By Ginger Armbruster, Chief Privacy Officer
Reflecting on this past year of change and turmoil, it is clear that the enormous volume of personal information involved with the increase in telework, transition to distance learning, and overall rapid switch to remote interactions with the world, has served to highlight how critical Data Privacy and Security are to our online safety. As we look forward to Data Privacy Day 2021 on Thursday, January 28, I wanted to take a few minutes to describe how the two separate disciplines of Data Privacy and Data Security work both together and separately to provide accountability about how the public’s personal and sensitive data is collected, used, and protected at the City of Seattle.
It seems that every week we hear news accounts of large-scale data security breaches and nation-state cyber-attacks on critical systems and data stores in both the private and public sectors. For an eye-opening overview please see this report from Identify Force enumerating major breaches of 2019 in which 7.9 billion data records were exposed. Once the numbers are final, they anticipate reporting a 273% increase in 2020. This is just one of many such reports available about data breach – and apologies in advance if this information disturbs anyone’s sleep!
What does this all mean for the City of Seattle? Unfortunately, we are right in the thick of it. As is true with all governments, because of the services we provide, the City of Seattle is a target rich environment. The City of Seattle experiences tens of thousands of malicious attempts weekly to access the sensitive data we collect from the public to provide essential City services. Protecting this data from breach and misuse is an important responsibility as the risks associated with unauthorized data access include personal identity theft and threats to critical infrastructure and public safety.
Holding everything from Social Security numbers to banking account information to utility consumption and transportation details, City systems are under constant cyber-attack as bad actors of all kinds and motivations seek to access the sensitive and personal data we hold. To combat this onslaught, Data Security employs technology, policies, and system controls to protect computer systems and data from internal and external breach, misuse, malicious interference, and theft. Our Chief Information Security Officer (CISO), Andrew Cushman, and his team employ a variety of technologies to identify potential vulnerabilities and attack vectors, managing solutions and systems to identify and significantly reduce the risks posed by breach, ransomware, and phishing attacks. It is an ever-changing threat landscape, and as such anyone who has ever played the game ‘Whack A Mole,’ has experienced what the effort looks like to keep digital infrastructure and computer systems safe.
That speaks to the role of Data Security, but what about Data Privacy? While Data Security addresses external and internal attacks to access systems and data, Data Privacy focuses on the commitments we make about how the City collects, uses, and manages the information we need to provide critical public services. Data Privacy relies on systems and data security as a foundation, but focuses on employing data protection and loss technologies, building awareness, providing education, creating policies, and establishing best practices for employees to minimize collection and protect sensitive and personal information. While Security is about identifying potential risk and employing technology solutions to protect data, Privacy is tasked with providing governance and guidance about the choices that individuals make to ensure appropriate collection and use of that data.
Maybe an easier way to explain this is with a car analogy. (As my teenager will be getting a learner’s permit soon, car safety is on my mind a lot these days.) In the interest of public safety, we all want to make certain that cars are operated safety and according to traffic laws. Accomplishing this is a two-part effort – combining a safe car with a safe driver. We first need to ensure that a vehicle is fully operational and secure. This means that the brakes work, the engine is tuned, door locks function, and indicator lights, headlights and brake lights all shine brightly. Taking care of the operational features and functions that contribute to vehicle safety is a good, if perhaps overly simplified, analogy for Data Security. All of a car’s parts must be in place and operational to ensure that the system is roadworthy before a driver ever takes the wheel and turns the key in the ignition, just as Data Security works to make sure that systems and controls are in place to ensure that an enterprise’s computerized infrastructure is secured from external and internal cyber-attacks before data is ever collected and stored.
The next part of car safety deals with how a driver operates a vehicle and the choices that they make to navigate safety in traffic. This includes making personal choices and assuming responsibility to obey laws, lane designations, and traffic signs that govern HOW they drive. Speeding, changing lanes without using indicators and ignoring traffic directions puts everyone at risk, regardless of whether a car is in top operational condition. Additionally, leaving expensive electronics or cash in an unlocked car invites car thieves and prowlers. As vehicles are only as safe as the drivers that operate them, it is also critical that drivers are trained and certified to abide by the rules, and that traffic enforcement is in place to catch and correct lawbreakers. This is the role that Data Privacy teams play in data accountability – ensuring that City employees, and other authorized consumers of the public’s data, work in accordance with the rules that allow us to obtain and use the public’s data.
The Data Privacy team’s goal at the City is to ensure that every department that collects and uses information, like a person driving a car, follows the laws, regulations, and commitments that govern how we handle the public’s information. The Data Privacy team does this by providing annual employee privacy and security training about good data stewardship, deploying privacy protecting and monitoring technologies, reviewing contracts to ensure that our partners abide by our commitments, evaluating the privacy issues associated with new technologies and projects, advising about minimizing data collection, and recommending options to reduce data privacy risks. In addition, the team collaborates with our City legal team to keep current about local, state, and federal laws pertaining to data management and with our policy teams to ensure that these are incorporated appropriately into City operations. With our partners from Digital Security and Risk, Law, and Operations, the Data Privacy team works to meet our mission statement to promote trust about the use and protection of the public’s data as we provide critical services to City residents.
Although this is a high-level overview of a complicated subject, and my car analogy does not take into account all of the very real nuanced overlaps between the two disciplines (I can almost hear my CISO counterpart’s objections to some of my generalizations as I write this), I hope that this provides a little more clarity about Data Privacy and Data Security, their respective responsibilities, interactions, and the role each plays at the City to protect the public’s data.
Happy Data Privacy Day!
To learn more about the City of Seattle Privacy Program, commitments and principals, visit our site on Seattle.gov/tech.
As the City of Seattle’s Chief Privacy Officer, Ginger leads a team of privacy specialists in the execution of the City’s Privacy Program, following a principles-based approach to the City’s collection and management of the public’s personal and sensitive information. Her office also has responsibility for compliance to the City’s Surveillance Ordinance, Open Data Program, and Citywide Public Records Act Program. Ginger started her career at the City working for the Data Security division, where one of her responsibilities was monitoring data breach activity. She is not remotely ready for her teenager to start driving.