Posts on Indiana Cyber Law
School: University of the Cumberlands
Course: ISOL 531
Subject: Information Systems
Date: Dec 6, 2023
Uploaded by SuperHumanJellyfish3761
Describe your state’s law including at least these considerations:
Indiana has data breach laws that help protect against the mishandling of personal
information (PI). These laws were created to ensure that PI is handled with the utmost security and
care. The law defines a security breach as an unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of PI maintained by an Entity. The term
includes the unauthorized acquisition of computerized data that has been transferred to another
medium, including paper, microfilm, or a similar medium, even if the transferred data is no
longer in a computerized format. Indiana's data breach law further states that:
Unauthorized acquisition of a portable electronic device on which PI is stored does not
constitute a security breach if all PI on the device is protected by encryption and the
encryption key (i) has not been compromised or disclosed, and (ii) is not in the
possession of or known to the person who, without authorization, acquired or has access
to the portable electronic device.
Good-faith acquisition of PI by an employee or agent of the Entity for lawful purposes of
the Entity does not constitute a security breach if the PI is not used or subject to further
unauthorized disclosure.
Notice must be provided to those whose unencrypted PI was or may have been acquired by an
unauthorized person and those whose encrypted PI was or may have been acquired by an
unauthorized person with access to the encryption key.
What types of organizations or individuals does it apply to?
Indiana law applies to individuals, organizations, businesses and any entity that has access to
personal data, or any unauthorized person(s) with access to the data encryption keys.
An Entity shall disclose the breach to affected IN residents if the Entity knows, or
should know, or should have known that the unauthorized acquisition constituting the
breach has resulted in or could result in identity deception (as defined in Ind. Code § 35-43-5-3.5),
identity theft, or fraud affecting the IN resident.
Is it limited to only those organizations or individuals who reside or exist in that state, or
might it affect external interests?
The law covers every business, individual, and organization that handles PI data, and it covers
external bodies or individuals who remotely breach data situated within Indiana or data in transit
passing over Indiana. An individual who causes such a breach shall be liable and brought to
Indiana to face the law.
How does the law define or describe the information that it protects, by both name and
description?
Indiana breach law describes such data as PI data that can be a Social Security number that is not
encrypted or redacted, or an individual’s first and last names, or first initial and last name, and
one or more of the following data elements that are not encrypted or redacted:
A driver’s license number or state identification card number.
A credit card number; or
A financial account number or debit card number in combination with a security code,
password, or access code that would permit access to the person’s account.
PI does not include information that is lawfully obtained from publicly available information or
from federal, state, or local government records lawfully made available to the general public.
What exemptions, if any, exist?
Any Entity that maintains its own disclosure procedures as part of an information privacy policy
or a security policy is not required to make a separate disclosure under the statute if the Entity’s
information privacy policy or security policy is at least as stringent as the disclosure
requirements under the statute.
What are the penalties for violating the law?
A person that knowingly or intentionally fails to comply with the database maintenance
obligations commits a deceptive act that is actionable only by the state Attorney General.
Penalties include injunctive relief, a civil penalty of not more than $150,000 per violation, and
reasonable costs.
In your opinion, is it effective? Good law? Needing updating? What other critiques or
opinions do you have about it?
In my own opinion, I believe that this law is a great law and effective because it covers private
citizens’ personal data. In addition, there are other data laws like HIPAA, PCI DSS, NIST and
other laws and frameworks helping to strengthen every state law in protecting personally
identifiable information. I will add that with changes in technology like the use of AI, machine
learning, such state laws always need to be updated to stay in tune with recent technological
advancements.
Anything else that you think your classmates would benefit from.
I would say that it is important that we as individuals look out for phishing tricks used by hackers
and scammers to make us give out PI data, for instance by trying to make us fill out a form for
some benefits. Cyber-awareness training is very important for everyone, irrespective of which
state you are in, and it is very important for us to at least study the laws of every state we are in to
be able to comply with its regulations and rules.