Senate Bill 0379

    January 12, 2004, read first time and referred to Committee on Transportation and Homeland Security.
    January 22, 2004, amended, reported favorably _ Do Pass.
    February 2, 2004, read second time, amended, ordered engrossed.

Reprinted

February 3, 2004

Second Regular Session 113th General Assembly (2004)

PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana Constitution) is being amended, the text of the existing provision will appear in this style type, additions will appear in this style type, and deletions will appear in ~~this~~ ~~style~~ ~~type.~~
Additions: Whenever a new statutory provision is being enacted (or a new constitutional provision adopted), the text of the new provision will appear in this style type. Also, the word NEW will appear in that style type in the introductory clause of each SECTION that adds a new provision to the Indiana Code or the Indiana Constitution.
Conflict reconciliation: Text in a statute in this style type or ~~this~~ ~~style~~ ~~type~~ reconciles conflicts between statutes enacted by the 2003 Regular Session of the General Assembly.

SENATE BILL No. 379

A BILL FOR AN ACT to amend the Indiana Code concerning state administration.

Be it enacted by the General Assembly of the State of Indiana:

    SECTION 1. IC 4-1-10 IS ADDED TO THE INDIANA CODE AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2004]:
     Chapter 10. Release of Social Security Number
    Sec. 1. As used in this chapter, "state agency" means an authority, a board, a branch, a commission, a committee, a department, a division, or another instrumentality of the executive, including the administrative, department of state government. Except as provided in subdivision (4), the term does not include the judicial or legislative department of state government. The term includes the following:
        (1) A state elected official's office.
        (2) A state educational institution (as defined in IC 20-12-0.5-1).
        (3) A body corporate and politic of the state created by state statute.
        (4) The Indiana lobby registration commission established by

IC 2-7-1.6-1.
    Sec. 2. Except as provided in section 3 or 4 of this chapter, a state agency may not disclose an individual's Social Security number.
    Sec. 3. Unless prohibited by state statute, federal statute, or court order, a state agency may disclose the Social Security number of an individual to a state, local, or federal agency.
    Sec. 4. A state agency may disclose the Social Security number of an individual if:
        (1) the disclosure of the Social Security number is expressly required by state law, federal law, or a court order;
        (2) the individual expressly consents in writing to the disclosure of the individual's Social Security number; or
         (3) the disclosure of the Social Security number is:
            (A) made to comply with:
                (i) the USA Patriot Act of 2001 (P.L. 107-56); or
                (ii) Presidential Executive Order 13224; or
            (B) to a commercial entity for the permissible uses set forth in the:
                (i) Drivers Privacy Protection Act (18 U.S.C. 2721 et seq.);
                (ii) Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); or
                (iii) Financial Modernization Act of 1999 (15 U.S.C. 94 6801 et seq.).
    Sec. 5. A state agency complies with section 2 of this chapter if the agency:
        (1) removes; or
        (2) completely and permanently obscures;
a Social Security number on a public record before disclosing the public record.
    Sec. 6. If a state agency releases a Social Security number in violation of this chapter, the agency shall provide notice to the person whose Social Security number was disclosed in the manner set forth in IC 4-1-11.
     Sec. 7. An employee of a state agency who knowingly, intentionally, or recklessly discloses a Social Security number in violation of this chapter commits a Class D felony.
     Sec. 8. A person who knowingly, intentionally, or recklessly makes a false representation to a state agency to obtain a Social Security number from the state agency commits a Class D felony.
     Sec. 9. An employee of a state agency who negligently discloses a Social Security number in violation of this chapter commits a

