The National Institute of Standards and Technology publishes security risk management standards and guidance that apply to public entities but have been influential throughout the private sector.  Now, NIST is looking to provide similar guidance on privacy risk management, holding its Second Privacy Engineering Workshop earlier this week to consider draft privacy engineering definitions and concepts. 

NIST has said that its work is “focused on providing guidance to developers and designers of information systems that handle personal information,” with the expectation that such guidance “may be used to decrease risks related to privacy harms, and to make purposeful decisions about resource allocation and the effective implementation of controls.”   According to the IAPP’s Privacy Advisor, this week’s workshop focused on defining terms, including “privacy engineering” and “problematic data actions,” and a theme that emerged was the difficulty in creating a “black-and-white standards framework” for privacy. 

NIST’s security standards are built around the objectives of Confidentiality, Integrity and Availability, and NIST has proposed that its privacy engineering standards similarly rest on a set of design objectives. It proposes the following three:

  • Predictability, or enabling reliable assumptions about the rationale for collecting personal information and the data actions to be taken with personal information.
  • Manageability, or providing the capability for authorized modification of personal information, including alteration, deletion, or selective disclosure of personal information.
  • Confidentiality, or preserving authorized restrictions on information access and disclosure. (NIST has said it would use the same definition of Confidentiality as is given in NIST Special Publication 800-53 Revision 4.)

The public comment period for the NIST Privacy Engineering Objectives and Risk Model Discussion Draft has been extended until October 10.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”