FEDSpace:

The Podcast That Helps You Understand Federal Data Privacy and Governance

We couldn’t be more excited to announce the launch of our brand new podcast FEDSpace – your source for all things federal data privacy and governance.

The show – available now on Apple Podcasts, Spotify, and everywhere you get your podcasts – is dedicated to helping you understand the future of federal data management. Each month we’ll bring you interviews with leaders from civilian and defence agencies, privacy pioneers and information governance experts in the Federal Space (see what we did there?)

So – what better way to launch a podcast about federal data and privacy than with guest Naomi Lefkovitz, Senior Privacy Policy Advisor at NIST? Naomi joined NIST, the National Institute of Standards and Technology, in 2012 after serving as Director for Privacy and Civil Liberties in the Cybersecurity Directorate of the National Security Council in the Executive Office of the President during the Obama administration.

A lawyer by training, Naomi recently won the International Association of Privacy Professionals 2020 Vanguard Award, which recognizes privacy professionals “who show exceptional leadership, knowledge and creativity in the field of privacy and data protection, whether through spearheading projects or programs that positively impact the profession or through achievements over the course of an entire tenure or career.”

Naomi and her team at NIST worked to create the NIST Privacy Framework, a tool intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy. On this episode, Mark Evans, Senior Enterprise Sales Engineer at Active Navigation, talks with Naomi about the Privacy Framework and how it’s helping organizations to take privacy seriously.

On this episode, you’ll learn about:

  • What is the NIST Privacy Framework, how it was created and some of its goals
  • Several of the biggest challenges organizations and federal agencies are faced with when identifying and managing cyber risks from a privacy standpoint
  • How to overcome privacy obstacles
  • What you can expect next from NIST

Transcript

Mark Evans: Welcome to the first episode of the FEDSpace podcast – the best broadcast for discussions on all things related to data governance and the federal government. I’m Mark Evans from Active Navigation, and thanks for tuning in! Joining me today to discuss the recently launched NIST Privacy Framework is Naomi Lefkovitz, Senior Privacy Policy Advisor at NIST – the National Institute of Standards and Technology.

Naomi, a warm welcome and thanks for joining us today.

[00:00:31] Naomi Lefkovitz: Thank you, Mark. Thanks so much for having me. I’m looking forward to this!

[00:00:34] Mark Evans: So before we dive in, I just wanted to offer my congratulations on receiving the International Association of Privacy Professionals – that’s the IAPP – the Vanguard Award this month. It’s such a great achievement and a real, true recognition of the fantastic work that you’ve put into the NIST Privacy Framework, which is what we’re focusing on today. So congratulations from everyone here at Active Navigation on a well-deserved award.

[00:00:59] Naomi Lefkovitz: Thank you so much. It’s a huge honor. We’re delighted to have the recognition of the work and I just want to give a shout out to my team because I’m really just the face of it. So they deserve the accolades as well.

[00:01:12] Mark Evans: So Naomi, you’ve been with NIST now for about 8 years, can you walk us through your career journey a little bit and tell us how you landed at NIST and more importantly, how you became involved in the privacy framework?

[00:01:24] Naomi Lefkovitz: So I’m actually a lawyer by training and I started out in – this will date me – in the dot com boom of the 90s and I started for one of the first online retailers in e-commerce.

So in some ways I like to think that I’ve been in privacy for a long time because I wrote one of the first privacy policies on the internet. I like to joke that it was only a paragraph long! From there, I went to the Federal Trade Commission and I worked in their division of privacy and identity protection, and then I did a detail with the Obama administration and the executive office of the president and worked more on privacy and civil liberties.

And that really brought me to NIST, where they really wanted me to help in the information technology lab and work on privacy and develop a program. So I actually lead our privacy engineering program and it’s that foundation that gave us the ability to develop the privacy framework.

[00:02:35] Mark Evans: Cool! So for those that might not have heard of the privacy framework, because it’s a fairly recent initiative, can you give us a high-level overview of what its main purpose is and some of the benefits it can bring to an agency if they adopt it?

[00:02:49] Naomi Lefkovitz: Absolutely. So we like to make clear that this is a voluntary tool that we developed. In part we were hearing, actually from industry and as well as the administration that, we’d done a really good job with the cybersecurity framework – any of your listeners may be familiar with that – and there’s been major privacy incidents in the news and a lot of regulatory activity around privacy, and that it would be very helpful to have a kind of voluntary tool with a risk-based approach to help organizations.

