CIPP/US Exam
The FTC and state Attorneys General are responsible for what?
Enforcing federal and state laws of consumer privacy protection for Unfair or Deceptive Trade Practices (UDTP)
Federal consumer protection law enforcement is under the jurisdiction of which regulatory group?
FTC
FCRA
Fair Credit Reporting Act
What is the Function, Make up, Checks & Balances of the Judicial Branch?
Function: Interpretation of laws; Made up of: Federal Courts; Checks & Balances: Determines if laws are constitutional
Which federal agency notes that individuals' privacy rights are protected by the following: Internal Revenue Code, Privacy Act of 1974, Freedom of Information Act and IRS policies and practices?
IRS
Department of Health & Human Services
Oversees HIPAA
PHI
Personal Health Information
Random Testing
Substance-use testing acceptable on existing employees in highly regulated industries where employee has diminished expectation of privacy / where testing is critical to public safety or nat'l security.
What is PCI DSS also known as?
The "digital dozen".
Consent decrees are signed by
The company and the FTC
According to the FTC Act, violations of an FTC order may be punishable by fines up to:
$11,000 per violation
The state attorneys general filed a complaint against Eli Lilly's service. The fine imposed for deceptive trade practices was:
$160,000
What are the 3 main stages of compliance for PCI DSS?
1) Collecting and storing 2) Reporting 3) Monitoring and Alerting
Role of the Federal Reserve System
1) Conduct nation's monetary policy 2) Supervise and regulate banking institutions 3) Maintain stability of the financial system 4) Provide financial services to depository institutions, US government and foreign official institutions.
Privacy Enforcement Authorities are responsible for:
1) Discuss practical aspects of privacy law enforcement cooperation 2) Share best practices in cross-border challenges 3) Work to develop shared enforcement priorities 4) Support joint enforcement initiatives and awareness campaigns
What are 3 ways that the US Census Bureau protects personal information?
1) Federal Law 2) Privacy Principles 3) Statistics Safeguards
What are the Federal Reserve's responsibilities with regards to consumer protection?
1) Writing & interpreting regulations 2) Review bank compliance w/ regs 3) Investigate complaints from the public about banks' compliance with consumer protection laws 4) Address issues of state and federal jurisdiction 5) Testify before Congress on consumer protection issues 6) Conduct community development activities
How is a law analyzed?
1. Why does this law exist? 2. Who is covered? 3. What is covered? 4. What is required or prohibited? 5. Who enforces the law? 6. What happens if there is no compliance?
In May 2002, the FTC and Eli Lilly entered into a consent decree to resolve privacy issues with their Medi-messenger service. The order required the company to notify the FTC in the event of any change that may affect its compliance. Such notices were to be provided within:
120 days
The FTC and Petco entered into a consent decree to resolve security flaws with their web applications. Petco was ordered to carry out a third-party audit within:
180 days after service of order
Fair Credit Reporting Act
Enacted in 1970 to regulate the consumer reporting industry and provide privacy rights regarding consumer reports.
In June 2002, a number of state attorneys general filed a complaint against Eli Lilly. As a result, the company was required to conduct a written review within:
90 days
Federal Open Market Committee
A body established by the Federal Reserve Act to govern the system's operations. Principal source on US national monetary policy.
This is NOT a common element of an FTC settlement agreement
A relegation of responsibility to the FTC to develop an information security program.
What is an information system?
A set of people, data and procedures that work together to provide useful information.
Gramm-Leach Bliley Act
AKA Financial Services Modernization Act of 1999. US federal law controlling the way that financial institutions deal with the private information of individuals.
Preemption
Ability for one government's laws to supersede those of another (i.e. federal law overriding individual state law)
Private Right of Action
Ability of an individual harmed by violation of law to bring suit against the violator.
________refers to a real or perceived likelihood that the actions, decisions or behaviours of an individual, group or organization will be evaluated by some salient audience and that there exists the potential for the individual, group or org to receive either rewards or sanctions based on this expected evaluation.
Accountability
What does FCRA mandate?
Accurate and relevant data collection, consumer ability to access and correct their info, limited use of consumer reports for intended purpose.
ADA
Americans with Disabilities Act (ADA)
A security incident refers to...
An adverse event in an information system and/or network, or threat of the occurrence of such an event.
Defamation
Any act or communication intending to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.
Health Information
Any info related to past, present or future physical / mental condition, provision of health care or payment for health care for an individual.
