Reprinted
March 3, 2006





ENGROSSED

HOUSE BILL No. 1101

_____


DIGEST OF HB 1101 (Updated March 2, 2006 3:29 pm - DI 106)



Citations Affected: IC 4-33; IC 16-22; IC 24-4; IC 24-4.9; IC 35-32; IC 35-41; IC 35-43; IC 35-50; noncode.

Synopsis: Security breach disclosure and identity deception. Provides that a person that owns or licenses certain unredacted or unencrypted personal information concerning Indiana residents that is contained in a computerized data base must disclose to those Indiana residents without unreasonable delay a security breach in the computerized data base (including the unauthorized acquisition of computerized data that have been transferred to another medium) if the security breach could cause the Indiana residents to become victims of identity theft, identity deception, or fraud. Requires a database owner who is required to make a disclosure concerning a security breach to more than 1,000 persons
(Continued next page)

Effective: July 1, 2006.





Walorski, Ruppel, Noe, Tincher
(SENATE SPONSORS _ HERSHMAN, STEELE, LANANE)




    January 5, 2006, read first time and referred to Committee on Public Safety and Homeland Security.
    January 19, 2006, amended, reported _ Do Pass.
    January 23, 2006, read second time, ordered engrossed. Engrossed.
    January 26, 2006, read third time, passed. Yeas 92, nays 0.

SENATE ACTION

    February 1, 2006, read first time and referred to Committee on Corrections, Criminal, and Civil Matters.
    February 9, 2006, amended, reported favorably _ Do Pass.
    February 23, 2006, read second time, amended, ordered engrossed.
    February 24, 2006, engrossed.
    February 27, 2006, returned to second reading.
    March 1, 2006, reread second time, amended, ordered engrossed.
    March 2, 2006, engrossed, read third time, passed. Yeas 49, nays 0. Committee of One.





Digest Continued

to notify each credit reporting bureau of the security breach. Specifies that a person that maintains a computer data base but does not own or license the personal information contained in the data base must notify the data base owner if there is a security breach in the data base. Provides that a data base owner with a privacy plan drafted to comply with certain federal statutes may comply with that plan instead of these provisions if that plan meets the federal requirements, and permits a data base owner with its own privacy plan to comply with its own plan instead of these provisions if its plan is at least as stringent as these provisions or a plan that complies with certain federal statutes. Authorizes the attorney general to bring an action to enforce the disclosure requirements. Makes certain information that relates to a license application submitted to the Indiana gaming commission confidential. Provides that a person who disposes of a customer's unencrypted, unredacted personal information without first shredding, incinerating, mutilating, or erasing the personal information commits a Class C infraction. Enhances the offense to a Class A infraction for a second or subsequent offense, or if the person has unlawfully disposed of the personal information of more than 100 customers. Includes as personal information certain information collected as part of a license or permit application. Provides that a person who unlawfully obtains the identifying information of a deceased person commits identity deception. Makes identity deception a Class C felony if a person unlawfully obtains the identities of more than 100 persons or the fair market value of the fraud or harm caused by the identity theft is at least $50,000. Makes possession of a card skimming device with the intent to commit identity deception or fraud a Class D felony and a Class C felony if the device is possessed with the intent to commit terroristic deception. Permits a court to enter a restitution order requiring a person convicted of identity deception to reimburse the victim for additional expenses that arise or are discovered after sentencing or after the entry of a restitution order. Grants a court a five year period in which to order a person convicted of identity deception to pay additional restitution. Provides that a person who commits the offense of identity deception may be tried in any county in which any element of the offense occurs. Provides that jurisdiction for cases of identity deception lies in Indiana if the victim resides in Indiana. Imposes certain fiduciary obligations on members of the governing board of a county hospital, and specifies that if a hospital governing board has two physician members, only one physician member is required to be an active member of the medical staff of the hospital.



