Confirmation Bias in the Privacy Profession: Common Misreading of the NIST Privacy Framework

Tuesday, September 12, 2023 - 4:30 pm4:45 pm

Nandita Rao Narla, DoorDash; R. Jason Cronk, Institute of Operational Privacy Design

Abstract: 

Confirmation bias is a cognitive bias whereby people consume information in a way that reinforces their previously held beliefs. Many users and implementers of the NIST Privacy Framework do just that, diverting their attention away from many of the important and central concepts in the framework. Similar to the Cybersecurity Framework, the Privacy Framework embodies a risk based approach, but many privacy professionals are more familiar with principle based privacy with a primary goal of legal and regulatory compliance. Focusing on these mental models can lead to challenges and conflicting interpretations of NIST Privacy Framework concepts and terminology, much of which is unique to the framework and not found elsewhere in the professional literature. This presentation will highlight some of the common misconceptions and antipatterns related to the usage of NIST privacy framework drawn from real life case studies and implementation experience across industries.

Nandita Rao Narla, DoorDash

Nandita Rao Narla is the Head of Technical Privacy and Governance at DoorDash, where she leads the privacy engineering, assurance and operations teams. Previously, she was part of the founding team of a data visibility and data risk intelligence startup and as an advisor helped Fortune 500 companies build and mature Privacy, Cybersecurity, and Information Governance programs. Nandita currently serves on the advisory boards for Extended Reality Safety Initiative (XRSI), Techno Security & Digital Forensics Conference, and IAPP - Privacy Engineering. Nandita holds an MS in Information Security from Carnegie Mellon University, a BTech in Computer Science from JNT University, and privacy and security certifications such as FIP, CIPP/US, CIPT, CIPM, CDPSE, CISM, CRISC, and CISA.

R. Jason Cronk, Institute of Operational Privacy Design

With over two decades of experience in principle and trust consulting, R. Jason Cronk is a seasoned privacy engineer, developer, lawyer, author of the IAPP textbook “Strategic Privacy by Design,” Section Leader of the IAPP's Privacy Engineering Section, and founder and president of the Institute of Operational Privacy Design, a non-profit organization of privacy professionals which seeks to define and drive the adoption of common and comprehensive standards to protect individuals' privacy. His knowledge and involvement reaches across the spectrum as an active member of the academic, engineering, legal and professional privacy communities and a pioneering voice in the development of privacy by design. Whether it is writing books, developing models and frameworks, or training companies and individuals alike, he is tirelessly advocating for privacy across the world.

BibTeX
@conference {290833,
author = {Nandita Rao Narla and R. Jason Cronk},
title = {Confirmation Bias in the Privacy Profession: Common Misreading of the {NIST} Privacy Framework},
year = {2023},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = sep
}

Presentation Video