Indiana has established itself as a state at the forefront of addressing complex data privacy and cybersecurity issues. That is in no small part due to the active engagement of the state’s attorneys general. As part of this interview series, we previously spoke with Indiana attorneys general Curtis Hill (2017-2021) during their terms in office about a variety of issues, including addressing robocalls, keeping sensitive health information off the digital black market and other matters at the nexus of privacy policy and consumer protection. Carrying on that legacy of leadership and bringing a new and unique perspective to these issues is Indiana Attorney General Todd Rokita, elected as his state’s top lawyer in November 2020.  

Serving as a U.S. Congressman from Indiana’s 4th District from 2011 to 2019 and as Indiana’s Secretary of State prior to that, Attorney General Rokita brings a wealth of experience and critical perspective to the ongoing conversations addressing privacy policy at the state, federal and local levels. While Rokita served in the private sector, he was general counsel for Indiana’s largest employee health care consulting company, covering hundreds of thousands of lives and the Employee Retirement Income Security Act, the Health Insurance Portability and Accountability Act and other data and privacy issues.

As questions continue to surface around the function of state consumer protection and other laws addressing new technologies, the role of the federal government in setting uniform privacy policies, and the trend of municipalities increasingly attempting to claim a seat at the privacy and cyber breach enforcement table, Rokita is helping his state navigate these complex waters. In this interview with The Privacy Advisor, Attorney General Rokita discusses his views on federal privacy legislation, Indiana’s recent pursuit of privacy legislation, municipalities entering the fold and more.  

The Privacy Advisor: The big question that has been at the top of nearly every privacy professional’s mind for a number of years now is whether Congress will eventually implement some kind of uniform, federal privacy law. Having served in Congress for eight years, do you think that is probable? In your current role as Indiana’s attorney general, do you think that a uniform federal privacy law is appropriate? And if so, what should the role of the states be? 

Rokita: There is more pressure to implement a federal law now that the effective dates of states’ privacy laws are drawing near, but the differences on key issues, like whether the bill will contain a private right of action, make passing a federal law through the current House and Senate challenging.

The Privacy Advisor: In addition to your public service, you have significant experience in the private sector, including serving as counsel to a large company. How does that experience influence your approach to your role as attorney general vis-a-vis data privacy and cybersecurity issues? 

Rokita: Privacy and cybersecurity issues are predictable and preventable business risks. Companies need to be aware and work to manage this potential attack. In many instances, privacy and cybersecurity infiltrations are the biggest risk to a company’s survival. As many as 60% of businesses fail within six months of a cyber incident, and sadly, the majority of cyberattacks happen to small and midsize businesses who may not be financially sound enough to recover. Companies can reduce their exposure to cybercrime by stopping unnecessary data collection and implementing basic security measures. For instance, Microsoft claims adding multifactor authentication can reduce 99.9% of account compromises. Whether they are self-insured or purchase cyber insurance policies, companies need to be financially prepared.

The Privacy Advisor: Comprehensive state privacy legislation was proposed in Indiana’s legislature this session (HB 1261 and