Historical Balance of Transparency and Confidentiality in Public Records Laws
The general structure for public records laws, while differing in the details among the respective states and local units of government, is that government-held data is presumptively public; absent compelling reasons, government-held information should be available for inspection and disclosure. Despite this strong presumption in favor of disclosure, government officials face unique challenges in responding to public record requests, especially those that could require disclosure of confidential or private data. The binary choice of whether to disclose or withhold information inherently involves a decision that should balance disclosure of information held by the government with the importance of protecting privacy and confidential information. Typically, the policies and procedures that historically were designed to effectuate this balance were developed in an era before both the advent of cyberattacks and the monetization of data and data analytics. The primary, and indisputably critical, driver favoring disclosure is “shining the light” on the inner workings of government. The equally important consideration weighing against disclosure is the increasing public awareness of the need to protect personal privacy, as well as legitimately confidential data.
This challenging decision, faced by state and local government officials in particular, is often made without adequate, and sometimes even conflicting, principles and policies. For example, a 2013 survey of local government officials in Florida illustrates that the vast majority (84 percent) of survey respondents experience at least some cross-pressure between providing government transparency and protecting personal information. Overall, “[l]aws, rules, regulations and mandates, court rulings, political pressures from powerful advocacy groups on both sides of the transparency-privacy debate, and budget shortfalls make decision-making difficult.”
Historically, the principles of open government and transparency have favored the default assumption of disclosure as an important application of the public’s right to see the inner workings of their governments. This principle manifests itself in a multitude of ways by various state public records laws. Perhaps the most common statutory structure applies a broad definition for “public record” with specific, and usually narrowly defined, exemptions to disclosure. For example, Washington defines public record as “any writing containing information relating to the conduct of government or the performance of any governmental or proprietary function prepared, owned, used, or retained by any state or local agency regardless of physical form or characteristics.” Specific exemptions are numerous and include everything from garden-variety personal information on individuals such as Social Security numbers and addresses to commercial fishing catch data reported to the government. The key feature of this presumed disclosure approach means that if there is no specific exemption prohibiting disclosure of a requested record (either in the public records act or in other state and federal statutes), the record must be disclosed. Government transparency is further encouraged because even if a government record is exempt from disclosure, if the information that would violate personal privacy or vital government interests can be deleted from the rest of the government record, then the unredacted portions of the record must be disclosed.
In contrast to Washington and most other states, Nevada’s public records law does not define “public record,” yet it declares that unless specifically exempted from disclosure or classified as confidential, “all public books and public records of a governmental entity must be open at all times during office hours to inspection by any person” and copies of such records must be provided if requested. In addition to statutorily enumerated exceptions and confidentiality established by other laws, Nevada’s statute contemplates a balancing approach for withholding records from disclosure: “Any exemption, exception or balancing of interests which limits or restricts access to public books and records by members of the public must be construed narrowly.” Indeed, the Nevada Supreme Court has “routinely employed a balancing test when a statute failed to unambiguously declare certain documents to be confidential,” favoring the policies of open government over the privacy justifications for nondisclosure. Further, state agencies use the balancing test where the Nevada public records act and other laws are silent on the confidentiality of a given record. The balancing test is designed to encourage disclosure, with a “narrower interpretation of private or government interests promoting confidentiality or nondisclosure to be weighed against the liberal policy for an open and accessible government.”
Whether nondisclosure of a government record in response to a public records request flows from a statutorily defined exception, or whether it results from a government official exercising discretion under a balancing test or catch-all exemption, the decision to disclose or withhold a particular type of record reflects a judgment call about whether principles of transparency and open government outweigh privacy and confidentiality interests. The critical difference, however, is that in the former example, the legislature makes the policy decision prospectively, and in the latter, a government official exercises discretion on a case-by-case basis. The general shift toward digitization of government-held information, the associated aggregation of data by government agencies and private entities, and the development of analytical tools that make it easy to sort and extract valuable personal data from the huge troves of data now being collected and held at all levels of government have made this balancing decision even more problematic. The previous paradigm of individuals presenting themselves at the clerk’s window during normal business hours and asking for hard copies of documents—an exercise in public access inherently self-limited by time and physics—has given way to an increasing trend of commercial data harvesting and analytics that can be done with a few keystrokes, with state and local governments providing the raw materials.
E-Government, Cybersecurity Risks, and Impact on Historical Balance of Transparency Versus Confidentiality
Prior to the widespread application of information technology by state and local governments, public records were difficult to access because they were only available locally and individuals requesting access were generally required to do so in person or by mail. This functioned—intentionally or not—as a bottleneck, particularly for public records requests involving multiple custodians or large volumes of responsive materials, as it was particularly difficult to obtain any value from such data requests absent spending significant time and money to sort through paper records. The shift to e-government (i.e., the adoption of information technology, the use of the Internet to communicate with the public and provide government services, and so on) has drastically changed the landscape, as government records are now maintained in electronic databases and access is no longer limited to individuals who visit the custodial agency in person.
