Developing the NIST Privacy Framework: How can a collaborative process help manage privacy risks?

As prepared.

Thank you, Cam.

I’m honored to be with all of you here today to talk about what each of us recognize is a pivotal issue for our times.

For two decades now, the internet has been a job-creating, economy-growing and consumer-convenience bonanza. It has changed business, democratized information access and transformed how we interact as human beings.

The internet, mobility, computing, global positioning and communications technologies have driven unprecedented innovation and economic value in the U.S and around the world. Companies that are now major forces in these fields, and with substantial market capitalizations to match, did not even exist two decades ago.

Internet applications have permeated every aspect of our lives. Surveys in the last few years show that Americans collectively check their mobile phones 8 billion times a day. Amazing.

Which brings me to today’s dilemma: How do we maintain the clear societal benefits from the internet—and from emerging technologies like the Internet of Things, artificial intelligence and quantum computing—without jeopardizing our privacy and security?

Boiled down to two words, an appropriate answer might be: It’s complicated.

That’s also the impression most consumers have when they actually try to read the “terms of use” about privacy to which companies require us to agree before we download their apps.  

If they click to accept those “terms,” what will it mean for them? What risks might they encounter? What unintended consequences?

Indeed, finding ways to continue innovating with the internet, while simultaneously protecting privacy, is difficult and complicated. But just as clearly, it is necessary.

An approach to protect privacy is to develop and implement regulation. The European Union implemented its General Data Protection Regulation, or GDPR, in May of this year. The text includes 11 chapters, 99 articles and more than 170 “recitals” or “whereas clauses” that explain why a particular provision is needed.

The new GDPR requirements were described by the New York Times as bringing “sweeping changes to how companies operate online.”

We’ve also seen some of our largest companies publicly struggling with critical privacy issues.

Concerns about privacy and data use have dramatically affected stock market prices and other financial performance measures, as well as reputations.

And now, California has taken up the issue, issuing a new privacy law this summer. Across this nation and around the world, we see a developing patchwork of regulations. This is driven by good intentions and with a goal to properly consider ethics. It is also an unsustainable model.

It is too soon to tell how large an impact these regulations will ultimately have on products and services that rely on access to users’ data, and whether there will be a substantial measurable improvement in desired privacy outcomes.

At a minimum, the new EU regulations have spawned a rash of privacy policy messages to consumers’ inboxes.

And it’s reminding consumers that “free” internet software is typically paid for with access to personal data. Big data has big value.

It’s also made companies worry that mistakes in implementing privacy protections could be very costly.

Under the GDPR, companies can be fined up to 4 percent of their global revenues, which for some multinational corporations could amount to many millions of dollars.

The Trump Administration is committed to helping U.S. companies find practical privacy solutions that support both innovation and strong privacy protections.  

My agency, the National Institute of Standards and Technology, is part of the U.S. Department of Commerce.

NIST has announced a collaborative process to create a "Privacy Framework," which we envision as an enterprise-level guide that companies and other organizations can use to manage privacy risks.

In parallel with our effort, two other Commerce agencies—the National Telecommunications and Information Administration and the International Trade Administration—are creating a domestic policy approach for protecting privacy that ensures consistency with international policy needs.

For those of you who may not be so familiar with NIST, we trace our heritage to 1787, to Article 1 of the U.S. Constitution. Later in that same article is the language that created the U.S. Patent and Trademark Office, also part of the Department of Commerce. 

We were reconstituted in 1901 as the National Bureau of Standards. To better reflect our broad scope, we were renamed the National Institute of Standards and Technology in 1988.

NIST has a reputation for integrity; for the highest level of science and technology excellence; for being unbiased, transparent, collaborative, and honest. NIST is a non-regulatory institute. We’re often called “industry’s national lab.”

We specialize in measurement science and research in partnership with the private sector.  We support all of U.S. industry—from legacy technologies to emerging high-tech industries—computers, aerospace, 3D printing, telecommunications, medical diagnostics, advanced materials, cybersecurity, chemicals, bioscience and quantum-based technologies, NIST is right in there.

