The Digital Identity and Authentication Council of Canada (DIACC) uses the Pan-Canadian Trust Framework (PCTF) to set guidelines for securing identity data and protecting the rights of Canadians, including how they are informed about, and keep control over, the use of their data. The European Union has the General Data Protection Regulation (GDPR), which applies a very wide definition of personal data; in fact, many organizations likely don't realize how much of the data they already hold falls under GDPR's protection.
There is new legislation pending in the US, the Improving Digital Identity Act of 2020, that would establish a government-wide approach to digital identity, leveraging agencies such as the Social Security Administration and the state Departments of Motor Vehicles to offer new identity verification services to citizens. The National Institute of Standards and Technology (NIST) would develop the supporting framework, which makes sense: NIST's existing cybersecurity guidance was developed by the federal government for its own use and is shared freely for US-based organizations to follow. Aligning to that guidance is the best protection for businesses that want to show their safeguarding of data is "reasonable"; after all, it is hard for the FTC to argue that a framework published by the federal government itself is not reasonable.
While the new legislation is not yet in place, there are immediate benefits to aligning yourself (or your clients, if you provide IT services) to the NIST Cybersecurity Framework (CSF). You can identify gaps in your protections and address them to reduce your cyber risk; of the five CSF functions, "Detect", "Respond" and "Recover" are the ones most often sorely lacking in organizations that have never measured themselves against a standard. Aligning to a framework can also provide a competitive advantage with customers, make you eligible for federal grants or contracts, and may qualify you for discounts on your commercial insurance policy.