Reprinted
March 3, 2006

Second Regular Session 114th General Assembly (2006)


PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana Constitution) is being amended, the text of the existing provision will appear in this style type, additions will appear in this style type, and deletions will appear in this style type.
Additions: Whenever a new statutory provision is being enacted (or a new constitutional provision adopted), the text of the new provision will appear in this style type. Also, the word NEW will appear in that style type in the introductory clause of each SECTION that adds a new provision to the Indiana Code or the Indiana Constitution.
Conflict reconciliation: Text in a statute in this style type or this style type reconciles conflicts between statutes enacted by the 2005 Regular Session of the General Assembly.


ENGROSSED

HOUSE BILL No. 1101



    A BILL FOR AN ACT to amend the Indiana Code concerning commercial law.

Be it enacted by the General Assembly of the State of Indiana:

SOURCE: IC 4-33-5-1.5; (06)EH1101.4.1. -->     SECTION 1. IC 4-33-5-1.5 IS ADDED TO THE INDIANA CODE AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]:
    Sec. 1.5. The following information submitted, collected, or gathered as part of an application to the commission for a license is confidential for purposes of IC 5-14-3-4:
        (1) Any information concerning a minor child of an applicant.
        (2) The Social Security number of an applicant or the spouse of an applicant.
        (3) The home telephone number of an applicant or the spouse of an applicant.
        (4) An applicant's birth certificate.
        (5) An applicant's driver's license number.
        (6) The name or address of a previous spouse of the applicant.
        (7) The date of birth of the spouse of an applicant.
        (8) The place of birth of the spouse of an applicant.
        (9) The personal financial records of an applicant or the spouse or minor child of an applicant.

SOURCE: IC 4-33-5-2; (06)EH1101.4.2. -->     SECTION 2. IC 4-33-5-2 IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]: Sec. 2. Notwithstanding any other law, upon written request from a person, the commission shall provide the following information to the person:
        (1) Except as provided in section 1.5 of this chapter, the information provided under section 1 of this chapter concerning a licensee or an applicant.
        (2) The amount of the wagering tax and admission tax paid daily to the state by a licensed owner or an operating agent.
        (3) A copy of a letter providing the reasons for the denial of an owner's license or an operating agent's contract.
        (4) A copy of a letter providing the reasons for the commission's refusal to allow an applicant to withdraw the applicant's application.
SOURCE: IC 16-22-2-10; (06)EH1101.4.3. -->     SECTION 3. IC 16-22-2-10 IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]: Sec. 10. (a) An individual is not prohibited from serving as a member of the governing board if the member:
        (1) has a pecuniary interest in; or
        (2) derives a profit from;
a contract or purchase connected with the hospital. However, the member shall disclose the interest or profit in writing to the board and provide a copy to the state board of accounts. The member shall abstain from voting on any matter that affects the interest or profit.
     (b) The governing board shall adopt a written conflict of interest policy that meets the requirements of subsection (a). The written conflict of interest policy may contain other requirements as determined by the board.
    (c) A member of a governing board who violates this section or the written conflict of interest policy described in subsection (b) may be removed from the governing board by action of the board.
    (d) The county executive may not:
        (1) reappoint to a governing board; or
        (2) appoint to a governing board;
an individual who violates this section or the written conflict of interest policy described in subsection (b) while serving or after serving as a member of a governing board.

SOURCE: IC 16-22-2.5; (06)EH1101.4.4. -->     SECTION 4. IC 16-22-2.5 IS ADDED TO THE INDIANA CODE AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE

JULY 1, 2006]:
     Chapter 2.5. Standards for Members of a Governing Board
    Sec. 1. (a) A member of a governing board shall, based on facts then known to the member, discharge the member's duties as follows:
        (1) In good faith.
        (2) With the care an ordinarily prudent person in a like position would exercise under similar circumstances.
        (3) In a manner the member reasonably believes to be in the best interests of the hospital.
    (b) In discharging the member's duties, a member may rely on information, opinions, reports, or statements, including financial statements and other financial data, if prepared or presented by one (1) of the following:
        (1) A person whom the member reasonably believes to be reliable and competent in the matters presented.
        (2) Legal counsel, public accountants, or other persons as to matters the member reasonably believes are within the person's professional or expert competence.
    (c) A member is not acting in good faith if the member has knowledge concerning a matter in question that makes reliance otherwise permitted by subsection (b) unwarranted.
    Sec. 2. All proprietary and competitive information concerning the county hospital is confidential. A member of a governing board may not disclose confidential information concerning the county hospital to any person not authorized to receive this information.
    Sec. 3. (a) A member of a governing board who violates this chapter may be removed from the governing board by action of the board.
    (b) The county executive may not:
        (1) reappoint to a governing board; or
        (2) appoint to a governing board;
an individual who violated this chapter while serving or after serving as a member of a governing board.
    Sec. 4. (a) A licensed physician is eligible for appointment to a county hospital governing board only if the physician is an active member of the medical staff of the hospital or holds a position that is equivalent to being an active member of the medical staff of the hospital.
    (b) A physician who is terminated from the medical staff of the hospital is removed from the governing board by operation of law.
    (c) A physician whose clinical privileges or staff membership

privileges have been significantly reduced shall be removed from the governing board by action of the board.
    (d) If a hospital governing board has two (2) physician members under IC 16-22-2-7 or IC 16-22-2-8, only one (1) physician member must be an active member of the medical staff of the hospital or hold a position that is equivalent to being an active member of the medical staff of the hospital.

SOURCE: IC 24-4-14; (06)EH1101.4.5. -->     SECTION 5. IC 24-4-14 IS ADDED TO THE INDIANA CODE AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]:
     Chapter 14. Persons Holding a Customer's Personal Information
    Sec. 1. This chapter does not apply to the following:
        (1) The executive, judicial, or legislative department of state government or any political subdivision.
        (2) A unit (as defined in IC 36-1-2-23).
        (3) The office of county auditor.
        (4) The office of county treasurer.
        (5) The office of county recorder.
        (6) The office of county surveyor.
        (7) A county sheriff's department.
        (8) The office of county coroner.
        (9) The office of county assessor.
        (10) A person who engages in the business of waste collection, except to the extent the person holds a customer's personal information directly in connection with the business of waste collection.
        (11) A person who maintains and complies with a disposal program under:
            (A) the federal USA Patriot Act (P.L.107-56);
            (B) Executive Order 13224;
            (C) the federal Driver's Privacy Protection Act (18 U.S.C. 2721 et seq.);
            (D) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
            (E) the federal Financial Modernization Act of 1999 (15 U.S.C. 6801 et seq.); or
            (F) the federal Health Insurance Portability and Accountability Act (HIPAA) (P.L.104-191);
        if applicable.
    Sec. 2. As used in this chapter, "customer" means a person who:
        (1) has:
            (A) received; or
            (B) contracted for;
        the direct or indirect provision of goods or services from another person holding the person's personal information; or
        (2) provides the person's personal information to another person in connection with a transaction with a nonprofit corporation or charitable organization.
The term includes a person who pays a commission, a consignment fee, or another fee contingent on the completion of a transaction.
    Sec. 3. As used in this chapter, "dispose of" means to discard or abandon the personal information of a customer in an area accessible to the public. The term includes placing the personal information in a container for trash collection.
    Sec. 4. For purposes of this chapter, personal information is "encrypted" if the personal information:
        (1) has been transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or
        (2) is secured by another method that renders the personal information unreadable or unusable.
    Sec. 5. As used in this chapter, "person" means an individual, a partnership, a corporation, a limited liability company, or another organization.
    Sec. 6. As used in this chapter, "personal information" has the meaning set forth in IC 24-4.9-2-10. The term includes information stored in a digital format.
    Sec. 7. (a) For purposes of this chapter, personal information is "redacted" if the personal information has been altered or truncated so that not more than the last four (4) digits of:
        (1) a driver's license number;
        (2) a state identification number; or
        (3) an account number;
is accessible as part of personal information
.
    (b) For purposes of this chapter, personal information is "redacted" if the personal information has been altered or truncated so that not more than five (5) digits of a Social Security number are accessible as part of personal information.

