Those in data privacy have had to contend in recent years with a continual stream of new state laws mandating data-management practices. These requirements, often steeped in legal jargon, can leave state agencies and their employees confused — or even worse — non-compliant.
Tasked with getting state agencies on the same page about the latest privacy laws and requirements are state chief privacy officers. The National Association of State Chief Information Officers counts 24 states with privacy chiefs, double the number just four years ago.
“I think part of the reason [privacy] has started to grow is because people are starting to understand that security and privacy are different disciplines, even though they are very interconnected,” Katy Ruckle, Washington’s chief privacy officer, said. “Privacy is getting raised up and getting more attention to resources for those agencies that don’t always feel like it’s the top priority for their leadership.”
Because the field is new, chief privacy officers must get others in state government up to speed on the requirements and make those communications easy to understand. Some challenges — like employees’ lack of privacy proficiency and the sheer volume of legal changes to how data can be handled — are compelling many state privacy chiefs to hold quarterly meetings and designate privacy liaisons at state agencies and departments.
Each data privacy official has different methods of internal communication, but most are recognizing that amid the barrage of new privacy laws and compliance requirements, they cannot do this alone.
Eleven states have comprehensive data privacy laws on the books that govern how data should be managed. Another four states have these types of bills moving through their legislatures. These new laws, coupled with the growing threat of cyberattacks and data breaches, have made it urgent for governments to boost their privacy practices.
For many states — including Indiana, North Carolina, Washington and West Virginia — one way to boost privacy maturity has been establishing networks of privacy liaisons in charge of leading privacy efforts within each agency. Like chief privacy officers, agency liaisons often have a legal background. They are responsible for handling the day-to-day privacy operations within their departments, partaking in training sessions and following through on the privacy chief’s directives.
Indiana Chief Privacy Officer Ted Cotterill told StateScoop that much of this is new for many agencies: While health agencies may be familiar with managing private health data, most state agencies weren’t previously required by law to establish agency privacy officers or provide privacy guidance.
Cotterill said that in his liaison network, which was formalized last month, the agency privacy officer role juggles privacy and other duties.
“Everybody in government, certainly the senior players and business units, have a lot on their plates,” Cotterill said.
The same is true in West Virginia, which founded its privacy practice in 2003, making it the oldest inside any state government. West Virginia CPO Ashley Summitt told StateScoop that nearly all of her state’s 130 agency privacy officers have another job along with their privacy duties, a fact she needs to consider when communicating with them.
Cherie Givens, North Carolina’s chief privacy officer, told StateScoop that even with her state’s network, it’s hard to get people to make changes that improve privacy.
“They tend to fall back into the old habits, because it’s always uncertain when you’re having to learn something new, right? And that always puts people feeling a little uncertain and sometimes nervous,” Givens said. “They don’t want to do a privacy threshold analysis or they don’t want to have you look at a contract because that will take more time or they’re concerned that it might somehow negatively impact something.”
Methods of communication
Despite these hurdles, chief privacy officers still must set the tone of their states’ privacy practices and lead their legions of agency privacy officers. Katy Ruckle in Washington state said one difficulty she encounters in attempting to apply a unified approach to privacy is the differing levels of competence.
“Another challenge that I see just across the state agencies is there’s just not always a lot of consistency in terms of privacy maturity and emphasis on privacy in some agencies over the others,” she said.
To combat this, Ruckle, Givens and Summitt all said they host meetings for agency liaisons and other state employees interested in learning about privacy. Summitt and Ruckle said they hold quarterly meetings about trending topics that end with open forums for liaisons to ask questions. Ruckle and Givens said they publish monthly privacy blogs about trending privacy topics, such as artificial intelligence and risk management.
In Indiana, Cotterill said the state uses Microsoft Teams chat channels prolifically and has created a dedicated privacy channel that his office is populating with content for the agency officers. He said the goal was to “create a collaborative discussion space” with the channel for people to share challenges and solutions. But, he said, there’s “no need to reinvent the wheel” when it comes to getting the word out to agency employees, even though special consideration must be given to each agency’s needs.
“We have to meet these agencies where they are. So we have to provide this flexible framework within which then they can apply their own regulations,” Cotterill said. “They have different operating styles and different structures, they have different needs and concerns around just how to fulfill their own missions.”
He said Indiana needs communication methods that meet the needs of every entity in the state. To do this, Cotterill said he’s posting to the state’s Privacy & Data Ethics Program website, which he said is a key resource for unifying his privacy program.
Leaning on cyber
Officials told StateScoop that a fundamental part of their communications is the issue of how data controls and other privacy considerations interact with states’ ongoing project of upgrading old IT systems.
North Carolina’s Givens, who has experience at the federal level as a privacy contractor employed with U.S. Immigration and Customs Enforcement, said implementing privacy training as part of the state employee onboarding process was one of her first priorities in the office. She said it helps make privacy efforts across state agencies more consistent.
“So part of the process now for onboarding is that you have to know about privacy and that you’re expected to take some beginning privacy modules to make sure you’re up to date on that,” Givens said.
Along with pushing out internal communications and pushing “privacy by design” — industry lingo for considering privacy implications early in the development of new projects — partnering with cybersecurity folks in state government is another top priority for chief privacy officers. Because cybersecurity is more established, Givens said, leaning on her state’s cyber frameworks and leadership to do some of the legwork in advancing privacy has been invaluable.
“I think what’s key is that cybersecurity has been established — for what, 10-20 years now — that having their support and having them advertise the importance of privacy and sending folks to us is really the key,” Givens said.
And leaning on cybersecurity frameworks helps to mitigate risk associated with data breaches and cyberattacks, which is the goal for both data privacy and cybersecurity, even if they’re separate fields.
“Whenever I speak to a group of state employees or the privacy folks, I try to bring it back to that idea, because everybody understands that risk has a cost, and you can look that up and the parliament type studies where they will lay out exactly what kind of data cost the most per record if there’s ever a breach,” Summitt said. “I mean, obviously, there are laws in place, but we want to make sure that we don’t waste taxpayers’ money, so I bring it back to that kind of framework.”