On September 4, 2018, the Department of Commerce’s National Institute of Standards and Technology (“NIST”) announced a collaborative project to develop a voluntary privacy framework to help organizations manage privacy risk. The announcement states that the effort is motivated by innovative new technologies, such as the Internet of Things and artificial intelligence, as well as the increasing complexity of network environments and detail of user data, which make protecting individuals’ privacy more difficult. “We’ve had great success with broad adoption of the NIST Cybersecurity Framework, and we see this as providing complementary guidance for managing privacy risk,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan. Continue Reading NIST Launches Privacy Framework Effort
On January 4, 2017, the National Institute of Standards and Technology (“NIST”) announced the final release of NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems. NISTIR 8062 describes the concept of applying systems engineering practices to privacy and sets forth a model for conducting privacy risk assessments on federal systems. According to the NIST, NISTIR 8062 “hardens the way we treat privacy, moving us one step closer to making privacy more science than art.” Continue Reading NIST Releases Privacy Engineering and Risk Management Guidance for Federal Agencies
On September 15-16, 2014, the National Institute of Standards and Technology (“NIST”) will sponsor a workshop to further its Privacy Engineering initiative. The workshop will focus on developing draft privacy engineering definitions and concepts that will be explored in a forthcoming NIST report.
On December 12, 2013, Fred H. Cate, Senior Policy Advisor in the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”), submitted comments in response to the National Institute of Standards and Technology’s (“NIST’s”) Preliminary Cybersecurity Framework (the “Preliminary Framework”). On October 22, NIST issued the Preliminary Framework, as required by the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (“Executive Order”), and solicited comments on the Framework. The Preliminary Framework includes standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks.
On November 15, 2013, the U.S. Government Accountability Office (“GAO”) released a report (the “Report”) finding that the current federal statutory privacy scheme contains “gaps” and “does not fully reflect” the Fair Information Practice Principles (“FIPPs”). The Report focused primarily on companies that gather and resell consumer personal information, and on the use of consumer personal information for marketing purposes.
On February 28, 2013, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) announced the release of “Big Data and Analytics: Seeking Foundations for Effective Privacy Guidance,” a paper intended to help organizations and policymakers develop a governance framework for using analytics in a way that protects privacy and promotes innovation. The paper, which is the product of an industry-sponsored initiative led by the Centre, suggests a two-phase approach that separates how organizations discover what data can reveal from how those insights are applied to knowledge development and decisionmaking. This approach lays the foundation for workable, effective governance.
On December 12, 2012, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) released an accountability self-assessment tool designed to help organizations evaluate their internal privacy programs and practices. The tool is the product of the Global Accountability Project for which the Centre serves as Secretariat.
On August 15, 2012, Philippines President Benigno S. Aquino III signed the Data Privacy Act of 2012 passed earlier this year by the Philippine Senate and House of Representatives. Concerns about the creation of the National Privacy Commission and the criminal penalties associated with the Act delayed final enactment.
On August 8, 2012, the Federal Trade Commission settled with HireRight Solutions, Inc. (“HireRight”) for failure to comply with certain Fair Credit Reporting Act (“FCRA”) requirements. At first blush, the case may appear to be a simple FCRA matter – the FTC alleged that HireRight functioned as a consumer reporting agency when providing employment screening services to companies, but then failed to take steps to assure the accuracy of those reports and prevented consumers from dispute inaccurate information. Despite initial appearances, however, the case has broader geopolitical implications.
- transparent privacy and data security practices;
- expect that companies will collect, use and disclose data in a manner consistent with the context in which it was collected;
- have their data handled in a secure manner;
- access and correct personal data;
- set reasonable limits on the personal data that companies collect and retain; and
- have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.