On 17th January 2023, the industry regulator, the Bar Standards Board decided to hand down an order imposing a ban on a barrister preventing him from continuing to practise after evidence emerged
Indiana Data Protection Law Cut Adrift
Whilst many people will be indulging in that well deserved summer holiday in July 2022 the State of Indiana in the United States of America will be bringing into force an amendment to its data protection laws.
So What Is Changing?
The Amendment will affect data breach notification requirements in Indiana. Once it comes into force it will oblige parties to cooperate, not be obstructive and provide assistance by notifying the Attorney General of Indiana and affected persons of a breach without delay. There will also be changes made to the time limit for notifying the Attorney General and persons affected by a breach. The Indiana Attorney General or affected person must now be notified no later than 45 days following the uncovering of a breach.
The new Amendment is being introduced after the Governor of Indiana, Eric Holcomb signing off the Amendment into the data protection legislation on 18th March 2022. The State of Indiana joins numerous states such as Ohio, Wisconsin, Alabama and Maryland who have already implemented a forty-five day time-limit.
Whilst the move to cut the reporting requirements to forty-five days is a step in the right direction, it highlights the incredibly wide gulf which has emerged between the United Kingdom and European General Data Protection Regulation in the reporting obligations under these data protection regimes. Under Article 33 of the General Data Protection Regulation 2016 and section 67 of the Data Protection Act 2018 where a data breach takes place the controller of the personal data must notify the relevant regulatory body responsible for enforcing the regulations by no later than 72 hours. The timing is crucial for the purposes of Article 33. In line with the Indiana data protection laws notification to the regulatory authorities must take place without undue delay. However, where there is a divergence in the legal obligations is the requirement to notify under the General Data Protection Regulations is the time limit. Article 33 makes clear that such notification must take place ‘not later than 72 hours having become aware of it’. Similar to other areas of law this awareness is key.
Although on initially reading the legislation it appears that the Indianan laws on data protection are lagging behind in terms of the notification requirements of the regulatory authority, the new legal requirements appear to be streets ahead in relation to notifying individuals who have been affected by data protection breaches. Both Article 34 of the General Data Protection Regulations and section 68 of the Data Protection Act 2018 oblige parties acting as data controllers to communicate to the affected data subject following a breach of data protection. The legislation directs data controllers to make the relevant disclosure to the affected person in the words of both sets of legislation ‘without delay’. However, both the General Data Protection Regulations and the General Data Protection Act go no further in setting out an exact timescale for such disclosures to individual data subjects.
What Should Lawyers Be Advising Their Clients?
From 1st July 2022 when this amendment to the legislation is brought into force lawyers in the state of Indiana and those clients with a presence in the jurisdiction of Indiana will need to be advising their client that:
- they will be obliged to notify the data subject without delay
- within a reasonable period of time; and
- no later than forty- five days from the time when they became aware of the breach.
Lawyers need to be advising affected clients to take into account the new time-limits for notification in the event of a potential data breach.
#LinklaterLLP #HuntonAndrewaKurthLLP #HoganLovellsLLP #Fieldfisher #BristorsLLP #Bird&BirdLLP #Dentons #Allen&OveryLLP #BakerMcKenzie #CMS #Covington&Burling #TaylorWessing #PinsentMasons #NortonRoseFulbright #Latham&Watkins #DWF
THE ARTICLE WAS WRITTEN USING THE FOLLOWING SOURCES
 Hunton Privacy – Indiana Amends State Data Breach Notification Law – 4th November 2022 - Indiana Amends State Data Breach Notification Law | Privacy & Information Security Law Blog (huntonprivacyblog.com)
 Article 33 of the General Data Protection Regulation - Art. 33 GDPR – Notification of a personal data breach to the supervisory authority - General Data Protection Regulation (GDPR) (gdpr-info.eu)
 Article 34 of the General Data Protection Regulation - Art. 34 GDPR – Communication of a personal data breach to the data subject - General Data Protection Regulation (GDPR) (gdpr-info.eu)
 Section 67 Data Protection Act 2018 - Data Protection Act 2018 (legislation.gov.uk)
 Section 68 Data Protection Act 2018 - Data Protection Act 2018 (legislation.gov.uk)
 Sheppard Mullin Richter & Hampton LLP – Indiana Breach Notification Law Amended, Changes Effective July 1, 2022 – 5th April 2022 - Indiana Made a Minor Amendment to Data Breach Notification Law (natlawreview.com)