A Conversation on the NIST Privacy Framework

Remarks as prepared.

Hello, and thank you all for being here. And thank you to our hosts at the Center for Strategic and International Studies. 

We are thrilled for this opportunity to talk about one of NIST’s key initiatives toward building a stronger foundation of trust in technology products and services. We believe the Privacy Framework 1.0 has the potential to help not just individual organizations but also to shape the approach to consumer privacy in the U.S. and internationally.

It can be easy to dismiss privacy as simply a cybersecurity issue, and certainly privacy and cybersecurity are interlinked. However, privacy is so much more. 

Privacy issues don’t just arise from data breaches. For example, data collection for business purposes — think of smart meters or fitness trackers — could leave people feeling like they are giving away too much information and ultimately make them reluctant to use a product or service. 

The impact of a privacy incident can be devastating to an individual — they could suffer embarrassment, discrimination or economic loss. It could also be devastating to the organization that fails to protect that privacy, in terms of reputation and business loss.

Our Privacy Framework lead, Naomi Lefkovitz — from whom you’ll be hearing in today’s panel — likes to remind people: “If you violate a customer’s privacy but assure them you were compliant with relevant laws, they will probably still be very angry with you.”

NIST, of course, is a nonregulatory federal institute, rooted in research and measurement science and standards, so our focus is not on developing laws. The framework is designed to be agnostic to any particular law or regulation — but it can help organizations create the building blocks for the privacy outcomes they want, so they can meet their privacy obligations to their customers, boards or regulators.

Our approach to privacy reflects our mission to work with industry and to support innovation. NIST has an incredibly broad portfolio of responsibilities, including everything from building the world’s best atomic clocks, to developing standards for robots in manufacturing, to helping firefighters predict the behavior of wildfires. 

A challenge we face in all our R&D efforts is that to be truly effective, we must anticipate the measurement and standards needs of science, technology and commerce. We constantly look to the future; and even as the pace of change accelerates, NIST has an obligation to America to be at the leading edge. 

So, in our cybersecurity and privacy work, we find it’s best to keep an open mind to possible solutions, and to approach each task with respect for all stakeholders. NIST also brings our expertise and perspectives to the process. It means we consult early and often with both the public and private sectors. We want and need their input on how we select and implement broad programs and specific projects. It also means consulting formally and informally, so that we have regular reality checks along the way. 

We are committed to transparency, traceability and openness in the development and application of our work. We know that these types of collaborations result in higher quality, more appropriate and more useful products and services. These collaborations in the journey create buy-in for adoption by the community of practice. And we know that they help cultivate trust among those, like you, who are depending upon the work of NIST.

The Privacy Framework is a good example of this approach when facing a broad and multifaceted issue that matters to all of us as individuals. We all have a role in protecting privacy. Whether we’re in the public or private sectors, whether we’re lawyers, or engineers, or senior executives. 

But with so many aspects to privacy, and so much attention on it these days, we face a daunting challenge to find more consistent ways to communicate about it. That’s why a diversity of perspectives has been so critical to the development of the Privacy Framework. We sought to bring that diversity into a shared lexicon and practical tool that establishes privacy as a key component of enterprise risk management. 

Risk Management: A Common Focus

At NIST, and especially when it comes to cybersecurity, we spend a lot of time talking about risk. And we’ve been pleased to observe — amid the sea of worrisome news about threats, vulnerabilities and breaches — that cybersecurity risks are no longer considered the domain of the IT specialist or cybersecurity professional alone. Cybersecurity risk management issues are becoming increasingly familiar topics in C-suites and boardrooms. That’s true for businesses, and it is true for federal and other public sector organizations. 

At NIST, risk management is a common thread through many of our activities. We understand that it’s pretty much impossible, and certainly impractical, to eliminate entirely the cybersecurity risks that organizations face every day. There’s a reason why organizations hire risk managers, not risk eliminators. With that in mind, we aim to develop and deliver technological and organizational tools to better understand and manage risks.

Historically, this has been around the two “frameworks” that we’ve developed for cybersecurity risk management. Initially developed with a focus on critical infrastructure, the NIST Cybersecurity Framework has become popular in the five years since it was produced, both across the U.S. and around the world.  

Hardly a week goes by where we don’t learn about another Cybersecurity Framework use case. These come from large technology companies, small financial institutions and even other governments. Key to that framework’s success has been the active engagement of the private and public sectors from the beginning of the development process through today.

That development process brought up many questions about privacy risks in an increasingly connected, data-fueled world. At NIST we began to ask ourselves whether the risk-based approach we took in cybersecurity could work for privacy.

This question spurred the launch of NIST’s Privacy Engineering Program. It is focused on understanding how a risk-based approach could help organizations make better decisions and more effectively integrate privacy into their products and services. 