The chief legal officer of a state is known as the:
Attorney General (AG)
The chief legal officer of a state is known as the:
Attorneys General
These regulators do NOT operate on the federal level
Attorneys General (AGs)
Which regulators do NOT operate on the federal level?
Attorneys General (AGs)
What countries are part of the Global Privacy Enforcement Network (GPEN)?
Canada, US, France, New Zealand, Israel, Italy, Australia, Ireland, Spain, UK, Netherlands and Germany
Stored Communications
Category of data protected from unauthorized acquisition, alteration or blocking while stored in a facility through which electronic ...
National Security Letter
Category of subpoena generally issued to seek records considered relevant to protect against international terrorism or clandestine intelligence activities.
CMS
Center for Medicare & Medicaid Services
Federal Reserve System (the Fed)
Central bank of the US
The FTC brought complaint against Petco Inc. because:
Clients' credit card info was not being appropriately protected. Petco's website was vulnerable to SQL searches, which revealed clients' credit card info.
Department of Commerce
Collaborates with the FTC on Safe Harbor
Federal Communications Commission
Collaborates with the FTC on TCPA and CAN-SPAM
What is a Trust Mark?
Considered to be a symbol that represents an assurance of some understood message (i.e. seal of approval).
CFPB
Consumer Financial Protection Bureau
CRA
Consumer Reporting Agency
Regarding the Nov 2014 Petco case, the FTC deemed the company's actions as deceptive, but did not allege this:
Consumer injury
Who created the Fed and why?
Created by Congress to provide the US with a "safer, more flexible and more stable monetary and financial system." An independent entity subject to oversight by Congress, which can alter its responsibilities by statute.
Reasonable suspicion
Criteria for substance testing in an employment setting
A company makes a promise about the level of security it offers its clients. The company then fails to uphold that promise. This is referred to as a:
Deceptive trade practice
Consumer injury does not necessarily have to result for this to be actionable:
Deceptive trade practices
Case Law
Decisions published by the courts
DoD
Department of Defense
HHS
Department of Health & Human Services
This regulator would conduct investigations to enforce the HIPAA Privacy Rule
Department of Health and Human Services Office of Civil Rights (OCR)
DOT
Department of Transportation
e-Discovery
Discovery in civil litigation dealing with the exchange of info in electronic format, often requiring digital forensics analysis.
Which agency has a Privacy Act Statement with the following: "If you choose to provide us with personal information... we will only use that information to respond to your message or request. We will only share the information you give us with another government agency if your inquiry relates to the agency, or as otherwise required by law..."
DoD
______ is the process of identifying, preserving, collecting, preparing, reviewing and producing electronically stored information (ESI) within any medium or any designated tangible thing.
Electronic Discovery (e-Discovery)
ESI
Electronically Stored Information (i.e. e-mail, word-processing docs, server logs, IM, transcripts, voicemail, social networking, thumb drives, or data on SD cards).
The newfound MIS capability not only allows more timely decision making, it also does this...
Enables better control of foreign subsidiaries or operations.
The Federal Reserve Act
Enacted in 1913 due to failure of national banks to provide effective funding. Comprised of the Board of Governors in Washington and 12 Fed Reserve Banks situated throughout the US.
The Office of the Comptroller of the Currency cannot carry out the enforcement of these laws:
Enforce Federal consumer protection laws
The Office of the Comptroller of the Currency cannot carry out the following:
Enforce Federal consumer protection laws.
What is the GPEN responsible for?
Enforcing laws and investigations to protect personal data and encourage members to develop shared enforcement policies.
EEOC
Equal Employment Opportunity Commission
Global Privacy Enforcement Network
Est. 2010 by FTC and enforcement authorities around the world. Promotes cross-border info sharing as well as investigation and enforcement cooperation among privacy authorities globally.
The National Monetary Commission
Established by Congress due to a severe crisis in 1907. The commission made proposals to create an institution that would prevent financial disruptions (the Fed).
What are the three branches of Government?
Executive Branch, Legislative Branch, Judicial Branch
What did the Wheeler-Lea Act do when it was created in 1938?
Expanded FTC authority under Section 5 to include 'unfair or deceptive acts or practices.'
Privacy Notice
External communication from an org to consumers, customers or users to describe org's privacy practices.
Which group does NOT aggressively enforce privacy and consumer protection laws?
FCC
Who are the privacy regulators in the US?
FTC, FCC, Department of Commerce, OCC, HHS, OCR, CMS, DOT, State Attorneys General
Negligence
Failure to exercise the care that a reasonably prudent person would exercise in like circumstances, leading to unintended harm.
