In a January 15, 2014 update, the National Institute of Standards and Technology (“NIST”) announced that it would eliminate contentious privacy provisions in Appendix B of the Preliminary Cybersecurity Framework. The appendix was originally intended “to protect individual privacy and civil liberties” as part of the February 2012 Executive Order 13636 requiring NIST to establish a framework to manage cybersecurity risk. The proposed privacy provisions generated widespread controversy, however, because “the methodology did not reflect consensus private sector practices and therefore might limit use of the Framework.” As a result, NIST determined that the appendix “did not generate sufficient support through the comments to be included in the final Framework.”

For more information about the alternative privacy methodology that will replace the appendix and other aspects of the NIST update, please see my post on the ABA Privacy and Information Security Committee blog, available here.