    Sec. 8. A person who disposes of the unencrypted, unredacted personal information of a customer without shredding, incinerating, mutilating, erasing, or otherwise rendering the information illegible or unusable commits a Class C infraction.

However, the offense is a Class A infraction if:
        (1) the person violates this section by disposing of the unencrypted, unredacted personal information of more than one hundred (100) customers; or
        (2) the person has a prior unrelated judgment for a violation of this section.

SOURCE: IC 24-4.9; (06)EH1101.4.6. -->     SECTION 6. IC 24-4.9 IS ADDED TO THE INDIANA CODE AS A NEW ARTICLE TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]:
     ARTICLE 4.9. DISCLOSURE OF SECURITY BREACH
    Chapter 1. Application
    Sec. 1. This article does not apply to:
        (1) a state agency (as defined in IC 4-1-10-2); or
        (2) the judicial or legislative department of state government.
    Chapter 2. Definitions
    Sec. 1. The definitions in this chapter apply throughout this article.
    Sec. 2. (a) "Breach of the security of a system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person. The term includes the unauthorized acquisition of computerized data that have been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.
    (b) The term does not include the following:
        (1) Good faith acquisition of personal information by an employee or agent of the person for lawful purposes of the person, if the personal information is not used or subject to further unauthorized disclosure.
        (2) Unauthorized acquisition of a portable electronic device on which personal information is stored, if access to the device is protected by a password that has not been disclosed.
    Sec. 3. "Data base owner" means a person that owns or licenses computerized data that includes personal information.
    Sec. 4. "Doing business in Indiana" means owning or using the personal information of an Indiana resident for commercial purposes.
    Sec. 5. Data are encrypted for purposes of this article if the data:
        (1) have been transformed through the use of an algorithmic process into a form in which there is a low probability of

assigning meaning without use of a confidential process or key; or
        (2) are secured by another method that renders the data unreadable or unusable.
    Sec. 6. "Financial institution" means a financial institution as defined in:
        (1) IC 28-1-1-3, other than a consumer finance institution licensed to make supervised or regulated loans under IC 24-4.5; or
        (2) 15 U.S.C. 6809(3).
    Sec. 7. "Indiana resident" means a person whose principal mailing address is in Indiana, as reflected in records maintained by the data base owner.
    Sec. 8. "Mail" has the meaning set forth in IC 23-1-20-15.
    Sec. 9. "Person" means an individual, a corporation, a business trust, an estate, a trust, a partnership, an association, a nonprofit corporation or organization, a cooperative, or any other legal entity.
    Sec. 10. "Personal information" means:
        (1) a Social Security number that is not encrypted or redacted; or
        (2) an individual's first and last names, or first initial and last name, and one (1) or more of the following data elements that are not encrypted or redacted:
            (A) A driver's license number.
            (B) A state identification card number.
            (C) A credit card number.
            (D) A financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account.
The term does not include information that is lawfully obtained from publicly available information or from federal, state, or local government records lawfully made available to the general public.
    Sec. 11. (a) Data are redacted for purposes of this article if the data have been altered or truncated so that not more than the last four (4) digits of:
        (1) a driver's license number;
        (2) a state identification number; or
        (3) an account number;
is accessible as part of personal information
.
    (b) For purposes of this article, personal information is "redacted" if the personal information has been altered or

truncated so that not more than five (5) digits of a Social Security number are accessible as part of personal information.
    Chapter 3. Disclosure and Notification Requirements
    Sec. 1. (a) Except as provided in section 4(c), 4(d), and 4(e) of this chapter, after discovering or being notified of a breach of the security of a system
, the data base owner shall disclose the breach to an Indiana resident whose:
        (1) unencrypted personal information was or may have been acquired by an unauthorized person; or
        (2) encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key;
if the data base owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception (as defined in IC 35-43-5-3.5), identity theft, or fraud affecting the Indiana resident.

