CIPP/US Exam

Spear Phishing

A phishing attempt directed at a specific individual or company. An attacker first gathers information about their high profile target to increase probability of a successful attack. Then they get user to provide sensitive data by return message since they have personalized the outgoing message

Security Rule (HIPAA)

Deals with specifically ePHI, in accordance with this rule, there are three types of security safeguards to protect ePHI: Administrative, physical, and technical. For each, the rule identifies security standards and for each standard it provides both required and addressable implementation specifics.

Mobile Computing

Most people carry a mobile computing device which is connected to the internet. Many concerns exist including how they store, distribute and secure location data (GPS is a chief privacy concern).

PIPEDA

Canadian data privacy law that codifies the fair information principles. Annual privacy notices are not required but consent for use of PI is needed as well as individual having right of access and it can only be used for purposes it was collected. Applies to all organizations across Canada.

States have private right of action for breech laws

California, Alaska, South Carolina, etc

Physical Safeguards

Mechanisms that physically protect or prevent access to a resource. Examples include cable locks for laptops and security guards to prevent unauthorized access.

What a privacy notice should include: (5)

1. A description of the types of information collected 2. Any uses or disclosures of the information 3. Choices available to the website user (opt in/opt out) 4. Contact information for the organization 5. Effective date of the notice.

Data Lifecycle (4 stages)

1. Collection 2. Use 3. Disclosure 4. Retention or destruction

4 Major Models of Privacy Protection

1. Comprehensive Model 2. Co-Regulatory 3. Sectoral 4. Self-regulatory

Information Security Program Establishment Steps (5 steps)

1. Define Security Policy 2. Identify and Evaluate Risks 3. Select appropriate controls to address risks 4. Obtain management approval of the program 5. Monitor and review compliance

Incident Management Containment/Response Process (Steps and explanations)

1. Incident Discovery 2. Containment and Analysis: After a breach is discovered, it should be maintained by disabling affected user accounts. Also involves analysis of the breach to determine what occurred. 3. Notification: When and who to notify will depend on an organization's information security and privacy policies as well as applicable laws. 4. Eradication and future prevention: Once it is known what ocured and how, appropriate remedial steps should be taken as soon as possible.

Types of Privacy (4 types)

1. Information Privacy 2. Bodily Privacy 3. Communication Privacy 4. Territorial Privacy

Five Characteristics of Cloud Computing

1. On demand self-service 2. Broad network access 3. Resource pooling 4. Rapid elasticity 5. Measured service

Source of Information (3 types and what they are)

1. Public Records are information collected by and maintained by government and available to the public 2. Publicly available data is data in any form that is accessible to the interested public 3. Non-public information is data that has not been made available to the public.

3 areas majority of states have enacted legislation

1. Security breach notification 2. Data disposal 3. Financial privacy

Consent Decree

A formal document stating specific steps the entity needs to perform to rectify the violation. Sometimes includes monetary fine. When entering into a consent decree, the charged entity does not admit fault or liability. Cannot be used as evidence of fault in any other civil action that may be brought by those harmed by the unfair or deceptive practice.

Responsibilities of users of a credit report

1. Users must certify to the CRA their permissible purpose and certify the information contained will not be used for any other purpose 2. If a user of consumer report for adverse action with respect to a consumer based on the information contained in a consumer report the user must provide notice of adverse action to the consumer, disclose the name, address, and number of the CRA furnishing information to the user and notify the customer about the right to request a free copy of the report from the CRA if the request is made within 60 days of receiving the adverse notice. 3. Before furnishing for employment purposes, a CRA must receive certification from the user of the report that the user has written authorization from the consumer to obtain the report.

HITECH (Health Information Technology for Economic and Clinical Health) (What did it expand, how, new rules)

2009 This act expanded HIPAAs Privacy and Security Rules to directly regulate business associates of covered entities. Business associates are persons or organizations that process PHI on behalf of a covered entity. Previously, covered entities were only required to enter into a contractual agreement with them to ensure privacy and security of PHI. Today HIPAA applies to both covered entities and their business associates. This act also sets forth specific rules that they must adhere to when there is a data breach involving unsecured PHI, and it has been or believed to have been accessed, acquired or disclosed. The covered entity must provide notice to each affected individual and HHS within 60 calendar days after discovery. When it affects 500 or more individuals in one state or jurisdiction, the covered entity must notify the media as well. Applies only to unsecured health information.

Consumer Data Privacy in a Networked World: A Framework For Protecting Privacy and Promoting Innovation in the Global Economy

2012 Obama administration report where Obama summarized framework in the US, saying it relies on fundamental privacy values, common law practices and consumer protection statutes, FTC enforcement. Information privacy is an important right in the US and protected by an interrelated network of industry specific laws.

PaaS

A cloud provider that delivers a computing platform, typically including an operating system, database and a webserver. Web developers build and publish web apps using the platform.

Hybrid Clouds

A composition of at least one private cloud and at least one public cloud. Can be offered typically in one of two ways: A vendor has a private cloud and forms a partnership with a public cloud provider or a public cloud provider forms a partnership with a vendor that provides private cloud platforms.

The Privacy Act of 1974 (What sector and purpose)

A public sector regulation, establishes fair information principles for collection, maintenance, use and dissemination of PII that is maintained in systems operated by the federal government. This act prohibits the disclosure of information from a federally operated system of records absent the written consent of the data subject. It also provides individuals with a means by wish to seek access to their records and sets forth various agency record-keeping requirements.

Spyware (what is it, classification 4 types, what can't it do)

A software that gathers information about a person or organization without their knowledge and that may send such information to another entity without the person's consent. It may also assert control over a computer without the owner's knowledge. It is generally classified into 4 types: system monitors, Trojans, Adware, and tracking cookies. It does not have the ability to grant a user access to a resource the user is not authorized access to.

Privacy Audit or Assessment (What is it, when does it happen and who performs it)

A systematic examination of an organization's compliance with its privacy policy and procedures, applicable laws, and other agreements and contracts concerning personal information. Audits should be conducted on a regular basis or at the request of a regulatory authority. Typically conducted by internal taskforce, but if they were the ones that developed the program it may make sense to have a third party.

Privacy Impact Assessment (PIA) (What is it and when should it occur)

A systematic process for identifying potential privacy related risks of a proposed system. When conducting, an organization analyzes how information is collected, stored, protected, shared, and managed to ensure that an organization has consciously incorporated privacy protection measures throughout the lifecycle of the data. It should be carried out whenever a new data processing system or project is proposed or when there are revisions to existing data practices.

Information Management Program

A tool that provides a framework for making well-reasoned decisions regarding company's processing of personal information. Also helps to comply with legal obligations associated.

Rule of least privileges

A user should only be provided the minimum access needed to accomplish a legitimate business task. It limits the damage that can be caused by a rogue employee by limiting level of access.

Co-Regulatory Model of Data Protection (and countries who adopt it)

A variant of the comprehensive model in which specific industries develop rules for the protection of privacy within that industry that are enforced by the industry and overseen by a privacy agency. Canada, Australia, and New Zealand employ a co-regulatory model of privacy.

URL (Uniform Resource Locator)

A webpage written in HTML is access by an HTTP client through uniform resource locator (URL), this is a specific character string that acts as a reference to an online resource. Typically it consists of a protocol identifier (http) followed by a second level domain (website name) followed by a top level domain (.com). Some include a sub-domain (www).

Habaes Data

A writ and constitutional remedy available in most Latin American countries. The literal translation from Latin of habeas data is "you have the data", designed to protect, by constitutional court, the image, privacy, honor, and freedom information of a person.

