Preliminary Draft of NIST Privacy Framework Released

The NIST Privacy Framework will complement the popular NIST CSF

Data privacy and cyber security have a symbiotic and sometimes conflicting relationship. Without robust cyber security, it is impossible to ensure data privacy, as evidenced by the Equifax hack. However, it’s fully possible for an organization to seriously violate users’ data privacy despite practicing robust cyber security. To help government agencies and private-sector organizations better manage the risks of collecting and storing user data and bring privacy risk into parity with their broader enterprise risk portfolio, NIST has released a preliminary draft of the new NIST Privacy Framework, with plans to publish an initial completed version by the end of 2019.

The structure of the NIST Privacy Framework closely mirrors that of the popular NIST CSF so that organizations can use the frameworks together. “While managing cybersecurity risk contributes to managing privacy risk,” NIST writes, “it is not sufficient, as privacy risks can also arise outside the scope of cybersecurity risks.” The Cambridge Analytica scandal – which came to light when a former employee blew the whistle, not in the aftermath of a data breach – illustrated this in stark relief.

What’s in the NIST Privacy Framework?

Like the NIST CSF, the NIST Privacy Framework has three components: the Core, Profiles, and Implementation Tiers. Together they seek to reinforce privacy risk management by helping organizations connect business and mission drivers with privacy protection activities.

The Core component of the Privacy Framework is a set of increasingly granular activities and outcomes to encourage organizational dialogue about managing privacy risks. It contains five main functions: Identify-P, Govern-P, Control-P, and Communicate-P address privacy risks that arise from data processing, while Protect-P addresses privacy risks associated with privacy breaches.

Organizations will use the Profiles component of the Privacy Framework to self-assess their current privacy risk management activities and outcomes and identify opportunities for improvement by comparing them with a desired target profile. Finally, the Implementation Tiers component will help organizations determine whether they have sufficient resources and processes in place to achieve their target profile.

The Privacy Framework is technology-agnostic and “flexible enough to address diverse privacy needs, enable more innovative and effective solutions that can lead to better outcomes for individuals and enterprises, and stay current with technology trends.”

The need for a separate privacy framework

Mobility and connected everything have fundamentally altered the way we live and do business, and consumers now enjoy many conveniences from these technologies. Unfortunately, as the NIST Privacy Framework points out, these conveniences are made possible by data collection on a massive scale, and consumers “may not be able to understand the potential consequences for their privacy as they interact with systems, products, and services.” NIST goes on to say that organizations may not fully understand the consequences, either, and this could have severely negative effects on them in the long run.

Although no federal data privacy law is currently in sight, the California Consumer Privacy Act takes effect on January 1, 2020, and other states are passing privacy legislation modeled on the CCPA. While the NIST Privacy Framework will be voluntary, it seeks to bring some method to the madness and standardize the language around data privacy and privacy risk management.

Public comment on the NIST Privacy Framework draft will be open through October 24, 2019.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

5 Tips for an Effective Cyber Incident Response Plan

A robust cyber incident response plan will minimize both damages and recovery time and ensure business continuity.

Proactive measures to defend against data breaches, malware, social engineering, and other cyberattacks are crucial to enterprise cybersecurity, but there’s no such thing as a completely impenetrable system. Despite your best efforts, your company could still be hacked; do you know what to do if that happens? A cyber incident response plan gives organizations a specific set of procedures to follow after a cyberattack, allowing security teams to respond faster and more effectively.

Unfortunately, many organizations either don’t have cyber incident response plans or have ineffective ones that aren’t clear, specific, or current. Here are five tips for developing an effective plan.

Begin with a current risk assessment

One of the most common shortfalls in cyber incident response plans is that they don’t address the specific risks the enterprise faces right now because they are developed using out-of-date or incomplete information. Be sure to conduct a thorough risk assessment before putting a plan together. Because both enterprise data environments and the cyber threat landscape are dynamic, you’ll need to conduct periodic reassessments and adjust your incident response plan accordingly.

Don’t develop your plan in a silo

According to research by McKinsey, incident response plans are often developed in organizational silos, where individual departments or business units prepare plans to mitigate attacks targeting that unit alone. Unfortunately, this leaves the organization unprepared for an attack that spans multiple business units or even the entire enterprise. Make sure that all company stakeholders work together on incident response, and that the procedures address both unit-level and enterprise-wide attacks.

