Indiana Tightens the State’s Deadline for Providing Notification of a Data Breach
States continue to tinker with their breach notification laws. The latest modification to the Indiana statute relates to the timing of notification. On March 18, 2022, Indiana Governor Eric Holcomb, signed HB 1351 which tightens the rules for providing timely notice to individuals affected by a data breach.
Prior to the change, the relevant section read:
"a person required to make a disclosure or notification under this chapter shall make the disclosure or notification without unreasonable delay"
After the change, which is effective July 1, 2022, it reads:
"a person required to make a disclosure or notification under this chapter shall make the disclosure or notification without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach."
As revised, the statute attempts to make clear the last date by which notification must be provided – not later than 45 days after discovery. But there remains a question about whether notification could be (or should be) provided before that 45-day period ends. After discovery of a breach, a period of delay in notification is permitted if it is reasonable. The current law describes reasonable delay, as follows:
[A] delay is reasonable if the delay is:
(1) necessary to restore the integrity of the computer system;
(2) necessary to discover the scope of the breach; or
(3) in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will:
(A) impede a criminal or civil investigation; or
(B) jeopardize national security.
This analysis can become significantly more complicated when residents in multiple states are affected by the breach. Although some states have a similar 45-day notification deadline (e.g., Alabama, Maryland, Ohio, and Wisconsin), other states have a shorter periods (e.g., 30 days in Florida) or a longer period (e.g., 60 days in Connecticut). Additionally, in our experience as breach counsel, covered entities with breach reporting obligations can expect heightened attention by the Indiana Attorney General’s Office to investigate perceived delays in notification. This change reflects that focus on timeliness and may become the source of greater enforcement activity in Indiana.