Investigation of Security Breach
Upon receiving notification of a security breach of one of the Corporation's databases, the Superintendent shall:
A. determine how the breach occurred;
B. take immediate steps to correct and stop further unauthorized access; and
C. determine whether notification is required to be provided to any individuals whose personal information may have been subject to unauthorized access.
Notification of Security Breach to Affected Individuals
Notification is not required, but may be done, when there is a determination, based on a reasonable review of all the facts, that the security breach has not caused or is not likely to result in a material risk of identity theft or other fraud or result in substantial loss or injury to the individuals who are affected by the security breach. In making this determination, the Superintendent shall consider, at a minimum, whether the information accessed by an authorized individual was:
A. unencrypted and unredacted personal information;
B. encrypted but accessed by a person with access to the encryption code.
If the Superintendent determines that notice should be given, it shall be provided in the most expedient time possible, but not later than forty-five (45) days after the discovery of the breach. Notification shall be by one of the following methods:
A. written notice to the address on record for the individual(s)
B. written notice sent electronically, if the Corporation's primary method of communication with the individual to whom disclosure must be made is through electronic means and there is reasonable belief that the e-mail address is current
C. by telephone, provided that actual direct conversation is held with the individual within three (3) days of the first attempted call
The notification shall include:
A. description of the security breach in general terms;
B. the type of personal information that may have been accessed;
C. general description of the measures taken to stop further Security Breaches;
D. a telephone number where the person may obtain assistance or additional information;
E. reminder to be vigilant and monitor for fraud or identity theft.
If the Corporation does not have sufficient contact information to provide notification as specified above, the cost of providing notification would exceed $250,000 or the class of affected individuals exceeds 500 persons, the Corporation must provide substitute notice by the following methods:
A. written notice sent electronically, if the Corporation has an e-mail address for the resident to whom the disclosure must be made and there is reasonable belief that the e-mail address is current
B. conspicuous posting of the disclosure or notice on the Corporation's web site
C. notification to major media outlets, provided that the cumulative total of the readership, viewing audience, or listening audience of the outlets notified equals or exceeds seventy-five percent (75%) of the population
The Corporation may delay the disclosure or notification if a law enforcement agency determines that notice to the affected individual(s) will impede a criminal investigation or jeopardize homeland or national security. In such cases, the Corporation shall provide notification after the law enforcement agency determines that disclosure will not compromise the investigation or security.
If over 1,000 Indiana residents are affected by the security breach, credit reporting agencies shall be notified.
© NEOLA 2009