Privacy regulation took center stage in 2018 when the European Union’s General Data Protection Regulation went into effect. This year, the influence of GDPR crossed the ocean when the California Consumer Privacy Act established similar privacy requirements for companies holding the data of California residents. These laws are at the forefront of what most privacy and compliance experts expect will be a new wave of consumer-oriented privacy legislation.
While the laws don’t directly apply to state agencies, government officials can look to them as models for appropriate privacy practices. By adopting privacy controls similar to those required of the private sector, state agencies can safeguard the sensitive personal information of their constituents. Let’s look at a few key practices that state agencies can implement now to stay ahead of emerging privacy regulations.
Agencies Should Minimize Retention of Citizens' Data
The most effective way to protect sensitive information is not to collect it in the first place or, if collection is necessary, to discard it as soon as it is no longer needed.
Retaining unnecessary data provides opportunities for attackers to steal the data and for mishaps to disclose data to unauthorized people. Data minimization practices stress that agencies should collect information from constituents only when it is necessary for a specific government purpose, and they should discard that information as soon as it is no longer needed for that purpose.
Data minimization is easy to agree to in principle, but it is often harder to implement in practice. Agencies seeking to adopt this philosophy should build inventories of the types of personal information they collect and the locations where it is stored. They also need data retention schedules that provide clear timelines for the secure disposal of information that is no longer needed.
Obtaining Constituent Consent Is Critical
Notice and consent are two of the key principles of both GDPR and CCPA. They’re also two of the Generally Accepted Privacy Principles, which privacy professionals around the world endorse. State agencies should ensure that they collect, process and maintain personal information in a manner consistent with the GAPP.
Notice means agencies should clearly disclose to constituents the types of personal information they collect and maintain. Consent means they should obtain opt-in approval from those constituents before collecting or using personal information. These principles also dictate that information collected for one purpose should not be used for another purpose without obtaining additional consent from the information subject.
It’s important to note the GAPP framework was designed with the private sector in mind. There are clearly cases where the government must collect information about people regardless of their consent. Tax reporting information is a perfect example of this. However, in those cases, the principle of notice should still be observed unless disclosing the existence of a collection effort would run contrary to government interests, such as in the case of a confidential law enforcement investigation.
Encrypt Data in Motion and at Rest
Technology controls are not a cure-all for privacy concerns, but technological solutions do play an important role in the privacy professional’s toolkit. After all, ensuring the security of personal information is another of the GAPP criteria. Agencies that maintain stores of personal information about their constituents have a duty to protect that information from unauthorized disclosure.
Encryption technology is one of the most important controls agencies can adopt to protect the confidentiality of sensitive information. Encryption uses mathematical algorithms to prevent unauthorized access to information by anyone who lacks the appropriate decryption key. This technology may be applied both to data that is traveling over a network (otherwise known as data in motion) and to data that is stored for later use (data at rest).
Agencies should scrutinize all of their data-handling practices to ensure they are applying strong encryption to all of their sensitive data stores. Doing so requires the same accurate data inventory used to practice data minimization. In addition, they should scrutinize all applications that involve the collection, transfer, analysis and processing of personal information to ensure any movement of that information over nonsecure networks, such as the internet, uses Transport Layer Security or other encryption to protect data in motion.
Data Loss Prevention Tools Are Crucial
No matter how strong an agency’s security controls, the reality is cybersecurity incidents will occur. Whether it’s a deliberate attack by identity thieves or a mishap by an agency employee, the risk always exists that sensitive information will leave the secure confines of agency systems. That’s where data loss prevention technology plays a crucial role.
DLP solutions monitor systems and networks for the unencrypted transmission of sensitive information. They use pattern-matching technology to identify Social Security numbers, credit card numbers and other uniquely formatted data elements and can supplement this approach with the digital watermarking of sensitive files. When the DLP system detects an unauthorized data flow, it can block the network connection and alert administrators, avoiding the loss of sensitive information and allowing an investigation of the circumstances leading up to the potential breach.
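The pattern matching described above, sketched as an added example (it is not from the original article or from any DLP product). The regular expressions, the SSN plausibility rules, the policy of blocking only unencrypted flows and the sample message are assumptions constructed for illustration; the Luhn checksum is what separates real card numbers from other 16-digit strings.

```python
import re

# Candidate patterns for uniquely formatted identifiers (assumed formats).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plausible_ssn(area, group, serial):
    """Reject ranges that are never issued: area 000/666/9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def mask(value):
    """Keep only the last four characters so alerts do not leak the data."""
    return "*" * (len(value) - 4) + value[-4:]

def scan(text):
    """Return (kind, masked_value) for every validated identifier in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", mask(digits)))
    return findings

def inspect_flow(flow):
    """Assumed policy: block and alert only when hits travel unencrypted."""
    findings = scan(flow["body"])
    if findings and not flow["encrypted"]:
        return "block_and_alert", findings
    return "allow", findings

# Constructed sample message: one SSN, one Luhn-valid test card number,
# and one 16-digit order reference that fails the checksum.
SAMPLE = ("Applicant SSN 078-05-1120, card 4111 1111 1111 1111, "
          "order ref 1234 5678 9012 3456.")

if __name__ == "__main__":
    print(inspect_flow({"encrypted": False, "body": SAMPLE}))
```

Validation steps such as the checksum and the range checks matter in practice because a format-only match generates enough false alerts that administrators stop reading them.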
Emerging state and federal privacy legislation may not directly affect state government agencies, but that doesn’t mean that states get a free pass. Constituents still expect that agencies will treat their personal information with the care and security it deserves. By implementing these practices, state officials can protect their constituents and avoid embarrassing privacy mishaps.