Clearly identify your stakeholders and their roles and responsibilities

Depending on an organization’s size, quite a few people can be involved in cyber incident response, from IT and security staff to legal and public relations personnel. Who is the incident commander? Who has the authority to take systems offline? Who notifies victims in the event of a breach, and how? Who handles press inquiries? Make sure that your plan specifies who is involved and what their responsibilities are.

Clearly define incident types and thresholds

Different types of attacks require different countermeasures. A high-risk or critical incident might warrant the full or partial shutdown of a system, but doing this would be overkill for a low-risk incident. Incident response plans should include a quantifiable method to classify cyber incidents according to severity.

Outline clear, specific procedures

Each incident classification category must be attached to clear, specific procedures outlining, in detail, what each stakeholder needs to do as part of the incident response. This includes internal reporting and documentation, investigation, containment and eradication, and recovery. Make sure the procedures outline when external parties, such as law enforcement, government regulators, outside legal counsel, and cyber insurers, need to be involved.

Developing a comprehensive cyber incident response plan is well worth the time and effort to minimize damages and ensure business continuity. According to the Ponemon Institute, companies that contain data breaches within 30 days save over $1 million in recovery costs compared with those that take longer.

Growing Number of States Passing Insurance Data Security Laws

Insurers operating in multiple states must comply with a patchwork of state-level legislation patterned after the NAIC’s Insurance Data Security Model Law

In 2017, the National Association of Insurance Commissioners (NAIC) developed the Insurance Data Security Model Law in response to a growing number of cyber incidents within the insurance industry. Similar to the NIST CSF, the NAIC Model Law is voluntary unless a state elects to codify its guidelines into legislation. In 2018, South Carolina became the first state to get on board.

Two years later, more states are passing versions of the NAIC Model Law or their own data security laws targeting insurers. Connecticut, Delaware, and New Hampshire are the latest to jump into the fray, with Connecticut patterning its legislation after the cyber security regulations the State of New York passed in 2017 targeting the finance and insurance industries, and the other states using the NAIC Model.

What’s in the NAIC Model Law?

The purpose of the NAIC Model is to establish a uniform set of standards for data security, breach investigation, and breach notification within the insurance industry. The model includes guidelines regarding security testing, implementing an information security program, assessing cyber risks, incident response, and breach notification procedures. The NAIC Model applies to “licensees,” a broad category that includes companies ranging from large insurance carriers to small, independent adjusters.

The NAIC Model law requires licensees to develop and maintain a comprehensive, written, and customized “Information Security Program” based on a risk assessment and containing administrative, technical, and physical security controls. The NAIC Model provides a number of guidelines for security controls, which licensees must adhere to as “appropriate” based on the results of their risk assessment:

  • Adopt secure development practices for in-house application development.
  • Restrict access at physical locations to authorized personnel.
  • Utilize technical access controls to restrict access to covered data on information systems.
  • Encrypt or protect by “other appropriate means” covered data that is transmitted over an external network or stored on a laptop computer or other portable computing or storage device.

Licensees must also include cyber risks in their enterprise risk management processes and notify their state insurance commissioner of a cybersecurity event within 72 hours.

It’s important to note that the NAIC Model Law applies to “nonpublic information,” which covers a much broader range of data than “personal information.” In addition to personal information, such as Social Security Numbers, driver’s license information, and customer health information, nonpublic information includes “business related information of a Licensee the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Licensee.”

Insurers must grapple with a patchwork of state-level data security laws

While state-level insurance data security laws are similar, there are significant differences that insurers need to be aware of. For example, the NAIC Model Law exempts licensees with fewer than 10 employees. However, New Hampshire exempts licensees with fewer than 20 employees, and Delaware’s law exempts those with fewer than 15. Michigan set the magic number at 25 and also excluded independent contractors; Connecticut is taking a phased approach.

Some states have also modified the NAIC’s suggestion of a 72-hour breach notification deadline. Licensees in Connecticut, Delaware, and Ohio have three business days, while Michigan insurers have 10 business days.

When the NAIC unveiled the Model Law, its goal was to get all states to pass a version of it within three years. Regardless of whether the NAIC reaches its target, insurers should expect more state-level legislation on data security and privacy and prepare to adjust accordingly.
