Indiana Attorney General to Push Web Privacy, Breach Notice Upgrades

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Dec. 23 — Indiana Attorney General Greg Zoeller (R) Dec. 22 announced proposed legislation to require online enterprises to improve security and privacy protection and provide clearer privacy policies for consumers, as well as to expand the state's breach notification law.

Citing recent corporate data breaches—such as those at Staples Inc.—Zoeller said in a statement that Indiana's “existing laws are proving inadequate.”

State Sen. Jim Merritt (R), who joined Zoeller at a press conference announcing the legislative initiative, is slated in January—when the Legislature reconvenes— to sponsor a bill on the issues. “Identity theft and data breaches are serious crimes and can have life-altering consequences for victims,” Merritt said in the statement.

Online Privacy Policies 

The proposed legislation would require online companies that collect and store personal or financial data to:

• not retain information beyond what is necessary for business purposes and delete it after it is no longerneeded;

• secure stored data;

• “share or sell data only when authorized by law or when consumers are informed in advance;” and

• provide “conspicuous notice” of when data is collected and for how long data will be stored.

 

In addition, website operators and online companies that collect financial or personal information from state residents would be required under the proposed legislation to “conspicuously post” privacy policies that “identify what personal information the operator collects from site visitors and whether the operator shares or sells any of that information, and with whom.”

A covered online company that profits from selling user information and has failed to disclose to consumers that it is collecting and selling their data would be considered to have made “a knowing misrepresentation,” the statement said.

Data Breach Notice 

Zoeller also aims to include provisions in the proposed legislation to strengthen the state's data breach notification law.

Indiana enacted a breach notice law in 2005 that covered only state agency data breaches. In 2006, the notice requirement was expanded to cover all businesses.

The legislative proposal would amend the state Disclosure of Security Breach Act to expand its reach to cover not only breaches of electronic data but breaches of protected personal information in other media, such as paper documents.

The proposal would also require covered entities to provide “more informative notification to affected consumers so they can take action to protect themselves in case of a data breach,” the statement said.