NIST Expects to Create Privacy Guidelines for Smaller Organizations

National Institute of Standards and Technology Director Walter Copan offered insights in how the agency’s privacy framework came together and its future.

The National Institute of Standards and Technology director shed light this week on how the agency shaped the first version of its privacy framework and plans to create more solutions, including a soon-to-come privacy guide to deliberately support small- and medium-sized businesses.

NIST launched the first version of its privacy framework in mid-January, after months of collaboration with people who hoped to eventually put the tool into practice. At a Center for Strategic and International Studies event in Washington Wednesday, Under Secretary of Commerce for Standards and Technology and NIST Director Walter Copan said that after years of development and following the initial rollout, the agency views itself “truly only at the beginning of [its] privacy framework journey.”

“Getting privacy right will underpin the use of technologies in the future, including [artificial intelligence] and biometrics, quantum computing, the internet of things, and personalized medicine—and these technologies all will be a big part of our future,” Copan said. “Getting privacy right means enjoying the benefits of innovative products while upholding our country's founding values.”

Data breaches and multiplying laws around privacy were very much in the news during the summer of 2018, and Copan said NIST “very quickly” began hearing from industry stakeholders who questioned whether the agency could create a tool similar to its much-used cybersecurity framework that could be applied to privacy. The following November, the agency launched a request for information on the matter, and according to Copan, the results were “absolutely essential” to the standards agency’s next steps. 

Respondents were direct about what the framework would need to encompass to meet their needs, Copan said. Though Congress has yet to pass a single preemptive law governing privacy across the nation, many organizations already have to comply with a range of internal policies and external regulations, so it was made clear early on that compatibility with existing standards was “extremely important.” Organizations also said they needed a framework that would not stifle innovation, would embrace an “outcome-focused approach,” and would support their aims to “build the kind of culture of awareness in security and privacy.”

“Likewise, multiple organizations told us very clearly—very forcefully in some cases—that they needed a flexible tool,” Copan said. “So as a result, the privacy framework is not a checklist of requirements. It's a tool to allow organizations to prioritize and design the most effective privacy solutions for their business environment and for their customers’ needs.”

NIST also heard that the tool needed to foster communication, and support organizations as they work with privacy, nonprivacy, cybersecurity and other professionals. “Find simple words,” Copan said. “Identify, govern, control, communicate, protect.” 

Like NIST’s cybersecurity framework, the final version of the privacy framework is broken up into three parts—and those five “simple” words Copan mentioned make up the set of privacy protection activities laid out in its Core. The other two sections include Profiles, which according to NIST “help determine which of the activities in the Core an organization should pursue to reach its goals most effectively,” as well as the Implementation Tiers, “which help optimize the resources dedicated to managing privacy risk.” The sections are meant to be flexible enough to be adapted by organizations of many sizes that can work through them in the way that best suits their needs. The framework also aims to enable those who use it to “continually reevaluate and adjust to new risks.”

“A tool is only as good as the results that it creates and our focus is on the outcomes ultimately that will be generated by the privacy framework. We want it to be an essential part of every organization’s toolkit for success in the United States and abroad,” Copan said. Though it’s meant to be continuously updated as society advances, the director said version 1.0 “has the potential to shape not just individual organizations, but to shape any approach to consumer privacy in [America] and internationally.”

Going forward, NIST aims to work directly with organizations to better understand how they are using the privacy-focused resources it provides, and to let that inform its next steps. The agency also created an online repository of related resources to support entities as they put the framework to use and an online collaboration space where users can suggest improvements, and it simultaneously released a companion roadmap alongside the framework that describes the key challenges to achieving privacy objectives. Copan announced at the event that NIST is also producing new supporting materials, including a new privacy guide with the explicit intent to help “small- and medium-sized businesses building privacy, as they seek to become the trusted big businesses of the future.”

“Over the next few months, we’ll be reaching out to these innovative smaller companies with their resource constraints understood to better have a sense of how the privacy framework can help enhance their work and their operations,” he said.

Following Copan’s talk, a panel of experts and industry stakeholders discussed the framework’s value, but repeatedly reiterated that entities are not required to comply, underscoring what they view as a dire need for Congress to pass overarching privacy legislation.

“If a company is a good company that wants to engage in good data practices, this tool will allow them to do a good job. If it’s a company that just wants to sort of check a box—or worse, maybe obscure practices that aren’t good—this is not a magic fix, it’s a voluntary process,” the Center for Democracy and Technology’s Interim Co-CEO and Vice President for Policy Chris Calabrese said. “At the end of the day, it’s not a substitute for a legislative approach or a regulatory approach, but it is a very useful supplement.”

General Manager for Microsoft’s Corporate Standards Group Jason Matusow and IBM’s Vice President for Ethics and Policy Michael Cronin also said their companies feel that the passage of comprehensive privacy legislation is necessary, particularly at this point in history, to help America’s business entities avoid confusing fragmentation. 

“Having the single law that deals with that would be a wonderful thing to do,” Cronin said. 
