Data privacy has been thrust into the limelight with the General Data Protection Regulation taking effect in Europe last year and a string of high-profile consumer privacy snafus. The National Institute of Standards and Technology plans to help companies address data privacy with the development of a Privacy Framework, which is due to be finalized by October.
The framework's development is very much a work in progress. So far it has emerged as a modular, voluntary enterprise risk-management tool, meant to help companies protect consumer privacy while respecting business imperatives.
Continuing the ongoing theme of data privacy at RSA Conference 2019, NIST’s Naomi Lefkovitz, senior privacy policy advisor, and Kevin Stine, chief of the Applied Cybersecurity Division at the institute, took to the session stage to discuss the current state of the Privacy Framework, while positioning data privacy as one more element of a comprehensive overall enterprise risk management plan.
First and foremost, the Privacy Framework is being developed to be risk-based, outcome-based and non-prescriptive, in order to encourage adoption. So unlike the GDPR, which prescribes specific obligations, the framework will instead describe desired outcomes and best practices for deciding how to achieve them.
“Privacy is just another dimension of risk, and should be a part of that broader enterprise risk management activity in an organization,” Lefkovitz said. “They need to consider what is the likelihood of a problematic data action occurring, and what the impact would be in terms of customer loyalty, compliance and cost.”
Five Functions
To help in the risk-management endeavor, NIST has so far proposed five functions for the framework: identify, protect, control, inform and respond. Each of these headings will contain a set of best practices and approaches for achieving desired outcomes.
For instance, under "identify," businesses should identify legal requirements and perform an assessment, Lefkovitz noted, "with an emphasis on flows and data mapping, and understanding where data is and what exactly you have."
On the protection front, she noted that this function overlaps with data security, but that NIST is also thinking about expanding the protection concept to cover the information lifecycle and privacy engineering ideas such as dissociability, that is, separating data from the person it is linked to through techniques such as pseudonymization or data masking. The framework could also take into account an array of cryptographic techniques.
“We are trying to provide concepts to act as a foundation for more clearly defined relationships between privacy and security,” Lefkovitz said. “Privacy risk is more than data risk – companies also process data, over the entire lifecycle, from collection through disposal. And they need to process that data to achieve business or data objectives – but there can be unintended consequences and privacy issues can arise for individuals.”
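The dissociability idea above is easy to get wrong in practice, so here is an added example (not NIST's code and not part of the Privacy Framework) of one way pseudonymization is commonly realized: replacing a direct identifier with a token. The point it makes is that an unkeyed hash of an e-mail address only looks dissociated, because anyone holding a list of candidate addresses can rebuild the link, while a keyed HMAC-SHA256 token with the key held by a separate custodian keeps records linkable for analytics without that exposure. The records, candidate list and key here are constructed for the demonstration; the choice of HMAC-SHA256 is an assumption, not something the framework specifies.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people). The same subject appears
# twice so we can confirm that tokens stay consistent across records.
RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "region": "EU"},
    {"email": "bob@example.com", "plan": "free", "region": "US"},
    {"email": "Alice@Example.com", "plan": "pro", "region": "EU"},
]

# Constructed list of addresses an attacker might plausibly hold (a marketing
# list, a previous breach dump, a public directory).
CANDIDATE_EMAILS = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
    "dave@example.com",
]


def normalize(identifier: str) -> bytes:
    """Canonicalize before tokenizing so the same person always maps to the same token."""
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Looks anonymous, but it is a deterministic function of a low-entropy,
    semi-public input, so it can be reversed with a dictionary of candidates.
    """
    return hashlib.sha256(normalize(identifier)).hexdigest()


def new_key() -> bytes:
    """Tokenization key; in a real deployment this lives with a separate custodian."""
    return secrets.token_bytes(32)


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 token. Same identifier -> same token, so joins and counts
    still work, but without the key a dictionary attack does not apply."""
    return hmac.new(key, normalize(identifier), hashlib.sha256).hexdigest()


def pseudonymize(records, key=None):
    """Return copies of the records with the e-mail replaced by a token.

    key=None selects the naive scheme purely so the two can be compared.
    """
    out = []
    for rec in records:
        token = keyed_pseudonym(rec["email"], key) if key else naive_pseudonym(rec["email"])
        rest = {k: v for k, v in rec.items() if k != "email"}
        out.append({"subject_id": token, **rest})
    return out


def reidentify_by_dictionary(tokens, candidates):
    """The attacker's view: hash every candidate address with the public,
    unkeyed scheme and see which tokens match. The attacker has no key."""
    table = {naive_pseudonym(c): c for c in candidates}
    return {t: table[t] for t in tokens if t in table}


if __name__ == "__main__":
    naive = pseudonymize(RECORDS)
    hit = reidentify_by_dictionary([r["subject_id"] for r in naive], CANDIDATE_EMAILS)
    print("naive scheme, re-identified:", sorted(hit.values()))

    key = new_key()
    keyed = pseudonymize(RECORDS, key)
    hit = reidentify_by_dictionary([r["subject_id"] for r in keyed], CANDIDATE_EMAILS)
    print("keyed scheme, re-identified:", sorted(hit.values()))
    print("distinct subjects in keyed data:", len({r["subject_id"] for r in keyed}))
```

Two caveats a practitioner would attach: pseudonymized data is still personal data under the GDPR (Recital 26) as long as the key or mapping exists somewhere, so the tokenized set needs its own protection, and a keyed token still lets records about one person be linked together, which reduces re-identification risk but does not eliminate it.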
When it comes to control, most people think of this as ensuring that users have control of their information. “However, that’s a tiny part of it – this also is to help express the capabilities you need in order to offer that user control in the first place,” said Lefkovitz. “It aligns with manageability – both individual and organizational management.”
The inform and respond functions may seem obvious, covering breach notifications and consumer notices in the event of an incident, but they also have to do with situations such as inappropriate processing, which may not trigger a notification requirement but still needs to be dealt with. These functions also align with predictability. "You need to understand what happens in the event of an incident," Lefkovitz said.
There’s no expectation that every organization needs to achieve every outcome or practice within the framework, she added. Different companies have different requirements, after all: For some, privacy risk needs to be tied to compliance. For some, there are only minimal resources available to manage privacy risk. Some companies might have the type of privacy risk where a specialized workforce is needed.
“The idea is for anyone to take this and create a tailored, risk-based approach,” Lefkovitz said.
Still in Development
NIST is still actively soliciting feedback on the Privacy Framework as it stands today. It will hold a live webinar on March 14 and a workshop in May, and comments and feedback will be accepted throughout the development process leading up to its publication later this year.
“This is a voluntary tool, and so it needs to meet the needs of the stakeholders, so we are developing this with input from the industry,” Stine said. He added that an analysis of more than 80 public responses from a feedback window that closed in February is helping to guide what ends up in the final document.
For instance, “many expressed a desire for a framework compatible with laws and regulations, that would help organizations with their compliance needs,” Stine said. “There are international as well as federal, state and local statutes and regulations governing aspects of data privacy, which creates a complex patchwork of laws and plenty of challenges for compliance.”
In the same vein, another primary mandate is to ensure interoperability with global standards – a need that Stine said is increasing as the global privacy requirements and regulatory landscape becomes more stringent; there’s already a long list of standards and approaches that organizations are using today that businesses would like to integrate into any Privacy Framework implementation, he added.
"It has to be compatible with other approaches in use to manage risk today," Stine said. "We're also looking at framework attributes like taking a consensus-based approach, and using a common and accessible language/taxonomy so it's presented in a language that would be meaningful to folks at all levels of the organization. It also needs to be adaptable and technology-agnostic."
Another aspect of the public commentary that NIST is using to finalize the framework is the need to address not only large organizations, but also small and medium-sized businesses, which must make the most of limited human, technical and financial resources.
“Organizations of all shapes and sizes, not just multinationals but smaller companies that may be part of a broader supply chain, should be able to use this too,” Stine said.
For all Threatpost’s RSA Conference 2019 coverage, please visit our special coverage section, available here.