SB 382-2_ Filed 04/02/2013, 11:10 Steuerwald
PREVAILED Roll Call No. _______
FAILED Ayes _______
WITHDRAWN Noes _______
RULED OUT OF ORDER
HOUSE MOTION ____
I move that Engrossed Senate Bill 382 be amended to read as follows:
SOURCE: Page 5, line 34; (13)MO038202.5. -->
Page 5, between lines 34 and 35, begin a new paragraph and insert:
SOURCE: IC 24-4.9-2-3; (13)MO038202.2. -->
"SECTION 2. IC 24-4.9-2-3, AS ADDED BY P.L.125-2006,
SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2013]: Sec. 3. (a) Except as provided in subsection (b),
"data base owner" means a person that owns or licenses computerized
data that includes personal information.
(b) For purposes of IC 24-4.9-3-3.5, "data base owner" means
a person that owns or licenses data that includes personal
information, including data that is maintained:
(1) in a computerized format;
(2) on paper;
(3) on microfilm; or
(4) in or on a medium similar to the mediums described in this
SOURCE: IC 24-4.9-3-3.5; (13)MO038202.3. -->
SECTION 3. IC 24-4.9-3-3.5, AS ADDED BY P.L.137-2009,
SECTION 5, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2013]: Sec. 3.5. (a) This section does not apply to a data base
owner that maintains its own data security procedures as part of an
information privacy, security policy, or compliance plan under:
(1) the federal USA PATRIOT Act (P.L. 107-56);
(2) Executive Order 13224;
(3) the federal Driver's Privacy Protection Act (18 U.S.C. 2721 et
(4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(5) the federal Financial Modernization Act of 1999 (15 U.S.C.
6801 et seq.); or
(6) the federal Health Insurance Portability and Accountability
Act (HIPAA) (P.L. 104-191);
if the data base owner's information privacy, security policy, or
compliance plan requires the data base owner to maintain reasonable
procedures to protect and safeguard from unlawful use or disclosure
personal information of Indiana residents that is collected or
maintained by the data base owner and the data base owner complies
with the data base owner's information privacy, security policy, or
(b) A data base owner shall implement and maintain reasonable
procedures, including taking any appropriate corrective action, to
protect and safeguard from unlawful use or disclosure any personal
information of Indiana residents collected or maintained by the data
(c) A data base owner shall not dispose of records or documents
containing unencrypted and unredacted personal information of Indiana
residents without shredding, incinerating, mutilating, erasing, or
otherwise rendering the personal information illegible or unusable.
(d) A data base owner shall not make a material
misrepresentation to an Indiana resident regarding the data base
owner's collection, use, storage, sharing, or destruction of the
resident's personal information.
A person that knowingly or intentionally fails to comply with
any provision of this section commits a deceptive act that is actionable
only by the attorney general under this section.
The attorney general may bring an action under this section
to obtain any or all of the following:
(1) An injunction to enjoin further violations of this section.
(2) A civil penalty of not more than five thousand dollars ($5,000)
per deceptive act.
(3) The attorney general's reasonable costs in:
(A) the investigation of the deceptive act; and
(B) maintaining the action.
A failure to comply with subsection (b) or (c) in connection
with related acts or omissions constitutes one (1) deceptive act.".
Renumber all SECTIONS consecutively.
(Reference is to ESB 382 as printed March 26, 2013.)
MO038202/DI 107 2013