NIST Privacy Framework: The Implementation Challenges episode artwork

EPISODE · Feb 11, 2020

NIST Privacy Framework: The Implementation Challenges

from Info Risk Today Podcast · host InfoRiskToday.com

Although NIST's new privacy framework is agnostic toward any particular privacy law, "it gives organizations building blocks to help them meet any obligations under any particular law or jurisdiction" says Naomi Lefkovitz, a NIST senior privacy adviser.

Episode metadata supplied by the publisher feed · Published Feb 11, 2020

Although NIST's new privacy framework is agnostic toward any particular privacy law, "it gives organizations building blocks to help them meet any obligations under any particular law or jurisdiction" says Naomi Lefkovitz, a NIST senior privacy adviser.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

NIST Privacy Framework: The Implementation Challenges

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

Hi, this is Aparna Goswami, Associate Editor with Information Security Media Group. I have the pleasure of speaking with Naomi Lefkovitz, Senior Privacy Policy Advisor and Program Manager at NIST. We will be talking about NIST's privacy framework and what is she hearing from companies after they have implemented the framework. Welcome, Naomi, to the ISM discussion.

Thank you. Thank you for having me. Thank you, Naomi. It's my pleasure.

So, Naomi, now that this framework has been implemented mid of January, so where do you see companies facing the most challenges when it comes to implementing the framework? Yes, so I think, you know, one area that companies have a lot on their plates and they have a very long to-do list and, you know, they're maybe concerned about, you know, adding one more thing to that to-do list. So, we actually think that it's one of the benefits of the framework is that it's very flexible in how it can be used. And so companies and organizations can use it in a very lightweight way and they don't need to so that it would not be so difficult to use and, you know, wouldn't be another item on their checklist.

They can just sort of use it to help themselves communicate better about and tackle that long to-do list and the kinds of projects that they want to undertake with respect to privacy. I mean, I guess that's one of the challenges is sort of getting the buy-in, right, from senior management to use the framework because, you know, many companies have a lot to do. There may be concern that, you know, taking on the framework is just another item that will be resource intensive. And, you know, I think that, you know, some of the feedback that we've heard is that, in fact, you know, organizations can use this in a way to actually get credit for what they're already doing with privacy.

And so they can use it as a way to communicate about what they're already doing and it doesn't need to be seen as, you know, another item on their checklist. You know, and I do think, you know, we also respect that, you know, it is a comprehensive, we tried to make it a comprehensive framework. And so it may be more challenging for small businesses to use. And so, you know, like the cybersecurity framework, which it's modeled after, we are, you know, certainly thinking about developing additional guidance for small businesses to help them use the framework.

Okay, sure. So Naomi, does this framework accommodate other privacy regulatory issues outlined in GDPR, CCPA? Yeah, so we look at the framework as being, you know, we intended it to be agnostic to any particular law or jurisdiction. But then we look at it as having, giving organizations the kind of building blocks to help them meet, you know, any obligation under any particular law or jurisdiction that they're subject to.

So for example, you know, you might have an obligation under GDPR to accept data deletion requests from individuals. And so this is not, the framework is not a prescriptive requirement-based approach, but rather, you know, you have to think through sort of the kinds of policies, technical capabilities that you might need. And so, for example, we have, you know, one of the activities or outcomes that we have is making sure that data can be accessed for deletion. Because if you don't have the capability to actually go in and find and extract data in your systems, then, you know, meeting a legal obligation to take data deletion requests is just going to be aspirational.

Okay, got it. I wanted to ask, can this frame will be used, say, as a standard against which reasonable precautions must be measured? I wouldn't look at the framework that way. We don't really consider it sort of a standard.

It's literally a framework that is a way to think through the kinds of policies and capabilities that you need to build a strong privacy program. And it provides a way, you know, it's really a way for organizations to have a dialogue both internally and with other organizations about the kinds of privacy risks that they're facing and the kinds of, you know, what kinds of solutions that they want to implement to address those risks, whether those be policies or technical capabilities. Okay, you're saying that essentially you don't look at it as a framework that can be considered as an industry standard. Well, not in the sense that it's a standard.

So, you know, you can certainly, you know, it's a framework that really helps you sort of organize your thinking. And, you know, one of the things that we feel is actually a value with the framework is that it's very flexible in how an organization can use it. And so, therefore, on its own, it can be difficult to say what it means to comply with it. There would need to be sort of a sort of an intervention or an intervening step where you sort of made a decision about a particular way that you're going to use it and develop, for example, the assessment criteria against that particular way of using it.

So, you know, it could be taken into standards development, you know, and then could be assessed against. But on its own, it's intended to actually be very flexible and be used in many different ways. Okay, understood. Just wanted to clarify.

So, can it also be used to create a minimum threshold standard for negligence claims? I don't think so because, you know, what I just explained, that is the use, the use is very flexible. So, you know, we don't really encourage that kind of one-to-one direction. This is really about developing processes and having a dialogue and communication, which, you know, I really would emphasize that you should not underestimate how powerful that is in building privacy programs.

So, also when it comes to, I wanted to address the issue of biometrics as well here because that's one area which is kind of gray because people don't know how it is getting protected. So, how does it address, does this address biometrics in a privacy context with respect to the privacy framework? Yes. So again, we've designed the privacy framework to be very flexible and, you know, and to be able to be used with all kinds of technologies.

So, you know, so, so we, you know, there's many, many types of activities and outcomes in there and biometrics is just sort of one aspect of technology that needs to be managed. And so you might be developing policies around the conditions for using biometrics and that would, you know, be covered. Biometrics are not specifically called out as a specific technology, but it's still a technology that needs to be managed under appropriate policies and, you know, and training for employees and so on. So, you know, you would fit that into there.

And then, you know, thinking about kinds of technical capabilities and testing that the technical measure are being tested and assessed. And so again, you know, biometrics are not specifically called out, but it would, you know, all of those kinds of activities would be applicable to using biometrics. Okay. And finally, Naomi, I know it's too early, but what is the initial feedback that you're getting from companies when they have implemented the framework?

What is that you're saying? How has it made their life more easy or what is it that you are hearing? Yeah, so it's really early days yet, but we are already receiving feedback and it's been very positive. As I said, some organizations just use this, have already used it in a very lightweight way.

They've taken the five functions and they've lined up their own privacy program components against them and just done sort of a quick, you know, red, yellow, green. Where are we today? Where do we want to be? And used that as a way to talk to senior management.

So that very quick, lightweight way to use it. Others have sort of lined up their specific controls and internal system requirements and lined those up against the different subcategories. And so that's kind of a deeper dive way to do it. So I think, you know, we're very excited that it's already demonstrating both that flexibility that we hope for and value for organizations.

Well, thanks a lot, Naomi, for sharing your thoughts on this privacy framework. Well, thank you for having me. Thank you so much. You were listening to Naomi Lefkowitz for ICMJ Asia.

This is Suparna Goswami. Thank you for listening.

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on February 11, 2020.

What is this episode about?

Although NIST's new privacy framework is agnostic toward any particular privacy law, "it gives organizations building blocks to help them meet any obligations under any particular law or jurisdiction" says Naomi Lefkovitz, a NIST senior privacy...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!