Privacy Dispatches

How Do You Engineer Privacy? NIST Seeks Answers

Last week, the National Institute of Standards and Technology (NIST) hosted a workshop to discuss and develop the concept of privacy engineering. Although a great deal was covered, three topics recurred throughout the workshop and appeared to be of special interest to NIST, most notably the lack of technical standards concerning privacy,the role engineers can play in protecting privacy and the role NIST should play in the privacy field going forward.

Cybersecurity

Is SEC Cybersecurity Guidance Working?

Imagine that the FBI and DHS have arrived at your company to inform you of a potential cyber threat. Your public company disclosure obligations may not be the first thing on your mind, but such issues will quickly emerge.

Cybersecurity

Why Privacy Pros Should Embrace NIST’s Final Cybersecurity Framework

By Richard Santalesa, CIPP/US

By now the saga is familiar. After the White House tasked the National Institute of Standards and Technology (NIST) last February with developing a “Cybersecurity Framework” to reduce cybersecurity risks connected with “critical infrastructure,” a year to the day later, NIST released its final Version 1.0 of a “Framework for Improving Critical Infrastructure Cybersecurity” along with a companion “Roadmap” and supporting documents.

The many NIST workshops and weekly conference calls over the last year—Full disclosure: I took part in many of NIST’s working group calls—initially resulted in a draft and then 44-page preliminary framework, released last October and covered by the IAPP here. The preliminary framework spurred significant discussion and controversy during the 45-day public comment period following its release, primarily in connection with the “Privacy Methodology” depicted in Appendix B.

More from Richard Santalesa

Cybersecurity

SEC and Cybersecurity—What Publicly-Traded Companies Need to Know

Note from the Editor:

Mary Ellen Callahan, CIPP/US, and Elaine Wolff, both of Jenner & Block, will be part of the breakout session "The SEC and Cybersecurity: What Every Publicly Traded Company Must Know" at the IAPP Global Privacy Summit in Washington, DC, on March 7 at 8:30 am. They will be joined by Nicole Maddrey, Vice President, Deputy General Counsel & Assistant Secretary, at Graham Holdings and Tangela Richter, Functional General Counsel—Direct Bank and Brokerage, Capital One.

With the news that Target intends to wait until it files its annual report in March with the Securities and Exchange Commission (SEC) on the investment consequences of its massive cybersecurity intrusion from 2013, the SEC and cybersecurity once again gains attention.

From the Wire

Tuning the Privacy/Customer Service Dial

By Jedidiah Bracy, CIPP/US, CIPP/E

Twitter handles can be valuable commodities, and no story better demonstrates that than one described by web developer Naoki Hiroshima. Originally published on his personal blog and then republished with permission by TheNextWeb, “How I lost my $50,000 Twitter username” describes the ordeal he went through when a hacker decided he wanted Hiroshima’s Twitter handle @N—registered to Hiroshima since 2007.

In a nutshell, a hacker decided he wanted @N and was going to do just about anything to get it—without paying any money, of course. To do so, according to the hacker himself (someone call “Ripley’s Believe It or Not”), he socially engineered his way into Hiroshima’s GoDaddy account, which controlled several of his website domains, in order to wrest control of @N from Hiroshima. Give up the Twitter handle and the hacker would take his hands off the throat of Hiroshima’s websites.

Extortion at its finest.

More from Jedidiah Bracy