Main Menu
Know Your Disclosure Obligations in the Event of a Data Breach

The leaking of confidential government and business data to media outlets and onto the Internet has made headlines recently.  If you discover or are notified that confidential information that you possess or license was or may have been acquired by an unauthorized person or possibly left unsecured, would you know how to respond?  At a minimum you will likely be required to make certain disclosures under Indiana law.  If the confidential information at issue includes “personal information” (PI), such as an individual’s social security number, you will likely need to disclose the breach to each affected Indiana resident and the Indiana Attorney General (AG), and possibly each consumer reporting agency.  The manner of disclosure could depend on the number of affected Indiana residents and costs. How quickly must the disclosures be made? 

They should be made “without unreasonable delay.”  Whether a delay is reasonable will depend on the nature of the breach and the response, if any, by law enforcement officials.  The AG has recently been active in this area and has filed lawsuits where he believes there was a unreasonable delay in disclosing a breach.  The following principles are helpful in managing PI: implement a combination of physical and electronic security, employee training, and vetting of third-party security practices; properly dispose of PI as soon as you no longer need it; and have a plan for responding to security breaches.  Any plan should include making the required disclosures in a timely manner.



Recent Posts




Back to Page