More States are Taking Privacy Seriously, but the Work isn't done
Broadcast Retirement Network's Jeffrey Snyder discusses state efforts to regulate personal privacy and data security with the National Association of State Chief Investment Officer's Amy Glasscock.
Jeffrey Snyder, Broadcast Retirement Network
Joining me now is Amy Glasscock from the National Association of Chief Information Officers or CIO. Amy, so great to meet you. Thanks for joining us this morning.
Amy Glasscock, National Association of State Chief Investment Officers
Yeah, absolutely. Thanks for having me.
Jeffrey Snyder, Broadcast Retirement Network
Yeah, I really appreciate this. And privacy, we were kind of talking in the virtual green room. Privacy is really important to so many, all of us really, want to maintain our digital privacy.
This is, I guess my first question is, this is really a key area for many, for all the United States states.
Amy Glasscock, National Association of State Chief Investment Officers
It is. Yeah, absolutely. And it's an issue that's been growing a lot over the last 10, 15 years or so.
We kind of like to think of it as being about a decade behind cybersecurity as a top issue. You know, it used to be that not all of the states had a chief information security officer. And today, not all of the states have a chief privacy officer, but that number has been growing rapidly over the last decade.
Jeffrey Snyder, Broadcast Retirement Network
And you referenced chief privacy officer. How does that role, and this is not a quiz, I mean, it's just more for information. How does that role differ maybe from the chief information officer?
Because I think, I would think that the CIO would have some level of relationship with privacy and cybersecurity and just data in general.
Amy Glasscock, National Association of State Chief Investment Officers
Yeah, absolutely. So the chief information officer is going to oversee how the state executive branch agencies use technology and help them facilitate products and services around their technology needs. And with technology comes a lot of data.
And so that's kind of where the chief privacy officers come in. And of course, there's chief data officers as well. But the chief privacy officers work really closely with the security officers as well to help protect the data that both employees are sharing with state government, as well as, of course, the information that citizens are sharing with state government, which, as you can imagine, is a lot.
So that's something that's been growing in importance for states for a lot of different reasons.
Jeffrey Snyder, Broadcast Retirement Network
Yeah. I'm thinking about PII or personal identification information, I think is what that stands for. Things like social security number, employee ID.
These are things that identify us as individuals uniquely, right? And so it really behooves each state to try to figure out a way to protect that information because they don't want that getting out into the public. And so much of what you read in the mainstream press is around data breaches and cyber breaches, et cetera.
Amy Glasscock, National Association of State Chief Investment Officers
Yeah. I always like to talk about it, sort of understand the responsibility that a state has. If you think about information that you're sharing with a company that you shop with, like Target, for example, maybe Target has your credit card information, knows kind of what you like to buy, your name and address, maybe your phone number, your email address.
But if you think about the state government, I mean, they have your birth certificate, they have your social security information, they have possibly your health department information, their driving information. So there's a lot of data that the states are responsible for and really responsible for keeping safe and helping to build that trust with citizens that when they do interact with the state, as we all have to do, that their information is going to be safe.
Jeffrey Snyder, Broadcast Retirement Network
Yeah. And in fact, everyone paid taxes recently. Part of that was paying to the federal government, paying to state governments, and that data needs to remain.
Obviously, the state needs it in order to transact, but also you want to keep that away from lots of bad actors out there. Amy, I know the report talked about that 31 states are really focused on privacy, but that doesn't mean that the other 19 are not focused on privacy. It just probably just means that they don't have dedicated CPOs or chief privacy officers, right?
Amy Glasscock, National Association of State Chief Investment Officers
Yes. Yeah. And if a state doesn't have one yet, then that is something that is falling to the chief information security officer or the CIO, or maybe the attorney general's office is working on it.
So privacy is not something that anybody gets to skip. It's just a fact of life. There are certain laws that states have to comply with.
Usually, you will find that some of the bigger health and human services agencies that they've probably had somebody in charge of privacy for a long time, but it's just a matter of getting that more enterprise level role established can be a hurdle for some states.
Jeffrey Snyder, Broadcast Retirement Network
Yeah. And the role, it's an evolving role because as I mentioned earlier, there are a lot of bad actors. We're in the midst of a conflict now, but these bad actors use cyber as a means of getting information.
