In February of this year, President Obama issued an Executive Order on Improving Critical Infrastructure Cybersecurity. The Executive Order directed the National Institute of Standards and Technology (NIST) to develop a Cybersecurity Framework to assist owners and operators of critical infrastructure in addressing cybersecurity risks. On October 29, NIST published a preliminary version of the Framework (the “Preliminary Framework”), which is open for public comment through December 13. NIST intends to issue a final version in February 2014. The creation of the framework has, of course, been a major development in the information security community – according to NIST Director Patrick Gallagher, approximately three thousand individuals have been involved to date in the development of the Preliminary Framework. But privacy professionals should be paying attention to the framework as well.
The Executive Order directs NIST to include “methodologies . . . to protect individual privacy and civil liberties.” To that end, Appendix B of the Preliminary Framework sets forth a draft Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program (“Privacy Methodology”) based on the Fair Information Practice Principles and organized to track the content of the Framework Core (the part of the framework that describes the elements expected to be present in a cybersecurity program). Notably, for almost every category of cybersecurity outcome identified in the Framework Core, the draft Privacy Methodology describes a corresponding set of privacy practices. The following are examples of how the draft proposes to tie privacy practices to cybersecurity activities:
Data Security: “Implement safeguards at all states of PII’s [personally identifiable information’s] lifecycle within the organization and proportionate to the sensitivity of the PII to protect against loss, theft, unauthorized access or acquisition, disclosure, copying, use or modification.”
Information Protection Processes and Procedures: “Securely dispose of, de-identify, or anonymize PII that is no longer needed. Regularly audit stored PII and the need for its retention.”
Protective Technology: “Audit access to databases containing PII. Consider whether PII is being logged as part of an independent audit function, and how such PII could be minimized while still implementing the cybersecurity activity effectively.”
And the Preliminary Framework’s definition of PII is fairly broad:
Information which can be used to distinguish or trace an individual’s identity such as the individual’s name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
As these examples indicate, the draft Privacy Methodology has taken a very expansive view of how organizations should approach and address the privacy implications of cybersecurity operations. Whether or not the proposal changes between now and Feburary 2014, what does the inclusion of privacy and civil liberties ultimately mean for organizations that adopt the final Cybersecurity Framework and for the privacy professionals that work for those organizations? There are at least two significant implications:
- A significant role for the privacy function. Because the Executive Order requires the framework to include methodologies to protect privacy, privacy professionals will be called upon to guide and support implementation of the framework through the Privacy Methodology.
- A potentially very significant challenge for organizations using the framework: Organizations that adopt the Framework will have to take steps to align their privacy policies, procedures and practices with the Privacy Methodology. Depending on the scope and approach of the final Privacy Methodology, that may be a substantial undertaking.
Once the framework is finalized in February, the federal government will offer incentives for organizations to adopt it, and the framework is likely to be influential beyond the industries deemed critical infrastructure. Government agencies may work with the insurance industry to develop underwriting practices that encourage adoption of cybersecurity measures. Procurement programs will likely favor those organizations that adopt the framework. Adoptees may be afforded liability limitations. And as organizations adopt the framework, they will likely favor doing business with those organizations that have also adopted the framework, which means that organizations outside critical infrastructure will be incentivized to adopt it.
Even without voluntary adoption, the framework may end up becoming part of the regulatory structure. In August, the Administration’s Cybersecurity Coordinator wrote that “agencies will recommend [ways to] make compliance easier, for example: eliminating overlaps among existing laws and regulation, enabling equivalent adoption across regulatory structures.” As agencies take steps to embed the framework into their programs, the framework could end up establishing a comprehensive privacy framework for cybersecurity operations. Because organizations may find it difficult to implement the framework’s privacy methodologies only for cybersecurity operations, the Privacy Framework could become a de facto set of standards for handling PII.
As mentioned above, the Framework is now open for public comment. NIST has announced that there will be a Cybersecurity Framework workshop November 14-15, and privacy is on the agenda. Organizations have until December 13 to assess the Framework and direct their comments to NIST, which has indicated that it welcomes input on the Privacy Methodology. The comment period provides organizations with an opportunity to voice their suggestions on practical ways to address the role of privacy considerations in the Framework.