It’s a well-known fact by now that organizations large and small, public and private, are increasingly hiring privacy officers to properly manage the data they collect and maintain. But privacy pros may soon find themselves applying for a job previously unheard of to most: chief privacy officer of an entire U.S. state.
To date, only four states have created such a position: Ohio, West Virginia, South Carolina and, most recently, Washington.
The CPOs of those states agree that given the amount of data governments store on citizens and the sensitivity of some of that data, it makes sense for state budgets to carve out funds for someone to shepherd how that data is collected, treated and stored.
But just because it makes sense doesn’t mean the legislators creating the budget can be expected to write the position into the state budget of their own accord. The tie that binds these four state CPOs is the support they have from the top-down—starting with the governor’s office. Preaching privacy as the Good Word has a little more credibility when the person running the state says it’s true.
As Washington state’s very first CPO, Alex Alben is carving out the role as he goes. His first day on the job was in April. While he’s still learning what it is to run the privacy program for a U.S. state, he’s certainly not new to thinking about protecting privacy for the sake of consumers.
Alben’s background is varied; aside from working as an entertainment lawyer once upon a time and then at a few high-tech startups, he was also formerly general counsel at Starwave Corporation. There, he wrote what he says was one of the first privacy policies for the Internet, circa 1994 or 1995. He got some experience in carving out a role for himself when he took a job as the first chief privacy officer at RealNetworks around 2000. And later, he lectured at Stanford Law School, U.C. Berkeley and the UW School of Law on digital technology.
Rather than fighting the battle many CPOs fight at their company—in which they’ve got to first convince the workforce, and maybe the C-suite, that privacy matters before they can embed that necessary culture of privacy within daily practices—Alben has a leg up.
“The governor thinks this is a very serious issue,” he said. “And Washington has demonstrated leadership in a lot of technology categories. So privacy is something that should be on our agenda.”
When he appointed Alben, in fact, Gov. Jay Inslee said privacy protection “must be” a core value for state government. “We want to be a leader in this field,” he said.
Recently, Washington led the nation when Inslee signed a law requiring that law enforcement obtain a warrant before employing what’s known as a “stingray,” or a cell-site simulator used to surveil suspected criminals.
The law passed unanimously in the legislature, which Alben said is an indication of the fact that privacy holds a front-and-center position in terms of priorities on a governmental level. And it’s also something that’s growing in terms of public consciousness, he said.
“The governor certainly wants to be forward-looking and have best practices,” Alben said. “We look at privacy as sort of a service organization for the state of Washington for state agencies in particular.”
It’s early yet, so Alben said while he’s still defining what the needs of the role will be, he’s broken it down into three areas. One, to be a resource to various state agencies and programs—interpreting legislation that deals with privacy, for example. The state recently passed a medical marijuana bill that will see the creation of a database, so Alben is consulting with stakeholders on what the privacy aspects of that will look like. Two, Alben gives advice to the governor’s office and others in state government on new technologies and their impacts on privacy. And three, Alben will handle outreach to the public to help them navigate their own privacy rights.
In West Virginia, it was the 2002 advent of HIPAA’s privacy regulations that got the governor motivated about privacy. Then-Governor Bob Wise tasked West Virginia’s Health Care Authority with overseeing the state’s implementation, and Sallie Milam happened to be the HIPAA senior legal counsel for the Health Care Authority at the time.
While Milam was then put in charge of a privacy team, she had no idea at that time she’d become a privacy officer for the entire state. But following the governor’s executive order, her role as HIPAA senior legal counsel changed to chief privacy officer, and her responsibilities expanded to cover all areas of privacy, including financial, children’s, Social Security and educational privacy.
Milam serves a dual role. Her purview comprises 12 departments and about 26,000 employees statewide. Each department has its own privacy officer, and Milam serves as not only the state’s CPO but as that of the Health Care Authority as well. She reports directly to the Health Care Authority executive director and her staff includes a deputy chief privacy officer, an administrative secretary and a legal intern this summer.
The state’s privacy program, more than 13 years old at this point, is a mature one, Milam said. The program is based on Generally Accepted Privacy Principles, and audits are conducted yearly. The state monitors risk via a portal through which any red flags are to be reported, and an incident response team responds to reported events. Flagged incidents are pushed jointly to the privacy office, the state’s chief information security officer and security team—with whom Milam works closely—and the state’s insurance agency. After the privacy office has reviewed a reported incident and the security team has taken action, if necessary, it’s escalated to the governor’s privacy officer, who provides support.
Milam said she’s lucky to have support directly from the governor’s office and that kind of support trickles down. But privacy buy-in from the top is just the first hurdle. It’s vigilance that matters.
“Even when you have a mature program, you always have turnover,” she said. “While we have the governor’s office’s support—even as governors change—privacy awareness is still really important and takes significant resources. I think it’s something not to be underestimated. The effort needs to remain just as strong as when you start.”
The state contracts with an outside vendor to create a new privacy training every three years. Its most recent program, “Privacy Rocks!,” won an international training award. Milam’s office supplements the training and keeps privacy as a focus by issuing privacy tips every couple of weeks.
“We cast a pretty broad net,” she said. It’s an effort that’s paid off. “If someone sees something that they don’t think is right, they know who to ask and how to escalate,” she said. “There’s definitely a culture of privacy, but you realize you’re never going to be done with training and you still need to help people connect the dots and think about how privacy impacts their day-to-day activities.”
