The Digital Identity and Authentication Council of Canada (DIACC) uses the Pan-Canadian Trust Framework (PCTF) to establish guidelines for securing data and protecting the rights of Canadian citizens by controlling and notifying citizens of how the data is used. The European Union has the General Data Protection Regulation (GDPR) for a very wide definition of personally identifiable information – in fact, many organizations likely don’t realize the data that they may have that falls under the protection of GDPR.
Meanwhile, the United States has a patchwork of sector-based requirements for protection of credit card data, health data, confidential unclassified information used for Department of Defense contracts, and while all states have a breach notification law that calls for “reasonable” security and notification requirements, only a handful have actual privacy laws in effect. Even so, the Federal Trade Commission (FTC) enforces US privacy policy and there are many cases of large fines and sanctions for businesses that did not “reasonably” protect consumer data that they collect and maintain.
There is new legislation pending called Improving Digital Identity Act of 2020 that would establish a government-wide approach that would leverage the Social Security Administration and Department of Motor Vehicles to offer new identity services for citizens. The National Institute of Standards and Technology (NIST) will develop the standard framework, which makes sense since that NIST framework was developed by the government for their use and shared freely as guidance for US-based organizations to follow. Alignment to this standard is the best protection for business who want to ensure that their protection of data is “reasonable”, after all, it’s hard for the FTC to argue that their own standard is not reasonable.
While the new legislation is not yet in place, there are immediate benefits in aligning yourself to the NIST Cyber Security Standard (CSF) (or your clients if you provide IT services). You can identify gaps in your protections and address them to minimize your cyber risk – “Detect”, “Respond” and “Recover” are often sorely lacking without aligning to a standard. Aligning to a framework can provide a competitive advantage with customers, make you eligible for Federal grants or contracts, and may qualify you for discounts on your commercial insurance policy.