So wanted to give a little bit of background, just to sort of set the frame and I think we really worked with stakeholders to develop this tool and ultimately we came away with sort of three key purposes or value propositions for the framework.

First and foremost, it’s really about building trust – this is something that we do at NIST in our information technology lab. We’re really trying to build trust in information systems and technologies and really working to see how privacy is an aspect of building that trust. So whether you’re an organization with customers or you’re working as a business partner, having good privacy, having effective solutions, and really ultimately being able to essentially optimize beneficial uses of data while minimizing adverse consequences for people, or even society as a whole, is an important aspect of building trust.

So that’s first and foremost. But we certainly recognize that privacy does exist in a very regulatory environment. So we designed the framework to actually be agnostic to any particular law or jurisdiction, but really to sort of providing the building blocks of the policies and the technical capabilities that you might need as an organization to meet your legal obligations and to sort of demonstrate how you might be – the measures that you might be taking – to meet your legal obligations.

And that sort of brings us to the third proposition, which is really, we see this as a communication tool, and that’s something that we learned with the cybersecurity framework, that that was one of its principal benefits was not to be some sort of prescriptive checklist, but really to encourage dialogue about the kinds of activities and outcomes and privacy objectives that an organization may have, and you know, what’s the best way to strengthen privacy programs and get to the more effective solutions for privacy.

[00:05:38] Mark Evans: Thanks for the detailed overview. I think two things that really stuck out in my mind there was trust and communication. They’re really two strong facets of our organizations as well internally as we work with the information governance programs.

So we talked about risk there – what do you see as some of the biggest challenges to organizations in identifying and managing those risks from a privacy standpoint in today’s environment?

[00:06:04] Naomi Lefkovitz: You know, I’m actually going to come back to that trust issue. I think that there’s a lot of trust that needs to be built. There’s research that’s emerging about, sort of this concept of privacy resignation where people certainly are using lots of products and services online, but if you really ask them about it, they actually feel kind of resigned, right? They don’t really have a good sense of how their privacy is being protected. I think that this is only going to grow as we move forward with emerging technologies like internet of things and artificial intelligence that can provide many, many benefits but also bring a whole set of privacy risks as well.

So I think this is where we really see the privacy framework as a risk-based approach, playing a role to help organizations, as you say, “do privacy” better. That is, rather than sort of taking a checklist approach, really think through where are the concerns arising from the way that they’re processing data?

It’s a little bit jargony, sorry. But by that, we mean anything from collecting data through disposing of it, but really thinking through how are we doing that and where might there be some privacy risks so that we can actually tailor effective solutions to mitigating and addressing those risks.

[00:07:37] Mark Evans: So recently we’ve seen some really large scale privacy breaches that, you know, it’s affected millions of people across the world. Why do you think that historically, and still today, privacy doesn’t quite get the same level of attention to security when it comes to risk management?

[00:07:55] Naomi Lefkovitz: I think that’s a great question and I think it’s because privacy, for various reasons, went down this path of starting with principles – and principles are very important – but then they moved from principles almost just sort of, you know, very prescriptive requirements. So for example, the principle of transparency, which is very important, got translated into having a privacy notice. And I think we all know the result of that – I could ask for a show of hands of how many people read privacy notices, and I’m pretty sure it will be low to zero. And so that’s sort of that result of taking that checklist approach of, well, you know, Hey, we have a privacy notice. The risk-based approach question would be, Hey, is anybody reading the privacy notice? And what are they getting from it? Because if you’re not reading it, it’s hard to understand what privacy benefit you’re getting out of it.

And so where security started, just from the get-go basically, from a more sort of risk-based approach of, what are the threats and vulnerabilities and what’s the right solution in that moment or in that environment to address those, those particular risks.

And that’s where we have been working both in the privacy engineering program, and now with the framework, to see how we can build and catch up with security from a risk management perspective.

[00:09:28] Mark Evans: So you mentioned that there are lots of privacy notices and lots of information, but you know, the framework itself is incredibly detailed and each time I read through it, I learned something new and it’s obviously been very well thought out and it was a massive undertaking.

[00:09:45] So what were some of the biggest challenges for you and your team when you were building this out?

[00:09:52] Naomi Lefkovitz: I think there were a couple, I mean, one I think we just touched on right in the last question which was that we didn’t really have a foundation of agreed-upon concepts for privacy risk management the way we did in cybersecurity when we were developing the cybersecurity framework.

So we ended up leveraging the work that we’d already done in the privacy engineering program over the last several years. That’ll be interesting to see how that goes, but one of our goals is to, as I mentioned again with the communication, is to be able to develop some more uniform, consistent ways of communicating about privacy risks.

I think the other big challenge was building this bridge between the principles-based approach that privacy has been in, and implementation. Because I think that’s something else that we’d really focused on in the privacy engineering program is, as I sort of pointed out with my example. It’s one thing to have principles, they’re very important, they provide structure, but you can’t just automatically implement them. So, if you think about data minimization, right, which is another very important principle – you tell engineers “just collect or retain only the information that’s necessary and appropriate.” And they were like, “okay, everything’s necessary in my opinion.” So you really have to provide a frame of analysis, and that’s what risk management does.

So I think one of the challenges with the framework is that we were shifting the way privacy programs typically organize themselves around principles. And we really tried to embed them in the operational activities and outcomes around which the privacy framework is organized. So, I think they’re still a “stay tuned on that”, but that was our, our goal is to really help move from principles to implementation.

[00:11:53] Mark Evans: I liked the fact that you brought up data minimization there cause that’s my day-to-day business and I really appreciate your insights around that piece.

One of the things that I really do like about the framework is that it’s involved community collaboration from day one, and I think that’s really important whenever you’re developing a new initiative.

Can you give us some insights into how government agencies participated in that collaboration and what value they’ve added?

[00:12:20] Naomi Lefkovitz: Absolutely. So our goal was to run a public, open, very transparent process. We really modelled it after the way we developed the cybersecurity framework. We thought that was very successful and so we started with the request for information and moved through various public workshops and comment periods and different draft iterations.

And all along the way, we got feedback and engagement in the workshops and in public comments – which are all on our website – from federal agencies and even other levels of government as well, all the way down to the local level. So it’s really, I think, a really nice example of both public sector and private sector participation.

[00:13:09] Mark Evans: So just going back to the data minimization piece, one of the core functions in the framework is the “identify” and just want to really dive a little deeper into that – and there’s a subcategory called inventory and mapping.

What we’ve found from a vendor side of things is that a lot of organizations don’t have a good grasp of how important that step is when building out any kind of information governance or privacy program of their own. And what we always say to organizations is that you can’t protect what you don’t know you have, and that’s where the inventory and mapping piece comes in from our perspective.

Can you give us some insights into your reasoning for including that and give us a sense for how important the authors of the framework feel it is in the overall sense of the framework itself?

[00:13:56] Naomi Lefkovitz: Absolutely. We heard very clearly from stakeholders that this is very important. So, sort of stepping back one step, we heard that stakeholders wanted the structure of the framework to be aligned with the cybersecurity framework. So naturally, we certainly took a look at what was already existing in the cybersecurity framework, and they have an identical function and it made a lot of sense. It was a lot of very organizational-level processes and practices that are easily translatable to privacy.

But it really struck us that their “identify” starts with a category around asset management – and there was a little bit about data flow identification within that category – but we felt, and it was very validated by stakeholders, that how you process data and what you’re doing with it and where it is, is so critical to understanding and managing privacy risks that it really needed a category devoted to that.

And I would agree with you – when we developed a privacy risk assessment methodology, and part of that methodology calls for developing data maps of the data processing and then going on to analyze privacy risks and identifying problems and sort of prioritizing them… and we found that when organizations use that privacy risk assessment, we thought, Oh, you know, are they going to be able to like think through the kinds of problems people might experience? Is that going to be hard?

That didn’t turn out to be the hard part. It turned out to be the mapping exercise – that was the hardest part. So I think we’ve heard clearly from stakeholders of this very important aspect.

[00:15:48] Mark Evans: I couldn’t agree with you more. You know, we mentioned the fact that NIST also developed a cybersecurity framework, and we’ve seen how successful that’s become over the past eight years since it was first released in terms of the level of adoption it has across organizations, it’s helped drive standards and it’s created a whole set of new focused roles across many types of organizations.

[00:16:10] So what level of impact – in terms of outcomes – would you like to see five years from now for the privacy framework?

