This fall, chief information officers and chief information security officers will be asked to voluntarily sign-on to a new set of standards and practices aimed at better protecting consumer data and privacy.

Developed by the Identity Ecosystem Steering Group (IDESG), the standards would be industry-wide, and would outline the steps that organizations should comply with in order to have trusted identity management practices in place.

“The goal is to have safe, secure, user-friendly opportunities for organizations [to collect customer data]. And for individuals -- from consumers to the everyday user that is going online to do online transactions -- that they can know that these companies abide by certain principles, and standards and practices that make their online use of the system safe,” explained Jenn Behrens, director and chair of the IDESG Privacy Coordination Committee.

“This has been work that has been coming for a while. The timing of it with current events (referring to the recent Radio Shack case of wanting to sell off customer data in order to help raise revenues during the company’s bankruptcy actions) has just been an intriguing coincidence.”

Getting Down to Business

According to Behrens, the work of the IDESG really kicked into high gear about two years ago.

“There was a realization that there needed to be a greater effort to provide this interoperable, secure and safe online commerce environment. This is something that the White House has been behind for a couple of terms now, and actually it crosses the Aisle so it’s not just supported by one party or the other. “ 

In many ways, the IDESG effort aligns very close with the NSICS (National Strategy for Identities in Cyberspace), Behrens explained, but it is squarely focused on the commercial sector.

“IDESG has really benefitted from a very supportive relationship, but also the encouragement to meet industry standards in the commercial sector,” Behrens said. “It’s been a several year process, and it’s one of those things where a lot of the thought leaders in industry came tougher and said, ‘there is a real need to tackle this in a way that is vendor agnostic and is healthy for online consumer relationships with organizations’.”

What to Expect

So what exactly should CIOs and CISOs be expecting?

“A couple of the proposed requirements are that if an organization is going to collect [customer] information that that organization be upfront and that they provide a concise, meaningful and timely communication to the users concerning how that information will be collected and used, disseminated and maintained. And we have specific examples about what that means,” Behrens noted.

“Also relevant to that, we have a specific requirement that says if an organization makes a material change to that notice that they’ve provided to the user – for example, the FTC has noted that some organizations changed their privacy practices in a more restrictive or less than efficient way for the user -- that they need to inform the user, so that the user then knows that the practice that they originally agreed to has been changed,” Behrens continued.

“Then you give them the opportunity to consent to having their data collected and maintained off of that new practice.”

The bottom line is that, “It’s all about communicating these things with users and then being open, and honest, and transparent -- providing that notice and saying, the organization will use this data for this specific purpose and nothing else, unless we tell you or ask you about it. It’s giving the user the individual control to consent.”

Referring back to the Radio Shack example, Behrens said that one of the requirements speaks to the situation of an organization getting consent from the end user to collect data and then passing that data along to a third party vendor or another organization. In such a situation the terms in which the user originally agreed that the data would be used “passes downstream from that initial party”

Wide Array of Stakeholders

These proposals have been the result of a lot of work by a lot of individuals and organizations, Behrens noted.

“In the last couple of years the different thought leaders and stakeholders within the IDESG have been building out the governance structure and the framework to support the practices and principles that will go into the framework. In the last [eight to ten] months, the group -- committees such as the standards committee, the user experience committee, and the privacy committee -- came forth with very specific requirements that will contribute into the greater framework,” Behrens explained.

On June 25 the ODESG held a plenary when stakeholders could comments on the proposals.

“There are a lot of different stakeholders, and these stakeholders come from every industry and sector that you can imagine,” Behrens said.

“We have different companies represented: private large companies, the federal government, individual citizens who feel very strongly about the user experience side of identity management. We have attorneys who specialize in digital identities.

"We have companies who represent large vendors – they could be service providers -- identity providers, credential service providers, retailers; or [anyone that needs to] offer an identity proofing or online management tool for the everyday user, whether it’s a simple logon on all the way up to a multi-factor authentication. Everybody helps.”

“All of these requirements have come together, they’ve been harmonized, they have been made more interoperable with one another and more understandable so that they have common terminology,” Behrens continued.

“Remember that we’re bringing a diverse array of stakeholders to the table that represent all these different sectors and industries, and a lot of work has gone into normalizing the vocabulary, making sure that it is approachable and implementable for the everyday practitioner not just the academics in the area.”

Welcoming All Voices

Behrens said she is especially excited about the process for recommending and then approving what standards go into the final framework.

“One of the things I love about the IDESG and one of the reasons I’m so committed to it is that this is very much an organization that was built and designed for every level of participation, whether it’s from John Doe who just believes very strongly in privacy or user experience, all the way up to the federal government, and across the board to major organizations who might provide identity online,” Behrens said.

“It gets everyone involved and everyone has the opportunity to participate at any level of activity that they want.

“It’s a very exciting, innovative process. We didn’t just take a government approach. We didn’t just take a private sector approach. We really came at it from all these different perspectives coming together to really give the richness to the framework.”

Next Steps

“One of the things that we hope in the fall when the identity ecosystem framework is pushed out for consumption is that the CIOs or the CISOs at organizations can actually start meeting these standards,” Behrens concluded.

“It can be another part of [the process] for the compliance department or unit. It really helps an organization to get past just being compliant, and to say ‘we are committed to privacy, and security, and user experience, and interoperability’. It helps an organization reach that next level by doing good for their end users and behaving well with their information.”

Title image by Elizabeth Lies.