Navigating Indiana's Digital Frontier: A Comprehensive Guide to Consumer Data Protection and Cybersecurity Compliance


In an increasingly digital economy, safeguarding consumer data and maintaining robust cybersecurity are paramount for businesses. Indiana has taken a significant step in this direction with the Indiana Consumer Data Protection Act (ICDPA), also known as Senate Bill 5 (SB5). This law, signed in May 2023, is scheduled to take effect on January 1, 2026, aiming to empower individuals with control over their personal data and mandate transparency in how data controllers handle it. Understanding and adhering to the ICDPA, alongside general cybersecurity best practices and state initiatives, is crucial for businesses operating in or targeting Indiana residents.

The Indiana Consumer Data Protection Act (ICDPA): Key Provisions

Purpose and Scope

The ICDPA's primary goal is to promote data transparency and protect consumers' personal data, granting them rights and providing accessible methods to exercise them. Similar to other U.S. privacy laws, it requires data controllers (businesses) to issue privacy notices, respond promptly to consumer requests, and limit the collection and use of personal data.

Applicability to Businesses

The ICDPA applies to for-profit businesses that operate in Indiana, or that operate outside Indiana but target Indiana residents. To fall under the law's purview, these businesses must meet one of two annual thresholds:

  1. Control or process the personal data of 100,000 or more consumers.
  2. Control or process the personal data of 25,000 or more consumers and derive 50% or more of their annual gross revenue from the sale of personal data.

A "consumer" is defined as an Indiana resident acting in a personal, family, or household context, excluding those acting in an employment or commercial capacity.

Exemptions

Certain entities and types of data are exempt from the ICDPA. These include:

  • State government and its agencies.
  • Third parties acting on behalf of state entities under contract.
  • Entities subject to the Gramm-Leach-Bliley Act (financial institutions) and HIPAA (healthcare entities).
  • Non-profit organizations, higher education institutions, and public utilities or their affiliates.
  • Data such as protected health information under HIPAA, information used to protect data subjects or for research or patient-identification purposes, and personal data covered by laws such as the Fair Credit Reporting Act and the Driver's Privacy Protection Act.

Definitions of Data

The ICDPA distinguishes between two critical categories of data:

  • Personal data: Any information linked or reasonably linkable to an identified or identifiable individual. This encompasses contact details, email addresses, residence addresses, and online identifiers like cookies and IP addresses. It explicitly excludes de-identified, publicly available, and aggregate data.
  • Sensitive data: Personal data that, if compromised, is likely to cause severe harm or damage. This includes:
    • Racial or ethnic origin.
    • Religious beliefs.
    • Mental or physical health diagnosis.
    • Sexual orientation.
    • Citizenship or immigration status.
    • Genetic or biometric data used for identification.
    • Personal data collected from children under 13 years of age.
    • Precise geolocation data.

Duties of Businesses (Data Controllers) Under ICDPA

Businesses covered by the ICDPA have several key obligations to ensure that personal data is handled in a way that minimizes privacy risk:

  • Data Minimization: Businesses must limit the collection of personal data to what is reasonably necessary and relevant for the specific purpose of use.
  • Purpose Limitation: The use of personal data must be restricted to the purpose for which it was originally collected; additional consent is required for any other uses.
  • Security Safeguards: Implement well-planned technical, administrative, and physical security practices that are proportional to the data collected and maintained. These measures should be meticulously crafted rather than nominal.
  • Non-Discrimination: Businesses are prohibited from discriminating against consumers who exercise their rights, for example, by increasing prices or reducing the quality of services, unless the difference relates to participation in a loyalty program.
  • Consent: Obtain affirmative consent before processing sensitive data. For data collected from children under 13, verifiable parental consent is required, aligning with COPPA regulations.
  • Contractual Relationship: Establish contracts with data processors and third parties that clearly outline rights, obligations, data types processed, and the nature of processing to prevent irresponsible handling and mitigate legal repercussions.
  • Response Plan: Respond to consumer requests within a maximum of 45 days, with a possible 45-day extension. Appeals must be decided within 60 days, with denial notifications provided within this period.
  • Opt-Out Mechanisms: Provide convenient methods for consumers to opt out of targeted advertising, the sale of personal data, and profiling.
  • Data Protection Impact Assessment: Regularly conduct and document impact assessments for high-risk activities, including targeted advertising, the sale of personal data, profiling, and sensitive data processing. These assessments must remain confidential.
  • Privacy Notice: Deliver clear, understandable, and accessible privacy notices to consumers. These notices must detail the categories of personal data collected and shared, purposes of use, methods for exercising consumer rights and appeals, and opt-out options.

