TITLE 11 CONSUMER PROTECTION DIVISION OF THE OFFICE OF THE ATTORNEY GENERAL
Governor's Notice of Disapproval
LSA Document #20-366
Indiana Government Center South, Fifth Floor
302 West Washington Street
Indianapolis, Indiana 46204-2770
RE: Data Privacy – Security Breach Rule (revised as of Dec. 11, 2020), LSA 20-366(F)
I'd like to emphasize once more that I understand the importance of what the proposed rule seeks to do and I support efforts to promote protection of personal information maintained by businesses. As I stated in my December 10, 2020, letter:
Protection of the personal information of Hoosiers is of paramount importance. I know many "data base owners" (Hoosier businesses and other businesses servicing Hoosiers) go to great lengths to protect the personal information of their customers, clients and employees from cyber criminals who seek to exploit the information to commit fraud, identity theft and other crimes. Many in the business community also know data breaches may well lead to a loss of customer trust as well as administrative and other legal actions. It is in everyone's best interest for data base owners to have strong measures in place to protect personal information.
I appreciate your efforts to address certain specific concerns I highlighted in my previous denial of this rule by amending it and sending a revised rule the very next day. The concerns I highlighted were not an exhaustive list and I continue to have concerns with the rule as revised. The revised rule still fails to provide the business community sufficient clarity and continues to place unnecessary or unachievable burdens on Indiana businesses. Given the significant impact a rule such as this will have on the business community coupled with the strong interest the business community showed by providing comments during the regular rulemaking process, I believe it is important to allow the business community an opportunity to weigh in on the parameters of the rule as revised.
I encourage the Office of the Attorney General to work with the business community to redraft a rule, or alternatively, propose legislation, which will provide clear and achievable security parameters for the business community. Doing so will foster acceptance and compliance leading to greater protections of personal information while not unduly burdening the business community.
Pursuant to
IC 4-22-2-34, and for the reasons stated above and in my December 10th letter, I am disapproving the proposed revised rule.
Posted: 01/13/2021 by Legislative Services Agency
DIN: 20210113-IR-011200366DGA
Composed: May 05,2024 12:13:22PM EDT
A
PDF version of this document.
