A proposal announced on Wednesday by Indiana Attorney General Curtis Hill would add a significant step to the incident response process for breaches of security affecting Indiana residents. Speaking at a U.S. Chamber of Commerce virtual event, he announced a proposed rule designed to better protect Hoosiers from cyberattacks. The proposed rule is expected to take effect by the end of the year.
In short, there are two components to the proposed regulations:
- A requirement for data base owners to create, implement and report a corrective action plan (CAP) to the Attorney General within thirty days of the date it reports a breach to the Attorney General under the state’s existing breach notification law.
- A “safe harbor” for what constitutes “reasonable measures” to safeguard personal information in Indiana.
If the regulations are adopted, covered entities will need to revisit their incident response plans to ensure they have steps in place to timely submit a CAP to the Attorney General’s office. They might also consider modifying their data security plans to take advantage of the safe harbor.
Currently, Indiana law imposes a general requirement on data base owners to “implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any personal information of Indiana residents collected or maintained by the data base owner.” “Data base owner” is the statute’s term and covers persons that own or license computerized data that include personal information. As in several other states, these general obligations have not been well defined. AG Hill’s proposed rule, if adopted, would provide some clarity by creating several specific duties for data base owners.
First, the general requirement to take “any appropriate corrective action” would, in the context of a data breach, mean the following:
- Continuously monitoring and remediating potential vulnerabilities in a timely fashion.
- Taking reasonable steps to mitigate and prevent the continued unlawful use and disclosure of personal information following any breach of security of data.
- Preparing a written CAP following any breach of security of data which does the following:
  - Outlines the nature and all known or potential causes of the breach with reasonable specificity and citations to applicable technical data.
  - Identifies the precise date and time of the initial breach, and any subsequent breaches, if feasible.
  - Confirms that corrective measures were implemented at the earliest reasonable opportunity.
  - Identifies the specific categories of personal information subject to unlawful use or disclosure, including the approximate number of individuals affected.
  - Identifies what steps have already been taken to mitigate and prevent the continued unlawful use and disclosure of personal information.
  - Identifies a specific corrective plan to mitigate and prevent the continued unlawful use and disclosure of personal information.
- Certifying the development and implementation of the CAP to the Attorney General under penalty of perjury within thirty (30) days of providing notice of the breach to the Attorney General under existing law. The proposed rule would also authorize the Attorney General to conduct random and unannounced audits.
In short, simply complying with the disclosure and notification requirements under Indiana’s existing breach notification law (IC 24-4.9-3) would not, by itself, constitute appropriate corrective action following a breach.
“We need a way to separate the businesses that are taking important steps to secure data from those who are not,” Attorney General Hill said. “This rule would provide businesses a playbook on how to protect data, and would protect the businesses that follow the playbook. It’s a win for both consumers and businesses.”
Second, the proposed rule outlines a “safe harbor” for what constitutes “reasonable measures” to protect personal information. More specifically, the rule identifies certain data security frameworks that, if adopted, would be presumed reasonable. These include:
- A cybersecurity program that complies with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and follows the most recent version of specified standards, such as NIST Special Publication 800-171.
- For certain regulated covered entities, compliance with the following:
  - The federal USA PATRIOT Act.
  - Executive Order 13224.
  - The federal Driver’s Privacy Protection Act.
  - The federal Fair Credit Reporting Act.
  - The federal Health Insurance Portability and Accountability Act (HIPAA).
- Compliance with the Payment Card Industry Data Security Standard (PCI DSS) in place at the time of the breach of security of data.
Because data security is not a one-time process, maintaining the safe harbor under the NIST framework requires the covered entity to implement any new version of the applicable standard. Any data security plan also would need to monitor vulnerabilities tracked in the NIST National Vulnerability Database (NVD) and, for each critical vulnerability, commence remediation planning within twenty-four (24) hours after the vulnerability has been rated as such and apply the remediation within one (1) week thereafter. Additionally, covered entities must conduct risk assessments annually and revise their data security plans accordingly.
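The 24-hour and one-week windows above are the one part of the proposal that a security team has to operationalize against a live data source. The following is an added example, not code from the article or from the Attorney General’s office, of a minimal tracker that reads NVD-style records, keeps only CVSS v3.1 CRITICAL entries, derives the two deadlines, and reports which ones a team has missed. It assumes the record layout of the NVD API 2.0 JSON response and, because the rule does not say how to fix the “rated as such” moment, it takes the record’s `published` timestamp as that moment; the CVE identifiers and remediation log in the sample are constructed placeholders.

```python
"""Remediation-deadline tracker for CRITICAL CVEs (added example, not from the article).

Assumptions not found in the proposed rule:
  * records follow the NVD API 2.0 JSON layout
    (vulnerabilities[].cve.{id, published, metrics.cvssMetricV31[].cvssData.baseSeverity});
  * the "rated critical" instant is the record's `published` timestamp.
"""
import json
from datetime import datetime, timedelta, timezone

PLANNING_WINDOW = timedelta(hours=24)    # planning must commence within 24 h of rating
REMEDIATION_WINDOW = timedelta(weeks=1)  # remediation applied within 1 week thereafter


def parse_nvd_time(text):
    """NVD timestamps look like '2020-07-01T14:15:00.000' and carry no zone; treat as UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def critical_findings(feed):
    """Return [(cve_id, rated_at)] for every record whose CVSS v3.1 baseSeverity is CRITICAL."""
    found = []
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
        if v31 and v31[0]["cvssData"]["baseSeverity"] == "CRITICAL":
            found.append((cve["id"], parse_nvd_time(cve["published"])))
    return found


def deadlines(rated_at):
    """Planning deadline is 24 h after rating; remediation deadline is 1 week after that."""
    plan_by = rated_at + PLANNING_WINDOW
    return plan_by, plan_by + REMEDIATION_WINDOW


def evaluate(feed, tracker, now):
    """Compare each CRITICAL CVE's deadlines with the team's remediation log.

    tracker maps cve_id -> {"planning_started": datetime|None, "remediated": datetime|None}.
    Returns cve_id -> {"plan_by", "remediate_by", "status"} where status is "ok" or a
    comma-separated list of missed obligations.
    """
    report = {}
    for cve_id, rated_at in critical_findings(feed):
        plan_by, fix_by = deadlines(rated_at)
        log = tracker.get(cve_id, {})
        planned, fixed = log.get("planning_started"), log.get("remediated")
        issues = []
        if planned is None:
            if now > plan_by:
                issues.append("planning overdue")
        elif planned > plan_by:
            issues.append("planning late")
        if fixed is None:
            if now > fix_by:
                issues.append("remediation overdue")
        elif fixed > fix_by:
            issues.append("remediation late")
        report[cve_id] = {"plan_by": plan_by, "remediate_by": fix_by,
                          "status": "ok" if not issues else ", ".join(issues)}
    return report


# Constructed sample feed: placeholder CVE ids, NVD API 2.0 shaped.
SAMPLE_FEED = json.loads("""{"vulnerabilities": [
  {"cve": {"id": "CVE-0000-0001", "published": "2020-07-01T14:15:00.000",
           "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
  {"cve": {"id": "CVE-0000-0002", "published": "2020-07-03T08:00:00.000",
           "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.1, "baseSeverity": "CRITICAL"}}]}}},
  {"cve": {"id": "CVE-0000-0003", "published": "2020-07-03T09:00:00.000",
           "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}}
]}""")

# Constructed remediation log: the first CVE was handled on time, the second not at all.
SAMPLE_TRACKER = {
    "CVE-0000-0001": {"planning_started": datetime(2020, 7, 2, 9, 0, tzinfo=timezone.utc),
                      "remediated": datetime(2020, 7, 8, 12, 0, tzinfo=timezone.utc)},
}
NOW = datetime(2020, 7, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for cve_id, row in evaluate(SAMPLE_FEED, SAMPLE_TRACKER, NOW).items():
        print(f"{cve_id}: plan by {row['plan_by']:%Y-%m-%d %H:%M}, "
              f"remediate by {row['remediate_by']:%Y-%m-%d %H:%M} -> {row['status']}")
```

The HIGH-rated record is ignored because the rule’s clock only runs for vulnerabilities rated critical; in a real deployment the feed would be the NVD API response for the products in the asset inventory, and the tracker would be the ticketing system’s record of when planning and patching actually happened.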
The safe harbor provides further that data base owners which can bear the burden of demonstrating their data security plan is reasonably designed will not be subject to a civil action from the Office of the Attorney General arising from the breach of security of data.
It is worth noting that the frameworks listed might not apply to all of the data maintained by a covered entity. For example, the privacy and security regulations under HIPAA would not apply to employee data or to other activities of the covered entity that do not involve “protected health information,” even though that data may well include personal information of Indiana residents. The regulations are unclear on this point, and covered entities must still consider reasonable measures for that data for the safe harbor to apply.