In this age of hackers and cybercriminals, every state has a top security official focused on preventing breaches and protecting the vast amounts of data it collects. Now, a growing number also are hiring a top official to make sure that the privacy of residents’ personal data is protected as well.
Many large companies have employed 'chief privacy officers' for years, but they were rare in state government. A decade ago, there were only a few; today, at least eight states have them — Arkansas, Indiana, Kentucky, Ohio, South Carolina, Utah, Washington and West Virginia, according to the National Association of State Chief Information Officers. Arkansas hired its first in June.
“I expect we will see more states doing this in the future,” said Amy Glasscock, a senior policy analyst at the association. “It’s good to focus on privacy rather than just security because of the sensitive information that state governments have on citizens. Educating state agencies how to keep things private is very important.”
States collect reams of confidential information from residents, such as Social Security numbers, health records, tax forms and credit card numbers. Much of it is stored digitally, and some states also use the cloud: remote servers accessed over the internet, rather than a local computer hard drive.
Chief privacy officers are tasked with ensuring that state agencies safeguard that information and comply with privacy regulations. That means state employees who handle data must know how to protect sensitive information when they use or share it.
South Carolina created its chief privacy officer position, for example, after a major data breach at the state Department of Revenue in 2012 that compromised the personal information of nearly 4 million taxpayers.
Chief privacy officers typically create statewide privacy policies that apply to every agency and require that staffers be trained. They meet regularly with state agencies’ privacy teams and evaluate new technology to make sure it doesn’t conflict with privacy protections. Some also offer services to consumers to educate them about protecting their privacy.
“It’s a great idea to have state privacy officers,” said Lee Tien, senior staff attorney for the Electronic Frontier Foundation, a San Francisco-based digital civil liberties group. Governments must “understand that in their information and data operations they can actually do bad things when it comes to privacy.”
Alex Alben, Washington state’s chief privacy officer, said his office is rolling out a privacy checklist app for state and local governments with dozens of topics employees can search, such as how to assess the impact of a program on privacy or protect location-tracking data on mobile devices.
His office also has created a privacy guide for residents and does public outreach.
“You don’t want to just live in this bubble in the state capitol,” Alben said. “It’s important to know what residents’ concerns are about privacy and how their data is being used. We respond to people’s questions and try to be advocates for them.”
State chief privacy officers work closely with chief information security officers, who oversee cybersecurity. Cybercriminals are constantly scanning state computer networks seeking out vulnerabilities. In recent years, they have stepped up their attacks.
“If there’s been any sort of infiltration of a system, privacy is very important,” said Sallie Milam, West Virginia’s chief privacy officer. “We need to know what individuals are affected, what data was impacted, and what is the risk of harm.”
In a 2016 survey of state CIOs, 65 percent said recent cybersecurity incidents had changed the way they approached oversight of privacy issues. Still, only 11 percent said their state had an executive-level chief privacy officer.
The CIOs said they were concerned there was a lack of awareness in state agencies about the importance of privacy.
“If you’re really focused on security, it’s easier not to give as much attention to privacy issues,” said Glasscock, of the chief information officers’ association.
And chief privacy officers don’t just deal with external threats. Sometimes, breaches occur when state employees inadvertently release data that contains personal information, email a confidential document in an unsecured format, or don’t securely store it.
“As long as we have humans in these jobs, mistakes can happen,” Milam said.
A major challenge for chief privacy officers is ensuring that state vendors follow the proper privacy procedures. That can be difficult, given their numbers and the fact that many are small businesses.
“A lot of vendors, I imagine, just sign the document, and are not engaged in extensive compliance,” Milam said.
Washington state’s Alben said he worries about who is overseeing contractors to make sure they’re abiding by privacy rules.
“What are their privacy policies? How do you know they’re enforcing them? What happens when the contract ends?” he said. “These are all things we need to know about.”
Chief privacy officers also must make sure their efforts don’t impede the public’s right to know. A lot of data collected by states isn’t private; it’s public information that should be accessible to anyone.
Glasscock, of the chief information officers’ group, said many states haven’t bothered to create chief privacy officer positions because they don’t want to spend the money.
“You need buy-in at the executive level and from the governor,” she said. “You need people who feel really passionate about the issue.”
But that may be changing. “I think there is a growing trend toward governors caring about this issue and considering it as a priority,” she said.
Milam, who was appointed in 2003 and was the nation’s first state chief privacy officer, agrees the concept is gaining momentum in state capitols.
“There will have to be more of us in the future,” she said. “Privacy officers understand the rules and risks around the release of data. You have to have someone with that expertise, or you’ll lose your public trust.”