EDPACS
The EDP Audit, Control, and Security Newsletter
Volume 59, 2019 - Issue 6
Original Articles

NEW NIST REVISIONS – WHAT DO THEY MEAN FOR REGULATORY COMPLIANCE?


ABSTRACT

Regardless of the industry, several commonalities transcend data privacy and security. Confidentiality, integrity and availability of the data should form the foundation of any risk analysis that assesses technical, administrative and physical safeguards. In the United States, the National Institute of Standards and Technology (“NIST”) publishes a variety of special publications to assist the United States Government and private persons in their legal and regulatory compliance efforts. Recently, NIST promulgated new publications – NIST-SP-800-53, rev. 5 and NISTIR 8228. These two publications are of particular importance for two reasons. First, SP 800-53 addresses a broad spectrum of privacy and security controls. Second, NISTIR 8228 applies to IoT, which is quickly expanding and evolving into a collection of various technologies that interact with the physical world. In essence, IoT is the intersection between information technology and operational technology. The impetus behind this article is to provide a synopsis of these two recent NIST standards, assess their application to a variety of laws in the healthcare, finance and government procurement sectors, and conclude with a round-up of why NIST should be the first place to turn. The take-aways for readers should be the following: to appreciate the importance of data privacy and security compliance; to utilize a risk analysis that is based on NIST standards to address the gaps in the requisite technical, administrative and physical safeguards; and to provide a sampling of legal scenarios where NIST applies.

Additional information

Notes on contributors

Rachel V. Rose

Rachel V. Rose, JD, MBA – Attorney at Law, PLLC (Houston, Texas) – advises clients on healthcare, cybersecurity and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyer’s Top 25. She can be reached at [email protected].