Sec. 30.5. (a) This section applies to the following:

(1) Any:

(A) financial institution;

(B) person required to file notification with the department under IC 24-4.5-6-202;

(C) person subject to IC 24-7; or

(D) other person subject to regulation by the department.

(2) Any person licensed or required to be licensed under IC 24-4.4 or IC 24-4.5.

(b) As used in this section, "customer", with respect to a person described in subsection (a), means an individual consumer, or the individual's legal representative, who obtains or has obtained from the person a financial:

(1) product; or

(2) service;

that is to be used primarily for personal, family, or household purposes. The term does not include an affiliate of the person.

(c) As used in this section, "personal information" includes any of the following:

(1) An individual's first and last names or first initial and last name.

(2) Any of the following data elements:

(A) A Social Security number.

(B) A driver's license number.

(C) A state identification card number.

(D) A credit card number.

(E) A financial account number or debit card number.

(3) With respect to an individual, any of the following:

(A) Address.

(B) Telephone number.

(C) Information concerning the individual's:

(i) income or other compensation;

(ii) credit history;

(iii) credit score;

(iv) assets;

(v) liabilities; or

(vi) employment history.

(d) As used in this section, personal information is "encrypted" if the personal information:

(1) has been transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or

(2) is secured by another method that renders the personal information unreadable or unusable.

(e) As used in this section, personal information is "redacted" if the personal information has been altered or truncated so that not more than the last four (4) digits of:

(1) a Social Security number;

(2) a driver's license number;

(3) a state identification number; or

(4) an account number;

are accessible as part of the personal information.

(f) As used in this section, "personal records" means any records that:

(1) are maintained, whether as a paper record or in an electronic or a computerized form, by a person to whom this section applies; and

(2) contain the unencrypted, unredacted personal information of one (1) or more customers or potential customers.

(g) A person to whom this section applies shall keep and handle personal records in a manner that:

(1) reasonably safeguards the personal records from destruction, theft, or other loss; and

(2) protects the personal records from misuse.

(h) If a breach of the security of any personal records occurs, the person maintaining the records is subject to the disclosure requirements under IC 24-4.9-3, unless the person is exempt from the disclosure requirements under IC 24-4.9-3-4.

(i) A person to whom this section applies may not dispose of personal records without first:

(1) shredding, incinerating, or mutilating the personal records; or

(2) erasing or otherwise rendering illegible or unusable the personal information contained in the records.

(j) If a person to whom this section applies ceases doing business, the person shall, as part of the winding up of the business, safeguard any personal records maintained by the person in accordance with this section until such time as the person is entitled or required to destroy the records under:

(1) applicable law; or

(2) the person's own records maintenance policies.

(k) A person to whom this section applies shall provide at the person's cost any records that the director considers relevant or material to an examination, investigation, or other matter under consideration by the department.

As added by P.L.90-2008, SEC.20. Amended by P.L.1-2009, SEC.147; P.L.35-2010, SEC.98.