In the digital age, the American people knowingly and unknowingly produce huge amounts of data on a daily basis.

Through widespread e-commerce, ubiquitous GPS maps, and regular social media interactions, the public transmits their sensitive financial, health, and other personal information through online platforms. Americans need assurance that all sectors will keep their personal data private and safeguarded from abuse, but our data security infrastructure in both the public and the private sectors is vulnerable to exploitations, hacks, and breaches. With malevolent foreign intelligence entities, the hacking of public agencies, the infiltration of hostile agents in private organizations, and other dangers, the threat of data insecurity and exposure to breaches is real and immediate for governments, companies, and individuals.

Nonstate cyber actors and nation-states have developed sophisticated mechanisms for exploiting the vulnerabilities of government systems. Not only do they steal information and money; they increasingly disrupt, destroy, or threaten the delivery of essential public services. For example, hackers have been targeting local governments for ransomware attacks, with important systems and data being blocked until a ransom payment is made. In the summer of 2019, a host of local governments—including Baltimore, MD; Albany, NY; Laredo, TX; and 22 small Texas towns—had their operations disrupted by such attacks. The City of Baltimore experienced a hack that prevented the locality from issuing health alerts and delayed water bill delivery. Similarly, the City of Atlanta’s systems for police reports and employment applications were down for days due to a March 2018 cyberattack. State and county governments, school districts, hospitals, and court systems have also become common targets of ransomware attacks.

Over the next decade, technology will continue to evolve, and data security programs in both the public and the private sectors will face new vulnerabilities. Public agencies and administrators have a critical role in ensuring data security and privacy by:

• Establishing and enforcing the regulations regarding technology surveillance, non-consensual data collection, and commercial selling of individual data to private or public entities;
• Ensuring that the regulatory framework is informed by the careful consideration of the ethical aspects of data collection and dissemination;
• Making regulatory adjustments based on new technologies and other lessons learned;
• Ensuring that public agencies themselves only collect and maintain the minimum amount of data necessary to achieve their missions; and
• Developing a workforce with the core competencies to protect data systems, use data to strengthen operations, and improve services while safeguarding the privacy and preventing breaches.

As part of the Grand Challenge to “Ensure Data Security and Individual Privacy,” the Academy will work with stakeholders to determine how to:

• Develop a model “Digital Bill of Rights” and framework/guidelines for protecting data privacy;
• Safeguard personal data, prevent data breaches, and protect data from cyberattacks (including ransomware);
• Ensure effective regulation of both the public and private sector’s collection and utilization of personal data;
• Identify needed adjustments to current statutory and regulatory frameworks to keep pace with emerging technologies; and
• Leverage administrative data consistent with privacy protections to improve public services.

This is an illustrative list of topics. As the Grand Challenges campaign kicks off and progresses, other issues can and will be addressed based on stakeholder feedback about critical needs and opportunities.