Not only has the shift to e-government resulted in easier access to government-held information through the Internet, but also there is simply more data that can be requested. The digitization of government-held information makes records easily searchable, and new datasets can be created by cross-referencing information held by multiple governmental custodians on the same subject. As an example, “Geographic Information Systems (GIS) maintained by governments agencies . . . have the capacity to aggregate information from numerous sources and create a composite that may invade a person’s privacy in a manner that the individual pieces of information do not.”
In addition to the creation of new datasets by government entities from existing data, the twenty-first century has seen a general expansion in the collection of data, particularly in the wake of the September 11 terrorist attacks. For example, a variety of federal statutes authorize government access to electronic communications, financial data, and other records held by third parties for purposes of criminal and national security investigations. More broadly, the shift to e-government has resulted in federal, state, and local governments generating ever-increasing amounts of data and records, as employees use information technology for a variety of tasks, including the processing of online forms and applications, recording public meetings, and providing public access to everything government collects. The prevalence of modern technology, such as smartphones and “machine-to-machine technology” including RFID communication, has “brought about enormous change in the size, diversity, and speed of data gathered on a daily basis at local levels.” It should come as no surprise that in the Information Age, there is an ever-increasing amount of information being collected, generated, and retained by government entities.
Overt Risks: Cyberattacks and Ransomware
The shift to e-government has obvious public policy benefits with respect to public records laws. “Electronic access increases accessibility, improves government transparency and accountability, and makes efficient use of resources.” However, the shift to e-government and greater access to public records also raise privacy concerns and increase the tension between access to public information and protection of private or otherwise confidential information. For example, increasing cybersecurity risks have emerged as a critical concern for government entities holding data and the subjects of that data. Some of this risk is overtly hostile, such as unauthorized external intrusions or outright attacks on government information systems via ransomware.
“Ransomware is a type of malicious software . . . designed to deny access to a computer system or data until a ransom is paid” and “typically spreads through phishing emails or by . . . unknowingly visiting an infected website.” These attacks are purely commercial, with the goal of forcing payment by rendering computer systems unusable until the ransom is paid, rather than seeking access to the actual content of the information itself. For example, in May 2019, hackers essentially shut down computer systems in Baltimore, Maryland, with ransomware and demanded approximately $100,000 to halt the attack. This attack shut down Baltimore’s government e-mail systems and made it impossible for the city to process any real estate transactions or accept payments for city-provided services. A year earlier, Atlanta, Georgia, experienced a similar attack, costing the city approximately $17 million to fully recover its digital civic services. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has observed that ransomware attacks have become increasingly prevalent among all levels of government, including state, local, tribal, and territorial government entities.
Similarly, hackers have been targeting public school systems around the country by immobilizing the digital infrastructure utilized for everything from hosting virtual classes and recording student grades to storing personal information on employees and students such as salary data and disciplinary records. As of October 2020, “at least 63 U.S. school districts and colleges have been impacted by ransomware [attacks], impacting learning at up to 1,302 individual schools.” Schools have become attractive targets for ransomware attacks because tight budgets limit the resources that can be devoted to cyber defense. And, even if a school has had the resources and foresight to provide backups that can be used to restore their systems, attackers are now stealing personally identifiable information and threatening to release it in order to increase their leverage to force payment. For example, in addition to students and teachers being locked out of their digital educational infrastructure, hackers may also leak personal information gathered from the compromised systems, as was the case in the Fairfax, Virginia, ransomware attack. These kinds of ransomware attacks are just one subset of the cybersecurity challenges state and local governments face every day.
Unfortunately, local governments appear ill-equipped to protect themselves from nearly constant cyberattacks. According to a recent nationwide survey of local government officials, “28% [of local government survey respondents] reported being attacked at least hourly and 19% said at least once a day, for a total of 47%.” Large numbers of local governments do not employ adequate, or sometimes even any, cybersecurity hygiene. “[M]any local governments did not know if they were under cyberattack or if they had been breached; did not count or catalog attacks, incidents, or breaches; and could not determine the types of attackers against their systems. They also were not well prepared in several important cybersecurity arenas such as detecting and recovering from breaches and data exfiltrations.” These types of cybersecurity risks are not just limited to local governments. A recent staff report from the U.S. Senate Permanent Subcommittee on Investigations found that despite statutory obligations under the Federal Information Security Modernization Act of 2014 to implement cybersecurity policies consistent with the National Institute of Science and Technology’s standards, “[federal] agencies currently [and historically have] fail[ed] to comply with basic cybersecurity standards.”
Even when government agencies and private organizations follow basic protocols—such as keeping software up-to-date—they remain at risk of cyberattack. In the late fall of 2020, a sophisticated nation-state attack (suspected to be a Russia-linked hacking group) compromised the cybersecurity supply chain to install malware in an update to a widely used network management software platform that allowed the hackers to access the networks of critical private and government entities. The hacking group’s activities went undetected for nearly nine months, while it gathered information from private industry entities and major federal agencies. In the immediate aftermath of the cyberattack, it was clear that thousands of public and private users downloaded the malware-infected updates, including several Fortune 500 companies, the State Department, the Department of Homeland Security, parts of the Pentagon, the Treasury Department, and the Commerce Department. The full breadth and details of this unprecedented attack may never be determined with complete confidence, but it appears that the hacking group accessed as many as 250 different networks and stayed hidden by utilizing servers within the United States to exploit prohibitions on domestic surveillance by federal agencies.
