Over the weekend, Attorney General Curtis Hill issued the following statement:
“The governor has a fantastic opportunity to adopt a safe harbor rule I proposed that would incentivize companies to take strong data protection measures, which will reduce the scale and frequency of cyberattacks in Indiana.
“We worked for more than a year to establish these voluntary protocols, which would protect companies in compliance with the rule and protect consumers from cyber-threats. This proposed rule is nationally recognized as an innovative model that encourages companies to voluntarily invest in data security precautions. Companies that voluntarily invest in data protection would be given favorable consideration by the state in the event of a data breach.
“The state of Ohio has a similar provision in the form of a statute, but Indiana’s proposed rule would be the first in the nation designed to provide businesses this type of assistance by administrative rule. A very important aspect of this rule is that it is strictly voluntary. Businesses would not be mandated to adhere to these protocols. Rather, businesses that choose not to apply the rule’s standards would not qualify for the potential legal protections available to businesses that choose to do so.
“Although my office proposed and wrote the safe harbor rule, Indiana law requires that it be approved by the governor. Initially, in a letter on Dec. 10, 2020, the governor declined to approve the rule; however, he acknowledged the need to provide data protection guidance to businesses.
“The governor further cited concerns about the proposed rule’s language regarding audits, deceptive acts, and the insurance industry. We reviewed the governor’s concerns and removed all of the items that he found objectionable, without impacting the substance of the rule’s protections. We submitted the amended proposal for further consideration, and we remain hopeful that he will approve this rule that is both pro-consumer and pro-business.
“The proposed safe harbor rule was also endorsed by several business consumer groups, including the United States Chamber of Commerce.
“Cyberattacks are the fastest-growing type of crime in the U.S., and they already occur with alarming frequency. A recent survey of more than 300 public and private organizations across Indiana showed that nearly one-fifth said they had experienced a cyberattack in the past three years. Thousands of Hoosiers filed claims for restitution payments in light of the Equifax data breach, which compromised the personal information of nearly 4 million current and former Indiana residents. And in December, one of the largest cybersecurity firms in the U.S. said it had been hacked.
“There has never been a better time to take bold action to protect Hoosiers’ data. If Gov. Holcomb fails to approve this effective rule, he will miss an exciting opportunity to modernize Indiana’s cybersecurity efforts and to position the state as a model for the protection of personal data. It would be unfortunate if the governor is unable to rise above his objections and adopt a policy that benefits everyone.”