Agencies are treating privacy today like they treated cybersecurity three or five years ago.
They realize it’s important. They realize they have to do it. But they aren’t exactly sure how to do it, or what applying privacy to data actually means.
“Privacy is a management issue. It’s a classic risk management issue in the same way that cybersecurity issues are risk management issues and in the same way business expenditures are risk management issues,” said Peter Miller, the chief privacy officer at the Federal Trade Commission, during a presentation at ACT-IAC’s forum on cybersecurity and privacy in Washington Tuesday. “In order to do an effective job, you have to accurately identify the risks that are involved. Again, that talks about how you actually handle the risks associated and the issues, and is privacy actually involved?”
Like many experts preached for the last decade and still do today around cybersecurity, agencies need to consider privacy implications on the front end of any new system, data collection or other activity.
More than a decade after Congress passed the last major law addressing privacy, the E-Government Act of 2003, privacy issues are near the top of the list for many agencies with the recent National Security Agency data collection revelations, as well as the increased number of data breaches across the public and private sectors.
Over the last 40 years, agencies haven’t ignored privacy. The Privacy Act of 1974 still applies today. The E-Government Act included privacy updates and new requirements, including the need for all agencies to do a privacy impact assessment when there are new collections of, or new technologies applied to, personally identifiable information.
And of course, the Office of Management and Budget required, as part of the E-Government Act’s implementation guidance, that each agency name a senior official in charge of privacy.
Two faces of privacy
Some agencies named a person whose sole job is to be the chief privacy officer (CPO), such as the departments of Homeland Security and Justice. But others have added the CPO hat to their CIO or general counsel or assistant secretary for management.
So now, 10 years after the E-Government Act, 40 years after the Privacy Act and in the midst of recent data disclosures, agencies really are just beginning to understand how they need to address privacy issues.
Miller said part of the challenge is privacy is both subjective and objective.
Privacy, in many ways, is hard to define because it means different things to everyone. But there are rules and regulations that govern agency implementation — most of which need to be updated because Congress and the White House haven’t kept them up with the changes in technology and how agencies use data. This discussion is very similar to the debate around cybersecurity that’s been ongoing for the last three years between the administration and Congress.
Miller said the role of the CPO is similar to the role of a chief information security officer, but less defined in some respects.
“I want to be the person to support the business operations in a positive way. So privacy is never saying ‘no.’ Privacy is about saying ‘yes’ or ‘yes, but there may be some modifications to a particular project or particular application.’ But not something that actually stops an organization dead in the water,” he said. “Of course, the other issue we all deal with is, privacy is just one component of an overall operation. So you have the IT piece, the business mission piece, you have stakeholders, and you have all these different pressures on an organization. So privacy can’t always drive the process, but what it can do is inform the process.”
A major role for the CPO is to convince the business owners about why privacy needs to be considered on the front end of any program, again similar to the way CISOs and CIOs were talking about cybersecurity three or five years ago.
Best practices available
Miller said the FTC is following several principles to improve its privacy processes.
“It’s important that you know the data. I think one of the things privacy puts a real premium on is knowing where in an organization personal information resides, and knowing how it’s used and where it’s used, and that’s separate from the other information an organization handles,” he said. “One of the key issues for this, in terms of knowing the organization’s data, is being able to break it down in a way that makes sense in terms of talking about it, identifying risks and moving on.”
Miller said the other issue the FTC tries to keep an eye on is the lifecycle of the data from first ingestion to disposal, which is important for both privacy and cybersecurity.
“You pretty much have to start thinking about information when it comes in the door or is created, and follow it all the way through,” he said. “If you lose track of information at any point during that process, whether you are talking about privacy and cybersecurity, you find yourself in a position where there is unaccounted-for information and perhaps gaps in the system.”
Miller said the FTC, and other agencies for that matter, need to include their CPOs early on in the process when the agency is developing a new system. He said the times he has said “no” is when colleagues brought him something to approve at the last minute and there were privacy issues.
The other area Miller said the FTC and others need to pay close attention to in terms of implementing privacy is for new technologies, including cloud computing or mobility.
“Vendor management issues are unbelievably important in terms of data flow. You need to make sure that whatever principles your organization has established in terms of how it will handle, collect and use data is not only flowed through to vendors, but you have a way to audit it, you have a way to look at it and you have a way to ensure you know what your vendors are doing,” he said. “When we talk about privacy friendly information lifecycles, one of the things that we are talking about is making sure you know where personal information is through all points in the organization, from the time you collect it to the time you get rid of it. One of the things I’d also like to flag is, if you are an organization that decides you can keep information by de-identifying it, anonymizing it or aggregating it, it’s really important to know how you are doing that, what the principles are and what the defenses are, in case it does get re-identified.”
Coming together across sectors
Miller added that privacy experts say it is very possible to fully de-identify data as technology and analysis tools get better. He said it’s key for agencies to consider this issue as part of their risk management plans.
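Miller’s two points above, knowing how personal information is de-identified and what the defenses are if it is re-identified, can be turned into a measurable check before a dataset is released. The following is an added example, not code from the article, the FTC or NIST: it measures the k-anonymity of a constructed sample release (names already removed, but ZIP code, date of birth and sex retained), then shows how generalizing those quasi-identifiers and suppressing small groups changes the result. The record layout, field names and values are all constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real people, not taken from the article).
# Direct identifiers are already gone; zip, dob and sex are quasi-identifiers
# that can still single out a person when combined.
RECORDS = [
    {"zip": "20580", "dob": "1975-03-12", "sex": "F", "diagnosis": "A"},
    {"zip": "20580", "dob": "1975-03-12", "sex": "F", "diagnosis": "B"},
    {"zip": "20581", "dob": "1975-07-30", "sex": "M", "diagnosis": "A"},
    {"zip": "20583", "dob": "1975-11-02", "sex": "M", "diagnosis": "C"},
    {"zip": "20582", "dob": "1980-01-05", "sex": "M", "diagnosis": "C"},
    {"zip": "20584", "dob": "1980-09-17", "sex": "M", "diagnosis": "A"},
    {"zip": "20583", "dob": "1980-11-21", "sex": "F", "diagnosis": "A"},
    {"zip": "20584", "dob": "1980-06-09", "sex": "F", "diagnosis": "B"},
]

# Hypothetical choice of quasi-identifier columns for this dataset.
QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def equivalence_classes(records, fields):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def min_k(records, fields):
    """k-anonymity of the release: the size of the smallest equivalence class.
    k == 1 means at least one record is unique on its quasi-identifiers."""
    classes = equivalence_classes(records, fields)
    return min(classes.values()) if classes else 0


def singletons(records, fields):
    """Quasi-identifier combinations that point at exactly one record."""
    return [key for key, n in equivalence_classes(records, fields).items() if n == 1]


def generalize(record):
    """Coarsen quasi-identifiers: keep the 3-digit ZIP prefix and birth year only."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:4]
    return out


def suppress_below_k(records, fields, k):
    """Drop records whose equivalence class is smaller than k (a second defense
    when generalization alone does not reach the target)."""
    classes = equivalence_classes(records, fields)
    return [r for r in records if classes[tuple(r[f] for f in fields)] >= k]


def release_report(records, fields):
    """Summarize the naive release against a generalized one for a risk review."""
    generalized = [generalize(r) for r in records]
    return {
        "naive_k": min_k(records, fields),
        "naive_singletons": len(singletons(records, fields)),
        "generalized_k": min_k(generalized, fields),
        "generalized_singletons": len(singletons(generalized, fields)),
    }


if __name__ == "__main__":
    report = release_report(RECORDS, QUASI_IDENTIFIERS)
    for name, value in report.items():
        print(f"{name}: {value}")
    kept = suppress_below_k(RECORDS, QUASI_IDENTIFIERS, 2)
    print(f"records surviving k>=2 suppression without generalization: {len(kept)}")
```

On this constructed data the naive release has k = 1 with six records unique on ZIP, date of birth and sex, which is exactly the situation Miller warns about: the agency believes it holds de-identified data while individual rows remain linkable to outside records. Generalizing to ZIP prefix and birth year raises k to 2 with no singletons, and the suppression function shows the cost of the alternative defense (only two of eight records would survive a k = 2 threshold without generalization). The number to record in the risk management plan is the k actually achieved, not the fact that names were removed.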
Miller said there are two ongoing examples of privacy and cybersecurity coming together.
“On the public sector side, we have NIST Special Publication 800-53, Rev 4, Appendix J, which formally incorporates privacy controls into the pre-existing information security controls,” he said. “NIST actually has recognized the importance of this by changing the title of the publication so it’s no longer just information security, but information security and privacy.”
Miller also said the upcoming Critical Infrastructure Cybersecurity Framework that NIST is leading the development of is focusing on privacy controls and considerations that need to be worked through as part of implementing the standards.
There have been some reports that NIST removed the privacy appendix from the cyber framework, which is due out next month. But administration officials say privacy still is very much a part of the framework.
Updates needed for documents?
Dennis Callahan, the director of federal alliances for Palo Alto Networks, which provides cybersecurity software to agencies, said agencies are most focused on having tools that protect both cybersecurity and privacy.
He said agencies are becoming more comfortable with how to deal with privacy, many times through cyber tools such as identity management. But the processes to integrate policies around cyber and privacy issues are getting more difficult to implement.
One audience member at the ACT-IAC event asked if Miller thought the Privacy Impact Assessments (PIA) and System of Records Notices (SORN) need to be updated.
Miller answered the question in a politically correct way, reiterating that it was his opinion, not the FTC’s.
He said the laws and guidance are five years old or older, and in the case of the Privacy Act 40 years old. So the goal for agencies is to apply the guidance as flexibly as possible, and where there are gaps, to make an intelligent risk management decision, Miller said.