SIIA joined with 11 other industry organizations today to express strong concerns with the direction and potential impact of the National Institute of Standards and Technology’s (NIST) recently proposed privacy risk management framework. Specifically, in their draft Internal Report, “Privacy Risk Management for Federal Information Systems”, NIST puts forward a privacy risk management framework with privacy engineering objectives and a privacy risk model. The draft report is intended to offer a methodology to federal agencies to enable them to identify, calculate and account for privacy risks in their systems.
While privacy risk management is a laudable goal that should be pursued, this proposed framework reaches beyond risk management of agreed-upon concepts of privacy. Instead, the draft report presents a catalog of privacy “problems” that includes a long list of subjective problems, together with risk-management methodologies that have not been fully thought out and tested.
By attempting to define these “problems” as a critical part of the engineering methodology, NIST is effectively outlining policy objectives in the privacy realm. However, policy discussions are currently underway in self-regulatory and governmental policy-making bodies, including Congress, state legislatures, the Federal Trade Commission and the National Telecommunications and Information Administration. By populating the proposed risk management framework with privacy “problems,” the NIST methodology is no longer an engineering tool but rather a vehicle for policy making.
The outcome, if this approach is applied in practice, would almost certainly be inconsistent determinations, as agencies implement the framework based on potential harms, or “problems,” on which there is little consensus. And while the focus is intended to be only on Federal Government systems, there is no question that this would have a broad impact on private sector IT providers who partner with the government in building those systems.
Overall, the draft report has some very good elements for promoting strong privacy risk management practices. But unfortunately, strong concerns posed by the IT industry in 2014 were not addressed prior to the release of this draft. Hopefully, before this effort moves forward, there will be an opportunity to flesh out many of the key methodology details and potential harm variables to enable sound engineering decision-making by agencies and their vendors.