Indiana Data Breach Notification Laws: Reporting Rules & Timelines (2026)

If your business handles personal information belonging to Indiana residents, a data breach triggers specific legal obligations. Indiana's Disclosure of Security Breach law, Ind. Code 24-4.9, sets out who must be notified, what information triggers that duty, and how quickly you need to act. Originally enacted in 2006, the law received a significant amendment through HEA 1341 (2022) that added a firm 45-day notification deadline.
This guide covers the full scope of Indiana's breach notification requirements, including what personal information triggers the law, who must be notified, the timeline, penalties, exemptions, and how the Indiana Consumer Data Protection Act (ICDPA) interacts with breach obligations.
Who Must Comply With Indiana's Breach Notification Law
Indiana's breach notification law applies to any individual, corporation, business, or other entity that owns or licenses computerized data containing the personal information of Indiana residents. This includes businesses located outside Indiana if they hold data belonging to Hoosier residents.
The law distinguishes between data owners and data maintainers. If a third party (such as a cloud hosting provider or payment processor) maintains data on behalf of an owner or licensee, that third party must notify the data owner immediately upon discovering a breach. The data owner then carries the responsibility to notify affected consumers and the Attorney General.
Entities with Separate Federal Compliance Frameworks
Businesses that already comply with breach notification procedures under certain federal laws can follow those frameworks instead of the state statute. Under IC 24-4.9-3-3.5, qualifying federal frameworks include:
- Gramm-Leach-Bliley Act (GLBA) for financial institutions
- HIPAA for healthcare entities and their business associates
- USA PATRIOT Act and Executive Order 13224 for covered entities
- Driver's Privacy Protection Act (DPPA)
- Fair Credit Reporting Act (FCRA)
In addition, any entity that maintains its own information privacy or security policy with breach notification procedures at least as stringent as the state statute is exempt from separate compliance under Indiana law.
What Qualifies as a Breach of Security
Under IC 24-4.9-2-2, a breach of the security of a system means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
The definition is deliberately broad. It covers data that has been transferred to another medium, including paper or microfilm, if the data was originally maintained in computerized form.
Good Faith Exception
Not every unauthorized access counts as a breach. A good faith acquisition of personal information by an employee or agent of the entity does not trigger notification requirements, as long as the data was obtained for lawful purposes and was not further used or disclosed without authorization.
Portable Device Exception
The statute also excludes the unauthorized acquisition of a portable electronic device on which personal information is stored, if access to the device is protected by a password that has not been disclosed.
The Encryption Safe Harbor

Indiana provides a clear safe harbor for encrypted data. A breach does not require notification if the compromised personal information was encrypted or redacted, and the encryption key was not accessed or acquired during the breach.
This means businesses that encrypt personal information at rest and in transit can avoid notification requirements, but only as long as the encryption keys remain secure. If both the encrypted data and the key are compromised, full notification obligations apply.
Personal Information That Triggers Notification
Indiana's definition of personal information under IC 24-4.9-2-10 takes two forms:
Standalone trigger: A Social Security number that is not encrypted or redacted.
Name-plus trigger: An individual's first and last name (or first initial and last name) combined with any one or more of the following data elements:
- Driver's license number or state identification card number
- Credit card number
- Financial account number or debit card number, combined with any required security code, access code, or password that would permit access to the account
Personal information does not include information that is lawfully obtained from publicly available sources or from federal, state, or local government records that are lawfully made available to the public.
What Indiana's Law Does Not Cover
Compared to many states that have updated their breach notification laws in recent years, Indiana's definition of personal information is notably narrow. The law does not cover:
- Biometric data (fingerprints, retina scans, voiceprints)
- Medical or health information
- Health insurance identification numbers
- Passport numbers
- Login credentials (usernames combined with passwords)
- Taxpayer identification numbers (other than SSNs)
This gap is particularly significant for biometric data. While the ICDPA (IC 24-15) defines biometric data and classifies it as sensitive personal data requiring consent before processing, the breach notification statute does not require notification if biometric data alone is compromised. A business could suffer a breach exposing thousands of fingerprint records belonging to Indiana residents and have no obligation to notify them under the state breach notification law.

The 45-Day Notification Timeline
Before 2022, Indiana's law required notification "without unreasonable delay" but did not set a firm deadline. HEA 1341 (2022), effective July 1, 2022, added a 45-day hard deadline.
Under IC 24-4.9-3-3, notification must be made without unreasonable delay, but no more than 45 days after the discovery of the breach. The clock starts when the entity discovers or is notified of the breach, not when the breach itself occurred.
When Delay Is Permitted
A delay beyond the initial discovery period is considered reasonable only if it is:
- Necessary to restore system integrity and prevent further unauthorized access
- Necessary to determine the scope of the breach
- Requested by the Attorney General or law enforcement because disclosure would impede a criminal or civil investigation or jeopardize national security
When a delay occurs under these exceptions, notification must happen as soon as possible after the reason for the delay no longer exists.
Who Must Be Notified
Affected Individuals
The primary obligation is to notify every Indiana resident whose unencrypted personal information was or may have been acquired by an unauthorized person. Notification is also required for individuals whose encrypted personal information was acquired by a person who also accessed the encryption key.
The notification trigger includes a risk assessment: disclosure is required when the entity knows, should know, or should have known that the breach has resulted in or could result in identity deception, identity theft, or fraud.
Indiana Attorney General