     (b) A data base owner required to make a disclosure under subsection (a) to more than one thousand (1,000) consumers shall also disclose to each consumer reporting agency (as defined in 15 U.S.C. 1681a(p)) information necessary to assist the consumer reporting agency in preventing fraud, including personal information of an Indiana resident affected by the breach of the security of a system.
     Sec. 2. A person that maintains computerized data but that is not a data base owner shall notify the data base owner if the person discovers that personal information was or may have been acquired by an unauthorized person.
     Sec. 3. (a) A person required to make a disclosure or notification under this chapter shall make the disclosure or notification without unreasonable delay. For purposes of this section, a delay is reasonable if the delay is:
        (1) necessary to restore the integrity of the computer system;
        (2) necessary to discover the scope of the breach; or
        (3) in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will:
            (A) impede a criminal or civil investigation; or
            (B) jeopardize national security.
    (b) A person required to make a disclosure or notification under this chapter shall make the disclosure or notification as soon as possible after:


        (1) delay is no longer necessary to restore the integrity of the computer system or to discover the scope of the breach; or
        (2) the attorney general or a law enforcement agency notifies the person that delay will no longer impede a criminal or civil investigation or jeopardize national security.

     Sec. 4. (a) Except as provided in subsection (b), a data base owner required to make a disclosure under this chapter shall make the disclosure using one (1) of the following methods:
        (1) Mail.
        (2) Telephone.
        (3) Facsimile (fax).
        (4) Electronic mail, if the data base owner has the electronic mail address of the affected Indiana resident.
    (b) If a data base owner required to make a disclosure under this chapter is required to make the disclosure to more than five hundred thousand (500,000) Indiana residents, or if the data base owner required to make a disclosure under this chapter determines that the cost of the disclosure will be more than two hundred fifty thousand dollars ($250,000), the data base owner required to make a disclosure under this chapter may elect to make the disclosure by using both of the following methods:
        (1) Conspicuous posting of the notice on the web site of the data base owner, if the data base owner maintains a web site.
        (2) Notice to major news reporting media in the geographic area where Indiana residents affected by the breach of the security of a system reside.
    (c) A data base owner that maintains its own disclosure procedures as part of an information privacy policy or a security policy is not required to make a separate disclosure under this chapter if the data base owner's information privacy policy or security policy
is at least as stringent as the disclosure requirements described in:
        (1) sections 1 through 4(b) of this chapter;
        (2) subsection (d); or
        (3) subsection (e).
    (d) A data base owner that maintains its own disclosure procedures as part of an information privacy, security policy, or compliance plan under:
        (1) the federal USA Patriot Act (P.L. 107-56);
        (2) Executive Order 13224;
        (3) the federal Driver's Privacy Protection Act (18 U.S.C. 2781 et seq.);
        (4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
        (5) the federal Financial Modernization Act of 1999 (15 U.S.C. 6801 et seq.); or
        (6) the federal Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191);
is not required to make a disclosure under this chapter if the data base owner's information privacy, security policy, or compliance plan requires that Indiana residents be notified of a breach of the security of a system without unreasonable delay and the data base owner complies with the data base owner's information privacy, security policy, or compliance plan.
    (e) A financial institution that complies with the disclosure requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice or the Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, as applicable, is not required to make a disclosure under this chapter.
    (f) A person required to make a disclosure under this chapter may elect to make all or part of the disclosure in accordance with subsection (a) even if the person could make the disclosure in accordance with subsection (b).

     Chapter 4. Enforcement
    Sec. 1. (a) A person that is required to make a disclosure or notification in accordance with IC 24-4.9-3 and that fails to comply with any provision of this article commits a deceptive act that is actionable only by the attorney general under this chapter.

     (b) A failure to make a required disclosure or notification in connection with a related series of breaches of the security of a system constitutes one (1) deceptive act.
     Sec. 2. The attorney general may bring an action under this chapter to obtain any or all of the following:
        (1) An injunction to enjoin future violations of IC 24-4.9-3.
        (2) A civil penalty of not more than one hundred fifty thousand dollars ($150,000) per deceptive act.

         (3) The attorney general's reasonable costs in:
            (A) the investigation of the deceptive act; and
            (B) maintaining the action.

