NIST Releases Version 1.0 of Privacy Framework

Tool will help optimize beneficial uses of data while protecting individual privacy.

WASHINGTON — Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy. To help organizations keep this balance, the National Institute of Standards and Technology (NIST) is offering a new tool for managing privacy risk.

The agency has just released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. Developed from a draft version in collaboration with a range of stakeholders, the framework provides a useful set of privacy protection strategies for organizations that wish to improve their approach to using and protecting personal data. The publication also clarifies privacy risk management concepts and the relationship between the Privacy Framework and NIST’s Cybersecurity Framework.

“Privacy is more important than ever in today’s digital age,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan. “The strong support the Privacy Framework’s development has already received demonstrates the critical need for tools to help organizations build products and services providing real value, while protecting people’s privacy.”

Personal data includes information about specific individuals, such as their addresses or Social Security numbers, that a company might gather and use in the normal course of business. Because this data can be used to identify the people who provide it, an organization must frequently take action to ensure it is not misused in a way that could embarrass, endanger or compromise the customers.

The NIST Privacy Framework is not a law or regulation, but rather a voluntary tool that can help organizations manage privacy risk arising from their products and services, as well as demonstrate compliance with laws that may affect them, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). It helps organizations identify the privacy outcomes they want to achieve and then prioritize the actions needed to do so.

“What you’ll find in the framework are building blocks that can help you achieve your privacy goals, which may include laws your organization needs to follow,” said Naomi Lefkovitz, a senior privacy policy adviser at NIST and leader of the framework effort. “If you want to consider how to increase customer trust through more privacy-protective products or services, the framework can help you do that. But we designed it to be agnostic to any law, so it can assist you no matter what your goals are.”

Privacy as a basic right in the USA has roots in the U.S. Constitution, but its application in the digital age is still evolving, in part because technology itself is changing at a rapidly accelerating pace. New uses for data pop up regularly, especially in the context of the internet of things and artificial intelligence, which together promise to gather and analyze patterns in the real world that previously have gone unrecognized. With these opportunities come new risks.

“A class of personal data that we consider to be of low value today may have a whole new use in a couple of years,” Lefkovitz said, “or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit. That’s why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks.”

The Privacy Framework 1.0 has an overarching structure modeled on that of the widely used NIST Cybersecurity Framework, and the two frameworks are designed to be complementary and also updated over time. Privacy and security are related but distinct concepts, Lefkovitz said, and merely adopting a good security posture does not necessarily mean that an organization is addressing all its privacy needs.

As with its draft version, the Privacy Framework centers on three sections: the Core, which offers a set of privacy protection activities; the Profiles, which help determine which of the activities in the Core an organization should pursue to reach its goals most effectively; and the Implementation Tiers, which help optimize the resources dedicated to managing privacy risk.

The NIST authors plan to continue building on their work to benefit the framework’s users. Digital privacy risk management is a comparatively new concept, and Lefkovitz said they received many requests for clarification about the nature of privacy risk, as well as for additional supporting resources.

“People continue to yearn for more guidance on how to do privacy risk management,” she said. “We have released a companion roadmap for the framework to point the way toward more research to address current privacy challenges, and we are building a repository of guidance resources to support implementation of the framework. We hope the community of users will contribute to it to advance privacy for the good of all.”

Source: NIST


Advisory Outlining New Data Privacy Rights Issued for California Consumers


SACRAMENTO – California Attorney General Xavier Becerra has issued an advisory for consumers highlighting their new rights under the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. The advisory describes consumers’ basic privacy rights under the CCPA and the methods by which consumers can exercise those rights, information about the data broker registry, and new guidelines related to data security. Enforcement of the CCPA is the responsibility of the Office of the Attorney General.

“Knowledge is power, and in today’s world knowledge is derived from data. When it comes to your own data, you should be in control,” said Attorney General Becerra. “In California we are rebalancing the power dynamic by putting power back in the hands of consumers. I encourage all Californians to take a moment to understand their new rights and exercise these rights to take control of their personal data.”

