9/28/20

Client Alert: Indiana Attorney General to Create Safe Harbor for Businesses that Implement Reasonable Cybersecurity Plans

On September 23, at a U.S. Chamber of Commerce event, Indiana Attorney General Curtis Hill announced his intention to establish a rule to give businesses an incentive to implement cybersecurity plans to protect Indiana consumers’ information from cyberattacks. His announcement came on the heels of Indiana’s $19.5 million settlement with Equifax over its 2017 data breach.

Hill’s rule would create a safe harbor for businesses that have “reasonably designed, implemented and executed” data security plans pursuant to specified frameworks. These frameworks range from industry standards such as PCI-DSS, the NIST Cybersecurity Framework, or the ISO 27000 family of information security controls to federal requirements under HIPAA. Businesses that qualify for the safe harbor protection will not be subject to a civil action from the Attorney General arising from a data breach.

The Office of the Attorney General filed a notice of intent to adopt the proposed rule in July. If the rule is approved, it will likely take effect by the end of the year. Representatives from the U.S. Chamber of Commerce have applauded this proposal.

For assistance with creating or reviewing your organization’s privacy compliance program or privacy laws in general, please contact John Landolfi, Christopher Ingram, Christopher LaRocco, Sarah Boudouris, Gretchen Rutz, or your Vorys attorney.