So it’s no surprise that more states are now hiring chief privacy officers (CPOs). As highlighted in a 2019 report from the National Association of State Chief Information Officers, there were only a few state CPOs up until the last couple years, and most are the first to hold their position in their state.
GovTech decided to dig a little further into the role, who holds it and how they operate. In conducting our own search, we found 13 states that had CPOs, though the titles varied from place to place. They are Arizona, Arkansas, Indiana, Kentucky, Massachusetts, Michigan, New Jersey, Ohio, South Carolina, Tennessee, Utah, Washington and West Virginia.
Their work often revolves around managing legal risk, ensuring compliance with privacy doctrines like HIPAA and creating standards around data privacy as governments collect more data and share it between agencies more often.
In two of those states — Arizona and Washington — the position is currently filled by an interim or acting CPO. Additionally, information wasn’t available for all CPOs on all questions.
Laying Down the Law
Nearly all state CPOs come from a legal background, including a Juris Doctorate and a career spent at law firms or serving as counsel for government agencies and other organizations.What was the primary field each person worked in before becoming a state CPO?
Legal: 4
Policy: 1
Government administration: 1
Privacy: 1
Information security: 1
Information technology: 1
What is the highest degree obtained by each state CPO?
Juris Doctorate: 6
Master’s of Health Administration: 1
Master’s of Business Administration: 1
Who do they report to?
Department head: 5
Department deputy director: 1
Chief information security officer: 2
Which agency is the CPO in?
IT department: 9
Other: 2*
New Faces
How long has each CPO been in place?Less than a year: 1
One year: 3
Two years: 1
More than two years: 4
Titles
Number of state CPOs with each word in their title:Privacy: 10
Compliance: 2
Data: 2
*Two State CPOs Aren't in IT Departments:
Indiana: Indiana’s CPO, Ted Cotterill, operates within the state’s Management Performance Hub (MPH), a standalone state agency charged with fostering data-driven innovation and collaboration among the other agencies. He sees this as an ideal position for the CPO, because it allows the role to add value to efforts happening statewide and send a message that privacy best practices should be considered when using data. That holds especially true when agencies share sensitive data in order to tackle tough challenges, as is the case in Indiana where MPH is coordinating an effort to combat the opioid crisis.“We realized early on that all of this siloed data maintained by our agencies can provide really valuable insights when leveraged as a strategic asset, and in MPH we’ve been able to create legal, technical and business proficiencies by … [consolidating] this data,” he said.
West Virginia: State CPO Ashley Summitt is positioned within the Board of Risk and Insurance Management (BRIM), which offers casualty insurance coverage for state agencies. West Virginia has actually had a CPO longer than any other state, with Gov. Bob Wise first creating the role in 2003. Until two years ago, the position was within the Health Care Authority. But in 2017, with the privacy office focusing more and more on insurance matters, Gov. Jim Justice put the State Privacy Office into BRIM, which is in the Department of Administration.
Summitt said it’s good positioning so her agency can have a tech focus while staying close to its core work.
“Privacy cannot thrive without data security, and with the Office of Technology being a sister Administration agency, it gives us a great opportunity to work even more closely together to enhance risk management in these areas,” she wrote in an email.
Data was gathered from state CPOs, communications officers, agency websites, LinkedIn profiles, NASCIO and coverage from GovTech as well as other publications. Moriah Chace helped gather the data. Due to lack of comprehensive staff listings and variance in terminology, it’s possible that there are states with CPOs not included on this list. If we missed one, let us know at bmiller@govtech.com.