---

---

---

HOUSE BILL No. 1396

Citations Affected: IC 24-4.9.

Synopsis: Data privacy. Provides that a data base owner may not make a material misrepresentation to an Indiana resident regarding the data base owner's collection, use, storage, sharing, or destruction of the resident's personal information. Provides that a data base owner may not require a contractor or vendor of the data base owner to make a material misrepresentation to an Indiana resident regarding the data base owner's collection, use, storage, sharing, or destruction of the resident's personal information. Adds the definition of "data" for purposes of security breach disclosure laws to include information maintained: (1) in a computerized format; (2) on paper; (3) on microfilm; or (4) in or on a similar medium.

Effective: July 1, 2013.

---

---

Mahan

---

---

    January 22, 2013, read first time and referred to Committee on Judiciary.

---

---

---

PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana Constitution) is being amended, the text of the existing provision will appear in this style type, additions will appear in this style type, and deletions will appear in this style type.
Additions: Whenever a new statutory provision is being enacted (or a new constitutional provision adopted), the text of the new provision will appear in this style type. Also, the word NEW will appear in that style type in the introductory clause of each SECTION that adds a new provision to the Indiana Code or the Indiana Constitution.
Conflict reconciliation: Text in a statute in this style type or this style type reconciles conflicts between statutes enacted by the 2012 Regular Session of the General Assembly.

---

    A BILL FOR AN ACT to amend the Indiana Code concerning trade regulation.

SOURCE: IC 24-4.9-2-2; (13)IN1396.1.1. -->     SECTION 1. IC 24-4.9-2-2, AS AMENDED BY P.L.137-2009, SECTION 3, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2013]: Sec. 2. (a) "Breach of the security of data" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person. The term includes the unauthorized acquisition of computerized data that have been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.
    (b) The term does not include the following:
        (1) Good faith acquisition of personal information by an employee or agent of the person for lawful purposes of the person, if the personal information is not used or subject to further unauthorized disclosure.
        (2) Unauthorized acquisition of a portable electronic device on which personal information is stored, if all personal information on the device is protected by encryption and the encryption key:

---

            (A) has not been compromised or disclosed; and
            (B) is not in the possession of or known to the person who, without authorization, acquired or has access to the portable electronic device.

SOURCE: IC 24-4.9-2-2.5; (13)IN1396.1.2. -->     SECTION 2. IC 24-4.9-2-2.5 IS ADDED TO THE INDIANA CODE AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2013]: Sec. 2.5. "Data" includes information maintained:
        (1) in a computerized format;
        (2) on paper;
        (3) on microfilm; or
        (4) in or on a similar medium.

SOURCE: IC 24-4.9-2-3; (13)IN1396.1.3. -->     SECTION 3. IC 24-4.9-2-3, AS ADDED BY P.L.125-2006, SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2013]: Sec. 3. "Data base owner" means a person that owns or licenses computerized data that includes personal information.

SOURCE: IC 24-4.9-3-2; (13)IN1396.1.4. -->     SECTION 4. IC 24-4.9-3-2, AS ADDED BY P.L.125-2006, SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2013]: Sec. 2. A person that maintains computerized data but that is not a data base owner shall notify the data base owner if the person discovers that personal information was or may have been acquired by an unauthorized person.

SOURCE: IC 24-4.9-3-3.5; (13)IN1396.1.5. -->     SECTION 5. IC 24-4.9-3-3.5, AS ADDED BY P.L.137-2009, SECTION 5, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2013]: Sec. 3.5. (a) This section does not apply to a data base owner that maintains its own data security procedures as part of an information privacy, security policy, or compliance plan under:
        (1) the federal USA PATRIOT Act (P.L. 107-56);
        (2) Executive Order 13224;
        (3) the federal Driver's Privacy Protection Act (18 U.S.C. 2721 et seq.);
        (4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
        (5) the federal Financial Modernization Act of 1999 (15 U.S.C. 6801 et seq.); or
        (6) the federal Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191);
if the data base owner's information privacy, security policy, or compliance plan requires the data base owner to maintain reasonable procedures to protect and safeguard from unlawful use or disclosure personal information of Indiana residents that is collected or maintained by the data base owner and the data base owner complies with the data base owner's information privacy, security policy, or

compliance plan.
    (b) A data base owner shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any personal information of Indiana residents collected or maintained by the data base owner.
    (c) A data base owner shall not dispose of records or documents containing unencrypted and unredacted personal information of Indiana residents without shredding, incinerating, mutilating, erasing, or otherwise rendering the personal information illegible or unusable.
     (d) A data base owner may not make a material misrepresentation to an Indiana resident regarding the data base owner's collection, use, storage, sharing, or destruction of the resident's personal information.
     (e) A data base owner may not require:
        (1) a contractor; or
        (2) a vendor;
of the data base owner to make a material misrepresentation to an Indiana resident regarding the data base owner's collection, use, storage, sharing, or destruction of the resident's personal information.
    (d) (f) A person that knowingly or intentionally fails to comply with any provision of this section commits a deceptive act that is actionable only by the attorney general under this section.
    (e) (g) The attorney general may bring an action under this section to obtain any or all of the following:
        (1) An injunction to enjoin further violations of this section.
        (2) A civil penalty of not more than five thousand dollars ($5,000) per deceptive act.
        (3) The attorney general's reasonable costs in:
            (A) the investigation of the deceptive act; and
            (B) maintaining the action.
    (f) (h) A failure to comply with subsection (b) or (c) in connection with related acts or omissions constitutes one (1) deceptive act.