Curtis Hill was sworn into office in January 2017 as the 43rd attorney general of Indiana. He previously served four terms as the Elkhart County Prosecutor, with a reputation for both tough stances on crime and working with defendants charged with less serious crimes to avoid incarceration. During his time as attorney general, he has prioritized rolling back federal overreach and safeguarding consumers from fraud and scams along with continuing to take a hard line on crime. As a relatively new attorney general, he has taken the opportunity to set the tone in his state on data privacy and security enforcement. Here, he talks with The Privacy Advisor about his state’s consumer protection efforts with regard to data privacy and cybersecurity.
The Privacy Advisor: Indiana passed a data security bill within the last year that allows the attorney general to sue health care providers that intentionally, recklessly or negligently cause a breach of health records. Notably, compliance with the federal Health Insurance Portability and Accountability Act does not automatically make the health care provider safe from enforcement. Can you speak to the importance of protecting health data as well as creating a state legislative scheme that is not pre-empted by similar federal laws?
AG Curtis Hill: I am focused on ways we can stop or reduce the crimes committed with stolen data. In black markets on the dark web, personal health information sells for 10 to 20 times more than credit card information. PHI can be used to facilitate a number of crimes:
- Extortion (blackmail), where criminals demand money, or worse, sexually exploit their victims, including minors, in order to prevent the criminals from exposing potentially embarrassing private medical information;
- Fraud, where criminals use stolen health insurance card information to obtain health care services, purchase medical equipment or pharmaceuticals that can be resold at a profit, contributing to the current opioid crisis;
- Identity deception, where criminals use stolen personal information and Social Security numbers to open lines of credit or create fake IDs;
- Ransoming data, where criminals encrypt the PHI and demand payment from the medical facility to restore the data.
The HITECH Act gave state attorneys general authority to enforce HIPAA laws, but we can also enforce our state data security laws as pendent claims in the same action. That unique combination makes attorneys general the ideal enforcers on health data breaches.
The Privacy Advisor: You took a strong tone against Equifax following that breach, including by sending the company a letter identifying certain deficiencies in their response to the incident. What do you believe should be the role of attorney general in reacting to data security breaches? Additionally, some states are acting on their own to sue the company, while several cities and counties are also taking it upon themselves to sue. How should these efforts be coordinated to achieve the best outcome for consumers?
Hill: Data breaches are criminal acts, whether they are committed by individuals, organized crime, terrorists or nation-states. First and foremost, we all have a duty to cooperate with federal, state and local law enforcement as they investigate, and if possible, prosecute the responsible parties. We have a good working relationship with our local FBI office, the U.S. Postal Inspector, Indiana State Police and federal and state prosecutors. We work closely with the attorneys general of other states and territories, participating in the National Association of Attorneys General data privacy working group, health privacy working group, and the Conference of Western Attorneys General cybersecurity group. Ultimately, each attorney general has a duty to act in the best interest of the residents of his or her state. In the Equifax matter, we have proceeded according to Indiana law rather than join the multistate investigation. In other cases, where it makes more sense, we are working as part of the attorney general multistate working group.
The Privacy Advisor: You have observed that many of the governmental processes out of the nation’s capital are not working and that attorneys general have to take the lead in filling regulatory gaps. How do you see attorneys general taking on that role in data privacy and security?
Hill: Data privacy and security cases should be decided on the evidence and in a timely manner. It is not fair to keep companies waiting five or six years, or even longer, before initiating a regulatory action. Indiana and other attorneys general should promptly act when notified of data breaches to determine whether any violations of state or federal law have occurred and look to the appropriate resolution for their consumers. Attorneys general can help respond to the evolution of technology as they are closer to the source of the breaches and security lapses.
The Privacy Advisor: You’ve spoken about the importance of coalition-building on a local and national level. How do you see yourself working with partners on data privacy and security?
Hill: Aside from our cooperation with law enforcement partners and my fellow attorneys general, I have also partnered with academia, businesses and state and local governments. We participated in the first ever AG Tech Forum at the Berkman Klein Center at Harvard Law School, and we remain on the leadership team. I have chaired the Legal and Insurance working group of Indiana’s Executive Cybersecurity Committee. I have partnered with the Indiana Chamber of Commerce to organize a Cybersecurity Forum for C-Suite executives. Throughout the year, my team has been engaged in outreach projects on identity theft, data privacy and security and cybersecurity.
The Privacy Advisor: What can people in the privacy field expect from state attorneys general, and Indiana in particular, in 2018?
Hill: Unfortunately, we expect to see even more criminal attacks on data owners.
We are currently tracking dozens of legislative changes in states, territories, and even at the federal level, that increase the duties of data owners. We will work tirelessly to enforce the new laws, and we will step up our pursuit of the criminals who commit these crimes.