The state should create a privacy office to better protect Oregonians’ personal information, state auditors say.
State agencies often require residents to provide sensitive information like a social security number or birth date to access services, such as getting a driver’s license.
“Agencies use technology to collect, maintain, use, disseminate, and dispose of sensitive information for virtually all Oregonians,” auditors wrote in a report released Wednesday.
But the state hasn’t developed a system to “ensure that privacy risks are identified and managed throughout” state government, including processes to make sure that security incidents where personal information is at stake are “appropriately handled,” auditors said.
While many individual agencies have processes to comply with federal privacy requirements, “this fragmented approach…falls short of ensuring” sensitive information is properly managed, auditors said.
Oregon instances of data breaches
The threat is not abstract.
In 2014, a data breach at the Oregon Employment Department potentially compromised the personal information of more than 851,000 people.
In 2019, the state Department of Human Services said nine employees opened phishing emails, compromising the personal information of 645,000 people. Another breach that year compromised the protected health information of patients at the Oregon State Hospital.
“Such incidents can lead to identity theft or fraudulent activity that may result in inconvenience, embarrassment, financial loss or other harm for the individual,” auditors wrote.
And if state agencies fail to manage data privacy, they could face financial penalties associated with violating federal regulations, lawsuits or a decline in public trust.
When Oregonians use online forms or agency computer systems to seek services, they might not grasp the potential risks.
Those organizations collecting this information might not fully recognize the risks, either, auditors said.
No one is managing privacy issues
There’s no one person responsible for data privacy issues at the statewide level. As a result, the state hasn’t evaluated the potential risks to Oregonians’ data, according to the audit.
“Once risks are understood, the state can develop policies and procedures to respond to those risks,” auditors wrote.
The state’s main IT office — known as Enterprise Information Services — maintains statewide information technology policy and oversight, including IT security for state agencies.
Right now in Oregon, the chief data officer — a position the Legislature recently created — is overseeing an initiative to make state data more accessible to the public, which includes an effort to inventory what data the state maintains.
Auditors say that’s a “critical first step to managing privacy risk,” as the inventory indicates whether a dataset contains sensitive information. But the chief data officer emphasized the initiative is not intended to manage that privacy risk.
The state’s chief information officer agreed with the audit’s findings.
Enterprise Information Services has asked for state legislation to create a privacy office and appoint a privacy officer in 2021, but anticipated budget cuts due to the COVID-19 pandemic may mean that state money isn’t available for the position, auditors said.
If the bill proposing a state privacy officer moves forward and gets funding, the office would “begin to build an appropriate program in support of privacy overall,” state Chief Information Officer Terrence Woods wrote in a response to the audit.
Claire Withycombe is a reporter at the Statesman Journal. Contact her at [email protected], 503-910-3821 or follow on Twitter @kcwithycombe.