While working on a project for a client aligning them to the new NIST Privacy Framework, I was able to do a deep dive on a few topics that the framework utilizes but doesn’t detail. One of those is the idea of “ecosystem risk.” The inclusion of ecosystem risk represents a notable change from the NIST Cybersecurity Framework which utilized the term "supply chain risk." For example, in the Privacy Framework’s Core, category ID.SC (Supply Chain Risk Management) became category ID.DE (Data Processing Ecosystem Risk Management). By the way, this change was not a foregone conclusion, and the first draft of the privacy framework utilized the supply chain terminology in the Core, though discussion of the data processing ecosystem was contained in the main documentation.
Now, I realize that most organizations struggle with direct vendor due diligence as it is. Incorporating full supply chain risk or broad ecosystem risks represents a large ask. The ability of organizations to understand the societal consequences of their actions represents a pinnacle of enlightenment. While most won’t be prepared to act, acknowledgment of the broader impacts of one’s activities is the first step to creating workable solutions and industry norms.
While the Privacy Framework does discuss the ecosystem as being broader than the supply chain, it doesn’t, in my view, sufficiently distinguish the two concepts and the potential implications of examining ecosystem risk. Many people understand that supply chain risks incorporate not only looking at your organization’s suppliers and their suppliers, but also downstream to your customers and their customers, where your products or services are not strictly for end consumer consumption. This represents a very linear, vertical view of the market with a primary view of protecting the end consumer.
The initial interpretation that one might take from the term ecosystem risk lies with certain “platform” products or services that allow for other vendors, with whom your organization has no relationship, to leverage your product or service without your input. The platform-as-a-service, software-as-a-service and Internet of Things markets all share these characteristics in which third parties can build upon the infrastructure you’ve created. Unfortunately, some of what they build could potentially be harmful to your customers, downstream consumers and/or others. For the most part, organizations seem to take a hands-off approach when they lack commercial liability for the intervening acts of others. There are exceptions, especially where third parties create reputational risk, such as Apple requiring apps to post privacy notices, Google looking for malicious code in apps before acceptance into the Play Store, and even most social media companies’ content moderation to prevent users from harming other users.
This view of ecosystem risk represents a ┴ (inverted T) model, where an organization incorporates the risks its products and services create by actors perpendicular to the consumer in the organization’s supply chain. In other words, the threat actors are neither your suppliers or customers, but suppliers of end consumers where your product or service acts as an intermediary or facilitator.
This model, unfortunately, creates a perception among many organizations that, because they don’t provide a platform, ecosystem risk is immaterial to their consideration. I’d like to suggest than ecosystem risk represents an even broader view than this. During the course of the aforementioned alignment of my client to the NIST Privacy Framework, I heard a good story on NPR that illustrates the potential broadness of ecosystem risk. This story isn't about privacy or data but groceries and food deserts. If you're not familiar with food deserts, these are areas, often in urban or poorer rural areas, where there is no ready access to healthy fresh foods. A recent study found a correlation between dollar stores and food deserts. While dollar stores don't consider themselves full-service grocery stores, they often sell a significant amount of very cheap food, mostly canned, and/or convenience food. This has a possible effect (though the study only shows correlation, not causation) of competitively driving out full-service grocery chains from these poorer urban and rural environments creating food deserts. This has a negative effect on the health of these populations. This would be an example of an ecosystem risk caused by the action of these stores, with a negative secondary consequence on the health of the population, not directly as stores’ customers but by the lack of alternatives caused by their competition in small markets. This effect wouldn't be captured in a simplistic supply chain risk analysis (is the supplier’s food safe?) or even the ┴ model, such as are third parties preparing the consumer’s food unsafely. Note, at least one chain has attempted to address the concern over a lack of healthy options by stocking more fresh fruits and vegetables.
Broad ecosystem analysis consists not of just the supply chain or third parties utilizing your products or services, but rather how your product or services’ existence affects the entire market, from driving more privacy-friendly alternatives out of business to supporting suppliers who respect their employee’s privacy, from desensitizing consumers with lower privacy expectations to raising industry norms through market differentiation. Through a systematic approach, identifying at-risk populations and categories of threats to be addressed, organizations can seek to mitigate the risks they create.
I commend the National Institute of Standards and Technology for driving the discussion with the inclusion of ecosystem risk. I don’t want this post to dissuade anyone from adopting or investigating the NIST Privacy Framework. Adoption is not dependent on this sophisticated and expansive view of ecosystem risk. Rather, NIST has provided a measured step ladder approach with its Implementation Tiers. Each tier (there are four) represents the sophistication in the incorporation of privacy risks in program development. Organizations need not implement at a Tier 4 Adaptive level where NIST suggests “[t]he organization understands its role(s), dependencies, and dependents in the larger ecosystem and contributes to the community’s broader understanding of risks.” Tier 2 and 3 may be perfectly acceptable for many organizations or, as NIST says, in the Privacy Framework, “… organizations at Tier 1 will likely benefit from moving to Tier 2, not all organizations need to achieve Tiers 3 or 4.”
One of the keys to determining which Tier your organization needs to be in rest on your role in the overall market. If you are a market maker, the key to the way the ecosystem functions, you have a larger responsibility to see that that market respects privacy throughout. I’ve experienced this first-hand handling vendor negotiations for large firms talking to vendors and requiring more thorough vetting than the smaller companies may be used to. Ultimately, this doesn’t just benefit the large firm but benefits all the smaller customers of those vendors who didn’t have the leverage to demand something better. For smaller companies that influence may be limited, especially in fractured markets, industry associations have a role to play by developing a comprehensive understanding of the market and risks and sharing that with their members. Each one doing our part can collectively raise the bar, so to speak, for privacy.
Photo by Loic Leray on Unsplash
Strategic Privacy by Design is a new handy guide to implementing privacy by design, written from a practitioner’s perspective. Authored by R. Jason Cronk, CIPP/US, CIPM, CIPT, FIP, this is the first IAPP book to get into the details of how privacy by design works, with dozens of sample scenarios, workflows, charts, and tables.
If you want to comment on this post, you need to login.