Note: This message is displayed if (1) your browser is not standards-compliant or (2) you have you disabled CSS. Read our Policies for more information.
What causes a security breach to occur?
How will I know if a security breach has occurred involving my personal information?
How is personal information defined?
What are the risks involved in a security breach?
Security breaches can be caused by the theft of a laptop computer or electronic device, a hacker who gains access to confidential records or systems, an employee that fails to follow security procedures, or a business that fails to use appropriate security measures to protect sensitive data, among other causes. A few common methods include:
Indiana’s disclosure law requires data base owners, state agencies, businesses, and organizations that collect and maintain personal information to notify you in the event of a security breach. Upon discovering that a breach has occurred, a business or organization must disclose the breach to each Indiana resident whose personal information was affected.
Under the law, this disclosure must occur “without unreasonable delay.” The notification should provide enough detail so that you can be prepared to protect yourself against identity theft or fraud. Failure to comply with the notification requirement can result in a lawsuit by the Attorney General and an order to pay civil penalties of up to $150,000.00.
Notification can occur by mail, phone, fax, or email, fax, or email. Substitute notice – disclosing the breach on the business website and to major news reporting media in the relevant geographic areas – is permitted if more than 500,000 persons are affected or if the cost of notification would exceed $250,000.00.
“Personal information” is defined by statute to include either your (1) Social Security number; or (2) your name and address, plus any one of the following: driver’s license number; state ID card number, credit card number, or debit card or financial account number in combination with the security code or password that would permit access to the account. SSNs or account numbers that are redacted to show only the last 4 digits do not constitute personal information. Neither does data that is encrypted to render it unreadable.
If your personal information falls into the wrong hands, it could be used to open new accounts in your name, drain your existing accounts, or commit some other form of identity theft or fraud against you. A Social Security Number by itself can be used to create a new account in your name, which could result in collection actions and harassment, lawsuits to collect the erroneous debt, inaccurate credit reports that may keep you from getting a car loan or mortgage re-finance, and many other types of monetary damage and frustration.
Identity theft continues to be one of the top consumer complaint categories at the state and federal levels, and the increasing number of persons affected by security breaches is likely a factor in that trend. It’s important that you have timely and accurate information about security breaches that may impact you so that you can act quickly to protect yourself. Delayed notification may lead to further instances of fraud, higher monetary damage amounts, and even the passing of important deadlines that affect your legal rights to recover your money or restore your identity.