NIST Eliminates Privacy Appendix from Cybersecurity Framework

January 24, 2014 by Elliot Golding 2 Comments

In a January 15, 2014 update, the National Institutes of Standards and Technology (“NIST”) announced that it would eliminate contentious privacy provisions in Appendix B of the Preliminary Cybersecurity Framework. The appendix was originally intended “to protect individual privacy and civil liberties” as part of the February 2012 Executive Order 13636 requiring NIST to establish a framework to manage cybersecurity risk. The proposed privacy provisions generated widespread controversy, however, because “the methodology did not reflect consensus private sector practices and therefore might limit use of the Framework.” As a result, NIST determined that the appendix “did not generate sufficient support through the comments to be included in the final Framework.”

In place of a separate privacy appendix, NIST stated that it would incorporate an alternative methodology proposed on behalf of several industry sectors. This substitute approach eliminates references to specific privacy standards, such as Fair Information Practice Principles (FIPPs), given the current lack of consensus regarding such standards. Instead, the Framework will provide “more narrowed and focused” guidance in the “How To Use” section that requires companies to consider privacy implications and address them as appropriate. The high-level measures now include ensuring proper privacy training, reviewing any monitoring activities, and evaluating any privacy concerns that arise when information (such as threat data) is shared outside the company. According to NIST, this approach will “allow organizations to better incorporate general privacy principles when implementing a cybersecurity program.”

Although eliminating the privacy appendix in favor of more general guidance was the only definitive change that NIST announced, the update also noted several other common issues raised in public comments. These topics – which include reaching consensus on what “adoption” of the Framework entails and the use of “Framework Implementation Tiers” to assess the strength of a company’s cybersecurity program – will remain key areas of debate once the Cybersecurity Framework is released on February 13, 2014.

Although the Framework is slated for release in just a few weeks (and will be available here), NIST made clear that it is intended to be a “living document” that will need to be “update[d] and refine[d] . . . based on lessons learned through use as well as integration of new standards, guidelines, and practices that become available.” NIST also explained that it intends to continue serving as the “convener” for such changes until the document can be transitioned to a non-government organization, but will issue a roadmap with more details soon.

Author: Elliot Golding

Elliot Golding is an associate in the firm's Privacy & Cybersecurity, Antitrust, and Health Care groups. Elliot's Privacy & Cybersecurity practice focuses on compliance counseling and security incident litigation regarding a wide range of laws and regulations governing the security and privacy of personal information, such as: HIPAA and HITECH, the Gramm-Leach-Bliley Act (GLBA), the Telephone Consumer Protection Act (TCPA), and state laws governing security and breach notification. Elliot frequently advises clients regarding cyber security and information governance best practices, security policy design and implementation, training, and breach response – both prior to an incident and when managing a data breach crisis. In addition to counseling, Elliot has defended clients in litigation by state attorneys general under state security breach notification laws and HIPAA, and has helped clients successfully avoid enforcement actions altogether by working directly with regulators during investigations. Elliot also provides training directly to clients and their employees regarding HIPAA and state security breach requirements. Elliot is currently the vice-chair of Cloud Computing Committee within the ABA Section of Science and Technology Law.