     Chapter 5. Preemption
    Sec. 1. This article preempts the authority of a unit (as defined in IC 36-1-2-23) to make an enactment dealing with the same

subject matter as this article.

SOURCE: IC 35-32-2-6; (06)EH1101.4.7. -->     SECTION 7. IC 35-32-2-6 IS ADDED TO THE INDIANA CODE AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]: Sec. 6. (a) Subject to subsection (b), a person who commits the offense of identity deception may be tried in a county in which:
        (1) the victim resides; or
        (2) the person:
            (A) obtains;
            (B) possesses;
            (C) transfers; or
            (D) uses;
        the information used to commit the offense.
    (b) If:
        (1) a person is charged with more than one (1) offense of identity deception; and
        (2) either:
            (A) the victims of the crimes reside in more than one (1) county; or
            (B) the person performs an act described in subsection (a)(2) in more than one (1) county;
the person may be tried in any county described in subdivision (2).

SOURCE: IC 35-41-1-1; (06)EH1101.4.8. -->     SECTION 8. IC 35-41-1-1, AS AMENDED BY P.L.115-2005, SECTION 3, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]: Sec. 1. (a) As used in this section, "Indiana" includes:
        (1) the area within the boundaries of the state of Indiana, as set forth in Article 14, Section 1 of the Constitution of the State of Indiana;
        (2) the portion of the Ohio River on which Indiana possesses concurrent jurisdiction with the state of Kentucky under Article 14, Section 2 of the Constitution of the State of Indiana; and
        (3) the portion of the Wabash River on which Indiana possesses concurrent jurisdiction with the state of Illinois under Article 14, Section 2 of the Constitution of the State of Indiana.
    (b) A person may be convicted under Indiana law of an offense if:
        (1) either the conduct that is an element of the offense, the result that is an element, or both, occur in Indiana;
        (2) conduct occurring outside Indiana is sufficient under Indiana law to constitute an attempt to commit an offense in Indiana;
        (3) conduct occurring outside Indiana is sufficient under Indiana law to constitute a conspiracy to commit an offense in Indiana, and an overt act in furtherance of the conspiracy occurs in Indiana;
        (4) conduct occurring in Indiana establishes complicity in the commission of, or an attempt or conspiracy to commit, an offense in another jurisdiction that also is an offense under Indiana law;
        (5) the offense consists of the omission to perform a duty imposed by Indiana law with respect to domicile, residence, or a relationship to a person, thing, or transaction in Indiana;
        (6) conduct that is an element of the offense or the result of conduct that is an element of the offense, or both, involve the use of the Internet or another computer network (as defined in IC 35-43-2-3) and access to the Internet or other computer network occurs in Indiana; or
        (7) conduct:
            (A) involves the use of:
                (i) the Internet or another computer network (as defined in IC 35-43-2-3); or
                (ii) another form of electronic communication;
            (B) occurs outside Indiana and the victim of the offense resides in Indiana at the time of the offense; and
            (C) is sufficient under Indiana law to constitute an offense in Indiana.
    (c) When the offense is homicide, either the death of the victim or bodily impact causing death constitutes a result under subsection (b)(1). If the body of a homicide victim is found in Indiana, it is presumed that the result occurred in Indiana.
     (d) If the offense is identity deception, the lack of the victim's consent constitutes conduct that is an element of the offense under subsection (b)(1). If a victim of identity deception resides in Indiana when a person knowingly or intentionally obtains, possesses, transfers, or uses the victim's identifying information, it is presumed that the conduct that is the lack of the victim's consent occurred in Indiana.
SOURCE: IC 35-43-5-3.5; (06)EH1101.4.9. -->     SECTION 9. IC 35-43-5-3.5 IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]: Sec. 3.5. (a) Except as provided in subsection (b), (c), a person who knowingly or intentionally obtains, possesses, transfers, or uses the identifying information of another person, including the identifying information of a person who is deceased:
        (1) without the other person's consent; and
        (2) with intent to:
            (A) harm or defraud another person;
            (B) assume another person's identity; or
            (C) profess to be another person;
commits identity deception, a Class D felony.
     (b) However, the offense defined in subsection (a) is a Class C felony if:
        (1) a person obtains, possesses, transfers, or uses the identifying information of more than one hundred (100) persons; or
        (2) the fair market value of the fraud or harm caused by the offense is at least fifty thousand dollars ($50,000).

