CIPP/US Exam

¡Supera tus tareas y exámenes ahora con Quizwiz!

The FTC and state Attorneys General are responsible for?

Enforcing federal and state laws of consumer privacy protection for Unfair or Deceptive Trade Practices (UDTP)

Federal consumer protection law enforcement is under the jurisdiction of which regulatory group?

FTC

FCRA

Fair Credit Reporting Act

What is the Function, Make up, Checks & Balances of the Judicial Branch?

Function: Interpretation of laws Made up of: Federal Courts Checks & Balances: Determines if laws are constitutional

Which federal agency notes that individuals privacy rights are protected by the following: Internal Revenue Code, Privacy Act of 1974, Freedom of Information Act and IRS policies and practices?

IRS

Department of Health & Human Services

Oversees HIPAA

PHI

Personal Health Information

Random Testing

Substance-use testing acceptable on existing employees in highly regulated industries where employee has diminished expectation of privacy / where testing is critical to public safety or nat'l security.

What is PCI DSS also known as?

The "digital dozen".

Consent decrees are signed by

The company and the FTC

According to the FTC Act, violations of an FTC order may be punishable of fines up to:

$11,000 per violation

The state attorneys general filed a complaint against Eli Lilly's service. The fine imposed for deceptive trade practices was:

$160,000

What are the 3 main stages of compliance for PCI DSS?

1) Collecting and storing 2) Reporting 3) Monitoring and Alerting

Role of the Federal Reserve System

1) Conduct nation's monetary policy 2) Supervise and regulate banking institutions 3) Maintain stability of the financial system 4) Provide financial services to depository institutions, US government and foreign official institutions.

Privacy Enforcement Authorities are responsible for:

1) Discuss practical aspects of privacy law enforcement coop 2) Share best practices in cross- border challenges 3) Work to develop shared enforcement priorities 4) Support joint enforcement initiatives and awareness campaigns

What are 3 ways that the US Census Bureau protect personal information?

1) Federal Law 2) Privacy Principles 3) Statistics Safeguards

What's the Federal Reserve's responsibilities with regards to consumer protection?

1) Writing & interpreting regulations 2) Review bank compliance w/ regs 3) Investigate complaints from the public banks compliance with consumer protection laws. 4) Address issues of state and federal jurisdiction 5) Testify before Congress on consumer protection issues. 6) Conduct community development activities.

How is a law analyzed?

1. Why does this law exist? 2. Who is covered? 3. What is covered? 4. What is required or prohibited? 5. Who enforces the law? 6. What happens if there is no compliance?

In May 2002, the FTC and Eli Lilly entered into a consent decree to resolve privacy issues with their Medi-messenger service. The order required the company notify the FTC in the event of any change that may affect its compliance. Such notices were to be provided within:

120 days

The FTC and Petco entered into a consent decree to resolve security flaws with their web applications. Petco was ordered to carry out a third-party audit within:

180 days after service of order

Fair Credit Reporting Act

1970 to regulate consumer reporting industry and provide privacy rights to consumer reports.

In June 2002, a number of state attorneys general filed a complaint against Eli Lilly. As a result, the company was required to conduct a written review within:

90 days

Federal Open Market Committee

A body established by the Federal Reserve Act to govern the system's operations. Principal source on US national monetary policy.

This is NOT a common element of an FTC settlement agreement

A relegation of responsibility to the FTC to develop an information security program.

What is an information system?

A set of people, data and procedures that work together to provide useful information.

Gramm-Leach Bliley Act

AKA Financial Services Modernization Act of 1999. US Federal law controlling way that financial institutions deal with private information of individuals.

Preemption

Ability for one government's laws to supersede those of another (I.e. federal law overriding individual state law)

Private Right of Action

Ability of an individual harmed by violation of law to bring suit against the violator.

________refers to a real or perceived likelihood that the actions, decisions or behaviours of an individual, group or organization will be evaluated by some salient audience and that there exists the potential for the individual, group or org to receive either rewards or sanctions based on this expected evaluation.

Accountability

What does FCRA mandate?

Accurate and relevant data collection, consumer ability to access and correct their info, limited use of consumer reports for intended purpose.

ADA

Americans with Disabilities Act (ADA)

A security incident refers to...

An adverse event in an information system and/or network, or threat of the occurrence of such an event.

Defamation

Any act or communication intending to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.

Health Information

Any info related to past, present or future physical / mental condition, provision of health care or payment for health care for an individual.

The Chief Legal Office of at state is known as the:

Attorney General (AG)

The chief legal officer of a state is known as the:

Attorneys General

These regulators do NOT operate on the federal level

Attorneys General (AGs)

Which regulators do NOT operate on the federal level?