Name any market sector or technology application that’s emerged in the last 100 years and NIST has likely helped make it possible and helped improve its products through better measurement science, standards, engineering and accurate performance data.

NIST is also the National Metrology Institute of the USA, and we support development of measurements and standards internationally on behalf of the nation as well as for fair trade.

We work with each state and territory of the Union to ensure that we have a trusted system of standards and weights and measures—

• so that no matter where you go to pump fuel you can be sure that the right amount is delivered;
• so that you can rely on the accuracy of your electric meter connected to the grid; and,
• so you can understand there is an accurate measurement system for ride-hailing apps to help make sure you’ll be charged fairly for your lift. 
• We’re also the federal agency tapped in the President’s Management Agenda to improve the process of moving new technologies created from federally funded R&D to commercial markets.

In fact, NIST is the only scientific and technical federal laboratory explicitly charged with fostering innovation to help industry create jobs and grow the economy.

So, we’re always looking for ways to help American companies improve their products and services, to enhance their competitiveness and to create useful standards together.

I mention this as background, because it may not be obvious why NIST has taken up this privacy framework initiative.

Through the lens of the S&T community, they see NIST as a respected, Nobel-prize-winning, world-class research institute that regularly announces groundbreaking discoveries in measurement science and technology, as well as for advanced manufacturing.

Over the last decades, however, NIST has been increasingly called upon to use its deep technical expertise and strong relationships with industry to find common ground and disentangle seemingly intractable issues.

For example, on August 14, 2003, a cascade of electrical grid failures caused some 55 million people to lose power in eight northeastern states and southeast Canada.

Investigations found both human error and equipment failures caused the event. Today, both new standards and new regulations adopted since then have lowered risk that a similar blackout could happen again.

NIST’s role in this achievement, beginning in 2007, was to assemble all the relevant stakeholders, from the equipment makers to the regulators, and create a “framework” to achieve improved interoperability of the electric power grid, including so-called “smart grid” devices and systems.

Ten years later, more than 70 industry standards have been put in place with NIST leadership and support that now substantially lower the risk of blackout.

At the same time, these consensus standards make it possible for renewable energy sources such as wind and solar to be better integrated into the grid.

And yet, even with something as seemingly straightforward as electricity distribution, privacy was a big issue. Some stakeholder groups and communities objected to smart meters. They were worried that patterns of electricity use could reveal behavior inside their homes and buildings.

Of course, an even more directly relevant example to our topic today, is NIST’s work to create a Cybersecurity Framework. There’s that word again.

The NIST Cybersecurity Framework was first issued in draft form in 2013.

The project came about because of recognized concerns with the vulnerability of the nation’s critical infrastructure. Things like the electric grid, water companies, telecommunications, etc.

At that time, there was a disconnect between the acknowledged need for stronger, more comprehensive cybersecurity protections and the actual implementation of such efforts.

Just as at this time for this discussion, there is currently a disconnect between the acknowledged need for better agreement on a shared vision of strong privacy protections and agreed methods for reaching such a vision.

In 2013, the headlines focused on cybersecurity breaches where consumers’ credit card information, social security numbers and other sensitive personally identifiable data had been hacked, even from large corporations or federal agencies.

The threat of identity theft had been long been recognized by the public.

But the frequency of these breaches reached a critical point in 2015. A regular survey by the NTIA and the Census Bureau that year found 63 percent of online households were specifically concerned about identify theft.

And perhaps even more important in 2015 was the chilling economic effect from worries about ID theft.

• 45 percent of online households responding to the survey said concerns about cybersecurity risks stopped them from conducting financial transactions, buying goods or services, posting to social media networks or expressing opinions online.

NIST has had success in creating, disseminating, updating and evaluating the cybersecurity framework for use by organizations of all kinds. It has made a positive impact for our security, and it has also been adopted as the standard by other countries.

Our current project to create a new privacy framework is based on our experience, proven process and success with the cybersecurity framework and other frameworks before it.

