October Is National Cyber Security Awareness Month: NTIA Requests Comment on a Proposed Risk-Management Approach to Consumer Data Privacy
Welcome to October! October 2018 marks the 15th year of the observance of National Cyber Security Awareness Month, a joint effort of the U.S. Department of Homeland Security and the National Cyber Security Awareness Alliance. We’ll be keeping you updated on all things privacy and security throughout the month.
On September 26, 2018, the National Telecommunications and Information Administration (NTIA) published a request for comment (RFC) from the public on a proposed set of principles and goals that can underpin federal action to promote consumer privacy. NTIA notes that this RFC is operating in parallel to an effort by the National Institute of Standards and Technology (NIST) to develop a “voluntary risk-based Privacy Framework” for organizations, something NIST has previously done for cybersecurity. This RFC is also the latest in a line of privacy efforts by NTIA, including workshops, green papers, and other requests for comment, on topics ranging from facial recognition to big data to drones.
NTIA is clear that the goal of this RFC is not the creation of a statutory standard. Rather, “[t]hese comments will help to inform future Administration policy, actions, and engagement on consumer privacy.” The RFC characterizes NTIA’s approach as “outcome-based,” emphasizing flexibility and clarity, and focused on managing risk and the overall context in which a service operates and collects data. NTIA’s preference for an outcome-based approach reflects its view that “[b]eing overly prescriptive can result in compliance checklists that stymie innovative privacy solutions... [and] does not necessarily provide measurable privacy benefits.”
- Transparency. Organizations should move away from lengthy privacy policies by focusing on how the average user interacts with their product or service.
- Control. Users should have reasonable control over the collection, use, storage, and disclosure of their personal information. The controls offered by organizations should depend on context, including user expectations and data sensitivity.
- Reasonable Minimization. Organizations should take a risk management approach to reasonably minimize data collection, use, storage, and sharing.
- Security. Security measures should meet or exceed current consensus best practices, accounting for the level of risk associated with loss or improper access to personal data.
- Access and Correction. Users should have some ability to access the personal data they provide and to correct or delete that data.
- Risk Management. Users should expect organizations to work to manage or mitigate the risk of harmful uses or exposure of personal data.
- Accountability. Organizations should be accountable externally and should take steps to ensure that their vendors are likewise accountable.
The second part of NTIA’s proposed approach is “a set of high-level goals that describe the outlines of the ecosystem that should be created to provide those protections.” These include:
- Harmonize the Regulatory Landscape. Duplicative and contradictory privacy-related obligations should be avoided.
- Legal Clarity While Maintaining the Flexibility to Innovate. Clear privacy rules should provide legal clarity, but allow for a variety of methods to achieve consumer privacy and enable novel business models and technologies.
- Comprehensive Application. Any action addressing consumer privacy should apply to all private sector organizations that collect, store, use, or share personal data in activities that are not covered by sectoral laws.
- Employ a Risk and Outcome-based Approach. As has proven successful in approaches to cybersecurity, the approach to privacy regulation should be based on risk modeling and focused on creating user-centric outcomes.
- Interoperability. The government should seek to reduce friction placed on data flows by developing a regulatory landscape that is consistent with international norms and frameworks in which the U.S. participates.
- Incentivize Privacy Research. Privacy research will inform the development of standards frameworks, models, methodologies, tools, and products that enhance privacy.
- FTC Enforcement. With exceptions for certain sectoral laws, the FTC should be given the resources and statutory authority to enforce consumer privacy laws.
- Scalability. Government efforts to incentivize strong consumer privacy outcomes should be deployed in proportion to the scale and scope of the information an organization is handling.
The RFC asks generally for public comment on this approach, along with several specific related questions. For example, NTIA asks whether other principles and goals should be included and whether any of the terms used in the document require more precise definitions. One specific question highlighted in the RFC asks whether, to meet the goals laid out in the RFC, “changes need to be made with regard to the FTC’s resources, processes, and/or statutory authority.”
Comments are due October 26, 2018.