Attorneys General (AGs)

What countries are part of the Global Privacy Enforcement Network (GPEN)?

Canada, US, France, New Zealand, Israel, Italy, Australia, Ireland, Spain, UK, Netherlands and Germany

Stored Communications

Category of data prohibited from unauthorized acquisition, alteration or blocking while stored in facility through which electronic acquisition, alteration / blocking while stored ...

National Security Letter

Category of subpoena generally issued to seek records considered relevant to protect against international terrorism or clandestine intelligence activities.

CMS

Center for Medicare & Medicaid Services

Federal Reserve System (the Fed)

Central bank of the US

The FTC brought complaint against Petco Inc. because:

Clients' credit card info was not being appropriately protected. Petco's website was vulnerable to SQL searches, which revealed clients' credit card info.

Department of Commerce

Collaborates with the FTC on Safe Harbor

Federal Communications Commission

Collaborates with the FTC on TCPA and CAN-SPAM

What is a Trust Mark?

Considered to be a symbol that represents an assurance of some understood message (i.e. seal of approval).

CFPB

Consumer Financial Protection Bureau

CRA

Consumer Reporting Agency

Regarding the Nov 2014 Petco case, the FTC deemed the company's actions as deceptive, but did not allege this:

Consumer injury

Who created the Fed and why?

Created by Congress to provide the US with a "safer, more flexible and more stable monetary and financial system. An independent entity subject to oversight by the Congress who can alter its responsibilities by statute.

Reasonable suspicion

Criteria for substance testing in an employment-setting

A company makes a promise about the level of security it offers its clients. The company then fails to uphold that promise. This is referred to as a :

Deceptive trade practice

Consumer injury does not necessarily have to result for this to be actionable:

Deceptive trade practices

Case Law

Decisions published by the cours

DoD

Department of Defense

HHS

Department of Health & Human Services

This regulator would conduct investigations to enforce the HIPAA Privay Rule

Department of Health and Human Services Office of Civil Rights (OCR)

DOT

Department of Transportation

e-Discovery

Discovery in civil litigation dealing the exchange of info in electronic format, often requiring digital forensics analysis.

Which agency has a Privacy Act Statement with the following: "If you choose to provide us with personal information... we will only use that information to respond to your message or request. We will only share the information you give us with another government agency if your inquiry relates to the agency, or as otherwise required by law..."

DoD

______ is the process of identifying, preserving, collecting, preparing, reviewing and producing electrically stored information (ESI) within any medium or any designated tangible thing.

Electronic Discovery (e-Discovery)

ESI

Electronically stored Information (i.e. e-mail, word-processing docs, server logs, IM, transcripts, voicemail, social networking, thumb drives, or data on SD cards.

The newfound MIS capability not only allows more timely decision making, it also does this...

Enables better control of foreign subsidiaries or operations.

The Federal Reserve Act

Enacted in 1913 due to failure of national banks to provide effective funding. Comprised of the Board of Governors in Washington and 12 Fed Reserve Banks situated throughout the US.

The Office of the Comptroller of the Currency cannot carry out the enforcement of these laws:

Enforce Federal consumer protection laws

The Office of the Comptroller of the Currency cannot carry out the following:

Enforce Federal consumer protection laws.

What is the GPEN responsible for?

Enforcing laws and investigations to protect personal data and encourage members to develop shared enforcement policies.

EEOC

Equal Employment Opportunity Commission

Global Privacy Enforcement Network

Est. 2010 by FTC and enforcement authorities around the world. Promotes cross-border info sharing as well as investigation and enforcement cooperation among privacy authorities globally.

The National Monetary Commission

Established by Congress due to a severe crisis in 1907. The commission made proposals to create an institutions that would prevent financial disruptions (the Fed).

What are the three branches of Government?

Executive Branch, Legislative Branch, Judicial Branch

What did the Wheeler-Lea Act do when it was created in 1938?

Expanded FTC authority under Section 5 to include 'unfair or deceptive acts or practices.'

Privacy Notice

External communication from an org to consumers, customers or users to describe org's privacy practices.

Which group does NOT aggressively enforce privacy and consumer protection laws?

FCC

Who are the privacy regulators in the US?

FTC FCC Department of Commerce OCC HHS OCR CMS DOT State Attorneys General

Negligence

Failure to exercise the care that a reasonably prudent person would exercise in like circumstances, leading to unintended harm.

Equal Employment Opportunity Commission

Federal Agency overseeing many laws preventing discrimination in the workplace, including Title VII of the Civil Rights Act, ADEA and Titles I and V of the ADA

FCC

Federal Communications Commission

The Communications Act is enforced by:

Federal Communications Commission (FCC)

This regulator does NOT enforce privacy and consumer protection laws

Federal Communications Commission (FCC)

FOMC

Federal Open Market Committee

FTC

Federal Trade Commission

What was the case of GeoCities about?

