Ind. Code § 24-4.9-3-1
(a) Except as provided in section 4(c), 4(d), and 4(e) of this chapter, after discovering or being notified of a breach of the security of data, the data base owner shall disclose the breach to an Indiana resident whose:
(2) encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key;
if the data base owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception (as defined in IC 35-43-5-3.5 ), identity theft, or fraud affecting the Indiana resident.
As added by P.L.125-2006, SEC.6. Amended by P.L.137-2009, SEC.4.