The Indiana Attorney General must be notified of every breach that triggers consumer notification. Businesses submit the Data Breach Notification Form by email to DataBreach@atg.in.gov or by mail to the Data Privacy & Identity Theft Unit at Indiana Government Center South, 5th Floor, 302 West Washington Street, Indianapolis, IN 46204.
A sample of the consumer notification letter should be included with the Attorney General submission.
Consumer Reporting Agencies
When a breach affects more than 1,000 Indiana residents, the entity must also notify the nationwide consumer reporting agencies. This notification must include information sufficient to help the agencies prevent fraud, such as the timing of the breach and the types of personal information exposed. The three major agencies and their breach reporting contacts are:
- Equifax: SecurityMonitoring@equifax.com
- Experian: BusinessRecordsVictimAssistance@experian.com
- TransUnion: databreach@transunion.com
How to Provide Notification
Indiana law permits several methods for notifying affected individuals:
- Written notice sent by mail
- Telephone notification
- Facsimile (fax)
- Electronic mail if an email address for the individual is available
Substitute Notice
Substitute notice is available as an alternative when the cost of standard notification would exceed $250,000 or when the affected class exceeds 500,000 Indiana residents. Substitute notice must consist of both:
- Conspicuous posting of the breach notice on the entity's website
- Notification to major news media in the geographic areas where affected residents live
The entity must demonstrate to the Attorney General that it qualifies for substitute notice before using this method.
Enforcement and Penalties

Indiana's breach notification law is enforced exclusively by the Indiana Attorney General. There is no private right of action. Individuals cannot sue businesses directly for failing to provide breach notification.
Under IC 24-4.9-4-2, knowingly or intentionally failing to comply with the notification requirements constitutes a deceptive act. The Attorney General may seek:
- Injunctive relief to stop ongoing violations
- Civil penalties up to $150,000 per deceptive act
- Reasonable costs incurred by the Attorney General in investigating and maintaining the enforcement action
Recent Enforcement Activity
Indiana's Attorney General has been active in data breach enforcement through multistate coalitions:
- Blackbaud (2023): AG Todd Rokita co-led a 50-state coalition resulting in a $49.5 million settlement after the company failed to implement reasonable data security practices and delayed breach notification. Indiana received nearly $3.6 million, the largest share of any state.
- Marriott (2024): A $52 million multistate settlement resolved claims that Marriott failed to secure guest reservation data over a four-year period, compromising 131.5 million U.S. records. Indiana received over $900,000.
- Inmediata: AG Rokita led a 33-state coalition against the healthcare clearinghouse for a coding error that exposed 1.5 million patients' protected health information for nearly three years.
How the ICDPA Interacts With Breach Notification
The Indiana Consumer Data Protection Act (IC 24-15), effective January 1, 2026, created a comprehensive privacy framework for Indiana. However, the ICDPA does not contain its own breach notification requirements. Businesses subject to the ICDPA must still follow IC 24-4.9 for breach notification.
The ICDPA does add relevant obligations that affect breach preparedness:
- Data security requirement: Controllers must implement reasonable administrative, technical, and physical data security practices to protect personal data.
- Data minimization: Controllers must limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose. Collecting less data reduces breach exposure.
- Sensitive data consent: Biometric data, precise geolocation, and other sensitive categories require explicit consumer consent before processing. While this adds protection, it does not change the breach notification trigger for those data types.
The ICDPA is enforced separately by the Attorney General, with penalties up to $7,500 per violation and a permanent 30-day right to cure before any enforcement action.
Sources and References
This article draws from the following official Indiana government sources:
- Ind. Code 24-4.9 (Disclosure of Security Breach) - Full text of Indiana's data breach notification statute (iga.in.gov)
- Indiana Attorney General: Security Breaches - AG breach reporting portal and guidance (in.gov)
- Indiana AG: Security Breach FAQs & Notification Form - Business notification requirements and form (in.gov)
- Ind. Code 24-15 (Indiana Consumer Data Protection Act) - Comprehensive privacy law effective January 1, 2026 (iga.in.gov)
- HEA 1341 (2022) - Amendment adding the 45-day notification deadline (iga.in.gov)
- AG Rokita - Blackbaud $49.5M Settlement (events.in.gov)
- AG Rokita - Marriott $52M Settlement (events.in.gov)
This article provides general legal information about Indiana data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in Indiana for guidance specific to your situation.