Indiana Code
Chapter 3. Disclosure and Notification Requirements
24-4.9-3-4. Method of Disclosure; Exceptions

Sec. 4. (a) Except as provided in subsection (b), a data base owner required to make a disclosure under this chapter shall make the disclosure using one (1) of the following methods:
(1) Mail.
(2) Telephone.
(3) Facsimile (fax).
(4) Electronic mail, if the data base owner has the electronic mail address of the affected Indiana resident.
(b) If a data base owner required to make a disclosure under this chapter is required to make the disclosure to more than five hundred thousand (500,000) Indiana residents, or if the data base owner required to make a disclosure under this chapter determines that the cost of the disclosure will be more than two hundred fifty thousand dollars ($250,000), the data base owner required to make a disclosure under this chapter may elect to make the disclosure by using both of the following methods:
(1) Conspicuous posting of the notice on the web site of the data base owner, if the data base owner maintains a web site.
(2) Notice to major news reporting media in the geographic area where Indiana residents affected by the breach of the security of a system reside.
(c) A data base owner that maintains its own disclosure procedures as part of an information privacy policy or a security policy is not required to make a separate disclosure under this chapter if the data base owner's information privacy policy or security policy is at least as stringent as the disclosure requirements described in:
(1) sections 1 through 4(b) of this chapter;
(2) subsection (d); or
(3) subsection (e).
(d) A data base owner that maintains its own disclosure procedures as part of an information privacy, security policy, or compliance plan under:
(1) the federal USA PATRIOT Act (P.L. 107-56);
(2) Executive Order 13224;
(3) the federal Driver's Privacy Protection Act (18 U.S.C. 2781 et seq.);
(4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(5) the federal Financial Modernization Act of 1999 (15 U.S.C. 6801 et seq.); or
(6) the federal Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191);
is not required to make a disclosure under this chapter if the data base owner's information privacy, security policy, or compliance plan requires that Indiana residents be notified of a breach of the security of data without unreasonable delay and the data base owner complies with the data base owner's information privacy, security policy, or compliance plan.
(e) A financial institution that complies with the disclosure requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice or the Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, as applicable, is not required to make a disclosure under this chapter.
(f) A person required to make a disclosure under this chapter may elect to make all or part of the disclosure in accordance with subsection (a) even if the person could make the disclosure in accordance with subsection (b).
As added by P.L.125-2006, SEC.6. Amended by P.L.137-2009, SEC.6.