SIFMA, BPI and ABA Provide Recommendations to NIST on Draft Privacy Framework

Washington, D.C., October 24, 2019 — Today, BPI, through its technology policy division known as ‘BITS’, along with the American Bankers Association (ABA) and the Securities Industry and Financial Markets Association (SIFMA), submitted a comment letter to the U.S. Department of Commerce regarding the National Institute of Standards and Technology’s (NIST) preliminary draft of the Privacy Framework. The Privacy Framework is a voluntary tool designed to help organizations of all sizes identify and assess privacy risk and implement solutions to better protect consumers.

“Modernization and the digitization of our economy have created numerous benefits for individuals, businesses, and society, but we must ensure all organizations take responsibility for managing and protecting individuals’ information,” the Associations wrote in their letter. “We believe that the NIST Privacy Framework can serve as a valuable tool that organizations may use to build and adapt a privacy program that fits the size, complexity, risk profile, and unique attributes of a particular institution and their sector.”

This is the Associations’ second comment letter on the Privacy Framework. In the most recent draft of the Privacy Framework, NIST included many of the recommendations submitted in the Associations’ January 2019 joint comment letter. In today’s letter, the Associations urge NIST to further refine the Privacy Framework in the following four ways:

  1. Align definitions within the Framework with well-established privacy terms. The current draft includes a glossary of privacy terms but does not include or reference terms widely used by privacy professionals.
  2. Ensure references to ethical decision-making appropriately recognize the lack of objective standards. The agency should instead adopt the approach taken within the financial sector of “responsible” use of data.
  3. Provide a mechanism to help organizations address conflicts of law and demonstrate compliance. Organizations are facing a patchwork of emerging state laws, data localization requirements, data security demands, and individual data rights, which creates inconsistencies and at times conflicts, and poses considerable challenges that NIST could help to address.
  4. Clarify intersections of the Privacy Framework with the NIST Cybersecurity Framework (CSF). Data privacy protections and cybersecurity are interrelated, and stronger cross-references could be established, specifically with regard to breaches.

-30-

SIFMA is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s nearly 1 million employees, we advocate for legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets, and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA). For more information, visit http://www.sifma.org.