A law which went into effect in Indiana requires companies to notify citizens when data breaches occur.
Public Law 125 excludes companies covered by federal laws, including the Patriot Act, the Federal Driver’s Protection Act, the Fair Credit Reporting Act, the Federal Financial Modernization Act, and HIPAA, meaning all companies are exempt. If the breach affects more than a half-million, or the notification process is expected to cost more than $250,000, the company in question can have a $15/hour junior webmaster post a “conspicuous notice” on their website, and they can make fifteen $0.02 calls to local media outlets – all companies will be taking this option.
But the mandate does ensure that when more than a thousand people are affected, the company must notify credit reporting agencies. No word if the cost containment measures apply to this halfway decent portion of the measure, or how long the company has to wait before they actually opt out of the law based on the federal exemption and/or make that “conspicuous” web post sans RSS feed.