Like Milam, Theodora Wills started out in healthcare and didn’t necessarily see a title like “chief privacy officer” coming. Her degree is in healthcare administration, and she has worked as a privacy consultant and then as the Department of Defense deputy director for privacy. From there she moved on to privacy group director for the Centers for Medicare and Medicaid Services.
She’s been South Carolina’s privacy officer for just a couple months. While she’s got background in privacy and program management, she spent a lot of time in her first few weeks learning.
“A large part of my day to day has been working to understand the many functions of what the state does and the vast amount of information in our holdings,” she said.
Two deputies report to Wills, who’s now looking to more firmly establish privacy liaisons across the state’s agencies and give those liaisons the training and tools they need to succeed. While there’s always a need for allies, Wills said a big part of why she applied to the job is because it seemed like South Carolina’s privacy office “got it.”
Wills reports to the state’s chief operating officer of the Division of Technology, a sub-unit of the Budget and Control Board, as do the chief information officer and the chief information security officer.
“It’s at a level that you can talk to the right people that can help you implement change,” she said. “You aren’t buried so deep into the organization that it takes so long to be heard. I truly appreciate where and how they’ve established the position.”
Wills will be responsible for developing and coordinating privacy activities for the state government, ensuring data collection and storage complies with federal and state laws and developing, implementing and monitoring the statewide privacy governance program, according to the job description. She’s also responsible for working with the CISO and info-sec team on incident response.
Because of the variety of programs and operations within the state, how those policies are implemented will vary, Wills said.
“My goal is to give state agencies the privacy box they must play within. How they conduct their operations within that construct is at their discretion,” Wills said of her plans. “Whatever they do, these privacy threads have to come through.”
At the moment, many of the privacy-related requirements for state agencies are integrated into existing security policies. Wills’ job will be to expand the privacy language in existing policies and, where necessary, establish new privacy policies.
She said she plans for her office to work collaboratively with IT and security teams, as there’s an attitude that whatever programs and policies are implemented at a state-level must be looked at holistically.
In fact, it was the need for that kind of training and sophistication that caught the attention of Ohio’s top brass and greatly changed the role of CPO, created in 2007 and first occupied by Sol Bermann, CIPP/US. The role was originally created by then-governor Ted Strickland, who realized the position was necessary for a number of reasons, Bermann said.
“Some of it was an acknowledgement that privacy expectations in government were growing,” he said, because of the vast amount of data governments collect on citizens, the necessary role privacy plays in enabling personalized government services and the expanding world of data breaches. “Some of it was building out a role that could provide best practices to citizens and the private sector on how to protect their privacy, and some of it was based on observations of Peter Swire’s value during his time in the federal government.”
As it would turn out, the timing of establishing the role couldn’t have been better.
Daren Arnold was a month into his tenure as the state’s second CPO, after serving as the IT law and policy advisor for the state’s IT department, when a major breach hit in 2008. The breach involved improper access to personal information by state employees.
The incident triggered legislation pertaining specifically to Ohio state agencies, establishing stronger rules for employees’ access to confidential personal information (CPI), which meant Arnold was thrust into a very specific privacy-compliance project. The statute required agencies to set criteria for access to CPI, implement logging technologies, appoint a data privacy point of contact, establish procedures to notify affected individuals of incidents of improper access to CPI, and more. While Arnold had a strong understanding of the Fair Information Practice Principles as well as a variety of sectoral laws like HIPAA and FERPA, the learning curve for him was more about how to establish a privacy program that complied with a specific provision.
The positive spin on the breach incident was that it elevated the level of privacy awareness. To bolster that, there were hours of training with agencies, IT staff and chief legal counsels and ultimately all state employees with access to confidential personal information. The privacy program now in place, Arnold’s role is to interact with state agencies to ensure they have the tools, knowledge and understanding necessary to make smart decisions on privacy based on the law.
“Ultimately, we consider the agencies data owners, and I like to push that responsibility back to them,” Arnold said. “They are the ones who make decisions about collecting the data and then how the data is used in compliance with statutes and laws.”
But his role is to help them see potential harms and to understand that incorporating privacy is a way “to do our job better.”
Arnold reports directly to the state’s chief information security director, which he says he appreciates greatly because of the CISO’s support.
“He understands the difference between info-security and privacy, and is a big proponent of privacy as a standalone,” Arnold said.
While Arnold is now an army of one, he says there are proposals to set up additional resources in the privacy office in the future, and it’s vital that the state does so.
“The state government has every bit of information about you from the moment you’re born until the moment you die,” Arnold said, including birth certificates, death certificates, tax forms and health and education records. “You name the data at any particular point in your life, and it’s likely our state or the state you lived in last that has that information about you.”
Given the sensitivity of the data and the importance of its safety, Arnold said it only makes sense that a state would dedicate someone specifically to managing it properly.
“There really are too few CPOs in the states,” he said. “And as privacy continues to change and people have a better understanding of the need to manage privacy, I can just see that expanding.”
That’s a sentiment West Virginia’s Milam can get behind.
“States need to manage their privacy issues just as the private sector manages theirs,” she said. “Privacy is a matter of public trust as well as the law.”
It remains to be seen if other governors take that sentiment to heart and follow the paths of their four trailblazing peers.