NIST to Finalize Privacy Framework Soon
Agency Now Accepting Comments on Latest Draft
The National Institute of Standards and Technology expects to release its much anticipated privacy framework by year’s end.
NIST recently released an updated draft and is accepting comments through Oct. 24. It anticipates finalizing version 1.0 this year, a NIST spokesperson confirms.
One of the more significant changes in the latest version of the framework is additional flexibility for users to decide how they want to approach data and customer privacy outcomes, says Naomi Lefkovitz, a NIST senior privacy adviser.
For instance, some organizations may want to use cryptography to protect data, while others may choose de-identification techniques that help limit inferences that can be made from online behavior, according to NIST. The agency is also looking for feedback regarding how newer technologies, such as internet of things devices and artificial intelligence, are altering notions of privacy and how data is collected and protected.
The updated draft also looks to align some aspects of the privacy framework with the NIST Cybersecurity Framework - the recommended guideline used by federal agency heads to manage cybersecurity risks that’s also used by many private-sector organizations.
"Our goal was to deliver a tool that could help organizations communicate better about privacy risks when designing and deploying products and services, provide more effective solutions that can lead to better privacy outcomes and facilitate compliance with their legal obligations," Lefkovitz says.
Prelude to Privacy Law?
While adoption of the NIST Privacy Framework will be voluntary, some security and privacy experts say that the guidelines could set the stage for national privacy legislation - a U.S. version of the European Union's General Data Privacy Regulation - that could supersede state laws that have tried to fill the void, such as the California Consumer Privacy Act or the New York State SHIELD Act.
"This is hugely significant because this is a privacy framework intended for a U.S. or a global audience," says Caitlin Fennessy, a senior privacy fellow at the International Association of Privacy Professionals, who previously worked on privacy issues for the U.S. Department of Commerce, the parent agency of NIST.
"As we look to potential federal legislation, we have to understand that NIST chose to write this in terms of privacy controls, so it gets a lot closer to privacy engineering. … And NIST has focused on translating privacy principles into operational principles," Fennessy tells Information Security Media Group. "So from my perspective, if and when we get to federal legislation, we can focus on getting those privacy principles to an operational level."
The NIST Privacy Framework draft has three parts:
- The “core” section is designed to help organizations enable a dialogue that includes CISOs and their security teams; the other parts of an organization's leadership; and those working in the trenches, such as the engineers and designers who are developing products and services. The goal is to ensure that privacy protections are built into all levels of an organization, including the products and services offered to the public.
- The “profiles” section is designed to help organizations prioritize outcomes. It also looks to ensure that an organization's privacy and business needs, along with risks, are considered.
- The “implementation tiers” section is designed to support decision making and communication to ensure privacy goals are met and the resources are in place to manage data privacy and risk.
"The privacy framework is intended to help organizations build better privacy foundations by bringing privacy risk into parity with their broader enterprise risk portfolio," according to the latest draft.
One of the biggest changes in the latest version of the draft is the “core” section, which overlaps with NIST's Cybersecurity Framework.
Lefkovitz notes that many of those offering feedback to NIST on an earlier draft wanted more flexibility within the core section so that their organizations could decide how many of the recommendations to follow.
"They told us that we should design the core to meet organizations where they are today and provide the flexibility to allow them to 'choose their own adventure' when it comes to using both frameworks," Lefkovitz says.
Fennessy of IAPP notes that how organizations see the core section fitting into their plans largely depends on how well their cybersecurity and privacy teams work together as well as the maturity of an organization's privacy protection plans. Less mature organizations might want to adopt more of the framework, while others may pick and choose, she says.
One major question about NIST’s proposed privacy framework is whether private businesses and government agencies will adopt it as broadly as they have adopted the Cybersecurity Framework.
Fennessy predicts that the new privacy framework will be widely implemented by government agencies as well as the tech industry.
"The tech industry is … paying close attention to privacy issues these days, including the enforcement that we are seeing in that space," she says.
One of those big tech companies - IBM - has already signaled its support for this type of framework.
Banking Sector's Perspective
A spokesperson for the American Bankers Association tells ISMG that the organization is tracking the framework development for its members. Earlier this year, the ABA, along with the Bank Policy Institute and the Securities Industry and Financial Markets Association, wrote a letter to NIST offering feedback and suggestions, noting that many financial institutions already have these types of privacy controls in place.
"The creation of a framework should leverage the expertise and experience of more mature sectors to help improve privacy outcomes across all sectors of the economy," the letter stated. "The framework will help sectors that are presently subject to minimal privacy requirements to develop more mature and robust frameworks for managing privacy risk."
Whether industries and government agencies adopt all or part of the NIST Privacy Framework, it’s important to have a common language and standards for protecting data, says Chris Pierson, CEO of the cybersecurity company BlackCloak.
"More than a rule set, this framework enables organizations to think about and communicate privacy through a common lens of verbiage, policies and governance objectives that ultimately embark trust to the end customer," Pierson tells ISMG.
"For many years, privacy by design has been a mantra of the private sector for including privacy - and security - in the prioritization of new projects within organizations," he says. "This framework takes privacy by design to the next level by implementing common and measurable standards that can allow for the design and improvement of privacy programs throughout an organization, much like the NIST Cybersecurity Framework." (See: 'Privacy by Design': Building Better Apps)