Among other actions taken by the federal government following the attack, CISA issued an emergency directive requiring all federal agencies to “immediately disconnect or power down [the malware-affected] products . . . from their network,” underscoring the seriousness and pervasiveness of the supply chain–focused cyberattack. In effect, this decision precluded the compromised governmental agencies from using some of their most essential cybersecurity detection capabilities, forcing them to “fly blind” until replacement software could be developed and installed. And perhaps most disturbingly, the prospect of residual malware lurking in their systems, waiting to be activated in an even more destructive attack, cannot be completely ruled out.
Commodification of Data and the Data Broker Industry
In addition to overtly hostile attacks, however, there are other more benign cybersecurity challenges to consider. For example, data brokers—companies that collect personal information and other data from public and private records (including Social Security numbers), aggregate it, and sell it to public and private entities—present softer and less nefarious cybersecurity challenges and privacy risks for government entities and the subjects of the data that is being harvested and sold. This commodification of data is particularly relevant to any current assessment of cybersecurity issues associated with public records laws because “[m]any requests for government records come not from watchdog groups, the press, or private citizens, but from data mining companies that glean personal information from governmental records for the purpose of creating ‘profiles’ or dossiers on individuals,” commercially perverting the core public policy principle of “shining light” on the inner workings of government. Data brokers routinely sell personal information to public and private entities for a variety of purposes, including, but not limited to, targeted marketing, credit reporting, background checks, government investigations, rate setting by banks and insurers, and voter targeting by political campaigns.
Commodification of government-held data is not a new issue; various government entities have long been selling information on individuals to the highest bidder. For example, in the 1970s and 1980s, the U.S. Census Bureau sold census data on individuals to private companies for marketing purposes (and often included questions related to respondents’ lifestyles at the request of private companies). And while the practice is now prohibited by the Driver’s Privacy Protection Act, many states made millions of dollars by selling motor vehicle records to private industry. With the advent of e-government and the ever-increasing capabilities of data aggregation and analytics, however, commodification of the personal data held by governments creates a significantly greater privacy risk for individuals than it has in the past.
The use of big data analytics and consumer profiling in the space of targeted advertising presents a particularly challenging issue. On the one hand, some consumers may prefer to receive advertisements for products they might actually be interested in purchasing based on their past purchase history and profile, as opposed to being bombarded indiscriminately by random advertisements. However, such profiling can also create risks to consumers, some subtle, some not so. Advertisers may market different “tiers” of products to individuals based on what that individual’s data analytics suggest, with lower-income individuals being offered lower-cost (and sometimes lower-quality) products compared to individuals who are profiled to have higher incomes. While targeted advertising certainly has the benefit of a certain degree of convenience to the consumer, and more importantly maximizing potential revenue for the seller, it can also be discriminatory. These practices range “from offering promotional discounts only to selected customers to targeting subprime mortgage offers online at likely victims. . . . At its worst, this data-mining supported targeting of consumers may be empowering racial profiling . . . .”
Another issue associated with the data broker industry is that the aggregated dossiers sold by brokers may not always be accurate, and individuals may experience harm, often unknowingly, from the dissemination of inaccurate personal information. For example, a report based on information supplied from a data broker may incorrectly indicate that an individual has a criminal conviction and a prospective employer may decline to hire that individual because of an erroneous data entry. Additionally, individuals can experience other harm, such as identity theft, as a result of unauthorized access and use of individual data. Because of the general anonymity of data brokerage transactions, criminals may pose as legitimate businesses to obtain vital information about individuals, including Social Security and credit card numbers, from data brokers and use that information to steal funds from victims’ financial accounts.
The risks associated with the data broker industry are different than those resulting from an overt attack on government computer systems because the privacy harms accompanying commodification of personal data are primarily borne by individuals and go largely undetected. In contrast, the harms associated with overt attacks on government information technology infrastructure, such as the Baltimore and Atlanta ransomware attacks, burden both the government entity attacked and the public at large. Because of the complexity of the considerations faced, the data broker industry and the associated aggregation of personal information bought and sold by public and private entities will continue to present significant policy challenges. Until the competing interests can be resolved through informed policy decisions, this will continue to be an important issue in the consideration of cybersecurity and public records for several reasons.
