On Tuesday, the U.S. National Institute of Standards and Technology kicked off its process for developing a privacy framework before a room full of privacy professionals here in Austin, Texas. At the first in a series of public workshops, NIST officials described the framework as a "voluntary enterprise risk-management tool."
The framework is intended to be a collaborative effort with public and private sectors to help organizations "better identify, assess, manage, and communicate privacy risks; foster the development of innovative approaches to protecting individuals' privacy; and increase trust in products and services."
As expected, the workshop drew plenty of questions and commentary from the privacy community, ranging from the framework's scope and intent to whether it would be interoperable with other standards. Should the document define commonly used terms, like personal data? Would the framework be legally binding? These were some of the initial questions raised during the day's event.
NIST Senior Privacy Policy Advisor Naomi Lefkovitz said the agency is proposing a working assumption "that organizations are challenged with bridging between policies or principles and implementation of effective privacy practices."
Similarly, NIST Chief Cybersecurity Advisor Donna Dodson said the framework would be voluntary. The purpose of the workshops, she said, is "to see if what we envision is in line with what you envision." Dodson emphasized that NIST wants this to be an open and transparent process "in collaboration with all of you, which will be critical to the success of this endeavor."
Lefkovitz noted that the framework is a separate initiative from the National Telecommunications and Information Administration's effort at creating a U.S. privacy blueprint.
"These are separate but complementary efforts," she said. "We are working on a tool that organizations can use in their enterprise. It will be a practical and hands-on framework."
Tuesday's workshop included three panel sessions, the first of which was led by NIST officials, who explained the intent and aims of the framework and asked for initial feedback on those efforts. Privacy professionals from across industry sectors were clearly engaged during the panel, asking a range of questions that included whether the framework will define terms, such as "personal data" and even "privacy," and whether it should include "sociological" factors, like fairness, algorithmic transparency and data ethics.
Though one of the aims of the framework is to create a common language for stakeholders, Lefkovitz warned about getting "boxed in" by definitions. "How much more complicated do we need to get?"
There was also concern about how the framework would fit with other existing privacy and data security frameworks, from the ISO 27000 series to IEEE and OASIS standards and more. NIST intends the framework to be inclusive of such standards, envisioning it as a foundation rather than a prescription.
Lefkovitz said that much of what goes into the framework will be up to the stakeholders over the coming year. During that time, NIST will hold a series of workshops, like the one held Tuesday, issue drafts for public feedback and host various briefings and conference side events. "Let us know how we can engage and get more targeted feedback from you," she said. NIST also plans to hold a live webinar Nov. 29 to allow for questions and a second workshop that will explore an outline for the framework early in 2019.
NIST says it's the right organization to lead such an effort because it has experience creating other successful models, including the Cybersecurity Framework. That assertion was backed up by McAfee Chief Standards and Technology Policy Strategist Kent Landfield during one of the event's panel sessions.
"We didn't figure out the answer at the beginning of the [Cybersecurity Framework] process," he said. "It was a path; it was a journey. The framework's focus was on providing a tool for organizations to improve their security. The intent was to give organizations the ability to look at themselves, go through pieces of the framework and figure out what it was they needed to address."
SunTrust Senior Vice President and Chief Privacy Officer Ron Whitworth pointed out that "it has only been five years" since the Cybersecurity Framework came out, and the "adoption rate is high." Being in the highly regulated financial sector, Whitworth also said he didn't have concerns that the framework would be an obstacle. "It's outstanding. The more we have to measure ourselves against, the more we can have conversations with regulators and boards of directors about what we're doing. It helps those conversations."
Sarah Morrow, CIPP/US, CIPM, FIP, chief privacy officer at Texas Health and Human Services, agreed, saying that in the health sector, having a framework would be beneficial. "If we have a framework, I can show it to the Office for Civil Rights and say, 'This is what we're doing.'" She also said a framework should be "big enough to incorporate other frameworks and be useful enough for everyone, from the bean counters to the C-suite, so they can understand what we're trying to accomplish. It needs to be useful and applicable."
Cisco Vice President and Chief Privacy Officer Michelle Dennedy, CIPP/US, CIPM, cautioned against getting wrapped up in definitions and instead urged stakeholders to look at outcomes and problems that need to be solved. "I hope the framework will be seamlessly interoperable," she said. "I hope it is relentlessly interoperable with other standards." She added the framework should be desirable for organizations to use in order to encourage innovation.
Prifender Chief Data Solutions Officer Sagi Leizerov, CIPP/US, said the "framework must address strategic gaps in the market right now. What we are truly missing is key aspects that have not been discussed by privacy pros; we need to know where the data is. Somebody has to come up — and it would be good if it was NIST — and address what can be done about managing information about people."
Up until this point, he argued, "It's like we've been trying to kill cancer with a Band-Aid."
Clearly, the process is just beginning for the NIST framework, and there will be difficult questions to answer, but there appeared to be strong support for a model similar to the Cybersecurity Framework, and continued engagement from stakeholders will be key.
Perhaps most importantly, noted NIST Applied Cybersecurity Division Chief Kevin Stine during his summary of the discussion, there was broad consensus that the framework should go beyond being a compliance tool and that it should harness a risk-based approach to privacy.
In characterizing the feel of the room Tuesday, former Senior Privacy Advisor at the Office of Management and Budget Marc Groman, CIPP/US, said he sensed some skepticism and some enthusiasm from stakeholders, while asking, "was it like that for the Cybersecurity Framework?"
McAfee's Kent Landfield said, "yes," noting "there were lots of heated discussions," but those discussions yielded a framework that organizations now use.