Privacy Notice

AN external statement that is directed to an organization's potential and actual customers or users. Describes how the organization will process personal information and typically describes options a data subject has with respect to the organization's processing of personal information.

Consumer vs. Customer

According to GLBA, a consumer is a person who obtains or has obtained a financial product or service from a financial institution that is to be used for personal, family, or household purposes primarily. A customer is a consumer with a continuing relationship. Customers must be given a copy of the privacy notice when the relationship begins.

Phishing

Act of acquiring information such as usernames, passwords and credit card numbers by masquerading as a trustworthy entity in electronic communication.

Active vs Passive data collection

Active data collection occurs when a user deliberately enters information into a web form or otherwise actively provides information for processing. Passive data collection occurs when data is indirectly collected without any overt user interaction. Passive is generally used to capture user preferences and usage behavior. Most widely used example is the placement of web cookies on a user's computer to capture Internet Browsing history.

Layered Privacy Notice

Addresses concern of privacy notices being drafted in a verbose and legally formalistic manner by presenting the user with a short notice that is simple and concise. It summarizes the organization's information handling practices and the choices available to users. The full privacy notice is typically accessible by a hyperlink if the user wants more information.

Administrative Law

Administrative and regulatory agencies promulgate rules and regulations that form a new body of administrative law.

National Security Letter

Administrative subpoenas issued by FBI in authorized national security investigations. Today there are five federal statutes authorizing officials to request information by issuing them. They apply to communications providers, financial institutions, and credit bureaus. Consists of all information they could provide. NSLs may be issued at FBI HQ or in the field without prior approval from a judge. Can't be used to obtain contents of a communication. Limited solely to transactional or record info. NSL must be relevant to investigation to protect against international terrorism or foreign spying. Entities receiving an NSL may be prohibited from disclosing that fact to others if the investigative agency has certified that the disclosure may endanger any individual or national security of US, interfere with diplomatic relations, or interfere with criminal or intelligence investigation. This non-disclosure is commonly referred to as a gag order.

General Data Protection Regulation

Adopted by the European council, this law replaces EU Data Protection Directive and took effect in 2018. This aims to strengthen and unify data protection for individuals within the EU. Like the Directive, this also addresses export of personal data outside of the EU. However GDPR requires data processors to maintain a written record of processing activities carried out on behalf of each data controller.

Non personal Data types

Aggregated, de-identified, and anonymized data are non-personal because it can't be traced back to an identified or identifiable individual

European Convention on Human Rights (ECHR) (What it is and Article 8)

All member states of the EU are signatories of this. Article 8 provides that every individual has the right to respect for his private and family life, his home and his correspondence, subject to certain restrictions. Any interference with an individual's right of privacy must be in accordance with law and necessary in a democratic society, in view of such public interests as national security and the prevention of crime.

EU E-Privacy Directive

Also known as the cookie directive, recognizes the importance and usefulness of cookies for the functioning of modern internet but warns the danger that they may present to privacy. So the directive requires that a user provides affirmative consent before the cookie is stored on the user's computer. Much of Europe has adopted an opt-in approach to persistent web cookies, requiring a user's informed consent before cookies be stored on the user's computer.

State Financial Privacy Laws

Although FCRA preempts all state laws relating to consumer reports, state laws can preempt GLBA. So states are free to enact consumer protection laws more protective than GLBA. One example is California's SB1

FTC's Amended COPPA Rule (4 new categories)

Amended COPPA rule went into effect in 2013, added 4 new categories: 1. Geolocational information 2. Photos or videos containing a child's image or audio files with a child's voice 3. Screen or user name and 4. Persistent identifiers that can be used to recognize a user over time and across different websites or online services. Violations up to $16,000 per violation.

FACTA (Fair and Accurate Transactions Act of 2003)

Amended FCRA to include a "Red Flags" rule designed to combat identity theft and a Disposal Rule that took effect in 2005.

Deceptive Trade Practice

An act or practice is deceptive when 1. a representation, omission, or practice misleads or is likely to mislead the consumer 2. A consumer's interpretation of the representation, omission, or practice is considered reasonable under the circumstances and 3. the misleading representation, omission, or practice is material

Unfair Trade Practice

An act or practice is unfair when it 1. causes or is likely to cause injury to consumers, 2. cannot reasonably be avoided by consumers; and 3. is not outweighed by countervailing benefits to consumers or to competition.

Information Security Policy

An internal statement that an organization adopts to describe the procedures in place to protect its informational assets. Should include the restrictions placed on the systems like password policies and access controls as well as the users of the systems who could be employees or outside vendors.

Privacy Policy

An internal statement that describes an organization's information handling practices and procedures. Directed at employees and agents of the organization.

Legal Risk

An organization must comply with all applicable local, state and federal laws, rules and regulations--if it does not, subject to this risk. Also occurs if organization does not comply with its privacy program and other obligations it has made.

Countries deemed adequate by the EU to transfer personal data out of and to that country

Andorra, Argentina, Canada, Iceland, Israel, Liechtenstein, Switzerland, and Uruguay

Consumer Reporting Agency

Any entity that regularly engages in the practice of assembling or evaluating consumer credit information or other information on consumers for the purposes of furnishing consumer reports to a third party.

Who Data Breech Laws in Connecticut Apply to

Any person who conducts business in state and who in ordinary course of business, owns, licenses or maintains computerized data that includes personal information.

North Carolina

Applies to any business that conducts business in NC and maintains or possesses info of a resident of NC. Must take reasonable measures to safeguard against unauthorized access to in connection with or after its disposal with exemptions for those complying with GLBA, HIPAA, etc.

State Data Disposal Laws

At least 30 states have enacted laws that require entities to destroy, dispose of, or otherwise make personal information unreadable or undecipherable.

Agencies who enforce GLBA

Banks, credit unions and other affiliated domestic financial institutions are regulated by Office of the Comptroller of the Currency, Federal Reserve Board, FDIC, Office of Thrift Supervision, NCUA. Brokers, dealers, investment advisors, and investment companies are regulated by SEC. All other financial institutions not otherwise subject to enforcement by another regulator are regulated by FTC.

Redaction

Because all court filings and records are available to public (in US), if a document contains sensitive information a party can ask the court to redact certain portions of the document.

Information Security vs. Information Privacy

Both information security and privacy deal with access, use and confidentiality, but information security is just one necessary component of information privacy. Information privacy also addresses the data subject's rights with respect to the personal information.

Investment Risk

Building and implementing the program requires investment of resources, both personnel and technology. An organization should ensure it receives adequate ROI by constantly monitoring costs associated with the program.

Torts

Civil wrongs recognized by law as grounds for a lawsuit.

Community Clouds

Collaborated efforts in which infrastructure is shared between several organizations from a specific community.

Reputational Risk

Consumer confidence and trust can have a direct and profound effect on an organization's revenue, so it should ensure it follows through on the promises contained in its privacy policy, building and maintaining the reputation with customers.

Responsibilities of a CRA

Consumer reporting agencies may only furnish consumer reports to persons having a permissible purpose, they must ensure it doesn't contain prohibited information like bankruptcies over 10 years old and accounts placed in collection more than 7 years old, they must follow reasonable procedures to assure accuracy of information, they must clearly and accurately disclose to the consumer all info in customer's file at time of request and every person who procured it. If the completeness or accuracy of the info is disputed by the consumer and they notify the agency of the dispute, the agency must, free of charge, conduct an investigation to determine if the information is accurate. They must annually provide a free copy of a consumer's report upon request.

Permissible Purposes for furnishing Consumer Report (according to FCRA)

Consumer reporting agencies may only furnish consumer reports to persons having a permissible purpose--including use in connection with: 1. Credit Transactions, 2. Employment purposes, 3. Underwriting of insurance, and 4. eligibility for a license.

