Privacy, You, Your Organization, and the New NIST Privacy Framework
The National Institute of Standards and Technology (NIST) is a government agency, part of the Department of Commerce. It has some impressive intellectual capital working there, and it produces a considerable body of work that includes written standards and information on a wide variety of topics, including information governance, security, and privacy. All of this information is freely available to the public; no fees or membership are required. NIST recently released the NIST Privacy Framework to provide guidance to organizations seeking to navigate the complexities of privacy. This privacy framework is designed to interact with the NIST Cybersecurity Framework, NIST’s most popular and most user-friendly framework for securing information assets from cybercrime and other threats.
Recent privacy laws have gotten the attention of many organizations. The European Union’s General Data Protection Regulation (GDPR) is a sweeping privacy rule that went into effect in 2018. Because many U.S. organizations interact with EU citizens or their data, this had a significant effect in the United States. Consumers received many notices of updated privacy policies and started seeing website notices about cookies. The California Consumer Privacy Act (CCPA), which became effective on January 1, 2020, offers broad privacy protections for California residents and affects organizations all over the U.S., because they likely interact with California residents and their personal data. Because of the CCPA, we are now seeing website links for “do not sell my personal information” and other changes. Other states are contemplating or implementing privacy-related legislation.
Aside from privacy-specific laws, organizations should consider the interaction between privacy, cybersecurity, and data breach reporting. In essence, every state has a data breach reporting law. Such laws have broad applicability because they apply to any organization holding data of a state resident, regardless of where the organization is headquartered. Put another way, a breached organization will need to evaluate what personal information was breached and where those people reside, and comply with the breach notification laws of all of their home states. New York just passed the SHIELD Act, which strengthened its data breach reporting requirements and imposed a cybersecurity requirement (I also wrote a short piece on this here).
From another perspective, privacy is important to us as individuals and for our families. It is interwoven with cybersecurity, and that’s why my first book, Cybersecurity for the Home and Office, has a chapter devoted to it, another section devoted to privacy laws, and cybersecurity improvements that include a review of privacy settings on devices, software, and online accounts. Securing yourself starts with making reasoned choices about what information you choose to give away or make public. Understanding how privacy affects us personally also helps us guide privacy policies for our organizations. My second book, Cybercrime Investigations, also has a section devoted to privacy laws, because a comprehensive investigation of a cybercrime often requires knowledge of these laws and how they might apply.
For many organizations, these expanding privacy rules and frameworks can create fear, uncertainty, and doubt, and impose compliance costs. It can be hard to know where to start. Still, we can agree that privacy is important, is desired by our customers and clients, and will be the subject of increasing scrutiny. If we do nothing and fail to get started, this scrutiny will be harsh and unforgiving. A journey starts with a single step; if we get started and begin to do what is reasonable and diligent to protect the privacy of those we interact with, we can prevent incidents from occurring in the first place, and any subsequent examination will view our efforts in a more forgiving light.
Hopefully this summary is informative, but it is merely a brief introduction and many concepts are simplified. This is not legal advice nor consulting advice, and it is not tailored to your circumstances.
Related references include:
NIST Privacy Framework v1.0 (full title: NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, v1.0), available through the main site https://www.nist.gov/privacy-framework and at https://www.nist.gov/system/files/documents/2020/01/16/NIST%20Privacy%20Framework_V1.0.pdf
Federal Trade Commission (FTC)
FTC: Protecting Personal Information: A Guide for Business: https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf
International Association of Privacy Professionals (IAPP) https://iapp.org/ (membership required for many resources, and I am pleased to have their CIPP/US certification, Certified Information Privacy Professional)
Main article also available on Medium at https://medium.com/@johnbandler/privacy-you-your-organization-and-the-new-nist-privacy-framework-ce5d17ecbbe7