of the affected individual’s residence, rather than such person’s state of employment or patronage. For larger
businesses, this could necessitate determining the reporting requirements of numerous states. Determining the
residency of all affected individuals is important to do as early as possible because the reporting requirements
of different states are varied and even contradictory, making the task of drafting one cohesive acknowledgement
letter to consumers or employees difficult.
This article explores, in general terms, only the requirements a business faces following the disclosure of
personal information of an Indiana resident.
1. Take quick action, but do not rush.
Indiana law requires that reporting of any breach be made “without unreasonable delay.” Beyond the legal
requirement, the business has a duty to protect its employees and consumers from further harm. Notifying the
affected individuals as early as possible allows those affected individuals to take personal action to protect their
interests (such as reporting the breach to their financial institutions, cancelling credit cards, and placing fraud alerts
or freezes on their accounts). Quick reporting makes the best of a bad situation by giving loyal employees and
consumers the ability to mitigate their own losses. Failing to quickly report the disclosure may cause additional
losses and cost the company goodwill.
However, “without unreasonable delay” does not call for immediate reporting. The business obviously will want
to avoid the marketing nightmare that follows if it fails to comply with all relevant requirements and is forced
to issue repeat or corrective notices. For reasons addressed below, the business first needs to compile facts
surrounding the breach and review the appropriate notice requirements before reporting the disclosure. The
business may also involve other authorities during this investigation period, but in doing so the business should
be aware that the law enforcement agency may issue a report (either to the public or one that may become public)
that could have a more negative effect than a disclosure made by the business itself. If possible, the business should try to coordinate
publication with any agencies that are helping with the matter.
2. Determine the scope of disclosure.
The Indiana reporting requirements increase if the disclosure affects 1,000 or more Indiana residents. If this
threshold is met, the business must notify not only the affected individuals but also the three major credit reporting
agencies: Equifax, Experian, and TransUnion. The business must also provide information necessary to assist the
reporting agency in preventing fraud, including personal information of an Indiana resident affected by the breach
of security. If the business is required to report the disclosure to 500,000 or more Indiana residents, the business
may elect to use different notification methods that are more conducive to large-scale disclosure.[4]
Although this article addresses Indiana law, it is noteworthy that at least one other state[5] requires the business to
provide a period of credit monitoring at no cost to the affected individuals depending on the cause of the breach.
This is also a voluntary consideration the business may want to explore offering.
3. Draft an appropriate disclosure statement.
After reviewing the facts surrounding the breach, the business must craft a disclosure statement to be provided to
all affected individuals as follows:
RBELAW.com