Introduced Version
HOUSE BILL No. 1396
_____
DIGEST OF INTRODUCED BILL
Citations Affected: IC 24-4.9.
Synopsis: Data privacy. Provides that a data base owner may not make
a material misrepresentation to an Indiana resident regarding the data
base owner's collection, use, storage, sharing, or destruction of the
resident's personal information. Provides that a data base owner may
not require a contractor or vendor of the data base owner to make a
material misrepresentation to an Indiana resident regarding the data
base owner's collection, use, storage, sharing, or destruction of the
resident's personal information. Adds the definition of "data" for
purposes of security breach disclosure laws to include information
maintained: (1) in a computerized format; (2) on paper; (3) on
microfilm; or (4) in or on a similar medium.
Effective: July 1, 2013.
Mahan
January 22, 2013, read first time and referred to Committee on Judiciary.
Introduced
First Regular Session 118th General Assembly (2013)
PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana
Constitution) is being amended, the text of the existing provision will appear in this style type,
additions will appear in this style type, and deletions will appear in this style type.
Additions: Whenever a new statutory provision is being enacted (or a new constitutional
provision adopted), the text of the new provision will appear in this style type. Also, the
word NEW will appear in that style type in the introductory clause of each SECTION that adds
a new provision to the Indiana Code or the Indiana Constitution.
Conflict reconciliation: Text in a statute in this style type or this style type reconciles conflicts
between statutes enacted by the 2012 Regular Session of the General Assembly.
HOUSE BILL No. 1396
A BILL FOR AN ACT to amend the Indiana Code concerning trade
regulation.
Be it enacted by the General Assembly of the State of Indiana:
SECTION 1. IC 24-4.9-2-2, AS AMENDED BY P.L.137-2009,
SECTION 3, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2013]: Sec. 2. (a) "Breach of the security of data" means
unauthorized acquisition of computerized data that compromises the
security, confidentiality, or integrity of personal information
maintained by a person. The term includes the unauthorized acquisition
of computerized data that have been transferred to another medium,
including paper, microfilm, or a similar medium, even if the transferred
data are no longer in a computerized format.
(b) The term does not include the following:
(1) Good faith acquisition of personal information by an employee
or agent of the person for lawful purposes of the person, if the
personal information is not used or subject to further unauthorized
disclosure.
(2) Unauthorized acquisition of a portable electronic device on
which personal information is stored, if all personal information
on the device is protected by encryption and the encryption key:
(A) has not been compromised or disclosed; and
(B) is not in the possession of or known to the person who,
without authorization, acquired or has access to the portable
electronic device.
SECTION 2. IC 24-4.9-2-2.5 IS ADDED TO THE INDIANA
CODE AS A NEW SECTION TO READ AS FOLLOWS
[EFFECTIVE JULY 1, 2013]: Sec. 2.5. "Data" includes information
maintained:
(1) in a computerized format;
(2) on paper;
(3) on microfilm; or
(4) in or on a similar medium.
SECTION 3. IC 24-4.9-2-3, AS ADDED BY P.L.125-2006,
SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2013]: Sec. 3. "Data base owner" means a person that owns or
licenses computerized data that includes personal information.
SECTION 4. IC 24-4.9-3-2, AS ADDED BY P.L.125-2006,
SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2013]: Sec. 2. A person that maintains computerized data but
that is not a data base owner shall notify the data base owner if the
person discovers that personal information was or may have been
acquired by an unauthorized person.
SECTION 5. IC 24-4.9-3-3.5, AS ADDED BY P.L.137-2009,
SECTION 5, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2013]: Sec. 3.5. (a) This section does not apply to a data base
owner that maintains its own data security procedures as part of an
information privacy, security policy, or compliance plan under:
(1) the federal USA PATRIOT Act (P.L. 107-56);
(2) Executive Order 13224;
(3) the federal Driver's Privacy Protection Act (18 U.S.C. 2721 et
seq.);
(4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(5) the federal Financial Modernization Act of 1999 (15 U.S.C.
6801 et seq.); or
(6) the federal Health Insurance Portability and Accountability
Act (HIPAA) (P.L. 104-191);
if the data base owner's information privacy, security policy, or
compliance plan requires the data base owner to maintain reasonable
procedures to protect and safeguard from unlawful use or disclosure
personal information of Indiana residents that is collected or
maintained by the data base owner and the data base owner complies
with the data base owner's information privacy, security policy, or
compliance plan.
(b) A data base owner shall implement and maintain reasonable
procedures, including taking any appropriate corrective action, to
protect and safeguard from unlawful use or disclosure any personal
information of Indiana residents collected or maintained by the data
base owner.
(c) A data base owner shall not dispose of records or documents
containing unencrypted and unredacted personal information of Indiana
residents without shredding, incinerating, mutilating, erasing, or
otherwise rendering the personal information illegible or unusable.
(d) A data base owner may not make a material
misrepresentation to an Indiana resident regarding the data base
owner's collection, use, storage, sharing, or destruction of the
resident's personal information.
(e) A data base owner may not require:
(1) a contractor; or
(2) a vendor;
of the data base owner to make a material misrepresentation to an
Indiana resident regarding the data base owner's collection, use,
storage, sharing, or destruction of the resident's personal
information.
(d) (f) A person that knowingly or intentionally fails to comply with
any provision of this section commits a deceptive act that is actionable
only by the attorney general under this section.
(e) (g) The attorney general may bring an action under this section
to obtain any or all of the following:
(1) An injunction to enjoin further violations of this section.
(2) A civil penalty of not more than five thousand dollars ($5,000)
per deceptive act.
(3) The attorney general's reasonable costs in:
(A) the investigation of the deceptive act; and
(B) maintaining the action.
(f) (h) A failure to comply with subsection (b) or (c) in connection
with related acts or omissions constitutes one (1) deceptive act.