Type of Law for employee agreement

Contract Law

ISO (ISO 27001)

Developed standards related to information security. 27001 specifies a management system that is intended to bring information security under explicit management control. It requires that management systematically examines the organization's information security risks, designs and implements a coherent and comprehensive suite of information security controls to address risks that are deemed unacceptable and adopt an overarching management process to ensure the controls meet the organization's security needs on an ongoing basis. 27002 is a standard that provides best practices (utilizes CIA triad). Organizations can use ISO 27001 and 27002 as a framework for an effective information security program.

World wide web consortium

Developing standards for a Do Not Track Approach to online targeted advertising, and other standards for online targeted advertising.

U.S. Equal Employment Opportunity Commission (EEOC)

Each law of employment is enforced by this agency. Most employers with at least 15 employers are covered by EEOC laws, 20 in age discrimination cases. EEOC has authority to investigate charges of discrimination against employers who are covered by the law. Workplace privacy also governed by FTC, National Labor Relations Board, DOL, and CFPB. For example Occupational Safety and Health act of 1970 is enforced by DOL and National Labor Reflations Act is enforced by NLRB.

Employee Monitoring in the EU

Employee monitoring is permitted only when necessary for a specific purpose.

Privacy in Post Termination

Employers must ensure that any information provided about a former employer is accurate. Most of the time they only include factual information like salary, start date, etc. This prevents terminated employees filing claims for defamation. Another privacy issue that exists post termination involves the release of any records or files related to the former employee. Employer has an obligation to protect former employees' PI.

Freedom of Information Act

Enacted in 1966, this federal information law allows for the full or partial disclosure of previously unreleased information and documents controlled by the US governments. The law defines agency records subject to disclosure, outlines mandatory disclosure procedures, and grants nine statutory exemptions to disclose such as federal records containing trade secrets.

Federal Wiretap Act

Enacted in 1968 as Title III of Omnibus Crime and Safe Streets, originally regulated only wire and oral communications but was extended to include all electronic communications. It prohibits intentional interception, use or disclosure of all wired an electronic communications unless a statutory exception applies. This prohibition bars third parties from installing surveillance equipment from reading internet traffic and disclosing contents of intercepted communications. Does not prohibit disclosure of transaction based communication such as communication or participants. Exceptions include if there is one person on call who consents (state laws make it both parties) and other is in order to combat fraud and theft of service.

HIPAA (Health Insurance Portability and Accountability Act) (When, what, purpose, who applies to, other parts)

Enacted in 1996, regulated the processing of personal information in the healthcare industry in the US. Purpose is to define policies, procedures, and guidelines that covered entities must adhere to for maintaining the privacy and security of individually identifiable protected health information (PHI). Applies to covered entities, meaning healthcare clearinghouses, employer sponsored heath plans, health insurers and health care providers. Title II of HIPAA creates the Privacy Rule and Security rule to address handling of PHI.

FCRA (Fair Credit Reporting Act) (When, purpose, requirements, who applies to, updated/replaced by)

Enacted in 1970. Purpose was to increase the accuracy and fairness of credit reporting and to limit the use of consumer reports to permissible purposes such as for employment and underwriting of insurance. Requires users of the reports to provide notice to the consumer, obtain only for permissible purpose and to provide certification of the user's permissible purpose to the CRA. Applies to consumer reporting agencies and users of credit reports. In terms of violations, private right of action can occur with no cap for damages. In addition to damages, violators are subject to statutory damages of at least $1000/violation and at least $2500 for willful violations.

PPRA (Protection of Pupil Rights Amendment)

Enacted in 1978 and amended FERPA in 2 ways: 1. Requires that schools and contractors make instructional materials available for inspection by parents if those materials will be used in connection with a DOE funded study. 2. Requires schools and contractors obtain written parental consent before the children participate in said study.

Foreign Intelligence Surveillance Act (FISA)

Enacted in 1978 in response to revelations regarding gov's past abuses of electronic surveillance for national security purposes. FISA establishes two special courts US Foreign Intelligence Surveillance Court and Foreign Intelligence Surveillance court of Review, receive and review apps for court orders authorizing electronic surveillance, physical searches, pen register and trap and trace and production of tangible things. Surveillance is conducted under FISC order unless fits within 3 exceptions: 1. Electronic surveillance of foreign powers for up to one year without a court order upon Attorney general certification. 2. Emergency electronic surveillance upon Attorney general certification up to 72 hours while FISC order is being sought, 3. Electronic surveillance for 15 calendar days after a congressional declaration of war. FISA also contains minimization requirements that mandate certain procedures to minimize the collection, retention and dissemination of information about US persons. Persons in violation can face criminal penalties or civil for use and disclosure of wrongfully used electronic surveillance

Right to Financial Privacy Act

Enacted in 1978 to protect the confidentiality of financial records. The Act governs disclosures to the federal government, its officers, agents, agencies, and departments. Not private business or state and local. It prohibits financial institutions from disclosing a customer's financial records to the federal government except pursuant to the following circumstances: 1. customer's authorization, 2. administrative subpoena, 3. Search warrant 4. Judicial subpoena or formal request in connection with law enforcement inquiry

Privacy Protection Act

Enacted in 1980 to protect journalists from searches by government. Passed because of 1978 court decision holding that Stanford Daily search was unlawful. Act prevents the government from seizing a journalist's materials during investigation unless there is a belief the person had a connection with the crime. Protects both work product and documentary materials. Search or seizure without subpoena is permitted if it is necessary to prevent death or injury or there is probable cause to believe the person has committed or is committing a criminal offense to which materials relate.

CCPA (Cable Communications Policy Act)

Enacted in 1984 to promote competition and deregulate cable companies. Requires cable operators to provide notice to subscribers regarding nature of PI being collected. Requires prior written or electronic consent before cable operators collect PI. Prohibits disclosure of PI and requires them to prevent unauthorized access to PI already collected. Exceptions include collection of PI if necessary to render service or detect unauthorized reception of cable communications, also if consumer failed to opt-out after they provided opportunity to and if it does not reveal the extent of use or transactions made by subscribers. They must provide access to PI collected, and what is not needed must be destroyed. Civil penalties include reasonable attorney's fees, damages not less than $100/day or $1000/violation, whichever is greater and 3. Punitive damages.

ECPA (Electronic Communications Privacy Act)

Enacted in 1986 to update federal wiretap act, it protects wire, oral, and electronic communications while happening, in transit, and stored. 3 titles: Title I expands wiretap act to prohibit intentional, actual or attempted interception or use of communications. Also prohibits illegally obtained communications as evidence in court. Title II is the Stored Communications Act that protects privacy of contents of files stored by service providers and of records held by service providers relating to a subscriber. Title III addresses pen register and trap and trace, gov entities must obtain a court order authorizing installation

VPPA (Video Privacy Ptoection Act)

Enacted in 1988 to prevent the wrongful disclosure of video tape rental or sale records of similar audio visual materials like video games and DVDs. Prohibits providers from knowingly disclosing the PI of a consumer including video viewing history to a third party without consumer consent in writing. Also contains a requirement the video stores destroy rental records one year at most after an account is terminated. Provides private right of action and permits a court to award statutory damages of at least 2,500 per violation and attorney fees. Does not preempt state law. (states can enact broader protections).

