NIST Privacy Framework

NIST releases v1.0 of their Privacy Framework to help innovating companies improve their approach to privacy.

Earlier this month, the U.S. National Institute of Standards & Technology, better known as NIST, released the NIST Privacy Framework 1.0. The framework is designed as a “tool for improving privacy through enterprise risk management.” While adoption of the framework is voluntary, NIST has a history of creating strong, practical approaches in adjacent areas, as seen with broad adoption of their Cybersecurity Framework by CISOs throughout the world. 

Over the past five to ten years, as governments worldwide have strengthened data privacy laws and the penalties associated with them, privacy has become a leading driver of business risk in organizations. Given these new regulations, companies can no longer avoid privacy risk management.

NIST leadership indicated they hope the framework will essentially enable rapidly innovating companies who need help baking strong approaches to protecting sensitive information and personal data into their technologies from the ground up in emerging areas like biometrics, artificial intelligence, and the Internet of Things (IoT). 

This includes industries like healthcare in which the U.S. Health Insurance Portability and Accountability Act (HIPAA) has been in place for more than two decades. That act has well-known gaps particularly when being applied to Internet-related and emerging technologies across the industry, such as telemedicine and smart implants. 

The framework ultimately focuses on getting organizations to factor privacy into the designs of their products and services. It provides advice and guidelines across three areas for implementing data protections. The first, the Core, focuses on activities to implement and outcomes to achieve in order to improve sensitive data protection. The second, Profiles, guides users on which paths in the Core to prioritize to maximize the effectiveness of their privacy program at managing risk. The third and final, Implementation Tiers, aids organizations in determining whether they have sufficient resources and processes to achieve their targets for managing these risks and implementing their overall program. 

The framework also encourages collaboration and communication inside organizations from the C-Suite, the senior executive level, to the business manager and ultimately to the operational level when they develop and address their own privacy practices. Given data is ubiquitous across organizations, and many have little to no idea what data they have, who it belongs to, how it is managed, nor where it resides in the physical world, a framework like this can be a powerful tool to enable organizations with valuable approaches based in part on lessons learned for correcting this currently chaotic data privacy environment, and can assist in getting leadership within the organization to support their efforts for developing and expanding their privacy program. 

One area the framework highlights in detail is the relationship between cybersecurity and privacy risks. While these areas are clearly known to be adjacent, many have yet to recognize that cybersecurity incidents may have a separate privacy component with additional requirements beyond what a security professional would typically consider. These tend toward the data side of security versus the traditional triad of confidentiality, integrity, and availability common to security professionals. The framework goes as far as naming the overlap between the two areas as “cyber security-related privacy events,” an area that clearly will increase over time with the ever-evolving cyber threat landscape and increasing number of cyber attacks along with the continued explosion of data.

NIST also introduced a roadmap for advancing their framework. Beyond looking for key feedback on the document, they explore related themes and subjects for which further work or exploration is needed. One critical area here is developing the workforce – the roadmap document highlights the need for “further development of a knowledgeable and skilled privacy workforce (to include privacy practitioners and other personnel whose duties require an understanding of privacy risks)” in order for organizations to improve their ability to protect the personal information of individuals and maximizing the “beneficial uses of data.”

While the framework attempts to assist in “future-proofing products and services to meet these obligations in a changing technological and policy environment,” it is not a complete blueprint to creating a privacy program. Further, given its complexity, it is not well-suited for organizations with lower maturity nor for smaller teams attempting to address privacy risk from outside the core businesses they support. Finally, given its nature as a generalized framework, it can require significant effort to implement its approaches and recommendations in order to get their full benefit. 

One key advantage to the framework is that it is designed “to be agnostic to any law, so it can assist you no matter what your goals are.” Use of the Privacy Framework should therefore help organizations demonstrate compliance with the EU’s General Data Protection Regulation (GDPR), the emerging California Consumer Privacy Act (CCPA) and the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act. Understanding domestic and international regulatory obligations that apply to an organization is a key area of focus when developing a privacy program. 

Including these responsibilities is an important and necessary part of incident response planning so that the organization can be prepared to respond once the inevitable data breach eventually occurs. Whether your organization is just putting together these foundational aspects of its privacy program, or a large multinational organization, BreachRx allows organizations to stay fully up-to-date on regulatory changes and to keep track of the various contractual responsibilities that are relevant to them. 

Ideally, prior to experiencing an incident, your team should design a plan for managing incidents that takes into account internal and external policies, the regulations that apply to your company, and all the contractual obligations you’ve agreed to follow when you signed agreements with customers, suppliers, and business partners. These plans need to be updated frequently as the obligations change and your team should regularly practice the plans you put in place.

With an automated and dynamic solution that helps proactively prepare for incident response, our customers are able to exceed consumer and regulatory expectations and thus minimize the fallout from the inevitable events that will occur. Implementing the BreachRx platform is the fastest way to achieve a best in class program for effective incident management and response.

Recent Posts