As members of Congress, federal employees, and more than a dozen state attorneys general clash with Elon Musk’s Department of Government Efficiency (DOGE) over the legality of their actions and claims of accessing sensitive data with murky oversight and security, what example does the controversy set for CIOs on transparency and accountability?
Quarrels in the political arena include questions about information accessed by DOGE, an advisory organization created by executive order rather than an actual department with Cabinet-level authority approved by Congress. Musk’s team reportedly accessed data from the Treasury Department and other federal information systems, raising concerns that DOGE had the power to halt Social Security and Medicare payments.
What oversight exists for Musk and DOGE remains unclear, just as it is unclear what security protocols were put in place to protect the accessed data.
These actions could create a future quandary for US regulators who seek guardrails on data privacy. If DOGE’s handling of sensitive data is permitted with uncertain oversight, why should CIOs and their organizations face scrutiny?
“The events that we’re witnessing in Washington right now are truly unprecedented,” says Paul Barrett, deputy director of the Center for Business and Human Rights at New York University’s Stern School of Business. “There’s never been a systematic deployment of unconfirmed, not publicly identified, questionably qualified people throughout the federal bureaucracy, pushing aside legally protected, congressionally approved civil service workforces and delving into information systems and other aspects of the federal bureaucracy for purposes that are not being publicly disclosed or discussed, potentially violating an unfathomable number of laws, defying congressional intent in terms of interfering with programs that are established by statute — and we have no idea where it’s all headed.”
Barrett notes that the traditional process for acting on congressionally approved federal departments involves drafting bills that work their way through Congress, with hearings and debate. “That’s democracy,” he says. “It’s a completely different process to have a raft of executive orders issued and then to have an unspecified kind of army of apparatchiks attached to an unconfirmed, unelected, Silicon Valley billionaire who, invoking these vague executive orders, sends his people in, who say ‘We demand access to this computer system.’”
Guardrails for Handling Sensitive Data
For years now, data privacy policy has gained momentum on the international stage, with Europe’s GDPR enforced in 2018, and domestically, at least at the state level, with the California Consumer Privacy Act (CCPA) in 2018 and the California Privacy Rights Act (CPRA) in 2020, for example.
Despite the activity in the US capital, it seems the private sector intends to maintain its own best practices in how sensitive data should be handled. “I think transparency is the key, and CIOs need to be clean and be transparent on the level of data privacy that they’re offering to both internal customers and, in a company,” Anand Kashyap, co-founder and CEO of data security provider Fortanix, says. CIOs and their companies should also remain transparent about their products’ ability to collect personal data, the privacy that can be provided, and how another party might get their hands on that data. “Can the data be accessed by the government through a blind subpoena? If they can, then your company should be transparent about it.”
Kashyap says many companies tend to have transparency mechanisms in place to keep track of when the government asks for data in order to be clear about the level of privacy being offered. However, it might not be feasible to lock down privacy completely from government reach. “If you want to provide more privacy, like the GDPR, there are procedural and legal ways to do that, but government is super powerful, so subverting government is simply not possible,” he says, suggesting encryption as a means to protect data.
Leading by Their Own Example
Regardless of how government or quasi-government entities operate, companies must still see to the protection of the data they retain. “Typically, there is a CIO who is responsible for procurement of all IT inside an organization,” Kashyap says. “CISOs set the security policies of how data should be classified inside an organization and then how data of various classifications should be protected through various means. CISOs typically have teams which are building security tools to actually provide the data security.” Data might be handled by multiple teams inside an organization, he says, which can fall under the purview of data officers, with discussions about which platforms, servers, and policies to follow.
Scrutiny of how sensitive data gets handled and protected stems from very real concerns about the damage that might be done to all parties involved if it winds up in the wrong hands. Rajan Koo, CTO for insider risk management platform provider DTEX Systems, says massive data breaches, seen across many kinds of organizations, can echo long after the technical and even monetary issues are dealt with. “What we’ve found is that the true cost of those data breaches is often the PR issues, the reputational damage that gets encountered, the loss of trust in their customer base for handling their data and handling their privacy,” Koo says. “So reputational damage is one of those really big knock-on effects from having a data breach or having information stolen.”
Data security is also important to safeguard intellectual property, especially for organizations working on AI or novel research in pharmaceuticals, where Koo says there can be a threat of foreign interference and espionage. “Organizations have really woken up to the fact that this can really put them out of business maybe five or 10 years down the track,” he says. “The forward-looking CIOs and the CXOs of these organizations do see and understand that.” Koo also says more mature organizations may have that in mind and tend to look beyond simply meeting regulations on data security. “I think the less mature ones typically will do the minimum that’s required to keep their business functioning and appease the regulators,” he says.
Maintaining Confidence in Data Security
“Compliance and security is a conversation we have with customers on a daily basis,” says Bill Bruno, CEO of identity and data platform provider Celebrus. His company works with financial institutions, which historically face regulatory scrutiny, and with healthcare clients where HIPAA compliance comes into play. Precedents on data privacy set by European Union law also continue to proliferate around the world and guide how companies handle sensitive information.
“Every sort of place where we’ve deployed, there’s something governing it, and usually, as has been the case for many years, it’s all started in Europe and it kind of spreads from there,” Bruno says. “Even for our clients in [the Asia-Pacific], or the clients in South America — all of it is like an adaptation on GDPR at the end of the day.”
Though Europe led the way on such policy, Bruno says a 2017 US media transparency study, which he co-authored and which was driven by the Association of National Advertisers, called out how data was being shared. “It highlighted how data was being used,” he says, “how people, organizations, advertising ecosystems, etcetera were using consumer data in non-transparent ways — in ways that maybe you didn’t even realize as a consumer was happening.”
That led to advertisements that followed consumers around their digital spaces without them realizing how or why marketers targeted them in that way — potentially through the use of data they collected. “GDPR, when it was brought in, was really to create transparency and to stop the sharing and the pooling of consumer data without explicit permission,” Bruno says.
Potential Policy Hypocrisy
Nationwide regulations on data privacy remain in debate, but NYU’s Barrett says even if the United States already possessed its own version of GDPR or had ratified the Privacy Bill of Rights, it might not matter, given recent events. “In this environment, I’m not sure how relevant or pertinent those things would be, because we do have all kinds of laws that would appear to prohibit the activity that’s going on at the behest of Elon Musk and those laws are not slowing him down in the least.”
“What we’re seeing is the most dramatic illustration of how power in the 21st century is just as much a function of digital data as it is guns and ammunition,” Barrett says. “That you can change the world if you can control information, and you know that’s hard to absorb because men in uniforms with guns are such a more familiar image when you talk about power.”