October 28, 2013

How is Your Business Doing When it Comes to Data Security? New National Institute of Standards and Technology (NIST) Guidance Offers Assessment Tools and Recommended Practices

Seller Beware: Consumer Protection Insights for Industry

On October 22, 2013, the National Institute of Standards and Technology (NIST) released a draft Preliminary Cybersecurity Framework that outlines a set of cybersecurity best practices for the private sector. Compliance with the Framework will be entirely voluntary. However, the Framework may establish a common frame of reference for cybersecurity. Businesses can use the Framework to assess their data protection policies and practices and their readiness to respond to security lapses and intrusions.

NIST's draft Preliminary Cybersecurity Framework is the product of an Executive Order President Barack Obama issued on February 12, 2013 that, in addition to directing NIST to work collaboratively with the private sector to develop a cybersecurity framework, requires federal agencies to share additional information regarding threats to cybersecurity with certain U.S. companies. For additional information regarding this executive order, please see our advisory President Issues Executive Order to Improve Cybersecurity of Critical Infrastructure.

Although the Framework is primarily designed for "critical infrastructure entities" – including entities in the financial services, transportation, telecommunications, power supply, and public health sectors – it provides useful guidance to consumer products and consumer services companies and indeed any organization potentially subject to cyber-attacks and focused on evaluating and enhancing its cybersecurity posture.

The draft Framework divides cybersecurity planning into five core segments, each focused on an activity integral to cybersecurity: Identify; Protect; Detect; Respond; and Recover. For each of these core activities, the Framework identifies underlying key categories (e.g., "Asset Management," "Access Control," and "Detection Processes") and subcategories (e.g., "Physical devices and systems within the organization are catalogued," "Data-at-rest is protected," and "Notifications from detection systems are investigated"), and matches them with informative references to existing standards, guidelines, and practices commonly used in critical infrastructure sectors. The draft Framework provides a high level of detail, much of which is technical and can be used to guide the development and specific implementation of data security systems for particular organizations.

The Framework broadly addresses means of enhancing cybersecurity and reducing associated risks. Appendix B to the Framework specifically focuses on the privacy and security of personally identifiable information (PII) and in that context, uses its five-part activity-based approach to offer the following guidance:

  • Identify. (Know what you have.) The Framework recommends that organizations identify what PII they process, analyze, or transmit and identify the contractual, regulatory, and legal requirements that address the maintenance, collection, and sharing of such information. Organizations are also advised to identify threats and other vulnerabilities surrounding the maintenance of PII – including whether that information is likely to be targeted as a commodity in and of itself or instead is likely to be targeted as a means to access other assets within the organization.
  • Protect. (Protect what you maintain.) To protect data, the Framework recommends limiting the use and disclosure of PII to the minimum amount necessary, offering training on privacy and cybersecurity, and implementing appropriate safeguards at all stages of the lifecycle of PII -- from collection to storage to disposal. The Framework also recommends conducting regular audits of stored PII as well as regular assessments of the need for its retention.
  • Detect. (Seek to discover gaps in protection.) The Framework recommends that organizations implement procedures for detecting anomalies and security events, while cautioning that any security monitoring procedures that involve individuals or PII should be performed using the most minimally intrusive means possible.
  • Respond. (Act on what you learn.) When it comes to response, the Framework advises that organizations understand any mandatory obligations for reporting breaches of PII, but cautions that any voluntary sharing of information about a security breach be done in a way that limits the disclosure of PII to only the information necessary to describe or mitigate the breach.
  • Recover. (Mitigate future risks.) Finally, in recovering from a security breach, organizations should explore ways to make improvements to their security systems and should effectively communicate their risk mitigation plans to rebuild their trust with affected individuals, relevant stakeholders, or the wider public.

The standards, guidance, and best practices referred to in the Framework have been developed by various organizations, including industry groups, to help manage cybersecurity risk. NIST plans to continue to rely on industry standards and practices as they are further developed, managed, and updated. Thus, NIST intends that the Framework will evolve with technological advances and in response to business requirements.

The draft Framework will be subject to a 45-day public comment period, and opportunities to provide input include a workshop that NIST will be holding at North Carolina State University on November 14-15. NIST plans to issue the final Framework in February 2014.

© Arnold & Porter Kaye Scholer LLP 2013 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.