Privacy & Information Security Law Blog

On December 12, 2013, Fred H. Cate, Senior Policy Advisor in the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”), submitted comments in response to the National Institute of Standards and Technology’s (“NIST’s”) Preliminary Cybersecurity Framework (the “Preliminary Framework”). On October 22, NIST issued the Preliminary Framework, as required by the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (“Executive Order”), and solicited comments on the Framework. The Preliminary Framework includes standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks.

The comments criticized the Methodology to Protect Privacy and Civil Liberties, which appears as Appendix B to the framework, as being unlikely to advance either privacy or security.

The primary reason for the criticism is the fact that the proposed privacy methodology is completely distinct both from the Preliminary Cybersecurity Framework itself and from the wide range of successful privacy and data protection programs already implemented by industry leaders.

Commenters also note that the considerable breadth of Appendix B magnifies the concern over the inconsistency of Appendix B. Appendix B does not appear to be limited to security-related activities to start with, and, even when applied to those activities, it raises the prospect of privacy and civil liberties issues being evaluated where experience shows they are unlikely to exist. Moreover, the inclusion of “civil liberties” issues, which historically have applied only in the context of government activities, in a framework that primarily targets the private sector is not only overly broad, but potentially specious. In addition, a number of the requirements of Appendix B go far beyond existing U.S. privacy law.

According to the comments, the proposed methodology also is troubling because of the claim in its introductory text suggesting that it is “based on the Fair Information Practice Principles (FIPPs) referenced in the Executive Order.” FIPPs, such as notice and choice, are a poor basis for addressing most cybersecurity privacy issues. The FIPPs also are being increasingly challenged, precisely because of their often-poor fit in contexts such as Big Data, ubiquitous surveillance and cybersecurity.

The reference to the Executive Order also is misleading since FIPPs are addressed in Section 5 of the Executive Order, which deals with the conduct of government agencies, not industry (and even there are referenced along with “other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities”). FIPPS are not addressed in the context of the privacy methodology in Section 7.

To address these concerns, Cate recommends the following:

• Eliminate Appendix B and move privacy protection into Appendix A, so that the protection of privacy is clearly integrated with cybersecurity.
• Make explicit that the privacy protections apply only in the context of information assurance activities.
• Limit the privacy methodology, wherever it appears, to objectives and principles, rather than specific tasks. In addition, limit the methodology to privacy—not other civil liberties—or if the protection of other civil liberties is to be included, clarify that this responsibility can apply only to government entities.
• Eliminate any reference to FIPPs.
• Focus instead on more relevant principles of “accountability” and “stewardship” of personal data, such as the work the Centre has been leading in recent years.
• Do not assume that all, or even most, information assurance activities will raise privacy issues, and do not impose significant burdens on industry to restrict sharing cyber threat information with the government that might contain personally identifiable information if the government already has access to the data.

Under the Executive Order, NIST is required to issue a final version of the Framework in February 2014.