« Not Law - How the opportunity to control the Ebola virus in West Africa was lost | Main | Ind. Courts - "New Tippecanoe Co. juvenile magistrate ‘not starting from scratch’" »

Tuesday, December 30, 2014

Ind. Gov't. - AG Zoeller seeks to expand Indiana's data privacy laws

Indiana is the latest state in the past few months seeking to expand privacy and data security requirements, according to this comprehensive story by Jalyce Mangum in Ad Law Access.

Dan Carden has this story in the NWI Times.

The AG's detailed Dec. 22nd news release is available here. One proposal that caught the ILB's eye:

Indiana’s Disclosure of Security Breach Act would be enhanced to facilitate prompt and more informative notification to affected consumers so they can take action to protect themselves in case of a data breach.
In a 2006 post, the ILB criticized the then-new IC 24-4.9, Disclosure of Security Breach [now found here], writing:
HB 1101 does not require that Indiana residents be notified immediately if a security breach occurs. Notification would be covered by the new IC 24-4.9-3, Disclosure and Notification Requirements, beginning on p. 7 of the Enrolled Act. Rather, the language contains qualifers such as "without unreasonable delay" and "as soon as possible after." There is not even a "but in no event not later than ...".

How are people to be notified? That is pretty much left up to the data base owner (see top of p. 9) and may be via mail, phone, fax, or e-mail. Of course, telephone leaves no record, and e-mail is likely to be mistaken for spam or phishing by a wary recipient.

The section goes on to provide that if this has been a really big disclosure of private information -- such as one of over 500,000 Indiana residents -- the requirements for notification are eased and may be met by posting on the company's web site or via a press release.

The Enrolled Act goes on to exempt from its disclosure requirements entities already covered by laws such as the Fair Credit Reporting Act, HIPAA, etc., if they contain similar requirements.

Chapter 4 (see p. 10 of the Enrolled Act) deals with enforcement. A person who fails to comply with the requirements of the act "commits a deceptive act that is actionable only by the attorney general under this chapter." This language may preclude private suits.

Under the proposed IC 24-4.9-4-1(b), "A failure to make a required disclosure or notification in connection with a related series of breaches of the security of a system constitutes one deceptive act." In other words, a security breach resulting in the disclosure of information on a million consumers is ok under this bill as long as there is notification. Failure to notify would constitute one deceptive act, for which attorney general could seek a civil penalty of up to $150,000. This penalty would apparently go to the state general fund, not to those affected by the security breach.

Further, the new law specifically preempts local units of government from passing ordinances "dealing with the same subject matter as this article."

Finally, and most importantly, HEA 1101's new IC 24-4.9 offers no remedies to those consumers whose security has been breached, other than requiring that they be notified of the breach. What of the remedies that would pause or help repair the damage the breach has caused -- the remedies of security freezes, credit monitoring and credit repair set forth in Professor Ramasastry's article?

Short of that, the biggest question here is: Is the new IC 24-4.9 now to be the exclusive remedy available to Indiana residents for these security breaches resulting in disclosure of their information? Or can consumers whose records have been released bring suit for negligence and ask for damages, costs, security freezes, and credit monitoring or credit repair? Will the companies whose negligence resulted in the disclosure be able to claim compliance with the minimal notification requirements of the new law as a defense?

Posted by Marcia Oddi on December 30, 2014 08:53 AM
Posted to Indiana Government