NIST launches data privacy initiative in midst of cyber metamorphosis


Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Naomi Lefkovitz, NIST

The National Institute of Standards and Technology is spearheading an initiative to help agencies and organizations fill in the holes when it comes to implementation of data privacy protections. A voluntary framework is being developed to provide the tools to do just that.

As technology continues to evolve, protecting complex networks that may hold detailed data about individuals is getting more difficult. However, the benefits of modern IT in many ways outweigh the risks. By developing a system to help organizations prioritize their data strategies, NIST wants individuals to be able to have more confidence and trust in the government, institutions they work for and programs they use on a daily basis.

Agencies and lawmakers have placed more emphasis on privacy in recent years. But there is a difference between a policy and actual implementation into systems and services, said Naomi Lefkovitz, NIST senior privacy policy advisor and program manager.

“There’s been a gap in that area,” Lefkovitz said on Federal Drive with Tom Temin. “For example, in cybersecurity there is a very robust body of work in terms of guidance and standards and tools that help organizations move from cybersecurity law and policy to implementation in their systems. What we’re trying to do is fill that same gap for privacy.”

Workshops

Organizations need the access to tools to better address the full scope of privacy risk, but what’s in their toolbox is likely to differ depending on domain. As digital systems become more sophisticated and personalized, having the right tools to ensure security becomes more critical.

Advertisement
This is one reason why NIST has invited industry and government to join in the development process through a year-long series of workshops.

“We want to develop a tool that organizations want to use and so it has to be valuable to them, and be helpful … so they really need to have input into what it looks like,” Lefkowitz said. “It should be able to be a good communication tool.”

The workshops will explore what experts on panels think the framework should consist of, including risk management policies. Anyone involved in privacy or risk management — or who are interested in understanding what goes into it — is invited to join in on the conversation, she said.

Lefkovitz said the team is still in the early stages of the process, and is not necessarily sure what the framework will look like. She did say, however, that NIST is heavily leaning on a risk-based, outcome based framework.

“We don’t want to prescribe exactly how organizations should develop privacy protection. Rather, if we set the outcomes, then that allows organizations to figure out the best way to get to that outcome,” she said. “That allows for innovation and not just innovation in products and services, but innovation in types of privacy solutions.”

NIST does understand that there is more than one way to manage privacy risk, she said.

Risk management

In September, Lefkovitz moderated a Brookings Institution panel of experts focused on the privacy framework and an industry-wide shift to more of a risk-management approach to privacy and security.

One panelist, Jenn Behrens, partner and executive vice president at KUMA, said she has yet to find an overarching framework for privacy risk management that she can confidently use for all of her projects. Instead, she finds herself compiling and “hodge-podging” different tools together to fit the needs of her clients — and she said she looks forward to having a mature model going  forward.

“I’m very excited to see this work effort coming out of NIST, to be able to support the risk management within organizations that are trying to put more meaning behind just a policy statement or just saying we do privacy,” Behrens said.

There will always be a new frontier to explore when it comes to privacy. There’s always a new technology and a new way of using data. But how can an organization provide a risk-based lens when it comes to developing programs and tools with privacy in mind?

“I think this is a great vehicle that NIST is building in order to help organizations of all types figure out how to negotiate risk as well as organizational business decisions that’s grounded in some semblance of a cohesive framework,” Behrens said. “I am really excited to see this move forward.”

Next steps

It all starts with the organization’s first data privacy public workshop on Oct. 16. Lefkowitz said the guest-list is full and on a waitlist, but a public Q&A webinar is scheduled around November.

The public will have a chance to comment on the framework when a full draft is released.