IN
Indiana Senate Bill SB0459

Indiana 2025 Regular Session

Indiana Senate Bill SB0459 Compare Versions

OldNewDifferences
1+*ES0459.1*
2+April 3, 2025
3+ENGROSSED
4+SENATE BILL No. 459
5+_____
6+DIGEST OF SB 459 (Updated April 3, 2025 1:04 pm - DI 150)
7+Citations Affected: IC 4-13.1; IC 13-18.
8+Synopsis: Environmental matters. Provides that the environmental
9+rules board may adopt rules establishing requirements for the
10+reclamation and reuse of treated wastewater. Requires certain entities
11+to: (1) conduct an annual public water system cybersecurity
12+vulnerability assessment; (2) annually provide the office of technology
13+with the name and contact information of any individual who will act
14+as the primary reporter of a cybersecurity incident; (3) submit an
15+annual certification to the department of environmental management
16+via a secured portal verifying certain information; and (4) when an
17+actual or suspected cybersecurity breach occurs, report the incident to
18+the office of technology.
19+Effective: July 1, 2025.
20+Niemeyer, Busch, Zay,
21+Randolph Lonnie M
22+(HOUSE SPONSORS — BAIRD, ERRINGTON, PIERCE K)
23+January 13, 2025, read first time and referred to Committee on Environmental Affairs.
24+February 4, 2025, amended, reported favorably — Do Pass.
25+February 6, 2025, read second time, ordered engrossed. Engrossed.
26+February 11, 2025, read third time, passed. Yeas 48, nays 0.
27+HOUSE ACTION
28+March 3, 2025, read first time and referred to Committee on Environmental Affairs.
29+April 3, 2025, amended, reported — Do Pass.
30+ES 459—LS 6707/DI 153 April 3, 2025
131 First Regular Session of the 124th General Assembly (2025)
232 PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana
333 Constitution) is being amended, the text of the existing provision will appear in this style type,
434 additions will appear in this style type, and deletions will appear in this style type.
535 Additions: Whenever a new statutory provision is being enacted (or a new constitutional
636 provision adopted), the text of the new provision will appear in this style type. Also, the
737 word NEW will appear in that style type in the introductory clause of each SECTION that adds
838 a new provision to the Indiana Code or the Indiana Constitution.
939 Conflict reconciliation: Text in a statute in this style type or this style type reconciles conflicts
1040 between statutes enacted by the 2024 Regular Session of the General Assembly.
11-SENATE ENROLLED ACT No. 459
12-AN ACT to amend the Indiana Code concerning environmental law.
41+ENGROSSED
42+SENATE BILL No. 459
43+A BILL FOR AN ACT to amend the Indiana Code concerning
44+environmental law.
1345 Be it enacted by the General Assembly of the State of Indiana:
14-SECTION 1. IC 4-13.1-2-9, AS AMENDED BY P.L.137-2021,
46+1 SECTION 1. IC 4-13.1-2-9, AS AMENDED BY P.L.137-2021,
47+2 SECTION 18, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
48+3 JULY 1, 2025]: Sec. 9. (a) This section does not apply to an entity
49+4 subject to IC 13-18-16.5.
50+5 (b) A state agency (as defined in IC 4-1-10-2), other than state
51+6 educational institutions, and a political subdivision (as defined in
52+7 IC 36-1-2-13) shall:
53+8 (1) report any cybersecurity incident using their best professional
54+9 judgment to the office without unreasonable delay and not later
55+10 than two (2) business days after discovery of the cybersecurity
56+11 incident in a format prescribed by the chief information officer;
57+12 and
58+13 (2) provide the office with the name and contact information of
59+14 any individual who will act as the primary reporter of a
60+15 cybersecurity incident described in subdivision (1) before
61+16 September 1, 2021, and before September 1 of every year
62+17 thereafter.
63+ES 459—LS 6707/DI 153 2
64+1 Nothing in this section shall be construed to require reporting that
65+2 conflicts with federal privacy laws or is prohibited due to an ongoing
66+3 law enforcement investigation.
67+4 SECTION 2. IC 13-18-3-1.5 IS ADDED TO THE INDIANA CODE
68+5 AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY
69+6 1, 2025]: Sec. 1.5. (a) The board may adopt rules under IC 4-22-2
70+7 and IC 13-14-9 establishing standards for the reclamation and
71+8 reuse of treated wastewater.
72+9 (b) The rules adopted under subsection (a):
73+10 (1) must protect state waters and public health;
74+11 (2) may concern multiple categories of reuse; and
75+12 (3) may create a permitting process.