First, it allegedly misrepresented how it would use its privacy notice. Second, it collected and maintained children's personal info without parental consent.

What is the Function, Make up, Checks & Balances of the Legislative Branch?

Function: Creation of laws Made up of: Congress (House & Senate) Checks & Balances: Congress confirms any presidential appointees, Congress can override presidential vetoes

What is the Function, Make up, Checks & Balances of the Executive Branch?

Function: Enforcement of laws Made up of: President, Vice-President, Cabinet, Federal Agencies Checks & Balances: President appoints Federal Judges, President able to veto laws passed by Congress

Employment at Will

General rule in the US which grants the employer broad discretion to fire an employee.

This was the first FTC Internet privacy enforcement action

GeoCities

GPEN

Global Privacy Enforcement Network

GLBA

Gramm-Leach Bliley Act

The FTC ordered Petco to conduct a risk assessment, which included all of the following areas of focus EXCEPT: Employee training HR policies and practices information systems potential systems failures.

HR policies & practices

HIPAA

Health Insurance Portability and Accountability Act of 1996

National Labor Relations Board

Independent agency of US gov't responsible for investigating and remedying unfair labor practices.

Federal Trade Commission

Independent consumer protection agency governed by a chairman and four other commissioners with authority to enforce against unfair and deceptive trade practices.

Personal Health Information

Individually identifiable health information with data elements which could reasonably be expected to allow ind identification.

Privacy Policy

Internal standards doc to describe an orgs privacy practices.

Protective Order

Judge-issued determination of what info contained in court records should not be made public and what conditions apply to who may access the protected info.

Consent Decree

Judgement entered by consent of the parties (a federal or state agency and an adverse party) whereby the defendant agrees to stop alleged illegal activity, typically without admitting guilt or wrongdoing.

The FTC suspects that a company has not complied with privacy/security regulations. The FTC will most likely do what?

Launch an investigation of the company

Common Law

Legal principles that have devleoped over time in judicial decisions (case law), often drawing on social customs and expectations

Self-regulation can occur through these three traditional separation of powers:

Legislation, enforcement and adjudication

Statutes

Local, state or federal laws that have been enacted by Congress

MIS

Management Information System

An organizations __________________ is a system for obtaining, processing and delivering information that can be used in managing the orgs in order to improve the performance of the orgs through the implementation of IT.

Management Information System (MIS)

The conflict between US e-discovery and EU data protections means....

Many multinational companies have to choose between restricting an e-discovery or acting in breach of data protection legislation.

Polygraph

Monitoring practice limited in use under FCRA

MNC

Multi-National Corporation

Org for Economic Co-operation and Development

Multinational org with the goal of creating polices that contribute to the economic, environmental and social well-being of its member countries.

NLRB

National Labor Relations Board

NSL

National Security Letter

In May 2002, The FTC and Eli Lilly entered into a consent decree to resolve privacy issues with their Medi-messenger service. The fine imposed for deceptive trade practices was:

None. The FTC did not impose a fine.

The fine imposed for deceptive trade practices in December 2002, when the FTC entered into a consent decree with Microsoft to resolve issues with their Passport technology was:

None. The FTC did not impose a fine.

Sedona Conference

Nonprofit research & educational institute responsible for est of standards and best practices for managing electronic discovery compliance through data retention policies.

OCR

Office of Civil Rights

OCC

Office of the Comptroller of the Currency

OBA

Online Behavioral Advertising

OECD

Organization for Economic Co-operation and Development

What's the basic rule of HIPAA?

Patients must opt-in BEFORE their info can be shared with other orgs-- some exceptions for treatment, payment and healthcare options.

PCI DSS

Payment Card Industry Data Security Standard

What is PCI DSS?

Payment Card Industry Security Standard developed in 2004 and applies to all payment channels: retail, mail orders, phone orders and e-commerce.

Consumer Reporting Agency (CRA)

Person / entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.

PHR

Personal Health Record

Redaction

Practice of identifying and removing / blocking info from docs being produced pursuant to a discovery request / evidence in a court proceeding.

Background Screening

Pre-employment review of criminal, commercial and financial records of an individual or org, regulated by federal and state laws.

PEAs

Privacy Enforcement Authorities

Evidentiary Privilege

Privileges limiting or prohibiting disclosure of personal information in the context of investigations and litigation, such as attorney-client privilege.

What is the role of the US Census Bureau?

Produce accurate, relevant stats on US economy and population.

Self-regulatory principles for online behavioral advertisements

Published by FTC and includes and provides businesses the flexibility to apply regulations.