    (b) (c) The conduct prohibited in subsection subsections (a) and (b) does not apply to:
        (1) a person less than twenty-one (21) years of age who uses the identifying information of another person to acquire an alcoholic beverage (as defined in IC 7.1-1-3-5);
        (2) a minor (as defined in IC 35-49-1-4) who uses the identifying information of another person to acquire:
            (A) a cigarette or tobacco product (as defined in IC 6-7-2-5);
            (B) a periodical, a videotape, or other communication medium that contains or depicts nudity (as defined in IC 35-49-1-5);
            (C) admittance to a performance (live or film) that prohibits the attendance of the minor based on age; or
            (D) an item that is prohibited by law for use or consumption by a minor; or
        (3) any person who uses the identifying information for a lawful purpose.
    (c) (d) It is not a defense in a prosecution under subsection (a) or (b) that no person was harmed or defrauded.
SOURCE: IC 35-43-5-4.3; (06)EH1101.4.10. -->     SECTION 10. IC 35-43-5-4.3 IS ADDED TO THE INDIANA CODE AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]: Sec. 4.3. (a) As used in this section, "card skimming device" means a device that is designed to read information encoded on a credit card. The term includes a device designed to read, record, or transmit information encoded on a credit card:
        (1) directly from a credit card; or
        (2) from another device that reads information directly from a credit card.

     (b) A person who possesses a card skimming device with intent to commit:
        (1) identity deception (IC 35-43-5-3.5);
        (2) fraud (IC 35-43-5-4);
or
        (3) terroristic deception (IC 35-43-5-3.6);
commits unlawful possession of a card skimming device. Unlawful

possession of a card skimming device under subdivision (1) or (2) is a Class D felony. Unlawful possession of a card skimming device under subdivision (3) is a Class C felony.

