Bill Summary – FastDemocracy

Requires political subdivisions, state agencies, school corporations, and state educational institutions (public entities), with the exception of specified categories of hospitals, to adopt not later than December 31, 2027, a: (1) technology resources policy; and (2) cybersecurity policy; that meet specified requirements. Requires the office of technology (office) to develop: (1) standards and guidelines regarding cybersecurity for use by political subdivisions and state educational institutions; and (2) a uniform cybersecurity policy for use by state agencies. Requires the office to develop, in collaboration with the department of education: (1) a uniform technology resources policy governing use of technology resources by the employees of school corporations; and (2) a uniform cybersecurity policy for use by school corporations. Requires: (1) a public entity to biennially submit to the office the cybersecurity policy adopted by the public entity; and (2) the office to establish a procedure for collecting and maintaining a record of submitted cybersecurity policies. Requires a public entity that engages a third party to conduct an assessment of the public entity's cybersecurity policy to provide the results of the assessment to the office. Establishes: (1) the cybersecurity insurance program (program) for the purpose of providing coverage to a participating government entity for losses incurred by the government entity as a result of a cybersecurity incident; and (2) the cybersecurity insurance board (board) to administer the program. Provides that coverage for losses incurred by a participating government entity as a result of a cybersecurity incident are paid under the program from premiums paid into a trust fund by participating government entities. Specifies that claims from the fund shall not be paid until the balance in the fund reaches $10,000,000. Provides that the board shall contract with cybersecurity professionals who can be dispatched by the board to assist a participating government entity in the event of a cybersecurity incident. Provides that fines recovered by the attorney general for any of the following violations are deposited in the trust fund: (1) Failure of an adult oriented website to implement or properly use a reasonable age verification method. (2) Failure of a data base owner to safeguard personal information of Indiana residents. (3) Failure of a data base owner to disclose or provide notice of a security breach. (4) Violation of consumer data protection law. Makes an appropriation.
Statutes affected: 
Introduced Senate Bill (S): 4-13.1-4-5, 4-13.1-4-6, 24-4-23-15, 24-4.9-3-3.5, 24-4.9-4-2, 24-15-10-2
Senate Bill (S): 4-13.1-4-2, 4-13.1-4-5, 4-13.1-4-6, 24-4-23-15, 24-4.9-3-3.5, 24-4.9-4-2, 24-15-10-2
Engrossed Senate Bill (S): 4-13.1-4-2, 4-13.1-4-5, 4-13.1-4-6, 24-4-23-15, 24-4.9-3-3.5, 24-4.9-4-2, 24-15-10-2