First, the data broker industry exists, in part, because of the trove of information on individuals held in government records. Data brokers routinely scrape public records for a variety of such information, including but not limited to driver’s license records, vehicle registration records, criminal records, voter registration records, property records, and occupational licensing records, and combine it with information from other sources. Simply put, the advent of e-government and the ever-widening pool of government-held information on individuals have contributed to the enabling of the data broker industry. Emerging privacy legislation, such as the California Consumer Privacy Act (CCPA), gives consumers more control over their personal information by granting them certain rights, such as the right to know when businesses collect personal information, the right to delete certain personal information, and the right to opt-out of the sale of personal information by businesses. However laudable the CCPA’s protection scheme is, it falls short of truly protecting personal information on individuals because it “does not apply to . . . government agencies,” which provide access to vast stores of information on individuals at essentially no cost to private industry.
Second, data brokers’ collection of information on individuals (often involving open records or public records requests), aggregation of that data, and subsequent sale back to government entities erodes the underlying purpose of public records laws because the data is not used to “shine light” on the inner workings of the government. Lastly, while government-held data may, and indeed must, be legally disclosed to a data broker if the data does not fall within a statutory exception to disclosure, the subsequent aggregation and cross-referencing of that data can transform otherwise disparate datasets into a highly nuanced, and invasive, aggregated analytic that more closely resembles nonpublic or otherwise confidential information that should not have been collected, much less disclosed, in the first place.
As described in more detail above, the principles of open government have historically favored the default assumption of disclosure under public records laws as an important application of the principle of government transparency. The framework of presumptive disclosure absent narrowly construed exceptions furthers the democratic goals of having an educated and engaged public, as well as allowing for greater accountability in government. However, the gathering of personal and otherwise confidential information, especially in the post-9/11 world, runs contrary to the bedrock principle of “privacy by design,” at the very same time when data aggregation and analytics have become significantly more advanced and sophisticated in ways that make exploitation of this data even more likely. These combined and ever-increasing forces threaten individual privacy in ways completely beyond the ability of most citizens to discern, much less fully understand. All the while, information gathering, disclosure, and protection by state and local governments have not changed in any material way to reflect this evolving landscape.
Accordingly, it may be fair to ask whether it is time to reassess how government entities collect, use, and potentially disclose data gathered in order to perform public responsibilities. Effectively mitigating cybersecurity risks such as unauthorized access and use of personal information (i.e., the data broker issue) may require a rethinking of the balancing of two important public interests and the current default framework of presumed disclosure unless explicitly exempted, especially in light of the pervasiveness of data aggregation and monetization. The next section discusses what some jurisdictions have done to address these concerns, analyzes the effectiveness of various approaches, and provides suggestions for how intractable cybersecurity hurdles, such as insufficient funding, might be addressed in the context of recalibrating the balance of transparency versus confidentiality in governmental records requests.
Addressing Cybersecurity Issues and Recalibrating the Transparency versus Confidentiality Balance
The cybersecurity and privacy issues resulting from the shift to e-government, accompanying pressure for increased access to government-held data, and the monetization and aggregation of personal information cannot be addressed by a single silver bullet solution. Government entities must take certain basic steps, such as improving management oversight and securing additional funding, to address the most overt cybersecurity risks, such as ransomware attacks. Increasing insight into, and emerging regulation of, the data broker industry may also slow the trend of what is otherwise almost certain to be the continuing invasion of individual privacy resulting from the access and use of government-held personal information by data brokers and their customers. The evolving landscape described previously has heightened the tension between transparency and privacy in the context of public records requests, and multiple approaches for rebalancing that tension, including privacy-by-design and redefining what constitutes a public record in the first instance, should also be considered. But ultimately, all levels of government will continue to collect, use, and retain vast amounts of data, with resources that are marginally adequate—or likely inadequate—to provide that data with the protection it deserves. The discussion that follows takes up the rhetorical, and some may suggest heretical, question of whether the time has come to reassess how government balances transparency, security, privacy, and commercial reality.
Assessing the Cybersecurity Landscape: Funding Will Always Be a Challenge
Cybersecurity risks such as external hacks and inadvertent disclosures can never be fully eliminated. The hackers are usually several steps ahead in their sophistication, and the human element, such as negligent employees or contractors, still accounts for an estimated 60 percent of all security incidents. But cyber incidents are at least mitigatable problems for government entities. The most obvious preventative measure is enhanced institutional investment in defense and detection technology, as well as management and employee training. Additional funding earmarked for cybersecurity improvements, better management oversight, additional training and cybersecurity personnel, and improved information technology infrastructure would all go a long way toward improving government cybersecurity practices. These solutions comport with the scholarship analyzing the primary hurdles for local governments to achieve high levels of cybersecurity and are absolutely necessary for governments to harden their information technology systems against ransomware, intelligence gathering, and other overt cybersecurity risks.
A 2013 survey focused on local government entities in Florida concluded that governments must devote greater resources to their information technology systems to address cybersecurity risks and to better manage the cross-pressures of government transparency and privacy protection. This includes instituting clearer procedures and standards with respect to cybersecurity, requiring additional training for government employees, investing in more sophisticated technology, and hiring additional information technology and cybersecurity-focused personnel, as well as generally providing more rigorous enforcement and oversight. Unsurprisingly, these suggestions for improvement all require additional funding—an issue for virtually all state and local government programs.