Equal Employment Opportunity Commission
Federal Agency overseeing many laws preventing discrimination in the workplace, including Title VII of the Civil Rights Act, ADEA and Titles I and V of the ADA
FCC
Federal Communications Commission
The Communications Act is enforced by:
Federal Communications Commission (FCC)
This regulator does NOT enforce privacy and consumer protection laws
Federal Communications Commission (FCC)
FOMC
Federal Open Market Committee
FTC
Federal Trade Commission
What was the case of GeoCities about?
First, it allegedly misrepresented how it would use its privacy notice. Second, it collected and maintained children's personal info without parental consent.
What is the Function, Make up, Checks & Balances of the Legislative Branch?
Function: Creation of laws; Made up of: Congress (House & Senate); Checks & Balances: Congress confirms any presidential appointees, Congress can override presidential vetoes
What is the Function, Make up, Checks & Balances of the Executive Branch?
Function: Enforcement of laws; Made up of: President, Vice-President, Cabinet, Federal Agencies; Checks & Balances: President appoints Federal Judges, President able to veto laws passed by Congress
Employment at Will
General rule in the US which grants the employer broad discretion to fire an employee.
This was the first FTC Internet privacy enforcement action
GeoCities
GPEN
Global Privacy Enforcement Network
GLBA
Gramm-Leach Bliley Act
The FTC ordered Petco to conduct a risk assessment, which included all of the following areas of focus EXCEPT: a) Employee training b) HR policies and practices c) Information systems d) Potential systems failures.
HR policies & practices
HIPAA
Health Insurance Portability and Accountability Act of 1996
National Labor Relations Board
Independent agency of US gov't responsible for investigating and remedying unfair labor practices.
Federal Trade Commission
Independent consumer protection agency governed by a chairman and four other commissioners with authority to enforce against unfair and deceptive trade practices.
Personal Health Information
Individually identifiable health information with data elements which could reasonably be expected to allow individual identification.
Privacy Policy
Internal standards doc to describe an org's privacy practices.
Protective Order
Judge-issued determination of what info contained in court records should not be made public and what conditions apply to who may access the protected info.
Consent Decree
Judgement entered by consent of the parties (a federal or state agency and an adverse party) whereby the defendant agrees to stop alleged illegal activity, typically without admitting guilt or wrongdoing.
The FTC suspects that a company has not complied with privacy/security regulations. The FTC will most likely do what?
Launch an investigation of the company
Common Law
Legal principles that have developed over time in judicial decisions (case law), often drawing on social customs and expectations
Self-regulation can occur through these three traditional separation of powers:
Legislation, enforcement and adjudication
Statutes
Local, state or federal laws that have been enacted by Congress
MIS
Management Information System
An organization's __________________ is a system for obtaining, processing and delivering information that can be used in managing the org in order to improve the performance of the org through the implementation of IT.
Management Information System (MIS)
The conflict between US e-discovery and EU data protections means....
Many multinational companies have to choose between restricting an e-discovery or acting in breach of data protection legislation.
Polygraph
Monitoring practice limited in use under FCRA
MNC
Multi-National Corporation
Org for Economic Co-operation and Development
Multinational org with the goal of creating policies that contribute to the economic, environmental and social well-being of its member countries.
NLRB
National Labor Relations Board
NSL
National Security Letter
In May 2002, The FTC and Eli Lilly entered into a consent decree to resolve privacy issues with their Medi-messenger service. The fine imposed for deceptive trade practices was:
None. The FTC did not impose a fine.
The fine imposed for deceptive trade practices in December 2002, when the FTC entered into a consent decree with Microsoft to resolve issues with their Passport technology was:
None. The FTC did not impose a fine.
Sedona Conference
Nonprofit research & educational institute responsible for the establishment of standards and best practices for managing electronic discovery compliance through data retention policies.
OCR
Office of Civil Rights
OCC
Office of the Comptroller of the Currency
OBA
Online Behavioral Advertising
OECD
Organization for Economic Co-operation and Development
What's the basic rule of HIPAA?
Patients must opt-in BEFORE their info can be shared with other orgs; some exceptions for treatment, payment and healthcare options.
PCI DSS
Payment Card Industry Data Security Standard
What is PCI DSS?
Payment Card Industry Security Standard developed in 2004 and applies to all payment channels: retail, mail orders, phone orders and e-commerce.
Consumer Reporting Agency (CRA)
Person / entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.
PHR
Personal Health Record
Redaction
Practice of identifying and removing / blocking info from docs being produced pursuant to a discovery request / evidence in a court proceeding.
