{"id":15424,"date":"2019-05-29T11:10:08","date_gmt":"2019-05-29T19:10:08","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/05\/29\/news-9173\/"},"modified":"2019-05-29T11:10:08","modified_gmt":"2019-05-29T19:10:08","slug":"news-9173","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/05\/29\/news-9173\/","title":{"rendered":"NIST’s privacy framework lets privacy tell its own story"},"content":{"rendered":"

Credit to Author: David Ruiz| Date: Wed, 29 May 2019 18:51:40 +0000<\/strong><\/p>\n

Online privacy remains unsolved. Congress prods at it<\/a>, some companies fumble with it<\/a> (while a small handful excel), and the public demands it<\/a>. But one government agency is trying to bring everyone together to fix it.<\/p>\n

As the Senate sits on no fewer than four data privacy bills that their own members wrote\u2014with no plans to vote on any\u2014and as the world\u2019s largest social media company braces for an anticipated multibillion-dollar privacy blunder<\/a>, the US National Institute of Standards and Technology (NIST) has published what it calls a \u201cprivacy framework\u201d draft. <\/p>\n

Non-binding, unenforceable, and entirely voluntary to adopt, the NIST privacy framework draft serves mainly as a roadmap. Any and all companies, organizations, startups, and agencies can look to it for advice in managing the privacy risks of their users. <\/p>\n

The framework draft offers dozens of actions that a company can take on to investigate, mitigate, and communicate its privacy risks, both to users and executives within the company. Nearly no operational idea is left unturned. <\/p>\n

Have a series of third-party vendors in a large supply chain? The NIST framework has a couple of ideas on how to secure that. What about countless employees with just as many logins and passwords? The framework considers that, too. Ever pondered the enormous meaning of \u201cdata security\u201d for your company? The NIST framework has a couple of entry points for how to protect data at rest and in transit. <\/p>\n

Though wrought in government-speak and at times indecipherable nomenclature (suggested company actions are called \u201csubcategories\u201d), the 37-page privacy framework, according to one of its authors, has a simple and equally elegant purpose: It could finally let privacy tell its own story. <\/p>\n

\u201cTo date, security [professionals] are telling a dramatic story. \u2018We had these threats. Look what happened to these companies here,\u2019\u201d said NIST Senior Privacy Policy Advisor Naomi Lefkovitz. \u201cBut privacy [professionals] are over here saying \u2018Privacy is a very important value,\u2019 which is true, but it\u2019s not quite as compelling when resources are being allocated.\u201d<\/p>\n

Lefkovitz continued: \u201cWe want privacy to be able to tell an equally compelling story.\u201d<\/p>\n

If successful, the NIST privacy framework could improve user privacy within organizations across the United States. It could better equip privacy officers to convince their companies to bulk up internal controls. And it could create an agreed-upon direction for privacy. <\/p>\n

There are, of course, obstacles. A voluntary framework is only as successful as it is attractive\u2014overly ambitious guidelines could turn the framework into a dud, tossed aside by the companies that handle the most user data. <\/p>\n

Also, the framework should work in coordination with current data protection laws, rather than trying to overwrite those laws\u2019 requirements. For example, as companies have built up their internal controls to comply with the European Union\u2019s sweeping data protection law, the General Data Protection Regulation<\/a>, a new approach to privacy could be seen as time-consuming, costly, and unnecessary. <\/p>\n

Despite the potential roadblocks, NIST has been here before. Six years ago, the government agency was tasked with making a separate framework\u2014one for cybersecurity. <\/p>\n

The NIST cybersecurity framework<\/h3>\n

In 2013, through Executive Order 13636<\/a>, President Barack Obama asked NIST to develop a strategy on securing the nation\u2019s critical infrastructure from cyberattacks. This strategy, or framework, would include \u201cstandards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.\u201d It would be voluntary, flexible, repeatable, and cost-effective for organizations to take on. <\/p>\n

On February 12, 2014, NIST published the first version of its cybersecurity framework. The framework\u2019s so-called \u201ccore\u201d includes five functions that a company can take on to manage cybersecurity risks. Those functions are:<\/p>\n