Indiana Attorney General Curtis Hill on Wednesday joined cybersecurity experts at a U.S. Chamber of Commerce virtual event to discuss his intent to establish a rule in Indiana that would better protect Hoosiers from cyberattacks, the fastest-growing type of crime in the United States.
Hill’s proposed safe harbor rule would give businesses operating in Indiana a better understanding of how to protect consumers’ data and reward businesses that comply with steps laid out in the rule. Should the rule be implemented, Indiana would be the first state in the U.S. to approach this issue via regulation.
“Hoosiers’ data is at risk because some businesses do not take proactive measures to protect themselves and the consumers they serve from cyberattackers, and some simply do not know what precautions they ought to take,” Hill said. “Our safe harbor rule would both protect Hoosiers from data breaches and incentivize businesses that take steps to prevent them from happening in the first place.”
Not every company that experiences a data breach is irresponsible, Hill said. For this reason, the rule would protect and encourage continued investment by companies that have already taken precautions, while clarifying expectations for all companies that maintain Hoosiers’ data.
The cybersecurity experts who joined Hill at the event applauded this approach to data protection. Matthew Eggers, vice president of cybersecurity policy at the U.S. Chamber of Commerce, praised the proposed rule, saying it gives businesses a clearer understanding of how to protect consumers’ data.
Alexis Cocco, a privacy, data security and consumer class-action defense lawyer at Reed Smith, said the proposed rule will allow businesses to direct resources toward compliance with the rule, as opposed to the costs of a class-action lawsuit that could follow a data breach. Data breaches, on average, cost millions of dollars, Cocco said.
“We need a way to separate the businesses that are taking important steps to secure data from those who are not,” Hill said. “This rule would provide businesses a playbook on how to protect data, and would protect the businesses that follow the playbook. It’s a win for both consumers and businesses.”
In the last three years, Hill has obtained settlements with several companies after data breaches exposed consumers’ personal information. Most recently, he secured a $19.5 million settlement with Equifax following Indiana’s lawsuit against the company over its massive 2017 data breach. That data breach impacted 3.9 million Indiana residents.
Hoosiers who were impacted by the Equifax data breach should watch for an important announcement about obtaining a restitution payment in light of the breach. More information about obtaining a payment will be available soon.
Hill said the Equifax data breach is a perfect example of why businesses must invest additional resources into data protection.
“Equifax did not take the precautions necessary to protect the personal data of millions of consumers,” Hill said. “Much of the damage from this data breach could have been mitigated had Equifax followed the steps outlined in this rule. It is our hope that this proposed rule prevents data breaches of this scale from happening again in the future.”
In July, the Office of the Attorney General filed a notice of intent to adopt the proposed rule. The proposed rule is expected to be published by the Indiana Register, after which there will be a period for public comment followed by a public hearing on the rule. The public hearing will be advertised and available virtually. It is expected that the proposed rule will take effect by the end of the year.