A more recent nationwide study similarly observes that there are many barriers to local governments achieving adequate levels of cybersecurity, including poor top-level management of cybersecurity by elected and appointed officials, lack of competitive governmental salaries for cybersecurity personnel, generally insufficient numbers of cybersecurity employees and inadequate training, and lack of funding. The study concludes that to improve cybersecurity practice, “local governments should create and maintain a culture of cybersecurity, address [the above] barriers to cybersecurity, and follow best cybersecurity practices.” These changes must be from the top down to be successful. In private industry, “top executives and board members must be fully engaged in and supportive of cybersecurity. They should not leave cybersecurity solely or even predominately to technologists.” The same principle applies in the public sector. If elected and appointed officials are not knowledgeable of cybersecurity risks and do not play an active role in improving cybersecurity within their respective government units (e.g., by instilling a culture of cybersecurity), “the problems of cybersecurity management . . . are not likely to diminish greatly over time.”
Legislative and Regulatory Initiatives to Address Cybersecurity Concerns
Many states are actively assessing how improvements in technology and implementation of revised cybersecurity policies and procedures can help protect government-held information and individual privacy. For example, in the aftermath of the ransomware attack on Atlanta, Georgia Governor Brian Kemp signed an Executive Order restructuring the State Government Systems Cybersecurity Review Board (Cybersecurity Board) to include a variety of new personnel, including the Chief Information Security Officer of the Georgia Technology Authority and Executive Director of the Georgia Cyber Center at Augusta University, among others. The Cybersecurity Board is responsible for reviewing the cybersecurity of all executive branch agencies to “identify risks, promote best practices, and audit for cybersecurity training compliance.” The Executive Order also requires the Georgia Technology Authority to develop cybersecurity training materials and executive branch agencies must ensure that all employees complete semiannual cybersecurity training, as well as authorizing termination of employment for employees who fail to complete the training in a timely manner.
A number of states are also studying how emerging technologies, such as blockchain, can be used for recordkeeping and delivery of government services to improve efficiency and cybersecurity. Blockchain, a common name for distributed ledger technologies, is an architectural approach to managing data that records transactions chronologically, permanently, and unalterably, without the need for a central entity to store and share the dataset. For example, in June 2019, the Florida legislature established a Blockchain Task Force comprised of government and industry representatives to “study if and how state, county, and municipal governments can benefit from a transition to a blockchain-based system for recordkeeping, data security, financial transactions, and service delivery and identify ways to improve government interaction with businesses and the public.” The Florida Blockchain Task Force is statutorily directed to study a number of issues including risks and benefits of implementing blockchain technology, and to make recommendations to the Florida governor and legislature concerning the feasibility of implementing blockchain technology in government recordkeeping, including drafting any proposed legislation. To date, the Florida Blockchain Task Force has held four public meetings on the issue but does not appear to have issued its final report and recommendations as of the writing of this chapter. A similar task force in Illinois also studied the feasibility of implementing blockchain technology into government, and many of its recommendations focused on legislative changes related to property law and public recording that would facilitate the integration of distributed ledger technologies into property registries.
Many federal agencies, including the State Department, Department of Labor, Centers for Disease Control and Prevention, and Postal Service Office of Inspector General, have ongoing initiatives to incorporate blockchain technology for a variety of services ranging from streamlining the Temporary Worker Visa Program to improving the system for tracking and managing physical assets owned by the government (e.g., laptops, cell phones, and so on). According to a 2018 report by the Public-Private Analytic Exchange Program, incorporating blockchain into public records management could be extremely useful, as a “tamperproof, redundant, and transparent ledger” has obvious benefits with respect to improving cybersecurity while maintaining transparency of government-held information. The primary hurdles as applied to public records appear to be a combination of lack of understanding of what distributed ledger technologies can do, lack of funding, and simple political inertia. State and local governments can lead the way if the will is there, but authorizing the use of distributed ledger technologies for legally binding government records, such as records of property title transfers, will likely require legislation because current law may not recognize digital records tied to a blockchain as legally binding. And adequate funding to study and properly implement distributed ledger technologies in the public records space is also required because:
If the [distributed ledger technology] selected by a municipality is determined to be cryptographically vulnerable, there could be leaks of sensitive information or the risk of modifications to the underlying data, which could cause great harm to specifically targeted users (by changing a property ownership record, for example) or generalized chaos (by corrupting large numbers of records over time, making it difficult to find a known ‘safe’ state to revert to).
Embrace, Rather than Oppose, the Reality of the Data Broker Industry?
