September 19, 2018 Practice Points

NIST Launches Voluntary Privacy Framework

By Leonard Wills

The National Institute of Standards and Technology (NIST) has begun a collaborative effort to develop a voluntary privacy framework to assist organizations with identifying and mitigating privacy risks and to protect consumer data. The privacy framework provides an enterprise-level approach for organizations to create strategies that prioritize privacy protections without compromising business needs. To accomplish this task, NIST will hold public workshops on the privacy framework at the International Association of Privacy Professionals’ Privacy. Security. Risk. 2018 conference in Austin, Texas on October 16, 2018.

“We’ve had great success with broad adoption of the NIST Cybersecurity Framework, and we see this as providing complementary guidance for managing privacy risk,” said Walter Copan, Undersecretary of Commerce for Standards and Technology and NIST Director.

Stakeholder engagement remains central to NIST as consumers’ privacy expectations continually evolve, and many perspectives exist on how best to manage those privacy challenges.

“The development of a privacy framework through an open process of stakeholder engagement is intended to deliver practical tools that allow continued U.S. innovation, together with stronger privacy protections,” said Copan.

Michelle Dennedy, chief privacy officer at Cisco, said, "When best practices around data protection and compliance are not strictly enforced, the risks of this data becoming a liability extends across all levels of the company, both financially and operationally."

Organizations can leverage privacy frameworks for guidance on industry best practices, which in turn supports a more robust privacy program. Such a program can lead to fewer data breaches and less exposure of data to unwanted parties and entities.

Organizations that neglect to implement best privacy practices—whether by leveraging a framework or other policy documents—expose themselves to adverse legal consequences. In FTC v. Eli Lilly, No. 012-3214 (2002), the commission charged that the pharmaceutical company failed to adequately protect consumer health information from exposure to unwanted parties: the company sent a mass email to its customers that listed hundreds of customer email addresses in the “To” field.

The FTC complaint stated that the company failed to provide appropriate training for employees regarding consumer privacy and information security. Additionally, it failed to implement appropriate checks and controls on the process, such as reviewing the computer program internally before sending out the email.

In the Matter of Microsoft Corp., No. 012-3240 (2002), the commission ordered Microsoft to establish a “comprehensive security program” and to conduct annual audits to assess its security practices.

The commission found that Microsoft falsely represented that (1) it employs reasonable and appropriate measures to maintain and protect the privacy and confidentiality of consumers’ personal information collected through its Passport and Passport Wallet services, (2) purchases made with Passport Wallet are generally safer or more secure than purchases made at the same site without Passport Wallet, and (3) Passport did not collect any personally identifiable information other than that described in its privacy policy.

For the next five years, Microsoft will make all documents related to its security practices and all compliance documents available to the FTC. This order remains in place until December 2022.

In each of these instances, the FTC charged that the organization failed to have a comprehensive privacy program, which resulted in privacy violations. These violations could have been avoided with a robust privacy program. For instance, such a program provides policy on employee privacy training, on how to secure and protect consumer data, and on how to meet the legal requirements associated with the collected data.

As privacy risks and technology continuously evolve, NIST seeks stakeholder engagement to gather many voices and thereby obtain varied and nuanced perspectives on privacy management. NIST recognizes that this strategy can produce a comprehensive privacy framework that better protects consumer data without compromising business needs. As with other NIST frameworks, this privacy framework leads the nation in the right direction toward cybersecurity and data protection resilience.
Leonard Wills is a presidential management fellow in Washington D.C.

Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).