My friend Stewart Baker has likened the privacy requirements of the draft NIST framework to a "privacy tax." His fear, which has sound economic force, is that the imposition of privacy protective requirements on cybersecurity efforts will drive up the cost of cybersecurity and, necessarily, result in less of that good. Of course, some might argue that this is the right result -- that privacy concerns are of value and should be accounted for in pricing cybersecurity. But that argument begs a difficult question -- how valuable and measured against what in terms of cybersecurity lost?
These thoughts came to mind when I read this letter to NIST, commenting on the privacy provisions of the draft Framework. The letter is from Professor Fred Cate, of University of Indiana, whom I think it is fair to characterize as generally much more supportive of privacy protections than Mr. Baker. Yet his conclusions, in their moderate form, echo Stewart's in some interesting ways. His fundamental conclusions (if I may paraphrase) are that the draft privacy protections are overbroad; apply an inappropriate standard; and mistakenly assume that all information assurance activities will involve issues of privacy. His solution, broadly speaking, is to recommend that NIST transition their privacy discussion to principles of "stewardship" and "accountability" that more closely speak to the types of risks to privacy involved in cybersecurity efforts. On the whole, the entire letter is worth a read.