0:05

Hi and welcome NASCIO Voices , where we

0:07

talk all things state IT . I'm

0:09

Amy Glasscock in Lexington , Kentucky .

0:12

And I'm Alex Whitaker in Washington DC . Today

0:14

, Amy and I are talking about the newest State Chief Privacy

0:16

Officer survey and report that was released

0:18

a couple of weeks ago NA SCIO . As our

0:20

resident privacy expert and author of the report

0:23

, Amy is going to give us the rundown . Let's get

0:25

into it . So

0:27

we do surveys each year of the CIOs

0:30

and every two years of the CISOs . How does

0:32

the CPO survey compare to those ?

0:35

Yeah , really good question . So

0:38

the CPO survey first of all , it doesn't

0:40

really go along any particular

0:42

cadence . We've done them three years apart , we've done them two years

0:44

apart . We've done them two years apart . Probably

0:46

need to be somewhat regular about them . But

0:48

outside of that , there are some

0:51

other differences . So the

0:53

CIO and the CISO communities

0:55

are already very well established

0:57

. So every state has a CIO

0:59

and every state has a CISO , and

1:02

states are rarely asking about how

1:04

those roles should be structured or how

1:06

to hire one at this point . So

1:08

those surveys are a lot more focused on policy

1:10

issues and what they're working

1:13

on , how they're thinking about different

1:15

policy issues or new technologies

1:17

or established technologies , things like that . So

1:20

, by contrast , the CPO community

1:22

is still emerging . Only about half

1:24

of states have someone identified as working

1:27

on privacy at the enterprise level , either

1:29

full-time or as part of their job . So I

1:31

look at this survey and report as

1:33

more of a tool for two purposes

1:35

. So one purpose

1:38

is for the current state CPOs

1:40

to use it as a benchmark to see where

1:42

their state is in the process of developing

1:44

a privacy program or establishing

1:46

the CPO role , as well as something that they

1:48

can take to the legislature or higher

1:51

up in the executive branch to say look

1:53

, other states are doing this and I think it would be

1:55

great for us to do this too . Or

1:57

this isn't just something I've been asking

2:00

for . This is a recommendation from NASCIO

2:02

, where the state chief privacy officer community of

2:04

practice resides . And then the

2:06

second purpose is for state CIOs

2:09

or other state officials who are interested in

2:11

hiring a state CPO , and these

2:13

people are usually looking for guidance on what

2:15

the reporting structure should be like and what

2:18

NASCIO recommends , so that that future

2:20

CPO has the best chance of success in their role

2:22

.

2:23

That's really so interesting , and one of the

2:25

things that I've loved about watching the CPO community

2:27

grow is just how it sort of mirrors how NASCIO

2:30

has grown over the last few years , because I'm sure when

2:32

you started you probably didn't expect to be running our CPO

2:34

group as well .

2:36

Yeah , definitely we didn't have one .

2:38

Right , okay , so how is

2:40

the role structured in state government and what

2:42

have the trends been ?

2:45

So the reporting structure is kind of all over the place

2:47

. 25% report

2:49

to a state CIO , which is less

2:51

than it has been historically . So

2:56

in 2019 , that number was 42% and in 2022

2:58

, it was 29% . So it's continuing to decrease

3:00

. And the number of CPOs who report

3:02

to a CISO is also decreasing

3:04

, at 19% currently , which

3:06

is down from 33% in 2019

3:09

and 24% in 2022

3:11

. The most common answer was

3:13

other administration official , at 38%

3:16

. So in my view , I

3:18

think all of this shows that states are increasingly

3:21

recognizing , like we do , that privacy

3:23

is not just a function of technology

3:25

or a subset of cybersecurity , but

3:28

it deals with data in general . When

3:30

asked how a state should ideally structure the role

3:33

we always say , I always say that

3:35

a CPO should have authority over

3:37

the executive branch agencies and

3:39

wherever that works best in that

3:42

state is where they should be . And

3:47

I also caution states not to embed the CPO too far down in the hierarchy of the executive branch

3:49

, because they need to be able to have some authority

3:51

to get things done . Now

3:54

, when we ask current CPOs what

3:56

branch they have authority over , only

3:58

a little over half said that they had authority

4:00

over the executive branch agencies and

4:03

41% said that they only have authority

4:05

over their department or agency . So

4:07

obviously we'd like to see that number go up

4:09

for executive branch agencies

4:11

and we found in the survey that

4:14

lack of authority was a real challenge in general

4:16

for respondents , and you

4:18

know these folks are tasked with leading privacy initiatives

4:20

for more than their agencies but aren't

4:23

actually given any authority or budget to get

4:25

things done and to get the things done that

4:27

they know they need to get done as privacy pros

4:29

. So obviously that's an issue

4:31

.

4:32

Yeah , unfortunately , hearing the

4:34

refrain that a role is not getting the budget or

4:37

support that it needs is not rare

4:39

in state government , but certainly seems like the CPOs

4:41

are really doing a lot of great work and it's always great to hear

4:43

from them at at our conferences . Yeah

4:45

, Um , so what is the thing that feels the most

4:47

different in this survey as compared to the

4:49

one two years ago ?

