Indiana has become the latest state to propose more stringent privacy laws, potentially creating new compliance challenges for companies that do business in many different states.
The Indiana proposal, which will be introduced as a bill by state Senator Jim Merritt, addresses three distinct issues: data storage, security breaches, and privacy policies.
Regarding data storage, the proposal would require online operators that store personal or financial data to (1) store the data securely; (2) delete the data and not retain data beyond what is necessary for business purposes and processes; (3) share or sell data only when authorized by law or when consumers are informed in advance; and (4) inform consumers by conspicuous notice when data must be collected and how long it will be stored.
The data breach proposal would amend Indiana's Disclosure of Security Breach Act "to facilitate prompt and more informative notification to affected consumers so they can take action to protect themselves in case of a data breach." The proposal would also expand the Act to cover breaches of paper and handwritten records, as current law covers electronically generated records only.
Regarding privacy policies, if the proposal becomes law, website operators and online entities that collect personal or financial information from Indiana residents would be required to conspicuously post their privacy policies online. These policies would be required to identify what personal information the operator collects from site visitors and whether the operator shares or sells any of that information and with whom.
Indiana seems to be following in the footsteps of other states that have decided to tackle privacy issues directly, without waiting for federal legislation. As we noted in an earlier Alert, Delaware enacted a data destruction law, which takes effect January 1, 2015. This law provides that if a commercial entity seeks to dispose of records containing consumers' personal identifying information, the commercial entity must take reasonable steps to destroy or arrange for the destruction of such records by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable. One bit of good news is that the sponsor of this bill intends to introduce a new bill in 2015 that would clarify the jurisdictional scope of the law: in an interview, Rep. Stephanie Bolden said that the law is not intended to apply to companies incorporated in Delaware unless they are actually doing business with Delaware consumers.