Sec. 9. (a) This section does not apply to an entity subject to IC 13-18-16.5 . (b) A state agency (as defined in IC 4-1-10-2 ) other than a state educational institution, and a political subdivision (as defined in IC 36-1-2-13 ), other than a political subdivision established under IC 8-1-11.1 , shall: (1) report any cybersecurity incident using their best professional judgment to the office without unreasonable delay and not later than two (2) business days after discovery of the cybersecurity incident in a format prescribed by the chief information officer; and (2) provide the office with the name and contact information of any individual who will act as the primary reporter of a cybersecurity incident described in subdivision (1) before September 1, 2021, and before September 1 of every year thereafter. Nothing in this section shall be construed to require reporting that conflicts with federal privacy laws or is prohibited due to an ongoing law enforcement investigation.
‹ Prev All Indiana sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.