Indiana Data Breach Notification Package
(Compliant with Indiana Code § 24-4.9 et seq.)
TABLE OF CONTENTS
- Instructions for Using This Template
- Letter to the Indiana Attorney General
- Letter to Affected Indiana Residents (Consumer Notice)
1. INSTRUCTIONS FOR USING THIS TEMPLATE
[// GUIDANCE:
1. Replace every bracketed [PLACEHOLDER] with the requested information.
2. Send the Attorney General (“AG”) notice on or before the 45th day after discovery of the breach unless delayed by written law-enforcement request.
3. Where the breach affects 1,000+ Indiana residents, you must also notify the nationwide Consumer Reporting Agencies (“CRAs”).
4. Retain proof of mailing/e-delivery and maintain an internal incident file.
5. This package does not cover any parallel federal or industry-specific notice duties (e.g., HIPAA, GLBA, DFARS).]
2. LETTER TO THE INDIANA ATTORNEY GENERAL
Document Header
[ORGANIZATION LETTERHEAD]
Date: [MM/DD/YYYY]
Via Certified Mail & E-Mail
Indiana Attorney General – Consumer Protection Division
302 W. Washington Street, 5th Floor
Indianapolis, IN 46204
E-Mail: [ATTORNEY GENERAL E-MAIL ADDRESS] [// GUIDANCE: Verify current address/e-mail prior to sending.]
Re: Data Breach Notification Under Indiana Code § 24-4.9
1. Identity of Data Base Owner
• Legal Name: [ORGANIZATION LEGAL NAME]
• State of Incorporation/Formation: [STATE]
• Principal Place of Business: [ADDRESS]
• NAICS/Industry: [DESCRIPTION]
2. Incident Summary
• Date(s) of Breach: [MM/DD/YYYY – MM/DD/YYYY]
• Date Breach Discovered: [MM/DD/YYYY]
• Type of Compromise (e.g., phishing, ransomware, lost device): [DESCRIPTION]
• Systems Affected: [DESCRIPTION]
• Detailed Narrative of Events:
[SUMMARY OF INCIDENT—WHO, WHAT, WHEN, HOW]
3. Scope of Impact
• Total Indiana Residents Affected: [#]
• Total Individuals (all jurisdictions): [#]
• Categories of Personal Information Exposed (per Ind. Code § 24-4.9-2-2):
☐ Social Security numbers
☐ Driver’s license / state ID numbers
☐ Financial account numbers + access codes
☐ Other: [SPECIFY]
4. Remediation & Mitigation
• Date Breach Contained: [MM/DD/YYYY]
• Technical Measures Implemented: [PATCHING, PASSWORD RESETS, MFA, ETC.]
• Third-Party Forensics Engaged: [FIRM NAME] (engaged [MM/DD/YYYY])
• Identity-Protection/Monitoring Services Offered to Residents: [YES/NO – PROVIDER]
• Law-Enforcement Notified:
Agency: [FBI / STATE POLICE / ETC.]
Case/File No.: [IF AVAILABLE]
5. Consumer Notification
• Method(s): ☐ First-Class Mail ☐ E-Mail ☐ Substitute Notice (per statute)
• Date(s) to be Sent: [MM/DD/YYYY] (no later than 45 days after discovery)
• Copy of Consumer Notice: Attached as Exhibit A
6. CRA Notification (if applicable)
☐ The breach involves 1,000 or more Indiana residents; CRA notification letters will be issued on [MM/DD/YYYY].
7. Contact for Additional Information
[NAME, TITLE]
[PHONE] | [E-MAIL]
Respectfully submitted,
__________
[AUTHORIZED SIGNATORY NAME]
[Title]
3. LETTER TO AFFECTED INDIANA RESIDENTS (CONSUMER NOTICE)
Document Header
[ORGANIZATION LETTERHEAD]
Date: [MM/DD/YYYY]
Important Security Notice
Dear [FIRST NAME LAST NAME],
1. What Happened
On [BREACH DISCOVERY DATE], we determined that an unauthorized party [brief description of incident]. Following discovery, we immediately [actions taken] and engaged independent cybersecurity experts to assist our investigation.
2. What Information Was Involved
The incident involved the following personal information relating to you:
• [LIST OF DATA ELEMENTS]
We have no evidence that your information has been misused; however, we are notifying you out of an abundance of caution and in compliance with Indiana Code § 24-4.9.
3. What We Are Doing
• We contained the incident and enhanced security controls, including [MFA/ENCRYPTION/PATCHING].
• We have offered you [12/24] months of complimentary identity-protection and credit-monitoring services through [SERVICE PROVIDER]. To enroll, please visit [URL] and use the code [ENROLLMENT CODE] by [DEADLINE].
• We filed the required notice with the Indiana Attorney General and, where applicable, the nationwide CRAs.
4. What You Can Do
- Enroll in the complimentary monitoring service.
- Remain vigilant and review account statements and credit reports.
- Consider placing a fraud alert or security freeze on your credit file:
• Equifax: 888-766-0008 | https://www.equifax.com
• Experian: 888-397-3742 | https://www.experian.com
• TransUnion: 800-680-7289 | https://www.transunion.com
- Report suspected identity theft to the Federal Trade Commission (“FTC”) at 877-ID-THEFT (877-438-4338) or www.identitytheft.gov, and to local law enforcement.
For additional guidance on identity theft prevention, you may contact the Indiana Attorney General’s Identity Theft Unit at 800-382-5516 or www.indianaconsumer.com.
5. For More Information
If you have questions, please contact our dedicated hotline at [TOLL-FREE NUMBER], Monday–Friday, 8 a.m.–8 p.m. Eastern, or e-mail us at [E-MAIL ADDRESS].
We regret any inconvenience this incident may cause and remain committed to safeguarding your information.
Sincerely,
__________
[AUTHORIZED SIGNATORY NAME]
[Title]
[Organization Name]
[Address] | [Phone] | [E-Mail]
[// GUIDANCE:
• Keep the notice clear and conspicuous—avoid marketing content.
• Use first-class mail unless the statute’s substitute-notice criteria are met.
• Retain copies of all notices and mailing proofs for at least three years.
• Coordinate with cyber-insurance counsel to ensure compliance with policy conditions and privilege protection (e.g., engaging counsel first, then forensics).]
END OF TEMPLATE