Is NIST Turning Weak Cybersecurity Standards Into Aggressive New Privacy Regulation?

From: Steptoe & Johnson LLP

Article by Stewart A. Baker

Following up on my earlier NIST post, it’s fair to ask why I think the NIST Cybersecurity Framework will be a regulatory disaster. After all, as I acknowledged in that post, NIST’s standards for cybersecurity are looking far less prescriptive than business feared. There’s not a “shall” or “should” to be found in NIST’s August draft.

At least not until you get to the privacy appendix. Then, suddenly, “should” blossoms in practically every sentence. The appendix says that it’s just telling companies what methodology they should use to protect privacy while carrying out cybersecurity measures. In truth, it is setting out a detailed and comprehensive set of prescriptions for companies handling personally identifiable information (PII).

Right off the bat, the NIST privacy “methodology” shows remarkable ambition, telling companies that they “should identify all PII of employees, customers, or other individuals that they collect or retain, or that may be accessible to them.” Why critical infrastructure cybersecurity should require a comprehensive census of PII — but not of other sensitive corporate information — is not explained.

The cybersecurity executive order asked NIST to produce a methodology to “identify and mitigate” the cybersecurity framework’s impact on privacy, but in fact, many of the privacy provisions in NIST’s appendix have only a nodding acquaintance with cybersecurity. For example, the NIST privacy appendix tells companies that they should “limit [their] use and disclosure of PII to the minimum amount necessary to provide access to applications, services, and facilities” and that they “should securely dispose of or de-identify PII that is no longer needed.” That may or may not be a good practice, but its connection to protecting the cybersecurity of critical infrastructure is tenuous. Later, the document goes even further, calling for companies to designate a privacy officer, particularly remarkable given that it doesn’t call for designation of a cybersecurity officer.

The NIST appendix’s disconnection from cybersecurity is most clear when it says that companies should identify their privacy policies and assess whether those policies do the following:
