AN ACT to amend the Indiana Code concerning commercial law.
position would exercise under similar circumstances.
(3) In a manner the member reasonably believes to be in the
best interests of the hospital.
(b) In discharging the member's duties, a member may rely on
information, opinions, reports, or statements, including financial
statements and other financial data, if prepared or presented by
one (1) of the following:
(1) A person whom the member reasonably believes to be
reliable and competent in the matters presented.
(2) Legal counsel, public accountants, or other persons as to
matters the member reasonably believes are within the
person's professional or expert competence.
(c) A member is not acting in good faith if the member has
knowledge concerning a matter in question that makes reliance
otherwise permitted by subsection (b) unwarranted.
Sec. 2. All proprietary and competitive information concerning
the county hospital is confidential. A member of a governing board
may not disclose confidential information concerning the county
hospital to any person not authorized to receive this information.
Sec. 3. (a) A member of a governing board who violates this
chapter may be removed from the governing board by action of the
board.
(b) The county executive may not:
(1) reappoint to a governing board; or
(2) appoint to a governing board;
an individual who violated this chapter while serving or after
serving as a member of a governing board.
Sec. 4. (a) A licensed physician is eligible for appointment to a
county hospital governing board only if the physician is an active
member of the medical staff of the hospital or holds a position that
is equivalent to being an active member of the medical staff of the
hospital.
(b) A physician who is terminated from the medical staff of the
hospital is removed from the governing board by operation of law.
(c) A physician whose clinical privileges or staff membership
privileges have been significantly reduced shall be removed from
the governing board by action of the board.
(d) If a hospital governing board has two (2) physician members
under IC 16-22-2-7 or IC 16-22-2-8, only one (1) physician member
must be an active member of the medical staff of the hospital or
hold a position that is equivalent to being an active member of the
medical staff of the hospital.
A NEW ARTICLE TO READ AS FOLLOWS [EFFECTIVE JULY 1,
2006]:
ARTICLE 4.9. DISCLOSURE OF SECURITY BREACH
Chapter 1. Application
Sec. 1. This article does not apply to:
(1) a state agency (as defined in IC 4-1-10-2); or
(2) the judicial or legislative department of state government.
Chapter 2. Definitions
Sec. 1. The definitions in this chapter apply throughout this
article.
Sec. 2. (a) "Breach of the security of a system" means
unauthorized acquisition of computerized data that compromises
the security, confidentiality, or integrity of personal information
maintained by a person. The term includes the unauthorized
acquisition of computerized data that have been transferred to
another medium, including paper, microfilm, or a similar medium,
even if the transferred data are no longer in a computerized
format.
(b) The term does not include the following:
(1) Good faith acquisition of personal information by an
employee or agent of the person for lawful purposes of the
person, if the personal information is not used or subject to
further unauthorized disclosure.
(2) Unauthorized acquisition of a portable electronic device on
which personal information is stored, if access to the device is
protected by a password that has not been disclosed.
Sec. 3. "Data base owner" means a person that owns or licenses
computerized data that includes personal information.
Sec. 4. "Doing business in Indiana" means owning or using the
personal information of an Indiana resident for commercial
purposes.
Sec. 5. Data are encrypted for purposes of this article if the
data:
(1) have been transformed through the use of an algorithmic
process into a form in which there is a low probability of
assigning meaning without use of a confidential process or
key; or
(2) are secured by another method that renders the data
unreadable or unusable.
Sec. 6. "Financial institution" means a financial institution as
defined in:
(1) IC 28-1-1-3, other than a consumer finance institution
licensed to make supervised or regulated loans under
IC 24-4.5; or
(2) 15 U.S.C. 6809(3).
Sec. 7. "Indiana resident" means a person whose principal
mailing address is in Indiana, as reflected in records maintained by
the data base owner.
Sec. 8. "Mail" has the meaning set forth in IC 23-1-20-15.
Sec. 9. "Person" means an individual, a corporation, a business
trust, an estate, a trust, a partnership, an association, a nonprofit
corporation or organization, a cooperative, or any other legal
entity.
Sec. 10. "Personal information" means:
(1) a Social Security number that is not encrypted or
redacted; or
(2) an individual's first and last names, or first initial and last
name, and one (1) or more of the following data elements that
are not encrypted or redacted:
(A) A driver's license number.
(B) A state identification card number.
(C) A credit card number.
(D) A financial account number or debit card number in
combination with a security code, password, or access code
that would permit access to the person's account.
The term does not include information that is lawfully obtained
from publicly available information or from federal, state, or local
government records lawfully made available to the general public.
Sec. 11. (a) Data are redacted for purposes of this article if the
data have been altered or truncated so that not more than the last
four (4) digits of:
(1) a driver's license number;
(2) a state identification number; or
(3) an account number;
is accessible as part of personal information.
(b) For purposes of this article, personal information is
"redacted" if the personal information has been altered or
truncated so that not more than five (5) digits of a Social Security
number are accessible as part of personal information.
