A year from now, in September 2022, the Oregon legislature will hear advice for a data privacy program. This news summary, from the 2021 hearings, starts with Teresa Furnish.
[00:00:13] Teresa Furnish: I’m Teresa Furnish. I’m the IT Audit Manager at the Secretary of State Audits Division. The title of this audit is, “The State Does Not Have a Privacy Program to Manage Enterprise Data Privacy Risk.” And it was released in November, 2020.
In the United States, the federal laws are incohesive. There’s not a great single set of privacy laws at the federal level. So each state is left to either address data privacy on their own, or accept the risks that come with not having really cohesive laws around data privacy.
People are concerned about what happens to their information, particularly Personally Identifiable Information. It’s now collected, processed, stored, shared over technology and the Internet in a way that is unprecedented.
We boiled down the definition for Personally Identifiable Information (PII) as any information that can be used to identify an individual. So as you can imagine, state agencies have a lot of that, in order to meet their mission. State agencies have a lot of information on all of Oregonians. Some of the PII that the states hold would include Social Security Numbers, date and place of birth, your full name; even a phone number can be considered PII.
However, it’s important to note that not all PII is created equal. PII can become more sensitive when it’s combined with other information. For example, if my full name exists somewhere in a database and that gets lost or breached or disclosed inappropriately, this is not going to be a big risk for me. My full name is not a huge secret. However, if that database also has my Social Security Number, my date of birth, it can result in harm to me if that’s disclosed.
For the state’s exposure to privacy risk, we identified two primary concerns. One of them is the exposure to the individual: that we, as a state and a state agency, could accidentally harm the citizens that it was trying to protect. If a disclosure of private information results in personal financial harm, discrimination, or identity theft, that’s the risk to the individual that we do not want to have occur. We don’t want to harm our citizens.
There’s also a risk on the state agency side and to Oregon as a whole. If privacy is not managed and something does get out, the state and agency can be sued. There’s a loss of public trust. Financial penalties can arise from noncompliance with the federal laws that do exist. And then there’s the cost of credit monitoring. I believe it’s over a million dollars just for a small breach. So as you can imagine, the larger the breach, the higher that cost would get. So those are the two primary risks that a privacy risk management program attempts to identify and address.
[00:03:12] Sean McSpaden: Senate Bill 293 among other things directs the office of the state Chief Information Officer to prepare recommendations for elevating consideration of privacy, confidentiality, and data security measures; and address, among other topics, the merits of either establishing and appointing a dedicated state Privacy Officer.
[00:03:35] Terrence Woods: My name is Terrence Woods and I am the state Chief Information Officer. I would like, at the committee’s pleasure, to have our Chief Data Officer and our Chief Information Security Officer speak for a couple of minutes, in regards to what a position like Privacy Officer would do on behalf of the state.
[00:03:51] John Q: Kathryn Helms, Chief Data Officer.
[00:03:54] Kathryn Helms: We’ve seen the audit from the Secretary of State’s office come out recommending the Chief Privacy Officer: How do we navigate an incredibly complicated privacy landscape, both at the federal level, and then even at the state level? As noted in our previous presentation, there isn’t necessarily a standard definition for Personally Identifiable Information, and privacy is tremendously context-specific, depending on an individual’s own appetite for how they want to manage their own individual information, in addition to the complex nature of the ways that folks interact with the state as an entity: What might be private in the context of a healthcare setting may not be private in the context of an employer-employee relationship, may not be private if we’re consensually giving that information out to a website for package and sale and reuse.
And so overall I think noting the complexity of privacy as a specific standalone discipline, I really just wanted to articulate the difference and that inherent tension that’s extant between a Chief Data Officer who might be pushing for that analytic transparency, open data, and then also the Privacy Officer.
[00:05:04] Gary Johnson: My name is Gary Johnson. I’m the Chief Security Officer for the State of Oregon. I would echo a lot of what Kathryn said. The way I view the Privacy Officer in the context of both Kathryn and myself as a three-legged stool or a pyramid, if you will. You really want to have that focus, that discipline, that priority on privacy and not as a secondary factor. It needs to be a focus unto itself. And it is a unique skill set as well.
[00:05:34] Rep. Pam Marsh: So we’ve established that there are tensions between Data and Privacy. So can you talk about that one a little bit?
[00:05:42] Terrence Woods: Co-chairs, Members of the Committee. You bet, Rep. Marsh. The main thing there, I would say, is really having a distinct role, should something like this move forward. You have governance around these particular roles, and then you also have the communities of practice, what are the other states doing?
And so it really comes down to focus. Mr. Johnson talked about burying a role like this within another discipline. You run the risk of not only having that tension there, but you run the risk of the actual, what you’re trying to get out of a privacy officer, being secondary.
And so, in my humble opinion, I think as long as that discipline exists, separate and apart, it has the right governance around it, as well as working, you know, in terms of best practice and working with other states, I think that is one way of which you can mitigate that particular risk.
[00:06:33] Rep. Pam Marsh: So if the two of you disagreed, does Terrence get to decide?
[00:06:37] Terrence Woods: Co-chairs, Members of the Committee, thank you, Rep. Marsh. I talked about governance earlier. I think that would weigh in, but certainly at the end of the day, yes, I would be the person who would have to make that decision.
[00:06:48] John Q: The state of Oregon, planning for the privacy of your personal data.