As you might expect in this age of constant cyber intrusions, the state of Indiana is pushing forward toward better cybersecurity, spending both human and fiscal capital on educating employees and hardening state data systems.
State employees are being tutored—and constantly reminded—about the need for effective cyber-hygiene skills to help the state avoid being hacked via phishing scams and other similar techniques. The state is also working to further harden state computer systems to protect against potential lapses in security or foil schemes that might involve finding weak points of entry or sheer “brute force” attacks.
Indiana is one of only a single-digit number of states employing a formal chief privacy officer. Ted Cotterill also serves as general counsel for the state’s innovative Management Performance Hub, whose initiatives and practical results have been nationally lauded.
Indiana University also just hired its first chief privacy officer, imbuing the position with university-wide responsibilities to ensure and protect the privacy of IU students, faculty, staff and visitors across all campuses.
The responsibilities of such officials generally include not only ensuring compliance with all laws (including protecting individual health information, maintaining confidentiality of personal data such as Social Security numbers, and issues surrounding juveniles and students), but also requesting, receiving, retaining, processing and protecting institutional and personal data in accordance with state and federal laws as well as industry best practices.
But beyond the few laws with which most seem to be well-acquainted, such as the federal Health Insurance Portability and Accountability Act (better known as HIPAA), the federal Family Educational Rights and Privacy Act (the Buckley Amendment protecting student records), and state juvenile records laws, there is a dearth of specific direction on governmental privacy issues.
In the vacuum, Hoosiers have watched such social media giants as Alphabet’s Google, Facebook, Twitter, Apple and Microsoft chided for the data they have accumulated—with or without express consent, or since data privacy truly became a concern in recent years—but without much recourse for the consumer.
Even as the service economy has boomed and such entities as Airbnb and Uber have become part of the daily (or weekly) lives of Hoosiers, little thought has been devoted lately to the type and amount of data these services collect and how it has been used.
A few years ago, two younger members of the General Assembly—looking ahead to changes in the economy, technology and society in general—formed a millennial caucus to address and assuage such concerns. They saw these matters largely as non-partisan in nature and believed their generation was better-versed to understand and plan for them.
Little follow-through has resulted, even as legislative changes were sought to meet such new concepts as autonomous vehicles and vehicle manufacturers offering a service allowing people to rotate through different new vehicles on a periodic basis for a set per-month fee (raising a myriad of ownership, valuation and taxation, licensing, and insurance issues).
Indeed, it seems as though the courts have been more involved in privacy and tech issues than lawmakers have been. The Indiana Supreme Court has recently reviewed cases involving whether tracking a smartphone’s GPS data via “pinging” required a warrant, and whether law enforcement could require Hoosiers to reveal passcodes to their smartphones.
In the midst of this state and national policy debate, the General Assembly has remained almost entirely on the sidelines. Don’t expect that to remain true through 2020, though, as use of personal data becomes more intrusive and egregious.
Even as the national players in the data collection, aggregation and deployment battle prefer a national framework to avoid a patchwork of state and local regulatory schemes, watch for new privacy protections (or at least studies) to assume prominence on the 2020 legislative agenda after lawmakers ignored it this year.•
Feigenbaum publishes Indiana Legislative Insight for Hannah News Service. He can be reached at EDF@hannah-in.com.