The Case for Privacy Risk ManagementOver the past few years, there has been a massive cultural and legal shift in the way consumers view and secure their personal data online that's in line with the rise of advanced technologies like artificial intelligence. Concerned by an increasing rate of incidents that range from the 2017 Equifax hack to the scandalous Cambridge Analytica gaming of consumers’ social media data for political purposes, policymakers have begun to strike back on consumers’ behalf. Europe’s General Data Protection Regulation (GDPR), the landmark privacy legislation that went into effect May 2018, was the first large-scale effort to offer consumers more legal protections. Given the absence of a comprehensive federal privacy law, the California Consumer Privacy Act (CCPA), which will come into force on 1 January 2020, marks the first similar step in the United States. Similar laws are being pursued in a handful of other states. For more than two decades, the Internet and associated information technologies have driven unprecedented innovation, economic value and access to social services. Many of these benefits are fueled by data about individuals that flow through a complex ecosystem—so complex that individuals may not be able to understand the potential consequences for their privacy as they interact with systems, products and services. Organizations may not fully realize the consequences, either. Failure to manage privacy risks can have direct adverse consequences for people at both the individual and societal level, with follow-on effects on organizations’ reputation, bottom line and prospects for growth. Finding ways to continue to derive benefits from data while simultaneously protecting individuals’ privacy is challenging and not well-suited to one-size-fits-all solutions. According to Bernhard Debatin, an Ohio University professor and director of the Institute for Applied and Professional Ethics, the first problem is that there has never been a clear—or enforceable—definition of privacy since it is such a complex and abstract concept. “The notion of privacy has changed over time,” says Debatin. “In post-modern, information-based societies, the issue of data protection and informational privacy has become central, but other aspects [such as old-school, bodily privacy] still remain relevant. In other words, over time, the concept of privacy has become increasingly complex.” This broad and shifting nature of privacy makes it difficult to communicate clearly about privacy risks within and between organizations and with individuals. What has been missing is a common language and practical tool that is flexible enough to address diverse privacy needs.
Development of NIST Privacy FrameworkThe National Institute of Standards and Technology (NIST) has developed the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework) to drive better privacy engineering and help organizations protect individuals’ privacy by:
- Building customer trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole,
- Fulfilling current compliance obligations as well as future-proofing products and services to meet these obligations in a changing technological and policy environment, and
- Facilitating communication about privacy practices with customers, assessors and regulators.
Definition of Key TerminologyThe Privacy Framework follows the structure of the NIST Cybersecurity Framework to facilitate the use of both frameworks together. From the early stages of the development, it became apparent that there was a need to develop a privacy risk vocabulary to form a common ground of understanding. Therefore, the terms “data,” “data action,” “data processing” and “privacy risk” were defined as follows:
- Data: A representation of information including digital and non-digital formats.
- Data Action: A system/product/service data lifecycle operation including but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission and disposal.
- Data Processing: The collective set of data actions.
- Privacy Risk: The likelihood that individuals will experience problems resulting from data processing and the impact should they occur.
Cybersecurity Risks vs. Privacy RisksAnother area that needed to be clarified was the difference between cybersecurity risks and privacy risks. Security risks are related with threats and vulnerabilities as well as the loss of confidentiality, integrity and availability. By contrast, Naomi Lefkovitz points out that privacy risks are associated with unintended consequences of data processing which are often caused by the way designers architect systems, even secure ones. Operations that process personally identifiable information could pose privacy threats. "When security people think about threats, they think of bad actors or events out of their control, such as natural disasters," Lefkovitz says. "But [in regard to privacy], it's the operation of the system that's giving rise to the risk." As an example, Lefkovitz points to smart metering of electricity. The systems can be built securely to protect the private information collected, but the data itself can reveal people's behavior inside their homes. In addition, security tools designed to safeguard personal identifiable information (PII) from malicious actors, such as persistent activity monitoring, could reveal information about individuals that is unrelated to cybersecurity. However, cybersecurity and privacy risks overlap as the following Vern diagram displays.
Privacy Risk Management and AssessmentThe Privacy Framework defines privacy risk management as “a cross-organizational set of processes that helps organizations to understand how their systems, products, and services may create problems for individuals and how to develop effective solutions to manage such risks.” In addition, privacy risk assessment is defined as “a sub-process for identifying, evaluating, prioritizing, and responding to specific privacy risks.” Privacy risk assessments can help organizations to weigh the benefits of the data processing against associated risks and to determine the appropriate response. “Risk assessment and risk management are still challenging tasks given that there is not an industry-standard definition of risk nor a common, accepted means of quantifying IT risk. This is especially true of privacy where the laws are still evolving and haven’t had much time to build up court precedent,” says Anthony Israel-Davis, Senior Manager SaaS Ops at Tripwire. Privacy risk assessment is an important process because privacy is considered in many laws as a fundamental human right and a condition that safeguards multiple values. Finally, privacy risk assessments help organizations distinguish between privacy risk and compliance risk. Identifying if data processing could create problems for individuals, even when an organization may be fully compliant with applicable laws or regulations, can help with ethical decision-making in system, product and service design or deployment. Privacy risk assessments are the basis for a privacy-by-design product or service development.
Privacy Framework StructureThe Privacy Framework is comprised of three parts, namely the Core, Profiles and Implementation Tiers, as illustrated below.
- Communicate-P and
ConclusionReviewing the NIST Privacy Framework, Anthony Israel-Davis, Senior Manager of R&D at Tripwire, commented that,
the NIST Privacy Framework does a good job of making the case for privacy risk management and a flexible means by which an organization can assess its own privacy posture and develop a program to improve it. Still in draft form, it’s a bit wordy and could use an editor’s pen to help it become more succinct. The most helpful portions are in the appendices where the framework is detailed and from which a flexible assessment tool could be built. Privacy is becoming a paramount concern with real legal and financial risk, any tool that helps an organization manage that risk is a welcome addition and I look forward to a finalized version of the NIST framework.