The National Institute of Standards and Technology (NIST), the United States non-regulatory government body responsible for maintaining industrial and scientific standards, has developed a new privacy framework aimed at helping organizations secure personal data and stay in compliance with the law. The NIST Privacy Framework 1.0 is a voluntary tool that guides organizations through various privacy protection strategies. It is not a law or regulation, but it is a very substantial free tool for any organization with an online presence.
The new NIST Privacy Framework has been spun off from the existing NIST Cybersecurity Framework, which was developed in 2014. The two packages are meant to be used in tandem, and together provide a road map for an organization with no prior knowledge to start from zero and become familiar with industry cybersecurity and data handling standards and best practices.
Who needs the NIST Privacy Framework?
As Dov Goldman, Director of Risk & Compliance at Panorays, points out, the NIST Privacy Framework is aimed primarily at members of the C-suite who have to make decisions about cybersecurity without necessarily having a strong technical background:
“With the enactment of far-reaching data privacy regulations like GDPR and CCPA, the new NIST Privacy Framework could not have come at a better time. The framework provides a canonical standard in language business managers understand. This will undoubtedly help companies organize their privacy processes so they can protect their customers’ personal data and comply with regulations. The impact of this is analogous to the NIST Cybersecurity Framework, in that it provides a business-level guide of how to do things right. As usual, privacy policies only work when they are part of an ongoing process of managing and collaborating with third parties, as the new NIST standard makes clear. Therefore, companies should be sure to put in place a comprehensive third-party cyber risk process that also considers compliance with privacy regulations.”
Both the new NIST Privacy Framework and the existing cybersecurity framework start with a “core” of cybersecurity practices and outcomes that are written for a non-technical audience. The reader then moves on to a set of “profiles” that organizations will commonly find themselves in, which make concrete recommendations about security and privacy policies. The frameworks also establish a set of four implementation tiers that can help an organization conceptualize its overall strategy.
This new framework was developed not just as a “crash course” in privacy and security best practices, but also to help organizations adapt to new and emerging data handling laws like the California Consumer Privacy Act (CCPA). Any organization handling personally identifiable information, such as home addresses or device location data, is required to take certain steps to safeguard the storage and transmission of this data. The security requirements – along with the potential fines – go up for more sensitive and potentially damaging data such as social security and bank account numbers. Less sensitive categories of data also sometimes become more sensitive when combined, and the framework helps guide organizations through these sorts of scenarios. The framework also helps organizations stay compliant with longstanding data handling regulations such as the Health Insurance Portability and Accountability Act (HIPAA), and data regulations in foreign countries such as the EU’s General Data Protection Regulation (GDPR).
Even if an organization already has a robust security strategy in place, a look through the new NIST Privacy Framework is highly recommended to identify potential blind spots and ensure that all applicable regulations are being complied with. It is a tool for helping organizations manage privacy risk and improve data security that is applicable to companies of all sizes.
A preliminary draft of the NIST Privacy Framework was released in September 2019, but this release is considered the initial “full version” and is the first to incorporate public feedback.
What does the new NIST Privacy Framework have to say?
The NIST Privacy Framework opens with an acknowledgement that there is no good “one size fits all” approach to organizational cybersecurity, and that rapid changes would likely render such a fixed approach obsolete before long even if it were possible. Instead, it focuses on providing an array of tools and helping organizations place themselves within general groupings in terms of risk, regulation and necessary response.
As Marc Gaffan, CEO of Hysolate, summarized the overall approach:
“Cybersecurity and privacy are merging closer together, especially as we see the introduction and enforcement of regulations like GDPR and CCPA. It’s great to see frameworks like NIST help organizations map out the areas of potential risk as it relates both to privacy and cybersecurity. Organizations should follow such a framework to manage and mitigate risk, but remember that it takes time to check all of the boxes. It’s important to identify the biggest, and most critical gaps first, and then address less critical gaps down the road.”
The framework asks organizations to break down all of these possible threats into a concept called “privacy events.” A privacy event begins with any potential problem the end user could experience as a result of some sort of breach or failure during the data handling and storage process. Starting from the negative event and tracing back all the ways that failures in the data handling process could have led the end user there helps to uncover potential violations that previously had low visibility within the organization (for example, a home smart device leaking information that can be used maliciously or for surveillance purposes).
The four-tiered risk management approach is designed to help organizations conceptualize and review all the general strategies available to them. The four tiers represent mitigation (handling risk with internal measures like protective products or services and security policies), transfer (having vendors sign contracts taking on some of the responsibility), avoidance (simply ending the data collection if the risks outweigh the benefits), and acceptance (not attempting mitigation when the potential negative outcomes are too unlikely or minimally damaging to worry about). The profiles and implementation tiers help companies quickly get their bearings on what the scope of their efforts in managing privacy risk should be.
The NIST Privacy Framework also reviews levels of accountability, something that has proven to be a point of confusion and contention in numerous organizations. It breaks down the general expectations for each level of the business, from senior executives to implementation by the ground troops, in terms of how modern regulations tend to assign responsibility.