Indiana § 28-1-2-30.5 Keeping and handling of personal records; breach of security; disposal
of personal records; winding up of business; providing records to the
department

Indiana Statutes

§ 28-1-2-30.5 — Keeping and handling of personal records; breach of security; disposal of personal records; winding up of business; providing records to the department

Indiana § 28-1-2-30.5

Art. 1DEPARTMENT OF FINANCIAL INSTITUTIONS

Ch. 2Powers and Duties of the Department

This text of Indiana § 28-1-2-30.5 (Keeping and handling of personal records; breach of security; disposal of personal records; winding up of business; providing records to the department) is published on Counsel Stack Legal Research, covering Indiana primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook

Ind. Code § 28-1-2-30.5 (2026).

Text

5.

(a)This section applies to the following:

(1)Any:

(A)financial institution;

(B)person required to file notification with the department under IC 24-4.5-6-202;

(C)person subject to IC 24-7; or

(D)other person subject to regulation by the department.

(2)Any person licensed or required to be licensed under IC 24-4.4 or IC 24-4.5.

(b)As used in this section, "customer", with respect to a person described in subsection (a), means an individual consumer, or the individual's legal representative, who obtains or has obtained from the person a financial:

(1)product; or

(2)service; that is to be used primarily for personal, family, or household purposes. The term does not include an affiliate of the person.

(c)As used in this section, "personal information" includes any of the followin

Free access — add to your briefcase to read the full text and ask questions with AI

5. (a) This section applies to the following:
(1) Any:
(A) financial institution;
(B) person required to file notification with the department
under IC 24-4.5-6-202;
(C) person subject to IC 24-7; or
(D) other person subject to regulation by the department.
(2) Any person licensed or required to be licensed under IC 24-4.4 or IC 24-4.5.
(b) As used in this section, "customer", with respect to a person
described in subsection (a), means an individual consumer, or the
individual's legal representative, who obtains or has obtained from the
person a financial:
(1) product; or
(2) service;
that is to be used primarily for personal, family, or household purposes.
The term does not include an affiliate of the person.
(c) As used in this section, "personal information" includes any of
the following:
(1) An individual's first and last names or first initial and last
name.
(2) Any of the following data elements:
(A) A Social Security number.
(B) A driver's license number.
(C) A state identification card number.
(D) A credit card number.
(E) A financial account number or debit card number.
(3) With respect to an individual, any of the following:
(A) Address.
(B) Telephone number.
(C) Information concerning the individual's:
(i) income or other compensation;
(ii) credit history;
(iii) credit score;
(iv) assets;
(v) liabilities; or
(vi) employment history.
(d) As used in this section, personal information is "encrypted" if
the personal information:
(1) has been transformed through the use of an algorithmic
process into a form in which there is a low probability of
assigning meaning without use of a confidential process or key;
or
(2) is secured by another method that renders the personal
information unreadable or unusable.
(e) As used in this section, personal information is "redacted" if the
personal information has been altered or truncated so that not more
than the last four (4) digits of:
(1) a Social Security number;
(2) a driver's license number;
(3) a state identification number; or
(4) an account number;
are accessible as part of the personal information.
(f) As used in this section, "personal records" means any records
that:
(1) are maintained, whether as a paper record or in an electronic
or a computerized form, by a person to whom this section applies;
and
(2) contain the unencrypted, unredacted personal information of
one (1) or more customers or potential customers.
(g) A person to whom this section applies shall keep and handle
personal records in a manner that:
(1) reasonably safeguards the personal records from destruction,
theft, or other loss; and
(2) protects the personal records from misuse.
(h) If a breach of the security of any personal records occurs, the
person maintaining the records is subject to the disclosure requirements
under IC 24-4.9-3, unless the person is exempt from the disclosure
requirements under IC 24-4.9-3-4.
(i) A person to whom this section applies may not dispose of
personal records without first:
(1) shredding, incinerating, or mutilating the personal records; or
(2) erasing or otherwise rendering illegible or unusable the
personal information contained in the records.
(j) If a person to whom this section applies ceases doing business,
the person shall, as part of the winding up of the business, safeguard
any personal records maintained by the person in accordance with this
section until such time as the person is entitled or required to destroy
the records under:
(1) applicable law; or
(2) the person's own records maintenance policies.
(k) A person to whom this section applies shall provide at the
person's cost any records that the director considers relevant or material
to an examination, investigation, or other matter under consideration
by the department.