TCPA (Telephone Consumer Protection Act)

Enacted in 1991 and enforced/designed by FCC. Allows individuals to file lawsuits and collect damages for receiving unsolicited telemarketing calls, faxes, pre-recorded and auto-dialed calls. In 2013, anyone engaged in telemarketing needs prior express written consent for prerecorded telemarketing calls or text messages automatically. The TCPA includes private right of action allowing claims of up to $500 per call or actual damages for any violations (or up to 3 times for knowing)

CALEA (Communications Assistance for Law Enforcement Act)

Enacted in 1994, requires telecommunications carriers to ensure that their equipment facilities and service enable enforcement officials to conduct electronic surveillance pursuant to a court order or other lawful authorization. In order to preserve ability of law enforcement agencies to conduct electronic surveillance, making companies design equipment to ensure that they have necessary surveillance capabilities. 2006 updated the all broadband Internet access providers of interconnected Voice over Internet Protocol service to comply with CALEA obligations.

Administrative Safeguards (and examples)

Management related policies and procedures for protecting personal information. An incident management plan and privacy policy are examples.

COPPA (Children's Online Privacy Protection Act) (When enacted, why, what required, who applies to)

Enacted in 1998 to curtail the collection of personal information from children. In addition to requiring operators of those websites to conspicuously post a privacy notice, it requires that the website operator obtain verifiable parental consent prior to any collection, use or disclosure of personal information from persons under 13. The Act applies to websites and online services operated for commercial purposes that are either directed to children under 13 or have knowledge that children under 13 provide information online.

GLBA (Gramm-Leach-Bliley Act) (When enacted, requirements, who applies to, other important provisions)

Enacted in 1999. Requires financial institutions among other requirements, to provide an initial privacy notice when the customer relation is established (and annually thereafter) and provide OPT-OUT notice prior to sharing non-public personal information (like emails) with unaffiliated third parties. Applies to domestic financial institutions, or institutions that are significantly engaged in financial activities in the US (banks, auto dealers, savings and loans, credit unions, insurance companies, brokerages, and security firms). Other important provisions, GLBA prohibits pretexting, or obtaining customer information from financial institutions under false pretenses, and domestic financial institutions are prohibited from disclosing customer account numbers to non affiliated companies when it comes to telemarketing.

CalOPPA Act (California Online Privacy Protection Act)

Enacted in 2003, requires operators of commercial websites that collect PII from CA residents to conspicuously post and comply with a privacy policy that meets certain requirements. Operator must post a distinctive and easily found link to the website's privacy policy and it must detail kinds of info gathered by website, how it's shared with others, and describe process user can use to review and make changes to stored information. Must include policy effective date and a description of any changes since the effective date. Those who fail to comply are in violation if they do not post a compliant privacy policy within 30 days of being notified. Does not provide private right of action but CA attorney general can bring enforcement action, civil penalties up to $2500 per violation.

GINA (Genetic Health Nondiscrimination Act)

Enacted in 2008, it protects individuals against discrimination based on their genetic information in health coverage and in employment. Two titles, Title 1 prevents discrimination based on genetic information in health coverage, Title 2 prevents discrimination based on genetic information in employment. One goal is to encourage individuals to obtain genetic screenings without fear of discrimination based on the results of the screening.

CFPB (Consumer Financial Protection Bureau) (When established, why, jurisdiction, mission, and all things it does/promotes)

Established by Dodd Frank Act in 2010, this is an independent agency in the US government responsible for consumer protection in the financial sector. It was designed to consolidate employees and responsibilities from a number of other federal regulatory bodies, like Federal Reserve, FTC, FDIC, NCUA and HUD. Jurisdiction of CFPB includes banks, credit unions, securities firms, payday lenders, mortgage servicing operations, foreclosure relief services, debt collectors and other financial companies in the US. The mission is to protect consumers by carrying out federal consumer privacy laws. They write rules, supervise companies, enforce federal consumer financial protection laws, restrict unfair, deceptive, or abusive acts or practices, take consumer complaints, promote financial education, monitor financial markets for risk, and enforce laws that outlaw discrimination and other unfair treatment in consumer finance.

National Do Not Call Registry

Established by TSR, requires telemarketers to search the registry every 31 days and avoid calling any phone numbers that are on the registry. If they do receive a call and has been on the registry for 31 days, can file a complaint and the telemarketer could be fined up to $16,000. Will block many calls but calls on behalf of political orgs, charities, and telephone surveyors are permitted as well as organizations with an established business relationship up to 18 months since last purchase, payment or delivery. Also noted one can still ask charities not to call and they must honor it.

BSA (Bank Secrecy Act) (When established, why, what it must report, how, fines)

Established in 1970, requires financial institutions in the US to assist government agencies in detecting and preventing money laundering. It requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of these instruments of more than $10,000.00 and report suspicious activity that might signify money laundering, tax evasion or other criminal activities. Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs) are used by banks to satisfy BSA. Violations of the BSA will result in a fine of $500.00 per occurance if civil, between $25K-$100K if civil and willful.

Session Cookie

Exists in temporary memory only while the user is reading and navigating the website. Web browsers delete session cookies when the user closes the browser or restarts the computer.

Application Layer Attack

Exploit applications running on network servers like email and database application. Most common type of attack.

TSR (Telemarketing Sales Rule)

FTC issued amendments to this in 2003, 2008 and 2010, but originally enacted in 1995. Puts consumers in charge of number of telemarketing calls they receive at home, established Do not call registry to reduce number of unwanted telemarketing sales calls. FTC, FCC and individual states began enforcing National Do Not Call Registry in 2003. Also prohibits deceptive and abusive telemarketing acts and practices and sets the standards of conduct for telmarketing. (restricted to 8am-9pm, must identify seller and that it is a sales call, and disclose all material information about goods and services offered). Also, they must get your express, informed consent to be charged and to charge a specific account. Must give full info to your caller ID service and most need written permission before robocalls. Telemarketing is a plan, program or campaign conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate call.

Subpoena

Formal order from a court or governmental agency compelling the third party to comply with a discovery request. Those who don't comply may be sanctioned by the court or agency issuing the subpoena or request.

Privacy By Design

Framework developed by the Information Privacy Commissioner of Ontario to include seven principles for privacy design. Updated in 2011 to provide guidance for Utility Companies. The seven principles are 1. Proactive not reactive; preventative not remedial; 2. Privacy as the default setting 3. Privacy embedded into design 4. Full functionality, 5. End to end security--full lifecycle protection 6. Visibility and Transparency and 7. Respect for user privacy--Keep it User-centric.

Web Cookies (Definition, 1st party, third party)

Frequently used for online behavioral advertising, a web cookie is a small piece of data sent from a website and stored in a user's web browser. Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user's presence and activity. Classified as either first party or third party. First party cookies are the ones that belong to the same domain as the webpage that a user is currently viewing. Third party cookies are ones that belong to domains different from the one shown in the address bar.

Data breech laws-Massachusetts

Generally considered the most prescriptive. Requires businesses to implement information security controls.

Country requiring Data protection officer of organization

Germany. Data protection officer is an individual responsible for maintaining privacy and protection ant an organization. Companies that permanently employ ten or more are required to appoint a DPO and they must have knowledge of Germany's data protection process.

FIPS (Fair Information Principles) (Description and 5 Core principles)

Guidelines that represent widely accepted doctrines concerning fair processing information. It is the foundation of many international privacy initiatives like OECD guidelines for Protection of Privacy and Trans-border flows of Personal Data. The core principles of privacy are: 1. Notice and awareness (customers should be given notice of the practices before information is collected) 2. Choice and Consent (consumers should have options) 3. Access and participation (Customers should have the ability to view and contest information collected about them 4. Integrity and Security (Organizations should ensure data collected is accurate and secure) 5. Enforcement and Redress (Enforcement measures should be implemented to ensure organizations follow FIP)

HTTP vs. HTML

Hypertext Transfer Protocol is a protocol that facilitates the transfer of data on the internet. Generally, an HTTP client sends a request message to the HTTP server, the server then reurns a responsive message (the webpage). Hyptertext Markup Language is the main language for creating web pages and other info that can be displayed in the web bowser. The language instructs a web browser how to render a webpage. HTML and XML are technologies used to describe, create and transport online content. XML transports and stores and HTML renders and displays data.

