CIPP/US, CIPP/US Practice Questions, CIPP/US, CIPP US

HITECH impact on healthcare

- Provided incentive payments to hospitals and healthcare providers to adopt health IT. - "Meaningful Use": criteria that had to be met to demonstrate meaningful use of electronic health records (EHR). EHR technology must be used to achieve certain objectives.

What are the three categories of security that span multiple regulations?

1. Administrative 2. Technical 3. Physical

What are the three elements of data subject preference and access

1. Opt-in, opt-out, no option 2. Managing preferences 3. Access and redress

When did FTC bring an action against Eli Lilly & Co?

2004.

When did the FTC settle an enforcement action for deceptive practices with Facebook?

2011.

When does an order by the commission become final?

60 days after it is served on the company.

Personal Health Information (PHI)

Any individually identifiable health information with data elements which could reasonably be expected to allow individual identification.

Which South American countries have been deemed adequate by the EU?

Argentina and Uruguay.

Which agencies enforce the CAN-SPAM Act?

FTC and FCC.

What does the CA data breach law cover?

It regulates computerized PI of CA residents.

What does the CA Data Breach Notification law require or prohibit?

It requires you to disclose any breach of system security to any resident of CA whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.

Common Law

Legal principles that have developed over time in judicial decisions (case law), often drawing on social customs and expectations.

According to the EU article 29 Working Party, what is the guiding principle for determining the legality of data processing for discovery purposes?

Legitimate purpose and subject to contractual clauses

Does HIPAA preempt stronger state laws?

No

Medical Privacy Laws

Office for Civil Rights, Dept. of Health & Human Services (HHS); Health Insurance Portability & Accountability Act (HIPAA)

Correct formula for assessing risk

Risk = Threat X Vulnerability X Loss

What is the single most important piece of US privacy law?

Section 5 of the FTC Act.

Sensitive Personal Information

That which is more significantly related to the notion of a reasonable expectation of privacy. One's medical or financial information is often considered sensitive personal information (SPI), but other types of personal information might be as well.

What does the APA contain?

The APA sets forth basic rules for adjudication within an agency, where court-like hearings may take place before an administrative law judge.

Who enforces the CA law?

The CA Attorney General enforces the law.

What does the CA law regulate?

The CA Data Breach Notification Law regulates entities that do business in CA and that own or license computerized data, including PI.

What happens if one doesn't comply with the CA law?

The CA attorney general or any citizen can file a civil lawsuit against you, seeking damages and forcing you to comply.

What marks the beginning of the FTC's enforcement of privacy violations?

The Fair Credit Reporting Act of 1970.

Which legislation expanded the use of NSLs?

The Patriot Act

Negligence

The failure to exercise the care that a reasonably prudent person would exercise in like circumstances, leading to unintended harm.

Qualified Protection Order (QPO)

Under HIPAA, "it" prohibits the use or disclosure of PHI for any purpose other than the litigation for which the information was requested; it also requires the return of PHI to the covered entity at the close of litigation.

FTC Section 5

Unfair and Deceptive Acts or Practices in or affecting commerce are unlawful

What does the consent decree usually state?

What affirmative actions the respondent needs to take and which practices the respondent must refrain from engaging in.

When is a delay in providing notice permissible?

When a delay is requested by law enforcement.

What report did the FTC issue that, together with the Obama framework, illustrates the evolution from earlier methods of privacy enforcement to current approaches?

"Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers."

Name one trend and one example of cross-border enforcement.

Trend: enforcement agencies in different countries must engage in closer cooperation.

What does Section 5 of the FTC Act state:

"Unfair or deceptive acts or practices in or affecting commerce are hereby declared unlawful."

What are some current privacy torts?

a. intrusion on seclusion;

What are two other names for privacy notices?

a. privacy statements

What are the goals of tort law?

a. provide relief for damages incurred;

What enforcement method was adopted by Chairmen Muris and Majoras in the mid-2000s?

"harm-based model" - used in the Gateway and BJ's cases; placed new emphasis on addressing substantial injury, as required under the FTC's unfairness authority.

What was the FTC's primary method of enforcement used in the late 1990s?

"notice and choice approach" - emphasis was placed on having companies provide privacy notices on their websites and offering choice to consumers about whether info would be shared with third parties. Enforcement actions were based on deception and the failure to comply with a privacy promise rather than specific, tangible harm to consumers.

Consumer Privacy Bill of Rights

1)Individual control. Consumers have a right to exercise control over what personal data companies collect from them and how they use it 2)Transparency. Consumers have a right to easily understandable and accessible information about privacy and security practices. 3)Respect for context. Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data 4)Security. Consumers have a right to secure and responsible handling of personal data. 5)Access and accuracy. Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. 6)Focused collection. Consumers have a right to reasonable limits on the personal data that companies collect and retain 7)Accountability. Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

The Fair Credit Reporting Act of 1970 (FCRA)

1. Accurate and relevant data collection required 2. Consumers can access and correct information 3. Limitation on use of credit reports

The Genetic Information Nondiscrimination Act of 2008 (GINA)

1. Addresses potential abuses based on genetic information in the absence of the manifestation of a condition 2. Amends federal healthcare and employment-related laws - ERISA - Social Security Act - Civil Rights Act - Public Health Service Act - HIPAA 3. Empowers government enforcement 4. Creates review commission in 2014 5. Applies prohibitions to health insurance providers

When an FTC investigation finds a company guilty of violating privacy, what are its two recourses?

1. Administrative trial 2. Consent decree

The Fair and Accurate Credit Transactions Act of 2003 (FACTA)

1. Amends FCRA, preempting state laws 2. Requires truncation of credit and debit card numbers 3. Consumers have rights to explanation of credit score 4. Free annual credit report 5. Opt-out for marketing 6. The Disposal Rule 7. The Red Flags Rule

No Child Left Behind Act 2001 (NCLB)

1. Broadened PPRA survey restrictions - Enact policies - Parental review of surveys prior to use - Advance notice - Opt out

Information Life Cycle Phases

1. Collect/Derive 2. Use/Process 3. Disclose/Transfer 4. Store/Retain/Archive/Delete

8 OECD Principles

1. Collection Limitation 2. Data Quality 3. Purpose Specification 4. Use Limitation 5. Security Safeguards 6. Openness 7. Individual Participation 8. Accountability

What are the elements of the HIPAA Security Rule?

1. Confidentiality, integrity and availability of ePHI 2. Protection against threats to ePHI 3. No unreasonable uses or disclosures of information not required under the Privacy Rule

What are the two elements of vendor management?

1. Contracts - Confidentiality - No further use - Subcontractors - Breach disclosure - Information security 2. Due diligence - Reputation - Financial condition, insurance - Information security - Point of transfer - Disposal - Training and user awareness - Incident response

Dodd-Frank Wall Street Reform and Consumer Protection Act (2010)

1. Created the Consumer Financial Protection Bureau (CFPB) within the Federal Reserve 2. Oversees the relationship between consumers and providers of financial products and services 3. Can enforce against "abusive acts and practices"

What are the elements of data sharing and transfer?

1. Data inventory 2. Data classification 3. Data flows 4. Accountability

What are the six phases of privacy incident response programs?

1. Detection 2. Prevent further activity 3. Investigation 4. Notice 5. Review 6. Corrective actions

Four Steps for Information Management

1. Discover 2. Build 3. Communicate 4. Evolve

What are the four phases of privacy program development?

1. Discover - Issue identification - Identify best practices - Perform PIA 2. Build - Procedure development and identification - Full implementation 3. Communicate - Documentation (Training and Awareness) 4. Evolve - Affirmation and Monitoring - Adaptation

What are member countries asked to do by the 2007 OECD Recommendation

1. Discuss the practical aspects of privacy law enforcement cooperation. 2. Share best practices in addressing cross-border challenges. 3. Work to develop shared enforcement priorities. 4. Support joint enforcement initiatives and awareness campaigns.

What are the FTC's five priority areas for attention?

1. Do Not Track; 2. Mobile; 3. Data Brokers; 4. Large platform providers; 5. Promoting enforceable self-regulatory codes.

What does the "Consumer Privacy Bill of Rights" prioritize?

1. Do not track 2. Mobile 3. Large platform providers 4. Enforceable self-regulation

Name two special privilege rules.

1. Doctor-patient privilege 2. Attorney-client confidentiality.

Health Information Technology for Economic and Clinical Health, 2009 (HITECH)

1. Enacted as a part of the American Recovery and Reinvestment Act of 2009. 2. Amends HIPAA - Regulates personal health records (PHR) - Covered entities and PHR vendors must provide breach notification to consumers, HHS and FTC - Extends HIPAA safeguard and breach notice requirements to business associates - Increased penalties for non-compliance - Provides state attorneys general with enforcement authority

Protection of Pupil Rights Amendment 1978 (PPRA)

1. Extended protections to parents of minors relative to surveys collecting sensitive information 2. Applies to all elementary and secondary schools receiving federal funding

What are the three goals of APEC Cross-border Privacy Enforcement Arrangement (CPEA)

1. Facilitate information sharing 2. Promote effective cross-border cooperation 3. Encourage information sharing and investigative/enforcement cooperation

The Financial Services Modernization Act of 1999 - "Gramm-Leach-Bliley" (GLBA)

1. GLBA Privacy Rule - Initial and annual privacy notice required - Provide right to opt out - No disclosure of account numbers to third parties - Comply with regulatory standards 2. GLBA Safeguards Rule - Administrative Security - Technical Security - Physical Security

List the three HIPAA covered entities

1. Healthcare providers that conduct transactions in electronic form 2. Health insurers 3. Health clearinghouses

What are the four elements of privacy policies and disclosure?

1. How many policies? 2. Policy review and approval 3. Privacy notice 4. Policy version control

Aside from the ability to make and enforce laws and regs, what does the U.S. legal system rely on?

1. Legal precedent based on court decisions 2. Doctrines implicit in legal precedent 3. Customs and uses of legal precedent

What are the three components of self-regulatory enforcement?

1. Legislation - Who determines the rules? 2. Enforcement - Who initiates actions? 3. Adjudication - Who decides if something is in violation?