Class A infraction.
     Sec. 10. If a state agency releases a Social Security number in violation of this chapter, the agency shall provide notice to the person whose Social Security number was disclosed as set forth in IC 4-1-11.
    Sec. 11. (a) The attorney general may investigate any allegation that a Social Security number was disclosed in violation of this chapter.
    (b) If the attorney general determines that there is evidence that a state employee committed a criminal act under section 7 or 8 of this chapter, the attorney general shall report the attorney general's findings to:
        (1) the local prosecuting attorney in the county where the criminal act occurred; and
        (2) the state police department.
    Sec. 12. If the attorney general determines that there is evidence that a state employee committed an infraction under section 9 of this chapter, the attorney general:
        (1) shall report the attorney general's findings to the appointing authority (as defined in IC 4-2-6-1) of the agency that employees the employee; and
        (2) may report the attorney general's findings to the local prosecuting attorney in the county where the infraction occurred.
    Sec. 13. The attorney general may adopt rules under IC 4-22-2 that the attorney general considers necessary to carry out this chapter.
    SECTION 2. IC 4-1-11 IS ADDED TO THE INDIANA CODE AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2004]:
     Chapter 11. Notice of Security Breach
     Sec. 1. As used in this chapter, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state or local agency. The term does not include good faith acquisition of personal information by an agency or employee of the agency for the purposes of the agency, if the personal information is not used or subject to further unauthorized disclosure.
     Sec. 2. As used in this chapter, "personal information" means:
        (1) an individual's:
            (A) first name and last name; or

            (B) first initial and last name; and
        (2) at least one (1) of the following data elements:
            (A) Social Security number.
            (B) Driver's license number or identification card number.
            (C) Account number, credit card number, debit card number, security code, access code, or password of an individual's financial account.
The term does not include publicly available information that is lawfully made available to the public from records of a federal agency or local agency.
     Sec. 3. As used in this section "state agency" has the meaning set forth in IC 4-1-10-1.
     Sec. 4. (a) Any state agency that owns or licenses computerized data that includes personal information shall disclose a breach of the security of the system following discovery or notification of the breach to any state resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.
    (b) The disclosure of a breach of the security of the system shall be made:
        (1) without unreasonable delay;
        (2) consistent with:
            (A) the legitimate needs of law enforcement, as described in section 6 of this chapter; and
            (B) any measures necessary to:
                (i) determine the scope of the breach; and
                (ii) restore the reasonable integrity of the data system.
    Sec. 5. (a) This section applies to a state agency that maintains computerized data that includes personal information that the state agency does not own.
    (b) If personal information was or is reasonably believed to have been acquired by an unauthorized person, the state agency shall notify the owner or licensee of the information of a breach of the security of the system immediately following discovery. The agency shall provide the notice to state residents as required under section 4 of this chapter.
    Sec. 6. The notification required by this chapter:
        (1) may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation; and
        (2) shall be made after the law enforcement agency determines that it will not compromise the investigation.
    Sec. 7. Except as provided in section 8 of this chapter, a state

agency may provide notice:
        (1) in writing; or
        (2) by electronic mail, if the individual has provided the state agency with the individual's electronic mail address.
    Sec. 8. (a) This section applies if a state agency demonstrates that:
        (1) the cost of providing notice is at least two hundred fifty thousand dollars ($250,000);
        (2) the number of persons to be notified is at least five hundred thousand (500,000); or
        (3) the agency does not have sufficient contact information;
the state agency may use an alternate form of notice set forth in subsection (b).
    (b) A state agency may provide the following alternate forms of notice if authorized by subsection (a):
        (1) Conspicuous posting of the notice on the state agency's web site, if the state agency maintains a web site.
        (2) Notification to major statewide media.
    SECTION 3. [EFFECTIVE JULY 1, 2004] (a) Notwithstanding IC 4-1-10 and IC 4-1-11, both as added by this act, a state agency is not required to comply with IC 4-1-10 or IC 4-1-11, both as added by this act, until July 1, 2005.
    (b) This SECTION expires July 2, 2005.
    SECTION 4. [EFFECTIVE UPON PASSAGE]: (a) Notwithstanding IC 4-1-10, as added by this act, the attorney general may initiate rulemaking as set forth in IC 4-1-10-13, as added by this act.
    (b) This SECTION expires July 2, 2005.
    SECTION 5. An emergency is declared for this act.