Indiana has established itself as a state at the forefront of addressing complex data privacy and cybersecurity issues. That is in no small part due to the active engagement of the state’s attorneys general. As part of this interview series, we previously spoke with Indiana attorneys general Greg Zoeller (2009-2017) and Curtis Hill (2017-2021) during their terms in office about a variety of issues, including addressing robocalls, keeping sensitive health information off the digital black market and other matters at the nexus of privacy policy and consumer protection. Carrying on that legacy of leadership and bringing a new and unique perspective to these issues is Indiana Attorney General Todd Rokita, elected as his state’s top lawyer in November 2020.
Serving as a U.S. Congressman from Indiana’s 4th District from 2011 to 2019 and as Indiana’s Secretary of State prior to that, Attorney General Rokita brings a wealth of experience and critical perspective to the ongoing conversations addressing privacy policy at the state, federal and local levels. While Rokita served in the private sector, he was general counsel for Indiana’s largest employee health care consulting company, covering hundreds of thousands of lives and the Employee Retirement Income Security Act, the Health Insurance Portability and Accountability Act and other data and privacy issues.
As questions continue to surface around the function of state consumer protection and other laws addressing new technologies, the role of the federal government in setting uniform privacy policies, and the trend of municipalities increasingly attempting to claim a seat at the privacy and cyber breach enforcement table, Rokita is helping his state navigate these complex waters. In this interview with The Privacy Advisor, Attorney General Rokita discusses his views on federal privacy legislation, Indiana’s recent pursuit of privacy legislation, municipalities entering the fold and more.
The Privacy Advisor: The big question that has been at the top of nearly every privacy professional’s mind for a number of years now is whether Congress will eventually implement some kind of uniform, federal privacy law. Having served in Congress for eight years, do you think that is probable? In your current role as Indiana’s attorney general, do you think that a uniform federal privacy law is appropriate? And if so, what should the role of the states be?
Rokita: There is more pressure to implement a federal law now that the effective dates of states’ privacy laws are drawing near, but the differences on key issues, like whether the bill will contain a private right of action, makes passing a federal law through the current House and Senate challenging.
The Privacy Advisor: In addition to your public service, you have significant experience in the private sector, including serving as counsel to a large company. How does that experience influence your approach to your role as attorney general vis-a-vis data privacy and cybersecurity issues?
Rokita: Privacy and cybersecurity issues are predictable and preventable business risks. Companies need to be aware and work to manage this potential attack. In many instances, privacy and cybersecurity infiltrations are the biggest risk to a company’s survival. As many as 60% of businesses fail within six months of a cyber incident, and sadly, the majority of cyberattacks happen to small and midsize businesses who may not be financially sound enough to recover. Companies can reduce their exposure to cybercrime by stopping unnecessary data collection and implementing basic security measures. For instance, Microsoft claims adding multifactor authentication can reduce 99.9% of account compromises. Whether they are self-insured or purchase cyber insurance policies, companies need to be financially prepared.
The Privacy Advisor: Comprehensive state privacy legislation was proposed in Indiana’s legislature this session (HB 1261 and SB 358), but they did not pass. Do you think Indiana will eventually pass a comprehensive privacy law?
Rokita: Unless it is preempted by a new federal law, I expect Indiana will pass a privacy law. Hoosiers deserve to know what information companies collect about them. And if the information is not accurate, they then need a mechanism to correct the inaccuracy. There has been a flurry of activity in state legislatures in the past couple years. As other states pass laws that provide those basic rights to their constituents, the people of Indiana deserve similar rights.
The Privacy Advisor: While broader privacy legislation did not make it across the finish line in Indiana, an amendment was made to your state’s data breach notification law, which takes effect July 1, 2022 and requires companies that suffer a cyber breach to notify your office, as well as affected consumers, no more than 45 days after the breach is discovered, rather than the prior standard of notification “without unreasonable delay.” How will this impact your enforcement efforts?
Rokita: Indiana law will still require database owners to provide notice “without unreasonable delay.” The change simply clarifies the legalese and enforces that notice is given “not more than 45 days after the discovery of the breach.” Compared to the notice requirements of other states and federal entities, Indiana’s maximum limit is fair. I take my responsibility to enforce the law seriously, and that certainly applies here.
