The National Institute of Standards and Technology (NIST) has announced it is developing a framework to guide organization on how they can protect the personal information of customers and manage risk. Housed in the US Department of Commerce, the non-regulatory federal agency is responsible for setting scientific standards that enhance security and improve quality of life.
The NIST will begin gathering public feedback for the effort with a public workshop scheduled for October 16 in Austin, Texas. The workshop will be held alongside the International Association of Privacy Professionals' "Privacy.Security.Risk.2018" conference. It will be the first in a series of workshops organized to gather current practices, challenges and needs to manage privacy risks beyond general cybersecurity practices.
“Consumers’ privacy expectations are evolving at the same time that there are multiplying visions inside and outside the U.S. about how to address privacy challenges,” Lefkovitz said in a statement. “NIST’s goal is to develop a framework that will bridge the gaps between privacy professionals and senior executives so that organizations can respond effectively to these challenges without stifling innovation.”
The new guidance will go beyond basic cyber hygiene and security practices to help organizations manage privacy risk and protect individuals' personal information.
"While good cybersecurity practices
help manage privacy risk by
protecting people’s information,
privacy risks also can arise from how
organizations collect, store, use, and
share this information to meet their
mission or business objective, as
well as how individuals interact with
products and services," an NIST factsheet on the project reads. "NIST aims to collaboratively develop the Privacy
Framework as a voluntary, enterprise-level tool
that could provide a catalog of privacy outcomes
and approaches to help organizations prioritize
strategies that create flexible and effective
privacy protection solutions, and enable
individuals to enjoy the benefits of innovative
technologies with greater confidence and trust."
The initiative comes amid rising concerns over user privacy and security following the Facebook-Cambridge Analytica scandal. It also comes amid the recent uptick in data breaches and leaks worldwide - both malicious and accidental - that have resulted in hundreds of millions of people's information compromised. The EU's recently enacted GDPR also aims to hold companies collecting, handling and storing personal information of EU residents responsible in the event of such breaches or leaks.
“We’ve had great success with broad adoption of the NIST Cybersecurity Framework, and we see this as providing complementary guidance for managing privacy risk,” Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan said. “The development of a privacy framework through an open process of stakeholder engagement is intended to deliver practical tools that allow continued U.S. innovation, together with stronger privacy protections.”