List the five theories of legal liability

1. Negligence - absence of, or failure to exercise, proper or ordinary care. 2. Breach of Warranty - failure of a seller to fulfill the terms of a promise, claim, or representation. 3. Misrepresentation - false security about the safety of a particular product. 4. Defamation - an untruth about another which will harm the reputation of the person defamed (written defamation is libel; oral defamation is slander). 5. Strict tort liability - extending the responsibility of the vendor or manufacturer to all individuals who might be injured by the product.

Fair Information Practices (FIP)

1. Notice and awareness 2. Choice and Consent 3. Access and Participation 4. Integrity and security 5. Enforcement and redress

Family Educational Rights and Privacy Act of 1974 (FERPA)

1. Places control over disclosure and access to educational records (with exceptions) 2. Provides students right to access and correct education records 3. Applies to all educational institutions that receive federal funding.

What does the "Consumer Privacy Bill of Rights" emphasize?

1. Privacy by Design 2. Simplified choice 3. Transparency

The "FTC Report" emphasizes:

1. Privacy by Design; 2. Simplified consumer choice; 3. Transparency.

What 3 areas does the FTC emphasize as themes?

1. Privacy by Design; 2. Simplified consumer choice; 3. Transparency.

What are the elements of the HIPAA Privacy Rule?

1. Privacy notice 2. Authorizations for use and disclosure 3. "Minimum necessary" use and disclosure 4. Access and accounting of disclosures 5. Safeguards 6. Accountability 7. De-identification 8. Research 9. Other exceptions (law enforcement investigations)

What is Children's Online Privacy Protection Act of 1998 (COPPA)?

1. Regulates collection and use of children's information by commercial website operators. 2. Compels website owners to adhere to specific notice and choice practices. 3. Applies to websites and services targeted to children under 13.

FTC Telemarketing Sales Rule (TSR) Telephone Consumer Protection Act of 1991 - FCC regulations

1. Who can be called? - Prohibits calls to cell phones - U.S. National Do Not Call Registry 2. Rules governing calls - 8am - 9pm as one example 3. Call abandonment 4. Unauthorized billing 5. Record keeping 6. Robocall rules (2012) 7. Does not preempt state law

What are the six questions you should ask in understanding a law?

1. Who is covered by this law? 2. What types of information and what uses of information are covered? 3. What exactly is required and/or prohibited? 4. Who enforces the law? 5. What happens if I don't comply? 6. Why does this law exist?

California SB-1 requires:

1. Written opt-in/out to share info. with nonaffiliated third-parties 2. Opt-in must be presented in an enumerated format in simple English. 3. Opt-out of info. sharing between their FIs and affiliates not in the same line of business. *no consent required to share non-medical info with wholly owned subsidiaries in the same line of business if subject to same functional regulator.

What are the two purposes of a notice?

1. Consumer education 2. Corporate accountability

The Obama report defines the "Consumer Privacy Bill of Rights" for commercial uses of Personal Data as encompassing what 7 rights?

1. Individual control; 2. Transparency; 3. Respect for context; 4. Security; 5. Access and accuracy; 6. Focused collection; 7. Accountability.

In which areas does the FTC have specific regulatory authority?

1. Marketing communications; 2. Children's privacy

In what ways can the enforcement action be brought to the FTC's attention?

1. Press reports covering the questionable practices 2. Complaints from consumer groups or competitors

What services do federal agencies provide?

1. Promulgate rules and enforce them; 2. Provide guidance in the form of opinions.

What two areas of the case must the court have jurisdiction over?

1. Subject matter jurisdiction 2. Personal jurisdiction

What are some actions allowed under the FTC's broad investigative authority?

1. Subpoenas of witnesses 2. Civil investigative demands 3. Requirements for businesses to submit written reports under oath

What are some reasons for knowing a law's scope when you don't have to follow it?

1. The law may suggest good practices that you want to emulate 2. It may provide an indication of legal trends 3. It may provide a proven way to achieve a particular result (i.e., protecting individuals in a given situation)

The federal appeals courts are divided into how many circuits?

12 regional circuits; each district court is assigned to an appeals court, which decides the appeals for that circuit.

When was the FTC founded?

1914

GeoCities, Inc

1st FTC Internet Privacy Action. Offered websites to users and promised information would not be sold without consent. Two FTC actions for Unfair and Deceptive Practices: - misrepresented how info would be used by reselling to 3rd parties - collected and maintained children's PI without parental consent. Consent Order requiring a privacy notice and requiring parental consent to be obtained.

Microsoft

2002 - Passport single sign-on service. FTC alleged that the representations of high-level online security were misleading because the security of the PI was within the control of a 3rd party and that they shared more PI than disclosed and had inadequate controls for children's info. First time FTC required a company to undergo biannual third-party audits

In what year was the CAN-SPAM Act passed?

2003

Eli Lilly

2004 - Pharma manufacturer's website privacy notice made promises about security and privacy of the information provided by users. An email was sent to all users, revealing all of their identities. First time FTC required a company to develop and maintain an information privacy and security program.

Gateway Learning Corp Hooked on Phonics

2004. Their privacy notice stated that it would not sell, rent or loan any personal information without explicit customer consent. Instead they rented this info out to third parties regardless of whether customers had opted out, and retroactively updated their privacy notice. FTC stated that the retroactive application of material changes to the data sharing policy was an unfair trade practice. The FTC made them switch to an affirmative opt-in. First FTC case based on unfairness.

BJ's Wholesale Club

2005. First time the FTC alleged ONLY unfair and not deceptive trade practices. Failing to implement basic security controls to protect consumer information alone constitutes an enforceable unfair trade practice. Facts: BJ's failed to encrypt personal and financial information and to secure wireless networks to prevent unauthorized access and security lapses.

What is the current choice rule for CPNI disclosure?

2007 CPNI order requires customers to expressly consent, or opt in, before carriers can share their CPNI with joint venture partner & independent contractors for marketing purposes.

Google, Inc.

2011. Google Buzz autoenrolled gmail users without consent and exposed PI. FTC alleged that auto-enrollment without prior notice and explicit consent was a deceptive trade practice. First consent decree requiring a "comprehensive privacy program" and first U.S.-EU Safe Harbor enforcement by the FTC.

Consumer Financial Protection Bureau (CFPB)

A U.S. government agency that helps protect consumers by regulating financial products and services. Can enforce against unfair and deceptive acts and abusive acts and practices. Assumes rule-making authority for specific existing laws related to financial privacy and other consumer issues such as the FCRA, GLBA and Fair Debt Collection Practices Act.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations - although there are important exceptions, such as for treatment, payment and healthcare operations.

What is a trustmark?

A badge, image or logo found on an electronic commerce website that indicates the site is a member of a professional organization or has passed security tests.

Stored Communications

A category of data prohibited from unauthorized acquisition, alteration or blocking while stored in a facility through which electronic communications service is provided.

Electronically Stored Information (ESI)

A category of information that can include e-mail, word-processing documents, server logs, instant messaging transcripts, voicemail systems, social networking records, thumb drives, or data on SD cards.

National Security Letter (NSL)

A category of subpoena generally issued to seek records considered relevant to protect against international terrorism or clandestine intelligence activities.

What begins the typical FTC enforcement action?

A claim that a company has committed an unfair or deceptive practice OR has violated a specific consumer protection law.

Give an example of "opt-out" behavior.

A company says "Unless you tell us not to, we may share your information." The person then has the ability to opt out of the sharing by saying no. Failure to answer would result in the information being shared.

Describe how self-regulation occurs under Section 5 of the FTC Act.

A company writes its own privacy policy or an industry group drafts a code of conduct that companies agree to follow. Under Sec 5, the FTC can then decide whether to bring an enforcement action, and adjudication can occur in front of an administrative law judge, with appeal to federal court. Although it's called "self-regulation", a government agency is involved at the enforcement and adjudication stage.

If a company located in Massachusetts maintains all of its employees' personal information in a hosted online database in Florida, what must the third-party service provider agree to?

A confidentiality provision

What ends the original offer?

A counteroffer.

What is an injunction?

A court order mandating the defendant to stop engaging in certain behaviors. May be awarded to the plaintiff in civil litigation.

Notice

A description of an organization's information management practices, with the purposes of consumer education and corporate accountability.

What did the EU Council introduce in early 2012?

A draft Data Protection Regulation with provisions that would replace the Data Protection Directive.

Equal Employment Opportunity Commission (EEOC)

A federal agency overseeing many laws preventing discrimination in the workplace, including Title VII of the Civil Rights Act, the Age Discrimination in Employment Act of 1967 (ADEA) and Titles I and V of the Americans with Disabilities Act of 1990 (ADA).

Cases decided by a district court can be referred to what?

A federal appellate court (also called a "circuit court").

FERPA (Family Educational Rights and Privacy Act)

A federal law that regulates the management of student records and disclosure of information from those records. The Act has its own administrative enforcement mechanism and mostly preempts state laws.

Protective Order

A judge-issued determination of what information contained in court records should not be made public and what conditions apply to who may access the protected information.

Consent Decree

A judgment entered by consent of the parties (a federal or state agency and an adverse party) whereby the defendant agrees to stop alleged illegal activity, typically without admitting guilt or wrongdoing.

Adequate Level of Protection

A label that the EU may apply to third-party countries who have committed to protect data through domestic law making or international commitments. Conferring of the label requires a proposal by the European Commission, an Article 29 Working Group Opinion, an opinion of the Article 31 Management Committee, a right of scrutiny by the European Parliament and adoption by the European Commission.

Gramm-Leach-Bliley Act (GLBA)

A law that requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information. Does not preempt stricter state laws. No private right of action. Enforced by: FTC, CFPB, AGs, Federal Financial Regulators.

Comprehensive Model

A method of data protection to govern the collection, use and dissemination of personal information in the public and private sectors, generally with an official or agency responsible for overseeing enforcement.

Organisation for Economic Co-operation and Development (OECD)

A multinational organization with the goal of creating policies that contribute to the economic, environmental, and social well-being of its member countries.

Sedona Conference

A nonprofit research and educational institute responsible for the establishment of standards and best practices for managing electronic discovery compliance through data retention policies.

