The Commodity Futures Trading Commission announced it will become the first federal agency to adopt the recently released privacy framework from the National Institute of Standards and Technology (NIST). The framework is a voluntary tool designed to improve privacy through enterprise risk management. The CFTC will integrate the framework into its enterprise risk portfolio and use it to better manage and communicate privacy risk throughout the agency.
“I am proud the CFTC is taking the lead by becoming the first federal agency to adopt the NIST Privacy Framework,” said CFTC Chairman Heath P. Tarbert. “Adopting this framework will put us on the cutting edge of data privacy protection.”
NIST is a physical science laboratory housed within the U.S. Department of Commerce that promotes U.S. innovation and industrial competitiveness by advancing standards and technology at both government and private organizations. It’s cybersecurity framework, first issued in 2014, has become the de facto cybersecurity standard among many companies.
A New Privacy Framework
NIST issued Version 1.0 of its Privacy Framework earlier this month. In a statement NIST said the framework, “provides a useful set of privacy protection strategies for organizations that wish to improve their approach to using and protecting personal data.” The publication also provides clarification about privacy risk management concepts and the relationship between the Privacy Framework and NIST’s Cybersecurity Framework.
“Privacy is more important than ever in today’s digital age,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan. “The strong support the Privacy Framework’s development has already received demonstrates the critical need for tools to help organizations build products and services providing real value, while protecting people’s privacy.”
Personal data includes information about specific individuals, such as their addresses or Social Security numbers, that a company might gather and use in the normal course of business. Because this data can be used to identify the people who provide it, an organization must frequently take action to ensure it is not misused in a way that could embarrass, endanger or compromise the customers.
The NIST Privacy Framework is not a law or regulation, but rather a voluntary tool that can help organizations manage privacy risk arising from their products and services, as well as demonstrate compliance with laws that may affect them, such as the California Consumer Privacy Act and the European Union’s General Data Protection Regulation. It helps organizations identify the privacy outcomes they want to achieve and then prioritize the actions needed to do so. 