On September 4, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced it has initiated a collaborative project to develop a voluntary privacy framework.
The framework is intended to help organizations manage the data privacy risks they are now exposed to more than ever thanks to new technologies. These technologies, such as artificial intelligence and the “Internet of Things” offer businesses new avenues to achieve increased growth and efficiency, but their use of detailed data and the complex environments in which they run pose a real challenge to data security.
The proposed privacy framework is significant for several reasons. First, the NIST cybersecurity framework issued a few years ago has had a significant impact on how cybersecurity is reviewed and measured and has been popular and influential with legislators and regulators.
Also, the proposal shows that NIST may have overcome some of the reluctance the agency previously felt about issuing standards for use beyond the government sector. Where NIST was previously required to issue the cybersecurity framework, the new privacy framework is the agency’s own initiative.
Finally, the privacy framework wades into an area that is more difficult to assess and measure than cybersecurity and around which there is considerably less consensus regarding norms and standards.
NIST will be gathering input from stakeholders with the goal of developing a framework that fits the expanding needs of many different organizations. To collect this input, NIST is holding a series of public workshops, with the first occurring on October 16 at the International Association of Privacy Professionals’ “Privacy. Security. Risk. 2018” conference in Austin, Texas.
Note: For anyone attending the IAPP conference, please join me at my Friday, October 19, session, “Right of Boom: Top Things You Do Not Want to Do in a Data Breach Response,” which I’m presenting with Dr. Chris Pierson, the founder & CEO of Binary Sun Cyber Risk Advisors. We will guide the audience through lessons from many public data breaches and explain what you should absolutely not do in the wake of a breach.
Jim Shreve is chair of Thompson Coburn's Cybersecurity group and holds CIPP/US and CIPT certifications from the International Association of Privacy Professionals.