Introduced Version
SENATE BILL No. 459
_____
DIGEST OF INTRODUCED BILL
Citations Affected: IC 13-18.
Synopsis: Environmental matters. Provides that the environmental
rules board may adopt rules establishing requirements for the
reclamation and reuse of treated wastewater. Requires certain entities
to: (1) conduct an annual public water system cybersecurity
vulnerability assessment; (2) annually provide the office of technology
with the name and contact information of any individual who will act
as the primary reporter of a cybersecurity incident; (3) submit an
annual certification to the department of environmental management
via a secured portal verifying certain information; and (4) when an
actual or suspected cybersecurity breach occurs, report the incident to
the office of technology.
Effective: July 1, 2025.
Niemeyer
January 13, 2025, read first time and referred to Committee on Environmental Affairs.
2025 IN 459—LS 6707/DI 153 Introduced
First Regular Session of the 124th General Assembly (2025)
PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana
Constitution) is being amended, the text of the existing provision will appear in this style type,
additions will appear in this style type, and deletions will appear in this style type.
Additions: Whenever a new statutory provision is being enacted (or a new constitutional
provision adopted), the text of the new provision will appear in this style type. Also, the
word NEW will appear in that style type in the introductory clause of each SECTION that adds
a new provision to the Indiana Code or the Indiana Constitution.
Conflict reconciliation: Text in a statute in this style type or this style type reconciles conflicts
between statutes enacted by the 2024 Regular Session of the General Assembly.
SENATE BILL No. 459
A BILL FOR AN ACT to amend the Indiana Code concerning
environmental law.
Be it enacted by the General Assembly of the State of Indiana:
1 SECTION 1. IC 13-18-3-1.5 IS ADDED TO THE INDIANA CODE
2 AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY
3 1, 2025]: Sec. 1.5. (a) The board may adopt rules under IC 4-22-2
4 and IC 13-14-9 establishing standards for the reclamation and
5 reuse of treated wastewater.
6 (b) The rules adopted under subsection (a):
7 (1) must protect state waters and public health;
8 (2) may concern multiple categories of reuse; and
9 (3) may create a permitting process.
10 SECTION 2. IC 13-18-16.5 IS ADDED TO THE INDIANA CODE
11 AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE
12 JULY 1, 2025]:
13 Chapter 16.5. Public Water Cybersecurity
14 Sec. 1. (a) This chapter applies to an entity that:
15 (1) is:
16 (A) a community water system (as defined in
17 IC 13-11-2-35.5(b)) with a population of five hundred (500)
2025 IN 459—LS 6707/DI 153 2
1 or more;
2 (B) a publicly owned treatment works (as defined in
3 IC 13-11-2-177.5); or
4 (C) a semipublic facility (as defined in 327 IAC 5-1.5-59)
5 with a classification of Class III or Class IV (as described
6 in 327 IAC 5-23-3(4) and 327 IAC 5-23-3(5)); and
7 (2) utilizes:
8 (A) a computerized system to monitor and control the
9 processes of the entity's operation from a central location;
10 or
11 (B) another vulnerable monitoring or management system
12 identified by the department.
13 (b) An entity shall do the following:
14 (1) Conduct a cybersecurity vulnerability assessment at least
15 once per calendar year.
16 (2) Before September 1 of each year, provide the office of
17 technology established by IC 4-13.1-2-1 with the name and
18 contact information of any individual who will act as the
19 primary reporter of a cybersecurity incident.
20 (3) Beginning in 2026, not later than December 1 of each year,
21 submit a certification to the department via a secured portal
22 verifying that the entity:
23 (A) completed the assessment described in subdivision (1);
24 (B) mitigated or has documented plans to mitigate
25 identified vulnerabilities; and
26 (C) updated emergency response plans to account for
27 vulnerabilities and mitigating procedures.
28 (4) When an actual or reasonably suspected cybersecurity
29 breach occurs, report the cybersecurity incident to the office
30 of technology established by IC 4-13.1-2-1:
31 (A) without unreasonable delay and not later than two (2)
32 hours after discovery of the cybersecurity incident; and
33 (B) in a format prescribed by the chief information officer
34 of the office of technology.
35 (c) In conducting an assessment under subsection (b)(1), the
36 entity shall utilize an assessment tool or framework approved by
37 the department and the office of technology established by
38 IC 4-13.1-2-1.
39 (d) An assessment conducted under subsection (b)(1) is
40 confidential under IC 5-14-3-4(b)(19).
2025 IN 459—LS 6707/DI 153