Indiana’s New Cybersecurity and Privacy Laws – A Solution in SOC 2

Key Takeaways

  • New Laws: SEA 472 (2025) and INCDPA (2026) raise cybersecurity and privacy standards in Indiana.
  • SEA 472: Public entities must update policies, train staff, and share third-party assessment results.
  • INCDPA: Businesses must protect consumer data, ensure transparency, and honor resident rights.
  • Compliance Risk: Meeting only minimum state requirements may expose organizations to penalties.
  • SOC 2 Solution: Independent reporting strengthens compliance and builds stakeholder trust.

Senate Enrolled Act 472 (SEA 472) and the Indiana Data Consumer Privacy Act (INCDPA) are the two most recent cybersecurity and privacy laws in Indiana. These statutes significantly raise the bar on expectations of information security, specifically on the topics of data security, privacy, confidentiality, incident response, and overall cybersecurity governance for organizations operating in Indiana. The following article provides a high-level overview of these laws and the opportunity that a SOC 2 Type II Examination can offer entities exploring this new regulatory landscape.

Key Points

Senate Enrolled Act 472 [1] (SEA 472, Effective July 2025)

The act was signed into law on May 1, 2025, and takes effect July 1, 2025. It also makes the Indiana Office of Technology responsible for issuing the guidelines and regulations that govern implementation.

  • Requires all Indiana public entities (including government agencies, school districts, and public institutions) to implement technology resources and cybersecurity policies covering information security, data security, and incident response.
  • Mandates biennial updates and submission of cybersecurity policies to the Indiana Office of Technology (IOT), along with regular employee training.
  • Entities subject to third-party cybersecurity assessments must provide those results to the state, further demonstrating compliance and best practice.

Indiana Data Consumer Privacy Act [2] (INCDPA, Effective January 2026)

The act was signed into law on May 1, 2023, and takes effect January 1, 2026. It applies to a person that conducts business in Indiana, or produces products or services targeted at Indiana residents, and that during a calendar year either (a) controls or processes the personal data of at least 100,000 Indiana residents, or (b) controls or processes the personal data of at least 25,000 Indiana residents and derives over fifty percent (50%) of gross revenue from the “sale” of personal data.

  • Grants Indiana residents specific rights over their personal data, including rights to access, correct, delete, and opt out of data sales or targeted marketing.
  • Imposes requirements on organizations to implement “reasonable” technical and organizational measures for protecting the privacy, confidentiality, and security of consumer data.
  • Organizations must clearly communicate data collection and processing practices and develop robust incident response plans with defined breach notification timelines.
  • Non-compliance may result in enforcement actions by the Indiana Attorney General, making governance oversight critical.

Risk & Governance Implications

The requirements introduced by these laws increase risk exposure for non-compliance and further highlight the importance of proactive governance in cybersecurity, privacy, and incident response disciplines. Entity leadership should be aware that simply adopting minimum state requirements may not be sufficient to assure regulators or stakeholders of a robust security posture.

Why Adopt SOC 2 for Indiana Compliance?

An Industry Standard

Consider adopting SOC 2, a best-practice independent attestation report covering cybersecurity and privacy. SOC 2 provides an independent third-party attestation that the organization’s controls across security, confidentiality, incident response, and privacy exceed state mandates, which instills greater confidence across governance, regulatory, and customer stakeholders.

Monitor Compliance

SOC 2 requires demonstration of governance and oversight through internal control. Instituting regular management-level reviews of cybersecurity and privacy program effectiveness, including policy updates, employee training, third-party assessments, and incident response testing, will ensure compliance with these laws and prepare the organization for an ever-changing regulatory environment.

Stakeholder Communication

Formalized and consistent SOC 2 reporting communicates security and privacy posture effectively to regulators, customers, and the public, enhancing organizational reputation and reducing risk.

Conclusion

Indiana’s new cybersecurity laws represent a significant shift in regulatory expectations for information security, specifically on the topics of data security, privacy, confidentiality, and incident response. SOC 2 offers Indiana entities an opportunity to address these new regulatory requirements and prepare for the future: it adopts an industry-standard framework, provides an independent attestation over the design and operating effectiveness of internal controls related to security, availability, confidentiality, processing integrity, and privacy, and communicates the organization’s privacy and security posture effectively to regulators and stakeholders.

For more information on SOC 2 and related services, be sure to visit our firm’s SOC & Cybersecurity industry page, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA, CCSFP, CHQP, CCA regarding our services.

About the Author

Brian Doheny

Brian joined McKonly & Asbury in 2022 and is currently a Supervisor with the firm. He is a member of the SOC & Internal Audit Segment, auditing Service Organization clients in completion of SOC reports.