You have been hired as part of the legal team at a large U.S. retail organization with over 5,000 employees. The company specializes in the sale of consumer electronic products, including smart home devices (e.g., garage door openers, thermostats) and wearable devices, both within the U.S. and internationally.

Currently, the company is in the early stages of developing an application for these devices that will allow consumers to:

• Register their devices (for example, for warranty and product update purposes)
• View information about their usage history
• Enable a universal remote control for some of the smart-enabled consumer products in its portfolio (for example, opening and closing the garage door, dimming lights, adjusting the temperature on the thermostat, recording television shows etc.) ("Dashboard App")

The company has a formalized governance structure in place requiring stakeholder approvals before a product can be released to consumers. The key stakeholders involved in product development are: Senior Management, Product, Marketing, Legal (where the Chief Privacy Officer sits), Chief Information Officer (CIO), and Engineering.

The Product team, through a Product Manager, is responsible for gathering requirements from the various stakeholders and delivering the requirements to engineers who will then build capabilities that meet them.

The organization is required to implement and comply with a myriad of privacy laws and regulations both domestic and international. The challenge of navigating complex legal requirements is handled by the company legal department. There have been issues in the past where Engineering does not know how to translate legal requirements into system capabilities.

Senior Management sees immense value in offering consumers a product that enables convenience and remote access to their smart-enabled devices, but also recognizes the potential for privacy concerns, given what the application could possibly collect about their customers' behavior.

Accordingly, Senior Management has tasked you and your department with using the Privacy Framework on the Dashboard App as a test case, to see if they can develop apps in a way that both maximizes benefits to their customers and minimizes adverse consequences.

Additional Readings

• NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0
• NIST Privacy Framework Core (January 16, 2020)
• NIST, Roadmap for Advancing the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (January 16, 2020)

Assignment: Memorandum to Senior Management

• You have been asked to draft a memorandum to Senior Management, addressing the following three topics. Your memorandum should be based on the fact pattern and the NIST Privacy Framework.
  1. Using the NIST Privacy Framework, outline for Senior Management
     1. The company business/mission environment
     2. The company regulatory environment
     3. The company's enterprise risk tolerance
     4. The privacy risks engendered by its systems, products, or services
  2. The Legal team is accustomed to considering privacy from a compliance perspective. To help Senior Management understand privacy from a compliance perspective, please focus on the NISTGovern-P Function, in particular the Subcategory on identifying legal, regulatory, and contractual requirements relating to your company's privacy obligations.
  3. As senior management is not familiar with doing a risk assessment from the perspective of what types of problems the Dashboard App could create for individuals using it, please identify and explain at least two privacy concerns that may affect end users of the Dashboard App.