Privacy considerations are rising in business significance, and not simply as a matter of data breach liability. As you already know, the European Union recently invalidated the transfer of European citizen data to the United States under Safe Harbor principles that had been in place for over 15 years. This geopolitical result occurred without regard to the business implications for multinational corporations, and provides us with two clear takeaways. First, privacy (like cybersecurity itself) is a key business driver in today’s digital world. Second, the evolution of privacy norms and requirements must be reviewed continuously and anticipated, not simply because they change over time but because they can change overnight.
For those readers tracking these considerations within the NIST Framework, you’ll recall that privacy is an integral part of cybersecurity governance (see the October 2015 Cyber Tactics column). Separately, NIST has developed a draft privacy framework for federal information systems, which includes engineering objectives and privacy risk modeling.