NIST developing 'voluntary privacy framework' to help organizations protect customer information

• The new guidance will go beyond basic cyber hygiene and security practices to help organizations manage privacy risk and protect individuals' data.
• The initiative comes amid rising concerns over user privacy and security following the Facebook-Cambridge Analytica scandal and uptick in security breaches and leaks.

The National Institute of Standards and Technology (NIST) has announced it is developing a framework to guide organization on how they can protect the personal information of customers and manage risk. Housed in the US Department of Commerce, the non-regulatory federal agency is responsible for setting scientific standards that enhance security and improve quality of life.

The NIST will begin gathering public feedback for the effort with a public workshop scheduled for October 16 in Austin, Texas. The workshop will be held alongside the International Association of Privacy Professionals' "Privacy.Security.Risk.2018" conference. It will be the first in a series of workshops organized to gather current practices, challenges and needs to manage privacy risks beyond general cybersecurity practices.

NIST Senior Privacy Policy Advisor and lead for the project, Naomi Lefkovitz said these workshops and outreach efforts will help them "gather the best ideas from many stakeholders so that the privacy framework tool we develop is useful and effective for a wide range of organizations.”

“Consumers’ privacy expectations are evolving at the same time that there are multiplying visions inside and outside the U.S. about how to address privacy challenges,” Lefkovitz said in a statement. “NIST’s goal is to develop a framework that will bridge the gaps between privacy professionals and senior executives so that organizations can respond effectively to these challenges without stifling innovation.”

The new guidance will go beyond basic cyber hygiene and security practices to help organizations manage privacy risk and protect individuals' personal information.

"While good cybersecurity practices help manage privacy risk by protecting people’s information, privacy risks also can arise from how organizations collect, store, use, and share this information to meet their mission or business objective, as well as how individuals interact with products and services," an NIST factsheet on the project reads. "NIST aims to collaboratively develop the Privacy Framework as a voluntary, enterprise-level tool that could provide a catalog of privacy outcomes and approaches to help organizations prioritize strategies that create flexible and effective privacy protection solutions, and enable individuals to enjoy the benefits of innovative technologies with greater confidence and trust."

The initiative comes amid rising concerns over user privacy and security following the Facebook-Cambridge Analytica scandal. It also comes amid the recent uptick in data breaches and leaks worldwide - both malicious and accidental - that have resulted in hundreds of millions of people's information compromised. The EU's recently enacted GDPR also aims to hold companies collecting, handling and storing personal information of EU residents responsible in the event of such breaches or leaks.

“We’ve had great success with broad adoption of the NIST Cybersecurity Framework, and we see this as providing complementary guidance for managing privacy risk,” Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan said. “The development of a privacy framework through an open process of stakeholder engagement is intended to deliver practical tools that allow continued U.S. innovation, together with stronger privacy protections.”