U.S. Supreme Court Justice Louis Brandeis once characterized privacy as the "right to be left alone." More and more, citizens are looking to their elected officials to safeguard that right. Indiana Attorney General (AG) Greg Zoeller has led a charge to protect the citizens of his state from disruptions of their personal affairs and intrusions by robocallers and junk marketers into their homes.  Further, he has a robust ID theft protection unit in his office, and Indiana law governing data breaches requires that the AG get notice of breaches impacting Indiana residents so that he can track data losses to ensure compliance with state consumer protection and other laws.

In this Q&A, Zoeller discusses his initiatives and his priorities for protecting residents of the Hoosier state from privacy intrusions and losses of personal information.

The Privacy Advisor: You have long had an interest in protecting consumers in the area of telephone privacy, in particular. Recently, you, along with Missouri Attorney General Chris Koster, launched the first-ever national No-Call Law Enforcement Summit. What were the goals of the summit, and in your view, are states making progress in protecting telephone privacy? Further, what may be needed at the federal level to cure the problems that you see in this area more generally?

Zoeller: The goals of the national No-Call Law Enforcement Summit were to gather the experts on Do-Not-Call enforcement to share investigative tools, techniques and best practices for taking action against violators. I believe that the states and the Federal Trade Commission (FTC) are making some progress, as the number of Do-Not-Call complaints is trending downward. However, more needs to be done by the Federal Communications Commission to regulate Internet-based (VOIP) calls, restore our trust in Caller ID and make unwanted call blocking universally available and affordable for consumers.

The Privacy Advisor: You have formed an ID theft unit within your office. What was the impetus for doing so, and what do you view as its greatest accomplishments? What challenges still remain?

Zoeller: In 2005 and 2006, our office began to see a steady increase of consumer complaints from identity theft victims. Each of these victims wanted to see the guilty parties arrested but also needed help to correct their records and recover from the crime. Identifying this growing need led our office to informally establish our Identity Theft Unit in 2007. In 2009, I worked with our General Assembly to pass an Identity Theft bill that further enhanced our ability to investigate and prosecute identity crimes and provide tools that further enhance victims’ ability to recover from the crime. Our identity theft unit has handled more than 5,400 cases involving identity related fraud or data privacy incidents. We have also assisted consumers in removing more than $1.1 million in fraudulent liability from their accounts and have seen arrests made in 58 separate complaints. There are many challenges involved with investigating identity theft complaints, including jurisdictional hurdles that are often inevitable when the victim, the suspect and the location of the crime all occur in different venues. Despite some of our successes in this area, identity theft continues to be a problem. Our personal and financial information is at greater risk of being stolen—perhaps more than ever before—as we pay bills, order merchandise, file our taxes and do our banking online. We can be aware and take precautions to safeguard our personal information, but there is an inherent risk that cannot be completely avoided.

The Privacy Advisor: Under your leadership, Indiana has investigated major companies with respect to the use and protection of consumer information, including by pharmacies, health insurers and retailers. What are the most important lessons that entities that handle consumer information should learn from these investigations? What mistakes has your office seen when it comes to privacy and data security?

Zoeller: Our office is committed to enforcing Indiana’s data breach law to better protect our consumers. This past year we updated our website, www.IndianaConsumer.com, to include educational materials for businesses that collect and maintain the personal information of Indiana consumers. We have also created a notification form that can be used by companies that experience a breach to allow them to quickly notify our office with the relevant information required by our notification statute. Notifying the Office of the Attorney General immediately will never have a negative repercussion but may serve as a positive factor in how we address any violations. One of the biggest lessons we want businesses to learn is to act as quickly as possible to determine whether their data has been breached. Like most state breach notification statutes, Indiana law requires businesses to notify consumers “without unreasonable delay” once they discover personal information has been compromised. Failure to do so may result in consumer fraud that could have otherwise been prevented. One of the biggest mistakes businesses can make when it comes to collecting private information is to collect more data than they really need and then store or transmit this data without properly securing or encrypting it. While we recognize consumers’ sensitive information may be needed for legitimate business purposes, the collection, storage and use of that data should always warrant appropriate security procedures being followed.

The Privacy Advisor: Indiana's data breach notice law requires that an entity experiencing a breach concerning personal information on an Indiana resident must notify that resident "without unreasonable delay." What further insight can you give on what may constitute a reasonable time in which to give notice?

Zoeller: Currently, there is no bright-line test to determine whether notice was provided to consumers without unreasonable delay. However, I strongly encourage companies to be proactive and be over-inclusive when providing notice. Consumers who have had their information targeted by identity thieves are at greatest risk of harm within hours or days of the breach. While I understand the desire of companies to get it right and not unduly cause panic to those that ultimately were not harmed by a breach, this is an area where we simply do not have the luxury of waiting for complete information. Upon learning of a potential breach, companies should immediately inform consumers that there may be an issue and allow consumers an opportunity to protect themselves. Unfortunately, many companies have chosen to protect their own reputations rather than look out for their consumers. It is unacceptable when consumers learn of such breaches from their own banks or credit card companies rather than hearing it firsthand from those entities charged with safeguarding their personal information.

The Privacy Advisor: Given the complexities surrounding evolving technology and data use, and the increase in sophistication involving phishing, hacking and other data intrusions, how can companies best partner with your office to better protect consumers?

Zoeller: We do need to work together in order to safeguard consumers’ personal information. Ultimately, we have the same goal in mind, so I have spent much of my time in office creating an atmosphere where we can have an open dialogue. Companies need to be forthcoming with information and let us know as soon as they learn of a possible breach. I understand that the law requires that such notice be provided “without unreasonable delay,” but this is little consolation for those consumers that must now spend the next few months or years repairing the damage caused by those breaches. While I appreciate that many companies have provided credit monitoring and other services to assist consumers, we ultimately need to ensure that the best protection available is being used and that consumers’ information is adequately safeguarded. We stand ready to partner with those companies that value their customers and will continue to work to protect the public’s interests.

The Privacy Advisor: Finally, the FTC also is looking at information concerning data breaches. It is also considering possible regulations in evolving areas involving privacy concerning mobile tracking and regulation concerning the "Internet of Things." How closely does your office work with the FTC on privacy enforcement and privacy policy matters? What can we expect to see come of this work?

Zoeller: Our Office considers the FTC to be a great partner in not only data breach cases but in other consumer protection cases as well. We regularly meet with the FTC and our other federal, state and local partners to share best practices regarding investigations and enforcement. This will continue, and we appreciate the willingness of all of our partners to listen intently to one another as we develop comprehensive policies that best protect consumers.

Indiana Attorney General Greg Zoeller was elected Indiana's 42nd Attorney General in 2008 and reelected to a second term in 2012. Prior to being elected, Zoeller served as the chief deputy to his predecessor, Steve Carter making him the first to have served in the office prior to being elected.