Potential New Online Privacy and Data Security Regulation in IN

The Indiana attorney general proposed legislation last Monday to impose strict requirements for the storage of sensitive data, reduce harm to consumers in the case of a data breach, and increase transparency of online privacy policies. The proposed legislation also includes an amendment to Indiana’s Disclosure of Security Breach Act. According to the Indiana Attorney General Greg Zoeller, existing online privacy and data protection laws are not tough enough. State Sen. Jim Merritt (R-Indianapolis) will sponsor the legislation during the 2015 session of the Indiana General Assembly.

The proposed legislation would include the following provisions:

  • Secure Data Storage: Online operators that store personal or financial information would be required to:
    • Securely store data
    • Delete personal or financial data and only retain what is necessary for business purposes and processes
    • Share or sell data only when authorized by law or when consumers are informed in advance
    • Inform consumers by clear and conspicuous notice when personal data must be collected and how long it will be stored
  • Data Breach Notification Changes: The proposed amendment to the Disclosure of Security Breach Act would facilitate prompt and overt notification to affected consumers of a data breach. The legislation would require notices to include additional information to result in more informative and meaningful notification to consumers. Additionally, while the current law only covers electronically generated records, the proposed legislation would expand the Act to cover breaches of paper and handwritten records.
  • Privacy Policy Transparency: Website operators and online entities that collect personal or financial data from Indiana residents would be required to conspicuously post their privacy policies online and identify (1) what personal information is collected from site visitors, (2) whether that information is shared or sold, and (3) who will receive that information. Operators and online entities who profit from the sale of user data and do not disclose that information would be responsible for making a knowing misrepresentation under the proposed legislation.
Indiana is just the latest state seeking to expand privacy and data security requirements. In the last few months, New Jersey, New York, and Oregon have announced plans to amend existing regulations. This month, the New Jersey Assembly unanimously approved a bill designed to expand the state’s data breach laws to include disclosure of a breach of security of online accounts. In September, the New York Assembly introduced legislation that would require entities that conduct business in New York and deal with computerized private information to develop, implement, and maintain a comprehensive information security program. Finally, Oregon’s attorney general also recently announced plans to introduce legislation to enhance data privacy standards and increase enforcement of civil penalties against non-compliance.

In short, states are trending toward tougher and tighter privacy and data protection regulations. We will track these proposals and provide updates here.