CHAPTER 14. PERSONS HOLDING A CUSTOMER'S PERSONAL INFORMATION
IC 24-4-14
Chapter 14. Persons Holding a Customer's Personal Information
IC 24-4-14-1
Applicability
Sec. 1. This chapter does not apply to the following:
(1) The executive, judicial, or legislative department of state
government or any political subdivision.
(2) A unit (as defined in IC 36-1-2-23).
(3) The office of county auditor.
(4) The office of county treasurer.
(5) The office of county recorder.
(6) The office of county surveyor.
(7) A county sheriff's department.
(8) The office of county coroner.
(9) The office of county assessor.
(10) A person who engages in the business of waste collection,
except to the extent the person holds a customer's personal
information directly in connection with the business of waste
collection.
(11) A person who maintains and complies with a disposal
program under:
(A) the federal USA Patriot Act (P.L.107-56);
(B) Executive Order 13224;
(C) the federal Driver's Privacy Protection Act (18 U.S.C.
2721 et seq.);
(D) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.);
(E) the federal Financial Modernization Act of 1999 (15
U.S.C. 6801 et seq.); or
(F) the federal Health Insurance Portability and
Accountability Act (HIPAA) (P.L.104-191);
if applicable.
As added by P.L.125-2006, SEC.5.
IC 24-4-14-2
"Customer"
Sec. 2. As used in this chapter, "customer" means a person who:
(1) has:
(A) received; or
(B) contracted for;
the direct or indirect provision of goods or services from
another person holding the person's personal information; or
(2) provides the person's personal information to another person
in connection with a transaction with a nonprofit corporation or
charitable organization.
The term includes a person who pays a commission, a consignment
fee, or another fee contingent on the completion of a transaction.
As added by P.L.125-2006, SEC.5.
IC 24-4-14-3
"Dispose of"
Sec. 3. As used in this chapter, "dispose of" means to discard or
abandon the personal information of a customer in an area accessible
to the public. The term includes placing the personal information in
a container for trash collection.
As added by P.L.125-2006, SEC.5.
IC 24-4-14-4
"Encrypted"
Sec. 4. For purposes of this chapter, personal information is
"encrypted" if the personal information:
(1) has been transformed through the use of an algorithmic
process into a form in which there is a low probability of
assigning meaning without use of a confidential process or key;
or
(2) is secured by another method that renders the personal
information unreadable or unusable.
As added by P.L.125-2006, SEC.5.
IC 24-4-14-5
"Person"
Sec. 5. As used in this chapter, "person" means an individual, a
partnership, a corporation, a limited liability company, or another
organization.
As added by P.L.125-2006, SEC.5.
IC 24-4-14-6
"Personal information"
Sec. 6. As used in this chapter, "personal information" has the
meaning set forth in IC 24-4.9-2-10. The term includes information
stored in a digital format.
As added by P.L.125-2006, SEC.5.
IC 24-4-14-7
"Redacted"
Sec. 7. (a) For purposes of this chapter, personal information is
"redacted" if the personal information has been altered or truncated
so that not more than the last four (4) digits of:
(1) a driver's license number;
(2) a state identification number; or
(3) an account number;
is accessible as part of personal information.
(b) For purposes of this chapter, personal information is
"redacted" if the personal information has been altered or truncated
so that not more than five (5) digits of a Social Security number are
accessible as part of personal information.
As added by P.L.125-2006, SEC.5.
IC 24-4-14-8
Disposal of personal information; infraction
Sec. 8. A person who disposes of the unencrypted, unredacted
personal information of a customer without shredding, incinerating,
mutilating, erasing, or otherwise rendering the information illegible
or unusable commits a Class C infraction. However, the offense is a
Class A infraction if:
(1) the person violates this section by disposing of the
unencrypted, unredacted personal information of more than one
hundred (100) customers; or
(2) the person has a prior unrelated judgment for a violation of
this section.
As added by P.L.125-2006, SEC.5.