On May 1, 2025, Governor Mike Braun signed into law Senate Enrolled Act 472 (SEA 472). It requires public entities to adopt specific policies regarding technology resource use and cybersecurity and to meet certain compliance requirements. The change in law also imposes new responsibilities on the Indiana Office of Technology (IOT) to create guidelines and regulations for public entities to implement. It is mandatory for public entities to maintain their compliance with the IOT’s guidance. SEA 472 is effective as of July 1, 2025, but public entities have until 2028 to implement the policies.
Who Is Impacted by the Change in Law?
The change in law affects public entities, including:
- Political subdivisions
- State agencies
- School corporations
- State educational institutions
The law does not apply to the department of public utilities of a consolidated city (e.g., Indianapolis) and certain acute care hospitals licensed under Indiana Code (I.C.) 16-21.
Public entities must implement two separate policies by December 31st, 2027:
- A uniform technology resource use policy; and
- A cybersecurity policy.
All public entities must implement a mandatory training program for employees, covering both policies. However, different types of public entities have different requirements for policy implementation.
Uniform Technology Resource Use Policy
SEA 472 requires public entities, excluding school corporations, to implement policies that govern the use of technology resources by their employees. School corporations must implement the uniform technology resources policy developed by the Indiana Department of Education and IOT, in lieu of their own policy. Public entities shall submit their uniform technology resource use policy to IOT, under procedures to be adopted by IOT, by December 31st beginning in 2027.
A policy governing the use of technology resources must at least prohibit employees of public entities from using technology resources to participate in lobbying not pertaining to job duties, engage in illegal activity, or violate the public entity’s cybersecurity policy. The policy must also include a description of the disciplinary procedures that would result from a violation of the policy.
Cybersecurity Policies
State agencies, political subdivisions, and state educational institutions must adopt their own cybersecurity policy based on IOT’s regulations and guidelines. School corporations must adopt the uniform cybersecurity policy developed by the Indiana Department of Education and IOT. Public entities shall submit their cybersecurity policy to IOT, under procedures to be adopted by IOT, by December 31st of each odd-numbered year beginning in 2027. A public entity may use a third party to assess their cybersecurity policy but shall provide the results of the assessment to IOT.
While not a new requirement, state educational institutions and political subdivisions, not including departments of public utilities of a consolidated city, must report the following to IOT:
- Cybersecurity incidents without unreasonable delay and not later than two business days after discovery of the incident; and
- The contact information of the primary reporter of the cybersecurity incident by September 1st, following the incident.
What to Do Now?
While waiting for IOT’s forthcoming guidance, you can begin thinking about the policies you may currently have in place, begin conversations with any IT vendors who work with your unit of government, and contact your attorney to ensure all legal aspects are covered. For more information on these new requirements under SEA 472, please contact the authors or any attorney with Frost Brown Todd’s Government Services Practice Group.
*Note: Kaitlyn Ross, a second-year law student at Maurer School of Law, contributed to this article while working as a summer associate at Frost Brown Todd.