Interactive Advertising Bureau

IAB has developed a comprehensive self-regulatory program for online behavioral advertising. The program promotes the use of an icon and accompanying language to be displayed in or near online advertisements or web pages where data is collected and used for behavioral advertising.

IPv6

IPv6 uses 128-bit addresses resulting in 3.4x10^38 unique addresses, or more than 17.9x10^28 times as many addresses as in IPv4, however when using the address auto-configuration, the interface identifier of an interface port is used to make its public IP address unique, potentially exposing hardware used and providing a unique handle for users online activity. So it may make it easier to associate an address with a specific individual, thereby creating a privacy concern

Under Seal

If an entire document contains sensitive info, a court may require that the document be filed under seal--therefore inaccessible to the public.

EU Protection Directive (When was it passed, what was addressed, conditions met, still in place?)

In 1995, EU adopted this directive to address the protection of individuals with regard to the processing of their personal data and the free movement of personal data within the EU. It states that personal data should not be processed unless the following conditions are met: transparency, legitimate purpose, and portability. Each member state must have a supervisory authority that will monitor the data protection level in each state, give advice on government regulations, and start legal proceedings when rights have been violated. Personal data may only be transferred to a country outside the EU if that country provides an adequate level of protection. If not adequate, the options that exist for transferring personal data out of the EU and to that country are model contracts, binding corporate rules, the Safe Harbor Program, and unambiguous consent.

Sedona Principles

In 2002, the Sedona Conference working group on Electronic Document Retention and Production, a group of attorneys and others experienced in electronic discovery met to address the production of electronic info in discovery. They were concerned about whether the rules developed for paper would be adequate for electronic. A set of core principles emerged for addressing the production of electronic info.1. Email retention policies should be administered by interdisciplinary teams composed of participants across a diverse array of business units; 2. such teams should continually develop their understanding of the policies and practices in place and identify the gaps between policy and practice; 3. interdisciplinary teams should reach consensus as to policies while looking to industry standards; 4. technical solutions should meet and parallel the functional requirements of the organization

California Breach Laws (What is law, what is exempt, who applies to, type of PI, notice timing, notice delivery, violations, 2012 updates, 2015 updates)

In 2003, CA was the first state to require notification of a security breach. Requires a business or state agency to notify any CA resident whose unencrypted PI was acquired by an unauthorized person. Encrypted information is exempt from the law. Applies to business and state agencies. Type of PI that triggers the requirement to notify is computerized data with name plus one other identifier. Notice must be given to individuals in the most expedient time possible without unreasonable delay. Only delayed if a law enforcement agency determines it would impede criminal investigation. Notice must be written in plain language, include name, contact information of the notifying entity, types of PI involved, contact information of CRA, and the known time of breach and description of the incident. Notice includes what the entity has done to protect individuals with advice. Any customer injured by a violation of the state's breach law may institute a civil action to recover damages. Since 2012, organizations required to notify individuals of breaches affecting more than 500 CA residents must submit a sample copy of the notice to CA Attorney General. January 2015, CA law also requires the source of the breach to provide appropriate identify theft prevention and mitigation services at no cost to the affected person for at least one year.

Madrid Resolution

In 2009, over 80 countries adopted and approved this resolution on international privacy. The purpose was two-fold, one was to define a set of principles and rights guaranteeing the effective and internationally uniform protection of privacy and the second is to facilitate the international flow of personal data needed in a globalized world. In accordance with this with this resolution the data controller, responsible party, has a duty of confidentiality with respect to a data subject's personal data. In addition, the data controller must protect personal data with appropriate technical and organizational measures to insure their integrity, confidentiality, and availability.

Do Not Track Proposal

In 2010, FTC proposed a framework for consumer data privacy allowing users to opt out of online behavioral advertising. It outlined placing a persistent cookie that would send a "Do Not Track" signal to the sites that the browser visits.

California's State Disposal Laws

In accordance with CA law a business must take all reasonable steps to dispose of customer records within its custody by shredding, erasing, or otherwise modifying PI in those records to make it unreadable or undecipherable through any means. It uses the definition of personal information name plus one other enumerated data element. Although the law does not set fort a specific time by which it must be destroyed, PI should be destroyed once there is no longer a business need for retaining the information. CA disposal rule is similar to FACTA because neither specifies a precise timeframe by which data must be disposed.

Privacy Rule (GLBA)

In accordance with this GLBA rule, domestic financial institutions are required to provide an initial privacy notice to all customers when the customer relationship is established and annually thereafter. The notice must be given to individual customers by mail or in person delivery. Other ways can be acceptable depending on the type of business the institution is engaged in. Also, the mechanism for providing opt-out must be reasonable and the institution must provide a reasonable time for opt-out.

Malware

Malicious software, it's a computer program used or designated by attackers to disrupt a computer's operation, gather sensitive info, or gain access to a private computer system.

Safeguards Rule

In accordance with this GLBA rule, domestic financial institutions must develop a written information secruity plan protecting customer information. Must be appropriate to company's size, complexity, nature, and scope of its activities, and sensitivity of customer information it handles. As part of the plan the company must designate one or more employees to coordinate the info security program, identify and assess risks to customer information in relevant areas of the operation and evaluate effectiveness of current safeguards for controlling these risks, design, implement, monitor, and test the program, select service providers that maintain appropriate safeguards, including having contract that requires them to maintain them, and evaluate the program in light of relevant circumstances.

APEC (Asia Pacific Economic Cooperation) (Descriptions and 21 Members)

In addition to the EU, another regional organization that adopted a major privacy initiative in 2004. This privacy system is a self-regulatory code of conduct designed to create the more consistent privacy protection for consumers when their data moves between counties with different privacy regimes in the APEC region. The FTC and US Department of Commerce helped to create.

Comprehensive Model of Data Protection (and countries who have adopted it)

In many countries, like those in the EU, there is a comprehensive or general law that governs the collection, use, and dissemination of personal information in both private and public sectors. An oversight body ensures compliance with general privacy law. In the EU, each country has a national data protection authority responsible for ensuring compliance with the country's privacy law, modeled after EU Protection directive. Most countries in Europe adopt this model.

Operational Risk

Inadequate or failed internal processes and systems may result in actual loss for an organization in terms of wasted resources. An organization should make sure its program is cost effective and administratively.

Self Regulatory Model of Data Protection (and Countries who adopt it)

Industry associations establish rules or regulations that are adhered to by industry participations. Examples include PCI DSS and the privacy seal programs administered by the Online Privacy Alliance. An organization's privacy policy is also a form of self regulation.

Technical Safeguards

Information technology Measures that protect personal information. Examples include password authentication schemes, encryption, and smart cards.

Common Law

Law developed by judges through decisions of courts (case law) and similar tribunals. Generally based on societal customs and expectations.

Branches of US Government

Legislative makes laws, Executive enforces laws, and Judicial evaluates and interprets laws for separation of powers.

Statutory Law

Legislatures create statutes, a form of written law. They may originate in congress, state legislature, or local municipalities. They are subordinate to the higher constitutional laws of the land. Federal laws may supersede state laws that regulate a similar area (preemption).

