
By Matthew P. Barach, Esq., CIPP/G

States grapple not only with legal and regulatory issues surrounding privacy, but also with how to handle personal information collected by state agencies. Despite this, the vast majority of states lack dedicated privacy offices and/or chief privacy officers. The state of California is an exception. Its approach to information privacy for state government should serve as a model for the other 49 states.

In 2001, California became the first state in the nation to dedicate a state agency to information and data privacy—the Office of Privacy Protection. Last January the state merged the Office of Privacy Protection and the State Information Security Office, creating the California Office of Information Security and Privacy Protection (OISP). The OISP mission now “unites consumer privacy protection with the oversight of government’s responsible management of information.” The OISP provides services to consumers, recommends practices to business, and provides policy direction, guidance, and compliance to state government.

“It facilitates a more holistic approach to information management,” says California Chief Privacy Officer Joanne McNabb, of the recent structural change. “And it fosters collaboration between privacy and security.”

Traditionally, California has led the United States on information privacy practices. The California state office approach is novel as it combines privacy with security for more efficient administration of information management. “It can be a better model than the silo approach to privacy and security,” says McNabb.

The combined security-privacy agency model also is beneficial in that it makes privacy a one-stop shop. This helps the public understand the interplay of privacy and security and allows for greater collaboration among privacy and security officers. “It is more efficient,” says McNabb, who adds that the setup also “builds a consumer ombudsman role into state policy-making and provides a feedback loop on state practices.” Further, the model rightfully elevates privacy’s importance and highlights the role of the privacy professional.

Originally, the California Office of Privacy Protection was organized as a part of the Department of Consumer Affairs. The State Information Security Office was a branch of the Office of Technology Review, which was part of the Department of Finance. The new configuration for privacy and security in state government was established as of January 1, 2008. Today, the Office of Information Security and Privacy Protection (OISP) is under the State and Consumer Services Agency, which is aligned with the Chief Information Officer and the Governor of California.

A survey of the other 49 states reveals that technology, cyber, or other critical infrastructure agencies exist, but their efforts focus in whole or part on state government information security. For example, Florida’s Office of Information Technology exists to improve “government services and to ensure that the state’s technology infrastructure is reliable, secure, and cost-effective, and meets the business requirements of state agencies.” New York’s Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), established in September 2002, focuses on the state’s cyber-security readiness and critical infrastructure coordination, and coordinates cyber-readiness efforts, geographic information systems, and critical infrastructure preparedness.

All states emphasize data security and technology, but most have not fully embraced the potential value that state government can bring to information privacy. They have not established a clear information privacy directive or created privacy offices.

Only four other states have privacy offices: Arizona, Wisconsin, Ohio, and West Virginia. Each of these states differs substantively from the California model.

“My role is to establish consistent standards in information privacy for agencies in state government,” says Mary Beth Joublanc, chief privacy officer for the state of Arizona. Arizona’s Statewide Information Security and Privacy Office (SISPO) operates within the Government Information Technology Agency, serving as the strategic planning, facilitation, and coordination office for IT security. Ms. Joublanc has taken guidance from her neighbors in California and says she could see Arizona’s privacy role expanding in the future. “As we get things in place, we want to be more out-focused on citizens,” says Joublanc.

Wisconsin modeled its Office of Privacy Protection on California’s approach, according to Susan H. Schliz, who leads the office and serves on the state’s privacy committee.

“[It’s] a place for consumers who have been a victim of identity theft,” says Schliz. The office, which resides in the Department of Agriculture, Trade and Consumer Protection, also provides training for consumers and businesses. Its mission is “to protect the privacy of individuals’ personal information by identifying consumer problems and facilitating the development of fair information practices.”

Unlike California, the Wisconsin Office of Privacy Protection does not oversee the state’s information privacy program. Instead, each Wisconsin state agency maintains a separate privacy program. Also, there is no security or technology component to this office, although the agency does collaborate closely with law enforcement on identity theft.

The West Virginia Privacy Office dedicates efforts towards the protection of personally identifiable health information and protecting the privacy of personally identifiable information collected and maintained by Executive Branch agencies.

Lastly, the state of Ohio’s Privacy & Security Information Center provides technology, policies, standards, and solutions for enhancing the privacy and security of Ohio's data and systems. Additionally, the state’s Web site aims “to act as a privacy and security knowledge center for the citizens, businesses, and employees of the state.”

Various states’ consumer affairs divisions and/or state attorney general offices house privacy professionals. Generally, state attorneys general have the enforcement power to bring actions for failing to file required data breach notices pursuant to state breach notification statutes and/or conduct investigations involving identity theft. However, these agency roles generally focus on consumer protection laws and do not involve privacy management within state government. For example, the New York State Consumer Protection Board provides guidance on information privacy for consumers and businesses, but is not responsible for privacy within New York state agencies.

This survey of the 50 states reveals an overall information privacy void in state governments. Security offices have received the majority of state funding and resources, while privacy has been largely diminished as a funding priority at the agency level.

This void in turn diminishes the role of the privacy professional. This runs counter to the approach of the federal government, which has made privacy an imperative at the agency level through the creation of chief privacy officer positions (although no national privacy officer has been established).

Moreover, there is a lack of consistency in state governments’ approaches to administrating information privacy. This can cause confusion about the role of the privacy professional and can lead to a duplication of efforts in state agencies.

Privacy professionals should become better organized at the state level and actively engage in the political process to lobby state legislatures to adopt the California model, taking care to ensure the information privacy message remains apolitical.

The work won’t be easy. The results of the Blue Ribbon Commission to Establish a Comprehensive Internet Policy effort in the state of Maine may foreshadow the challenges privacy professionals might face in this regard. In 2000, commission member Sally Sutton introduced what might have been the first proposal in the U.S. calling for a privacy advocate in state government. The proposed advocate would have been responsible for receiving and investigating complaints, providing legal representation, making policy recommendations, assisting public and private entities in the development of information policies, coordinating the state’s treatment of personal data, and educating the public. The revolutionary proposal was never adopted. “The Legislators who sponsored were not re-elected and the proposal died,” Sutton said recently.

California’s heavy lifting in this area provides states with a new model to use in their own efforts. The California approach can and should be recognized as an example of the important role privacy offices can play at the state level. The efficiency of the California model enables better administration of information privacy for consumers, businesses, and state government.

Author’s note:
California Governor Arnold Schwarzenegger has released a Reorganization Plan for IT Governance that proposes to once again realign the Office of Information Security and Privacy Protection—breaking it into two separate offices. The information security area would fall under the state’s Office of the CIO, and the Office of Privacy Protection would remain under the State & Consumer Services Agency, with a continued focus on consumers and businesses. This proposal will go before the California legislature this spring.

Matthew P. Barach, Esq., CIPP/G, is the Internet and Information Privacy Counsel for the New York State Consumer Protection Board (CPB) and founder of Boston Privacy Group, where he advises numerous businesses on information privacy best practices. He is the author of a column entitled “Think Privacy,” and he created the New York State Business Privacy. Barach has been a business lawyer and entrepreneur for 14 years. He is an avid golfer and a proud, but slow, marathon runner. He lives with his wife and two children in Sudbury, Massachusetts. He can be reached at 

