
Indiana Cybersecurity, Privacy & Data Security Laws

January 3, 2018

Indiana Cybersecurity & Privacy Laws: A Guide for SMBs & Licensees

Navigate the data security and privacy landscape in Indiana. TEKRiSQ helps Small and Medium Businesses and Insurance Licensees understand their compliance obligations to protect data and avoid penalties.

Understanding Data Protection in the Hoosier State

Indiana has enacted significant legislation to protect personal information, ensure data security, and regulate privacy, including its Disclosure of Security Breach Law and the Indiana Insurance Data Security Law. Furthermore, the Indiana Consumer Data Protection Act (INCDPA) is set to become effective in 2026, bringing comprehensive consumer privacy rights to the state.

For Small and Medium Businesses (SMBs) and entities holding specific licenses (like insurance companies) operating in or serving Indiana residents, adherence to these laws is crucial. Non-compliance can lead to significant financial repercussions, legal challenges, and damage to your business’s reputation.

This guide provides a clear overview of Indiana’s key cybersecurity, data security, and privacy laws, summarizing your responsibilities and explaining why proactive compliance is essential for protecting your data and ensuring business continuity.

Indiana Disclosure of Security Breach Law (Indiana Code Article 24-4.9)

What is This Law?

Indiana’s security breach notification statute requires businesses and individuals that own or license computerized data containing personal information of Indiana residents to notify affected individuals and the Attorney General’s Office in the event of a security breach. It covers both computerized data and paper documents that were once maintained as computerized data.

Key SMB Responsibilities:

  • Definition of Personal Information: Includes a Social Security number, or an individual’s name (first name or initial and last name) in combination with a driver’s license number, state identification card number, account number, credit card number, or debit card number (with any required security code, access code, or password).
  • Timely Notification to Consumers: Notify affected consumers “without unreasonable delay” following discovery of the breach. Notification methods include mailed written notice, telephone, fax, or electronic mail.
  • Attorney General Notification: Businesses must notify the Indiana Attorney General’s Office if any Indiana resident is notified of a breach. This notification should be made within 45 days of discovery of the breach.
  • Consumer Reporting Agency Notification: If more than 1,000 Indiana residents are to be notified, businesses must also notify nationwide consumer reporting agencies.
  • Substitute Notice: Allowed if the cost of providing notice exceeds $250,000 or if more than 500,000 Indiana residents are affected. Requires conspicuous website posting and notification to geographically relevant statewide media.
  • Exemptions: Compliance with certain federal laws (e.g., GLBA, HIPAA) may exempt entities from additional notifications under this statute.

Why it’s Important:

This law is crucial for protecting Indiana residents from identity theft and fraud. For SMBs, compliance is vital for managing crisis communication, maintaining transparency, and avoiding potential civil penalties of up to $150,000 per deceptive act (violation) and the Attorney General’s investigation costs.

Indiana AG: Security Breach FAQs & Notification Form for Businesses →

Indiana AG: Security Breaches Overview →

Indiana Consumer Data Protection Act (INCDPA) (SB 5)

What is This Law?

The Indiana Consumer Data Protection Act (INCDPA) was signed into law in May 2023 and will become effective on January 1, 2026. It is a comprehensive data privacy law, similar to those in other states, designed to give consumers more control over their personal data.

Key SMB Responsibilities (Effective Jan 1, 2026):

  • Applicability Thresholds: Applies to businesses that conduct business in Indiana or target Indiana residents, and either:
    • Control or process personal data of at least 100,000 Indiana residents annually; OR
    • Control or process personal data of at least 25,000 Indiana residents and derive over 50% of gross revenue from the “sale” of personal data.
  • Consumer Rights: Grant consumers rights to access, correct, delete, and obtain a copy of their personal data, and the right to opt out of the sale of personal data, targeted advertising, or certain profiling.
  • Privacy Notice: Provide a clear, accessible, and meaningful privacy notice disclosing data processing practices, consumer rights, and how to exercise those rights.
  • Data Minimization: Limit the collection of personal data to what is reasonably necessary for disclosed purposes.
  • Data Security: Implement and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data.
  • Data Protection Impact Assessments (DPIAs): Required for certain high-risk processing activities (e.g., targeted advertising, sale of personal data, processing sensitive data).
  • Non-Discrimination: Do not discriminate against consumers for exercising their rights.

Why it’s Important:

The INCDPA marks a significant step towards comprehensive data privacy in Indiana. For SMBs meeting the thresholds, proactive preparation before the 2026 effective date is crucial. Compliance will build consumer trust, enhance data governance, and avoid potential enforcement actions by the Attorney General.

