Privacy, You, Your Organization, and the New NIST Privacy Framework

The release of a new privacy framework is a good opportunity to discuss privacy and how it relates to you, your organization, information governance and cybersecurity. If your organization has not thought about privacy, this is a good time to start. If your organization does not have a privacy policy, it probably needs one. Privacy is part of information governance, and ties into cybersecurity. We should also consider privacy from our personal perspective as individuals and protectors of our family members. This short piece introduces you to these concepts.

The National Institute of Standards and Technology (NIST) is a government agency, part of the Department of Commerce. They have some impressive intellectual capital working there, and they produce a considerable body of work that includes written standards and information on a wide variety of topics including information governance, security, and privacy. All of this information is freely available to the public, no fees or membership are required. They recently released the NIST Privacy Framework to provide guidance to organizations seeking to navigate these complexities. This privacy framework is designed to interact with the NIST Cybersecurity Framework, NIST’s most popular and most user-friendly framework for securing information assets from cybercrime and other threats.

Increasing laws, regulations, norms, and expectations indicate that organizations should improve their privacy practices. This starts with a privacy policy tailored to the organization and the data they collect and store. A privacy policy should mesh with the organization’s broader information governance plan, and their protection of their information. Thus, good information governance would include having a cybersecurity policy and a privacy policy. Organizations with neither should start by working on their cybersecurity.

A privacy policy sets forth rules about how you will handle information pertaining to other people, and informs them (and your employees) of these rules. Most organizations should have a privacy policy, including those that have customers, clients, members, mailing lists, website visitors, or hold or process information pertaining to other people.

Recent privacy laws have gotten the attention of many organizations. The European Union’s General Data Protection Regulation (GDPR) is a sweeping privacy rule that went into effect in 2018. Because many U.S. organizations interact with EU citizens or their data, this had a significant effect in the United States. Consumers received many notices of updated privacy policies and started seeing website notices about cookies. The California Consumer Privacy Act (CCPA) became effective on January 1, 2020, offers broad privacy protections for California residents and affects organizations all over the U.S. because they likely interact with California residents and their personal data. Because of the CCPA, we now are seeing website links for “do not sell my personal information” and other changes. Other states are contemplating or implementing privacy related legislation.

Aside from privacy specific laws, organizations should consider the interaction between privacy, cybersecurity, and data breach reporting. In essence, every state has a data breach reporting law. Such laws have broad applicability because they apply to any organization holding data of a state resident, regardless of the organization’s headquarters. Put another way, a breached organization will need to evaluate what personal information was breached and where those people reside, and comply with the breach notification laws for all home states. New York just passed the SHIELD Act which strengthened its data breach reporting requirements and imposed a cybersecurity requirement (I wrote a short piece on this also here).

From another perspective, privacy is important to us as individuals and for our families. It is interwoven with cybersecurity, and that’s why my first book, Cybersecurity for the Home and Office, has a chapter devoted to it, another section devoted to privacy laws, and cybersecurity improvements that include a review of privacy settings on devices, software, and online accounts. Securing yourself starts with making reasoned choices about what information you choose to give away or make public. Understanding how privacy impacts us personally also aids us to guide privacy policies for our organizations. My second book, Cybercrime Investigations, also has a section devoted to privacy laws because comprehensive investigation of a cybercrime often requires knowledge of these laws and how they might apply.

For many organizations, these expanding privacy rules and frameworks can create fear, uncertainty, and doubt plus impose compliance costs. It can be hard to know where to start. Still, we can agree that privacy is important, is desired by our customers and clients, and will be the subject of increasing scrutiny. If we do nothing and fail to get started, this scrutiny will be harsh and unforgiving. A journey starts with a single step, and if we get started and begin to do what is reasonable and diligent to protect the privacy of those we interact with, we can prevent incidents from occurring in the first place, and subsequent examination will view our efforts in a more forgiving light.

Hopefully this summary is informative but it is merely a brief introduction and many concepts are simplified. This is not legal advice nor consulting advice, and is not tailored to your circumstances.

See my website for a copy of this article plus additional references, starting at https://johnbandler.com/privacy-and-the-new-nist-privacy-framework

My books are
Cybersecurity for the Home and Office: The Lawyer’s Guide to Taking Charge of Your Own Information Security
Cybercrime Investigations: A Comprehensive Resource for Everyone

Posted 1/30/2020.