Breach Notification Laws

Most states have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving PII. These laws have provisions regarding who must comply with the law what constitutes a breach, requirements, and exemptions do not trigger notification. Some states extend the notification requirement for breaches involving paper records (These states include Alaska, Hawaii, Indiana, Iowa, MA, NC, and Wisconsin)

Oregon Breach Notice Must contain

Must provide advice to report suspected individual. Also must notify the exact date of the breach.

Delaware Communication Laws

Notice of monitoring of telephone transmissions, electronic mail and internet usage states: "No employer, nor any agent or any representative of any employer, shall monitor or otherwise intercept any telephone conversation or transmission, electronic mail or transmission, or Internet access or usage of or by a Delaware employee unless the employer provides an electronic notice.

Opt-in consent

Occurs when a data subject affirmatively and explicitly indicates the desire to have his data processed by an organization. Usually reserved for more intrusive processing.

Opt-out consent

Occurs when a data subject implicitly consents by not indicating their disapproval of the requested processing.

Portrayal in a false light

Occurs when an employer gives publicity to a matter concerning another that places the other before the public in a false light if the light in which the other was placed would be highly offensive to a reasonable person, and if the actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other was placed.

Public disclosure of private facts

Occurs when an employer gives publicity to a matter concerning the private life of another if the matter publicized is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public.

Separation of Duties

Occurs when more than one person is required to complete a business task. By separating the ability to do the task, an organization may deter fraud and reduce errors.

USA PATRIOT ACT (Section 314B, Fines)

October 26, 2001, George Bush signed this act to amend FISA. Expanded authority of government to issue NSLs which are administrative subpoenas issued by FBI in authorized national security investigations. national Section 314B of this act encourages financial institutions and associations to share info on individuals, entities, organizations, and countries suspected of engaging in possible terrorist activity or money laundering. With the BSA, provides financial institutions with discretion in detecting and preventing money laundering. Increased fines from BSA for certain violations between $100K to $1 million. Criminal penalties up to $10,000 and 5 years imprisonment.

Public Clouds

Offered to the general public via the internet and is less secure than private clouds.

Unambiguous Consent

One option for transferring personal data out of the EU per EU Data Protection Directive. The data subject may do this to the transfer, specifically in accordance with the directive, the data subject may provide any freely given specific and informed indication of his wishes to have the data transferred.

Safe Harbor Program

One option for transferring personal data out of the EU per EU Protection Directive, the US Department of Commerce in consultation with the European Commission developed this program which permits transfer of personal data out of the EU for companies that have agreed in program participation. Declared invalid in October 2015 and replaced by the EU US Privacy Shield.

Model Contracts

One option for transferring personal data out of the EU per EU Protection Directive, these are drafted by the European Commission and when executed by an organization importing data from the EU, ensures an adequate level of protection through contractual provisions in the contract.

Binding Corporate Rules

One option for transferring personal data out of the EU per EU Protection Directive, these are internal rules adopted by a multinational group of related organizations which permit international transfers of personal data to related companies located in countries which do not provide an adequate level of protection.

Private Clouds

Operated solely for a single organization, whether managed, hosted internally, or hosted externally.

Operators Covered By COPPA Rule (7 rules of what they need to do)

Operators covered by the COPPA Rule must 1. Post a clear and comprehensive online privacy policy describing information practices for PI collected online from children 2. Provide direct notice to parents and obtain parental consent with limited exceptions before collecting PI from children, 3. Give parents choice of consenting, but prohibiting disclosure to 3rd parties unless integral to services 4. Provide parent's access to children's PI to review and have info deleted 5. Give parents opportunity to prevent further use or online collection of child PI, 6. Maintain confidentiality, security, and integrity of information by taking reasonable steps to release such info to only parties capable of maintaining confidentiality. 7. Retain PI collected online from a child only as long as necessary to fulfill purpose for which it was collected. Delete using reasonable measures.

OECD Guidelines (Description and 8 Principles)

Organization for Economic Cooperation and Development in 1980 created guidelines that set forth eight privacy principles derived partly from the fairness information principles. These eight principles are: 1. Collection Limitation Principle 2. Data Quality Principle 3. Purpose Specification Principle 4. Use limitation Principle 5. Security Safeguards Principle 6. Openness Principle 7. Individual Participation Principle 8. Accountability Principle

Protective Order

Party or any person from whom discovery is sought may move for a protective order in the court where the action is pending if the person believes that compliance with the discovery request would cause a clearly defined and serious injury to that person. (Rule 26 of Federal Rules of Civil Procedure)

JFPA (Junk Fax Prevention Act)

Passed by congress in 2005 directs FCC to amend rules on fax advertising under TCPA by: 1. codify EBR exemption to the prohibition on sending unsolicited fax advertisements, 2. Define EBR for that purpose, 3. require sender of fax to provide notice and contact info on the fax that allow for opt out and 4. specify the circumstances under which a request to opt out complies with act. Also makes sending junk faxes from other country to US illegal. Still liable to $500 minimum.

Pen Register vs. Trap and Trace

Pen registers captures outgoing, trap and trace captures numbers of incoming calls.

Data Controller

Person or entity that determines the purpose and means of the processing of personal data.

Personal vs. Non-personal Information

Personal Information is any information that relates to or describes an individual. Non personal information is any data that couldn't reasonably relate to an identified or identifiable individual.

Technical Security Controls

Preventive: Controls designated to protect information before a security event occurs. Detective: Controls designed to protect information during a security event. Corrective: Controls designed to protect information after a security event occurs.

Age Discrimination in Employment Act of 1967 (ADEA)

Protects people who are 40 or older from discrimination due to age. Also makes it illegal to retaliate against a person because they complained about discrimination, filed a charge of discrimination, or participated in an employment discrimination investigation or lawsuit.

Illinois Right To Know Act

Provides that an operator of a commercial website or online service that collects PII through the internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. In Illinois, breach notification is required to be disclosed to the AG 5 days after discovery.

Privacy in employment (Drug testing, Wiretap, video surveillance, computer surveillance, best practices)

Public employers are limited to testing employees for drugs only if they have reasonable suspicion. Private are not subject to constitutional restraints in terms of drug testing but may be restricted based on common law or statutes. Employers must be extremely careful in conducting those procedures and highly discrete. ECPA prohibits private individuals and organizations from intercepting wire or oral communications and sets out rules for tape recording telephone calls. An employer may monitor employee conversations by listening in on an extension if doing so is in the ordinary course of business. With respect to video surveillance, employers should be cautious, of setting up video surveillance in areas of workplace where employees have reasonable expectations of privacy like bathrooms and locker rooms. Courts have upheld employers' interests in monitoring their employees use of their computer systems including email. The rationale for allowing employees to monitor computer activities is based on the fact that the corporation owns the computer. Best practice is for employers to give notice of monitoring to employees.

Information Classification (Categories and definitions with level of control)

Public: Information that is designed to be shared broadly, without restriction. Few controls needed but some can exist to prevent unauthorized modification or alteration. Access is unrestricted. Sensitive: Information that is considered internal and should not be released outside of the organization. Safeguards should prevent unauthorized modification and control access to sensitive information. Confidential: Information that is generally intended for a very specific purpose and should not be disclosed without a demonstrated need to know. Additional controls should be implemented abovve and beyond those in place for sensitive information. (NDAs, storing on a separate more secure server, etc.)

Formula for IT Risk

RIsk=Threat x Vulnerability x Expected loss from an event occurring (and total risk is the sum of all of the events)

Sensitive Data (According to the EU Data Protection Directive)

Referred to as "Special Categories of Data", this is information that reveals racial origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health or sex life. Noted that health data is classified as sensitive in most countries.

