February 13, 2020

Last Updated on January 13, 2024

GDPR, CCPA and the NIST Privacy Framework, OH MY!
Like Dorothy in The Wizard of Oz, those of us concerned with privacy regulations seem to be following a yellow brick road. Although where this one ends there’s no all-powerful and all-knowing man behind the curtain… (Be warned, I’m going to hit this “Lions and Tigers and Bears” analogy hard throughout the post.)
Much like when Dorothy, the Tin Man and the Scarecrow quickly determined that the lion was cowardly and had no teeth, most US-based SMBs quickly learned that the initially frightening GDPR lion was a bit “toothless,” as there was no feasible way an EU entity could penalize them for noncompliance. So many SMBs largely ignored it.
Further down the yellow brick road, despite their fears, Dorothy, the Tin Man, the Scarecrow and the Cowardly Lion were fortunately spared from any Tigers. But SMBs were not so lucky. CCPA pounced shortly after the GDPR Lion joined us, and this Tiger has teeth (the California Attorney General). Thus, we have reason to hold on to this Privacy Tiger’s tail for fear of getting bitten.
As they continued further down the yellow brick road, Dorothy, the Tin Man, the Scarecrow, and the Cowardly Lion were even more fortunately spared from encountering any Bears. Alas, SMBs are not so lucky, as they met a bear of a standard: the NIST Privacy Framework. OH, MY!
Why am I so concerned about a framework that at this point is voluntary? Because we don’t need the Great Oz to tell us where this is all going, and let’s just say that we aren’t in Kansas (a euphemism for a state of privacy ignorance) anymore.

Consider that the US Government had historically provided a significant amount of Information Security guidance but has generally enforced very little of it (except on its own agencies, and even then, loosely and poorly). Until, in 2011, the government launched the Federal Risk and Authorization Management Program (FedRAMP), a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
In short, if you want to be a Cloud Services Provider to a federal agency, you must operate per a mandated information security and certification program. FedRAMP is a “bear” to implement—although there is certainly gold at the end of that yellow brick road. (I bet you’re starting to wonder how far I intend to push this analogy, right? :>))
Then, in 2014, the government launched the NIST Cybersecurity Framework (NCSF), which provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect and respond to cyber-attacks. NCSF was, and remains, “voluntary.” However, increasingly, state and federal laws and regulations (e.g., Ohio Senate Bill 220) create a “safe harbor” for businesses if they comply with the NIST Cybersecurity Framework. So, while compliance is still voluntary, if you are breached, failure to have complied with NCSF can be used to determine that your security posture was not “reasonable and appropriate” and/or that you were “negligent.” That sounds like a tiger with an ever-growing potential to bite…
In 2019, the Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC). It mandates that any organization that wants to win a DoD contract (there are 315,000 companies in the Defense Industrial Base) must implement a robust information security program. CMMC is also a bear, but more like a Black Bear compared to the Grizzly Bear that is FedRAMP. Nevertheless, CMMC represents a high hurdle that these companies need to address in short order.
Now let’s return to the NIST Privacy Framework launched in 2020. Like NCSF, it’s “voluntary”—until it isn’t, and I think “isn’t” isn’t all that far down the yellow brick road, along with perhaps winged monkeys as well. (I warned you I was going to push this analogy beyond credibility…)
So, what should an SMB do? Find your Professor Marvel, peer into his crystal ball and see what you see.
In her crystal ball, Dorothy saw the effect that her absence from the farm had on her beloved Auntie Em. She jumps up and knows that she has no choice but to return home immediately. When you peer into your version of that crystal ball, I think you’ll see that our collective failure to protect personal information has had a significant impact on our beloved clients, and that governments worldwide have plans to fix that. This vision should spur you to figuratively jump up and start the process of addressing privacy in your business.
Here’s your last chance to bow out before the analogous coup de grâce…
“Goodbye, Professor Marvel, and thanks a lot.” (I kind of like the idea of being referred to as Professor Marvel… anyone know where you can find Frank Baum’s coat?)
“Goodbye, good client. Better get under cover; there’s a Privacy storm blowin’ up, a whopper! Just speakin’ the vernacular of the peasantry. Poor companies. I hope you all get home all right.”