76+13 SECTION 3. IC 13-18-16.5 IS ADDED TO THE INDIANA CODE
77+14 AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE
78+15 JULY 1, 2025]:
79+16 Chapter 16.5. Public Water and Wastewater Cybersecurity
80+17 Sec. 1. (a) This chapter applies to an entity that:
81+18 (1) is:
82+19 (A) a community water system (as defined in
83+20 IC 13-11-2-35.5(b)) with a population of five hundred (500)
84+21 or more;
85+22 (B) a publicly owned treatment works (as defined in
86+23 IC 13-11-2-177.5); or
87+24 (C) a semipublic facility (as defined in 327 IAC 5-1.5-59)
88+25 with a classification of Class III or Class IV (as described
89+26 in 327 IAC 5-23-3(4) and 327 IAC 5-23-3(5)); and
90+27 (2) utilizes:
91+28 (A) a computerized system to monitor and control the
92+29 processes of the entity's operation from a central location;
93+30 or
94+31 (B) another vulnerable monitoring or management system
95+32 identified by the department.
96+33 (b) An entity shall do the following:
97+34 (1) Conduct a cybersecurity vulnerability assessment at least
98+35 once per calendar year.
99+36 (2) Before September 1 of each year, provide the office of
100+37 technology established by IC 4-13.1-2-1 with the name and
101+38 contact information of any individual who will act as the
102+39 primary reporter of a cybersecurity incident.
103+40 (3) Beginning in 2026, not later than December 31 of each
104+41 even-numbered year, submit a certification to the department
105+42 via a secured portal verifying that the entity:
106+ES 459—LS 6707/DI 153 3
107+1 (A) completed the assessment described in subdivision (1);
108+2 (B) mitigated or has documented plans to mitigate
109+3 identified vulnerabilities; and
110+4 (C) updated emergency response plans to account for
111+5 vulnerabilities and mitigating procedures.
112+6 (4) When an actual or reasonably suspected cybersecurity
113+7 breach occurs, report the cybersecurity incident to the office
114+8 of technology established by IC 4-13.1-2-1:
115+9 (A) either:
116+10 (i) not later than twenty-four (24) hours after discovery
117+11 of the cybersecurity incident, if the cybersecurity
118+12 incident impacts the operations of the entity; or
119+13 (ii) not later than two (2) business days after discovery of
120+14 the cybersecurity incident, if the cybersecurity incident
121+15 does not impact the operations of the entity; and
122+16 (B) in a format prescribed by the chief information officer
123+17 of the office of technology.
124+18 (c) In conducting an assessment under subsection (b)(1), the
125+19 entity shall utilize an assessment tool or framework approved by
126+20 the department and the office of technology established by
127+21 IC 4-13.1-2-1.
128+22 (d) An assessment conducted under subsection (b)(1) is
129+23 confidential under IC 5-14-3-4(b)(19).
130+ES 459—LS 6707/DI 153 4
131+COMMITTEE REPORT
132+Mr. President: The Senate Committee on Environmental Affairs, to
133+which was referred Senate Bill No. 459, has had the same under
134+consideration and begs leave to report the same back to the Senate with
135+the recommendation that said bill be AMENDED as follows:
136+Page 2, delete lines 31 through 32, begin a new line double block
137+indented and insert:
138+"(A) either:
139+(i) not later than twenty-four (24) hours after discovery
140+of the cybersecurity incident, if the cybersecurity
141+incident impacts the operations of the entity; or
142+(ii) not later than seventy-two (72) hours after discovery
143+of the cybersecurity incident, if the cybersecurity
144+incident does not impact the operations of the entity;
145+and".
146+and when so amended that said bill do pass.
147+(Reference is to SB 459 as introduced.)
148+NIEMEYER, Chairperson
149+Committee Vote: Yeas 9, Nays 0.
150+_____
151+COMMITTEE REPORT
152+Mr. Speaker: Your Committee on Environmental Affairs, to which
153+was referred Senate Bill 459, has had the same under consideration and
154+begs leave to report the same back to the House with the
155+recommendation that said bill be amended as follows:
156+Page 1, between the enacting clause and line 1, begin a new
157+paragraph and insert:
158+"SECTION 1. IC 4-13.1-2-9, AS AMENDED BY P.L.137-2021,
15159 SECTION 18, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
16160 JULY 1, 2025]: Sec. 9. (a) This section does not apply to an entity
17161 subject to IC 13-18-16.5.
