Frameworks for Data Privacy Compliance

In recent years, we have seen an increase in data privacy laws around the world. In the United States, the California Consumer Privacy Act (CCPA) went into effect this year, joining similar data privacy regulations in Maine and Nevada. Five states have also implemented privacy task forces, and many other state legislatures are considering consumer privacy laws.

As new privacy regulations are introduced, organizations that conduct business and have employees in different states and countries are subject to an increasing number of privacy laws, making the task of maintaining compliance more complex. While these laws require organizations to administer reasonable security implementations, they do not outline what specific actions should be taken to satisfy this requirement. As a result, many risk managers are turning to proven security frameworks that specifically address privacy. Doing so can help organizations build privacy and security programs that make compliance more manageable, even when beholden to multiple regulations.

Understanding Privacy and Security Frameworks

While no two frameworks are the same, each is designed to help organizations identify and address potential security gaps that could negatively impact data privacy. Such frameworks include the Center for Internet Security (CIS) Top 20, HITRUST CSF, and the National Institute of Standards and Technology (NIST) Framework.

CIS Top 20 features defensive security actions that serve as a reliable starting point to reduce the probability of data breaches, organized into three sections:

  • Basic Controls include inventory of software and hardware assets, continuous vulnerability management, and controlled use of administrative privileges.
  • Foundational Controls are more wide-ranging and detailed actions that fortify an organization’s defense, such as email protections, boundary defense, data protection and wireless access control.
  • Organizational Controls deal more directly with actions businesses should take to create a culture of security, including employee training, incident response and management, and penetration tests/red team exercises.

California’s attorney general has called the CIS Top 20 an example of “reasonable” security practices, though it is unclear if using this framework as a program baseline will be considered defensible. Still, industry-wide, it is considered the minimum level of security that organizations collecting information should implement.

Originally designed for health care organizations and third-party vendors that serve health care clients, HITRUST CSF leads organizations beyond baseline security practices to establish a strong, mature security program. Recently, HITRUST has expanded its relevancy and applicability beyond health care to provide organizations in any industry with a comprehensive and efficient approach to regulatory compliance and risk management.

HITRUST incorporates input from data protection professionals and existing regulations and standards into a single overarching security and privacy framework. Taking both risk and compliance concerns into account, HITRUST CSF is suitable for organizations of varying sizes and industries, regardless of risk profile.

Before pursuing HITRUST certification, organizations should identify key stakeholders and define the scope. HITRUST recommends a self-assessment to determine what areas should be addressed prior to a validated assessment for certification. Based on the results of the readiness assessment, the organization should develop a remediation plan for any issues identified and work with its external assessor to define timing of the validated assessment.

The NIST Framework also helps organizations move beyond baseline controls to build a stronger security posture. It is composed of three parts:

  • The Framework Core is a set of activities that helps an organization achieve certain cybersecurity outcomes and provides guidance to do so. Within the Framework Core are five functions to organize cybersecurity activities at their highest levels: identify, protect, detect, respond and recover.
  • Framework Implementation Tiers are four categories of cybersecurity maturity:
    • Tier 1: Partial. Risk management practices are not formalized, and there is little awareness of cybersecurity risk.
    • Tier 2: Risk Informed. Some cybersecurity practices are in place, but may not be implemented in a consistent manner across the organization.
    • Tier 3: Repeatable. A formalized, consistent, and enforced cybersecurity policy exists across the organization.
    • Tier 4: Adaptive. An organization has a formalized cybersecurity policy and is continuously adapting it based on past experiences and trends that may alter the way it protects data. While organizations should strive to advance their level of cybersecurity maturity, it may not always be possible or necessary to do so, as tiers are based on an organization’s risk tolerance and other business needs.
  • The Framework Profile aligns functions from the Framework Core and categories and subcategories within those functions with an organization’s business requirements, risk tolerance and resources to determine the current or desired state of cybersecurity activities. This profile can help set the stage for creating a plan to improve overall security posture.

Implementing any of these frameworks will better position an organization for compliance with the security components of privacy regulations, but always remember that it is not a one-time activity. Security frameworks are regularly adjusted to reflect changes to existing laws, introduction of new laws and the evolution of threats. Organizations should regularly reassess their methods for addressing data privacy and security against updated frameworks, determine how changes impact the risk of noncompliance, and adjust their strategies accordingly.

With a number of consumer data privacy laws in effect and more being proposed, businesses must take aggressive, proactive measures to achieve compliance and prepare for enforcement. The absence of definitive guidance from these laws will not preclude liability. Following the prescriptive measures outlined in proven security frameworks will ensure organizations not only meet industry-accepted standards, but also achieve comprehensive security maturity that will yield benefits far beyond compliance.

Reprinted with permission from Risk Management Magazine. Copyright Risk and Insurance Management Society, Inc. All rights reserved.

Written by Ken Jenkins, 2020

Learn more: