Sec. 9. A state agency (as defined in IC 4-1-10-2), other than state educational institutions, and a political subdivision (as defined in IC 36-1-2-13) shall:
(1) report any cybersecurity incident using their best professional judgment to the office without unreasonable delay and not later than two (2) business days after discovery of the cybersecurity incident in a format prescribed by the chief information officer; and
(2) provide the office with the name and contact information of any individual who will act as the primary reporter of a cybersecurity incident described in subdivision (1) before September 1, 2021, and before September 1 of every year thereafter.
Nothing in this section shall be construed to require reporting that conflicts with federal privacy laws or is prohibited due to an ongoing law enforcement investigation.
As added by P.L.134-2021, SEC.5. Amended by P.L.137-2021, SEC.18.
Structure Indiana Code
Title 4. State Offices and Administration
Article 13.1. Office of Technology
Chapter 2. Office of Technology
4-13.1-2-3. Chief Information Officer
4-13.1-2-4. Fees for Enhanced Access to Public Records
4-13.1-2-5. State Agency Use of Office Services
4-13.1-2-6. Office; State Agencies
4-13.1-2-8. Office; Assist Political Subdivisions
4-13.1-2-9. State Agency Reporting Requirements
4-13.1-2-10. State Educational Institution Reporting Requirements