C. Information Management from a US Perspective

Steps for Information Management: (4) Evolve

1. Affirmation and monitoring 2. Adaptation Once an information management program is established, there must be a process for review and update.

Key Terms to Include Vendor Contracts

1. Confidentiality Provision 2. No Further Use of Shared Information 3. Use of Subcontractors 4. Requirement to Notify and to Disclose Breach 5. Information Security Provisions

Data Sharing and Transfer Practices and Controls (4)

1. Data Inventory 2. Data Classification 3. Data Flows Documentation 4. Data Accountability

Security Program Reqs for Safeguards Rule

1. Designate an employee to coordinate the safeguards 2. Identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling those risks 3. Design and implement a safeguard program and regularly monitor and test it 4. Select appropriate service providers and enter into agreements with them to implement safeguards 5. Evaluate and adjust the program in light of relevant circumstances, including changes in business arrangements or operations, or the results of testing and monitoring of safeguards.

Four Basic Steps for Information Management

1. Discover 2. Build 3. Communicate 4. Evolve

Steps for Information Management: (3) Communicate

1. Documentation 2. Education Written privacy notices must be accurately reflect the company's practices and be communicated to internal and external audiences. Internal audiences must be trained on policies and procedures, with individual accountability for compliance.

Steps for Information Management: (1) Discover

1. Issue identification and self-assessment 2. Determination of best practices These steps make sure you consider the company's environment, information goals and cop orate culture. It also helps to give you an accurate understanding of company's actual data practices, as well as intended data use.

Risks of Using PI Improperly (4)

1. Legal 2. Reputational 3. Operational 4. Investment

4 Methods to Communication Privacy Policy through a Notice

1. Make the notice accessible in places of business 2. Make the notice accessible online 3. Provide updates and revisions (required annually for institutions covered by GLBA) 4. Ensure that the appropriate personnel are knowledgeable about the policy.

Steps for Information Management: (2) Build

1. Procedure development and verification 2. Full implementation

Vendor Due Diligence

1. Reputation 2. Financial condition and insurance 3. Information Security Controls 4. Point of Transfer 5. Disposal of Information 6. Employee training and user awareness 7. Vendor Incident response

Challenges of Managing User Preference

1. Scope of an opt-out or other user preference can vary. An organization must decide how broadly an opt-out or other user preference will apply. 2. Mechanism for providing an opt-out or other user preference can vary, but a good rule is that the channel for marketing should be the channel for exercising a user preference. 3. Linking, an organization should implement the opt-out or other user preference across channels and platforms. 4. Time Period for implementing user preferences is sometimes provided by law. 5. Third-party vendors often process PI on behalf of the company that has the customer relationship. User preferences expressed to the first organization should be honored by the vendor.

Four Requirements for Users of Consumer Reports under the FCRA

1. Third-party data for substantive decision making must be appropriately accurate, current, and complete. 2. Consumers must receive notice when third-party data is used to make adverse decisions about them. 3. Consumer reports may be used only for permissible purposes. 4. Consumers must have access to their consumer reports and ad opportunity to dispute them or correct any errors.

Notice Requirements under the FCRA

1. User must have a permissible purpose 2. Must provide certifications that there is permissible purpose 3. Users must notify consumers when adverse actions are taken.

Data Sharing and Transfer: Data Accountability Due Diligence (7)

1. Where, how and for what length of time is the data stored? 2. How sensitive is the information? 3. Should the information be encrypted? 4. Will the information be transferred to or form other countries, and if so, how will it be transferred? 5. Who determines the rules that apply to the information? 6. How is the information to be processed, and how will these processes be maintained? 7. Is the use of such data dependent upon other systems?

Consumer Reporting Agency ("CRA") under the FCRA

A CRA is any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.

GLBA Opt-Out

A bank receiving an opt-out request from a customer must comply across all communications regardless of the media used to communicate the request.

Consumer Report under the FCRA

A consumer report is any communication by a CRA related to an individual that pertains to : 1. creditworthiness 2. credit standing 3. Credit capacity 4. Character 5. General reputation 6. Personal Characteristics 7. Mode of Living and is used in whole or in part for the purpose of serving as a factor in establishing a consumer's eligibility for credit, insurance, employment or other business purpose.

Policy Version Control

An organization's privacy policy will need to be updated as information collection, use, and transfer needs evolve. New versions must be drafted regularly and replacement of the old policy should occur systematically across all areas of posting. It is useful to save and store older versions of the privacy policy and its associated notice.

CAN-SPAM Act Consent Requirements

CAN-SPAM requires e-mail marketers to provide an opt-out. The opt-out must be in the same channel as the marketing.

Enforcement of GLBA

CFPB assumed rule-making authority from FTC after the passage of Dodd-Frank Act. Failure to comply with GLBA requirements may be subject to penalties under the Financial Institutions Reform, Recovery and Enforcement Act. Penalties range from $5,500 for violations of law, to $27,500 if violations are unsafe, and $1.1 million for knowing violations.

COPPA Consent Requirement

COPPA requires express consent from a parent before a child's PI is collected

Data Sharing and Transfer: Data Classification

Classify data according to its level of sensitivity. The data classification level defines the clearance of individuals who can access or handle that data, as well as the level protection appropriate for that data.