Properly protecting the privacy of individuals while balancing required disclosure, however, will require more than investing in technology and improving cybersecurity policies and procedures. External threats are only part of the equation. Effective mitigation of the risks to privacy posed by the data broker industry, especially access to and use of personal or otherwise confidential information that may be completely within the law, may require a rethinking of basic principles of public records laws in light of the pervasiveness of data aggregation and monetization of personal information. Some states, such as Vermont, have addressed the data broker industry through relatively “light touch” direct regulation rather than heavier-handed outright prohibition by amending public records laws. Vermont’s data broker statute, for example:
- Defines a data broker as “a business . . . that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship”;
- Requires data brokers to register with the state, pay an annual $100 fee, and provide a variety of information related to the broker’s data collection practices and any security breaches it has experienced, among other items;
- Provides for civil penalties if a broker fails to register and allows the Vermont Attorney General to bring an action to collect such penalties and seek injunctive relief;
- Imposes obligations on data brokers to develop, implement, and maintain a “comprehensive information security program . . . contain[ing] administrative, technical, and physical safeguards” to protect personally identifiable information; and
- Provides minimum standards and technical requirements for the information security program, grants the Vermont Attorney General enforcement authority to conduct investigations and bring civil actions for violations, and provides that any violations of the information security program requirements constitute unfair and deceptive business practices.
Direct regulation of the data broker industry has also been proposed several times at the federal level but has not yet gained traction. In 2014, the Federal Trade Commission (FTC) issued a report analyzing the data broker industry and the benefits and risks associated with the collection, aggregation, and sale of personal information to third parties. Overall, the report finds that “Data brokers acquire a vast array of detailed and specific information about consumers; analyze it to make inferences about consumers, some of which may be considered quite sensitive; and share the information with clients in a range of industries. Much of this activity takes place without consumers’ knowledge.” Accordingly, the report recommends that Congress enact legislation “that would enable consumers to learn of the existence and activities of data brokers and provide consumers with reasonable access to information about them held by these entities” and provides specific recommendations for the three main types of data broker products: marketing products, risk mitigation products, and people search products. The report also calls on the data broker industry to adopt a number of best practices, including implementing “privacy-by-design” (i.e., considering individual privacy at every stage of product development), refraining from collecting data on minors, and instituting measures that would curb derivative use of data brokers’ products for unlawful discriminatory purposes. Federal legislation addressing the concerns raised in the FTC report has been introduced in every Congressional session following issuance of the 2014 report, but legislation has never been enacted despite “even industry groups . . . supporting federal legislation.”
Using a different approach that acknowledges the potential value of access to personal data for legitimate public policy reasons, the European Commission, the European Union’s (EU) executive body, recently proposed rules that “would grant businesses and research organizations access to data normally blocked off due to privacy, commercial confidentiality, or intellectual property rights.” The new rules would operate in conjunction with the EU’s General Data Protection Regulation (GDPR), and data-holding entities would still be required to implement privacy safeguards, such as anonymization of personal data, prior to sharing it with private entities under the proposed rules. The proposed rules, which aim to provide data access to promote innovation, illustrate that access to personal data by private industry can be appropriate, so long as adequate safeguards are implemented. For example, the benefits of the data broker industry, such as fraud prevention and tailored advertising, may be worth the price of access to consumers’ private information, so long as confidential information is adequately protected and consumers are given the opportunity to meaningfully review, correct, and opt out of data brokers’ databases.
Recalibrating the Traditional Balance of Transparency and Confidentiality in Today’s Data-Centric Environment
Direct regulation of the data broker industry through registration requirements, data security obligations, and implementation of transparency to consumers and regulators, however, is likely only a partial, and temporary, solution. Because the pressure for commercial access to and use of personal information does not fall neatly into the already challenging equation that struggles to address the balance between disclosure and transparency on the one hand, and legitimate interests in privacy on the other, state and local governments may have to reconsider re-balancing how these powerful commercial and policy interests are addressed by adding yet another variable to the equation: securing the significant additional funding needed for proper cybersecurity protections and management. As a conceptual starting point, direct regulation of the commercial aspects of the data broker industry through a combination of registration and basic principles of transparency, like Vermont’s statutory scheme, could provide a unique opportunity for funding cybersecurity improvements. While Vermont’s annual registration fee for data brokers is only a modest $100, states may consider charging proportionately higher licensing fees on data brokers who collect, maintain, and sell data on individuals residing in their respective states that could be dedicated to protecting the security of personal data collected and used by the state as well as potentially local governments in that jurisdiction. Licensing fees could be on a sliding scale depending on how large the data broker is, the size of the data sets to which access is allowed, and the commercial value of what is in essence public data.
This could require a significant reassessment of the balance of public access to private data held by the government, as some states go so far as to prohibit access to certain types of data if it will be used for commercial purposes. For example, entities requesting GIS data from North Carolina government agencies must agree to not resell or use the data for trade or commercial purposes. In South Carolina, information contained in police incident reports and employee salary schedules, including home addresses and home telephone numbers of public employees, “may not be utilized for commercial solicitation.” Such states that impose restrictions based on the intended purposes for the data requested or the identity of the requester “reflect a concern regarding the ‘derivative uses’ to which public records may be put,” such as commercial use by the data broker industry.
While laudable in theory, such absolute prohibitions against derivative commercial use may miss the mark, since the voracious appetite of the marketplace for such data may simply prompt the commercial entity to seek the same or similar data from other sources, likely at incrementally greater cost than the otherwise “free” source of government. As a result, an opportunity to tap a revenue stream that could be dedicated to improvements in cybersecurity would be lost, with no net change in the ultimate outcome: the individual’s data will still be available and accessed from another source. Given the pervasiveness of the data broker industry and the challenges associated with enforcing restrictions on commercial use, states might consider whether, under appropriate conditions and safeguards, a more tailored solution might be to charge access or user fees for certain types of “commercial” records requests and dedicate those revenues to investments in cybersecurity improvements.
There are various ways this could be implemented. For example, states could adopt a two-step process of (1) requiring data brokers to register and then (2) amending their public records laws to contain a rebuttable (or, for ease of administration, perhaps even irrebuttable) presumption that any requests for public data from data brokers, data broker employees, and all related entities are automatically deemed to be for “commercial purposes” and would be subject to a market-based fee. Alternatively, states could avoid the registration step and simply amend their public records laws to require the requesting entity to state the purpose for which the data is being requested and require the requesting entity to pay fees for any commercial uses; this approach is very similar to that used in Arizona. A healthy and effective audit function could also be funded by these fees. States should also consider whether the disclosed data must be accompanied by a “trickledown” use agreement to ensure that the data is only used by the requesting entity for the agreed-to purpose and that it is not re-sold, or alternatively, any reselling would incorporate some sort of market-based fee that would be returned to the state. Amendments to public records laws could also authorize a private right of action if the requesting entity violates such an agreement, as well as authorizing the state attorney general to bring an action for injunctive relief and damages.
While it may initially appear provocative or even counterintuitive, such a “Faustian bargain” between government entities and the data broker industry would recognize the government’s need to collect and use data, allow the state to capture some of the monetary value of personal information held by governments—presumably in anonymized form without actual individual data being made available—and provide data brokers with a transparent means to secure the raw material required to extract commercial value from the data itself. Common sense tells us that data brokers will find a way to secure this type of aggregate data with or without the willing participation of government entities. While charging a fee for making aggregated or anonymized personal information available to commercial entities may at first seem like “selling out” to the shadowy world of data brokers, the reality is that the data broker industry will find this data somewhere; the only question is whether state and local governments can make that process more transparent and capture the value of the data in order to fulfill the important public purpose of protecting actual disaggregated personal data from unauthorized disclosure.
Certain facts are immutable: governments need to collect and use data for public purposes. Government-held data should be readily accessible under the commendable “shine the light” principle that embodies access to data held by government. And there is an insatiable commercial appetite for data, with market forces likely to find alternative sources for the same information if data brokers were precluded from mining existing government data. Rather than finding a way to prevent data brokers from accessing public information, might it make more sense to allow carefully defined and controlled commercial access to certain government-held aggregated and/or anonymized data at a market-driven price and thereby provide appropriate funding for data protection? Data subjects and advocates for individual privacy no doubt will be uncomfortable with this framework at first blush, but we live in an imperfect world. If the consequence of allowing commercial access to otherwise aggregated or anonymized public data provides state and local governments with a revenue stream dedicated to improving cybersecurity protections for disaggregated or individualized personal data that was never intended to be public and needs to be protected against unauthorized disclosure, perhaps that is a trade-off worth considering.
Normalizing the Definition of Public Data and Exceptions for Disclosure
There are other aspects of public records laws that are also worth taking a hard look at in considering how the balance between transparency and privacy can be recalibrated to reflect current practices for how data is collected and used. For example, many states define “public records” extremely broadly. Minnesota defines “government data” as “all data collected, created, received, maintained or disseminated by any government entity regardless of its physical form, storage media or conditions of use.” Washington defines a public record as “any writing containing information relating to the conduct of government or the performance of any governmental or proprietary function prepared, owned, used, or retained by any state or local agency regardless of physical form or characteristics.” Such broad definitions arguably undercut the primary purpose of public records laws because the definitions could encompass data that does not further the goal of government transparency, such as personal information on private individuals not directly related to government functions.
While different types of personal information may be exempt from disclosure under public records laws through specific exceptions, a better approach might be to narrow the definition of what constitutes a public record in the first instance by “permit[ting] public access to [only] those records that have a direct effect on official [governmental] duties and activities,” rather than allowing access to records that are simply held by a government entity or are in some way related to a government function. Redefining public records on the front end so the definition does not encompass certain types of data, such as personal information on individuals not having a direct effect on governmental activities, could be an easy first step in amending public records laws to reflect basic principles of privacy-by-design. Addressing privacy concerns proactively, rather than reactively, by considering first the need to collect personal data, second the need to use such data for legitimate governmental purposes, and lastly the need to disclose such data, at every stage of product or process development, would require a huge paradigm shift in how government operates, but it would be worth attempting in at least small steps on a trial basis for those entities interested in improving how this balance is struck. “[E]ffective privacy management requires privacy to be taken into account at all stages of a dataset’s lifecycle.” Asking the threshold question of “Do we really need to collect/use/retain this individualized personal data?” could go a long way toward recalibrating the balance between transparency and privacy.
