After five months of working through the COVID-19 pandemic, government organizations have largely started to understand the technical challenges of shifting their operations to telework. But a new data infrastructure resulting from more staff working from home and increasingly using cloud-based tools has introduced new legal implications that officials must contend with, a technology lawyer told the National Association of Counties’ online conference on Tuesday.
Brian Bodor, a partner with Pillsbury Winthrop Shaw Pittman, pointed to several data-rich trends among municipal governments that may have legal implications, such as “smart city” technologies like street-level sensors and data-analytics platforms, and cloud-based solutions, which have surged in popularity as organizations support mass telework. Rita Reynolds, NACo’s chief technology officer, said she’s increasingly seeing robotic process automation “collecting and accumulating data” within county governments to help workers complete repetitive tasks.
“All of these trends are data-intensive,” Bodor said, adding that while the companies that provide these services have put a lot of thought into protecting their own interests, the same degree of consideration may not extend to their customers. It’s up to local governments themselves, he said, to ensure they’re complying with all laws and security and privacy standards during the pandemic.
1. Contracts are the only way to protect data ownership
“Not many people realize that you can’t actually copyright your data,” Bodor said. “The only way you can protect it is via contract.”
In addition to the original data sets that governments own, Bodor reminded officials to consider their data’s “derivatives,” such as anonymized versions of the data, aggregated data sets and other modified versions that local governments should seek to protect ownership of. New valuable data sets can also spawn from unexpected places, he said, such as from artificial intelligence that’s been fed government data.
“All of that is fair game for discussing or reserving for yourself ownership of that data,” he said. “It doesn’t always mean that you have to own it, but you can also have license rights, for example, to ensure that you have access and the ability to use it.”
2. Always retain the right to access your data
“Always, always, always maintain a clear and unfettered right to get access to your data,” Bodor said.
Preserving the right to data access is especially important when procuring a new cloud-based service, he said, and he encouraged officials to ensure that their data will available and easily usable, lest they introduce new costs or complications into their business processes.
“If you were to get all your data back as, say, a printed copy of dot-matrix pages that are linked as an accordion style, that’s probably not going to be helpful to you,” Bodor said. “Nor would having a PDF of all your data be valuable. So it’s important to discuss the format that is common that your systems can use to grab that data back and easily incorporate it back into your environment.”
3. Make vendors share the cost of compliance
Local governments can outsource technologies, but they can’t outsource the burden they carry to comply with various data security and privacy rules, Bodor said.
“Suppliers like to put all that financial burden on you, but that’s not always fair,” he said. Sometimes the laws change and they really apply to everybody equally and they’re going to have to undertake measures as a cost of doing business in order to ensure that they comply with those. You should not bear the sole cost of that on your nickel.”
4. Don’t pass the buck on security
When buying new technology during the pandemic, officials shouldn’t assume that the supplier’s security provisions meet their standards, Bodor said, because they may not go far enough. These contractual terms, he said, can cover a broad range of topics, from how data is protected and used by their services to provisions about how long the vendor has before notifying their customer.
“Is it an actual or a suspected breach, and what steps do they need to take when a breach happens, and then finally if the breach is really their fault, what liability are they taking on?” Bodor said.
Reynolds, the NACo CTO, said there are many new security considerations during the pandemic that local governments “never had to think about before,” such as the potential need to hide sensitive information like users’ IP addresses as they work from home and ensuring data is encrypted as it travels across a VPN or remote-desktop environment. Though much has changed during the health crisis, she said, there’s one important lesson that’s remained consistent.
“First and foremost, we have to empower our end-users, our employees with basic security knowledge,” she said.