Give an example of "opt-in" behavior.

A person opts in if he says yes when asked, "May we share your information?" Failure to answer would result in the information not being shared.

Describe a possible civil litigation scenario involving contracts.

A plaintiff might sue for breach of a contract that promised confidential treatment of personal information.

Describe a possible civil litigation scenario involving torts.

A plaintiff might sue for invasion of privacy where defendant surreptitiously took pictures in a changing room and broadcast the pictures to the public.

What did the International Chamber of Commerce release in early 2012?

A policy statement entitled "Cross-border Law Enforcement access to Company Data - Current Issues Under Data Protection and Privacy Law." It highlights problems that may arise when law enforcement compliance requirements conflict with data protection and privacy commitments, provides analysis of these issues, and recommendations for law enforcement bodies facing these challenges.

Personal Health Record (PHR)

A record maintained by the patient to track health and medical care information across a duration of time.

Suspicious Activity Report (SAR)

A report that must be filed with the US Dept. of Treasury's Financial Crimes Enforcement Network whenever a firm suspects that transactions of $5000 or more may be related to illegal activities.

Madrid Resolution

A resolution that was adopted by the International Conference of Data Protection and Privacy Commissioners, consisting of 80 data protection authorities from 42 countries around the world, including members of the Article 29 Working Party. Principles include: lawfulness and fairness; purpose specification; proportionality; data quality; openness; accountability.

Privilege

A rule of evidence that protects confidential information communicated between a client and legal advisor.

Define "Preemption"

A superior government's ability to have its laws supersede those of an inferior government.

Who are business associates under HIPAA?

A third party person or organization that performs services and activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI.

Publicity Given to Private Life

A tort claim that considers publicity given to an individual's private life by another is an invasion of privacy and subject to liability.

Define "private right of action"

Ability of an individual harmed by a violation of a law to file a lawsuit against the violator.

Access

Ability to view personal information held by an organization

Define "access."

Access is the ability to view personal information held by an organization.

Illinois HB 1260

Added new protections for state residents and more clearly defined what actions could result in public notification following a data breach. Changes expand the definition of PPI to include usernames and email addresses when combined with other information allowing a 3rd party to access an online account. Companies are required to alert affected parties to change their credentials if a combination of personal identifiers has been compromised.

To what does adjudication in self-regulation refer?

Adjudication refers to the question of who should decide whether a company has violated the privacy rules and with what penalties.

3 types of data safeguards

Administrative Safeguards. Physical Safeguards. Technical Safeguards.

APEC (Asia-Pacific Economic Cooperation)

Adopted a self-regulatory code of conduct designed to create more consistent

Authorization

After authentication, the process of determining if the end user is permitted to have access to the desired resource, such as the information asset or the information system containing the asset.

Which states currently have no breach notification law?

Alabama, Kentucky, New Mexico, and South Dakota

Who does FERPA apply to?

All educational institutions that receive federal funding

Under FCRA, what is included in the term consumer report?

All written, oral or other communications bearing on the consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living.

What are some other, more recent, privacy-related torts considered by courts?

Allegations that a company was negligent for failing to provide adequate safeguards for PI, thus causing harm due to disclosure of the data. Lack of adequate safeguards therefore may expose a company to damages under tort law.

What has happened since CA passed the first breach notification law in 2002?

Almost every state has passed a similar breach notification law, many of which require organizations to furnish the state attorney general with reports about breaches when they occur. They also impose enforcement responsibility on state attorneys general if the breach notification reveals the implementation of inadequate security controls.

Gramm-Leach Bliley Act (GLBA)

Also known as the Financial Services Modernization Act of 1999, "this" is a United States federal law to control the ways that financial institutions deal with the private information of individuals.

Gramm-Leach Bliley Act (GLBA)

Also known as the Financial Services Modernization Act of 1999, GLBA is a United States federal law to control the ways that financial institutions deal with the private information of individuals.

Unfair Trade Practices

Along with deceptive trade practices, behavior of an organization that can be enforced against by the FTC.

Deceptive Trade Practices

Along with unfair trade practices, behavior of an organization that can be enforced against by the FTC.

FACTA - Fair & Accurate Credit Transactions Act

Amendment to FCRA. Provides help with identity theft and credit fraud, employee misconduct investigations by third parties.

FACTA - Fair and Accurate Credit Transaction Act

Amends FCRA to help fight identity theft. CFPB = authority. Mandates limits on information sharing. Entitles consumers to an annual free credit report. Allows one to place fraud alerts and credit freezes. Requires businesses to truncate credit/debit card numbers on receipts. Mandates that businesses secure and properly dispose of sensitive personal information in a consumer's credit report. Red Flag Rules require financial institutions and creditors to implement a written identity theft prevention program.

What happens after the commission issues a complaint?

An administrative trial can proceed before an administrative law judge (ALJ).

Define "person".

An entity with legal rights, including an individual ("natural person") or a corporation ("legal person")

Privacy Notice

An external communication from an organization to consumers, customers or users to describe an organization's privacy practices.

What motivated the FTC and Commerce Department to begin convening public workshops and conducting other activities to highlight the importance of privacy protection on websites?

An increase in commercial activity on the Internet that became significant in the mid-1990s.

National Labor Relations Board (NLRB)

An independent agency of the United States government responsible for investigating and remedying unfair labor practices.

Federal Trade Commission (FTC)

An independent consumer protection agency governed by a chairman and four other commissioners with the authority to enforce against unfair and deceptive trade practices.

Data Processor

An individual or organization, often a third-party outsourcing service, that processes data on behalf of the data controller.

How does California Assembly Bill 1950 (AB1950) define personal information?

An individual's name in combination with any one or more of: SSN; DL # or CA ID #; financial account number or CC number; medical information; health insurance information; data collected from an automated license plate recognition system.

Privacy Policy

An internal standards document to describe an organization's privacy practices.

Data Protection Authority (DPA)

An official, or body, who ensures compliance with the law and investigates alleged breaches of the law's provisions.

Data Controller

An organization that has the authority to decide how and why personal information is to be processed. The data controller may be an individual or an organization that is legally treated as an individual, such as a corporation or partnership.

Major countries that have been deemed adequate by the EU

Andorra, Argentina, Canada, Iceland, Israel, Liechtenstein, Switzerland and Uruguay

Defamation

Any act or communication intending to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.

What constitutes PHI?

Any individually identifiable health information that is transmitted or maintained in any form or medium; is held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of health care or payment for health care to that individual.

Health Information

Any information related to the past, present or future physical or mental condition, provision of health care or payment for health care for a specific individual.

Consumer Reporting Agency (CRA)

Any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.

Because the FTC's regulations re: unfair and deceptive acts are not promulgated under the usual procedures of the Administrative Procedure Act, how are they handled?

Any such regulation must comply with the more complex and lengthy procedures under the Magnuson-Moss Warranty Federal Trade Commission Improvement Act of 1975.

Example of Processing Personal Data

Anything you do with PI. Use, retrieval, consultation, erasure, destruction, recording, dissemination, organization, linking, storage, updating, collection

What responsibilities do individual employees have in ensuring information security?

Apply security in accordance to established policies and procedures

What is privacy?

Appropriate use of Personal Information under the circumstances. An individual's right to control the collection, use and disclosure of personal information.

What is the Wireless Domain Registry?

As part of the federal CAN-SPAM Act, the FCC must require cell providers (i.e. commercial mobile radio services) to turn over the names of the internet domains on which they provide service.

How do precedents handle the passing of time?

As time passes, precedents often change to reflect technological and societal changes in values and laws.

Name another cross-border enforcement cooperation effort.

Asia-Pacific Economic Cooperation (APEC). The APEC Cross-border Privacy Enforcement Arrangement (CPEA) aims to establish a framework for participating members to share info and evidence in cross-border investigations and enforcement actions in the APJ region; it also facilitates cooperation and communication between APEC and non-APEC members.

What authority does the FTC have?

Authority to enforce against "unfair and deceptive trade practices", as well as specific statutory responsibility for issues such as (a) children's privacy online and (b) commercial e-mail marketing.

What authorities does the CFPB hold?

Authority to issue rules and guidance for the FCRA and GLBA; the CFPB shares enforcement authority with the FTC for financial institutions that are not covered by a separate financial regulator.

Americans with Disabilities Act (ADA)

Bars discrimination against qualified individuals with disabilities; places restrictions on pre-employment medical screening.

When should companies obtain affirmative express consent?

Before (1) using consumer data in a materially different manner than claimed when the data was collected, or (2) collecting sensitive data for certain purposes.

Which of the following is considered an acceptable method for U.S. based multinational transportation companies to achieve compliance with the EU Data Protection Directive? Global Consent; Transparency; Binding Corporate Rules; Disclosure

Binding Corporate Rules. Model contracts and binding corporate rules are acceptable methods for US based multinational transportation companies to achieve compliance with the EU Data Protection Directive.

What do the company and FTC have incentive to do?

Both have incentives to negotiate a consent decree rather than proceed with a full adjudication process.

What general information must the breach-of-personally-identifiable-information notification letter to the individual include?

Brief description of the incident, type of information involved, and a toll-free number for answers to questions. Most states do not specify what should be included in the notification letter, so these guidelines should be used.

What does the FB case indicate?

Broader government efforts to hold companies accountable for information handling practices.

How do anti-discrimination laws limit background screening?

By limiting the questions that can be asked

What does the CAN-SPAM Act require?

CAN-SPAM Act requires the senders of commercial e-mail messages to offer an "opt-out" option to recipients of those messages.

Financial Privacy

CFPB; Federal Reserve; Office of the Comptroller of the Currency; Gramm-Leach-Bliley Act

In what area has the FTC entered into numerous consent decrees with companies as a result of alleged violations of privacy laws?

COPPA has allowed for several consent decrees, which require violators to pay money to the government and agree not to violate the relevant law in the future.

In which state was the first security breach notification law enacted?

California.

Which state expressly recognizes a right to privacy in its constitution?

California.

Which countries take a co-regulatory approach to privacy protection?

Canada, Australia and New Zealand

What is case law?

Case law refers to the final decisions made by judges in court cases.