SOURCE: IC 35-50-5-3; (06)EH1101.4.11. -->     SECTION 11. IC 35-50-5-3, AS AMENDED BY P.L.2-2005, SECTION 129, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2006]: Sec. 3. (a) Except as provided in subsection (i) or (j), in addition to any sentence imposed under this article for a felony or misdemeanor, the court may, as a condition of probation or without placing the person on probation, order the person to make restitution to the victim of the crime, the victim's estate, or the family of a victim who is deceased. The court shall base its restitution order upon a consideration of:
        (1) property damages of the victim incurred as a result of the crime, based on the actual cost of repair (or replacement if repair is inappropriate);
        (2) medical and hospital costs incurred by the victim (before the date of sentencing) as a result of the crime;
        (3) the cost of medical laboratory tests to determine if the crime has caused the victim to contract a disease or other medical condition;
        (4) earnings lost by the victim (before the date of sentencing) as a result of the crime including earnings lost while the victim was hospitalized or participating in the investigation or trial of the crime; and
        (5) funeral, burial, or cremation costs incurred by the family or estate of a homicide victim as a result of the crime.
    (b) A restitution order under subsection (a), or (i), or (j) is a judgment lien that:
        (1) attaches to the property of the person subject to the order;
        (2) may be perfected;
        (3) may be enforced to satisfy any payment that is delinquent under the restitution order by the person in whose favor the order is issued or the person's assignee; and
        (4) expires;
in the same manner as a judgment lien created in a civil proceeding.
    (c) When a restitution order is issued under subsection (a), the issuing court may order the person to pay the restitution, or part of the restitution, directly to:
        (1) the victim services division of the Indiana criminal justice institute in an amount not exceeding:
            (A) the amount of the award, if any, paid to the victim under IC 5-2-6.1; and
            (B) the cost of the reimbursements, if any, for emergency services provided to the victim under IC 16-10-1.5 (before its repeal) or IC 16-21-8; or
        (2) a probation department that shall forward restitution or part of restitution to:
            (A) a victim of a crime;
            (B) a victim's estate; or
            (C) the family of a victim who is deceased.
The victim services division of the Indiana criminal justice institute shall deposit the restitution it receives under this subsection in the violent crime victims compensation fund established by IC 5-2-6.1-40.
    (d) When a restitution order is issued under subsection (a), or (i), or (j), the issuing court shall send a certified copy of the order to the clerk of the circuit court in the county where the felony or misdemeanor charge was filed. The restitution order must include the following information:
        (1) The name and address of the person that is to receive the restitution.
        (2) The amount of restitution the person is to receive.
Upon receiving the order, the clerk shall enter and index the order in the circuit court judgment docket in the manner prescribed by IC 33-32-3-2. The clerk shall also notify the department of insurance of an order of restitution under subsection (i).
    (e) An order of restitution under subsection (a), or (i), or (j), does not bar a civil action for:
        (1) damages that the court did not require the person to pay to the victim under the restitution order but arise from an injury or property damage that is the basis of restitution ordered by the court; and
        (2) other damages suffered by the victim.
    (f) Regardless of whether restitution is required under subsection (a) as a condition of probation or other sentence, the restitution order is not discharged by the completion of any probationary period or other sentence imposed for a felony or misdemeanor.
    (g) A restitution order under subsection (a), or (i), or (j), is not discharged by the liquidation of a person's estate by a receiver under IC 32-30-5 (or IC 34-48-1, IC 34-48-4, IC 34-48-5, IC 34-48-6, IC 34-1-12, or IC 34-2-7 before their repeal).
    (h) The attorney general may pursue restitution ordered by the court under subsections (a) and (c) on behalf of the victim services division of the Indiana criminal justice institute established under IC 5-2-6-8.
    (i) The court may order the person convicted of an offense under

IC 35-43-9 to make restitution to the victim of the crime. The court shall base its restitution order upon a consideration of the amount of money that the convicted person converted, misappropriated, or received, or for which the convicted person conspired. The restitution order issued for a violation of IC 35-43-9 must comply with subsections (b), (d), (e), and (g), and is not discharged by the completion of any probationary period or other sentence imposed for a violation of IC 35-43-9.
     (j) The court may order the person convicted of an offense under IC 35-43-5-3.5 to make restitution to the victim of the crime, the victim's estate, or the family of a victim who is deceased. The court shall base its restitution order upon a consideration of the amount of fraud or harm caused by the convicted person and any reasonable expenses (including lost wages) incurred by the victim in correcting the victim's credit report and addressing any other issues caused by the commission of the offense under IC 35-43-5-3.5. If, after a person is sentenced for an offense under IC 35-43-5-3.5, a victim, a victim's estate, or the family of a victim discovers or incurs additional expenses that result from the convicted person's commission of the offense under IC 35-43-5-3.5, the court may issue one (1) or more restitution orders to require the convicted person to make restitution, even if the court issued a restitution order at the time of sentencing. For purposes of entering a restitution order after sentencing, a court has continuing jurisdiction over a person convicted of an offense under IC 35-43-5-3.5 for five (5) years after the date of sentencing. Each restitution order issued for a violation of IC 35-43-5-3.5 must comply with subsections (b), (d), (e), and (g), and is not discharged by the completion of any probationary period or other sentence imposed for an offense under IC 35-43-5-3.5.

SOURCE: ; (06)EH1101.4.12. -->     SECTION 12. [EFFECTIVE JULY 1, 2006] (a) IC 35-43-5-3.5, as amended by this act, and IC 35-43-5-4.3, as added by this act, apply only to crimes committed after June 30, 2006.
     (b) IC 35-50-5-3, as amended by this act, applies only to persons sentenced after June 30, 2006.


EH 1101_LS 6726/DI 106

Figure

Graphic file number 0 named seal1001.pcx with height 58 p and width 72 p Left aligned