Following up on my earlier NIST post, it’s fair to ask why I think the NIST Cybersecurity Framework will be a regulatory disaster. After all, as I acknowledged in that post, NIST’s standards for cybersecurity are looking far less prescriptive than business feared. There’s not a “shall” or “should” to be found in NIST’s August draft.
At least not until you get to the privacy appendix. Then, suddenly, “should” blossoms in practically every sentence. The appendix says that it’s just telling companies what methodology they should use to protect privacy while carrying out cybersecurity measures. In truth, it is setting out a detailed and comprehensive set of prescriptions for companies handling personally identifiable information (PII).
Right off the bat, the NIST privacy “methodology” shows remarkable ambition, telling companies that they “should identify all PII of employees, customers, or other individuals that they collect or retain, or that may be accessible to them.” Why critical infrastructure cybersecurity should require a comprehensive census of PII — but not of other sensitive corporate information — is not explained.
The cybersecurity executive order asked NIST to produce a methodology to “identify and mitigate” the cybersecurity’s framework’s impact on privacy, but in fact, many of the privacy provisions in NIST’s appendix have only a nodding acquaintance with cybersecurity. For example, the NIST privacy appendix tells companies that they should “limit [their] use and disclosure of PII to the minimum amount necessary to provide access to applications, services, and facilities” and that they “should securely dispose of or de-identify PII that is no longer needed.” That may or may not be a good practice, but it’s connection to protecting the cybersecurity of critical infrastructure is tenuous. Later, the document goes even further, calling for companies to designate a privacy officer, particularly remarkable given that it doesn’t call for designation of a cybersecurity officer.
The NIST appendix’s disconnection from cybersecurity is most clear when it says that companies should identify their privacy policies and assess whether those policies do the following:
“i) provide notice to and enable consent by affected individuals regarding collection, use, dissemination, and maintenance of PII, as well as mechanisms for appropriate access, correction, and redress regarding use of PII;
“ii) articulate the purpose or purposes for which the PII is intended to be used;
“iii) provide that collection of PII be directly relevant and necessary to accomplish the specified purpose(s) and that PII is only retained for as long as is necessary to fulfill the specified purpose(s);
“iv) provide that use of PII be solely for the specified purpose(s) and that sharing of PII should be for a purpose compatible with the purpose for which the PII was collected; and
“v) to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.”
Not one of these quasi-requirements has anything to do with the objectives of the executive order. But they have everything to do with smuggling comprehensive privacy regulation into a cybersecurity initiative. In fact, the provisions are more specific and demanding than the twenty-year privacy consent decrees imposed on technology companies like Google that have been caught up in FTC enforcement actions.
The provisions are drawn from the so-called Fair Information Practice Principles that the US government adopted for itself in the 1970s — and that Europe’s data protection laws incorporated around the same time. The United States has never applied them across the board to its private sector, in part because they turned into such a free-floating instrument of selective enforcement in Europe. Taken literally, the principles are either fatally ambiguous or impossible to fully comply with, leaving privacy bureaucrats with authority to impose harsh penalties on anyone they choose.
Not surprisingly, that sounds like a great idea to the United States’ foremost practitioner of selective enforcement, the Federal Trade Commission. For more than a decade, the FTC has begged Congress to enact something like the Fair Information Practice Principles as a way of giving the Commission some legislative support for its claim to be the nation’s chief privacy enforcer. To no avail. So for the Commission, the NIST proposal is a bonanza of new authority, or at least topcover. Indeed, it is a godsend for every regulatory agency that wants to add privacy to its list of regulatory requirements.
That’s because of how the cybersecurity executive order treats NIST’s work product. Once NIST has finished the framework, next January, the administration plans to use a wide range of incentives to get industry to adopt the framework. But the document’s effect will be felt as soon as a preliminary draft is issued in October. The executive order instructs every regulatory agency in the federal government to to review the preliminary NIST framework and report to the President on whether the agency has authority to impose NIST’s framework on the industries it regulates. If an agency lacks authority, it will almost certainly be invited to go ask for it. This means that the privacy appendix, which made its first appearance in public in the dead of August, will have a potentially irreversible effect as early as October 10, when NIST is due to issue the preliminary framework.
In short, if the NIST framework keeps this appendix, the FTC and every other regulator in town will have plenty of topcover to impose the Fair Information Practice Principles on the private sector. The excuse for doing so will be the need for better cybersecurity, but adoption of the NIST framework as written will likely be a net loss for cybersecurity. That’s the subject of a third and final post that I’ll offer shortly.
NOTE: I tried to reach NIST officials to get their response. But the shutdown means that many are not available. I did get a clear sense that the preliminary framework will not be released on October 10. It will likely be delayed for as long as the shutdown lasts, plus some time for interagency clearance. So the bad news from the shutdown is that we can’t get to NIST’s website, and the good news is that every day of shutdown is a day of delay for this unfortunate standard. All things consdered, I think I can live without the website.