Similarly, anticipating the inevitability of widespread aggregation of personal information for commercial use, often without the data subject’s knowledge or permission, could influence how government treats private or otherwise confidential data at the collection stage, mirroring the principles of GDPR and CCPA. When confidential or private data is collected by a government entity, it must be collected for an essential purpose; any use beyond that purpose would have to be agreed to by the individual. Once the government entity accomplishes the stated use of the data, the data should be permanently deleted so as to minimize potential future harm resulting from unauthorized access and/or use. Additionally, individuals should be allowed the right to opt out of any subsequent commercial use of data that they provide to government entities.
In summary, the shift to e-government and accompanying pervasiveness of the data broker industry and monetization of personal data arguably necessitates a significant rebalancing of the conflicting considerations that promote transparency in government versus protecting individual privacy in order to reflect more accurately the appropriate balance for how data is collected and used today. A privacy-by-design scheme, while one of many important first steps, will not be a silver bullet solution, but it would help inform how individual privacy should be considered when the government collects private or otherwise confidential information. Government entities should also consider more carefully how to protect data generally and privacy in particular during the storage, processing, and release of any such data in response to a records request. Whether the “Faustian bargain” described above is appropriate in order to obtain additional revenue to improve cybersecurity protections is certainly beyond the scope of this chapter, but it should not be beyond scope for the ongoing and ever-challenging discussion of how these competing interests can better be balanced.
Lessons Learned and Practical Pointers
While achieving absolute security of government-held information may very well be an insurmountable problem, it is worth examining what legal practitioners may do proactively to protect sensitive client information requested, used, or held by the government. From a practical standpoint, certain entities may not have a choice in which government agencies they interact with, particularly in regulated industries with permitting or reporting requirements. For example, a business that requires a wastewater permit for an industrial process will almost certainly have to provide information on the covered process to the state’s environmental permitting authority. Depending on what information the agency requires in a permit application and the particular facts, the business could potentially be required to disclose trade secrets or otherwise sensitive or confidential information in a permit application. And while providing sensitive information to the government may raise concerns in and of itself, the problem is compounded when the agency concerned practices poor cyber hygiene.
Refusing to disclose information required by the government because of cybersecurity or confidentiality concerns is not likely to be an option for a business that needs to obtain a permit in order to operate. Thus, the next best alternative is to understand more completely how the government agency will manage the sensitive data and take concrete steps to proactively protect client information. For example, if government agencies ask for data that contains personally identifiable, sensitive, or trade secret information, counsel could request to provide such information only via encrypted format and separately provide the encryption key. If a regulator is asking for sensitive or trade secret information, it would be prudent for the regulated entity to designate prominently the data as such and contemporaneously provide sufficient facts to support a “trade secret” designation by the government agency in the event of a public records request. While these actions by no means guarantee that the sensitive data will be treated as confidential in a public records request, or that the data will be managed securely in the government agency’s computer systems, such actions at least put the agency on notice of the sensitivity of the information at issue and make it more difficult for the data to be misused or accessed by unauthorized individuals.
Practitioners may also attempt to negotiate with government agencies to allow for certain data protections to be implemented, akin to obtaining a protective order in litigation for highly confidential data. For example, an entity providing sensitive information to the government could negotiate for certain access restrictions, two-factor authentication, or even specific data management technologies to be implemented by the government agency to ensure data security. This approach may not be workable in every instance because funding and leverage may prove to be significant hurdles. However, where there is a compelling government need for sensitive or confidential information, and the data-providing entity is also willing to provide capital to fund enhanced cybersecurity measures, negotiating with government agencies for the special treatment of particularly sensitive information could alleviate some concerns about the security of data held by government agencies.
Conclusion
The tension between transparency and confidentiality is inherent in almost any decision on whether to disclose or withhold certain information pursuant to a public records law data request. And while that tension has always been present, competing expectations of confidentiality and individual privacy on the one hand, and an open and transparent government on the other, have continued to stretch the fabric of the public’s trust in their government’s collection, use, and retention of data, especially personal data, in an age of almost ubiquitous collection and big data analytics. Public records laws were never designed for the digital age and are sorely lagging behind the technology of data collection and use, as well as the potential commercial value of the ever-increasing amount of data being collected by government entities, big and small. The important policy considerations that underlie open and unfettered access to government data have not been updated to account for the shifting historical balance between transparency and confidentiality. Last, but hardly least, government institutions are generally ill-equipped and inadequately funded to address the overtly hostile, or even the more benign, cybersecurity challenges that are ever-present in the information age.
But the situation is not hopeless. States and their local units of government, as the incubators of democracy, can consider and apply a privacy-by-design lens in the “why” and “how” of data collection, use, and retention, and re-assess how public records laws can be tailored to work more effectively in an environment where data is an increasingly valuable commodity. This is a process, not a destination, and it will require imagination and certainly additional funding sources—including whether it might be time to consider charging market-based fees for commercial public records requests. The challenges are significant, but so are the opportunities.