By Anne Kimbol, Chief Privacy Officer, HITRUST
A year ago, it would have been hard to say that 2019 would bring strong agreement on the fundamental principles of privacy that allow companies to begin strengthening their approach and protecting consumers.
Hearings at the Senate Commerce Committee and House Energy and Commerce Committees this week solidified this need.
And there are a lot more people joining the conversation.
Who would have thought that many of the leading trade associations would advocate for a strong risk-based framework that would incentivize strong and enforceable compliance programs, universalize compliance, and create a “safe harbor” process in the law? The good news is that there are solutions already in the marketplace now.
Within the last few months there have been a number of proposals on the table. The Federal Trade Commission (FTC) and Senate Commerce Committee, among others, have held hearings on data protection and appropriate privacy frameworks for the United States to consider. The FTC, the National Telecommunications and Information Administration (NTIA), and Congress have all asked if the FTC should be the main enforcer of data protection principles and, if so, whether it has the resources and authority to effectively do so.
The NTIA released a request for comments on a possible approach to consumer privacy, and the National Institute of Standards and Technology (NIST) has hosted a workshop to discuss a possible privacy framework, with a second workshop scheduled for May. The European Union, through its General Data Protection Regulation (GDPR), and California, through its already amended Consumer Privacy Act (CCPA) confirmed their stance on these issues earlier this year. In response, we have seen proposed privacy frameworks from a broad range of stakeholders, including the US Chamber of Commerce, several large tech firms, and a number of trade associations.
More Good News
The good news is that the overall principles being suggested match up well with existing privacy frameworks. They match so well, in fact, that they serve as the control objectives for the privacy category in the newly released HITRUST CSF® version 9.2. This category focuses on transparency; individual participation; purpose specification; data minimization; use limitation; data quality and integrity; and accountability and auditing – and includes not only mappings to US law and the GDPR, but also references to the Fair Information Practice Principles (FIPPs), the Organization for Economic Cooperation and Development (OECD) Privacy Principles, and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework. These standards were also referred to by the NTIA regarding the proposed stance of this Administration on privacy and at the NIST Privacy Framework Workshop in Austin late last year.
Combined with the security categories, the HITRUST CSF is, and will remain, a strong risk-based framework against which entities can assess their compliance with applicable laws and best practices with respect to data protection. While the areas of disagreement among the privacy proposals remain large, they should not overshadow the need to reach a viable approach going forward.
HITRUST, as a leader in risk-based data protection standards, is actively monitoring and participating in these discussions to help ensure Congress and the Administration consider the issues involved fully and understand how frameworks like the HITRUST CSF allow industry to balance some of these important concerns and ensure their practices are strong and up-to-date. We look forward to continuing our work of engaging with interested parties and sharing information on what role the HITRUST CSF can play. Version 9.2, as mentioned, with its revamped privacy category, and Version 10, which is expected in 2019, further HITRUST’s work to broaden the framework so that it is industry and location neutral.
The HITRUST CSF is applicable to all organizations large and small, includes mappings and information from laws and frameworks globally, and takes a broad view of how entities should consider and address data protection. Using the HITRUST CSF framework can help entities ensure their data protection policies and procedures are in line with not just laws but also industry practices, which evolve faster than laws and tend to be more focused on current data uses. This is true and will remain true in the future, as the HITRUST CSF adapts to meet changing laws, standards, and industry and consumer expectations on data protection.