In case you are not familiar with the cybersecurity framework, here’s a quick description of the current Version 1.1.

• It’s voluntary.
• It’s created collaboratively with expert input from across private and public sectors. It can be used by any size or type of organization to help manage cybersecurity risks.
• It’s written in English, and by that, I mean that it is understandable to everyone from CEOs and entrepreneurs to the geekiest cybersecurity experts.
• It breaks cybersecurity risk management into five “buckets” for easier decision-making and prioritizing: identify, protect, detect, respond and recover.
• It’s a guide, not a one-size-fits-all prescription.
• It gives you options to consider and is backed up with best practices and documented solutions to implement depending on the specific threats faced by your organization in carrying out your mission with your resources.
• It focuses on desired outcomes.
• It provides a common language and definitions so that:
  • suppliers can better align their cybersecurity choices to business customers’ needs,
  • people within an organization can better hold each other accountable; and,
  • organizations can better communicate to any stakeholder, including international customers and governments, how they manage cybersecurity risks.
• And finally, it turns today’s best practices into common practices through periodic updates.

It’s not a magic bullet, but it is driven by what our scientists at NIST would call a feedback loop.

It was originally created by soliciting input from thousands of stakeholders from industry, academia and government, from the U.S. and internationally. And it is now a living document that is revised to meet new realities in the marketplace and incorporate new cybersecurity approaches.

Many organizations, from government to multinational corporations to small businesses, have successfully improved their cybersecurity posture by using the framework.

By 2015, a Gartner study found the NIST cybersecurity framework was being used by more than 30 percent of U.S. organizations surveyed and was expected to reach 50 percent by 2020.

Which brings us back to this morning’s topic, a privacy framework.

If we have a strong cybersecurity framework, do we even need a privacy one?

Yes, we do. Strong cybersecurity is a prerequisite for managing privacy risks, but it’s not sufficient.

Privacy risks also arise from how organizations collect, store, use, and share information, as well as from how people interact with products and services.

We need a different set of considerations to manage cybersecurity and privacy risks appropriately.

So, if you accept that a separate privacy framework is needed, then which elements of the cybersecurity framework plan should we consider in developing the new framework?

All of them. We believe the new privacy framework should be:

• Voluntary
• Adaptable for use by any organization as an enterprise-wide tool
• Understandable and implementable from the C-suite to IT experts to privacy advocates
• Provide a common language and inform privacy risk management decisions
• Focused on outcomes tailored to an individual organization’s needs; and
• Help organizations meet privacy obligations here and abroad.

The intent of the new framework is to increase the effectiveness of privacy protections by enabling conscious, well-considered choices made by organizations based on their customers’ needs that are clearly communicated and understood.

The new framework is further intended to enable innovation through technology solutions with privacy protections engineered in.

The ultimate purpose of this effort is improved trust between businesses and their customers and between organizations and the public.

Right now, there are many different perspectives on what strong privacy protection looks like.

It’s difficult to communicate quickly within and between organizations clearly about privacy risks.

The conversation is complex, conducted in legalese more often than English, and confusing even to experts.

What’s missing is a shared lexicon and a practical structure that brings all parties together and is flexible enough to address diverse privacy needs.

For the rest of this morning’s sessions, we’ll be hearing about the details and the challenges ahead in achieving what is a deceptively simple goal:

• better privacy based on addressing actual risks in a way that supports continued innovation.

As the cliché goes, it’s a tough job but somebody’s got to do it!

At NIST, we thrive on challenges and we hope that you do too, because we will need everyone’s help to be successful.

Today’s discussion is just a beginning. We’ll be quickly following this with another public workshop to gather more feedback in Austin, Texas, on Oct. 16.

There will be many more opportunities to share your good ideas, recommendations and concerns.

Over the coming year, we will offer multiple opportunities for input and to contribute to drafts of the privacy framework to help improve it.

The bottom line is that we want the U.S to lead the way to a privacy future that maximizes privacy protections, innovation, and trust.

We look forward to working with all of you to get there.

Thanks!