Indiana Senate Bill 5 (INCDPA) Official Text →

Overview of the Indiana Data Privacy Law (Clifford Chance) →

Indiana Insurance Data Security Law (Indiana Code § 27-2-27 et seq.)

What is This Law?

The Indiana Insurance Data Security Law (effective July 1, 2021) is based on the NAIC Insurance Data Security Model Law. It requires insurance licensees to implement comprehensive information security programs to protect nonpublic insurance data for policyholders or members.

Key Licensee Responsibilities:

  • Information Security Program (ISP): Develop, implement, and maintain a comprehensive written ISP based on a risk assessment, with administrative, technical, and physical safeguards for nonpublic information.
  • Risk Assessment: Conduct ongoing assessments to identify and mitigate reasonably foreseeable threats to information systems and nonpublic information.
  • Incident Response Plan (IRP): Establish a written IRP to promptly respond to, and recover from, cybersecurity events.
  • Cybersecurity Event Notification: Notify the Indiana Department of Insurance (IDOI) within 3 business days of determining a cybersecurity event has occurred, if it involves nonpublic information and is reasonably likely to materially harm a consumer or the licensee’s operations.
  • Annual Certification: Indiana-domiciled insurance companies must annually file a certification of compliance with the IDOI by April 15th.
  • Exemptions: Licensees with fewer than 50 employees, less than $5 million in gross annual revenue, or less than $10 million in year-end total assets may be exempt from certain ISP and certification requirements. Compliance with HIPAA or GLBA information security programs may also provide compliance for certain aspects.

Why it’s Important:

This law is crucial for protecting the highly sensitive financial and health information handled by insurance entities. Compliance builds trust with policyholders, mitigates the severe financial and reputational damage of data breaches, and ensures regulatory alignment with national standards. The IDOI has enforcement powers, including the ability to suspend or revoke licenses.

Indiana Department of Insurance: Data Security →

Indiana Enacts Insurance Data Security Law (Practical Law Summary) →

Why Indiana Compliance Matters for All SMBs

Beyond specific industry regulations, a strong compliance posture is essential for every Indiana SMB.

Avoid Costly Penalties

Non-compliance with state laws can lead to significant fines and legal fees that can cripple a small business.

Affordable SMB Cybersecurity Solutions →

Build & Maintain Customer Trust

Consumers are increasingly aware of their data privacy rights. Demonstrating robust compliance builds trust and enhances your brand’s reputation.

Understanding Digital Trust →

Protect Against Cyber Threats

Compliance often mandates the implementation of strong cybersecurity measures, directly protecting your business from data breaches, ransomware, and other attacks.

Enhance Your Security Posture →

Ensure Business Continuity

Proactive compliance and security measures significantly reduce the likelihood and impact of disruptive security incidents, ensuring your operations continue smoothly.

Secure Your Data →

Competitive Advantage

Being recognized as a secure and compliant business can differentiate you from competitors and attract more clients, especially in sensitive industries.

Learn about Data Governance →

Streamline Operations

Implementing well-defined security and privacy practices leads to more organized and efficient data handling.

Develop Your IRP →

TEKRiSQ Solutions for Indiana Compliance

TEKRiSQ offers comprehensive services to help your Indiana SMB or licensed entity achieve and maintain compliance with state cybersecurity and privacy laws.

Cyber Risk Assessments

Identify vulnerabilities and compliance gaps specific to Indiana’s regulations.

Explore Assessments →

Data Governance & Privacy

Implement frameworks for data handling, aligning with Indiana privacy mandates.

Learn about Data Governance →

Incident Response Planning (IRP)

Develop robust plans to meet Indiana data breach notification requirements.

Get Your IRP →

Employee Cybersecurity Training

Educate your team on their role in protecting data and complying with state laws.

Explore Training →

Managed Security Services

Ongoing support to continuously monitor and improve your security posture for sustained compliance.

For Consulting Firms →

Endpoint Protection (EDR)

Advanced threat detection and response for your devices, a key component of robust security.

Discover EDR →

Indiana State Contacts & Resources

For official information and assistance regarding Indiana’s data privacy, security, and insurance laws, you can contact:

Indiana Attorney General’s Office

Consumer Protection Division:

Phone: (317) 232-6330 or 1-800-382-5516

Indiana AG: Contact Us →

Indiana Department of Insurance (IDOI)

General Inquiries:

Phone: (317) 232-2385

Indiana DOI: Data Security →

Ready to Ensure Your Indiana Compliance?

Don’t let complex regulations be a barrier. Partner with TEKRiSQ for expert guidance and practical solutions.

Get a Free Consultation