Executive Summary
Large-scale data breaches have been in the media spotlight lately. In addition to federal requirements for protecting patient information, health care providers should familiarize themselves and stay up to date with state data breach requirements. The reporting process for data breaches of personal information for Indiana residents to the Indiana Attorney General (“AG”) has been streamlined with the recent introduction of a new form that may be submitted online. Providers should now use this form when reporting data breaches to the AG.
Background and Discussion
Since 2006, businesses that maintain certain personal information (“Personal Information”) of Indiana residents have been subject to the Indiana Security Breach Notification Statute (“Security Breach Law”). As part of this law, businesses are required to notify individuals whose Personal Information was accessed or acquired as a result of a breach of the business owner’s database system. Personal Information, as defined by the Security Breach Law, includes (1) social security numbers or (2) an individual’s first or last name (or first initial and last name) and one or more of the following:
- Driver’s license numbers;
- State identification card numbers;
- Credit card numbers; or
- Financial account numbers or debit card numbers in combination with a security code, password or access code that would permit access to the person’s account (IC 24-4.9-2-10).
In addition to notifying the affected individual, businesses must notify the AG and, in certain instances, notify consumer-reporting agencies.
Recently, the AG announced an update to its breach notification process that requires businesses that have suffered a data breach of Indiana residents’ Personal Information to submit notification to the AG on a specific form. The new Indiana Data Breach Notification Form, or OIG Form 1079 (“Form”), outlines specific information needed to satisfy the Security Breach Law. Prior to the creation of this Form, Indiana businesses contacted the AG by telephone or submitted a written letter or summary to report a breach incident. Now, businesses must use this new Form to notify the AG. The Form is available here.
The AG may seek injunctive relief against any business entity for violating the Security Breach Law. If the court finds that a business violated the law, the court may impose a civil penalty against the business of not more than $150,000 per deceptive act and award the AG reasonable costs for investigating and bringing the action, which the business will also be required to pay.
Practical Takeaways
In light of the recent large-scale data breaches of customer information, this is a good time for Indiana businesses, including health care providers, to review their data breach policies and procedures to ensure they have a plan in place to report breaches to residents and the AG without unreasonable delay.
If you have questions or would like further information, please contact Charise Frazier at (317) 977-1406 or cfrazier@hallrender.com, Kendra Conover at (317) 977-1456 or kconover@hallrender.com or your regular Hall Render attorney.
Please visit the Hall Render Blog at http://blogs.hallrender.com/ for more information on topics related to health care law.