Security System Breach

Alan L. Weldy

If you or your organization gathers data regarding customers or other individuals, you need to be aware of a new Indiana law, House Enrolled Act 1102 (the “Act”).  Under the Act, you may have disclosure requirements in the event of a breach of the security of a system, which is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.  Personal information includes a Social Security number that is not encrypted or redacted, an individual’s first and last names, a driver’s license number, state identification number, credit card number, or financial account number.

Under the Act, after discovering or being notified of a breach of the security of a system, the database owner is required to disclose the breach to an Indiana resident whose personal information was or may have been acquired by an unauthorized person.  If the database owner is required to make a disclosure to more than 1,000 consumers, it must also disclose to each consumer reporting agency the information necessary to assist the consumer reporting agency in preventing fraud.  In general, the notice to consumers may be made by mail, telephone, fax, or e-mail.  If, however, the database owner is required to make disclosure to more than 500,000 Indiana residents, or if the database owner determines that the cost of disclosure will be more than $250,000, the database owner may elect to disclose by using both of the following methods:

(1) conspicuous posting of the notice on a website of the database owner, if the database owner maintains a website; and

(2) notice to major news reporting media in the geographic area where Indiana residents affected by the breach of the security system reside.

Under the Act, if a person is required to make a disclosure and fails to do so, that person commits a deceptive act which may be prosecuted by the Attorney General.  The Attorney General may bring an action under the Act, seeking any or all of the following remedies:

(1) an injunction to enjoin future violations;

(2) a civil penalty of not more than $150,000 per deceptive act; and

(3) the Attorney General’s reasonable costs in investigating and prosecuting the deceptive act.

Clearly, if you or your organization maintains a database with personal information related to Indiana residents, you need to be aware of your obligations and the potential penalties for failing to comply with the notice provisions of the Act.  If you have questions in this regard, feel free to contact Alan Weldy, of Counsel, Yoder, Ainlay, Ulmer & Buckingham, LLP.

________________________

Alan Weldy is an attorney of Counsel with the law firm of Yoder, Ainlay, Ulmer & Buckingham, LLP in Goshen, Indiana, practicing in the areas of business litigation, corporate law, and health law.

While information in this article is believed to be accurate, it is educational and general in nature, and should not be construed as legal advice. Please consult your attorney for specific legal advice. Yoder, Ainlay, Ulmer & Buckingham, LLP © 2006

Yoder, Ainlay, Ulmer & Buckingham, LLP
130 N. Main Street
P.O. Box 575
Goshen, IN 46527-0575
Phone: (574) 533-1171 Fax: (574) 534-4174