Give an example of a negligent tort.

Causing a car accident by not obeying traffic rules or not having appropriate security controls.

Privacy Impact Assessment (PIA)

Checklists or tools to ensure that a personal information system is evaluated for privacy risks and designed with life cycle principles in mind. An effective PIA evaluates the sufficiency of privacy practices and policies with respect to legal, regulatory and industry standards, and maintains consistency between policy and practice.

How does punishment differ in civil and criminal cases?

Civil is usually monetary fines. Criminal is imprisonment and fines.

How is criminal litigation different from civil litigation?

Civil lit involves an effort by a private party to correct specific harms. Criminal prosecution, brought by gov, can lead to imprisonment and criminal fines.

What is civil litigation?

Civil litigation occurs in the courts, when one person (plaintiff) sues another person (defendant) to redress a wrong. Plaintiff often seeks monetary judgment from defendant. Plaintiff may also seek an injunction.

How does punishment differ in civil and criminal cases?

Civil punishments are compensation such as monetary and injunctive while criminal punishments include fine, incarceration, and death.

What is common law?

Common law refers to legal principles that have developed over time in judicial decisions (case law), often drawing on social customs and expectations.

What are common law's rules in regards to privacy?

Common law upholds special privilege rules, even in the absence of statutes protecting that confidentiality.

What are companies increasingly subjected to or required to do re: privacy cases?

Companies are subject to periodic outside audits or reviews of their practices, or they may be required to adopt and implement a comprehensive privacy program.

Privacy by Design is what?

Companies should promote consumer privacy throughout their org and at every stage in the development of their products and services. Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.

What is Simplified Consumer Choice?

Companies should simplify consumer choices; they don't need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company's relationship with the consumer, or are required or specifically authorized by law. Where appropriate, companies should offer the choice at a time and in a context in which the consumer is making a decision about his/her data.

Which companies are subject to the EU data laws?

Companies with assets and employees in the EU, who also operate in the EU, are subject to the EU data protection laws.

Four Models of Privacy Protection

Comprehensive Model; Co-regulatory Model; Sectoral Model; Self-regulatory Model

What are the three key attributes of information security represented by the acronym CIA?

Confidentiality, Integrity, Availability

What can Congress do when enacting legislation?

Congress can delegate the power to promulgate regulations to federal agencies (such as the FTC).

What does the legislative branch do?

Congress confirms presidential appointees, and can override vetoes.

What laws has Congress enacted involving the FTC?

Congress has enacted several laws that give the U.S. Federal Trade Commission the authority to issue regulations to implement the laws.

What is a judgment entered by consent of the parties whereby the defendant agrees to stop alleged illegal activity?

Consent Decree.

What forms does consideration typically take?

Consideration usually takes the form of money, property or services.

What is the bargained-for exchange?

Consideration.

What is habeas data?

Constitutional guarantees that citizens may have the data archived about them by governmental and commercial repositories. Basically, citizens have the right to access, correct and limit distribution. (Latin American countries use this.)

Habeas Data

Constitutional guarantees that the citizenry may "have the data" archived about them by governmental and commercial repositories.

Until the creation of which agency did the FTC issue rules and guidance for the Fair Credit Reporting Act and Gramm-Leach-Bliley Act?

Consumer Financial Protection Bureau (CFPB)

Which agencies oversee financial privacy?

Consumer Financial Protection Bureau for financial consumer protection issues generally; federal financial regulators such as the Federal Reserve and the Office of Comptroller of the Currency, for institutions under their jurisdiction under the Gramm-Leach-Bliley Act (GLBA)

Who does the FCRA apply to?

Consumer Reporting Agencies (CRA)

Define "access and accuracy"

Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

Define "transparency"

Consumers have a right to easily understandable and accessible information about privacy and security practices.

Define "individual control."

Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

Define "respect for context"

Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

Define "accountability"

Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Define "focused collection"

Consumers have a right to reasonable limits on the personal data that companies collect and retain.

Define "security"

Consumers have a right to secure and responsible handling of personal data.

What is a legally binding agreement enforceable in a court of law?

Contract

What is the fundamental basis of the relationship between employer and employee in the U.S.?

Contract Law

What are important categories of civil litigation?

Contracts and torts.

What are two key areas of the common law?

Contracts and torts.

What is the CAN-SPAM Act?

Controlling the Assault of Non-Solicited Pornography and Marketing Act.

What does HIPAA require?

Covered entities to protect health information that is transmitted or maintained in any form or medium

Dodd-Frank Wall Street Reform and Consumer Protection Act

Created the Consumer Financial Protection Bureau (CFPB) to oversee the relationship between consumers and providers of financial products and services.

What is criminal litigation?

Criminal lit involves lawsuits brought by the government for violations of criminal laws.

What has driven the recent prominence of state enforcement of info sec lapses?

Data breach notifications.

What is involved in data classification?

Data is classified according to level of sensitivity. Data is also classified by the clearance level of individuals authorized to access it. More sensitive data is segregated from less sensitive data.

What are the basic FCRA requirements?

Data must be appropriately accurate, current and complete; consumers must receive notice when data is used for adverse decisions; reports may only be used for permissible purposes; consumers must have access to their reports and an opportunity to dispute or correct errors.

What is the focus of early privacy and security enforcement actions?

Deceptive practices

Data Classification

Defines the clearance of individuals who can access or handle a given set of data, as well as the baseline level of protection that is appropriate for that data.

Which US state requires daily electronic notice in order for an employer to monitor or intercept electronic mail?

Delaware

Trust Marks

Demonstration of compliance with self-regulatory programs by display of a seal, logo, or certification.

Which agency plays a leading role in federal privacy policy development and administers the Safe Harbor agreement between the US and EU?

Department of Commerce.

Which agency is responsible for educational privacy?

Department of Education

Which agencies are responsible for educational privacy?

Department of Education for the Family Educational Rights and Privacy Act.

Who prosecutes criminal laws?

Department of Justice in the federal government. For states, the state attorney general and local officials (district attorney) usually have criminal prosecutorial power.

What is the sole federal agency to bring criminal enforcement actions, which can result in imprisonment or criminal fines?

Department of Justice.

Which agency is responsible for transportation companies under its jurisdiction and for enforcing violations of Safe Harbor agreement between US and EU?

Department of Transportation.

Education Privacy

Dept of Education for the Family Educational Rights and Privacy Act

What steps should be followed in response to a security incident?

Determine if a breach occurred; containment; notify affected parties; implement follow-up

What is the DAA and how does its icon program serve as a self-regulatory effort?

Digital Advertising Alliance is a coalition of media and advertising organizations; it developed an icon program to inform consumers about how they can exercise choice with respect to online behavioral advertising.

CALEA (Communications Assistance for Law Enforcement Act) is also known as

Digital Telephony Act

Four Steps for Information Management

Discover, Build, Communicate, Evolve

Electronic Discovery (e-discovery)

Discovery in civil litigation dealing with the exchange of information in electronic format, often requiring digital forensics analysis.

Define civil litigation

Disputes between individuals and/or organizations

What are the lowest courts called in the federal court system (judicial branch)?

District Courts. These serve as federal trial courts.

FTC 5 priorities

Do Not Track; Mobile; Data Brokers; Large platform providers; Enforceable self-regulatory codes

Confidentiality of Substance Use Disorder Patient Records Rule

Does not preempt state laws. Scope: covers the disclosure of "patient identifying" info by treatment programs for alcohol and substance abuse. Applies to: any program that receives federal funding. Disclosure: must obtain written patient consent. Exceptions to consent requirements: medical emergencies, scientific research, audits and evaluations, court order, child abuse reporting, crimes against personnel.

HIPAA (Health Insurance Portability and Accountability Act)

Does not preempt state laws. No private right of action. Applies to "covered entities": healthcare providers, insurers, clearinghouses, business associates.

When did the FTC begin bringing privacy enforcement cases under its powers to address unfair and deceptive practices?

During the 1990s.

What are some of the privacy issues faced by the Department of Homeland Security?

E-Verify program for new employees, rules for air traveler records (Transportation Security Administration), and immigration and other border issues (Immigration and Customs Enforcement)

What is the basis of privacy/data protection rights in the EU? In the US?

EU = Comprehensive Model; US = Sectoral Model

What provisions do most states have in place?

Each state has a law roughly similar to Section 5 of the FTC Act, commonly known as Unfair and Deceptive Acts and Practices (or UDAP) statutes.

In what year did the Obama administration issue a report titled "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy"

Early 2012.

Describe the contents of a comprehensive website policy

Effective date; scope of notice; types of personal information collected; information uses and disclosures; choices available to the end user; methods for accessing, correcting or modifying PI or preferences; methods for contacting the organization or filing a dispute; processes for how policy changes will be communicated to the public.

What are the facts of Eli Lilly & Co case?

Eli Lilly is a pharmaceutical manufacturer that maintained a website where users would provide PI for messages and updates reminding them to take their medication. The website included a privacy notice that made promises about the security and privacy of the info provided. When Eli Lilly ended the program, it sent subscribers an e-mail announcement, inadvertently addressed to and revealing the e-mail addresses of all subscribers.

Sanctions and fines were imposed by the FTC on which company for failure to evidence appropriate privacy training to employees?

Eli Lilly

Under the Children's Online Privacy Protection Act, what is an accepted means for an organization to validate parental consent when it intends to disclose a child's information to a third party?

Email a consent form. The parent can provide consent by signing and mailing back the form.

Which one of the following categories defines data elements that are considered non-public personal information under the GLBA? Customer's full name; home address; telephone number; email address

Email address

What are the Sedona Standards for e-discovery?

Email retention policies, policies & procedures, technical solutions, industry standards

How are employers allowed to use genetic information of employees and applicants?

Employer-offered wellness program in which the employee voluntarily participates with written authorization; FMLA requests; use with legally required toxin exposure monitoring in the workplace; DNA analysis for law enforcement purposes.

Fair Credit Reporting Act (FCRA)

Enacted in 1970 to regulate the consumer reporting industry and provide privacy rights in consumer reports, FCRA mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes.

Fair Credit Reporting Act (FCRA)

Enacted in 1970 to regulate the consumer reporting industry and provide privacy rights in consumer reports. "This" mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes.