4:52

So , uh , Probably not a huge surprise , but

4:54

this year we asked about the

4:56

CPO's involvement in AI for

4:58

the first time , and I feel like that is

5:00

really the big thing that has shifted since

5:03

have

5:17

been involved in developing policies related to AI in their state . <p class="MsoNormal">So this year we asked about their involvement in AI for thefirst time and I feel like that is really the big thing that has shifted since2022 . 77% of state CPOs reported that they are or have been involved in settingpolicies related to artificial intelligence in their state . I would even go sofar to say that the explosion of AI is adding to the relevance of the CPO roleand the increasing interest in having one for states that don’t . <o:p></o:p></p>So .

5:25

I also thought it was interesting

5:27

that 94% of

5:29

state CPOs said that they are involved

5:31

at least some of the time in the approval

5:34

process for technology-related procurements

5:36

and contracts the time in the approval

5:38

process for technology-related procurements and contracts , and

5:43

I think I can draw the line to the fact that so many IT procurements

5:45

have elements of AI in them now , which means that new terms and conditions may need to

5:47

be added to standard old procurement language , and

5:50

state CPOs who , by the way , are

5:52

usually attorneys at least 75%

5:54

of them are often weighing in on how to

5:56

best do that .

5:58

Got it . Well , I knew we couldn't get through a NASCIO podcast

6:00

without mentioning AI .

6:01

Of course not !

6:04

Are there any stats that were surprising or

6:06

went in a different direction than you expected

6:08

?

6:09

For sure . One is that

6:11

the number of respondents who say that they're

6:13

the first person to hold the role in their state

6:15

has bounced around over the years

6:17

. So from 2019 to

6:19

2022 to 2024

6:21

, it went from 67%

6:23

down to 41% and now back up

6:25

to 56% . And those

6:27

are folks that say that they're the first

6:30

person to hold the role in its current

6:32

iteration . So when

6:34

it went down two years ago , that told me that the role

6:36

had been around long enough , that several states had already

6:39

replaced their CPO a time or

6:41

maybe even two times . And then this

6:43

year , when it went up again , you know

6:45

, you realize that there are still a lot

6:47

of states that are just now hiring a CPO

6:49

or they're creating the role in a

6:51

more official capacity for the first time

6:54

. So you know we've had states that

6:56

have a general counsel or someone working

6:58

on privacy . And then , you

7:00

know , the next year they're like okay , now we have a new

7:02

role , we're hiring a chief privacy officer for

7:04

the first time with that title . So that's

7:07

kind of cool to see as well . And then , second

7:10

thing that you know , sort of

7:12

surprising was the number of CPOs

7:14

that said that they have the authority to

7:16

enforce privacy compliance . It was only 20%

7:19

this year , compared to 42%

7:22

just two years ago . Obviously

7:24

disappointing to see that number go down

7:26

, but I always take this with a grain

7:28

of salt , considering the small sample size

7:30

. You know , there's only like 25

7:33

people on our list . 17 filled out the

7:35

survey . Did these respondents

7:37

interpret authority differently than the respondents

7:40

two years ago did ? Or are states

7:42

actually taking authority away from CPOs

7:45

? I mean , I have to think it's more the first one , I hope

7:47

. And then , finally

7:49

, the number of respondents who said that they have

7:51

an established privacy program in their state

7:53

went down five points , from 29%

7:56

in 2022 to 24% this

7:58

year . That got some press

8:03

in our trade press . But again

8:05

, I think this just may have been more of maybe

8:08

an interpretation of what established means

8:11

to a CPO from one year to the next

8:13

, or maybe more likely

8:15

it could have been that even just one state

8:17

with an established program that had filled

8:19

out the survey two years ago didn't

8:21

fill it out this year , and then that can throw the answers

8:23

off . And so you know , I doubt

8:25

any state just took an established privacy program

8:28

and threw it out the door .

8:29

Right . So for those states that

8:32

don't yet have a chief privacy

8:34

officer and you know , it sounds like there are a few , of

8:36

course what are NASCIO's recommendations

8:38

for those that would like to establish the role ?

8:41

Yes . So we have three recommendations

8:43

, as we always try to do in these . So

8:45

the first is to establish

8:48

privacy governance . Privacy governance

8:50

was the number one resource CPOs

8:52

said that they need to do their job effectively

8:55

. The second is to

8:57

ensure dedicated funding and authority

8:59

for state CPOs , for states that are creating

9:02

the role or who want to elevate the role . So

9:04

lack of authority and lack of funding

9:06

were the top two challenges that CPOs

9:08

said that they face and talked about

9:10

that a little bit already . I will

9:12

say two years ago

9:14

only one state had a dedicated budget

9:17

for privacy and this year three

9:19

states did . So a little bit of progress

9:21

there Still a lot more needed

9:23

and with additional authority

9:26

and with additional funding it's going to be easier

9:28

to develop that privacy governance too

9:30

. From the first recommendation . And

9:32

then , finally , we recommend establishing

9:35

and training agency leads . A lot

9:37

more states are doing this now than they were five years

9:39

ago , and I think that's great

9:41

, because then you have a team of

9:43

privacy advocates at the agency level

9:45

who have a basic working knowledge

9:47

of privacy and who also

9:49

really understand the business of that agency

9:51

as well as the unique privacy needs

9:54

of the individual agencies .