Chapter 3. Disclosure and Notification Requirements
Sec. 1. (a) Except as provided in section 4(c), 4(d), and 4(e) of
this chapter, after discovering or being notified of a breach of the
security of a system, the data base owner shall disclose the breach
to an Indiana resident whose:
(1) unencrypted personal information was or may have been
acquired by an unauthorized person; or
(2) encrypted personal information was or may have been
acquired by an unauthorized person with access to the
encryption key;
if the data base owner knows, should know, or should have known
that the unauthorized acquisition constituting the breach has
resulted in or could result in identity deception (as defined in
IC 35-43-5-3.5), identity theft, or fraud affecting the Indiana
resident.
(b) A data base owner required to make a disclosure under
subsection (a) to more than one thousand (1,000) consumers shall
also disclose to each consumer reporting agency (as defined in 15
U.S.C. 1681a(p)) information necessary to assist the consumer
reporting agency in preventing fraud, including personal
information of an Indiana resident affected by the breach of the
security of a system.
Sec. 2. A person that maintains computerized data but that is
not a data base owner shall notify the data base owner if the person
discovers that personal information was or may have been
acquired by an unauthorized person.
Sec. 3. (a) A person required to make a disclosure or notification
under this chapter shall make the disclosure or notification without
unreasonable delay. For purposes of this section, a delay is
reasonable if the delay is:
(1) necessary to restore the integrity of the computer system;
(2) necessary to discover the scope of the breach; or
(3) in response to a request from the attorney general or a law
enforcement agency to delay disclosure because disclosure
will:
(A) impede a criminal or civil investigation; or
(B) jeopardize national security.
(b) A person required to make a disclosure or notification under
this chapter shall make the disclosure or notification as soon as
possible after:
(1) delay is no longer necessary to restore the integrity of the
computer system or to discover the scope of the breach; or
(2) the attorney general or a law enforcement agency notifies
the person that delay will no longer impede a criminal or civil
investigation or jeopardize national security.
Sec. 4. (a) Except as provided in subsection (b), a data base
owner required to make a disclosure under this chapter shall make
the disclosure using one (1) of the following methods:
(1) Mail.
(2) Telephone.
(3) Facsimile (fax).
(4) Electronic mail, if the data base owner has the electronic
mail address of the affected Indiana resident.
(b) If a data base owner required to make a disclosure under
this chapter is required to make the disclosure to more than five
hundred thousand (500,000) Indiana residents, or if the data base
owner required to make a disclosure under this chapter determines
that the cost of the disclosure will be more than two hundred fifty
thousand dollars ($250,000), the data base owner required to make
a disclosure under this chapter may elect to make the disclosure by
using both of the following methods:
(1) Conspicuous posting of the notice on the web site of the
data base owner, if the data base owner maintains a web site.
(2) Notice to major news reporting media in the geographic
area where Indiana residents affected by the breach of the
security of a system reside.
(c) A data base owner that maintains its own disclosure
procedures as part of an information privacy policy or a security
policy is not required to make a separate disclosure under this
chapter if the data base owner's information privacy policy or
security policy is at least as stringent as the disclosure
requirements described in:
(1) sections 1 through 4(b) of this chapter;
(2) subsection (d); or
(3) subsection (e).
(d) A data base owner that maintains its own disclosure
procedures as part of an information privacy, security policy, or
compliance plan under:
(1) the federal USA Patriot Act (P.L. 107-56);
(2) Executive Order 13224;
(3) the federal Driver's Privacy Protection Act (18 U.S.C. 2781
et seq.);
(4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.);
(5) the federal Financial Modernization Act of 1999 (15 U.S.C.
6801 et seq.); or
(6) the federal Health Insurance Portability and
Accountability Act (HIPAA) (P.L. 104-191);
is not required to make a disclosure under this chapter if the data
base owner's information privacy, security policy, or compliance
plan requires that Indiana residents be notified of a breach of the
security of a system without unreasonable delay and the data base
owner complies with the data base owner's information privacy,
security policy, or compliance plan.
(e) A financial institution that complies with the disclosure
requirements prescribed by the Federal Interagency Guidance on
Response Programs for Unauthorized Access to Customer
Information and Customer Notice or the Guidance on Response
Programs for Unauthorized Access to Member Information and
Member Notice, as applicable, is not required to make a disclosure
under this chapter.
(f) A person required to make a disclosure under this chapter
may elect to make all or part of the disclosure in accordance with
subsection (a) even if the person could make the disclosure in
accordance with subsection (b).
Chapter 4. Enforcement
Sec. 1. (a) A person that is required to make a disclosure or
notification in accordance with IC 24-4.9-3 and that fails to comply
with any provision of this article commits a deceptive act that is
actionable only by the attorney general under this chapter.
(b) A failure to make a required disclosure or notification in
connection with a related series of breaches of the security of a
system constitutes one (1) deceptive act.
Sec. 2. The attorney general may bring an action under this
chapter to obtain any or all of the following:
(1) An injunction to enjoin future violations of IC 24-4.9-3.
(2) A civil penalty of not more than one hundred fifty
thousand dollars ($150,000) per deceptive act.
(3) The attorney general's reasonable costs in:
(A) the investigation of the deceptive act; and
(B) maintaining the action.
