*ES0459.1*
April 3, 2025
ENGROSSED
SENATE BILL No. 459
_____
DIGEST OF SB 459 (Updated April 3, 2025 1:04 pm - DI 150)
Citations Affected: IC 4-13.1; IC 13-18.
Synopsis: Environmental matters. Provides that the environmental
rules board may adopt rules establishing requirements for the
reclamation and reuse of treated wastewater. Requires certain entities
to: (1) conduct an annual public water system cybersecurity
vulnerability assessment; (2) annually provide the office of technology
with the name and contact information of any individual who will act
as the primary reporter of a cybersecurity incident; (3) submit an
annual certification to the department of environmental management
via a secured portal verifying certain information; and (4) when an
actual or suspected cybersecurity breach occurs, report the incident to
the office of technology.
Effective: July 1, 2025.
Niemeyer, Busch, Zay,
Randolph Lonnie M
(HOUSE SPONSORS — BAIRD, ERRINGTON, PIERCE K)
January 13, 2025, read first time and referred to Committee on Environmental Affairs.
February 4, 2025, amended, reported favorably — Do Pass.
February 6, 2025, read second time, ordered engrossed. Engrossed.
February 11, 2025, read third time, passed. Yeas 48, nays 0.
HOUSE ACTION
March 3, 2025, read first time and referred to Committee on Environmental Affairs.
April 3, 2025, amended, reported — Do Pass.
ES 459—LS 6707/DI 153 April 3, 2025
First Regular Session of the 124th General Assembly (2025)
PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana
Constitution) is being amended, the text of the existing provision will appear in this style type,
additions will appear in this style type, and deletions will appear in this style type.
Additions: Whenever a new statutory provision is being enacted (or a new constitutional
provision adopted), the text of the new provision will appear in this style type. Also, the
word NEW will appear in that style type in the introductory clause of each SECTION that adds
a new provision to the Indiana Code or the Indiana Constitution.
Conflict reconciliation: Text in a statute in this style type or this style type reconciles conflicts
between statutes enacted by the 2024 Regular Session of the General Assembly.
ENGROSSED
SENATE BILL No. 459
A BILL FOR AN ACT to amend the Indiana Code concerning
environmental law.
Be it enacted by the General Assembly of the State of Indiana:
1 SECTION 1. IC 4-13.1-2-9, AS AMENDED BY P.L.137-2021,
2 SECTION 18, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
3 JULY 1, 2025]: Sec. 9. (a) This section does not apply to an entity
4 subject to IC 13-18-16.5.
5 (b) A state agency (as defined in IC 4-1-10-2), other than state
6 educational institutions, and a political subdivision (as defined in
7 IC 36-1-2-13) shall:
8 (1) report any cybersecurity incident using their best professional
9 judgment to the office without unreasonable delay and not later
10 than two (2) business days after discovery of the cybersecurity
11 incident in a format prescribed by the chief information officer;
12 and
13 (2) provide the office with the name and contact information of
14 any individual who will act as the primary reporter of a
15 cybersecurity incident described in subdivision (1) before
16 September 1, 2021, and before September 1 of every year
17 thereafter.
ES 459—LS 6707/DI 153 2
1 Nothing in this section shall be construed to require reporting that
2 conflicts with federal privacy laws or is prohibited due to an ongoing
3 law enforcement investigation.
4 SECTION 2. IC 13-18-3-1.5 IS ADDED TO THE INDIANA CODE
5 AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY
6 1, 2025]: Sec. 1.5. (a) The board may adopt rules under IC 4-22-2
7 and IC 13-14-9 establishing standards for the reclamation and
8 reuse of treated wastewater.
9 (b) The rules adopted under subsection (a):
10 (1) must protect state waters and public health;
11 (2) may concern multiple categories of reuse; and
12 (3) may create a permitting process.
13 SECTION 3. IC 13-18-16.5 IS ADDED TO THE INDIANA CODE
14 AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE
15 JULY 1, 2025]:
16 Chapter 16.5. Public Water and Wastewater Cybersecurity
17 Sec. 1. (a) This chapter applies to an entity that:
18 (1) is:
19 (A) a community water system (as defined in
20 IC 13-11-2-35.5(b)) with a population of five hundred (500)
21 or more;
22 (B) a publicly owned treatment works (as defined in
23 IC 13-11-2-177.5); or
24 (C) a semipublic facility (as defined in 327 IAC 5-1.5-59)
25 with a classification of Class III or Class IV (as described
26 in 327 IAC 5-23-3(4) and 327 IAC 5-23-3(5)); and
27 (2) utilizes:
28 (A) a computerized system to monitor and control the
29 processes of the entity's operation from a central location;
30 or
31 (B) another vulnerable monitoring or management system
32 identified by the department.
