As a founder, CEO or a Corporate Director, Privacy and Artificial Intelligence (AI) are concepts you should be focused on because they may pose big risks, or opportunities, to your business. And if you have been paying attention to GDPR from Europe, or to California’s latest privacy regulations, you may think you’ve got it down cold! Other states are looking at privacy issues now too, including Utah’s new State Privacy Officer and Privacy Commission, so hopefully you’re paying attention to all of that. Most of those regulations are focused on companies’ treatment of data in the course of their business.
However, Utah’s Office of the State Auditor convened a commission last year which has also recently added to the mix of issues for companies to address, with new guidelines for Utah government entities as they contemplate acquiring advanced technologies. That’s right, these are guidelines for GOVERNMENT entities to follow when procuring advanced technology, particularly relating to Privacy and AI, not just focused on companies which own “consumer” data. But I believe that these types of guidelines will migrate into best practices that will eliminate some companies from doing business with government entities, or with companies which do business with government entities.
If you are a founder, CEO or Board member of a company pushing the state of the art in technology, this is for you!
These new guidelines from Utah’s State Auditor apply to state agencies and Utah government entities which are considering purchasing or developing technologies that might impact privacy or have an AI component. Utah is apparently one of only two U.S. states which currently have or are publicly working on such rules, but you can bet that more such guidelines and regulations are coming (apparently other states are asking about what Utah has come up with!).
Why should it matter to CEOs and Corporate Boards?
- First, if your business sells to or does business with a government entity, these same guidelines may be coming to a client near you!
- Second, these are strong practices that, in some form, are highly likely to percolate through society and the economy as a whole. Once standards like these are put in place somewhere, clients, citizens and government officials will begin to realize that they have value to society as a whole.
- Do vendors whose technology your company uses match up to these high standards? If not, why not?
So, if your company can’t meet these requirements today, don’t rest comfortably just because you don’t do business with Utah or don’t currently have government customers. I predict these standards will become the price of entry for businesses using private information and AI.
These guidelines came out in the form of a set of principles with a companion set of questions that state agencies and Utah government entities should ask themselves as they look to procure advanced technology solutions and are particularly focused. According to the Office’s press release, these “…documents are intended to help government entities with their procurement of advanced software technologies that have the potential to impair the privacy of Utahns or could lead to discrimination against them.”
Key elements related to Personally Identifiable Information (PII)
Below is a summary of the principles and questions issued by the Office related to software and solutions that include or potentially impact Personally Identifiable Information, or PII.
1. Limit Sharing of Sensitive Data: Government entities should fully understand their data. They should limit sharing of sensitive data (private data, PII, etc.) to the greatest extent possible to protect individual privacy and should not share more than is necessary to perform the required task. Data should be filtered and restricted within the government’s systems before being transferred into the vendor’s application. Wherever possible, a government entity should anonymize data, but government entities should recognize that sensitive data can be reconstructed from previously anonymized sources.
2. Minimize Sensitive Data Collection and Accumulation: A software application should collect no more sensitive data than it needs, and should retain that sensitive data no longer than it needs to accomplish the specified purpose.
3. Validate Technology Claims – including Capability Review: A vendor should clearly demonstrate the validity of their marketing claims. Example claims that warrant particular caution include:
a. Asserted use of AI or ML,
b. Proposed use of disparate data sources, especially social media or integration of government and private sources, and
c. Real-time capabilities, especially real-time data intelligence or analysis.
4. Rely on Objective, Repeatable Metrics: Vendors make various claims about the ability of their software applications to deliver value within a given accuracy or efficiency measure. Do not rely on anecdotes as validation of these claims. Government entities should invest in software applications where the value can be measured on an ongoing basis. A reputable vendor should include success criteria in any Request For Proposal (RFP) response, and these should include metrics that are easy to measure and compare across time and vendors. The RFP should also request that work to automate the gathering and reporting of these metrics be included in the project definition.
5. Assess Threat Models: The vendor should be able to enumerate the people, processes, and technological interfaces that constitute an attack or risk surface for their proposed software solution. These threats should be prioritized, and high-priority threats should have recommended mitigations. The vendor should have a vulnerability reporting process. A documented history of conducting and remediating penetration tests is a significant benefit.
7. Demonstrate Privacy Compliance: Privacy Specific Items and Protection: The vendor should demonstrate compliance with privacy regulations, such as CCPA or any similar laws enacted by Utah.
a. The vendor should define what constitutes PII under the contract. A government entity’s default definition may be overly narrow and may need adjustment for particular problems.
b. The vendor should describe their anonymization process and how it protects against the use of secondary data to de-anonymize data. A governmental entity should evaluate the effectiveness of that process to mitigate de-anonymization in the context of the software application.
c. Specific certifications may be required for a specific application, but such certifications may still be insufficient to protect privacy.
9. Determine Ongoing Validation Procedures: The government entity must have a plan to oversee the vendor and vendor’s solution to ensure the protection of privacy and the prevention of discrimination, especially as new features/capabilities are included.
So how do these guidelines differ from something like the California Privacy Rights Act (CPRA)? Like Europe’s GDPR, CPRA makes a business responsible for how third parties use, share or sell personal information that the business collected in the first place. CPRA adds GDPR-like provisions to the existing CCPA. Not all states have such regulations, although some states are evaluating similar rules or have had bills proposed, if not yet passed. Utah has an initial bill providing some privacy protections in general, but by guiding its agencies and government entities to set the bar high for vendors, Utah is advantaging companies which are adopting these higher standards.
In the case of these new Utah guidelines, state or local government entities which are clients of advanced technology will be insisting on better protection by vendors of private or personal information. Perhaps more importantly, these clients will be looking for enhanced oversight of the vendor, more specific processes and procedures, and true demonstrations of the protections and capabilities of the proposed technology.
To be sure, these guidelines emerged out of the State Auditor’s review of the embarrassing contract between Utah’s Attorney General and the now-discredited firm Banjo, which frankly had claimed extensive capabilities that the Auditor’s review significantly invalidated. As a CEO or Board Member, choosing to pursue best practices as you develop PII- and privacy-impacting products and solutions will benefit your firm now and in the future.