A Cyber Privacy Framework May Be More Valuable Than a Cyber Security One

Jason Malo is a Research Director in CEB TowerGroup’s Retail Banking practice and has over 16 years of experience in the development, management, and marketing of online service solutions. He is focused on market evaluation and product strategy for mobile banking, as well as the impacts of emerging threats, regulation, and customer attitudes regarding security and fraud across banking and card channels. Mr. Malo will be speaking at the NICE Actimize ENGAGE Client Forum in New York, on October 23^rd on “Will Privacy Concerns Slow Mobile Services & Cybersecurity Efforts?”

In the most recent working copy of the U.S. Cyber Security Framework, the National Institute for Standards and Technology (NIST) includes an Appendix which has taken the structure developed for security, and applied it to the development of a privacy methodology. From what has thus far been a fair, but relatively unremarkable outcome in the codification of information security practices, the beginnings of something unique and universally applicable may have sprouted.

Concerns regarding privacy and the protection of civil liberties have increased significantly in the brief time since one social media executive deemed them to be “old people issues.” National and international efforts are underway to establish common cyber security frameworks, and multiple points of legislation have been taken up, but almost all of them have been derailed by the need to ensure proper protection of information.

Recent drivers of privacy concerns are greater self-awareness of the breadth of information shared online, revelations of far-reaching data collection by security intelligence services, non-transparent mobile information collection practices, and the aforementioned cyber security efforts which some see as Orwellian in their justifications.

There have been attempts to define practices for protecting privacy. “Consumer Data Privacy in a Networked World” from the White House, a.k.a. the “Consumer Privacy Bill of Rights”, articulately spells out the need for privacy and substantive principles, but stops short of a practical approach. The FTC’s “Protecting Consumer Privacy in an Era of Rapid Change” provides some principles to drive a strategic privacy plan, but is not fleshed out enough to provide practical direction.

The “Methodology to Protect Privacy and Civil Liberties”, Appendix B of the August 28, 2013 draft of the Cybersecurity Framework, advances this privacy discussion with a practical alignment to functional tasks related to information. If someone in these roles looks at this framework, they will have a high-level understanding of their responsibilities, and that will help set practical boundaries for sharing information.

In the end, with more focus and clarification, Appendix B of the Cybersecurity Framework will have more impact than the framework itself. Privacy has been used synonymously with security at times, but too often serves as its counterpoint of late. Without clarity regarding the consistent protection of personal data, any broad, multi-entity security effort is doomed to fail, and that is why a Privacy Framework should take on emphasis in shared effort, rather than be relegated to a supporting section.