Online Behavioral Advertising

Refers to a range of technologies and techniques used by online advertisers to increase the effectiveness of their advertising campaigns by capturing data generated by website visitors.

Electronic discovery

Refers to the production of electronically stored information (ESI) during the course of a governmental investigation or court proceeding. It is generally able to be a discover so long as it is relevant to an issue in the case. Can be any form of electronic stored info on any type of device, organizations are required to properly preserve ESI when litigation is reasonably foreseeable.

Persistent Cookie

Written to disk and stored until the expiration date contained in the cookie. May be used to record a vital piece of information, they enable remember me functionality found on most websites that automatically log a user back into the website.

EU US Privacy Shield

Replaced the Safe Harbor Program in 2016, provides a method for transferring personal data out of the EU, it provides stronger obligations on companies in the US to protect personal data of Europeans and stronger monitoring and enforcement by the US Department of Commerce and the FTC. This new framework also restricts US public authorities from accessing personal data transferred under the program unless subject to clear conditions, limitations, and oversight, thereby preventing generalized access. Europeans will also have the possibility to raise any inquiry or complaint with the new program with a dedicated ombudsperson.

Nevada SB 538 (2017)

Requires operators of websites and online services to provide notice to Nevada residents of their practices relating to the collection and disclosure of personally identifiable information (or "PII"). The new law makes Nevada the third state—after California and Delaware—to specifically legislate the information relating to the online collection and disclosure of "personally identifiable information" that must be included in privacy policies. Applies to "operators" that collect and maintain certain types of personally identifiable information about consumers.

Israel's Protection of Privacy Law

Requires registration of any database that includes sensitive information with the federal government.

When schools can disclose records without consent under FERPA

Schools must have written permission from parent or eligible student to release any info unless the following conditions occur: school officials with legitimate educational interest, other schools to which a student is transferring, audit, financial aid parties, certain studies from organizationss on behalf of school, accrediting, to comply with judicial order, appropriate officials in health and safety emergencies, and state and local authorities.

National Advertising Initiative

Self-regulatory principles that require NAI member companies to provide notice and choice with respect to interest based advertising. They must provide a choice about whether information collected about them is tracked and used to provide targeted advertising.

Washington Biometric Privacy Law (H.B. 1493) (2017)

Sets forth requirements for businesses who collect and use biometric identifiers for commercial purposes. Washington becomes the third state to pass legislation regulating the commercial use of biometric identifiers. Previously, both Illinois and Texas have. Person may not "enroll" a biometric identifier in a database for a commercial purpose without first providing notice, obtaining consent or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose. In particular, the statute requires (1) reasonable care to guard against unauthorized access to and acquisition of biometric identifiers and (2) retention of biometric identifiers for no longer than necessary to comply with the law, protect against fraud, criminal activity, security threats or liability, or to provide the service for which the biometric identifier was enrolled.

SB1 (what is it, how is it different from GLBA, Violation in fines)

Signed into law August 27, 2003 and became effective in 2004. This act is CA state privacy law. Two distinctions between the GLBA and SB1 exist, one is that SB1 requires opt-in notice betore a financial institution can disclose customer information to nonaffiliated thrid parties for the marketing of non-financial products and services. GLBA requires only opt-out notice. Secod, in accordance with SB1, privacy notices may be delivered electronically if the fomply with the applicable provisions of the Electronic Signatures in Global and National Commerce Act (ESIGN). GLBA requires that initial and annual privacy notice is in writing. Violators of California's SB1 are subject to civil penalties up to $2,500 per incident.

SaaS

Software as a service, software delivery model in which applications and associated data are centrally hosted in the cloud. Customers typically access the applications through a web browser over the internet.

Firewall

Software or hardware solutions that prevent certain types of network traffic from entering an internal network in accordance with firewall policy.

Sectoral Model of Data Protection (and countries who adopt it)

Some countries enact sector specific laws instead of a general data protection law. In these countries, enforcement is achieved by various mechanisms, including regulatory bodies such as FTC in the US. The US and Japan adopt this model.

Collective Bargaining Agreement

Sometimes organizations representing a plurality of employees may enter into this with the employer that defines employment relationship for all covered individuals. They may specify privacy protections. Usually used when a union represents large blocks of employees.

EU Data Protection Directive defines sensitive personal data as

Special categories of data, including polictical opinions, racial or ethnic origin, philosophical beliefs, sex life, trade-union membership, and other private parts of a person's life.

Invasion of Privacy

Term that describes a collection of torts that protect employees at their workplace from unreasonable conduct by employers including intrusion into seclusion, public disclosure of private facts, and portrayal in a false light.

3 Main Input elements used by web forms to collect data

Text boxes, checkboxes, and radio buttons (second two are preferred because user's input is limited and confined.

New Jersey Personal Information and Privacy Protection Act (2017)

The Act limits the purposes for which retail establishments may lawfully scan a person's government-issued identification card, such as a driver's license. It also limits the data that can be collected from such scanning and how these data can be retained and used. When scanning a person's ID card, a retail establishment can only collect the person's name, address, birth date, ID card number, and the jurisdiction that issued the card. A retail establishment is allowed to scan an ID card for only eight purposes. Also a retail establishment may not "sell or disseminate to a third party any information obtained" in accordance with the Act for any purpose. The Act imposes a $2,500 civil penalty for a first violation and a $5,000 civil penalty for each violation thereafter.

Digital Advertising Alliance

The DAA Self regulatory program for Online Behavioral advertising was launched in 2010. DAA includes nations largest media and marketing associations including the 4As, ANA, AAF, DMA and IAB. They are committed to developing self-regulatory solutions to consumer choice in online behavioral advertising. DAA is designed to give consumers enhanced control over the collection and use of data regarding their Internet viewing for online behavioral advertising purposes.

Dodd Frank Act (When signed, by whom, purposes, and what it established)

The Dodd Frank Act was signed into law by President Obama in 2010. The act's purposes are to promote financial stability of the US by approving accountability and transparency within the financial system, end too big to fail, protect the American taxpayer by ending bailouts and to protect American consumers from abusive financial services practices. It established the Consumer Financial Protection Bureau.

Countries in the EEA (European Economic Area)

The EEA includes EU countries and also Iceland, Liechtenstein and Norway. It allows them to be part of the EU's single market. Does not include Switzerland.

Countries in EFTA

The European Free Trade Association, known simply as the EFTA, consists of four member nations: Norway, Switzerland, Liechtenstein, and Iceland.

Constitutional Law

The US and state constitutions are the primary source of law, state constitutions may afford greater protection than US constitution in important areas like privacy.

Discovery (Service)

The compulsory disclosure of relevant documents or testimony requested by a party in a court of action. Discoveries are served, service is the procedure in which a party to a lawsuit gives an appropriate notice to another person.

Red Flags Rule

The first rule established by FACTA in 2003, this rule requires creditors and financial institutions to address the risk of identity theft by developing and implementing written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities known as red flags that could indicate identity theft.

FTC (Federal Trade Commission) (What is it, when enacted, why established, section 5 and who it applies to)

The main federal agency in the United States responsible for implementing and enforcing privacy laws. Established in 1914 by the Federal Trade Commission Act originally to enforce antitrust laws, but now its primary mission is the promotion of consumer protection and elimination and prevention of anticompetitive business practices such as coercive monopolies. Section 5 of FTC Act grans them power to investigate and prevent unfair deceptive trade practices. Applies to all persons or entities engaged in commerce except for banks.

