Privacy, You, Your Organization, and the New NIST Privacy Framework

by John Bandler

The release of a new privacy framework is a good opportunity to discuss privacy and how it relates to you, your organization, information governance and cybersecurity. If your organization has not thought about privacy, this is a good time to start. If your organization does not have a privacy policy, it probably needs one. Privacy is part of information governance, and ties into cybersecurity. We should also consider privacy from our personal perspective as individuals and protectors of our family members. This short piece introduces you to these concepts.

The National Institute of Standards and Technology (NIST) is a government agency, part of the Department of Commerce. They have some impressive intellectual capital working there, and they produce a considerable body of work that includes written standards and information on a wide variety of topics, including information governance, security, and privacy. All of this information is freely available to the public; no fees or membership are required. They recently released the NIST Privacy Framework to provide guidance to organizations seeking to navigate these complexities. This privacy framework is designed to interact with the NIST Cybersecurity Framework, NIST’s most popular and most user-friendly framework for securing information assets from cybercrime and other threats.

Increasing laws, regulations, norms, and expectations indicate that organizations should improve their privacy practices. This starts with a privacy policy tailored to the organization and the data it collects and stores. A privacy policy should mesh with the organization’s broader information governance plan and with how it protects its information. Thus, good information governance would include having both a cybersecurity policy and a privacy policy. Organizations with neither should start by working on their cybersecurity.

A privacy policy sets forth rules about how you will handle information pertaining to other people, and informs them (and your employees) of these rules. Most organizations should have a privacy policy, including those that have customers, clients, members, mailing lists, website visitors, or hold or process information pertaining to other people.

Recent privacy laws have gotten the attention of many organizations. The European Union’s General Data Protection Regulation (GDPR) is a sweeping privacy rule that went into effect in 2018. Because many U.S. organizations interact with EU citizens or their data, this had a significant effect in the United States. Consumers received many notices of updated privacy policies and started seeing website notices about cookies. The California Consumer Privacy Act (CCPA), which became effective on January 1, 2020, offers broad privacy protections for California residents and affects organizations all over the U.S. because they likely interact with California residents and their personal data. Because of the CCPA, we now are seeing website links for “do not sell my personal information” and other changes. Other states are contemplating or implementing privacy-related legislation.

Aside from privacy-specific laws, organizations should consider the interaction between privacy, cybersecurity, and data breach reporting. In essence, every state has a data breach reporting law. Such laws have broad applicability because they apply to any organization holding data of a state resident, regardless of where the organization is headquartered. Put another way, a breached organization will need to evaluate what personal information was breached and where those people reside, and comply with the breach notification laws of all of their home states. New York just passed the SHIELD Act, which strengthened its data breach reporting requirements and imposed a cybersecurity requirement (I wrote a short piece on this also here).

From another perspective, privacy is important to us as individuals and for our families. It is interwoven with cybersecurity, and that’s why my first book, Cybersecurity for the Home and Office, has a chapter devoted to it, another section devoted to privacy laws, and recommended cybersecurity improvements that include a review of privacy settings on devices, software, and online accounts. Securing yourself starts with making reasoned choices about what information you choose to give away or make public. Understanding how privacy impacts us personally also helps us guide privacy policies for our organizations. My second book, Cybercrime Investigations, also has a section devoted to privacy laws, because a comprehensive investigation of a cybercrime often requires knowledge of these laws and how they might apply.

For many organizations, these expanding privacy rules and frameworks can create fear, uncertainty, and doubt, and also impose compliance costs. It can be hard to know where to start. Still, we can agree that privacy is important, is desired by our customers and clients, and will be the subject of increasing scrutiny. If we do nothing and fail to get started, this scrutiny will be harsh and unforgiving. A journey starts with a single step, and if we get started and begin to do what is reasonable and diligent to protect the privacy of those we interact with, we can prevent incidents from occurring in the first place, and any subsequent examination will view our efforts in a more forgiving light.

This short article is designed to provide helpful introductory information, and (of course) is not legal or consulting advice, nor tailored to your circumstances.

Additional reading:

Related references include:

NIST Privacy Framework v1.0 (full title: NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0), available through the main site https://www.nist.gov/privacy-framework and at https://www.nist.gov/system/files/documents/2020/01/16/NIST%20Privacy%20Framework_V1.0.pdf

Federal Trade Commission (FTC)

FTC landing page: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/consumer-privacy

FTC: Protecting Personal Information: A Guide for Business: https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf

International Association of Privacy Professionals (IAPP) https://iapp.org/ (membership required for many resources, and I am pleased to have their CIPP/US certification, Certified Information Privacy Professional)

Posted 1/30/2020. Updated 2/19/2021. Written by and copyright John Bandler.

Main article also available on Medium (though not kept as up to date) at https://medium.com/@johnbandler/privacy-you-your-organization-and-the-new-nist-privacy-framework-ce5d17ecbbe7