Privacy Risk and Control Design: NIST’s Framework for Managing Privacy Risk

We made our way to the Moscone Center for the final day of sessions on a fresh San Francisco Friday morning. NIST’s (National Institute of Standards and Technology) Framework for Managing Privacy Risk was the topic the panel was asked to dissect and discuss.

The session moderator was Naomi Lefkovitz, the Senior Privacy Policy Advisor at NIST. She was joined by an experienced team:

  • Jennifer Behrens, Chief Privacy Officer at Verato and Founder & Principal at PrivacyM
  • Jamie Danker, Director and Senior Privacy Officer at the Department of Homeland Security (DHS)
  • Logan O’Shaughnessy, Lead Privacy Incident Management & Response at the U.S. Department of Health and Human Services (HHS)

Lefkovitz opened the conversation with a question to the panel: what is privacy risk, and what determines how critical it is?

“When security people get in the room they debate about standards,” said Lefkovitz. “But when privacy people get in the room they debate about privacy and what it is. There is no standard or model for privacy,” she asserted.

This raises the question: if there is no standard to follow and no model to leverage, how do organizations define privacy and the risk it brings to the organization?

“The definition of privacy is about authorized access to information through collection, action, maintenance, use and disclosure,” said Lefkovitz. “But what about the cases where the system is supposed to be open and access to the system is warranted?” she asked.

O’Shaughnessy took the baton. “Ultimately, the individual aspect of privacy can be quickly overlooked since we focus on patching the vulnerabilities and closing the holes,” said O’Shaughnessy. “The effects to the individual could be severe – the security impacts are important and need to be remediated – these problems are knowable, and therefore, should be able to be solved,” he concluded.

Danker quickly weighed in on the use of standards as definitions, since her organization relies on FIPS (Federal Information Processing Standards). “Yes, FIPS tend to be a bit squishy, but we still use FIPS as a framework for analysis,” she said.

“FIPS tend to be a bit squishy, but we still use them as a framework for analysis”
— Naomi Lefkovitz, Senior Privacy Policy Advisor at NIST

“Organizations still need the privacy risk management framework from NIST to help us get to the controls and response,” added O’Shaughnessy.

Pointing out the tension between security and risk personnel, Behrens noted that the security team can be a privacy team’s biggest ally if you approach it as if you are working together to help the company reach its goals. “There needs to be a compromise to satisfy the business’ needs,” said Behrens.

“Sometimes we are accused of putting the ‘No’ in innovation,” added Danker.

Lefkovitz then turned the discussion to the risk factor itself and its implications for data storage.

“Say you don’t need to store a user’s information,” posited O’Shaughnessy. “If data is collected, even with consent, as soon as you store the data it exposes you to a privacy risk,” he clarified.

“Let me add that there are tools available to help get to a quantitative level of risk,” said Behrens, referencing privacy as a key element of the Sarbanes-Oxley Act of 2002 (SOX). “Utilizing the right set of tools could lead you to a matrix with which you can assess the data journey. You get much more of an objective insight as to what’s happening with the user’s data if you can see how it flows through the system.”

The session concluded with a question from the audience that highlighted the dilemma an organization faces when weighing privacy against protection: what is the priority when it comes to privacy vs. security vs. functionality at crunch time?

Behrens took a stab at answering the question. “It’s a negotiation,” she said. “End users are more savvy in what they expect, even if not sophisticated. They make decisions to interact with systems based on the media’s portrayal of the system and a user’s willingness to adopt that system. This assumes an often unspoken negotiation between people who design and build the system and the business owners, the results of which affect the level of risk,” she added.

Although there were no definitive answers as to the true measure of privacy risk, it’s clear that this panel of professionals will continue to fight the good ‘privacy risk’ fight.