Indiana has amended its breach notification law to require entities to notify individuals “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” It clarifies that a delay is “reasonable” if it is: “(1) necessary to restore the integrity of the computer system; (2) necessary to discover the scope of the breach; or (3) in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will: (A) impede a criminal or civil investigation; or (B) jeopardize national security.” IN LEGIS 171-2022 (2022), 2022 Ind. Legis. Serv. P.L. 171-2022 (H.E.A. 1351) (WEST)
The law goes into effect on July 2, 2022.
On a side note, the Indiana Attorney General’s office is well known when it comes to consumer protection and frequently issues data requests after receiving notice that an Indiana resident’s personal information may have been compromised. Therefore, it is worthwhile to be aware of this new time frame when sending notification to individuals and the Indiana AG.