They want to get paid in cryptocurrency. So this is an ever-changing, ever-evolving world and the strategy needs to change.
Amy Glasscock, National Association of State Chief Investment Officers
Yeah. And dealing with that sort of bad actors and hackers and things like that, that's definitely something that the chief information security officer is going to be heavily involved in. And often when there is a data breach, that's when the CPO is often pulled in as well.
So they're looking at, was this because somebody wasn't following best practices with privacy or are we sharing too much of our datasets among one another when it's not necessary? Are we sharing more parts of that dataset than is necessary with this agency or things like that? So there's kind of like a set of best practices that privacy officers are going to be looking at and encouraging agencies to adopt.
And then of course, that's sort of, they're focused on that right to privacy that we have as citizens or employees. And then the security officers are really focused on protecting that right that we have.
Jeffrey Snyder, Broadcast Retirement Network
And I would imagine that one of the benefits of the organization, the association, is that people can share ideas. So the state of Arkansas doesn't have to create its own privacy structure and Alabama doesn't. And you go through the 50 states, they don't have to do that.
They can come together and you get the best of all worlds.
Amy Glasscock, National Association of State Chief Investment Officers
Absolutely. Yeah. One of the things that we've been doing as an association is gathering that chief privacy officer community of practice in person once a year since 2021.
And it's really a great opportunity for them to share best practices and talk about their wins and their challenges together and sort of work through things in a group setting. And then of course, we also provide opportunities and platform for them to discuss issues throughout the year as well. And we have regular calls too.
So that I think is just kind of like the most valuable thing as an association that you can do is to bring your members together to share their expertise with one another.
Jeffrey Snyder, Broadcast Retirement Network
I know this is a topic also for the federal government. How does that interrelation, you're finding the best practices, but also I'm sure the feds, the FBI, the Treasury, SEC, they're all trying to solve for the Congress, trying to solve for privacy as well. So is there that uniformity that I guess, so that you have a whole of government approach is the way I can describe it.
Amy Glasscock, National Association of State Chief Investment Officers
I think that what we have our eye most on with the federal government is with Congress. And if they are planning to pass a national privacy law or something that would kind of be one wall that we could all look together at and because they haven't and haven't been able to, despite many tries, politics always gets in the way and other agenda items in Congress. But a lot of states have been passing their privacy laws instead, just because they feel like they need to be on top of this and protect privacy of their citizens and there isn't a federal law.
So I think that's kind of the big thing that states are keeping in mind when it comes to federal privacy. And you're kind of seeing the same thing around AI right now too, in absence of a federal law, then states are passing their own. Now I will say that usually these laws have to do with the private sector and how companies are using your information.
But we are starting to see some more laws and state levels that are actually about how the government uses your information too.
Jeffrey Snyder, Broadcast Retirement Network
And I would have just to kind of pick up on what you're talking about. I would imagine that you're also working with the private sector to formulate, not you personally, but the association, the chief information security officers, the CPOs are working to find best practices with their corporate partners because you can't do this in a vacuum. And like government, private sector, not-for-profit sector, they all need to protect their valuable data.
Amy Glasscock, National Association of State Chief Investment Officers
Yeah. I would say a big part of the chief privacy officer role is being involved in contracts and procurement and making sure that the state's privacy laws are being followed by their vendors as well. That's a big part of it.
States heavily rely on their vendor partners for services and products and things. States aren't really in the business as much anymore of developing their own technology. So the private sector is a big partner with states and chief privacy officers are always working to make sure that the contracts have crossed all the T's and dotted all the I's for the most important privacy aspects of those contracts.
Jeffrey Snyder, Broadcast Retirement Network
Certainly a tough job, Amy. And it's only going to get tougher. I don't think it's going to get easier, but certainly partnering is going to help make it easier.
Amy, great to see you. Thanks for joining us. And we look forward to having you back again very soon.
Amy Glasscock, National Association of State Chief Investment Officers
Thanks. Happy to be here.
The Arena Media Brands, LLC THESTREET is a registered trademark of TheStreet, Inc.