Examples of technical safeguards

Encryption, password authentication, smart cards

Who enforces the FCRA and what are the punishments?

Enforced by the FTC and state attorneys general; non-compliance leads to civil and criminal penalties and fines.

What was the basis of the GeoCities action brought by the FTC?

The enforcement action was for two separate unfair and deceptive practices. First, the FTC alleged that GeoCities misrepresented how it would use info collected from its users by reselling the information to third parties, which violated its privacy notice. Second, GeoCities collected and maintained children's PI without parental consent.

In addition to covering unfair and deceptive practices, what do some state statutes allow?

Enforcement against "unconscionable" practices, a contract law term for a range of harsh seller practices.

To what does enforcement in self-regulation refer?

Enforcement refers to the question of who should initiate enforcement actions.

Workplace Privacy

Equal Employment Opportunity Commission; ADA

Which agencies are responsible for workplace privacy?

Equal Employment Opportunity Commission for the Americans with Disabilities Act and other anti-discrimination statutes.

Global Privacy Enforcement Network (GPEN)

Established in 2010 by the FTC and enforcement authorities from around the world, "it" aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.

Global Privacy Enforcement Network (GPEN)

Established in 2010 by the FTC and enforcement authorities from around the world, the GPEN aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.

A website's privacy notice clearly states that it will not encrypt sensitive personal information, and the website operator does not, in fact, encrypt the data.

Example of Unfair Trade Practice because the website operator is not being deceptive but the potential harm caused by not encrypting the sensitive data clearly outweighs the cost of providing encryption, a commonplace and inexpensive security control.

An organization promises to honor opt out requests within 10 days but fails to honor opt out requests within stated timeframe

Example of deceptive trade practice. When companies state they will safeguard personal information but fail to do so. A violation of a promise made in a privacy notice is an example of deceptive trade practice.

What exceptions exist in the EPPA?

Exceptions for government employees, employees of drug manufacturers, defense contractors, and national security.

21st Century Cures Act 2016

Expedites research, quickens drug approval, reforms mental health. Certain biomedical research exempt from FOIA; researchers can remotely view PHI; info blocking prohibited; certificates of confidentiality for research; can share mental health/substance abuse info with family.

Which federal privacy law preempts stricter state laws?

FACTA

FCRA was amended by

FACTA (Fair and Accurate Credit Transactions Act)

True/False: The FTC's decisions are under the president's control.

FALSE

True/false: Government agencies do not have jurisdictional limits.

FALSE

True/false: Today's FTC does not include privacy and computer security issues as an important part of its work.

FALSE

True/false: if you do business only in Montana or NY, you are still subject to this CA law.

FALSE

What did the FTC's 8-count complaint allege, among other things, against Facebook?

FB deceived consumers by repeatedly making changes to services so that information designated as private was made public. This violated promises FB made in its privacy notice.

With which agency does the FTC share rule-making and enforcement power under the Telemarketing Sales Rule and the CAN-SPAM Act?

FCC

What laws with employment privacy implications regulate data collection and record keeping?

FCRA, FLSA, OSHA, NLRA, IRCA, Whistleblower Protection Act, Securities and Exchange Act of 1934

What federal agency is the most active in enforcing privacy rights?

FTC

Who handles the enforcement of CAN-SPAM?

FTC

Who handles the enforcement of COPPA?

FTC

What regulatory agencies are required by law to issue regulations and rules?

FTC (Federal Trade Commission) or the FCC (Federal Communications Commission).

Protecting Consumer Privacy in an Era of Rapid Change

FTC Report 2012

What were the FTC assertions in their charges?

FTC alleged that automatic enrollment without prior notice and explicit consent was a deceptive trade practice. It also asserted that Google was in violation of the US-EU Safe Harbor Framework, which provides a method for US companies to transfer personal data from the EU to the US in compliance with EU data protection requirements.

What was the basis of the FTC's finding against BJ's Wholesale Club?

FTC alleged unfair trade practice. BJ's failed to encrypt the information and failed to secure wireless networks to prevent unauthorized access. FTC established that failing to implement basic security controls to protect consumer information alone constitutes an enforceable unfair trade practice, without any need for the FTC to allege deception.

What did BJ's establish for all future FTC enforcement case scopes?

FTC established its view that failing to implement basic security controls to protect consumer info alone constitutes an enforceable unfair trade practice, without any need for the FTC to allege deception. Even without heightened security requirements under sector-specific statutes (HIPAA, COPPA, GLBA), companies now face potential enforcement action based on the FTC's Section 5 unfairness authority.

Describe the situation surrounding FTC and the APA rule-making authority.

FTC has supported congressional proposals to provide the FTC with APA rule-making authority; such proposals have not been successful to date, in part due to opposition from companies that are against increased regulation.

What options might the FTC exercise if the complaint is minor?

FTC may work with the company to resolve the problem without launching a formal investigation.

For what purpose was the FTC founded?

FTC was founded to enforce antitrust laws.

At the federal level, which agencies engage in regulatory activities concerning the private sector?

FTC, federal banking regulatory agencies (Consumer Financial Protection Bureau, Federal Reserve, Office of the Comptroller of the Currency), the FCC, DOT, Dept. of Health and Human Services through its Office for Civil Rights.

Who is the rule-making and enforcement agency for COPPA?

FTC.

True/False: The FTC's decisions are under the president's control.

False

True/false: Government agencies do not have jurisdictional limits.

False

True/false: Today's FTC does not include privacy and computer security issues as an important part of its work.

False

True/false: If you do business only in Montana or NY, you are still subject to this CA law.

False

True/False: The FTC can assess civil penalties.

False, the FTC lacks authority to assess civil penalties.

True/false: the FTC is not a CPEA participant.

False.

True/false: State common law is not a source of privacy enforcement

False. Plaintiffs can sue under the privacy torts, which traditionally have been categorized as intrusion upon seclusion, appropriation of name or likeness, publicity given to private life and publicity placing a person in a false light. Plaintiffs may also sue under a contract theory in some situations.

True/false: Every agreement is a legally binding contract.

False. There are three fundamental requirements for forming a binding contract.

Which agencies oversee telemarketing and marketing privacy?

Federal Communications Commission (along with the FTC) under the Telephone Consumer Protection Act and other statutes.

Telemarketing/Marketing Privacy

Federal Communications Commission and FTC Telephone Consumer Protection Act

Which federal agency has specific statutory responsibility for issues such as children's privacy online and commercial email marketing?

Federal Trade Commission

Who can legally enforce the promises made in a company's privacy notice?

Federal Trade Commission and states.

What is the appeals process for agency enforcement actions?

Federal agency adjudications can generally be appealed to federal court.

What are the sources of law in the U.S.?

Federal and state constitutions, legislation, case law (contracts and torts), and agency-issued regulations.

Under what conditions can a government authority gain access to financial records from a financial institution?

Financial records are reasonably described and customer authorizes access or subpoena/search warrant

Which condition must be met to satisfy the Right to Financial Privacy Act requirements for disclosure of individual records by financial institutions?

Financial records are reasonably described.

What are the punishments for non-compliance of HIPAA?

Fines up to $250K and/or 10 years imprisonment

California Assembly Bill 1950 - AB1950

First privacy law. Encouraged businesses to provide reasonable security to protect the personal information of Californians. Companies subject to HIPAA or GLBA are exempt. Encrypted information is excluded.

What are the basic Telecommunications Act Requirements?

1. Follow the rules for when calls can be made, identify themselves, and state what they are selling
2. Maintain entity-specific suppression lists
3. Disclose the identity of the seller, the purpose of the call, the nature of the goods/services, and a "purchase necessary" disclaimer
4. No misrepresentations or material omissions
5. Transmit accurate information on caller ID
6. No call abandonment (or meet the abandonment safe harbor)
7. No unauthorized billing
8. Robocalls are prohibited without written consent
9. Must maintain records for two years

Once an individual or company has agreed to a consent decree, what can violations of that decree lead to?

Following an FTC investigation, it can lead to enforcement in the federal district court, including civil penalties as discussed above.

Unfairness

For a practice to be considered unfair, the injury must be: 1) substantial, 2) without offsetting benefits, and 3) one that consumers cannot reasonably avoid.

The FTC is a participant in which two international privacy enforcement organizations?

GPEN and APEC CPEA

What are the facts of Gateway?

Gateway Learning Corporation marketed and sold popular educational aids under the "Hooked on Phonics" product line. Its website privacy notice stated that Gateway Learning would not sell, rent or loan any PI without explicit customer consent. It also stated that Gateway would provide consumers with an opportunity to opt out of having their info shared if this practice changed. Gateway then began renting personal customer info to third-party marketers and advertisers without providing the opt-out. It later revised its website privacy notice to allow for disclosing to third-party advertisers and continued to rent consumer information without providing notice to customers about the change in policy.

What authority does the FTC have re: privacy in the private sector?

General authority to enforce against "unfair and deceptive trade practices."

What are the facts of the GeoCities case?

GeoCities operated a website that provided an online community through which users could maintain personal home pages. To register and become a member of GeoCities, users were required to fill out an online form that requested PI, with which GeoCities created an extensive info database. GeoCities promised on its website that the collected information would not be sold or distributed without user consent.

What was the outcome of the GeoCities action?

GeoCities settled the action and the FTC issued a consent order, which required GeoCities to post and adhere to a conspicuous online privacy notice that disclosed to users how it would collect and use PI. It was also required to obtain parental or guardian consent before collective information from children 12 years of age or under.

GPEN

Global Privacy Enforcement Network. Aims to promote cross-border information sharing as well as investigation and enforcement cooperation.

What are the facts of the Google case?

Google Buzz was a social networking service integrated with Google's e-mail service, Gmail. When it launched, consumers were automatically enrolled in Buzz services without having to provide consent. Buzz also exposed PI harvested from Gmail to the public without making this clear to users. These actions conflicted with Google's privacy notice on its site.

Who initiates criminal litigation?

Government

With which agency does the FTC share rule-making and enforcement power for data breaches related to medical records under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009?

HHS

What is one area of law where states may pass privacy/other laws with stricter requirements than federal law?