Regulations

Published by regulatory agencies (FTC; Federal Trade Commission)

QPO

Qualified Protective Order

Any gov't agnecy that has the ability to investigate a company's information handling practices and take action in the case of violations is referred to as a(n)?

Regulator

State Attorneys General

Responsible for enforcement of privacy legislation

Privilege

Rule of evidence that protects confidential information communicated between a client and legal advisor.

What is the most important part of the Federal Trade Commission Act and what does it say?

Section 5 - in 1914 - proscribes unfair competition and authorizes the FTC to issue order prohibiting 'unfair methods of competition'.

Payment Card Industry Data Security Standard

Set of rules developed by the PCI DSS Council to provide enforceable security standard for payment card data.

The FTC may not preclude/supersede state action of this independent authority:

State AGs

State AGs are able to bring actions which enforce the following legislation:

State and Federal

In addition to FTC actions against Eli Lilly in the Medi-messenger case, complaints were made by:

State attorneys general

Attorneys General operate on what level?

State level

What are the sources of law in the US?

Statutes, regulations, case law, common law

Bring Your Own Device (BYOD)

Strategy allowing employees to use their personal computing devices for work purposes. Benefits include more flexibility, efficiency and productivity in employee work schedules; challenges are primarily security-based as employers lack control over employee devices.

If the FTC notices a company's pattern of non-compliance with privacy/security regulations, it will most likely do what?

Take formal enforcement action against the company.

What was the outcome in the matter of GeoCities?

The action was settled. The FTC issued a consent order which required the business to post and adhere to a conspicuous online privacy notice that disclosed to users how it would collect and use personal information. They were also required to obtain parental / guardian consent before collecting information from children 12 years of age or under.

What happened with the state of Maine's consumer protections?

Their state's consumer protections are more restricitive than the federal laws with cigarette labeling.The Supreme Court decision upheld the State's right to pass more restrictive legislation.

Publicity given to private life

Tort claim that considers publicity given to an individual's private life by another is an invasion of privacy and subject to liability.

Online Behavioral Advertising

Tracking of consumers' online activities in order to deliver personal advertising. Allows business to specifically target their ads towards individuals.

As a result of their information handling practices, companies face:

Two types of legal claims from regulators.

Antidiscrimination Laws

US federal laws that prohibit discrimination in employment and have sometimes been used to limit background checks.

Health Insurance Portability and Accountability Act of 1996

US law passed to create national standards for electronic healthcare transactions, and other things. Required US Department of Health and Human Services (DHHS) to create regs to protect personal health information.

The act or practice causing substantial injury to consumers, consumers must not reasonably be able to avoid injury, injury must not be outweighed by other benefits to consumers or to corporate competition, public policy must be considered... all these acts or practices are deemed to be __________________.

Unfair practices.

The Federal Trade Commission (FTC) differentiates between which of the following statements: Unfair trade practices and deceptive trade practices. Illegal trade practices and unfair trade practices. Deceptive trade practices and questionable trade practices. Misguided trade practices and misleading trade practices.

Unfair trade practices and deceptive trade practices.

What is a consent decree?

When the FTC sites a business in violation of unfair or deceptive trade practices or violation of a specific consumer protection law. The respondent does not admit fault, but promises to change its practices.

Office of the Comptroller of the Currency

Works with FTC on FCRA

Qualified Protective Order

[Under HIPAA] Prohibits the use / disclosure of PHI for any purpose other than litigation for which info was requested--also requires the return of PHI to the covered entity at the close of litigation.

Which of the following statutes are enforced by the FTC?

a) Fair Credit Reporting Act (FCRA) b) Children's Online Privacy Protection c) Telemarketing Sales Rule (TSR)

What are the two main types of legal claims?

a) Regarding the violation of a law or regulation b) regarding the violation of a general consumer law.

Which of the following statements describes an unfair trade practice? a) It causes substantial injury to consumers. b) It cannot be reasonable avoided by consumers. c) It does not offer offsetting benefits to consumers or competition. d) All of the above.

d) All of the above.


Conjuntos de estudio relacionados

American Government - Rights and Responsibilities

View Set

DP-200: Implementing an Azure Data Solution

View Set

Lab Diagnostics - Cardiac Enzymes & Lactate

View Set

Intro to Java Programming Chapter 10

View Set

Human Development Final Exam Review

View Set

Chapter 2-ENTR-202: Small Business Entrepreneurs: Characteristics and Competencies

View Set

UWorld Gastrointestinal/Nutrition

View Set

Recursive Formulas for Arithmetic Sequences

View Set

SUBJECT and OBJECT PRONOUNS: Replace the object and subject with the correct pronoun!

View Set

Osha (this has some of the assessment questions you just have to search for it)

View Set