CCPA grants new rights to California consumers

  • Right to know — Consumers may request that businesses disclose what personal information is collected, used, shared or sold by the business, both by category and as specific pieces of information;
  • Right to delete — Consumers may request that a business delete the consumer’s personal information held by the business and, by extension, by the business’s service providers;
  • Right to opt-out — Consumers may direct a business to cease the sale of the consumer’s personal information. As required by the law, businesses must provide a “Do Not Sell” link on their websites or mobile apps;
  • Rights for minors regarding opt-in consent — Children under the age of 16 must provide opt-in consent before their personal information is sold, with a parent or guardian consenting for children under 13; and
  • Right to non-discrimination — Businesses may not discriminate against consumers in terms of price or service when a consumer exercises a privacy right under the CCPA.

Businesses subject to CCPA

Not all California businesses are subject to the CCPA. A business is subject to the CCPA if it meets any one of the following thresholds:

  • Has gross annual revenue in excess of $25 million;
  • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; or
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

In addition, under the Attorney General’s draft regulations, businesses that handle the personal information of more than four million consumers will have additional record-keeping obligations.

Data Broker Registry 

As required by California Civil Code section 1798.99.80, a data broker must register with the Attorney General at https://www.oag.ca.gov/data-broker/register. The law mandates that a data broker shall pay a registration fee and provide information including primary physical, email, and internet website addresses, as well as any additional information or explanation the data broker chooses to provide concerning its data collection practices. The registry is accessible to consumers.

Consumers’ private right of action in the case of a data breach 

Businesses are required to implement and maintain reasonable security procedures and practices to protect consumers’ personal information. The CCPA authorizes a consumer to bring a civil action if their personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Civil Code section 1798.81.5, is subject to an unauthorized breach as a result of a business’s failure to reasonably secure that data.

Consumers were able to begin exercising the rights listed above on January 1, 2020. Under Civil Code sections 1798.100 – 1798.199, businesses subject to the CCPA were required to begin complying with the law on that same date.

Consumer complaints may be reported at oag.ca.gov/report or by calling (800) 952-5225. A fact sheet on the CCPA and the draft regulations proposed by Attorney General Becerra are available at oag.ca.gov/ccpa.


Tech juggernauts are returning to Capitol Hill for a new round of hearings

WASHINGTON — Now under attack by POTUS, meet the new wolves of ‘K Street’.

Ahead of tech executives from Facebook, Google, and Twitter heading to more hearings in front of the U.S. Senate, in this video Loup Ventures’ Gene Munster discusses what he expects to hear from these powerful companies.

“Here’s the CODE…”

What are their new agenda items, hidden or otherwise? Legacy policies have eroded, our data and privacy are next to non-existent, and artificial intelligence (AI), social media, and search engine optimization (SEO) algorithms (“algos”) matter; regulation is inevitable.

M&A: A merger or an acquisition? How soon could artificial intelligence and machine learning subsume legislative processes and ‘become one’ with federal, state, and local lawmakers, once governing bodies can no longer fully embrace software-defined ecosystems, keep up with cybersecurity challenges, or keep pace with new technologies? ‘Swiping left’ or ‘swiping right’ on proposals, bills, and votes in near real time is a distinct possibility with human-in-the-loop machine learning.

Bail-Out: Oversight committee and regulatory scrutiny of discriminatory algorithms, pleas for open source software, and mandates for transparency of pseudo-code or source code will not bode well for search engine and social media business models.

When industry’s “secret sauce” no longer remains secret or immune from new laws and regulations, lobbyists, stakeholders and shareholders will respectfully request alternative value propositions from lawmakers and appropriators so that powerful applications and algorithms can preserve industrial dominance across all industry sectors.

Powerful trends toward digital transformation, end-user empowerment, and global policies such as the European Union’s (EU) General Data Protection Regulation (GDPR) are just the beginning.

— Sources: CNBC and BDPA Washington
