Indiana IC 24-4.9 — how data-breach notification fits Blackbaud-style incidents
Indiana's data-breach notification law, IC 24-4.9, governs when organizations must notify Indiana residents after their personal information is exposed. The law applies broadly to “data base owners” that maintain unencrypted personal information — including names plus Social Security numbers, driver's license numbers, credit-card numbers, or financial data.
In the case of Blackbaud, the statute applies indirectly through Indiana's nonprofits and organizations that use Blackbaud as a vendor. Blackbaud itself is headquartered outside Indiana, but if an Indiana nonprofit or charity using Blackbaud suffered a breach exposing Indiana residents' data, that Indiana-based entity would be the “data base owner” responsible for triggering the IC 24-4.9 notice.
The law requires:
- Notice to affected Indiana residents without unreasonable delay, by mail, phone, fax, or email if contact information exists.
- Notification to major consumer-reporting agencies if more than 1,000 Indiana residents are affected.
While the Blackbaud corporate settlement and FTC consent agreement impose federal-level obligations, IC 24-4.9 supplements them at the state level by ensuring that Indiana residents receive timely notice and that the Indiana Attorney General can pursue enforcement if an Indiana nonprofit fails to comply. The Blackbaud breach made IC 24-4.9 highly visible to Indiana nonprofits, reminding them that third-party vendor breaches still trigger their own state-level notification duties.