18162 (b) A state agency (as defined in IC 4-1-10-2), other than state
19163 educational institutions, and a political subdivision (as defined in
20164 IC 36-1-2-13) shall:
21165 (1) report any cybersecurity incident using their best professional
22166 judgment to the office without unreasonable delay and not later
167+ES 459—LS 6707/DI 153 5
23168 than two (2) business days after discovery of the cybersecurity
24169 incident in a format prescribed by the chief information officer;
25170 and
26171 (2) provide the office with the name and contact information of
27172 any individual who will act as the primary reporter of a
28173 cybersecurity incident described in subdivision (1) before
29174 September 1, 2021, and before September 1 of every year
30175 thereafter.
31176 Nothing in this section shall be construed to require reporting that
32177 conflicts with federal privacy laws or is prohibited due to an ongoing
33-law enforcement investigation.
34-SECTION 2. IC 13-18-3-1.5 IS ADDED TO THE INDIANA CODE
35-AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY
36-SEA 459 — Concur 2
37-1, 2025]: Sec. 1.5. (a) The board may adopt rules under IC 4-22-2
38-and IC 13-14-9 establishing standards for the reclamation and
39-reuse of treated wastewater.
40-(b) The rules adopted under subsection (a):
41-(1) must protect state waters and public health;
42-(2) may concern multiple categories of reuse; and
43-(3) may create a permitting process.
44-SECTION 3. IC 13-18-16.5 IS ADDED TO THE INDIANA CODE
45-AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE
46-JULY 1, 2025]:
47-Chapter 16.5. Public Water and Wastewater Cybersecurity
48-Sec. 1. (a) This chapter applies to an entity that:
49-(1) is:
50-(A) a community water system (as defined in
51-IC 13-11-2-35.5(b)) with a population of five hundred (500)
52-or more;
53-(B) a publicly owned treatment works (as defined in
54-IC 13-11-2-177.5); or
55-(C) a semipublic facility (as defined in 327 IAC 5-1.5-59)
56-with a classification of Class III or Class IV (as described
57-in 327 IAC 5-23-3(4) and 327 IAC 5-23-3(5)); and
58-(2) utilizes:
59-(A) a computerized system to monitor and control the
60-processes of the entity's operation from a central location;
61-or
62-(B) another vulnerable monitoring or management system
63-identified by the department.
64-(b) An entity shall do the following:
65-(1) Conduct a cybersecurity vulnerability assessment at least
66-once per calendar year.
67-(2) Before September 1 of each year, provide the office of
68-technology established by IC 4-13.1-2-1 with the name and
69-contact information of any individual who will act as the
70-primary reporter of a cybersecurity incident.
71-(3) Beginning in 2026, not later than December 31 of each
72-even-numbered year, submit a certification to the department
73-via a secured portal verifying that the entity:
74-(A) completed the assessment described in subdivision (1);
75-(B) mitigated or has documented plans to mitigate
76-identified vulnerabilities; and
77-(C) updated emergency response plans to account for
78-vulnerabilities and mitigating procedures.
79-SEA 459 — Concur 3
80-(4) When an actual or reasonably suspected cybersecurity
81-breach occurs, report the cybersecurity incident to the office
82-of technology established by IC 4-13.1-2-1:
83-(A) either:
84-(i) not later than twenty-four (24) hours after discovery
85-of the cybersecurity incident, if the cybersecurity
86-incident impacts the operations of the entity; or
87-(ii) not later than two (2) business days after discovery of
88-the cybersecurity incident, if the cybersecurity incident
89-does not impact the operations of the entity; and
90-(B) in a format prescribed by the chief information officer
91-of the office of technology.
92-(c) In conducting an assessment under subsection (b)(1), the
93-entity shall utilize an assessment tool or framework approved by
94-the department and the office of technology established by
95-IC 4-13.1-2-1.
96-(d) An assessment conducted under subsection (b)(1) is
97-confidential under IC 5-14-3-4(b)(19).
98-SEA 459 — Concur President of the Senate
99-President Pro Tempore
100-Speaker of the House of Representatives
101-Governor of the State of Indiana
102-Date: Time:
103-SEA 459 — Concur
178+law enforcement investigation.".
179+Page 1, line 13, after "Water" insert "and Wastewater".
180+Page 2, line 20, delete "1 of each" and insert "31 of each
181+even-numbered".
182+Page 2, line 35, delete "seventy-two (72) hours" and insert "two (2)
183+business days".
184+Renumber all SECTIONS consecutively.
185+and when so amended that said bill do pass.
186+(Reference is to SB 459 as printed February 5, 2025.)
187+BAIRD
188+Committee Vote: yeas 13, nays 0.
189+ES 459—LS 6707/DI 153