Ind. Code § 4-13.1-2-9

Current through P.L. 171-2024
Section 4-13.1-2-9 - State agency reporting requirements

A state agency (as defined in IC 4-1-10-2), other than state educational institutions, and a political subdivision (as defined in IC 36-1-2-13) shall:

(1) report any cybersecurity incident using their best professional judgment to the office without unreasonable delay and not later than two (2) business days after discovery of the cybersecurity incident in a format prescribed by the chief information officer; and
(2) provide the office with the name and contact information of any individual who will act as the primary reporter of a cybersecurity incident described in subdivision (1) before September 1, 2021, and before September 1 of every year thereafter.

Nothing in this section shall be construed to require reporting that conflicts with federal privacy laws or is prohibited due to an ongoing law enforcement investigation.

IC 4-13.1-2-9

Amended by P.L. 137-2021,SEC. 18, eff. 7/1/2021.