Background Screening
Pre-employment review of criminal, commercial and financial records of an individual or org, regulated by federal and state laws.
PEAs
Privacy Enforcement Authorities
Evidentiary Privilege
Privileges limiting or prohibiting disclosure of personal information in the context of investigations and litigation, such as attorney-client privilege.
What is the role of the US Census Bureau?
Produce accurate, relevant stats on US economy and population.
Self-regulatory principles for online behavioral advertisements
Published by the FTC; provides businesses the flexibility to apply regulations.
Regulations
Published by regulatory agencies (e.g. the FTC, Federal Trade Commission)
QPO
Qualified Protective Order
Any gov't agency that has the ability to investigate a company's information handling practices and take action in the case of violations is referred to as a(n)?
Regulator
State Attorneys General
Responsible for enforcement of privacy legislation
Privilege
Rule of evidence that protects confidential information communicated between a client and legal advisor.
What is the most important part of the Federal Trade Commission Act and what does it say?
Section 5 - in 1914 - proscribes unfair competition and authorizes the FTC to issue orders prohibiting 'unfair methods of competition'.
Payment Card Industry Data Security Standard
Set of rules developed by the PCI DSS Council to provide enforceable security standard for payment card data.
The FTC may not preclude/supersede state action of this independent authority:
State AGs
State AGs are able to bring actions which enforce the following legislation:
State and Federal
In addition to FTC actions against Eli Lilly in the Medi-messenger case, complaints were made by:
State attorneys general
Attorneys General operate on what level?
State level
What are the sources of law in the US?
Statutes, regulations, case law, common law
Bring Your Own Device (BYOD)
Strategy allowing employees to use their personal computing devices for work purposes. Benefits include more flexibility, efficiency and productivity in employee work schedules; challenges are primarily security-based as employers lack control over employee devices.
If the FTC notices a company's pattern of non-compliance with privacy/security regulations, it will most likely do what?
Take formal enforcement action against the company.
What was the outcome in the matter of GeoCities?
The action was settled. The FTC issued a consent order which required the business to post and adhere to a conspicuous online privacy notice that disclosed to users how it would collect and use personal information. They were also required to obtain parental / guardian consent before collecting information from children 12 years of age or under.
What happened with the state of Maine's consumer protections?
Their state's consumer protections are more restrictive than the federal laws with cigarette labeling. The Supreme Court decision upheld the State's right to pass more restrictive legislation.
Publicity given to private life
Tort claim that considers publicity given to an individual's private life by another is an invasion of privacy and subject to liability.
Online Behavioral Advertising
Tracking of consumers' online activities in order to deliver personal advertising. Allows business to specifically target their ads towards individuals.
As a result of their information handling practices, companies face:
Two types of legal claims from regulators.
Antidiscrimination Laws
US federal laws that prohibit discrimination in employment and have sometimes been used to limit background checks.
Health Insurance Portability and Accountability Act of 1996
US law passed to create national standards for electronic healthcare transactions, and other things. Required US Department of Health and Human Services (DHHS) to create regs to protect personal health information.
An act or practice that causes substantial injury to consumers, that consumers cannot reasonably avoid, whose injury is not outweighed by other benefits to consumers or to competition, and for which public policy has been considered... such acts or practices are deemed to be __________________.
Unfair practices.
The Federal Trade Commission (FTC) differentiates between which of the following statements? a) Unfair trade practices and deceptive trade practices. b) Illegal trade practices and unfair trade practices. c) Deceptive trade practices and questionable trade practices. d) Misguided trade practices and misleading trade practices.
Unfair trade practices and deceptive trade practices.
What is a consent decree?
When the FTC cites a business in violation of unfair or deceptive trade practices or violation of a specific consumer protection law. The respondent does not admit fault, but promises to change its practices.
Office of the Comptroller of the Currency
Works with FTC on FCRA
Qualified Protective Order
[Under HIPAA] Prohibits the use / disclosure of PHI for any purpose other than the litigation for which the info was requested; also requires the return of PHI to the covered entity at the close of litigation.
Which of the following statutes are enforced by the FTC?
a) Fair Credit Reporting Act (FCRA) b) Children's Online Privacy Protection c) Telemarketing Sales Rule (TSR)
What are the two main types of legal claims?
a) Regarding the violation of a law or regulation b) Regarding the violation of a general consumer law.
Which of the following statements describes an unfair trade practice? a) It causes substantial injury to consumers. b) It cannot be reasonably avoided by consumers. c) It does not offer offsetting benefits to consumers or competition. d) All of the above.
d) All of the above.