Potential New Online Privacy and Data Security Regulation in IN
The Indiana attorney general proposed legislation last Monday to impose strict requirements for the storage of sensitive data, reduce harm to consumers in the case of a data breach, and increase transparency of online privacy policies. The proposed legislation also includes an amendment to Indiana’s Disclosure of Security Breach Act. According to Indiana Attorney General Greg Zoeller, existing online privacy and data protection laws are not tough enough. State Sen. Jim Merritt (R-Indianapolis) will sponsor the legislation during the 2015 session of the Indiana General Assembly.
The proposed legislation would include the following provisions:
- Secure Data Storage: Online operators that store personal or financial information would be required to:
  - Securely store data
  - Delete personal or financial data and only retain what is necessary for business purposes and processes
  - Share or sell data only when authorized by law or when consumers are informed in advance
  - Inform consumers by clear and conspicuous notice when personal data must be collected and how long it will be stored
- Data Breach Notification Changes: The proposed amendment to the Disclosure of Security Breach Act would facilitate prompt and overt notification to affected consumers of a data breach. The legislation would require notices to include additional information so that consumers receive more informative and meaningful notification. Additionally, while the current law only covers electronically generated records, the proposed legislation would expand the Act to cover breaches of paper and handwritten records.
- Privacy Policy Transparency: Website operators and online entities that collect personal or financial data from Indiana residents would be required to conspicuously post their privacy policies online and identify (1) what personal information is collected from site visitors, (2) whether that information is shared or sold, and (3) who will receive that information. Operators and online entities who profit from the sale of user data and do not disclose that information would be responsible for making a knowing misrepresentation under the proposed legislation.
In short, states are trending toward tougher and tighter privacy and data protection regulations. We will track these proposals and provide updates here.