Consumer Rights Under ICDPA

The ICDPA grants Indiana consumers several crucial rights regarding their personal data:

  • Right to Confirm and Access: Consumers can confirm if their personal data is being processed and access it upon request.
  • Right to Correct: Consumers have the right to correct inaccuracies in their personal data held by businesses.
  • Right to Delete: Consumers can request the deletion of their personal data collected and maintained by businesses, regardless of its source.
  • Right to Obtain: Consumers are entitled to receive a copy or summary of their personal data in a portable and readable format, once a year.
  • Right to Opt-Out: Consumers can opt out of the sale of their personal data or its use for targeted advertising or profiling.

Enforcement and Penalties

The ICDPA's enforcement is exclusive to the Attorney General of Indiana. Violations can lead to an injunction and a civil penalty of up to $7,500 per violation. A unique feature is a 30-day cure period, during which businesses can resolve violations and notify the enforcement agency to avoid litigation and fines, a provision that is currently permanent. Unlike some other state laws (e.g., CCPA), the ICDPA does not provide a private right of action.

It is also important to note that while the ICDPA does not have specific breach notification provisions, businesses in Indiana are subject to the state's breach notification law. This law mandates prompt notification of affected consumers and the Attorney General in the event of a breach, with non-compliance potentially incurring penalties of up to $150,000 per deceptive act.

Broader Cybersecurity Landscape and State Initiatives in Indiana

Beyond the ICDPA, Indiana actively fosters a robust cybersecurity environment, which indirectly supports data privacy compliance. Cyberattacks are a widespread challenge across all sectors in Indiana, with phishing and ransomware being particularly prevalent. Manufacturing, in particular, faces heightened risks due to its reliance on interconnected digital technologies (Industry 4.0) and supply chain vulnerabilities. Intellectual property theft is a significant motivator for cyberattacks in manufacturing.

The State of Indiana, through various initiatives, aims to strengthen its cybersecurity posture:

  • Indiana Executive Council on Cybersecurity (IECC): This council collaborates across public and private sectors, military, research, and academia to enhance Indiana's cybersecurity. It has developed strategic plans and reports highlighting the importance of cybersecurity and collaboration.
  • Indiana Cybersecurity Hub: An online resource offering information and tools, including best practices for local government and K-12.
  • CyberTrack Program: Developed by IU’s Center for Applied Cybersecurity Research, Purdue cyberTAP, and the Indiana Office of Technology, this program defines "reasonable cybersecurity" for local governments and critical infrastructure providers, including a prioritized list of CIS Safeguards.
  • Indiana Economic Development Corporation (IEDC): Provides no-cost trainings, assessments, and one-on-one assistance to small businesses for cyber threat protection, along with free cybersecurity guides and toolkits through the Indiana Small Business Development Center.
  • Purdue University Northwest's Center for Cybersecurity: Emphasizes the need for basic awareness of cyber threats among small business owners and offers undergraduate and graduate certificates and programs in cybersecurity. The university is also a National Center of Academic Excellence in Cyber Defense.
  • Cyber Shield: Indiana participates in this Department of Defense cyber exercise, which involves international partners and civilian cyber professionals, focusing on protecting critical infrastructure from cyberattacks.
  • Senate Bill 472 (2025): This bill aims to improve cybersecurity for Indiana public entities by mandating uniform technology policies and establishing a cybersecurity insurance program to cover cyber incidents.
  • Cyber Risk Insurance: Indiana policymakers are actively exploring ways to enhance accessibility to cyber risk insurance for small and medium-sized businesses, potentially through state-sponsored risk pools or subsidies. They are also working with insurers to standardize required security measures like multi-factor authentication and regular patching. A survey showed that 67% of organizations with cyber risk insurance are required to implement certain security measures, with employee training/cyber hygiene and automatic patching being most common, and multi-factor authentication often mandated.
  • Employee Training and Awareness: The human element remains a major cybersecurity vulnerability. Phishing and social engineering attempts can lead to process control manipulation. Consequently, there is a strong emphasis on continuous employee training and cyber hygiene. Educating leadership is vital for securing budget, enforcing policy, and integrating security into the organization's culture.
  • Incident Response: Having a robust incident response plan is critical. Studies show that companies often struggle to realize they have been breached, with an average time to identify a breach of 194 days. Panic after an attack can lead to poor decisions, and transparency is key to mitigating reputational damage. Businesses should lean into their incident response plan, communicate openly, and explain consequences transparently.

Conclusion

The Indiana Consumer Data Protection Act represents a significant step forward in protecting user data in the state, effective January 1, 2026. Businesses must proactively assess their data handling practices, ensure compliance with the ICDPA's strict duties, and be prepared to honor consumer rights. Beyond legal mandates, embracing a strong cybersecurity posture—supported by state initiatives, continuous employee training, and resilient systems—is not merely a matter of compliance but a fundamental necessity for operational continuity, protection of intellectual property, and maintaining customer trust in an increasingly interconnected and threat-filled digital world. Collaboration between IT and OT departments and specific OT cybersecurity programs are essential for comprehensive security.

By Compliance Hub