2 purposes of a privacy notice

Trust and Corporate Accountability

CIA Model

The most well known model for information security (referring to confidentiality, integrity and availability. It is a global framework and reflected in numerous laws across the world like 2009 Madrid Resolution. Confidentiality refers to preventing disclosure of information to unauthorized individuals or systems, integrity refers to maintaining and assuring the accuracy and consistency of information over the data lifecycle, and availability refers to the availability of authorized users to access information.

Delaware Online Privacy and Protection Act (2016)

The new law targets advertising to children (no inappropriate content), conspicuous posting of a compliant privacy policy; and, enhancing the privacy protections of users of digital books ("e-books" can't disclose info to third parties). The law grants the state's Consumer Protection Unit of the Department of Justice authority to investigate and prosecute violations.

West Virginia and Mass breach requires

The notification must include how an individual can obtain a police report and request a credit freeze.

Data Subject

The person about whom the personal data relates or describes.

Data Processor

The person or entity that processes personal data on behalf of the controller.

FERPA (Family Educational Rights and Privacy Act) (When, updated by, primary purpose, who enforces, rights of parents or eligible students)

The primary federal law regulating the processing of education records, enacted in 1974, and updated by PPRA. The primary purpose is to protect the privacy of student educational records and applies to schools that receive funds from US DOE. Gives parents several rights with respect to children's educational records that transfer to the student when they reach 18 or attend beyond high school (eligible students), two below: 1. Parents or eligible students have right to inspect and review student's educational records maintained by the schools. Schools may charge a fee and not required to provide copies unless they can't review in person. 2. Parents or eligible students have the right to request a school correct records that are incorrect or misleading. If the school does not, they have right to a hearing if school does not fix, they have right to place statement in records setting forth their view. Schools also can disclose directory information with informing parents and giving opt-out, also must annually notify parents of rights under FERPA.

Disposal Rule

The second rule established by FACT, went into effect in 2005, in accordance with this rule, any business or individual who uses a consumer report for a business purpose must ensure the proper disposal of information in the consumer report to protect against "unauthorized access to or use of the information". The standard for the proper disposal is flexible and allows organization and individuals covered to determine what measures are reasonable based on sensitivity of information.

Equal Pay Act of 1963

This act makes it illegal to discriminate against a woman because of pregnancy, childbirth, or a medical condition relating to pregnancy or childbirth. Also makes it illegal to retaliate against a person because they complained about discrimination, filed a charge of discrimination, or participated in an employment discrimination investigation or lawsuit.

Pregnancy Discrimination Act

This act makes it illegal to discriminate against a woman because of pregnancy, childbirth, or a medical condition relating to pregnancy or childbirth. Also makes it illegal to retaliate against a person because they complained about discrimination, filed a charge of discrimination, or participated in an employment discrimination investigation or lawsuit.

Title VII of the Civil Rights Act of 1964

This act makes it illegal to discriminate against someone on the basis of race, color, religion, national origin, or sex. Also makes it illegal to retaliate against a person because they complained about discrimination, filed a charge of discrimination, or participated in an employment discrimination investigation or lawsuit. Also requires employers reasonably accommodate applicants and employees sincerely held religious practices unless it would impose undue hardship on business operations.

California Electronic Communications Privacy Act

This bill prohibits a government entity from compelling the production of or access to electronic communication information or electronic device information, as defined, without a search warrant, wiretap order, order for electronic reader records, or subpoena issued pursuant under specified conditions, except if the authorized possessor of the information has specifically authorized its disclosure; the device containing the information is taken from an inmate of a prison; the situation is an emergency involving danger of death or serious physical injury; the device is believed to be lost, stolen, or abandoned.

Defamation

This is a term meaning either written (libel) or oral (slander) publication of a false statement to a third party that tends to diminish the esteem, respect, goodwill or confidence of the employee to excite adverse, de-regulatory or unpleasant feelings or opinions against the employee. Different from false light because it requires a single third party, so differs in size.

System Log

This records events that are logged by the OS and its components such as device drivers

Application Log

This records events triggered by the applications and used on a computer system like database applications. Events written to application log are determined by the developers of the software program.

Security Log

This records security related information on a computer. It contains records of login/logout activity and other security related events specified by the system's audit policy.

Title I of the Americans With Disabilities Act

This title makes it illegal to discriminate against a qualified person with a disability in the private sector and in state and local governments. The law also makes it illegal to retaliate against a person because they complained about discrimination, filed a charge of discrimination, or participated in an employment discrimination investigation or lawsuit. It also requires employee reasonably accommodate the known physical or mental limitations of an otherwise qualified individual with a disability who is an applicant or employee unless doing so would impose an undue hardship on the operation of the employer's business.

Network Layer Attack

Those that exploit the networking protocol, there is spoofing and denial of service.

Reason why many countries adopt comprehensive privacy and data protection laws. (2)

To remedy past injustices and encourage electronic commerce.

TCP and IP

Transmission control protocol and internet protocol provide end-to-end connectivity for clients and servers. These two protocols specify how data should be formatted, addressed, transmitted, routed and received on the internet.

TLS/SSL

Transport layer security and secure sockets security, they are cryptographic protocols that provide secure communications over the internet.

Privacy in Preemployment

Under EEOC laws, it is illegal to discriminate against someone due to race, color, religion, sex, national origin, age, disability or genetic info. Laws also prohibit an employer or covered entity from using neutral employment policies and practices that have a negative effect on applicants who are minorities. Also illegal to publish job advertisement showing preference for a type of candidate because of one of the attributes above. If required to take a test, it cannot discriminate against persons the attributes above.

Privacy Rule (HIPAA)

Under this rule covered entities may disclose PHI to facilitate treatment, payment, or health care operations without a patient's express written authorization. Any other disclosure of PHI requires written authorization from the data subject for the disclosure. In addition, when covered entity discloses PHI, it must make a reasonable effort to disclose only the minimum necessary information required. Does not apply to de-identified information

Spam

Unsolicited commercial email, also sometimes referred to as bulk email. Also can clog up a user's inbox and can contain inappropriate content.

Cloud Computing

Used to describe a variety of different types of computing concepts that involve a large number of computers connected through a real-time communications network (Internet). Cloud computing relies on the sharing of resources to achieve coherence and economies of scale over a computer network.

IAAS (Infrastructure as a Service)

Users rent computing resources like network capacity, storage, and processing power from a cloud provider. The cloud provider owns the equipment and is responsible for housing, running and maintaining it.

Public Key Cryptography vs Digital Signatures

Uses a pair of keys to encrypt and to decrypt, each user has a pair of keys, a public and a private decryption key. The public key is widely distributed while the private key is known only to the owner. The keys are related mathematically but the parameters used to generate the keys are chosen so that calculating the private key from the public key is virtually impossible. With public key cryptography=content encrypted with user's public key and decrypted with user's private key. With digital signatures, the sender uses his private key to sign the message and recipient uses the recipient's public key to decrypt.

Intrusion into Seclusion

When an employer intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another on his private affairs or concerns. This tort requires the intrusion to be highly offensive to a reasonable person.

CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Maerketing) (When enacted, why, what covers, 7 requirements, penalties)

nacted in 2003 to address increase in unsolicited commercial messages, law sets forth rules for sending commercial messages, gives recipients right to have you stop emailing and gives penalties. Covers all electronic commercial messages. Seven requirements: 1. Don't use false or misleading header information, all in the routing information must be accurate and identify business who initiated. 2. Don't use deceptive suject lines, 3. Identify message as an ad. 4. Tell recipients where you're located. 5. Tell them how to opt-out. 6. Honor opt-out, they have 30 days and must honor within 10. 7. Monitor what others are doing on your behalf, both company selling and sending are legally responsible. Each violation is subject to penalty up to 16,000.