Indiana Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do

A comprehensive guide to Indiana data privacy and cybersecurity laws, including the Indiana Consumer Data Protection Act (SB 5), the Disclosure of Security Breach Act, and compliance requirements for Hoosier businesses.

Indiana has moved aggressively to modernize its data privacy and cybersecurity regulatory framework. The state has long maintained breach notification requirements under the Disclosure of Security Breach Act (Indiana Code 24-4.9), but the passage of Senate Bill 5 — the Indiana Consumer Data Protection Act — during the 2023 legislative session marked a fundamental expansion of data privacy obligations for businesses operating in the state. With the ICDPA taking effect on January 1, 2026, Indiana joins a growing cohort of states with comprehensive consumer privacy legislation that creates new rights for residents and new compliance burdens for organizations.

For businesses already navigating breach notification obligations and industry-specific regulations like HIPAA and CMMC, the ICDPA adds another compliance layer that requires deliberate planning. The history of Indiana data breaches makes clear why the legislature determined that stronger protections were necessary. This guide breaks down the key laws, their specific requirements, and actionable steps for building a compliance program that addresses Indiana's full regulatory landscape.

Indiana Data Privacy and Cybersecurity Laws

Indiana Consumer Data Protection Act (ICDPA — Senate Bill 5)

Signed into law by Governor Eric Holcomb on May 1, 2023, and effective January 1, 2026, the Indiana Consumer Data Protection Act establishes comprehensive data privacy rights for Indiana residents and imposes corresponding obligations on businesses. The ICDPA applies to entities that conduct business in Indiana or produce products or services targeted to Indiana residents, and during a calendar year either control or process personal data of at least 100,000 Indiana consumers, or control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. Key provisions include:

  • Consumer rights to access, correct, delete, and obtain a portable copy of their personal data

  • Right to opt out of the sale of personal data, targeted advertising, and profiling that produces legal or similarly significant effects

  • Mandatory privacy notices disclosing categories of personal data processed, purposes of processing, and how consumers can exercise their rights

  • Data protection assessments required for processing activities that present a heightened risk of harm, including targeted advertising, sale of personal data, and processing of sensitive data

  • A 30-day cure period — businesses receive written notice from the Attorney General and have 30 days to cure alleged violations before enforcement action proceeds

  • Enforcement exclusively by the Indiana Attorney General, with no private right of action

The ICDPA closely follows the framework established by Virginia's Consumer Data Protection Act, making it part of the 'Virginia model' of state privacy legislation. Notable features include its exemptions for data regulated under HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act, as well as an exemption for nonprofit organizations.

Disclosure of Security Breach Act (Indiana Code 24-4.9)

Indiana's breach notification law, in effect since 2006 and amended multiple times, requires any person or entity that owns or licenses computerized data containing personal information of Indiana residents to implement and maintain reasonable procedures to protect that data. When a breach occurs — defined as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information — the entity must notify affected individuals without unreasonable delay.

The law defines personal information as an individual's first name or initial and last name in combination with one or more of the following unencrypted elements: Social Security number, driver's license or state identification number, credit card or financial account number with any required security code, or any other unique identification number issued on a government document. Indiana amended IC 24-4.9 in 2014 to add the Attorney General notification requirement for breaches affecting 250 or more residents.

Indiana Insurance Data Security Act

Indiana enacted its Insurance Data Security Act based on the National Association of Insurance Commissioners (NAIC) model law. This statute applies to insurance companies, agents, and other licensed entities operating in Indiana, requiring them to develop and maintain comprehensive information security programs. Requirements include conducting risk assessments, implementing safeguards commensurate with identified risks, overseeing third-party service provider security, and establishing incident response plans. Licensed entities must notify the Indiana Department of Insurance within 72 hours of a cybersecurity event that meets specified impact thresholds.

Indiana Personal Information Protection Act Provisions

Indiana Code 24-4-14 addresses the protection of Social Security numbers specifically, prohibiting businesses and government agencies from publicly displaying Social Security numbers, printing them on mailings, or requiring their transmission in ways that create unnecessary exposure. While narrower than the broader privacy and breach statutes, this law addresses a specific and persistent vector for identity theft that has surfaced in multiple Indiana breach incidents.

Data Breach Notification Requirements in Detail

Indiana's breach notification framework under IC 24-4.9 contains several requirements that businesses must understand in operational detail.

Notification to Individuals

Affected Indiana residents must be notified without unreasonable delay. Notification may be provided by mail, telephone, fax, or email (if the entity has an existing email relationship with the individual). The notice must include a description of the incident in general terms, the type of personal information involved, and the general actions the entity has taken to protect the personal information from further breach. Indiana law also requires that the notification include contact information for the entity providing notice.