HIPAA medical privacy rule.

Name one statute that provides for both civil and criminal enforcement.

HIPAA.

Under which laws are disclosures of personal information prohibited?

HIPAA, COPPA, GLBA

FTC primary method of enforcement 2000

Harm-based model addressing substantial injury under the unfairness authority

Consumer Financial Protection Bureau (CFPB)

Has enforcement power for unfair, deceptive or abusive acts and practices for financial institutions.

HITECH name

Health Information Technology for Economic and Clinical Health Act

Who are covered entities according to HIPAA

Healthcare providers, clearinghouses, insurers.

HIPAA applies to

Healthcare providers that conduct certain electronic transactions; health plans (insurers); healthcare clearinghouses (third parties).

What does the U.S. Supreme Court do?

Hears appeals from the circuit courts and decides questions of federal law; also interprets the U.S. Constitution. May also hear appeals from the highest state courts or function as a trial court in rare instances.

What purpose do privacy notices serve?

Help inform customers about how their PI was being collected and used, as well as helping with enforcement purposes.

What is the most significant threat to online privacy?

Humans - intentional and unintentional actions

How do privacy notices help with enforcement?

If a company promised a certain level of privacy or security on a company website or elsewhere, and the company did not fulfill its promise, then the FTC considered that breach of promise a "deceptive" practice under Section 5 of the FTC Act.

When may a privacy notice constitute a contract?

If a consumer provides data to a company based on the company's promise to use the data in accordance with the terms of the notice.

Give an example of a time when the costs of compliance with a law might exceed the risks of noncompliance for a period of time.

If a system is not appropriately compliant with a new law but is going to be replaced in a few months, a company may decide that the risks of noncompliance outweigh the costs and risk of trying to accelerate the system transition.

What are the exceptions to the prohibition on intercepting communications?

1. One or all parties have given consent.
2. The interception is done in the normal course of business and is itself a normal course of business (e.g., a call center monitoring calls).

When did the FTC bring an enforcement action against Microsoft Corp?

In 2002.

Where are the limits on trans-border data flows found?

In Articles 25 and 26 of the Data Protection Directive.

Where is the scope of the term "unfairness" clarified?

In a 1980 policy statement and in 1994 amendments to the FTC Act.

What is a consent decree?

In a consent decree, the respondent does not admit fault, but promises to change its practices.

What other issues does the FTC retain authority over?

In addition to the authority granted under Section 5, the FTC retains separate and specific authority over privacy and security issues under other federal statutes.

In what 2005 enforcement action did the FTC allege that a company did not engage in reasonable security practices to protect the personal and financial information of its consumers?

In the Matter of BJ's Wholesale Club, Inc.

What was the first FTC Internet privacy enforcement action?

In the Matter of GeoCities, Inc.

What was the first instance of the FTC basing an enforcement action on a company's material change to its PI-handling practices, as well as the first privacy case based on unfairness?

In the matter of Gateway Learning Corp, in 2004.

What was the outcome of the BJ's case?

In the settlement, the consent decree required BJ's to implement a comprehensive infosec program, including regular audits. This was the first time the FTC alleged only unfair, and not deceptive, practices as the basis of a privacy or infosec case.

2 examples of administrative safeguards

Incident management plan; privacy policy.

Self-regulatory Model

Industry associations establish rules or regulations that are adhered to by industry participants. Examples include the Payment Card Industry (PCI DSS) and the privacy seal programs administered by the Online Privacy Alliance.

What are the three tort categories?

Intentional torts, negligent torts, and strict liability torts.

Give an example of an intentional tort.

Intentionally hitting a person or stealing personal information.

Which Department is subject to privacy rules concerning tax records, including disclosures of such records in the private sector?

Internal Revenue Service (IRS)

Privacy Policy

Internal, detailed statement for users of personal information that defines handling practices

What common-law torts can be relevant to employee privacy?

Intrusion upon seclusion (intrusion is highly offensive to a reasonable person); publicity given to private life (highly offensive and not of legitimate public concern); defamation (false statement that lowers reputation).

What happens during the discover phase of information management?

Issue identification and self-assessment; determination of best practices; understanding the laws applicable to the company's data collection and use.

Why would the FTC have incentives to negotiate?

It (1) achieves a consent decree that incorporates good privacy and security practices, (2) avoids the expense and delay of a trial, and (3) gains an enforcement advantage, due to the fact that monetary fines are much easier to assess in federal court if a company violates a consent decree.

To what does the FTC Act Section 5 apply and not apply?

It applies to "unfair and deceptive practices in commerce" and does not apply to nonprofit organizations. Its powers also do not extend to certain industries, such as banks and other federally regulated financial institutions, as well as common carriers such as the transportation and communications industries.

To whom does the CA law apply?

It applies to natural persons, legal persons, and government agencies.

What can the federal court grant?

It can grant injunctions and other forms of relief.

What are three ways that self-regulation can occur?

It can occur through the 3 traditional separation of powers components: legislation, enforcement and adjudication.

What can the FTC do if its ruling is ignored?

It can seek civil penalties in federal court of up to $16,000 per violation and can seek compensation for those harmed by the unfair or deceptive practices.

What are the contents of the consent decree?

It describes the actions that the defendant will take and the decree may be subject to a public comment period.

What is the focus/content of the OECD's 2007 Recommendation?

It focuses on the need to address common privacy issues on a global scale, rather than focusing on country-by-country differences in law or enforcement power.

What does a consent decree accomplish?

It formalizes an agreement reached between a federal or state agency and an adverse party.

What does the Fair Credit Reporting Act allow?

It has a private right of action, which allows a person to sue a company if his consumer reports have been used inappropriately.

What does Article 3 of the draft Data Protection Regulation suggest?

It has language suggesting that EU law applies to online sellers who operate only in the US: "The Regulation applies where processing activities are related to (a) the offering of goods or services to such data subjects in the Union, or (b) the monitoring of their behavior; this Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law."

What does the 1998 Data Protection Directive say about whether a non-EU company is subject to enforcement there?

It is ambiguous. Companies wishing to transfer data from the EU to the US have various lawful options. They - and other multinational corporate entities with a presence in Europe - may draft binding corporate rules (BCR), subject to review and authorization by member states.

What does it mean that the FTC is an "independent" agency?

It is governed by the decisions of its chairman and four other commissioners, instead of falling under the direct control of the president.

Where is privacy mentioned in the U.S. Constitution?

It is not mentioned in the U.S. Constitution

What does the CAN-SPAM Act allow the FTC and FCC to do?

It provides the FTC and the FCC with the authority to issue regulations that set forth exactly how the opt-out mechanism must be offered and managed.

What is stare decisis?

It refers to a following of past precedent; stare decisis is a Latin term meaning "to let the decision stand."

What was the basis of the enforcement action against Eli Lilly by the FTC?

It resulted in settlement terms, which required Eli Lilly to adhere to representations about how it collects, uses and protects user information. It also required, for the first time in an online privacy and security case, that Eli Lilly develop and maintain an information privacy and security program.

What does the U.S. Constitution say about laws under the Constitution?

It states that the Constitution, and the laws passed pursuant to it, are "the supreme law of the land."

What does the typical notice contain?

It tells the individual what information is collected, how the information is used and disclosed, how to exercise any choices about uses or disclosures, and whether the individual can access or update the information.

What does Section 6 of the FTC Act do?

It vests the commission with the authority to conduct investigations and to require businesses to submit investigatory reports under oath.

Where is privacy mentioned in the U.S. Constitution?

It's not. Usually privacy falls under the 4th amendment.

What is personal jurisdiction?

Jurisdiction over the parties (often based on their location)

What is subject matter jurisdiction?

Jurisdiction over the type of dispute / cause of action.

What precedent did Katz v. United States reverse?

Katz overturned the wiretap laws and gave us the "reasonable expectation of privacy rule" as it stated that "what a person seeks to preserve as private, even in a public area, may be constitutionally protected".

What are the privacy concerns surrounding cloud computing?

Large amounts of data are held in one location, so one breach can have a large impact. Some cloud services do not encrypt data. Providers could disclose user data to third parties for marketing or advertisement purposes, or in response to government requests.

Under Rule 5.2 of the Fed Rules of Civ Pro, what personal information may remain in a redacted document?

Last four digits of the SSN; year of birth; a minor's initials; last four digits of a financial account number.

How is law-making power distributed in the U.S.?

Law-making power is shared between the national and state governments.

What changes did the FISA Amendments Act of 2008 make to the original Foreign Intelligence Surveillance Act of 1978?
1. Express authorization of foreign intelligence wiretaps
2. Legal authorization of some new surveillance packages
3. A series of checks and balances on the president and attorney general
4. Access to stored communication records without judicial authorization

Legal authorization of some new surveillance packages including when one party is reasonably believed to be outside of the United States. It also granted immunity to the telephone companies so they would not be liable for the records they have provided to the government in the wake of 9/11.

Define criminal litigation

Legal punishment of criminal offenses

To what does legislation in self-regulation refer?

Legislation refers to the question of who should define appropriate rules for protecting privacy.

Which branch of the U.S. Federal Government makes laws?

Legislative

What branch of the US government makes laws?

Legislative Branch

The U.S. Constitution establishes what three branches of government?

Legislative, Executive, Judicial

In which areas do federal laws pre-empt state laws, preventing states from passing stricter provisions?

Limits on commercial e-mails in the CAN-SPAM Act.

What are the facts of the Microsoft action?

MS Passport was an online service that allowed customers to use single sign-in to access multiple web services. MS made claims about the high level of security used to protect users' personal and financial information, as well as Passport's parental controls for its children's services.

How did the Microsoft action resolve?

MS settled the action with the FTC. MS was prohibited from making future misrepresentations about the security and privacy of its products and was required to adopt and implement a comprehensive info sec program. MS was required to undergo a biannual third-party audit to ensure compliance with its program terms.

FCRA (Fair Credit Reporting Act)

Mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes

Which state was first to ban employers from asking employees or applicants for the social network login information and passwords?

Maryland in 2012

Which state prohibits reporting the number of affected individuals in a data breach notification?

Massachusetts

What are abusive acts and practices under CFPB?

Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or takes unreasonable advantage of a consumer's lack of understanding of the risks, costs and conditions, inability to protect their own interests, or reasonable reliance that the company is acting in the consumer's best interest.

States have other specialized statutes protecting privacy in what other sectors?

Medical, financial, and workplace.

When did organizations begin to post public privacy notices on their websites?

Mid-1990s.

Which states have successfully pursued privacy actions related to unfair and deceptive practices?

Minnesota and Washington.

Four options for transferring personal data out of the EU to a country that has not been deemed adequate

Model contracts; Binding Corporate Rules (BCRs); Safe Harbor program; unambiguous consent.

What privacy issues are emerging with BYOD?

Monitoring of the BYOD

Massachusetts State Security Law 201 CMR 17.00

Most prescriptive law. Establishes detailed minimum standards to safeguard PI in both paper and electronic records. Requires businesses holding PI to:
1. Designate an individual responsible for info sec
2. Anticipate risks to PI and mitigate them
3. Develop security program rules
4. Impose penalties for violations
5. Prevent access to PI by former employees
6. Contractually obligate third-party service providers to maintain similar procedures
7. Restrict physical access to PI records
8. Review the program at least once per year
9. Document responses to incidents

Is the US deemed adequate by the EU

NO.

Give examples of self-regulatory regimes.

Network Advertising Initiative, Direct Marketing Association, Children's Advertising Review Unit.

Which state's data destruction law applies only to for-profit businesses?

New York

Does FTC Act Section 5 say anything specifically about privacy or information security?

No

Does FCRA preempt State law

No - FCRA does not preempt state from creating stronger laws

What are some common commercial email principals?

No false or misleading header information; no deceptive subject lines; opt-out option in each message; notification that the message contains an advertisement; information about the sending organization.

Is there an omnibus federal law requiring companies to have public privacy notices?

No; sector-specific statutes such as HIPAA, GLBA, and COPPA impose notice requirements.

Does a consent decree typically admit guilt or wrongdoing?

No.

In which countries is a person's tax return considered public record?

Norway, Finland and Sweden. These countries also include a person's salary as public record.

Bank Secrecy Act Record Retention Requirements

Not all records must be maintained, only those with a high degree of usefulness. Must include: borrower name and address, credit amount, purpose and date of credit. Maintain for 5 years.

FTC primary method of enforcement 1990

Notice and Choice Approach. Required privacy notices to be placed on websites.

California AB 2828

Now requires data breach notifications to be sent to residents when encrypted PI has been breached. The CA Data Breach Notification Law requires notice that a breach occurred related to:
1. Both encrypted data and the encryption key
2. Encrypted data when the business has a reasonable belief that the encryption key or security credentials can be obtained by the hacker

What are some of the other functions of the OMB?

OMB also issues guidance to agencies and contractors on privacy and information security issues, such as data breach disclosure and privacy impact assessments.

What is the proposed language to enter into a bargain?

Offer

What are the three factors required to form a contract?

Offer, Acceptance, Consideration.

Which agencies are responsible for medical privacy?

Office for Civil Rights in the Department of Health and Human Services (HHS), for the Health Insurance Portability and Accountability Act (HIPAA)

Define Privacy Policy.

Often used to refer to the internal standards used within the organization.

How much power does a consent decree hold?

Once approved, the consent decree has the effect of a court decision.

Before the Eli Lilly case, what had the FTC required of companies?

Only that they stop the current unfair and deceptive practices; after the settlement, it became clear that the scope of settlement terms had expanded to include implementation and evaluation of security programs.

Opt In

Opt in means an individual actively affirms that information can be shared with third parties (e.g., an individual checks a box stating that she wants her information to go to another organization).

Opt Out

Opt out means that, in the absence of action by the individual, information can be shared with third parties (e.g., unless the individual checks a box to opt out, her information can go to another organization).

Choice and Consent

Organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information. Consent is often considered especially important for disclosures of personal information to other data controllers.

Difference between opt-in and opt-out

Opt-in is express: the individual must give permission. Opt-out is implied: no permission is needed, and failure to answer means PI will be shared.

The Washington State Security Law House Bill 1149

Part of the growing trend to incorporate the Payment Card Industry Data Security Standard into statute to ensure the security of credit card transactions and related PI. Permits FIs to recover the costs associated with reissuance of credit and debit cards from large processors whose negligence resulted in the breach.

What are other options for multinational corporations with an EU presence?

Participation in the US - EU Safe Harbor program; using contracts for data export that have been approved by a data protection authority.

Under Texas law, who must entities notify of a confirmed breach?

People in Texas, and residents in states lacking a data protection law.

What are the primary threats to information security?

People, technology, acts of nature

Safe Harbor Program

Permits the transfer of personal data out of the EU to the US to companies that agree to participate in the program

CA Security Breach Notification Law SB1386

Personal Information = Name plus one or more: SSN, DL#, ID#, Credit Card #

What is PI?

Personal information - an individual's name in combination with any one or more of (1) SSN, (2) CA identification card number, (3) Driver's License number, (4) financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account, when either the name or the data elements are not encrypted.

What is included in an information security program?

Physical, Administrative and Technical Controls

Under what conditions is it legitimate for an organization to conduct substance testing?

Pre-employment, reasonable suspicion, routine, post-accident, random testing.

What is the burden of proof for civil litigation?

Preponderance of evidence

What can the executive branch do?

President appoints federal judges. It can veto laws passed by Congress.

What are the three types of security controls?

Preventative, detective, corrective.

Which terms of the offer must be specific and definite?

Price, quantity, and description.

HIPAA Privacy Rule Key Privacy Protections

1. Privacy notice (must provide notice and describe rights)
2. Authorization for uses and disclosures
3. Minimum necessary use or disclosure
4. Access and accounting of disclosures (individuals have the right to access and copy their own PHI; they also have the right to amend or file comments)
5. Safeguards (implement administrative, physical and technical safeguards)
6. Accountability (must designate a privacy officer)
Enforcement: Office for Civil Rights, DOJ, FTC
Exceptions: de-identified data, research

In addition to the Security Rule, what other rule was promulgated by Health and Human Services and mandated by the Health Insurance Portability and Accountability Act?

Privacy Rule

What are the requirements of the HIPAA privacy rule?

Privacy notices; authorizations for uses and disclosures; minimum necessary use or disclosure; access and accountings of disclosures; safeguards; accountability.

What is Transparency?

Privacy notices should be clearer, shorter and more standardized to enable better comprehension and comparison of privacy practices. Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use.

Who initiates civil litigation?

Private party

Evidentiary Privilege

Privileges limiting or prohibiting disclosure of personal information in the context of investigations and litigation, such as attorney-client privilege.

Where a statute provides for both civil and criminal enforcement, how is jurisdiction apportioned?

Procedures exist for the roles of both HHS and the Department of Justice (in HIPAA's case).

What are some examples of strict liability torts?

Product liability torts (concern potential liability for making and selling defective products without the need for the plaintiff to show negligence by the defendant).

Red Flags Rule

Promulgated under FACTA, the Red Flags Rule requires certain financial entities to develop and implement identity theft detection programs to identify and respond to "red flags" that signal identity theft.

Where are consent decrees posted?

Publicly on the FTC's website.

Substitute Notice

Pursuant to breach notification laws, certain entities must provide for substitute notice of data breach in a situation where insufficient or out-of-date contact information is held.

What is the current status of privacy law in Africa?

Recently, a number of African countries have begun to pass data protection laws but due to staffing issues, it may take a while before enforcement is widespread.

Define Privacy Notice.

Refers to an external communication, issued to consumers, customers, or users.

What are some factors in evaluating data processing vendors?

Reputation; financial condition and insurance; information security controls; point of transfer; disposal of information; employee training and user awareness; vendor incident response.

What did the FB settlement require?

Required FB to provide users with clear notice and obtain user consent before making retroactive changes to material privacy terms, and barred FB from making any further deceptive privacy claims. FB was also required to establish and maintain a comprehensive privacy program. FB must obtain biannual independent third-party audits of its privacy program for the next 20 years.

FTC primary method of enforcement 2009

Requirement of a comprehensive privacy program in consent decrees

Gramm-Leach-Bliley Act Safeguards Rule

Requires FIs to maintain security controls to protect the confidentiality and integrity of personal consumer information, including both electronic and paper records. Requires the creation of an information security program to address administrative, technical and physical safeguards.

FACTA Disposal Rule 2003

Requires appropriate measures to dispose of sensitive information derived from consumer reports. Enforced by: FTC, CFPB and federal banking regulators. Violations: civil liability, federal and state enforcement.

FACTA Red Flags Rule

Requires certain FI to develop and implement written identity theft detection programs that can identify and respond to the red flags that signal identity theft.

Tennessee SB 2005

Requires notice of breach regardless of whether information was encrypted or not. 2017 amendment: the change clarified that encrypted data receives the protection of the safe harbor, unless the encryption key is also acquired in the breach.

What is a layered privacy notice?

A response to the problems with a single long notice. The basic idea is to offer layers that provide the key points on top in a short notice, but give users the option to read a detailed notice or click through to greater detail on particular parts of the notice.

What are the three functions within the governance of information asset management?

Retention of records; destruction and duplication of records; classification of data (classified, sensitive, public).

What is the burden of proof for criminal litigation?

Beyond a reasonable doubt.

Why does the CA data notification law exist?

SB 1386 was enacted because there is a fear that security breaches of computerized databases cause identity theft and individuals should be notified about the breach so that they can take steps to protect themselves. If you have a security breach that puts people at real risk of identity theft, you should consider notifying them even if you are not subject to this law.

What category of PI is typically excluded in breach notification laws?

SSN

What types of PII are exempt from trans-border data regulations? A. Medical history B. Credit history C. SSN D. Personnel records

SSN

What does the FTC consider a deceptive practice?

Saying one thing and completely going against it

2 examples of physical safeguards

Security guards for a building; cable locks for laptops.

What are important considerations in physically locating sensitive personal data?

Separate and Safe, Encrypt, Access Control, monitoring

What role does the State Attorney General serve?

