of Processing;
- Establish the rights and obligations of the Controller and the Processor; and
- Require the Processor to:
- Ensure each individual Processing Personal Data is subject to a duty of confidentiality with regards to the Personal Data;
- Delete or return all Personal Data at the end of the provision of services at the direction of the Controller unless otherwise required by law;
- Make available all information in its possession necessary to demonstrate Processor compliance with its obligations under the ICDPA upon reasonable request by the Controller;
- Allow and cooperate with reasonable assessments to demonstrate Processor compliance with its obligations, and to provide a report of any such assessment upon Controller request;
- Enter into written agreements with any subcontractors engaged to Process Personal Data which meet the obligations of the Processor.
- Conduct and document a Data Protection Impact Assessment, for Processing activities created or generated after December 31, 2025, for each of the following activities involving Personal Data:
- Targeted Advertising;
- Personal Data Sales;
- Profiling, if the Profiling presents a reasonably foreseeable risk of:
- Unfair or deceptive treatment or unlawful disparate impact to Consumers;
- Financial, physical, or reputational injury to Consumers;
- Intrusion upon the solitude or seclusion or the private affairs or concerns of Consumers if offensive to a reasonable person; or
- Other substantial injury to Consumers.
- Sensitive Data Processing;
- Any Personal Data Processing that presents a heightened risk of harm to Consumers.
Processors. ICDPA Processor duties include obligations to:
- Adhere to the instructions of the Controller.
- Assist the Controller in meeting its obligations under the ICDPA, including by:
- Assisting the Controller in responding to Consumer requests;
- Assisting the Controller in meeting its obligations pertaining to Personal Data security and breach notification; and
- Providing necessary information to enable the Controller to conduct and document data protection impact assessments.
Businesses must respond without undue delay and within 45 days to verified consumer requests regarding the processing of Personal Data and Sensitive Personal Data, including consumers’:
- Right to know whether a Controller is Processing Personal Data;
- Right to access Personal Data;
- Right to correct inaccurate Personal Data;
- Right to delete Personal Data;
- Right to obtain Personal Data in a format that is generally portable, readily usable, and transmittable;
- Right to opt out of the Processing of Personal Data for the purposes of Targeted Advertising, Personal Data Sales, or Profiling in furtherance of decisions that produce legal or similarly significant effects on the Consumer; and
- Right to appeal denials of Personal Data rights requests.
- Consent: A clear affirmative act that signifies a Consumer’s freely given, specific, informed, and unambiguous agreement to Process Personal Data relating to the Consumer.
- Consumer: An individual who is an Indiana resident and is acting only for a personal, family, or household purpose. The term does not include an individual acting in a commercial or employment context.
- Controller: A person that, alone or jointly with others, determines the purposes and means of processing Personal Data.
- Personal Data: Information linked to or reasonably linkable to an identified or identifiable individual. Personal Data excludes: de-identified data, aggregate data, and publicly available data (defined as information lawfully made available from federal, state, or local government records, and information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the Consumer to whom the information pertains, or by a person to whom the Consumer has disclosed the information).
- Processing: Any operation or set of operations performed, whether by manual or automated means, on Personal Data or on sets of Personal Data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of Personal Data.
- Processor: A person that Processes Personal Data on behalf of a Controller.
- Profiling: Any form of solely automated processing of Personal Data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health or health records, personal preferences, interests, reliability, behavior, location, or movements.
- Sale of Personal Data: The exchange of Personal Data for monetary consideration by a Controller to a third party. The ICDPA excludes the following disclosures from this definition: (i) disclosures to a Processor that Processes the Personal Data on behalf of the Controller; (ii) disclosures to a third party for purposes of providing a product or service requested by the Consumer or by the parent of a child to whom the Personal Data pertains; (iii) disclosures to an affiliate of the Controller; (iv) disclosures of information that the Consumer intentionally made available to the general public via mass media without restricting availability to a specific audience; or (v) disclosures or transfers to a third party as an asset as part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
- Sensitive Personal Data: Personal Data revealing racial or ethnic origin, religious beliefs, mental/physical diagnosis made by a health care provider, sexual orientation, or citizenship/immigration status; genetic and biometric data Processed for the purpose of uniquely identifying a specific individual; Personal Data collected from a known child; and precise geolocation data (within a radius of 1,750 feet).
- Targeted Advertising: The displaying of an advertisement to a Consumer in which the advertisement is selected based on Personal Data obtained from that Consumer’s activities over time and across nonaffiliated websites or online applications to predict the Consumer’s preferences or interests. Targeted advertising does not include: (i) advertisements based on activities within a Controller’s own or affiliated websites or online applications; (ii) advertisements based on the context of a Consumer’s current search query or website or application visit; (iii) advertisements directed to a Consumer in response to the Consumer’s request for information or feedback; or (iv) the Processing of Personal Data solely for measuring or reporting advertising performance, reach, or frequency.
Violations of the ICDPA may be enforced exclusively by the Indiana Attorney General. The Attorney General must provide a 30-day cure period by written notice for violations. Violations which have not been adequately cured within the 30-day period may result in an injunction, a $7,500 civil penalty per violation, and reasonable expenses including attorney fees.
Effective Date: January 1, 2026
Insurance Data Security Statute
Covered Entities: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Indiana, not including a purchasing group or a risk retention group chartered and licensed in a state other than Indiana or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
Security Standard: A licensee must develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment that contains administrative, technical, and physical safeguards for nonpublic information and the licensee’s information systems. Certain licensees may be exempt as set forth in Ind. Code § 27-2-27-26.
