Indiana Enacts Bill Governing Data Breach Disclosure

On March 18, 2022, Eric Holcomb, the Indiana governor, signed HB 1351 into law, which places disclosure or notice requirements on persons who have suffered a data breach. 

Under the requirements of the bill, when an entity discovers a data breach, it must disclose the breach “without unreasonable delay,” which is not more than forty-five (45) days after discovery of the breach.

This permissible period of delay may be extended under certain circumstances, including where delay is “necessary to restore the integrity of the computer system” or “to discover the scope of the breach,” or where the Indiana Attorney General or a law enforcement agency informs the entity that disclosure would impede a criminal or civil investigation.

The bill will take effect July 1, 2022. As such, entities who operate in Indiana should review their data breach reporting requirements and update their requirements to reflect the 45-day notice & disclosure timeframe.