NIST Proposes Privacy Framework to Help Make Sense of Global Privacy Regulations by Stephanie Hazlewood (Security Intelligence)

In October 2018, NIST, collaborating with public and private stakeholders, started drafting its privacy framework. The framework is intended to serve as a guide for chief information security officers (CISOs), chief privacy officers (CPOs) and other internal privacy stakeholders and is geared toward helping them improve their organizational privacy posture. Like the NIST Cybersecurity Framework introduced in 2014, organizations that choose to comply with the privacy framework can do so voluntarily.

It is expected that the framework will be presented in language that can be understood by both privacy and security professionals, as well as executives and other business stakeholders who may have no expertise in privacy, and that’s a very good thing. The roles of the CISO and CPO are evolving to have complementary concerns, which means they must work more closely together, especially when it comes to privacy and personal data protection. Technical professionals and legal professionals speak in very different language in their day-to-day lives, so when it comes to implementing an effective privacy program, everyone had better be speaking the same language to establish a common understanding of what needs to get done.

NIST has been working quickly. A request for information (RFI) to gather input and guide the development of the framework wrapped up in January, and the outline of the NIST Privacy Framework was drafted and shared in March.

This is a welcome move from NIST. I hope that information security and privacy officers embrace the framework. I also hope that the federal government issues strong privacy legislation, similar to the GDPR, that is congruent with the United State constitution. We, the people, need some relief form the wonton collection and leverage of personal information.

It’s Time for Action on Privacy, Says Apple’s CEO Tim Cook by an author (Time)

One of the biggest challenges in protecting privacy is that many of the violations are invisible. For example, you might have bought a product from an online retailer—something most of us have done. But what the retailer doesn’t tell you is that it then turned around and sold or transferred information about your purchase to a “data broker”—a company that exists purely to collect your information, package it and sell it to yet another buyer.

The trail disappears before you even know there is a trail. Right now, all of these secondary markets for your information exist in a shadow economy that’s largely unchecked—out of sight of consumers, regulators and lawmakers.

Let’s be clear: you never signed up for that. We think every user should have the chance to say, “Wait a minute. That’s my information that you’re selling, and I didn’t consent.”

Image from flickr.

Woot! Best thing I’ve read all month! I fully support this. The EU GDPR document was a not a riveting read but is a punch to the groin for data aggregators and brokers. And it put in place fines, 4% of revenue, for violations. We need similar legislation here.