Consumer Notification: A licensee shall comply with Ind. Code §§ 24-4.9, as applicable.
Regulatory Notification: A licensee shall notify the Commissioner of Insurance as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.
Notification Timeline: As promptly as possible, no later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred.
Citations: Ind. Code §§ 27-2-27-1 to 27-2-27-32.
- Consumer: A resident of Indiana whose nonpublic information is in a licensee's possession, custody, or control.
- Cybersecurity Event: An event resulting in unauthorized access to, disruption, or misuse of an information system or nonpublic information stored on an information system that has a reasonable likelihood of materially harming a consumer or any material part of the normal operations of the licensee, not including an event resulting in the unauthorized acquisition of encrypted nonpublic information or an event where the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
- Licensee: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Indiana, not including a purchasing group or a risk retention group chartered and licensed in a state other than Indiana or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
- Nonpublic Information: Electronic information that is not publicly available information and is any of the following:
- Any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify the consumer, in combination with:
- Social Security number;
- Driver’s license number or nondriver identification card number;
- Financial account number or credit or debit card number;
- Security code, access code, or password that would permit access to a consumer’s financial account; or
- Biometric records.
- Any information or data, except age or gender, created by or derived from a health care provider or a consumer, that can be used to identify a consumer and relates to:
- The past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of the consumer’s family;
- The provision of health care to any consumer; or
- The payment for the provision of health care to any consumer.
A licensee shall notify the Commissioner of Insurance as promptly as possible, no later than 3 business days from a determination that a cybersecurity event involving nonpublic information has occurred, when either of the following criteria has been met:
- Indiana is the state of domicile of the licensee, in the case of an insurer, or the home state of the licensee, in the case of a producer, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in Indiana or any material part of the licensee’s operations.
- The licensee reasonably believes that the nonpublic information involves 250 or more consumers residing in Indiana and the cybersecurity event is either:
- A cybersecurity event impacting the licensee of which the licensee is required to notify any government body, self-regulatory agency, or other supervisory body pursuant to any state or federal law; or
- A cybersecurity event that has a reasonable likelihood of materially harming either a consumer residing in Indiana or a material part of the licensee’s operations.
When notifying the Commissioner of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible:
- The date of the cybersecurity event.
- A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers.
- How the cybersecurity event was discovered.
- Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
- The identity of the source of the cybersecurity event.
- Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided.
- A description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer.
- The period during which the information system was compromised by the cybersecurity event.
- The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section.
- The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.
- A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.
- The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.
Third-Party Notice Requirements:
If a licensee discovers that a cybersecurity event has occurred in a system maintained by a third-party service provider, the licensee shall treat the event in the same manner for purposes of notification to the Commissioner of Insurance unless the third-party service provider provides the notice.
If a licensee violates this chapter, the insurance commissioner may, after notice and hearing under Ind. Code Section 4-21.5, suspend or revoke the license, certificate of authority, or registration of the licensee.
Information Security Standard
Covered Entities: Any database owner, defined as an entity that owns or licenses computerized data that includes personal information. This includes any current or former healthcare provider who is a database owner or former database owner whose information privacy, security policy, or compliance plan (1) does not require the database owner or former database owner to maintain and implement reasonable procedures; or (2) is not implemented by the database owner or former database owner to ensure that the personal information, including health records, is protected and safeguarded from unlawful use or disclosure after the database owner or former database owner ceases to be a covered entity under the federal Health Insurance Portability and Accountability Act.
First Party Security Standard: A database owner shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any personal information of Indiana residents collected or maintained by the database owner. The database owner shall also not dispose of or abandon records or documents containing unencrypted and unredacted personal information of Indiana residents without shredding, incinerating, mutilating, erasing, or otherwise rendering the personal information illegible or unusable.
Third Party Security Standard: N/A
Disposal/Destruction Standard: A database owner shall not dispose of or abandon records or documents containing unencrypted and unredacted personal information of Indiana residents without shredding, incinerating, mutilating, erasing, or otherwise rendering the personal information illegible or unusable.
Data Format: Electronic and physical.
Citations: Ind. Code §§ 24-4.9-2-10, 24-4.9-3-3.5
- Personal Information (PI): A Social Security number that is not encrypted or redacted; or an individual’s first name / first initial and last name in combination with one (1) or more of the following data elements:
- Driver’s license number;
- State identification card number;
- Credit card number;
- Financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person’s account; or
- Genetic data.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
- Health Records: Written, electronic, or printed information possessed or maintained by a health care provider concerning any diagnosis, treatment, or prognosis of the patient, including health information that is possessed or maintained on microfiche, microfilm, or in a digital format. The term includes mental health records, alcohol and drug abuse records, and information required to remain private under the federal Health Insurance Portability and Accountability Act.
This section does not apply to a database owner that maintains its own data security procedures as part of any information privacy, security policy, or compliance plan under:
- The USA PATRIOT Act;
- Executive Order 13224;
- The Driver’s Privacy Protection Act;
- The Fair Credit Reporting Act;
- The Financial Modernization Act of 1999;
- The Health Insurance Portability and Accountability Act;
if the database owner's information privacy, security policy, or compliance plan requires the database owner to maintain reasonable procedures to protect and safeguard from unlawful use or disclosure personal information of Indiana residents that is collected or maintained by the database owner, and the database owner complies with that information privacy, security policy, or compliance plan.
The Indiana Attorney General may bring an action under this section to obtain any or all of the following: an injunction to enjoin further violations of this section; a civil penalty of not more than $5,000 per deceptive act; and/or the attorney general’s reasonable costs in investigating the deceptive act and maintaining the action.