May 28, 2022

Volume XII, Number 148


Indiana Amends Data Breach Notification Law

Indiana passed HB 1351 in March 2022, amending Indiana’s data breach notification law. Indiana’s breach notification law, as currently drafted, requires entities to notify Indiana residents and the Indiana Attorney General of a breach of the security of data without unreasonable delay and consistent with any measures necessary to determine the scope of the breach and restore the integrity of the system; or if notification will no longer impede a criminal or civil investigation or jeopardize national security. HB 1351 narrows the timeline for required data breach notifications, requiring entities to make required notifications without unreasonable delay, but no more than forty-five (45) days after the discovery of the breach. The amendment will be effective starting July 1, 2022. 

All fifty states and American territories have enacted different data breach notification statutes, which require organizations to notify individuals when certain Personally Identifiable Information (“PII”) has been “breached” by an unauthorized individual (i.e., a threat actor). Generally, American states and territories define a “breach” under four scenarios: 

  • Unauthorized Access to PII;

  • Unauthorized Acquisition of PII;

  • Unauthorized Access or acquisition of PII; or 

  • Unauthorized Access and acquisition of PII.  

Acquisition, otherwise described as exfiltration, is defined or understood as data that the attacker has downloaded or otherwise copied. 

Access is defined as any data the attacker reviewed, regardless of whether the data was exfiltrated. The definition of PII varies greatly by jurisdiction but generally includes an individual’s first and last name and/or first initial and last name and one or more categories of sensitive information (e.g., government issued identification numbers, financial information, or medical information). 

Similarly, the timeline in which organizations have to notify individuals varies greatly by jurisdiction. For example, in Maine, an organization must submit breach notifications to impacted individuals no more than 30 days after becoming aware of the breach and identifying its scope. Meanwhile, Connecticut requires organizations to notify impacted individuals no later than 90 days after discovery of such breach.  

While Indiana’s change in the timeline for notification to no later than 45 days aligns Indiana with the general timeline of all fifty states and American territories, it also reflects the priorities of the Indiana Attorney General’s Office – to timely notify affected individuals. To ensure that your organization is prepared to respond in a timely manner and meet its notification obligations, as a preliminary matter, it is best to ensure that you have a detailed Incident Response Plan and that your organization has taken the time to conduct Tabletop exercises to practice the implementation and test the effectiveness of your plan.

 

© Copyright 2022 Squire Patton Boggs (US) LLP
National Law Review, Volume XII, Number 122

About this Author

Gicel Tomimbang Los Angeles California Associate Attorney Data Privacy Cybersecurity Squire Patton Boggs LLP
Associate

Gicel Tomimbang is an associate in the Data Privacy, Cybersecurity & Digital Assets Practice.

A significant portion of Gicel’s practice focuses on the intersection of healthcare with privacy. Clients frequently turn to her for advice and counsel on complex issues that arise under the Health Insurance Portability and Accountability Act (HIPAA), the Confidentiality of Medical Information Act (CMIA), the California Consumer Privacy Act (CCPA), the FTC Act and the FTC Health Breach Notification Rule.

Gicel previously...

213-689-6543
Ericka A. Johnson Government Investigations & White Collar Attorney Squire Patton Boggs Washington DC
Associate

Ericka Johnson is an associate in the Government Investigations & White Collar Practice. She represents companies and executives in, among other things, Foreign Corrupt Practices Act (FCPA) internal investigations, enforcement actions, defense matters and compliance before the US Department of Justice and similar authorities. She assists multinational companies in developing and implementing effective anticorruption compliance policies and strategies for domestic and international operations. As part of her compliance practice, Ericka also advises companies on cybersecurity risks,...

202-457-6110