33 (b) An entity shall do the following:
34 (1) Conduct a cybersecurity vulnerability assessment at least
35 once per calendar year.
36 (2) Before September 1 of each year, provide the office of
37 technology established by IC 4-13.1-2-1 with the name and
38 contact information of any individual who will act as the
39 primary reporter of a cybersecurity incident.
40 (3) Beginning in 2026, not later than December 31 of each
41 even-numbered year, submit a certification to the department
42 via a secured portal verifying that the entity:
ES 459—LS 6707/DI 153 3
1 (A) completed the assessment described in subdivision (1);
2 (B) mitigated or has documented plans to mitigate
3 identified vulnerabilities; and
4 (C) updated emergency response plans to account for
5 vulnerabilities and mitigating procedures.
6 (4) When an actual or reasonably suspected cybersecurity
7 breach occurs, report the cybersecurity incident to the office
8 of technology established by IC 4-13.1-2-1:
9 (A) either:
10 (i) not later than twenty-four (24) hours after discovery
11 of the cybersecurity incident, if the cybersecurity
12 incident impacts the operations of the entity; or
13 (ii) not later than two (2) business days after discovery of
14 the cybersecurity incident, if the cybersecurity incident
15 does not impact the operations of the entity; and
16 (B) in a format prescribed by the chief information officer
17 of the office of technology.
18 (c) In conducting an assessment under subsection (b)(1), the
19 entity shall utilize an assessment tool or framework approved by
20 the department and the office of technology established by
21 IC 4-13.1-2-1.
22 (d) An assessment conducted under subsection (b)(1) is
23 confidential under IC 5-14-3-4(b)(19).
ES 459—LS 6707/DI 153 4
COMMITTEE REPORT
Mr. President: The Senate Committee on Environmental Affairs, to
which was referred Senate Bill No. 459, has had the same under
consideration and begs leave to report the same back to the Senate with
the recommendation that said bill be AMENDED as follows:
Page 2, delete lines 31 through 32, begin a new line double block
indented and insert:
"(A) either:
(i) not later than twenty-four (24) hours after discovery
of the cybersecurity incident, if the cybersecurity
incident impacts the operations of the entity; or
(ii) not later than seventy-two (72) hours after discovery
of the cybersecurity incident, if the cybersecurity
incident does not impact the operations of the entity;
and".
and when so amended that said bill do pass.
(Reference is to SB 459 as introduced.)
NIEMEYER, Chairperson
Committee Vote: Yeas 9, Nays 0.
_____
COMMITTEE REPORT
Mr. Speaker: Your Committee on Environmental Affairs, to which
was referred Senate Bill 459, has had the same under consideration and
begs leave to report the same back to the House with the
recommendation that said bill be amended as follows:
Page 1, between the enacting clause and line 1, begin a new
paragraph and insert:
"SECTION 1. IC 4-13.1-2-9, AS AMENDED BY P.L.137-2021,
SECTION 18, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2025]: Sec. 9. (a) This section does not apply to an entity
subject to IC 13-18-16.5.
(b) A state agency (as defined in IC 4-1-10-2), other than state
educational institutions, and a political subdivision (as defined in
IC 36-1-2-13) shall:
(1) report any cybersecurity incident using their best professional
judgment to the office without unreasonable delay and not later
ES 459—LS 6707/DI 153 5
than two (2) business days after discovery of the cybersecurity
incident in a format prescribed by the chief information officer;
and
(2) provide the office with the name and contact information of
any individual who will act as the primary reporter of a
cybersecurity incident described in subdivision (1) before
September 1, 2021, and before September 1 of every year
thereafter.
Nothing in this section shall be construed to require reporting that
conflicts with federal privacy laws or is prohibited due to an ongoing
law enforcement investigation.".
Page 1, line 13, after "Water" insert "and Wastewater".
Page 2, line 20, delete "1 of each" and insert "31 of each
even-numbered".
Page 2, line 35, delete "seventy-two (72) hours" and insert "two (2)
business days".
Renumber all SECTIONS consecutively.
and when so amended that said bill do pass.
(Reference is to SB 459 as printed February 5, 2025.)
BAIRD
Committee Vote: yeas 13, nays 0.
ES 459—LS 6707/DI 153