Notification to the Indiana Attorney General

If a breach affects more than 250 Indiana residents, the entity must notify the Indiana Attorney General. This notification must be provided without unreasonable delay and should include the nature of the breach, the number of Indiana residents affected, and the steps the entity has taken or plans to take in response. The AG's Consumer Protection Division maintains an online breach reporting portal.

Notification to Consumer Reporting Agencies

When a breach affects more than 1,000 Indiana residents at a single time, the entity must also notify nationwide consumer reporting agencies. This notification must describe the timing, distribution, and content of the notices sent to affected individuals.

Enforcement and Penalties

The Indiana Attorney General enforces the Disclosure of Security Breach Act under the Indiana Deceptive Consumer Sales Act (IC 24-5-0.5). This provides the AG with authority to seek injunctive relief, civil penalties, and consumer restitution. The Schneck Medical Center settlement in 2023, which imposed $250,000 in penalties and required specific security improvements, demonstrated that the AG's office is actively using this enforcement authority. Businesses should not interpret the absence of a specific per-violation penalty cap as a sign of lax enforcement.

Industry-Specific Compliance in Indiana

Indiana's economic composition means that many businesses must layer state compliance obligations on top of federal and industry-specific frameworks. The state's strength in manufacturing, life sciences, and healthcare makes the following overlapping requirements particularly common.

HIPAA — Healthcare Organizations

Indiana's healthcare sector is extensive, with major systems including IU Health (the state's largest), Community Health Network, Franciscan Health, Parkview Health, and the safety-net systems in Indianapolis and Gary. All HIPAA-covered entities and business associates must comply with the Privacy Rule, Security Rule, and Breach Notification Rule in addition to Indiana's state breach notification requirements. Because Indiana's notification standard is 'without unreasonable delay' while HIPAA allows up to 60 days, organizations must be prepared to meet whichever timeline is shorter in practice. Many healthcare organizations find that healthcare IT security partnerships help manage this dual compliance burden.

CMMC — Defense Contractors

Indiana hosts significant defense manufacturing operations, including Naval Surface Warfare Center Crane Division (NSWC Crane) in Martin County, which supports the Department of Defense across multiple mission areas. Hundreds of Indiana manufacturers serve as defense subcontractors and must achieve Cybersecurity Maturity Model Certification (CMMC) compliance. CMMC 2.0 Level 2 requires implementing all 110 controls in NIST SP 800-171 and undergoing third-party assessment. Indiana's overlap between commercial manufacturing and defense supply chains means many companies must address both commercial cybersecurity requirements and federal CUI protection standards simultaneously.

FDA — Life Sciences and Medical Devices

Indiana's life sciences corridor, centered in Indianapolis with Eli Lilly, Roche Diagnostics, Biomet, and hundreds of smaller firms, must comply with FDA regulations governing cybersecurity in medical devices and the protection of clinical trial data. The FDA's premarket cybersecurity guidance, updated in 2023, requires medical device manufacturers to include software bill of materials (SBOM), vulnerability management plans, and security architecture documentation in submissions. Companies operating in Warsaw's orthopedic device cluster — home to Zimmer Biomet, DePuy Synthes, and Biomet — must address these requirements alongside state data protection obligations.

NIST and Manufacturing Standards

Indiana manufacturers increasingly face cybersecurity requirements from customers and supply chain partners even when not directly subject to CMMC. The NIST Cybersecurity Framework (CSF) and NIST Manufacturing Extension Partnership (MEP) provide frameworks widely used in Indiana's manufacturing sector. The Indiana MEP center, Conexus Indiana, provides resources for manufacturers navigating these requirements. Firms should review manufacturing cybersecurity approaches that address the convergence of IT and OT security in factory environments.

