Overview
On April 14, 2025, the National Institute of Standards and Technology (NIST) released a draft update to the NIST Privacy Framework, version 1.1. The updates are meant to enhance organizations’ data governance and risk management and to integrate privacy into artificial intelligence (AI) governance. The updates also align the Privacy Framework with the widely used NIST Cybersecurity Framework 2.0 (CSF) so that organizations can manage their data privacy practices in a way that also helps prevent cybersecurity risks.
The NIST Privacy Framework is a voluntary tool that organizations use to better understand and assess the privacy risks arising from their day-to-day activities. Consumer privacy laws in several states require businesses to conduct regular privacy and data protection assessments, and the Privacy Framework is one tool privacy professionals can use to complete those assessments.
In Depth
NOTABLE UPDATES IN THE DRAFT PRIVACY FRAMEWORK
The draft Privacy Framework includes updates to help businesses assess the relationship between AI and privacy risks and identify privacy practices that promote strong cybersecurity safeguards. Specifically, the draft:
- Introduces a stand-alone governance category for privacy roles, emphasizing that such roles should be adequately resourced, and aims to ensure that leadership bears responsibility and accountability for privacy risks and outcomes. Governance is an ongoing process that requires organizations to monitor risk tolerances and legal obligations.
- Attempts to align the Privacy Framework with the CSF so that the two frameworks can be used together in risk management activities. The proposed integration should increase an organization’s efficiency in risk management and produce more robust outcomes. That is, the two frameworks now “speak” to each other in a way that should make coordinating assessments easier.
- Now includes specific discussion of the privacy risks of AI systems, including: (i) the potential for malicious use of AI systems to reveal individuals’ data through data reconstruction, prompt injection, or membership inference; (ii) failure to apply adequate privacy safeguards to training data; and (iii) computational or human biases. The proposed section on AI and Privacy Risk Management aims to help organizations manage AI privacy risks and ensure that organizational privacy values are reflected in the development and use of AI systems.
BUSINESS ACTION ITEMS
The comment period on the Privacy Framework is open through June 13, 2025. NIST is seeking comment on whether the Privacy Framework (1) addresses current privacy risk management needs, (2) sufficiently aligns with the CSF, and (3) can be practically operationalized.
McDermott regularly assists clients in compliance, audit, and enforcement activities regarding privacy, security, and security breach notification for businesses subject to US state data privacy laws, state AI laws, the Health Insurance Portability and Accountability Act, and cybersecurity laws. We have developed compliance materials that include template policies and procedures, notices, forms, and security risk self-assessment tools to enable businesses to implement required privacy, security, and breach notification standards. We also regularly assist clients in tailoring the materials to their respective business needs.
For more information, please contact your regular McDermott lawyer or one of the authors.