By Natalie Leutwyler, Lead Privacy Analyst, and Anne Kimbol, Chief Privacy Officer
Recently, a number of important privacy initiatives and regulations have been started or passed, and many businesses are worried about how to adjust their privacy policies and practices to address the new concerns these privacy standards raise. HITRUST is one of the leading experts in the security and privacy field. The HITRUST CSF® contains a privacy controls category and, when appropriate, includes privacy controls in other categories as well.
Our comprehensive Framework is continuously being reviewed and updated to ensure that it is up to date with the latest industry standards and best practices. In version 9.1 of the HITRUST CSF, mappings to the European Union’s General Data Protection Regulation (GDPR) were added. In version 9.2, HITRUST added more GDPR language as well as mappings to the Singapore Personal Data Protection Act of 2012. In the forthcoming version 9.3, HITRUST will be adding the California Consumer Privacy Act (CCPA) to the Framework.
With respect to privacy, the HITRUST roadmap includes the new Brazilian General Data Privacy Act, state laws similar to the CCPA, if they are enacted, and additional international frameworks and requirements. As these requirements and laws change, the HITRUST CSF will change to reflect new understandings of the laws and, particularly in the case of the CCPA, any applicable regulations that are enacted. For the CCPA, we are anticipating rules from the California Attorney General’s Office to be finalized within the next year or so.
This work is meant to support all industries in their data protection programs as they utilize the HITRUST CSF and Assurance Program as a means to “assess once, report many” against the evolving privacy environment.
Additionally, HITRUST is working on creating a separate privacy certification. Currently, through the HITRUST CSF Assurance Program, entities can obtain certification in ‘security’ or ‘security and privacy,’ but not in ‘privacy’ on its own. While there is no privacy without security in terms of an overall effective privacy program, HITRUST wants to meet industry needs to assess privacy programs separately. This is just one example of how HITRUST is adjusting its offerings to meet the needs of our customers and those who rely on the HITRUST CSF Certification as a means of trusting service providers and partners. This certification is in development, and we will provide updates as the process moves forward as well as provide opportunities for stakeholder input and feedback.
HITRUST has also been involved in the work being done by the National Institute of Standards and Technology (NIST). The industry is familiar with the NIST Cybersecurity Framework, for which the HITRUST CSF may be used as the basis for implementation. NIST announced in October 2018 that it was beginning a one-year process to draft a Privacy Framework. Some of the main goals include ensuring that a common language is used in privacy discussions and helping entities improve their privacy posture. NIST has instituted a collaborative process to develop the Privacy Framework, including holding workshops and webinars as well as seeking comments from stakeholders throughout the process.
NIST continues to show its commitment to developing frameworks that are risk- and outcome-based while remaining user-centric. NIST frameworks are structured to support the varying needs and objectives of organizations; the alignment of the Privacy Framework mirroring the structure of the NIST Cybersecurity Framework can optimize the business objective of good privacy and cybersecurity practices. Privacy and security have both overlapping and distinct roles to play. A locked door with transparent, hurricane-resistant glass provides strong security protection, so long as limited keys exist, but it provides almost no privacy protection, as anyone walking by can see what is happening in the building. Similarly, a set of blinds covering the door window does not protect privacy if there is no lock, since it would be so easy to come in and see everything; without security to ensure access is limited, privacy cannot be protected. Security protects against unauthorized use, disclosure, or destruction. Privacy focuses on what uses and disclosures should be authorized.
NIST held its second workshop on the NIST Privacy Framework in May, which was focused largely on the draft released May 1. HITRUST attended the event to ensure that we remain up to date on the Privacy Framework’s development and took advantage of this opportunity to contribute as the Framework is developed. To date, HITRUST has attended NIST’s first two workshops on the Framework, listened to NIST’s webinars and presentations outlining the Framework, and is continuously involved in the discussions surrounding review of the draft, so that we stay up to date on the Framework and actively engaged in the stakeholder process.
Although the proposed parallels between the Privacy Framework and the NIST Cybersecurity Framework embrace and demonstrate an understanding of the relationship between privacy and security, it is vital that the Privacy Framework remains focused on being risk- and outcome-based and doesn’t inadvertently lose value by trying to align too closely with the NIST Cybersecurity Framework. Consistency in the formatting between the two frameworks may help coordinate risk-management efforts, but alignment is not always appropriate. Privacy and security overlap in some areas, but they look at data in a fundamentally different way, which should be reflected in the functions and categories used in the Privacy Framework. The advancement of the Privacy Framework should aim to positively and distinctly impact both privacy and data protection in a manner complementary to the NIST Cybersecurity Framework, not necessarily mirroring it.
Additionally, providing a common and accessible language is key to supporting the user, and thus to the overall success of the framework. A common and comprehensive privacy language will help harmonize practices, data protection, and global interoperability.
However, questions have been raised regarding whether a common language will be achieved, particularly given discussions surrounding which definitions NIST should and should not include in the Framework. Although it is true that different laws and standards have varying definitions of personal data or personally identifiable data, it is unclear whether we can successfully achieve a common understanding of the NIST Privacy Framework’s usage if it does not clarify what is considered personal data with respect to the Framework. Without that specificity, entities claiming compliance with the Framework could define their privacy practices differently for their assessments; a statement that a system is compliant with the Framework and has appropriate underlying practices would then provide limited value to those seeking to understand an entity’s privacy posture.
Concerns in the privacy community have been raised about the potential for duplicative or inconsistent standards being released. The International Standards Organization (ISO) Project Committee (PC) 317 is developing standards on ‘consumer protection: privacy by design for consumer goods and services.’ The standards released by ISO/PC 317 will have immediate international impact given ISO’s standing and reputation worldwide. While ISO/PC 317 is focused on privacy by design rather than privacy at large, many of the issues that will need to be addressed in a privacy by design standard would encompass broader privacy standards. Like the NIST Privacy Framework, these standards are in development. In a panel held at George Washington University Law Center’s Cybersecurity Law Institute on May 22, Naomi Lefkowitz, NIST’s Senior Privacy Policy Advisor, said the ISO standard would fit well with the anticipated NIST Privacy Framework, but until the documents are further along it is impossible to tell. If the United States adopts the Privacy Framework and international companies are looking for the ISO/PC 317 standards, no one wins.
While HITRUST supports the concept of the NIST Privacy Framework, the devil will be in the details. To be successful, the Framework must reflect consumer and industry concerns appropriately and provide a combination of enough flexibility for a risk-based, scalable approach with enough clarity and consistency for a business stating that it is in compliance to have valuable meaning. It cannot conflict with the ISO/PC 317 standards if it is to have international impact and recognition. It also may have weak adoption in the United States absent greater incentives or legislation requiring stronger privacy programs.
HITRUST will continue to participate in the stakeholder process NIST is using for feedback on the NIST Privacy Framework and will keep businesses updated on the Framework, supporting them in assessing their practices against it as appropriate, based on the complete document and our review of its proper place in the HITRUST CSF. HITRUST also plans to publish sector implementation guidance for the NIST Privacy Framework once the Framework is publicly available, similar to the implementation guidance developed for the NIST Cybersecurity Framework.
HITRUST commits to organizations that leverage the HITRUST CSF and other stakeholders that it will continue to expand and mature its privacy offerings – ensuring the HITRUST CSF remains relevant and reflects current and emerging international, federal, and state laws and interpretations, which is key to us meeting our mission of helping businesses improve their data protection practices and postures.