Privacy

Getting privacy right will underpin the use of technologies of the future, including AI and biometrics, quantum computing and the internet of things, and personalized medicine. And these technologies will be a big part of our future. According to one industry estimate, the biometrics market alone will be worth more than $59 billion by 2025.

But it’s not just about the dollar value, of course. There’s also the genuine value to the human spirit of living in a free and democratic society. Getting privacy right means enjoying the benefits of innovative products while upholding our country’s founding values.

Back in the summer of 2018, major privacy breaches and multiplying laws and regulations around the world dominated the news. Fairly quickly, NIST heard from industry stakeholders — and IBM was a leader in these conversations — asking whether we could replicate the success of the Cybersecurity Framework for privacy. 

Before we could figure that out, we needed to know more from our community of stakeholders, so we issued a formal government Request for Information, or RFI. The results were invaluable for our next steps. We heard that compatibility with existing laws, regulations, frameworks and standards is extremely important. Depending on their sector and mission objectives, organizations must already comply with multiple internal policies and external regulations. 

Stakeholders made it clear they wanted a framework that was at least compatible with what they were already working toward, and ideally, would facilitate the compliance process. Our stakeholders also confirmed that they wanted a framework that would be risk-based and outcome-focused. An outcome-focused approach would allow these organizations to innovate and to focus resources where it makes the most sense for their privacy practices.

We heard from organizations genuinely invested in protecting individuals’ privacy, beyond simply complying with the regulations. They wanted a tool that would support their organizational goals and aspirations. Likewise, multiple organizations told us very forcefully that they needed a flexible tool. Something that would identify and manage privacy risks to individuals in the context of their specific organization, privacy posture, business objectives and customers. 

As a result, the Privacy Framework is not a checklist of requirements. It allows organizations to prioritize and design the most effective privacy solutions for their business environment. And just as with the NIST Cybersecurity Framework, they said a key value of the Privacy Framework will be the extent to which it can foster communications within and between organizations. 

They told us they would like a framework that could help them communicate with privacy professionals and non-privacy professionals. With five simple words: Identify, Govern, Control, Communicate, and Protect, organizations can quickly convey how they’re managing data to minimize privacy risks.

And NIST itself had a larger goal, to bring privacy into greater parity with security considerations. This goes well beyond the Privacy Framework. For example, we are revising Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. In this fifth version, privacy controls are fully integrated into the security control catalog, creating a consolidated and unified set of controls for information systems and organizations.

Next Steps

As I have been reminding the NIST team — despite the sprint to get to this point — we are only at the very beginning of our Privacy Framework journey. Now that a completed Version 1.0 is in the hands of the people for whom it was developed, we want to work collaboratively to further understand how organizations are using the framework. 

We want to know what lessons we can learn, and what our next steps should be to ensure that this framework continues to evolve to meet the needs of stakeholders. We encourage you to contribute to our online repository of resources. It includes framework correlations with key privacy laws, regulations and standards, as well as common profiles, guidance and best practices to help organizations better implement the framework with benchmarks they can use. 

And our new online Privacy Engineering Collaboration Space will help keep the conversation going. In this public online venue, practitioners can discover, share, discuss and improve upon open source tools, solutions and processes that support privacy engineering and risk management. 

Our goal is to encourage the development of more effective and accessible solutions that help organizations achieve privacy objectives and implement better privacy protections for individuals. When we developed the Privacy Framework, we also developed a companion “roadmap” that describes key challenges to achieving privacy objectives.

These challenges will drive our continued focus and further research and development that: 

• advances the evolution of the framework; 
• promotes a well-functioning data processing ecosystem; and 
• expands the body of standards, guidance, practices and tools supporting privacy risk management. 

Two initiatives we are working on in the Collaboration Space are de-identification — including differential privacy techniques — and privacy risk assessment. We are also following the model of the Cybersecurity Framework by considering supporting materials we can develop with stakeholders to provide further clarity on how to use the Privacy Framework. 

I’m excited to announce today one such project — a guide to help small and medium businesses build in privacy as they grow to become the trusted big businesses of the future. Over the next few months we will be reaching out to these innovative smaller companies, with their resource constraints, to better understand how the Privacy Framework can help enhance their operations.

Conclusion

I’m grateful to the many stakeholders who have taken the time to work with us over the past few years. And today I look forward to hearing from some of those already adopting the Privacy Framework. 

The benefits of the framework will only be realized if organizations actually use it. That’s why we want to encourage all of you to review the framework. Let us help you apply it to your situation and demonstrate your privacy leadership by becoming “early adopters.” 

Again, this is only the beginning. A tool is only as good as the results it creates. We want the new Privacy Framework to be an essential part of every organization’s toolkit for success. We look forward to working with you to achieve that goal. Thank you.