Indiana Attorney General Greg Zoeller has prepared a new bill that, although styled a “security breach” bill, would impose substantial new privacy obligations on companies holding the personal data of Indiana residents. Introduced by Indiana Senator James Merritt (R-Indianapolis) on January 12, 2015, SB413 would make a number of changes to existing Indiana law. For example, it would amend the existing Indiana breach notification law to apply to all data users, rather than owners of databases. The bill also would expand Indiana’s breach notification law by eliminating the requirement that the breached data be computerized before notice is required.

Most significantly, SB413 would require data users to implement and maintain “reasonable procedures” that prohibit them from “retaining personal information beyond what is necessary for business purposes or compliance with applicable law” and “using personal information for purposes beyond those authorized by law or by the individual to whom the personal information relates.” These requirements are a substantial change from most existing U.S. privacy laws, and designing and implementing the necessary procedures could be a challenge for many companies.

Failure to comply with the bill’s requirements would constitute a deceptive act under state consumer protection law. While only the attorney general may bring an enforcement action, if a court determines that the violation was “done knowingly,” penalties include a fine of $50 for each affected Indiana resident, with a minimum fine of $5,000 and a maximum fine of $150,000 per deceptive act.

The cap likely will be challenged as being too low during hearings on the bill. In any event, the fines imposed under this new section are cumulative with those available under any other state or federal law, rule or regulation.

SB413 also would require data users to have online privacy policies, and it specifies that those policies must include information as to:

  • whether personal information is collected through the data user’s Internet website;
  • the categories of personal information collected through the data user’s Internet website, if applicable;
  • whether the data user sells, shares or transfers personal information to third parties; and
  • if applicable, whether the data user obtains the express consent of an individual to whom the personal information relates before selling, sharing or transferring the individual’s personal information to a third party.

The bill would explicitly prohibit data users from making a “misrepresentation to an Indiana resident concerning the data user’s collection, storage, use, sharing, or destruction of personal information,” or from requiring a vendor or contractor to do so.

While the bill may well be amended as it moves through the legislative process before the Indiana Senate adjourns on April 29, 2015, it is widely expected to pass. Assuming it does, it will reflect a further significant evolution in state laws regulating information privacy and security, and will add Indiana to the growing list of states moving ahead of federal law in these areas.