By Peter S. Vogel & Chelsea Hilliard
Apr 6, 2020 12:47 PM PT
Life as we knew it before the coronavirus is gone, and many changes will manifest in the pandemic's aftermath. How will it affect privacy laws around the globe? No one knows for sure, and we will not know until the coronavirus is behind us. Cybercriminals long have taken advantage of the Internet, and the spread of COVID-19 has only accelerated their work.
However, since we do not have a firm grip on all the cybercrime that actually is occurring, it is impossible to say whether privacy laws can survive the pandemic intact.
Think about this while you are on your next teleconference: Are cybercriminals tracking you, or maybe even sitting in on the meeting? By the time you have an answer to a question like that, you may already have violated more privacy laws than you can imagine.
Europe’s GDPR
The primary purpose of the GDPR, which became enforceable in 2018, is to protect individuals in the European Union and their personal data. Among other things, EU data subjects can object to the processing of their data, have inaccurate data corrected, and have their data erased (the "right to be forgotten").
Still, during the 2020 coronavirus pandemic, life has become more complicated. People around the world now are using the Internet to help protect themselves and loved ones. It’s likely that few people are paying much attention to the Terms of Use, Privacy Policies, or Click Agreements — which of course few even read prior to the pandemic’s onset.
It is difficult to imagine that EU regulators will have adequate resources to enforce the GDPR during the pandemic, which unfortunately is simply the reality of the times. Enforcement after the fact may come too late to restore privacy for some EU residents.
US Privacy Update
You may not have noticed that shortly before the coronavirus pandemic of 2020 took hold, the National Institute of Standards & Technology (NIST) issued version 1.0 of its voluntary Privacy Framework.
It is worth considering how effective the Privacy Framework can be in light of the coronavirus' impact on the complex privacy laws in the U.S., the EU, and around the world, and worth taking some time to understand how the Privacy Framework fits in.
First, NIST is an agency of the U.S. Department of Commerce, but it is not a regulatory authority. Rather, among other responsibilities, NIST develops information technology and cybersecurity standards and guidance.
In February 2013 the president signed Executive Order (EO) 13636, "Improving Critical Infrastructure Cybersecurity," which led to Congress passing the Cybersecurity Enhancement Act of 2014 (CEA). The CEA "updated the role of the NIST to include identifying and developing cybersecurity risk frameworks for voluntary use by critical infrastructure owners and operators."
NIST Cybersecurity Framework
In February 2014 NIST issued version 1.0 of its Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). It was "developed under EO 13636, and continues to evolve according to CEA," and it "uses a common language to address and manage cybersecurity risk in a cost-effective way based on business and organizational needs without placing additional regulatory requirements on businesses."
The Cybersecurity Framework 1.0 was updated to version 1.1 in April 2018. The update was based on feedback from industry, academic and government professionals, who provided hundreds of comments in response to NIST's call, and from more than 2,000 attendees at workshops in 2016 and 2017.
The Cybersecurity Framework focuses on using business drivers to guide cybersecurity activities, and considering cybersecurity risks as part of an organization’s risk management processes. It consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles.
Among other things, the Cybersecurity Framework includes advice about risk management and how senior executives should focus on organizational risk. It addresses changes in current and future risk, and the need to establish priorities and budgets. At the business/process level, the focus should be on critical infrastructure risk management, and at the implementation/operations level the focus should be on securing critical infrastructure.
The Framework Core lays out five functions for organizations to adopt: Identify, Protect, Detect, Respond and Recover. The Respond and Recover functions presume that an organization has an Incident Response Plan (IRP) that is tested regularly, so that when a cybersecurity incident occurs the organization is ready to act rather than improvise.
However, it is estimated that fewer than 50 percent of businesses actually have an IRP, and that even businesses with IRPs do not test them regularly.
NIST Privacy Framework
The Jan. 16, 2020, version 1.0 of NIST's voluntary Privacy Framework includes advice about the intersection of cybersecurity risks and privacy risks, and the relationship between privacy risks and organizational risks. For instance, a privacy risk for an individual may be "embarrassment, discrimination, or economic loss," while the corresponding organizational risk may be "customer abandonment, noncompliance costs, or harm to reputation."
Because of the relationship between the cybersecurity risk and privacy risk, the Privacy Framework advises “strengthening accountability” through collaboration and communication among senior executives, business/process management, and implementation/operations, and it spells out responsibilities at each level.
GDPR and the Privacy Framework
The Privacy Framework includes only one reference to the EU GDPR. It deals with proportionality, which is "a general principle of EU law":
- It restricts authorities in the exercise of their powers by requiring them to strike a balance between the means used and the intended aim. In the context of fundamental rights, such as the right to the protection of personal data, proportionality is key for any limitation on rights.
- More specifically, proportionality requires that advantages due to limiting the right are not outweighed by the disadvantages to exercise the right. In other words, the limitation on the right must be justified. Safeguards accompanying a measure can support the justification of a measure.
- A pre-condition is that the measure is adequate to achieve the envisaged objective. In addition, when assessing the processing of personal data, proportionality requires that only personal data that is adequate and relevant for the purposes of the processing can be collected and processed.
The Privacy Framework makes no reference to the California Consumer Privacy Act (CCPA) or any other state law. Since the Privacy Framework is not law but U.S. government guidance, it is unclear how businesses will use it to comply with the laws enacted by California and other states.
Hazy Outlook
It is unclear whether the new NIST Privacy Framework actually will provide additional safety and security in the midst of the cybercrime accompanying the coronavirus pandemic.
Unfortunately no one knows, and we are clearly in very unsettling times. Please stay safe and secure, physically in the real world and virtually on the Internet.
Peter Vogel has been an ECT News Network columnist since 2010. His focus is on technology and the law. Vogel is Of Counsel at Foley & Lardner LLP, and focuses on cybersecurity, privacy and information management. He tries lawsuits and negotiates cloud contracts dealing with e-commerce, ERP and the Internet. Before practicing law, he received a master's in computer science and was a mainframe programmer. His blog covers IT and Internet topics.
Chelsea Hilliard has been an ECT News Network columnist since 2019. As an associate at Foley & Lardner LLP, she focuses her business litigation practice on trade secret, noncompetition and securities enforcement matters. She also helps clients with complex electronic discovery disputes, and she has been recognized as a Texas Rising Star attorney by Texas Monthly and as a Top Lawyer under 40 by D Magazine.