A public policy blog from AEI
Former Homeland Security Secretary Michael Chertoff has lamented that “the most frustrating thing is when people treat privacy and security as if they are trade-offs. . . . I would like to see less of an oppositional approach and more taking a view that these things are actually interdependent and mutually reinforcing.” You can’t have privacy without security. That is one reason the National Institute of Standards and Technology (NIST) at the Department of Commerce made its Cybersecurity Framework a priority, releasing the first version back in 2014.
Now NIST is using a similar toolset to work through the privacy side of the privacy and security equation. Amid the current rush to regulate privacy and how businesses obtain and keep consumer information, it’s encouraging that a federal agency is taking a more measured approach, acknowledging that heavy-handed regulation isn’t warranted for all types of data.
NIST designed its Privacy Framework (currently in discussion draft form) to build on the Cybersecurity Framework, which helps organizations identify and manage cybersecurity risk. The current exercise of identifying the right level of privacy protection for enterprise data sets is useful for businesses seeking to understand and properly manage what they collect and retain, for both security and privacy reasons.
The Privacy Framework’s core functions, designed to help businesses prioritize and create guidelines for their privacy needs, are structured like the Cybersecurity Framework’s functions (identify, protect, detect, respond, and recover). The privacy draft’s functions are identify, protect, control, inform, and respond: three of them mirror their cybersecurity counterparts, while control and inform address privacy concerns that the Cybersecurity Framework does not cover. Aligning the cyber and privacy functions helps organizations assess their overall data protection risks. The discussion draft focuses on a privacy taxonomy and a methodology for outcomes using a self-assessment process, and it provides guidance on how to manage risk. Here’s an overview of some of the core functions.
Identify. The first step is identifying a business’ core data assets and ranking them against its risk tolerance. Reviewing how systems, services, and products may affect consumer privacy informs the level of protection needed. Identifying how data will be used also helps the business understand its legal and regulatory requirements. Once a business has identified its risk factors, it can decide how to manage those risks both proactively and reactively. How catastrophic would it be if the information became publicly available? Are the data confidential? Are they already widely available?
Protect. Data are a vast corporate asset that needs to be monitored and protected as a precious resource. But not all data contain personal information, and protecting data from unauthorized access and malicious attacks is essential for reasons beyond privacy protection. The draft framework notes that data theft, not privacy violations, is the priority for many businesses because of their regulatory obligations.
Large data stores are attractive targets for hackers, and data can be expensive to maintain, so data minimization may be a good decision for many businesses: data that are never collected or retained cannot be stolen in a breach. Why be responsible for maintaining data that don’t create revenue?
Inform. The informing process starts with the business understanding how it works with data and being transparent about its data collection programs. It can then quickly assess any risk and know the procedures for escalation toward public disclosure if any data are stolen or exposed in a breach.
In the end, all these core functions will be foundational for companies looking to establish effective privacy policies. Understanding the business context for the collection of data (including the contexts under which data are processed); how an organization’s use of data may affect individuals’ privacy interests; and any regulatory, contractual, or legal requirements will help businesses and organizations prioritize as they seek to balance risk management and their business needs.
On May 13 and 14, NIST will hold a second public workshop on the development of its Privacy Framework to help coordinate best practices for enterprise risk management. The working group is looking for feedback and engagement on its discussion draft released on April 30.
© 2019 American Enterprise Institute