Number one on the list of bad ideas for data privacy protection
AEIdeas
In 23 states, chief information officers are working through an onslaught of legislative efforts that would mandate government contractors to install third-party monitoring software on their systems.
Pitched as a time-keeping measure that lets contractors prove their work, the legislation would require screenshot captures every three minutes, keystroke logging, and storage of the collected data for seven years. That flies in the face of industry best-practice guidance that data need to be protected at every stage of collection.
State governments would be foolish to require contractors to use the equivalent of spyware to keep large quantities of digital information on projects and constituents. A state law mandating third parties to collect and maintain copies of potentially sensitive records for financial audit is at the top of the list of bad ideas for data protection in 2019.
Was this legislation drafted for the 1990s? Most versions of the draft language are identical to each other and would call for the collection of screenshots, keystrokes, and mouse activity to ensure contractors are working. There must be a whole generation of employees who are wondering, “What’s a mouse?” Plus, most of the proposed bills do not consider work on a smartphone or tablet “work product,” meaning the legislation would promote a lower level of digital efficiency in today’s world of cloud computing and smart devices.
At what cost?
In today’s environment in which breaches are a significant issue for cybersecurity protection, why would state legislatures place their constituents’ information in harm’s way? Many of the legislative efforts ask for a massive amount of data to be retained by state contractors and then sent to an additional third party for review to prove the contracted parties’ work product. These vendor files would be a treasure trove for cyber criminals to mine, with sensitive data including detailed personal information about constituent cases such as identification numbers, dates of birth, location data, and underage custody casework information.
What’s worse is that there is no demonstration that there is an actual increase in productivity with any of these tools. For example, the legislation proposed in Rhode Island bill H5255 requires the agency or an auditor to have retroactive access to real-time data collected. The proposed software program would automatically take a screenshot of a computer terminal every three minutes. This particular legislation requires that the software used “must not capture any data that is private or confidential on an individual,” without instruction on how a contractor would audit the screenshots and redact them while keeping them to demonstrate the number of hours of work spent on a project. The proposed legislation also requires that no funds from the project be used to comply with this spyware audit scheme.
One company that sells monitoring software encourages legislators through marketing materials that praise these bills as a way to avoid overbilling to “save your state tens of millions of dollars with zero cost and zero risk.” There is nothing in life that has zero cost, or zero risks. These proposed pieces of legislation would leave contractors with potential liability for the information held in their records by the request of the government and create a costly process for managing and maintaining the data.
Moreover, contractors would have no way to recover those costs unless they charge more in the initial contract for the sunk investment needed to comply with this draft legislation. Many of the draft bills require that any data collected by the software system be considered accounting records of the vendor, and hence the vendor’s liability to manage. Many of the proposals have language requiring vendors to retain the data from the audit function — that is, the screenshots of work product — for at least seven years and to provide the government access to the stored data free of charge, with no explicit provisions on the protection of the collected data. Several federal laws would prohibit keeping the collected data for such long periods, and the data themselves could violate multiple state and federal privacy laws, depending on what the screenshots contain.
There are project planning software programs that would not create this level of risk for state governments. Legislators may intend to bring cost accountability to the government procurement process, but the method these proposals lay out would be intrusive to both constituents and the contract worker. They also pose a risk to citizens whose private information would be surrendered to a third party under a seven-year storage obligation, with no cost recovery to fund the cybersecurity guidance appropriate to the use and storage of that information.
Creating a culture of trust between governments and those who manage their information means having cybersecurity tools in place to protect crucial assets. In many cases, the most crucial asset to protect is the information in the system, and most often the people managing these data pose the greatest risk. The amount of data these draft bills could make available to hackers makes them dangerous to government departments and tax-paying citizens. Rather than creating a risk management problem for state legislatures, legislation should focus on creating a cybersecurity structure. Programs that educate government and contract workers and enforce data security across the work environment should be the goal. These programs should ensure that people, processes, and the technology they use are secured, rather than mandate new vulnerabilities that place workers, contractors, and citizens at risk.
