May 7, 2019
Scary stories of cybersecurity incidents, ransomware attacks, data breaches, and/or data privacy violations have sadly become a part of life now. News reports, such as the recent Facebook and Cambridge Analytica scandal, show how private companies’ lax policies on data sharing and lack of proper auditing leave room for data misuse and abuse. Individuals are entitled to know what information private companies or government organizations have on them and how it is shared and protected. As citizens and consumer advocates become more aware of data privacy and security risks, they are calling upon state and federal governments to enact regulations so that living in the digital age doesn’t turn everyday social media users into commodities for companies that are willing to “trade” their personal information to make a profit.
Citizens’ personal data can also be exposed to cyber attacks. Recent data breaches affecting millions of citizens’ personal data in the U.S. Office of Personnel Management, South Carolina’s Department of Revenue, and Texas’ Comptroller’s Office exposed weak cyber-safety protocols and vulnerabilities that make governments easy targets for hackers and state-sponsored organizations. Examples like these do not inspire confidence about how our personal information is handled or protected. A recent Pew Research Center study on cybersecurity shows that almost 50 percent of Americans do not trust the federal government or social media sites to protect their data. The same percentage think their information has become less secure over the five years preceding the study.
State governments are taking heed when it comes to data security. According to a 2019 NCSL report on data security laws, all states have enacted security measures to protect data and systems.
A recent policy brief published by NASCIO notes the growing role of the enterprise-wide approach to data privacy and how some states are being proactive as opposed to reacting to data breach incidents. We are starting to see more efforts to create a privacy-centered culture and effective policies to safeguard citizens’ personal information. These efforts include hiring Chief Privacy Officers.
Social security numbers, driver’s licenses, tax information, birth certificates, death and criminal records, financial information, family status information and voting records are among the personal citizen data state governments are entrusted with every day. Federal government agencies have had a head start in overseeing how taxpayers’ personal information is handled: since 2005 they have had designated senior agency officials for privacy. According to the same NASCIO policy brief, the first Chief Privacy Officer was named in West Virginia in 2013. Since then, this data privacy protection role has been adopted by other states.
Greater federal privacy protections have been called for, namely comprehensive national data privacy legislation that would regulate how businesses, or any organization, can collect, store and share individuals’ personal data, and that would enforce heavy fines for violations. Unlike the comprehensive regulatory approach offered by the European Union General Data Protection Regulation, the United States’ laws provide only limited protections for information collected and shared in certain areas such as health and finance.
Many of the data security laws that states have passed in the past three years seem to coincide with the increase in cybersecurity threats and attacks against government institutions. This is good news, since these new laws require an enterprise approach to how data is protected and how government oversees data security statewide. Also included are measures requiring training for state employees and periodic security audits or assessments. Additionally, at least 35 states have data disposal laws requiring governmental or private entities to destroy or dispose of personal information, or to make it unreadable or indecipherable, to protect citizens against unauthorized access to such personal information.
While all states have enacted legislation requiring private companies and governmental entities to notify individuals of security breaches involving personally-identifiable information, it is clear that both corporations and governments have to do more to safeguard consumers’ and citizens’ data before breaches occur.
Challenges remain due to the limited resources and budget constraints that so many states are facing. Even as cybersecurity is recognized as a top concern for state governments and a business risk, most states spend only between 1% and 3% of their enterprise IT budgets on cybersecurity, compared to the federal government, whose spending on cybersecurity represents 16% of its budget. (NASCIO’s 2018 Deloitte-NASCIO Cybersecurity Study – States at risk: Bold plays for change)
Everyone seems to be on the same page when it comes to citizens’ rights to transparency and to understanding how their data is collected, used and shared. However, in the absence of a uniform standard on how to protect personal information, states are left to their own devices in terms of how they manage and secure data. Only three of the 12 states interviewed by NASCIO have the data privacy protection role established in statute, and only one state has a defined budget line for privacy within its information security budget. So even though the role seems to be defined in those 12 states, the budget to support those activities is absent in almost all of them. Without a clear mandate and budget, chief privacy officers are not able to push out policies to other executive branch agencies and enforce them consistently. Many of the data privacy officers currently hired by state governments provide mostly reactive assistance, when agencies come to them with concerns.
State government agencies need to pay close attention when reviewing contract terms of service for cloud solutions, specifically the data-use and data-sharing terms and anything related to privacy, in order to better protect citizens’ personal information. At a minimum, government contracts with cloud service providers should include provisions guaranteeing that the technology provider protects personal information from unauthorized access or disclosure, protects data confidentiality, and prevents data breaches. Private companies likewise ought to take responsibility for protecting our data and increase transparency about how they are using this information and whom they are sharing it with. Moreover, we cannot talk about data privacy efforts without recognizing the need for a stronger data security culture.
Ultimately, we all should play our part, remaining vigilant and understanding the risks and vulnerabilities of the environments we are operating in, such as the internet of things, social media, online banking, mobile apps, etc. There are ways to stay connected and use these platforms safely. Options can vary depending on the consumer’s risk aversion level. Here are just a few simple tips for safeguarding personal data that you can use:
To sum it all up, companies and governments alike can do more to keep our data private and secure. As citizens and private consumers, we should know our rights and expect that our data is protected. We should expect that any time personally-identifiable information is collected, it is done for valid reasons, in a transparent manner, and with the individual’s consent. We all share responsibility for solving the data privacy and security problem. Do you know what your state is doing to protect data privacy? Answer in the comment box below!