[00:16:17] Naomi Lefkovitz: I think we would really love to see that a risk-based approach is really producing more effective solutions for privacy and also that we’re able to develop more consistent, uniform terminology and underlying concepts as an approach to privacy risk management. If we could see the signs of that taking hold, then I really think that we could demonstrate some of that impact from the privacy framework.

[00:16:49] Mark Evans: So the framework’s been out now for a few months, and now that it’s out in the world there’s a lot of planning around engagement of stakeholders through various mechanisms such as webinars, workshops, and industry days.

[00:17:02] I actually attended one of the early industry days back in January, and it was really informative and a great vehicle for learning more and asking questions. Right now we live in very different times with a global impact. How have yourself and the team changed your outreach and engagement strategies given the situation that we find ourselves in right now?

[00:17:25] Naomi Lefkovitz: Yes, it is very challenging. I would say that in terms of all the really serious challenges out there, I don’t want to over-rank ours. But there are certain aspects of our work that – in terms of webinars and virtual meetings and podcasts like this one – that naturally lend themselves to being online. But we are trying to think through, you know, how do we replicate the things like our public workshops that are so valuable to have in person? Are we able to replicate them virtually? And if not, how are we going to manage that? So you know, it is still an open question, but we are working on that.

[00:18:10] Mark Evans: Yes, very challenging times. Indeed. So if our listeners want to learn more about the framework or they want to get started themselves on a privacy program, what kind of resources does NIST provide and where can people find them?

[00:18:24] Naomi Lefkovitz: Yes. So we have a dedicated website, and the framework itself is there, but we’ve provided resources about early adoption, as well as if you’re new to the framework we have a one-on-one webinar recording to help you get started.

[00:18:43] And then we have launched a resource repository. This is very important because we recognize that the framework is relatively high level – it’s really outcome-based. So it’s not telling you exactly how to achieve these outcomes – rather we are looking to have these supporting resources to help organizations achieve specific outcomes or activities to help them develop profiles or think about how there might be crosswalks or mappings to key laws or regulations.

So we’ve developed this resource repository and we’re really encouraging contributions from the community to make that repository robust and help advance the implementation of the privacy framework.

[00:19:30] Mark Evans: So what level of contribution have you had to date for the resources area?

[00:19:36] Naomi Lefkovitz: So it’s been a little slow and gotten a little slower thanks to our challenging circumstances. Certainly, there’s a number of resources in there from NIST guidance, but we really are looking to have additional resources from the community.

[00:19:53] Mark Evans: Oh, great! So what’s next? What can we expect next from NIST as it relates to the evolution of the privacy framework?

[00:20:00] Naomi Lefkovitz: So another concept that we borrowed from the cybersecurity framework was the idea of this companion roadmap. And so in this roadmap, we highlighted a number of areas where we think there are some key privacy challenges and more work needs to be done to both help support and advance the privacy framework. So we have been looking at that and thinking about the workstreams that we’re developing.

So, for example, our director announced early on that we would do a guide for small and medium-sized businesses to help them better use the privacy framework. We’ve heard a number of times in different arenas from stakeholders about privacy workforce and the need to mature and advance a skilled and knowledgeable workforce. So you’re certainly looking at that area thinking about, can we build out perhaps the taxonomy for privacy workforce as well as various other initiatives that we can do under the roadmap to advance a framework and make sure that it continues to evolve to meet stakeholders’ needs.

[00:21:17] Mark Evans: Well, that’s great to hear that this is evolving day by day and you’ve got a really solid roadmap out there that’s based on the successful outcomes from the cybersecurity framework. So it’s really good to hear!

I mentioned at the beginning about the Vanguard award. In the article there was a quote that said that you went into public service so that you could do good.

I think that’s a great quote and the privacy framework is, in my opinion, it’s certainly a good thing – if not a great thing – and it was a real pleasure speaking with you today, Naomi, and I hope the listeners have got some really good insights into what the privacy framework is, what it supports, what the benefits are and how they can get started. I’d really like to thank you so much for being a part of this conversation today.

[00:22:05] Naomi Lefkovitz: Thank you, Mark. Thank you so much for having me and it’s been a great pleasure and I look forward to continuing to work with you and other stakeholders on the framework.

[00:22:14] Mark Evans: Once again, thanks so much for your time. Well, thanks everyone for tuning in today. We’ll see you next time on FEDSpace – produced by Active Navigation.