NIST Expects to Create Privacy Guidelines for Smaller Organizations

The National Institute of Standards and Technology director shed light this week on how the agency shaped the first version of its privacy framework and plans to create more solutions, including a soon-to-come privacy guide to deliberately support small- and medium-sized businesses.

NIST launched the first version of its privacy framework in mid-January, after months of collaboration with people who hoped to eventually put the tool into practice. At a Center for Strategic and International Studies event in Washington Wednesday, Under Secretary of Commerce for Standards and Technology and NIST Director Walter Copan said after years of development and following the initial rollout, the agency views itself “truly only at the beginning of [it’s] privacy framework journey.” 

“Getting privacy right will underpin the use of technologies in the future, including [artificial intelligence] and biometrics, quantum computing, the internet of things, and personalized medicine—and these technologies all will be a big part of our future,” Copan said. “Getting privacy right means enjoying the benefits of innovative products while upholding our country's founding values.”

Data breaches and multiplying laws around privacy were very much in the news during the summer of 2018, and Copan said NIST “very quickly” began hearing from industry stakeholders who questioned whether the agency could create a tool similar to its much-used cybersecurity framework that could be applied to privacy. The following November, the agency launched a request for information on the matter, and according to Copan, the results were “absolutely essential” to the standards agency’s next steps. 

Responders were direct regarding what the framework would need to encompass to meet their needs, Copan said. Though Congress has yet to pass one preemptive law governing privacy across the nation, many organizations already have to comply with a range of internal policies and external regulations, so it was made clear early on that compatibility with all existing standards was “extremely important.” Organizations also said they needed the framework that would not stifle innovation, would embrace an “outcome-focused approach,” and would support their aims to “build the kind of culture of awareness in security and privacy.”

“Likewise, multiple organizations told us very clearly—very forcefully in some cases—that they needed a flexible tool,” Copan said. “So as a result, the privacy framework is not a checklist of requirements. It's a tool to allow organizations prioritize and design the most effective privacy solutions for their business environment and for their customers’ needs.”

NIST also heard that the tool needed to foster communication, and support organizations as they work with privacy, nonprivacy, cybersecurity and other professionals. “Find simple words,” Copan said. “Identify, govern, control, communicate, protect.” 

Like NIST’s cybersecurity framework, the final version of the privacy framework is broken up into three parts—and those five “simple” words Copan mentioned make up the set of privacy protection activities laid out in its Core. The other two sections include Profiles, which according to NIST “help determine which of the activities in the Core an organization should pursue to reach its goals most effectively,” as well as the Implementation Tiers, “which help optimize the resources dedicated to managing privacy risk.” The sections are meant to be flexible enough to be adapted by organizations of many sizes that can work through them in the way that best suits their needs. The framework also aims to enable those who use it to “continually reevaluate and adjust to new risks.”

“A tool is only as good as the results that it creates and our focus is on the outcomes ultimately that will be generated by the privacy framework. We want it to be an essential part of every organization’s toolkit for success in the United States and abroad,” Copan said. Though it’s meant to be continuously updated as society advances, the director said version 1.0 “has the potential to shape not just individual organizations, but to shape any approach to consumer privacy in [America] and internationally.”

Going forward, NIST aims to work directly with organizations to better understand how they are using the privacy-focused resources it provides to inform its next steps. The agency also created an online repository of related resources to support entities as they put the framework to use, an online collaboration space where users can make suggestions for improvements, and it also simultaneously released a companion roadmap with the framework that describes the key challenges to achieving privacy objectives. Copan announced at the event that NIST is also producing new supporting materials, including a new privacy guide with the explicit intent to help “small- and medium-sized businesses building privacy, as they seek to become the trusted big businesses of the future.”

“Over the next few months, we’ll be reaching out to these innovative smaller companies with their resource constraints understood to better have a sense of how the privacy framework can help enhance their work and their operations,” he said.

Following Copan’s talk a panel of experts and industry stakeholders discussed the framework’s value, but repeatedly iterated that entities are not required to comply, warranting what they view as a dire need for Congress to pass overarching privacy legislation. 

“If a company is a good company that wants to engage in good data practices, this tool will allow them to do a good job. If it’s a company that just wants to sort of check a box—or worse, maybe obscure practices that aren’t good—this is not a magic fix, it’s a voluntary process,” the Center for Democracy and Technology’s Interim Co-CEO and Vice President for Policy Chris Calabrese said. “At the end of the day, it’s not a substitute for a legislative approach or a regulatory approach, but it is a very useful supplement.”

General Manager for Microsoft’s Corporate Standards Group Jason Matusow and IBM’s Vice President for Ethics and Policy Michael Cronin also said their companies feel that the passage of comprehensive privacy legislation is necessary, particularly at this point in history, to help America’s business entities avoid confusing fragmentation. 

“Having the single law that deals with that would be a wonderful thing to do,” Cronin said.