The Privacy Advisor: It is our understanding that it was previously an office policy that “without reasonable delay” was to be interpreted as 45 days. Has your office considered using office policies to address other privacy-related issues?
Rokita: The longstanding unofficial policy was that notices provided within 30 days were presumed to be “without unreasonable delay,” barring other facts to the contrary. We make an effort to communicate what we believe reasonable security requires. For instance, when companies report a data breach, we ask them whether they had multifactor authentication implemented at the time of the breach. If they answer “no,” we ask “why?” In most cases, implementing multifactor authentication is relatively simple, and reduces whether an account is compromised by 99.9%.
From an education perspective, we also provide the following 10 tips:
- Use multifactor authentication.
- Implement endpoint detection and response.
- Use up-to-date encryption.
- Create a skilled, empowered security team.
- Share and incorporate threat information.
- Back up your data, regularly test backups, and keep backups offline.
- Update and patch systems promptly.
- Test your incident response plan.
- Check your security team’s work.
- Segment your networks.
The Privacy Advisor: It was recently announced that your office was joining Washington, Texas and the District of Columbia in an enforcement action over so-called “dark patterns.” Dark patterns, as well as other issues around consumer-facing algorithms, appear to be of increasing interest to attorneys general around the country, and have even been highlighted as a priority issue for this year’s Presidential Initiative at the National Association of Attorneys General. Could you speak to your office’s interest in these technologies and practices and how you plan to address them?
Rokita: Harry Brignull, the user interface designer, coined the term “dark patterns,” which are essentially high-tech tricks that make consumers do things they didn’t mean to do. Dark patterns are a 21st-century version of false or misleading advertisements or deceptive sales tactics or campaigns. Examples of this include misdirection, “confirmshaming,” and “privacy Zuckering.” No matter what form of cyberattack is occurring, we will get to the bottom of it by investigating web pages and application designs to determine whether they are unfair, abusive or deceptive under Indiana law.
The Privacy Advisor: You have been vocal about issues with municipalities in your state, particularly those who have engaged private plaintiffs’ lawyers, bringing lawsuits that at times might conflict with your responsibilities as Indiana’s top lawyer. What are your thoughts on the prospects of municipalities bringing data privacy or data breach lawsuits on behalf of consumers?
Rokita: Indiana’s Disclosure of Security Breach Act contains a preemption section that “preempts the authority of a unit (as defined in IC 36-1-2-23) to make an enactment dealing with the same subject matter as this article.” By adding that provision, the legislature has spoken very clearly that only the attorney general can bring enforcement actions. In states lacking a preemption clause, we have witnessed unnecessary duplication of effort that ultimately wastes taxpayer dollars.
The Privacy Advisor: Some states have implemented and other states are pursuing laws regulating so-called “data brokers.” These laws aim to regulate entities that collect and sell consumers’ personal information and other data. The FTC has also focused on these actors. Do you see the activities of data brokers as something of interest to your office?
Rokita: Data brokers have drastically multiplied over the past decade, and they are using our data in ways that seriously impact our lives. Data brokers like Sift determine a consumer’s trustworthiness. A company known as Zeta Global identifies people who have a lot of money to spend.
Vermont, one of the few states that requires data brokers to register, has a list of nearly 500 companies, but it is estimated there are more than 8,000. You may not have heard of most of them, but they have almost certainly heard of you. The biggest concern about these companies is whether they use consumers’ data in a discriminatory manner that is unfair, abusive, deceptive or violates civil rights’ protections.
The Privacy Advisor: Prior to your election, Curtis Hill pursued a cybersecurity safe harbor rulemaking that would have provided businesses with certain protections against state enforcement and private litigation if they implemented sufficient cyber safeguards. While that effort did not come to fruition, is that something your office has considered revisiting? More generally, are there any privacy and cyber security issues that you have considered addressing through rulemakings, or even implementation of office policies?
Rokita: While I am generally not a big fan of rules and regulations, my administration reached out to the parties who expressed an interest in the safe harbor rule to gauge interest in revisiting it. The feedback was mixed. At the moment, privacy seems to be of greater concern than security. Given the pace of technological change, there is also some concern that prescriptive rules will become outdated too quickly. For now, we try to give guidance through tips and recommendations. The terms in the consent judgments and assurances of voluntary compliance also provide guidance for defendants in our enforcement cases.