As data becomes a crucial element of IT, with electronic health records and location data collected by navigation services, organizations have realized that security and privacy are closely linked, if not hand in glove. Some agencies, like the Department of Veterans Affairs, have combined security and privacy, naming the chief information security officer the chief privacy officer, but other organizations have encountered roadblocks to implementing privacy as a facet of both security and customer trust.
Among many organizations, there is a recognition that the ecosystem is evolving faster than privacy laws and regulations are, and that many organizations, whether public or private, need forward-thinking guidance on how to develop privacy solutions.
“Getting privacy right will underpin the use of technologies in the future, including AI and biometrics, quantum computing, the 'internet of things' and personalized medicine,” said Copan. “These technologies will be a big part of our future. According to one industry estimate, the biometrics market alone will be worth more than $59 billion by 2025.”
Although NIST is part of the Department of Commerce, its aim in developing the privacy framework goes beyond economic incentives alone.
“There is the genuine value to the human spirit of living in a free and democratic society,” Copan said. “Getting privacy right means enjoying the benefits of innovative products while upholding our country’s founding values.”
Naomi Lefkovitz, who served as the chief architect of the privacy framework, shared Copan’s belief in the importance and relevance of the framework.
“I was recently reading this law review article claiming we’re at a constitutional moment for privacy,” she said. “It’s possibly a slightly overused trope, but I take the point. I do think that we’re at a significant technology and privacy inflection point, with the advent of AI and machine learning. We have this opportunity now to chart a course on privacy that can impact people and society around the world for many years to come.”
Because NIST is not a regulatory agency, the framework is designed to be “agnostic” toward existing privacy laws, Copan explained. It also does not prescribe future regulations. Just as the NIST cybersecurity framework has become the national and global standard for cybersecurity measures, NIST hopes this framework will achieve the same reach.
The framework is risk-based and outcome-focused, complying with existing laws and regulations while leaving room to evolve alongside technological advancement.
“Everybody knows the principles,” Lefkovitz said, referring to both existing privacy practices in the U.S. and global privacy standards such as the General Data Protection Regulation (GDPR) in Europe. “What we’re doing is providing the building blocks that help you get to [principles including] data minimization.”
The framework is nonbinding, but NIST expects that both public and private-sector organizations will want to adopt the framework to build trust with their clients and customers.
“The impact of a privacy incident can be devastating to an individual,” Copan explained. “It can also be devastating to the organization that fails to protect that privacy, whether that’s governmental or otherwise, in terms of reputation and in the case of a company, genuine business loss. As Naomi … is fond of saying, ‘if you violate a customer’s privacy, but assure them that you were compliant with all relevant laws, they’ll still probably be very, very angry with you.’”
Lefkovitz provided details about how the framework gives organizations the tools to find the privacy solutions that best fit the needs of each organization and its customers.
“We actively put in things like ‘establish privacy values,’” she said, “but not only establish them, because lots of companies talk about privacy values, and then you look at their products and you’re like, ‘what happened?’ Have privacy values — now have processes to embed your privacy values in your products. It’s that kind of process ... that is so critical.”
Lefkovitz also underscored that privacy is an “enabler of trust.”
“Having that risk-based discussion furthers that [perspective],” she said. “It keeps organizations focused on actually innovating on their privacy solutions.”
NIST has stated that the framework is intended to be “a living document,” recognizing both that its standards can improve through risk-based discussion and that it will need to change to accommodate innovation.
“We take an attitude similar to health care,” Lefkovitz said, “where we’re constantly trying to improve our medical treatments. I would like to see that for privacy.”
NIST strongly encourages both public and private organizations to engage with the framework and offer feedback to improve upon its foundations. The agency remembers the critical role evangelists played in expanding buy-in for the NIST cybersecurity framework and hopes to have a similar experience here.
“We’re looking for privacy leaders who will stand up and say, ‘we’re using it,’” Lefkovitz said.
Among other programs, NIST is working on a guide to help small and medium businesses implement privacy standards and has already designed an online privacy engineering and collaboration space to foster the evolution of the framework. NIST also recognizes the importance of building skills around the world to implement and analyze privacy standards and is incorporating privacy terms and skills into the NICE framework to encourage privacy training.
“Despite the sprint to get to this point, we are only at the beginning of this privacy journey,” Copan said.