On January 16, 2020 the National Institute for Standards and Technology (NIST) released the first version of a voluntary privacy framework, “Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.” This privacy framework will be widely used by organizations of all sizes. It provides a common approach which will standardize American company’s approach to Privacy compliance regulations. This decision to assign resources to be in compliance with the new privacy laws (CCPA, GDPR and the many others pending) will be made considering the rising cost of business insurance policies priced by insurance underwriters, who now have the ability to reference NIST compliance as a ratings tool when setting rates for corporate insurance policies. The elements pictured in the featured image depict three parts of the Privacy Framework: 1) The Core, 2) Profiles and 3) Implementation Tiers.
The three framework components provide instructive process descriptions which inform companies how they can manage privacy risk. This occurs through the connection between business drivers, organizational roles and responsibility, and privacy protection activities. Using the three framework parts: Core, Profiles and Implementation Tier, organizations will have the methods needed to comply with new privacy laws. Proactive adoption of the standards set forth in the privacy framework will reduce both privacy and cybersecurity risk.
The intersection of these two risk domains is depicted in Figure Two, which appears on the right.
The Cybersecurity Framework was published by NIST in 2014. Since then, the NIST Cybersecurity Framework has been instrumental in guiding companies to communicate and manage cybersecurity risk (1). Now that NIST has published the new privacy framework, US organizations can combine the elements of the two frameworks and better mitigate “adverse events” resulting from combined cybersecurity and privacy risks.
The problems organizations experience have many variations. NIST describes their scale as ranging from dignity type effects such as embarrassment or stigmas to more tangible harms such as discrimination, economic loss or physical harm (2). The NIST internal report (IR) 8062 An Introduction to Privacy Engineering and Risk Management in Federal Systems identifies additional types of privacy risks associated with data processes that may have “adverse effects” on individuals.
Specific details of the risk consequences are described in Appendix E of IR 8062. The potential for economic loss is a newly identified and significant corporate risk which will result in increased insurance costs for organizations that do not take proactive steps to audit and remediate their voluntary compliance with the new NIST Privacy Framework.
In today’s increasingly interconnected world, “adverse events” can result simply from individual’s interactions with systems, products and services, even when the data being processed in not specifically linked to identifiable individuals. For example, smart cities technologies could be used to alter or influence people’s behavior such as where or how they move through the city (3). Problems can also arise when there is a loss of confidentiality, integrity or availability (the CIA tirade) at some point in the data processing workflow. Once a company identifies the possibility of any given problem resulting from the company’s data processing workflow, it can assess the potential impact. The impact (RISK) assessment is where privacy risk and organizational risk intersect.
Figure 3 shows the relationship between Privacy Risk and Organizational Risk.
Privacy Risk Management is a cross-organizational set of processes that helps organizations to understand how their systems, products, and services may create problems for individuals and how to develop effective solutions to manage such risks. The NIST Framework Core Structure depicts the steps companies can take to mitigate risk.
Privacy Risk Assessment is a sub-process for identifying and evaluating specific privacy risks (4). In general, privacy risk assessments produce the information that can help organizations to weigh the benefits of the data processing work flow against the associated privacy risks and to determine the appropriate response—sometimes referred to as proportionality (5). In 2014, the NIST Cybersecurity Framework identified five (5) critical functions: Identify, Protect, Detect, Respond, Recover as shown in Figure 5.
Figure 5 –>
Figure 6 details the intersection of the two standards (Cyber and Privacy). Organizational executives and other stake holders are encouraged to study these diagrams and consider how their company will proactively work to address these new risks. These Figures visualize the high-level functions NIST recommends organizations implement to manage cybersecurity and privacy risks.
The new Privacy Framework released by NIST on January 16, 2020 provides useful and effective guidance for the organizations and individuals tasked with protecting the privacy of their stakeholder’s data. This new voluntary framework will be used by insurance companies to benchmark relative compliance and thus set risk rating scores which will determine the cost of specific business insurance policies. Thus, in this case our government will succeed in achieving its objective without regulatory interference.
The voluntary NIST framework will be successful in achieving significant compliance levels because of the “invisible hand” of economic theory.
Once again, Adam Smith’s postulate that free enterprise leads organizations toward socially beneficial actions by economic coercion will have the opportunity to be proven correct. The NIST Privacy Framework will be used by cyber-insurance underwriters to set individual pricing schedules based on compliance with the new national standard. The resulting economic incentive will cause executive decision makers to better protect the privacy of the information that drives their business.