Chapter 5. Preemption
Sec. 1. This article preempts the authority of a unit (as defined
in IC 36-1-2-23) to make an enactment dealing with the same
subject matter as this article.
conduct that is an element of the offense, or both, involve the use
of the Internet or another computer network (as defined in
IC 35-43-2-3) and access to the Internet or other computer
network occurs in Indiana; or
(7) conduct:
(A) involves the use of:
(i) the Internet or another computer network (as defined in
IC 35-43-2-3); or
(ii) another form of electronic communication;
(B) occurs outside Indiana and the victim of the offense
resides in Indiana at the time of the offense; and
(C) is sufficient under Indiana law to constitute an offense in
Indiana.
(c) When the offense is homicide, either the death of the victim or
bodily impact causing death constitutes a result under subsection
(b)(1). If the body of a homicide victim is found in Indiana, it is
presumed that the result occurred in Indiana.
(d) If the offense is identity deception, the lack of the victim's
consent constitutes conduct that is an element of the offense under
subsection (b)(1). If a victim of identity deception resides in
Indiana when a person knowingly or intentionally obtains,
possesses, transfers, or uses the victim's identifying information, it
is presumed that the conduct that is the lack of the victim's consent
occurred in Indiana.
offense is at least fifty thousand dollars ($50,000).
(c) The conduct prohibited in subsections (a) and (b)
does not apply to:
(1) a person less than twenty-one (21) years of age who uses the
identifying information of another person to acquire an alcoholic
beverage (as defined in IC 7.1-1-3-5);
(2) a minor (as defined in IC 35-49-1-4) who uses the identifying
information of another person to acquire:
(A) a cigarette or tobacco product (as defined in IC 6-7-2-5);
(B) a periodical, a videotape, or other communication medium
that contains or depicts nudity (as defined in IC 35-49-1-5);
(C) admittance to a performance (live or film) that prohibits
the attendance of the minor based on age; or
(D) an item that is prohibited by law for use or consumption by
a minor; or
(3) any person who uses the identifying information for a lawful
purpose.
(d) It is not a defense in a prosecution under subsection (a) or
(b) that no person was harmed or defrauded.
article for a felony or misdemeanor, the court may, as a condition of
probation or without placing the person on probation, order the person
to make restitution to the victim of the crime, the victim's estate, or the
family of a victim who is deceased. The court shall base its restitution
order upon a consideration of:
(1) property damages of the victim incurred as a result of the
crime, based on the actual cost of repair (or replacement if repair
is inappropriate);
(2) medical and hospital costs incurred by the victim (before the
date of sentencing) as a result of the crime;
(3) the cost of medical laboratory tests to determine if the crime
has caused the victim to contract a disease or other medical
condition;
(4) earnings lost by the victim (before the date of sentencing) as
a result of the crime including earnings lost while the victim was
hospitalized or participating in the investigation or trial of the
crime; and
(5) funeral, burial, or cremation costs incurred by the family or
estate of a homicide victim as a result of the crime.
(b) A restitution order under subsection (a), (i), or (j) is a
judgment lien that:
(1) attaches to the property of the person subject to the order;
(2) may be perfected;
(3) may be enforced to satisfy any payment that is delinquent
under the restitution order by the person in whose favor the order
is issued or the person's assignee; and
(4) expires;
in the same manner as a judgment lien created in a civil proceeding.
(c) When a restitution order is issued under subsection (a), the
issuing court may order the person to pay the restitution, or part of the
restitution, directly to:
(1) the victim services division of the Indiana criminal justice
institute in an amount not exceeding:
(A) the amount of the award, if any, paid to the victim under
IC 5-2-6.1; and
(B) the cost of the reimbursements, if any, for emergency
services provided to the victim under IC 16-10-1.5 (before its
repeal) or IC 16-21-8; or
(2) a probation department that shall forward restitution or part of
restitution to:
(A) a victim of a crime;
(B) a victim's estate; or
a violation of IC 35-43-9.
(j) The court may order the person convicted of an offense
under IC 35-43-5-3.5 to make restitution to the victim of the crime,
the victim's estate, or the family of a victim who is deceased. The
court shall base its restitution order upon a consideration of the
amount of fraud or harm caused by the convicted person and any
reasonable expenses (including lost wages) incurred by the victim
in correcting the victim's credit report and addressing any other
issues caused by the commission of the offense under
IC 35-43-5-3.5. If, after a person is sentenced for an offense under
IC 35-43-5-3.5, a victim, a victim's estate, or the family of a victim
discovers or incurs additional expenses that result from the
convicted person's commission of the offense under IC 35-43-5-3.5,
the court may issue one (1) or more restitution orders to require
the convicted person to make restitution, even if the court issued a
restitution order at the time of sentencing. For purposes of entering
a restitution order after sentencing, a court has continuing
jurisdiction over a person convicted of an offense under
IC 35-43-5-3.5 for five (5) years after the date of sentencing. Each
restitution order issued for a violation of IC 35-43-5-3.5 must
comply with subsections (b), (d), (e), and (g), and is not discharged
by the completion of any probationary period or other sentence
imposed for an offense under IC 35-43-5-3.5.