Commerce Agencies Push for Light-Touch Approach to Data Privacy

With many Americans troubled by reports of widespread misuse of consumer data and social media manipulation, two Commerce Department agencies are leading efforts to restore trust in online services.

Both the National Institute of Standards and Technology (NIST) and the National Telecommunications and Information Administration (NTIA) launched initiatives in September to develop new consumer privacy guidelines for federal agencies and private companies.

NIST announced on Sept. 4 that it had begun work on a privacy “framework” consisting of standardized policies and protocols that organizations can adopt to reduce their risk of data misuse or disclosure without user consent. Like its popular Cybersecurity Framework (CSF), NIST’s privacy framework will be developed in collaboration with industry, and adoption will be voluntary.

For public and private sector organizations, observing best practices in cybersecurity is necessary but not sufficient to protect users’ privacy, NIST director Walter Copan told attendees at a Sept. 24 Brookings Institution forum.

“The intent of the new framework is to increase the effectiveness of privacy protections by enabling conscious, well-considered choices made by organizations based on their customers’ needs that are clearly communicated and understood,” said Copan. “The ultimate purpose of this effort is improved trust between businesses and their customers and between organizations and the public.”

In parallel, the NTIA, which serves as the president’s chief adviser on telecommunications policy, released a public request for comment on Sept. 25 calling for industry recommendations on “ways to advance consumer privacy while protecting prosperity and innovation.”

The request outlined several objectives – perhaps previewing a future national privacy policy – such as the harmonization of interstate regulations, incentives for privacy research and development, and governmental enforcement of standards, but also flexibility to meet federal requirements while balancing business needs.

‘The Days of the Wild, Wild West Are Over’

Several factors are driving the Commerce Department’s efforts to overhaul U.S. privacy standards. First, privacy issues are becoming more salient to the public. Just as data breaches at companies such as Target Corp. and Equifax Inc. brought cybersecurity to consumers’ attention, the 2018 data abuse scandal involving Facebook Inc. and the U.K.-based Cambridge Analytica as well as other reports of “weaponized” social media have prompted a closer look at the ways companies collect and use consumer personally identifiable information (PII).

“I think there is a high chance that people realize that the days of the wild, wild West are over, that there needs to be some guardrails,” said Sen. Mark Warner, ranking Democrat on the Senate Intelligence Committee, at a Sept. 13 conference on digital privacy.

Second, federal agencies themselves are facing heightened scrutiny to protect consumer privacy. As agencies push to expand the variety of services they provide online, they are collecting and storing an unprecedented amount of digital PII. The government began overhauling its privacy policies with the 2016 requirement that agencies apply the NIST Risk Management Framework, Special Publication (SP) 800-37 – known simply as the RMF – to manage privacy risks in addition to information security risks. NIST released a new draft of the RMF on Oct. 2, 2018, in large part to integrate privacy with existing information risk management processes.

Third, the U.S. government is facing increasing pressure to respond to a new set of privacy regulations, such as the European Union’s General Data Protection Regulation, or GDPR, and California’s 2018 data protection law, known as AB 375. These laws apply to any organization that collects and stores citizens’ PII and impose strict penalties for unauthorized disclosure of that data. Inconsistencies between state and federal laws and with European laws have created compliance headaches for businesses, leading to calls for common standards.

U.S. lawmakers have responded by considering an array of new data privacy laws, ranging from nonbinding standards to GDPR-like regulations. Executives from several technology companies, including Facebook, Twitter Inc., Alphabet Inc., AT&T Inc., and Apple Inc., testified before the Senate Commerce Committee on Sept. 26 to advocate self-regulation.

But it’s not just industry that prefers a light-touch approach. NIST director Copan expressed skepticism about sweeping regulatory efforts such as those seen in Europe and California, describing them as “unsustainable” despite being “driven by good intentions.”

“It’s too soon to tell how large an impact these regulations will ultimately have on products that require access to users’ data and whether there will be substantial, measurable improvement in desired privacy outcomes,” he said.

What’s Ahead

NIST will convene its first public workshop Oct. 16 in Austin, Texas, in conjunction with the International Association of Privacy Professionals. The workshop represents only the start of gathering input from industry and academia, a process that could take a year or more, Naomi Lefkowitz, NIST’s senior privacy policy adviser, told Bloomberg Government.

Comments on the NTIA’s request for comment are due Oct. 26.

These developments suggest that U.S. privacy policies will become more tightly integrated with existing enterprise risk management policies, as cybersecurity was only a few years ago. Just as federal contractors are now required to meet baseline cybersecurity standards to be considered for contracts, they should prepare to meet data privacy baselines as well.

For government technology leaders, privacy risk management is already required as part of the RMF. Meanwhile, agencies like NIST are continually rolling out new tools and guidance to help agencies modernize and deliver new services while safeguarding citizens’ privacy.

The post Commerce Agencies Push for Light-Touch Approach to Data Privacy appeared first on Bloomberg Government.