Legal Blog

Cybersecurity And Privacy – Linked In NIST’s Framework, But Still To Be Developed

imgres The National Institute of Standards and Technology (NIST) issued its Framework for Improving Critical Infrastructure Cybersecurity 1.0 on February 12, 2013, available here.  While the entire Framework is somewhat general in nature – too general perhaps to please some (your blogger included), completely missing in action was any detail covering privacy and civil liberties standards.  The Framework explained that privacy and civil liberties are “aspects” of cybersecurity, and provided a “general set of considerations and processes for considering privacy and civil liberties implications in the context of a cybersecurity program.” But instead of providing details, the Framework only directed its readers via footnote to NIST Special Publication 800-53 Revision 4 (Security and Privacy Controls for  Federal Information Systems  and Organizations) available here. So, what happened?  It would appear that the drafters of the Framework could not reach consensus about the privacy and civil liberties issues.  In fact, released jointly with the Framework was a “Roadmap” of future NIST and government actions, available here.  The Roadmap explained that the important privacy and civil liberties issues will be the focus of an upcoming “workshop” that could lead to the development of standards for “privacy engineering” to be “modeled after security engineering.”  These standards would serve “as a foundation for the identification of technical standards and best practices that could be developed to mitigate the impact of cybersecurity activities on individuals’ privacy or civil liberties.” Why are privacy and civil liberties standards so important to the cybersecurity industry?  The reason is that comprehensive cybersecurity, almost by definition, requires sharing of private information with the government, and this sharing of information creates a fear (whether real or perceived) of its misuse by the government.  It is this sharing and concern about misuse which is a primary impediment to Congressional action in this area.  So, in addition to the importance of these matters in and of themselves, the connection between cybersecurity and privacy security is critical for the development of legally enforceable cybersecurity standards which can only come about through legislation and subsequent enforceable executive regulations.  Without these legal underpinnings, companies will continue to lack the safe harbors from lawsuits that they need in order to create baseline, reliable security protections for their customers.  Small Business Jobs Act of 2010If you have any questions regarding Cybersecurity And Privacy – Linked in NIST’s Framework, But Still To Be Developed please contact Offit Kurman’s government contracting attorney Edward Tolchin at 240-507-1769 or etolchin@offitkurman.com. Mr. Tolchin’s practice is focused on government contracting, cybersecurity, business litigation, and technology matters. To learn more about Offit Kurman’s Government Contracting and Cybersecurity Practice Groups, please fill out our contact form to access the sound legal guidance that our experienced business law team of attorneys has to offer. You can also connect with Offit Kurman via Facebook, Twitter, Google+, YouTube, and LinkedIn.