New legal requirements in Indiana for reporting cybersecurity incidents
Under a new state law, political subdivisions in Indiana are required to report cybersecurity incidents to the Indiana Office of Technology.
Each political subdivision must designate a primary contact person before September 1, 2021 (and each subsequent year before September 1).
Indiana political subdivisions must understand what constitutes a cybersecurity incident and be prepared to report and respond to such incidents.
During the 2021 legislative session, the Indiana General Assembly passed HEA 1169, the Cyber Incident Reporting Act, which empowers the Indiana Office of Technology (IOT) to coordinate warning efforts and preparedness to avoid and combat cybersecurity threats.
Under the Cyber Incident Reporting Act, Indiana political subdivisions (the only entities to which the law applies) are now required to comply with cybersecurity incident reporting requirements. An incident must be reported to the IOT within 48 hours of its occurrence so that the IOT can alert other units, investigate the incident, and better prepare systems against future incidents. The law permits reporting to be delayed where prompt reporting would violate federal privacy law or disrupt an ongoing law enforcement investigation. It is important to note that this law does not modify the Indiana data breach notification law, which governs breaches of consumer personal information outside the political-subdivision context.
A cybersecurity incident occurs when a computer system is subjected to an event that jeopardizes, or may jeopardize, the functionality of the system, its integrity, or the security of information stored, transmitted, or processed by that system. Events involving a violation of a unit's acceptable use and security policies, and events that result in a risk to public health and safety, are also incidents that must be reported. The law allows for the use of best professional judgment in determining whether an event is suspicious or malicious enough to constitute a cybersecurity incident.
Political subdivisions required to report include counties, towns, villages, townships, school corporations, library districts, fire protection districts, airport and hospital authorities, tax and special service districts, building authorities, public transportation corporations, and any other political subdivision that can sue or be sued.
If the information systems operated by an Indiana political subdivision experience cybersecurity incidents such as a ransomware attack, a distributed denial-of-service attack, a hack leading to modification of a website, a compromise of an email service or email scams, or the exploitation of known or previously unknown vulnerabilities in the subdivision's information technology systems and software, those incidents should be reported to the IOT.
Additional methods of attacking IT infrastructure may be added to the state CIO's reporting requirements over time, as permitted by the law. In the event of an incident involving a political subdivision's computer systems, those potentially affected should consider checking the IOT website and consulting a lawyer about their duty to report. Reports can be made directly to the IOT.
HEA 1169 also requires each political subdivision to provide the Office of Technology with the name and contact details of a person authorized to act as its primary contact for the IOT by September 1, 2021, and by September 1 of each subsequent year.