What to Do After a Cyberattack in Indiana (2026)
Mitch Wolverton

If your business has been hacked, the first few hours are critical. The actions you take immediately after discovering a cyber incident influence how far attackers spread, how much data is lost, how quickly operations recover, and whether legal notification requirements under Indiana law apply.
This guide explains what to do after a cyberattack in Indiana, including immediate containment steps, reporting options, recovery planning, and Indiana’s data breach notification expectations for organizations.
What to Do After a Cyberattack in Indiana
Whether your organization is facing ransomware, unauthorized access, business email compromise, or suspected data theft, knowing what to do after a cyberattack in Indiana can reduce downtime, protect sensitive information, and limit regulatory exposure.
Follow the structured steps below to regain control quickly and responsibly.
Step 1: Confirm the Incident and Start an Incident Log Immediately
Cyberattacks commonly appear through:
- Ransomware notes, encrypted files, or locked systems
- Unauthorized password resets or suspicious login alerts
- Unexpected multi-factor authentication prompts
- Fraudulent invoices or payment change requests
- Disabled security tools or new administrator accounts
- Unusual outbound network activity
Begin documenting right away:
- Time of discovery
- Systems and users impacted
- Screenshots of alerts or ransom notes
- Employee reports of suspicious activity
- All response actions taken
Accurate documentation supports investigations, cyber insurance claims, and compliance obligations under Indiana’s Disclosure of Security Breach law (Ind. Code § 24-4.9) and the Indiana Consumer Data Protection Act (ICDPA), which took effect January 1, 2026.
Step 2: Contain the Threat While Preserving Evidence
When working out what to do after a cyberattack in Indiana, many organizations rush to shut everything down. Containment is essential, but preserving evidence is equally important.
Recommended actions:
- Disconnect compromised machines from the network
- Disable affected user and administrator accounts
- Block malicious IP addresses and domains
- Preserve logs, suspicious emails, and ransom notes
The ransomware response guidance from the Cybersecurity and Infrastructure Security Agency (CISA) emphasizes isolating systems while keeping forensic artifacts for investigation and recovery.
Avoid wiping systems until the full scope of compromise is confirmed.
Step 3: Secure Backups Before Attackers Reach Them
Many ransomware groups attempt to encrypt or delete backups to prevent recovery.
Immediately:
- Verify backups are isolated or offline
- Pause backup jobs if compromise is suspected
- Rotate backup administrator credentials
- Confirm clean restore points exist
If your organization carries cyber insurance, notify the provider promptly. PivIT Strategy’s Advanced Cybersecurity Services team can help assess backup integrity and ensure recovery options remain protected.
Step 4: Lock Down Email, Identity, and Financial Systems
Email compromise remains one of the most common entry points for cyber incidents.
Email security priorities
- Reset global and delegated administrator accounts
- Enforce multi-factor authentication across all users
- Review forwarding rules and third-party app access
- Remove suspicious sessions and devices
Identity and endpoint protection
- Force password resets organization-wide
- Confirm endpoint security tools are active
- Patch exposed systems and remote access services
Financial controls
- Freeze payment instruction changes temporarily
- Verify vendor requests by phone
- Review recent wire and ACH activity
These steps help prevent secondary financial losses, which are especially common following business email compromise incidents.
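One way to triage the forwarding-rule review from the email priorities above, run over an exported list of inbox rules. This is an added example, not part of the original guide; the rule field names, the internal domain, and the folder and keyword lists are hypothetical and should be mapped to whatever your mail platform actually exports.

```python
# Field names below are hypothetical, not any mail platform's real export schema.
INTERNAL_DOMAINS = {"example-corp.test"}  # assumption: your own mail domains
HIDING_FOLDERS = {"rss feeds", "archive", "conversation history", "deleted items"}
LURE_WORDS = {"invoice", "payment", "wire", "ach", "bank"}

def _external(addresses):
    """Addresses whose domain is not one of ours."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def review_rule(rule):
    """Return the reasons this inbox rule deserves a human look (may be empty)."""
    reasons = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    ext = _external(targets)
    if ext:
        reasons.append("forwards to external address: " + ", ".join(ext))
    hides = (rule.get("delete", False)
             or rule.get("move_to_folder", "").lower() in HIDING_FOLDERS)
    lures = {k.lower() for k in rule.get("subject_contains", [])} & LURE_WORDS
    if hides and lures:
        reasons.append("hides finance-related mail: " + ", ".join(sorted(lures)))
    if hides and rule.get("mark_read", False):
        reasons.append("marks hidden mail as read")
    return reasons

def review(rules):
    """Map 'mailbox/rule name' to reasons, for flagged rules only."""
    flagged = {}
    for r in rules:
        reasons = review_rule(r)
        if reasons:
            flagged[f'{r["mailbox"]}/{r["name"]}'] = reasons
    return flagged

# Constructed sample export (not real data).
SAMPLE_RULES = [
    {"mailbox": "ap@example-corp.test", "name": ".", "mark_read": True,
     "subject_contains": ["Invoice", "wire"], "move_to_folder": "RSS Feeds"},
    {"mailbox": "ceo@example-corp.test", "name": "fwd", "forward_to": ["drop@mail.invalid"]},
    {"mailbox": "hr@example-corp.test", "name": "Newsletters",
     "subject_contains": ["digest"], "move_to_folder": "Reading"},
]

if __name__ == "__main__":
    for key, why in review(SAMPLE_RULES).items():
        print(key, why)
```

Flagged rules are leads for review, not verdicts: record each one in the incident log before removing it, since the rule itself is evidence of what the attacker was after.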
Step 5: Report the Incident and Seek Professional Support
Reporting supports investigations and may help recover stolen funds.
Federal reporting
The FBI encourages cybercrime victims to submit reports through IC3 and advises against paying ransomware demands because payment does not guarantee recovery and often leads to repeat attacks.
Indiana Attorney General
Indiana requires notification to the Attorney General for every notifiable breach — regardless of how many residents are affected. Submit the Indiana Data Breach Notification Form to DataBreach@atg.in.gov along with a copy of the notice sent to affected individuals.
Ransomware guidance
CISA’s StopRansomware resources provide structured containment and recovery checklists for organizations of all sizes.
At this stage, many Indiana organizations engage PivIT Strategy’s Managed IT Services team to manage response, investigation, and restoration.
Step 6: Understand Indiana Data Breach Notification Requirements
One of the main reasons businesses search for what to do after a cyberattack in Indiana is concern about compliance. Indiana’s primary breach notification framework is Ind. Code § 24-4.9, strengthened by a 2022 amendment (HEA 1341) that added a firm 45-day deadline. Additionally, the Indiana Consumer Data Protection Act (ICDPA) took effect January 1, 2026, adding broader privacy obligations.
Key obligations under Ind. Code § 24-4.9:
- 45-day notification deadline — Notice must be made without unreasonable delay but no more than 45 days after discovery of the breach. Unlike some states, Indiana’s clock starts at discovery, not after an investigation is complete.
- Identity theft or fraud threshold — Notification is required if the breach has resulted in, or could result in, identity deception, identity theft, or fraud against an Indiana resident. If the breach cannot result in any of these harms, notification may not be required.
- AG notification required for every notifiable breach — Indiana is one of the few states that requires AG notification regardless of the number of affected residents. If even one resident must be notified, the AG must also be notified within 45 days.
- Consumer reporting agencies — If more than 1,000 residents are affected, the organization must also notify all nationwide consumer reporting agencies.
- No harm threshold in practice — Because the standard references what “could result” in fraud, the harm threshold is relatively broad in Indiana. Organizations should consult legal counsel before determining notification is not required.
- What counts as personal information — A Social Security number alone, or an individual’s name combined with driver’s license number, state ID number, financial account number, or debit/credit card number with required access codes.
- Penalties — Up to $150,000 per deceptive act, enforced exclusively by the Indiana AG. No private right of action under the breach notification statute.
New in 2026: Indiana Consumer Data Protection Act (ICDPA)
The ICDPA, effective January 1, 2026, grants Indiana residents rights over their personal data and imposes obligations on organizations that process data of 100,000 or more Indiana residents (or 25,000+ if more than 50% of gross revenue comes from selling personal data). Key obligations include privacy notices, consent for sensitive data, data protection assessments, and a 30-day permanent right-to-cure period before enforcement.
Organizations should:
- Notify affected individuals within 45 days of discovery
- Notify the Indiana AG for every notifiable breach
- Notify consumer reporting agencies if 1,000+ residents are affected
- Assess ICDPA obligations if your organization meets the applicability thresholds
For more on your ongoing compliance obligations, see our guide to Indiana Cybersecurity Laws You Should Know (2026).
Step 7: Communicate Clearly and Carefully
Poor communication often increases reputational and financial damage.
Internal communication
- Share verified information only
- Provide official password reset instructions
- Warn employees about attacker outreach attempts
- Centralize incident communications
External communication
- Use alternate channels if email is compromised
- Alert vendors of possible fraud risk
- Coordinate customer communications with legal guidance
Substitute notice via conspicuous website posting and major news media is permitted when direct notification would cost more than $250,000 or affect more than 500,000 Indiana residents.
Step 8: Recover Systems and Strengthen Defenses
Recovery is not just restoring files. It involves removing the attacker and closing the security gaps that allowed them in.
Typical recovery efforts include:
- Forensic timeline analysis
- Rebuilding compromised systems
- Organization-wide credential resets
- Multi-factor authentication implementation
- Network segmentation improvements
- Backup isolation enhancements
- Advanced endpoint and email monitoring
Without hardening, businesses remain vulnerable to repeat attacks. The ICDPA also requires organizations subject to its scope to implement reasonable administrative, technical, and physical data security practices — an ongoing obligation beyond breach response.
PivIT Strategy’s IT Consulting Services can help Indiana organizations build a post-incident security roadmap. For executive-level IT leadership and long-term security strategy, our Fractional CIO Services provide ongoing guidance without the cost of a full-time hire.
How PivIT Strategy Helps Indiana Businesses After a Cyberattack
When an Indiana business contacts PivIT Strategy, the focus is fast containment, secure recovery, and long-term protection.
Support typically includes:
- Immediate threat isolation
- Email and identity security lockdown
- Forensic investigation coordination
- Secure system restoration
- Compliance documentation assistance
- Ongoing cybersecurity improvements
Contact us to speak with our team.
Final Checklist: What to Do After a Cyberattack in Indiana
- Start an incident log
- Isolate affected systems
- Disable compromised accounts
- Secure backups
- Lock down email and identity access
- Report to FBI IC3 for ransomware or fraud
- Notify affected individuals within 45 days of discovery
- Notify the Indiana AG for every notifiable breach (DataBreach@atg.in.gov)
- Notify consumer reporting agencies if 1,000+ residents are affected
- Assess ICDPA obligations if applicable
- Recover systems and strengthen security
Frequently Asked Questions: What to Do After a Cyberattack in Indiana
How quickly should a business respond? Immediately. The first few hours determine how much damage spreads and whether backups remain usable.
What is Indiana’s notification deadline? 45 days from discovery of the breach, not from completion of the investigation.
Does Indiana require AG notification for every breach? Yes. Unlike most states with thresholds, Indiana requires AG notification for every notifiable breach, regardless of how many residents are affected.
What is the ICDPA and does it apply to my organization? The Indiana Consumer Data Protection Act, effective January 1, 2026, applies to organizations that process personal data of 100,000+ Indiana residents, or 25,000+ if more than half of gross revenue comes from selling personal data. It adds privacy rights, consent requirements, and ongoing data security obligations.
Should a ransom be paid? Law enforcement discourages paying ransoms because recovery is not guaranteed and attackers often target paying victims again.
What mistakes make breaches worse?
- Missing the 45-day notification window
- Forgetting that AG notification is required for every notifiable breach
- Underestimating ICDPA obligations for larger data processors
- Wiping systems before forensic review
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Readers should consult qualified legal counsel for advice specific to their organization or situation.
Mitch Wolverton
Mitch, Marketing Manager at PivIT Strategy, brings many years of marketing and content creation experience to the company. He began his career as a content writer and strategist, honing his skills on some of the industry’s largest websites, before advancing to specialize in SEO and digital marketing at PivIT Strategy.
