August 5, 2021

Volume XI, Number 217


Does the NIST Privacy Framework Require that Companies Score Themselves?

No. The NIST Privacy Framework recommends that companies summarize their maturity with respect to each category by using four “Tiers.” The Tiers are intended to describe whether the current practices of the company with respect to the domain are partially in place (Tier 1), risk informed (Tier 2), repeatable (Tier 3), or adaptive (Tier 4). While the NIST Privacy Framework contemplates that a maturity assignment using the tiering system will help a company “communicate internally about resource allocations necessary to progress to a higher Tier or as general benchmarks to gauge progress in its capability to manage privacy risks,” the Privacy Framework does not mandate that companies assign a Tier to each subcategory, nor does it mandate that companies achieve a certain Tier level.[1] The net result is that the Tiers are designed to be a tool to help companies conceptualize their maturity in relation to specific privacy issues.

[1] NIST, NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0 at 9 (Jan. 16, 2020).

 

©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 162

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...