Indiana Compliance Checklist for Businesses

The following checklist addresses core requirements across Indiana state laws and the most common federal frameworks affecting Indiana organizations:

  • Inventory all personal data you collect, process, and store — map data flows across your organization and third-party vendors, identifying where Indiana resident data resides

  • Prepare for ICDPA compliance before January 1, 2026 — assess whether your organization meets the processing thresholds, implement consumer rights request processes, and publish compliant privacy notices

  • Develop a written information security program with administrative, technical, and physical safeguards proportionate to the sensitivity and volume of data you handle

  • Establish an incident response plan that specifically addresses Indiana's 'without unreasonable delay' notification standard and AG reporting threshold of 250 affected residents

  • Conduct data protection assessments for processing activities involving targeted advertising, sale of personal data, or processing of sensitive data as required by the ICDPA

  • Review third-party vendor agreements to include data processing terms, security requirements, breach notification obligations, and audit rights — the Medicaid and MOVEit breaches demonstrate Indiana's exposure to supply chain risk

  • Implement access controls and encryption for personal information at rest and in transit, including multi-factor authentication for all remote access and privileged accounts

  • Train all employees on data handling, phishing recognition, and incident reporting procedures, with documented completion records

  • Maintain compliance documentation including risk assessments, policy versions, training records, and incident response logs for regulatory review

How Indiana Businesses Stay Compliant

Compliance in Indiana is a continuous obligation, not a one-time project. The combination of the ICDPA's new requirements, existing breach notification law, and industry-specific regulations requires ongoing attention.

Risk Assessments

Conduct formal risk assessments at least annually and whenever significant changes occur in your IT environment or business operations. Assessments should account for Indiana-specific threats — ransomware targeting healthcare providers, IP theft targeting life sciences, and OT attacks targeting manufacturers. Document findings and track remediation.

Security Awareness Training

Indiana breach history consistently shows phishing as the leading initial access vector. Effective programs include simulated phishing campaigns with measurable improvement tracking, role-specific training for finance and HR personnel who handle sensitive data, and executive training on BEC recognition. Annual checkbox training is insufficient given the pace at which phishing techniques evolve.

Incident Response Testing

Conduct tabletop exercises at least annually, simulating breach scenarios relevant to your industry. Include executive leadership, legal counsel, communications staff, and IT in exercises. Test your ability to meet Indiana's notification requirements under realistic time pressure. The Schneck settlement demonstrated that the AG evaluates the adequacy of both prevention and response.

Continuous Monitoring

Many Indiana businesses work with managed IT services providers to maintain 24/7 monitoring, log management, and compliance reporting that would be difficult to sustain internally. This is particularly relevant for mid-sized manufacturers and healthcare practices that lack dedicated security operations staff but handle data volumes that attract sophisticated attackers.

Frequently Asked Questions

When does the Indiana Consumer Data Protection Act take effect?

The ICDPA (Senate Bill 5) was signed into law on May 1, 2023, and takes effect on January 1, 2026. Businesses that meet the processing thresholds should begin preparation well before the effective date, as implementing consumer rights request processes, updating privacy notices, and conducting data protection assessments require significant lead time.

Does the ICDPA apply to small businesses?

The ICDPA applies based on data processing volume, not business size per se. It covers entities that process personal data of at least 100,000 Indiana consumers in a year, or process data of at least 25,000 consumers and derive over 50% of gross revenue from selling personal data. Small businesses that fall below these thresholds are not subject to ICDPA-specific obligations, but they remain subject to Indiana's breach notification requirements under IC 24-4.9 and any applicable federal regulations.

How does Indiana's breach notification timeline compare to other states?

Indiana uses a 'without unreasonable delay' standard rather than specifying an exact number of days. This differs from states like Florida (30 days), Texas (60 days), or Colorado (30 days) that set explicit deadlines. The flexibility of Indiana's standard does not mean organizations can delay indefinitely — the Attorney General's enforcement action against Schneck Medical Center demonstrated that unreasonable delay will be penalized. Best practice is to target notification within 30 to 45 days of confirming a breach.

What triggers the obligation to notify the Indiana Attorney General?

Under IC 24-4.9, the AG must be notified when a breach affects more than 250 Indiana residents. Notification should be provided without unreasonable delay and must include the nature of the breach, the number of affected individuals, and response measures taken. Breaches affecting more than 1,000 individuals also trigger an obligation to notify nationwide consumer reporting agencies. The AG notification is filed through the Consumer Protection Division's breach reporting portal.

Are there specific cybersecurity standards Indiana businesses must follow?

Indiana does not mandate a specific cybersecurity framework for all businesses. However, the Disclosure of Security Breach Act requires 'reasonable procedures' to protect personal data, and regulators evaluate reasonableness by reference to recognized frameworks such as NIST CSF, CIS Controls, or ISO 27001. Industry-specific requirements may mandate particular standards — HIPAA Security Rule for healthcare, CMMC for defense contractors, and FDA cybersecurity guidance for medical device manufacturers. Understanding the full Indiana cyber threat landscape helps organizations determine appropriate security investments for their specific risk profile.


Alex Morgan

Updated Apr 4, 2026 · 11 min read