
Indiana Has a Data Breach Notification Law. Here's What Your Business Needs to Know.

Most small business owners don't think about Indiana's data breach notification law until they need it. By then, the clock is already running.

IC 24-4.9 — Indiana's data breach notification statute — has been on the books since 2009. It applies to businesses of every size, including yours. Here's what it requires and how to be ready.


Who It Applies To

The law covers any business that owns or licenses computerized personal information about Indiana residents. It doesn't matter how many employees you have or what industry you're in.

"Personal information" means a person's full name combined with at least one of the following: Social Security number, driver's license or state ID number, or a financial account or card number paired with a PIN, password, or security code.

If you work in professional services, healthcare, legal, or accounting, you're almost certainly holding this kind of data.


What Counts as a Breach

A breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.

Key notes:

  • Encrypted data: If personal information was encrypted and the key wasn't compromised, notification may not be required.
  • Good-faith access: An employee accidentally accessing data without harmful intent generally doesn't qualify.
  • Ransomware and unauthorized access: These almost always qualify. When in doubt, call your IT provider. Quickly establishing what was and wasn't accessed is critical.

The Notification Trigger and Timeline

Not every security incident requires notification. The law requires you to conduct a "reasonable and prompt investigation" to determine whether notification is needed. If you determine — or reasonably believe — that personal information was accessed by an unauthorized person, notification is required.

Indiana law requires notification "in the most expedient time possible." There's no fixed number of days, but "expedient" is not weeks — unreasonable delays invite AG scrutiny.

Document everything: when you discovered the incident, what you found, when you decided notification was required, and when notices went out.


Who Gets Notified

Affected Indiana residents must receive written notice that includes a description of what happened, what information was involved, steps they can take to protect themselves, and your contact information.

The Indiana Attorney General must also be notified if the breach affects more than 250 Indiana residents. This is the requirement most small businesses don't know about — and the one that carries the most risk if missed.


The Penalties

The AG can seek civil penalties of up to $150,000 per deceptive act under the Indiana Deceptive Consumer Sales Act. Failure to notify — or intentional delay — can qualify. How you handle a breach in the first 72 hours shapes the reputational outcome as much as the breach itself.


How Preparation Changes the Outcome

Businesses with a documented incident response plan fare meaningfully better when a breach occurs. You're not figuring out your obligations, your notification list, and your legal exposure all at once under pressure.

At minimum, your plan should cover: who handles the investigation, how you determine whether notification is required, who sends the required notices, and how everything gets documented.


Where a Managed IT Provider Fits In

A good managed IT provider reduces the probability of a breach through endpoint protection, patching, and email security. When something does happen, they help you establish the forensic picture quickly — what was accessed, what wasn't, and when. That's what makes notification timelines achievable.

At Blackbird, our service agreements include defined incident detection and notification obligations. If we see something that could constitute a breach, we tell you — in writing, with the specifics you need to make a notification decision. You're not figuring it out alone.


A Quick Checklist

Before you need it, make sure you can answer yes to these:

  • Do you know what personal information about Indiana residents is stored in your systems?
  • Do you know whether it's encrypted at rest?
  • Do you have an incident response plan — even a basic one?
  • Does your IT provider have a documented obligation to notify you of a suspected breach?
  • Do you have a process for notifying affected individuals and the AG if required?

If you answered "no" or "I'm not sure" to any of these, that's the gap to close.


The Bottom Line

Indiana's data breach law isn't designed to punish businesses that try to do the right thing. It's designed to ensure Indiana residents get timely notification when their data is compromised. The businesses that get into trouble are the ones that didn't know what to do and moved too slowly.

You don't have to be large to be prepared — just intentional.

If you'd like to talk through what incident response readiness looks like for your business — and how a managed IT agreement covers your notification obligations — we're happy to have that conversation.



Blackbird IT Solutions is a managed IT and cybersecurity provider serving businesses in Louisville, Southern Indiana, and across the region. Our service agreements include defined incident detection and notification obligations — because being prepared isn't optional for the businesses we work with.

This post is for informational purposes only and does not constitute legal advice. For guidance specific to your situation, consult a licensed attorney.