There is a saying in sociopolitical circles: “politics is downstream from culture.” Using that same line of thinking, poses a question: Is information security downstream from data privacy?
In order to tell the difference between security and privacy and how they feed in to each other to achieve both, we’ll look at the leading regulation: the National Institute of Standards and Technology (NIST) Privacy Framework.
Information Security Versus Data Privacy
Why do you secure something? You secure something because you want to keep it private. After all, it’s not exactly like we are in the habit of sharing client data, personally identifiable information, intellectual property or the nuclear codes. All of that should be private. In turn, the rightful owner of the data must secure it. And, that is what makes for an interesting discussion about the difference between cybersecurity and privacy.
Cybersecurity and information security measures are often designed around keeping information safe and available, as a whole. On the other hand, privacy measures tend to be more focused on the processing of personal data and privacy rights.
We may be in the middle of a shift. Laws and frameworks centered around privacy are gaining even greater traction. You could make the argument that much of the shift is a result of protecting the privacy of customer data. For example, a 2019 Pew Research study revealed Americans have data privacy concerns specifically related to the collection and use of their data. Some of the key findings include:
- Concern about how much data apps collected.
- Concern that people collecting that data are not holding it as securely as it once was.
- People feel their online actions are being tracked.
- Few people know what is being done with the data being collected on them.
- Most people accept, but do not read, privacy policies.
- Most people see more risks than benefits from personal data collection.
National Efforts to Increase Privacy
With this shift in public opinion comes an increased focus on privacy and cybersecurity law and protecting personal data. Some examples just over the last couple of years include:
- The European Union’s General Data Protection Regulation (GDPR) from 2018.
- The California Consumer Privacy Act (CCPA), which came into full effect in January 2020.
- More state governments looking at data privacy legislation, in places like New York, Maine, Massachusetts, Nevada, Texas, Washington and even talk of legislation at the federal level.
The federal government is even talking and taking action in regards to American consumer data, notably that mobile app data should be protected and housed within the U.S. due to potential national security concerns. Multiple countries are looking at specific data localization standards in order to protect the data of their citizens and businesses.
It’s almost like we are entering into a type of Catch-22 situation, whereas we create and integrate more secure measures, such as biometrics and next generation authentication, we create a potential privacy nightmare at the same time.
Perhaps the way we avoid that nightmare is to look at what good privacy looks like and then secure that. And a great place to start for how to make a robust privacy program is the NIST Privacy Framework, which was released in early 2020.
Why is the NIST Privacy Framework a Good Example?
The folks over at NIST may have hit another home run after the wildly successful and industry best practice NIST Cybersecurity Framework (NIST CSF). Designed to improve privacy through enterprise risk management, the NIST Privacy Framework works much like the NIST CSF, where the core is made up of functions, categories and subcategories. In fact, there are even some categories and subcategories that are the same as those in the NIST CSF.
Using both these frameworks in tandem makes for a pretty awesome program for both information security and data privacy.
The core functions of the NIST Privacy Framework are:
- Identify: Develop the organizational understanding to manage privacy risk for people arising from data processing.
- Govern: Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s where privacy risk informs risk management priorities.
- Control: Develop and implement plans to enable groups or people to manage data with sufficient detail to manage privacy risks.
- Communicate: Develop and implement plans to enable groups and people to have a thorough knowledge and engage in a dialogue about how data are processed and related privacy risks.
- Protect: Develop and implement data processing safeguards.
If you know the NIST CSF at all, you will feel right at home going through the NIST Privacy Framework, even more so if you use the recently updated (September 2020) NIST Special Publication 800-53rev5, Security and Privacy Controls for Information Systems and Organizations.
Perhaps one of the most helpful tools of the NIST Privacy Framework is the roadmap, which identifies priority areas that describe key challenges and some initial activities.
Why Privacy May Be an Easier Sell than Security
What if we begin to apply that ‘privacy mindset’ to the business as a whole, not just personal data? That could have a profound impact. After all, in many countries, corporations do have some sort of individual rights. In the U.S., for example, the Supreme Court extended some, not all, protections guaranteed to individuals in the Bill of Rights to corporations.
One of the greatest challenges security experts always face is getting people to ‘buy in’ to protection. Putting security downstream from privacy may be one way to get the buy in you need, exactly because privacy can be pictured more easily. There’s something more emotive and personal about privacy than the more generic ‘security’ concept. The NIST Privacy Framework addresses issues from that perspective, too. Just a small sample of examples that illustrate that personal nature includes:
- Categories of people (e.g. customers, employees or prospective employees, consumers),
- Context (e.g. demographics and privacy interests or perceptions, data sensitivity and/or types, visibility of data processing to users and third parties),
- Stakeholder privacy preferences,
- Techniques to limit identification, such as de-identification privacy techniques and tokenization
Next to understanding business operations and having the ability to speak knowledgeably on that issue to the decision makers, getting stakeholders to buy in to security through a strong privacy program based on something like the NIST Privacy Framework may be the most important tool in your persuasion arsenal. If ‘security first’ isn’t working for you, try ‘privacy first’ and let security follow.