9:56

Got it . So lots of information and

9:58

recommendations , but , most

10:00

importantly perhaps , where can listeners read the

10:03

report ?

10:04

Of course , yes , so I've just sort

10:06

of , you know , done the high level here . There's so

10:08

much more in the report questions we

10:10

haven't even talked about today . But

10:12

of course you can find it on our website under

10:15

our Resource Center , and we'll definitely put a

10:17

link in the show notes as well .

10:19

Awesome . Well , amy , thank you so much . This has

10:21

been so interesting , and I really encourage

10:23

everybody who has not yet to check out the report

10:25

, because there's a lot of fascinating stuff in there . But

10:28

while everyone is very interested in the role of

10:30

the CPO , of course and that's why they tuned in

10:32

they are also , of course , here for

10:34

the

10:37

lightning round . Are you ready ?

10:39

I'm ready all right .

10:41

Well , as host of our podcast , I

10:43

will ask you do you have any new podcast

10:45

recommendations ?

10:47

Yes , I do . I have been loving and I think

10:49

our listeners would also enjoy Hard

10:52

Fork , which is a technology podcast from

10:54

the New York Times with Kevin Roose and Casey

10:56

Newton and I

10:58

know I've mentioned this to the policy team

11:00

at NASCIO but they talk about current events

11:02

and technology , a lot about AI . Of

11:04

course , it's educational . It's really

11:06

funny . I laugh out loud multiple times

11:08

every episode and you can tell that

11:10

they're friends and it's just a really great

11:13

way to stay up on current tech events . So highly

11:15

recommend it to our listeners .

11:17

Awesome , that's , of course , after you listen to NASCIO

11:19

Voices .

11:19

Of course . I'm sure they'd recommend

11:21

ours too .

11:23

So we have talked about the fact that

11:25

you saw the solar eclipse this week . Tell

11:27

us what it was like .

11:30

Yes , it was so amazing . I will say

11:32

I'm

11:39

going to come across like a real like sky nerd or something here . But when I got to drive into

11:41

totality because it was only about two hours from my house took my mom and my daughter

11:43

with me and was

11:46

just kind of you know , not really knowing what to expect

11:48

. I kind of wanted to see what it was like for it to get dark in the

11:50

middle of the day . That was my main goal and I was like

11:52

, well , if you have some clouds it's fine , but

11:55

luckily we really didn't have any clouds

11:57

. We drove to this beautiful little park

11:59

in Ohio and watched it with

12:02

a thousand other people and

12:04

that moment , when the moon

12:06

covered the sun and we could take our glasses

12:08

off and look up at the blazing Corona

12:13

, it was just completely magical . I think I had tears streaming down my face and

12:15

my mom did too , and my

12:17

daughter said , wow , just wow , that's

12:19

all I can say . So you know , if

12:22

you ever have an opportunity to see

12:24

one , I definitely recommend it . Spain

12:27

two years from now , maybe I'll try it , because the next

12:29

one in the US isn't for like 20

12:31

years , yeah .

12:33

Yeah , all I got was burned retinas because we didn't

12:35

really get it in DC , but I'm glad that you

12:37

had a great time . So now

12:39

for what is my favorite lightning round question

12:41

what did you want to be when you were a kid ?

12:45

I feel like most kids in the 80s 90s

12:47

we were trying to were like trying to save the whales

12:49

and we had our Lisa Frank folders with

12:51

dolphins on them . So I wanted to be a marine biologist

12:54

for a short time , and

12:56

also an actress . Neither

12:59

of those really worked out , but I don't

13:01

care so much about the marine biology anymore , but being an actress

13:03

would still be pretty cool .

13:05

All right , ok , cool , I wanted to be Indiana Jones

13:07

, but then I found out how much

13:09

math and science are involved for archaeology , and

13:11

now I'm the government affairs director

13:13

at NASCIO . That's right , you never know , all

13:16

right . Well , thank you so much for the overview

13:18

, Amy . Hopefully , through this work , more states

13:20

will be able to establish the CPO role

13:23

without feeling like they're starting from scratch . So thanks

13:25

so much .

13:26

Absolutely , and I agree . That's certainly

13:28

my goal . Of course , I'd like to see all

13:30

the states with a privacy lead and I'd like to have

13:32

all of them join our community of practice at NASCIO

13:34

. Great Thanks .

13:36

Thank you . Thanks again for listening

13:38

to NASCIO Voices . NASCIO Voices is a production

13:40

of the National Association of State Chief Information

13:43

Officers , or NASCIO . Learn more at NASCIO . org

13:45

. We'll

13:51

be back in two weeks with a preview of our mid-year conference with Emily Lane . Talk

13:53

with you then .