Data Sharing and Transfer: Data Flows Documentation

Company data flows should be examined and documented to help map out the systems, applications, and processes handling data. Documenting data flows helps identify areas for compliance attention.

Do Not Call Consent Requirements

Do Not Call rules provide the opportunity to opt-out of telemarketing phone calls, both in general or on a company-by-company basis.

Operational Risks

Ensure that the privacy program is administratively efficient and cost-effective.

Investment Risks

Ensure that you receive an appropriate return on investment in information, information technology, and information processing programs, in light of evolving privacy regulations, enforcement, and expectations.

The Fair and Accurate Credit Transactions Act

FACTA requires truncation of credit and debit card numbers, it consumer rights to get an explanation of their credit scores, and to request a free annual credit report. It also requires regulators to implement Disposal Rule and Red Flags Rule.

The Fair Credit Reporting Act

FCRA was enacted in 1970, and mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes. FCRA regulates any consumer reporting agency that furnishes a consumer report.

Legal Risks

Failure to comply with: 1. Applicable state, federal, and international laws 2. Contractual commitments and promises 3. Industry standards

3 Levels of Security Req'd for GLBA Safeguards Rule

Financial Institution must provide the following 3 levels of security for consumer information: 1. Administrative security, which includes program definition, management of workforce risks, employee training and vendor oversight. 2. Technical security, which covers computer systems, networks and applications in addition to access controls and encryption. 3. Physical Security, which includes facilities, environmental safeguards, business continuity and disaster recovery

Privacy Notices under GLBA

Financial institution must provide initial and annual privacy notices to consumers on nine categories of information, and must process opt-outs within 30 days.

Gramm-Leach-Bliley Act

Financial services are required to: 1. Store personal information in a secure manner 2. Provide notice of their policies regarding the sharing of personal financial information 3. Provide consumers with the choice to opt-out of sharing some personal financial information

Scope of GLBA

GLBA applies to financial institutions, which are defined broadly as any US company significantly engaged in financial services.

GLBA Consent Requirements

GLBA requires an opt-out before transferring the pI of a customer of a financial institution to an unaffiliated third party for its own use, but sharing with affiliates does not require an opt-out.

HIPAA Consent Requirement

HIPAA requires opt-in consent before personal health information is disclosed to third parties, subject to important exceptions.

Policy Review and Approval

Legal consultation and executive approval should be received before finalizing a privacy policy. If a privacy policy is revised, the organization should announce the change first to employees, then to both current and former customers in the form of a notice.

Reputational Risks

Legal enforcement and repetitional harm can follow, if you announce privacy policies but do not carry them out.

Adverse Actions based on information obtained from affiliates

Must notify consumer of adverse action, may obtain disclosure if requested within 60 days, and user must provide info no later than 30 days.

Under what circumstances is no consumer choice appropriate?

Product fulfillment and internal operations such as improving services offered, fraud prevention, legal compliance, and first-party marketing by the seller to the customer. Companies do not need to provide choice before collecting and using consumer's data for practices that are consistent with the context of the transaction, consistent with the company's relationship with the consumer, or as required or authorized by law.

Disposal Rule Enforcement

The Disposal Rule is enforced by the FTC, the federal banking regulator and the CFPB. Violators may face civil liability as well as federal and state enforcement actions.

Disclosures under the FCRA

The FCRA requires disclosure by all persons who use credit scores in making or arranging loans secured by residential real property.

Adverse Actions from CRA (FCRA)

The FCRA requires the user to notify the consumer, in writing, orally, or electronically. Consumer can request free disclosure of their report in if requested within 60 days.

FTC Consent Preferences

The FTC believes that opt-in consent should occur before PI collected under one privacy notice is processed under a materially changed privacy notice.

The Video Privacy Protection Act Consent requirements

The VPPA requires an opt-out before covered movie and other rental data is provided to a third party.

The Fair Credit Reporting Act Consent Requirement

The fair credit reporting act requires opt-in consent before a consumers credit report may be provided to an employer,lender, or other authorized recipient.

The Disposal Rule

The rule requires any individual or entity that uses a consumer report, or information derived from a consumer report for business purpose to dispose of that consumer information in a way that prevents unauthorized access and misuse of the data.

The Red Flags Rule

The rule requires certain financial entities to develop and implement written identity theft detection programs that can identify and respond to the "red flags". The rule specifically applies to financial institutions and creditors.

Risk-based Pricing Notice

This notice is required if a consumer report is used by an individual or organization in connection with an application for credit or grant, extension or provision of credit to a consumer on terms that are less favorable than the most favorable terms available to a substantial proportion of consumers acquiring loans from or through that person.

FCRA Rule-making Authority

Under Dodd-Frank, rule-making authority shifted from the FTC to the CFPB.

Data Sharing and Transfer: Data Inventory

Undertake an inventory of the PI that your organization collects, stores, uses, or discloses, including both employee and customer data. Data inventory is legally required for institutions covered by the GLBA Safe Guards Rule.

Violations of the FCRA

Violations of the FCRA are enforced by the FTC, the CFPB, and state attorneys general. Noncompliance can include civil and criminal penalties. In addition to actual damages, violators are subject to statutory damages of at least $1,000 per violation, and at least $2,500 for willful violations.

Adverse actions based on information obtained from third parties that are not CRAs

may obtain disclosure if requested within 60 days, and user must provide info in a reasonable amount of time.