NextGov
Tech Insider
What's happening in the federal IT community

Citizens' Privacy at 'High Risk'
By Maureen Cooney  |  Monday, March 10, 2008 |  7:15 AM

The Government Accountability Office recently reiterated its designation of information security as a governmentwide “high-risk issue” in its report, Information Security: Protecting Personally Identifiable Information. The high-risk designation for information security in the federal government has been included in GAO reports to Congress each year since 1997. Along with its own audits, GAO’s most recent high-risk assessment was based on consideration of annual reporting by federal agencies of their own assessments of risk, including certain material risks reported regarding information security.

Consequences of real and perceived inadequacies in information security policies and controls

Under what circumstances would U.S. consumers confidently continue to share their data with companies that self-report under Sarbanes-Oxley that their operations put customer data at high risk? Frankly, it is hard to imagine such companies easily maintaining the continuing trust and confidence of customers or shareholders without significant costs. In fact, Larry Ponemon, chairman of The Ponemon Institute, has reported that U.S. businesses have seen a steady exodus of customers, a reluctance of some customers to share data and increased costs, including from lost business opportunities, following disclosure of data breaches at their companies. Should we expect the reactions of U.S. citizens to be any different in the federal space? It seems unlikely.

Reports of information management deficiencies take on added significance in the wake of publicized data breaches at federal agencies. Following the release of GAO’s most recent report, at least two more incidents of data breaches have been reported by branches of the federal services domestically and abroad. The stakes are high for agencies that do not adequately address information privacy and security in a well-planned and integrated manner throughout their enterprise. They include reputational and operational risks from inadequate or incomplete plans for safeguarding personal information and addressing data incidents.

A major component of privacy protection for personal data held by the government is the security of personal information. This privacy principle is articulated in the 1974 Privacy Act, the 2002 E-Government Act and in the 2002 Federal Information Security Management Act. Despite these statutory requirements, guidance from the Office of Management and Budget and high-level initiatives that include a nearly two-year effort by the President’s Task Force on Identity Theft to address data handling and data breach incidents, the GAO reports a continuing lack of security readiness by many federal agencies.

What can agencies learn from data breach experiences in the private sector? Absent concrete demonstrations to the public of thoughtful policy implementation and effective protections for privacy and data security of personal information, U.S. citizens may limit data sharing and their participation in government programs. A lack of citizen confidence in the government’s commitment and ability to appropriately manage personal information could limit the uptake and benefits of e-government initiatives. The rollout of significant federal programs that depend on the collection, use and retention of personal data of U.S. citizens, permanent residents and foreign visitors also could be delayed or compromised.

Opportunities to retool using private sector best practices

As information use, accessibility, technologies and risks continue to dramatically change, so must the government's resolve to address the changing environment and to make principled and effective information management policy one of our nation’s most important and visible goals. There are positive opportunities for government to retool, innovate, and learn from the best practices of leading private sector companies in the United States to architect a modern, responsive and effective information management program that promotes trust and confidence.

Appointment of Chief Privacy Officers working in partnership with CIOs

The best practices of industry include taking a comprehensive and integrated approach to privacy and information security, combining privacy policy leadership under a chief privacy officer with effective technology practices and procedures headed up by a chief information officer. Chief privacy officers and chief information officers partner to holistically protect and safeguard personal information within an enterprise, and their likelihood of success rises when that partnering and collaboration is genuine.

An integrated information management program defines enterprise values and formulates a privacy framework that includes information security. A comprehensive information management program assesses risks, tackles behavioral challenges and undertakes an array of training and risk mitigation efforts. Clear parameters are outlined for the appropriate collection and use of personal data. Privacy attentiveness is built into the consideration and use of technologies to collect, share and store personal information.

Many leading American companies recognize the separate roles of a chief privacy officer and a chief information officer within an organization and their necessary partnership to build a successful culture of privacy and security for an enterprise. The CPO has general responsibility for the development of a strategic information privacy policy and compliance framework. The CIO has general responsibility for the procurement, design and development of information systems that work effectively for the enterprise (including responsibility for their physical and technical security features and procedural safeguards) and for ensuring that information products requested by internal customers and clients are produced and delivered on time through the deployment of technologies. Working together, the CPO and CIO can address privacy safeguards and comprehensive information policy development and implementation, as well as information technology leadership that reflects the integration of privacy and security assessments throughout the life cycle of technology development and deployment.

Unfortunately, federal agencies often lack an integrated information management policy approach. This may limit the realization of their best efforts to address specific challenges, including information security and cost-effective, multidisciplinary risk mitigation strategies.

In the federal space there are very few chief privacy officers appointed with responsibility for policy and compliance. Each federal agency is required to have a designated senior privacy official, but they rarely serve at the same high-grade level as chief information officers and lack independent or significant policymaking authority. Designated senior privacy officials often are balancing their role as an adjunct duty to other primary staff responsibilities and can be several levels below agency decision-makers. Federal senior privacy officials reportedly also have more limited direct access to senior leadership in comparison to CIOs in their respective agencies. For many designated senior privacy officials, these circumstances make it difficult to affect information management policy development or privacy compliance directly and effectively at their agencies, including with regard to information security.

Today in the federal space, writ large, there are many challenges to the development and full implementation of a coordinated, comprehensive and governmentwide deployment of programs to protect the privacy, security and data integrity of personal information, notwithstanding best efforts by career professionals and political appointees. Just one of these challenges is that senior privacy officials for agencies may have little or infrequent opportunity to engage with senior-level officials at OMB for ongoing high-level dialogue and guidance. An excellent and long-standing initiative by OMB has been the coordination of regular meetings of a formal CIO Council. That model for dialogue with and among chief privacy officers and OMB policymakers also would greatly assist the federal government in addressing the fullest range of information management challenges. An OMB-led joint forum for regularly scheduled leadership exchanges between the CIOs and chief privacy officers for each agency would greatly enhance cooperation and joint planning, as well as consistency in information privacy and security management approaches.

Effective information management requires leadership, a strong privacy framework and a multidisciplinary approach

Effective information privacy and data security is an iterative and multidimensional challenge that requires multidisciplinary solutions, beyond merely physical and technical safeguards and procedures. Some immediate, low-cost strategies that could improve planning and coordination of federal information privacy and security management include the following:

• Appointing chief privacy officers at all federal agencies by executive order and as required in certain cases by statute (Senior Executive Service level, assistant secretary level or above, consistent with CIOs);

• Establishing an OMB-hosted CPO Council, modeled on the successful CIO Council;

• Creating a joint forum for federal government CPOs and CIOs to address governmentwide information management policy and information technology leadership goals;

• Establishing formal SES performance criteria for CPOs, CIOs, general counsels and chief security officers that promote and reward effective information management policy leadership through demonstrated partnerships among these functions within each agency, including for information security;

• Providing incentives for timely and full implementation of information security requirements through appropriate statutory and regulatory changes to FISMA, including enhanced coordination and compliance reporting by chief privacy officers and CIOs at each agency.

With a creative and full federal commitment, the only thing labeled high risk in subsequent government audits of federal information privacy and security ought to be the perpetrators who seek to do harm to individuals whose information is in the care of the government or to government systems and programs.

Disclaimer: This article solely represents the personal views and observations of the author. It is not held out as an offering of legal advice and is intended as a general discussion on selected information privacy policy issues.