House Bill 1351, an extension of new federal breach reporting requirements, is now law in Indiana, effective July 1, 2022. Governor Holcomb signed the relatively short bill, which amends a section of existing Indiana law to require that computer data breaches be disclosed to the public within 45 days:
- A person required to make a disclosure or notification under this chapter shall make the disclosure or notification without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach. For purposes of this section, a delay is reasonable if the delay is:
  - (1) necessary to restore the integrity of the computer system;
  - (2) necessary to discover the scope of the breach; or
  - (3) in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will:
    - (A) impede a criminal or civil investigation; or
    - (B) jeopardize national security.
A federal law signed by President Biden in March 2022 as part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will require “covered entities”—organizations in certain critical infrastructure sectors—to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours after the organization reasonably believes the cyber incident has occurred. Covered entities will also be required to report ransom payments within 24 hours of making a payment in response to a ransomware attack. A “cyber incident” under CIRCIA does not include compromised personal data, which is the trigger for reporting under some state laws, including Indiana’s.
Data breach disclosures were already required in most circumstances, but they must now be made within 45 days unless a delay is justified by a law enforcement request or national security concerns. Companies still have to disclose the breach once law enforcement determines that disclosure no longer impedes an investigation or poses a risk.
“The bill says ‘person’, but for all practical purposes it is focused on companies—including hospitals and healthcare facilities,” says VPC Cyber Branch Director Rick Ball. The original law was signed a few years ago in light of several prominent nationwide data breaches. Now that sensitive logins, personal data such as health records, and financial information such as credit card numbers are so easily transferred around the world, HB 1351 is trying to close the gap in timing.
“Thing is, a lot of people don’t even know a breach has happened. Healthcare facilities, for instance, often don’t discover malware or ransomware has been living quietly on their computers for weeks or months before they execute their malicious code,” says Ball.
“We can help companies train for this event. A cyber attack or other data breach is a lot like an incident command system. You need to know who is going to speak to the public, who is in charge of calling law enforcement, how to secure the existing computer network, and how to convey appropriate information to staff and other stakeholders,” adds Ball.
VPC offers tabletop exercises and interactive exercises on-site at your location to train for what is increasingly an inevitable part of doing business in the twenty-first century. To get started, learn more and request cyber security training.