Hi, this is Aparna Goswami, Associate Editor with Information Security Media Group. I have the pleasure of speaking with Naomi Lefkovitz, Senior Privacy Policy Advisor and Program Manager at NIST. We will be talking about NIST's privacy framework and what is she hearing from companies after they have implemented the framework. Welcome, Naomi, to the ISM discussion.
Thank you. Thank you for having me. Thank you, Naomi. It's my pleasure.
So, Naomi, now that this framework has been implemented mid of January, so where do you see companies facing the most challenges when it comes to implementing the framework? Yes, so I think, you know, one area that companies have a lot on their plates and they have a very long to-do list and, you know, they're maybe concerned about, you know, adding one more thing to that to-do list. So, we actually think that it's one of the benefits of the framework is that it's very flexible in how it can be used. And so companies and organizations can use it in a very lightweight way and they don't need to so that it would not be so difficult to use and, you know, wouldn't be another item on their checklist.
They can just sort of use it to help themselves communicate better about and tackle that long to-do list and the kinds of projects that they want to undertake with respect to privacy. I mean, I guess that's one of the challenges is sort of getting the buy-in, right, from senior management to use the framework because, you know, many companies have a lot to do. There may be concern that, you know, taking on the framework is just another item that will be resource intensive. And, you know, I think that, you know, some of the feedback that we've heard is that, in fact, you know, organizations can use this in a way to actually get credit for what they're already doing with privacy.
And so they can use it as a way to communicate about what they're already doing and it doesn't need to be seen as, you know, another item on their checklist. You know, and I do think, you know, we also respect that, you know, it is a comprehensive, we tried to make it a comprehensive framework. And so it may be more challenging for small businesses to use. And so, you know, like the cybersecurity framework, which it's modeled after, we are, you know, certainly thinking about developing additional guidance for small businesses to help them use the framework.
Okay, sure. So Naomi, does this framework accommodate other privacy regulatory issues outlined in GDPR, CCPA? Yeah, so we look at the framework as being, you know, we intended it to be agnostic to any particular law or jurisdiction. But then we look at it as having, giving organizations the kind of building blocks to help them meet, you know, any obligation under any particular law or jurisdiction that they're subject to.
So for example, you know, you might have an obligation under GDPR to accept data deletion requests from individuals. And so this is not, the framework is not a prescriptive requirement-based approach, but rather, you know, you have to think through sort of the kinds of policies, technical capabilities that you might need. And so, for example, we have, you know, one of the activities or outcomes that we have is making sure that data can be accessed for deletion. Because if you don't have the capability to actually go in and find and extract data in your systems, then, you know, meeting a legal obligation to take data deletion requests is just going to be aspirational.
Okay, got it. I wanted to ask, can this frame will be used, say, as a standard against which reasonable precautions must be measured? I wouldn't look at the framework that way. We don't really consider it sort of a standard.
It's literally a framework that is a way to think through the kinds of policies and capabilities that you need to build a strong privacy program. And it provides a way, you know, it's really a way for organizations to have a dialogue both internally and with other organizations about the kinds of privacy risks that they're facing and the kinds of, you know, what kinds of solutions that they want to implement to address those risks, whether those be policies or technical capabilities. Okay, you're saying that essentially you don't look at it as a framework that can be considered as an industry standard. Well, not in the sense that it's a standard.
So, you know, you can certainly, you know, it's a framework that really helps you sort of organize your thinking. And, you know, one of the things that we feel is actually a value with the framework is that it's very flexible in how an organization can use it. And so, therefore, on its own, it can be difficult to say what it means to comply with it. There would need to be sort of a sort of an intervention or an intervening step where you sort of made a decision about a particular way that you're going to use it and develop, for example, the assessment criteria against that particular way of using it.
So, you know, it could be taken into standards development, you know, and then could be assessed against. But on its own, it's intended to actually be very flexible and be used in many different ways. Okay, understood. Just wanted to clarify.
So, can it also be used to create a minimum threshold standard for negligence claims? I don't think so because, you know, what I just explained, that is the use, the use is very flexible. So, you know, we don't really encourage that kind of one-to-one direction. This is really about developing processes and having a dialogue and communication, which, you know, I really would emphasize that you should not underestimate how powerful that is in building privacy programs.
So, also when it comes to, I wanted to address the issue of biometrics as well here because that's one area which is kind of gray because people don't know how it is getting protected. So, how does it address, does this address biometrics in a privacy context with respect to the privacy framework? Yes. So again, we've designed the privacy framework to be very flexible and, you know, and to be able to be used with all kinds of technologies.
So, you know, so, so we, you know, there's many, many types of activities and outcomes in there and biometrics is just sort of one aspect of technology that needs to be managed. And so you might be developing policies around the conditions for using biometrics and that would, you know, be covered. Biometrics are not specifically called out as a specific technology, but it's still a technology that needs to be managed under appropriate policies and, you know, and training for employees and so on. So, you know, you would fit that into there.
And then, you know, thinking about kinds of technical capabilities and testing that the technical measure are being tested and assessed. And so again, you know, biometrics are not specifically called out, but it would, you know, all of those kinds of activities would be applicable to using biometrics. Okay. And finally, Naomi, I know it's too early, but what is the initial feedback that you're getting from companies when they have implemented the framework?
What is that you're saying? How has it made their life more easy or what is it that you are hearing? Yeah, so it's really early days yet, but we are already receiving feedback and it's been very positive. As I said, some organizations just use this, have already used it in a very lightweight way.
They've taken the five functions and they've lined up their own privacy program components against them and just done sort of a quick, you know, red, yellow, green. Where are we today? Where do we want to be? And used that as a way to talk to senior management.
So that very quick, lightweight way to use it. Others have sort of lined up their specific controls and internal system requirements and lined those up against the different subcategories. And so that's kind of a deeper dive way to do it. So I think, you know, we're very excited that it's already demonstrating both that flexibility that we hope for and value for organizations.
Well, thanks a lot, Naomi, for sharing your thoughts on this privacy framework. Well, thank you for having me. Thank you so much. You were listening to Naomi Lefkowitz for ICMJ Asia.
This is Suparna Goswami. Thank you for listening.