Trials and Tribulations of the Chief Privacy Officer

In a handful of states, chief privacy officers work to guard against the misuse and loss of constituent data. But their jobs are far more intricate than you might imagine.

by Eyragon Eidam / February 7, 2017

Thirty years ago, people wrote checks to pay their utilities, they registered their cars in lines at the DMV and their lives were very much separated from the government agencies they occasionally interacted with. But in 2017, data storage and sharing have changed the customer/government dynamic indefinitely.

Today, personal data permeates government at all levels. It isn’t just mailing addresses and vehicle registration anymore. It’s health data, payment information, your image. It’s criminal records data. It’s randomized daily travel data. 

To compensate for the massive influx of data and the implications that often surround its use (and misuse), a handful of states rely on an evolving role — that of the Chief Privacy Officer (CPO).

This addition to the C-suite is one that prevents overstep and makes sure state agencies have their heads in the game when it comes to how they work with constituent data within state and federal laws.

These CPOs grapple with certain issues daily, and aren't shy about sharing the risks that come with ignoring good privacy and data protection policy.

Call for Better Training

One issue that applies to all states navigating the privacy maze is that of proper training for those involved in the larger conversation. Whether this falls to the legislators ultimately making the rules or the state personnel acting on those rules, training and understanding of the risks are essential for success. 

Utah CPO Benjamin Mehr knows all too well the importance of solid employee training. During a recent penetration test of state systems, security teams used a slightly altered version of the popular Broadway show Hamilton to lure employees into clicking on an emailed link. The test, he said, was a very “good test.”

That might be why Mehr is more concerned about accidental leaks than the bad actor trying to crack the systems. While both pose substantial risks to agencies with data to lose, he said you never know what an employee will do without the proper training. 

“I think we train, obviously, for people to protect the information, [for] various standards as far as not leaking account information, making sure they keep information securely stored," he said, "but there is always that risk of people doing something you trained them not to do and they go ahead and do it anyhow.”

And the cost of breaches is rising, which is one reason the state of West Virginia employs cyberinsurance, said CPO Sallie Milam, who also draws a hard line when it comes to the importance of thorough training.

“A lot of what we focus on is training because employees are a big risk in any workplace, so it’s important to train them on privacy and security risks.”

By the numbers, Milam said the average cost per lost record is $221, but per breach the costs come in at around an average of $7 million.

“When you look at the statistics, half of the privacy breaches are caused by bad actors, and you know from reading the news every day and all of the different phishing scams, they are all targeting our employees," she said. "And they are very good, so we counteract that with training, we counteract that with a vigorous incident management program, we counteract that with risk management and compliance programs."

When Help Ultimately Hurts

Private-sector technology has done a lot of good for government, but it has also increased the public sector’s exposure to risk. The use of third-party vendors, though commonplace in today’s contracting environments, creates new threat vectors that must be managed.

For Milam, the issue highlights the importance of vendor assurance across the entire enterprise. 

“When you think about information technology in any sector, public or private, and you think of the people that help you do your work, and they have subcontractors, it’s just like a spiderweb," she explained. "Every single one of those vendors, all the way out to the end of the web, impacts your level of risk.”

The issue is part of what Milam calls “a particularly challenging area,” especially when smaller, less sophisticated vendors may not know whether they are fully complying with state requirements. This requires the state to vet and audit compliance.

Mehr agrees. Utah's tack is to trust, but to actively and constantly verify. The state's systems carefully track the access granted to vendors. They also watch for unusual or after-hours access.

“Whenever we grant vendors access, we try to track their usage of the access, when they are done with the job, making sure the access is revoked," he explained, "and then of course we have our own System Event Monitoring System, so we can keep a close eye on those privileges that are being granted …”

The Road Ahead

While the concept of keeping data safe may seem simple on the surface, there are constantly shifting facets within the larger conversation. And Washington state’s Alex Alben says it isn’t a conversation that will be going away anytime soon — especially with smarter cities becoming more and more commonplace.

“The paradox is that the smarter we get in smart cities, the more we are collecting and using citizen data,” he said.

But the problem extends beyond just the acceptable uses for collected or stored data, Alben argues. CPOs must also look ahead to what is happening on the national, and occasionally the world, stage. 

He sees the CPO role expanding nationally as the environment and the questions surrounding it get more complex. 

“I also think that not every state has a lot of privacy law. A lot of privacy law is federal law, so being able to understand what is happening at the federal level is important, and that is not easy to do if your job is to work for a specific state agency. So, having a CPO function is a benefit,” he said. “I think it’s going to be more important when the laws of other jurisdictions, even Europe and Asia, start coming into the picture, because states do collect data about people outside of their state.”

A new administration in the White House could mean changes that need to be translated to states. Confusion around which federal agency actually owns privacy and data protection regulation will likely continue to muddy the waters.

“The states are going to continue to say, 'We have the right to do consumer protection,'" Alben said, "but the boundaries between federal jurisdiction and state jurisdiction are not well defined.”

For Mehr, the road ahead means negotiating the challenges around those using state networks, but who are outside of the purview of state oversight. Making sure their policies and procedures are in keeping with the best practices will be essential.

“The issue we deal with is focusing on the agencies we serve, but there are also other entities that are outside of the state’s purview, so to speak,” he said. “Cities and counties, smaller entities that piggyback off of our Internet connections, but we don’t have direct control over them as far as making sure they are following good policy and procedures, and being careful with their data.”

Eyragon Eidam Web Editor

Eyragon Eidam is the Web editor for Government Technology magazine, after previously serving as assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at eeidam@erepublic.com.