Serves as the chief legal advisor to the state government and as the state's chief law enforcement officer

HIPAA Security Rule

Sets forth the administrative, physical, and technical safeguards for covered entities in order to protect the confidentiality, integrity, and availability of PHI that is stored electronically.

What agencies are affected by the increasing development of smart grid?

Smart grid development is making privacy an important issue for the electric utility system, involving the Department of Energy.

The loss of names and what other data point from the list below would require an employer to notify the affected individuals? A. Student Records B. Intellectual Property C. Social Security Numbers D. Street Address

Social Security Numbers

In which service model of cloud computing are applications hosted by the cloud provider in the cloud and typically accessed by users through a web browser?

Software as a Service (SaaS)

Soleil is a chain of exercise clubs and resorts. The company offers excellent health benefits to its employees, including medical, dental and eye care. What is Soleil's privacy obligation?

Soleil is obligated to protect employee benefit information in accordance with its privacy policy only (it is not required to follow HIPAA).

What are the other federal courts called?

Special courts include the U.S. Court of Federal Claims and the U.S. Tax Court.

Who brings privacy-related enforcement actions at the state level?

State Attorneys General

Which federal department has been increasingly active in privacy, negotiating internationally on privacy issues with other countries/multinational groups such as the UN and OECD?

State Department.

Who enforces UDAP statutes?

State attorneys general, who serve as the chief legal officers of each state.

What are other sources of law affecting privacy?

State constitutions may create stronger rights than are provided in the U.S. Constitution.

What is happening on a state level in relation to the smart grid?

State public utilities commissions have started to set rules for PI collected in connection with the smart grid.

Under the Gramm-Leach-Bliley Act's privacy provisions, FIs are required to

Store personal financial info in a secure manner; provide notice of their policies regarding the sharing of PFI; provide consumers with the choice to opt out and process that choice within 30 days.

HITECH Act of 2009

Strengthened HIPAA to address the privacy impact of electronic health records. Breach: must notify individuals within 60 days if more than 500 people are affected; notify HHS immediately if 500 or more in the same jurisdiction; notify media. Avoid liability by using encryption software.

True/false: Consent decree terms vary depending on the violation.

TRUE

True/false: The US - EU Safe Harbor Framework requires participating companies to name a compliance third party.

TRUE

Give examples of third-party privacy seal and certification programs that provide assurances that companies are complying with self-regulatory programs.

TRUSTe, Better Business Bureau.

What types of communication entities operate under CALEA?

Telecommunications carriers including providers of broadband internet access and VoIP services.

Telemarketing Sales Rule of 1995

Telemarketer must identify:
- the name of the company/service provider
- the product or service being provided
- material facts such as whether the product comes with a warranty
- the cost of the product
- the quantity being offered
• The FCC issued regulations under the Telephone Consumer Protection Act of 1991 (TCPA) that place restrictions on unsolicited advertising by phone and facsimile.
• Does not preempt stricter state laws:
  o Some states require that a marketer obtain a license or register with the state
  o States can create their own DNC lists with differing exceptions/fines
  o Some states may require that a written contract be created for certain transactions
• May have a private right of action via the intrusion on seclusion tort
• Enforcement: FTC, state AGs, or private individuals
• Defines telemarketing as a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call

Which investigative tactic requires probable cause and other requirements, such as exhausting alternative means of acquiring the evidence? A. Telephone wiretap B. Access to stored emails C. Pen register order D. Traditional search warrant

Telephone Wiretap

COPPA authorizes the FTC to confirm what?

That certification programs are in compliance with the law.

What did the White House recommend in its 2012 report?

That the Consumer Privacy Bill of Rights be included in Federal Legislation, with use of multistakeholder processes to develop enforceable codes of conduct until legislation is passed.

What does the Obama report recommend re: these 7 rights?

That they be included in federal legislation with the use of multistakeholder processes to develop enforceable codes of conduct until legislation is passed, emphasizing achieving international interoperability, including with trans-border cooperation on privacy enforcement (utilizing FTC).

Name the ways in which Congress added privacy-related responsibilities to the FTC over time.

The Children's Online Privacy Protection Act (COPPA) of 1998 and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.

What is the supreme law in the U.S.?

The Constitution.

Who drafted the Constitution and when?

The Constitutional Convention drafted the Constitution in 1787.

Bank Secrecy Act is AKA

The Currency and Foreign Transaction Reporting Act

What role does the Department of Commerce play in privacy?

The DOC doesn't have regulatory authority for privacy, but often plays a role in privacy policy for the executive branch.

EU Data Protection Directive

The EU Directive was adopted in 1995 and became effective in 1998 and protects individuals' privacy and personal data use. The Directive recognizes the European view that privacy is a fundamental human right, and establishes a general comprehensive legal framework that is aimed at protecting individuals and promoting individual choice regarding the processing of personal data.

With which agency does the FTC share rule-making and enforcement power under the Telemarketing Sales Rule and the CAN-SPAM Act?

The FCC.

What are some of the ways that the FTC has played a prominent role in the development of US privacy standards?

The FTC conducts public workshops on privacy issues, and reports on privacy policy and enforcement.

What does "do not track" encompass?

The FTC has encouraged industry to create a mechanism for consumers to signal if they do not wish to be tracked for online behavioral advertising purposes.

Describe FTC's regulation-issuing authority?

The FTC has general authority to issue regulations to implement protections against unfair and deceptive acts and practices.

Explain the FTC's prioritization of large platform providers.

The FTC is examining special issues raised by very large online companies that may do what the FTC calls "comprehensive" tracking.

What is the FTC's priority around Data brokers?

The FTC supports targeted legislation to provide consumers with access to info held about them by data brokers who are not already covered by the Fair Credit Reporting Act.

Which FTC division monitors and litigates violations of consent decrees in cooperation with the Department of Justice?

The FTC's Enforcement Division within the Bureau of Consumer Protection.

In response to the OECD Recommendation, what did the FTC do?

The FTC, along with enforcement authorities globally, established the Global Privacy Enforcement Network (GPEN) in 2010.

What amended the Fair Credit Reporting Act?

The Fair and Accurate Credit Transactions Act of 2003.

What is the judicial branch?

The Federal Courts.

What is the FTC?

The Federal Trade Commission is an independent agency governed by a chairman and four other commissioners.

Which parts of the Constitution directly affect privacy?

The Fourth Amendment limits on government searches.

Name a second reason the Google settlement was noteworthy.

The Google consent decree was the first substantial US-EU Safe Harbor enforcement by the FTC. Complaint stated that Google had represented it would use PI only for the purposes for which it was initially collected or consented to by users. The complaint stated that Google violated Section 5 and failed to live up to its promise to comply with the notice and choice principles of Safe Harbor.

What can the judicial branch do?

The Judicial branch determines whether the laws are constitutional. It also interprets laws, the meaning of a law, and how it is applied. It can also examine the intent behind a law's creation.

Which project helps coordinate the work of state attorneys general?

The National Association of Attorneys General Consumer Protection Project, which works to improve the enforcement of state and federal consumer protection laws by State Attorneys General, as well as multistate consumer protection enforcement efforts. It also promotes info exchange among the states with respect to investigations, litigation, consumer education, and both federal and state legislation.

Give an example of a self-regulatory system that goes through all 3 stages without government agency involvement.

The PCI DSS provides an enforceable security standard for the payment card industry; the rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit card companies. Compliance with the standard requires hiring a third party to conduct security assessments and detect violations; failure to comply can lead to exclusion from Visa, MasterCard or other major payment card systems, as well as penalties of $5,000 to $100,000 per month.

Who makes up the executive branch?

The President, Vice President, cabinet, and federal agencies (such as the FTC).

Which Supreme Court decisions affect privacy?

The S.C. has held that a person has a right to privacy over personal issues such as contraception and abortion, arising from more general protections of due process of law.

Give an example of a regulatory setting where government-created rules expect companies to sign up for self-regulatory oversight.

The Safe Harbor for companies that transfer personal information from the EU to the US.

What two parts make up the U.S. Congress?

The Senate and the House of Representatives (legislative branch)

Which Amendment to the Constitution states "the powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people."?

The Tenth Amendment to the Constitution.

What establishes the three branches of the U.S. Government?

The U.S. Constitution.

Who enforces HIPAA?

The U.S. Department of Health & Human Services (HHS)

What is the top court in the judicial branch?

The U.S. Supreme Court.

Give an example of a cross-border conflict.

The US generally permits a greater range of discovery in litigation than EU courts, with a party to the litigation in the US potentially facing fines or contempt of court if it does not produce records. In contrast, the EU Data Protection Directive and laws of EU member states may prohibit disclosure of the same records.

Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy

The White House Report, 2012.

Preemption

The ability for one government's laws to supersede those of another, such as federal law overriding individual state law.

Private Right of Action

The ability of an individual harmed by a violation of law to bring suit against the violator.

Define Choice.

The ability to specify whether personal information will be collected and/or how it will be used or disclosed.

Choice

The ability to specify whether personal information will be collected and/or how it will be used or disclosed. "It" can be express or implied.

Choice

The ability to specify whether personal information will be collected and/or how it will be used or disclosed. Choice can be express or implied.

In an information privacy context, what does "choice" mean?

The ability to specify whether personal information will be collected and/or how it will be used or disclosed. Choice can be express or implied.

Access

The ability to view personal information held by an organization. This may be supplemented by allowing updates or corrections to the information. U.S. laws often provide for "this" and correction when the information is used for any type of substantive decision making, such as for credit reports.

Access

The ability to view personal information held by an organization. This may be supplemented by allowing updates or corrections to the information. U.S. laws often provide for access and correction when the information is used for any type of substantive decision making, such as for credit reports.

What requirements must the acceptance meet?

The acceptance must comply with the terms of the offer and must be communicated to the person who proposed the deal.

Bank Secrecy Act

The act establishing the US Treasury Department as the lead agency for developing regulation in connection with anti-money laundering programs, which require broker/dealers to establish internal compliance procedures to detect abuses. Requires FIs to keep records and file reports on certain financial transactions (transactions over $10K; bank checks, drafts, cashier's checks and money orders over $3K).

What was the basis of the FTC action against Microsoft?

The action concerned MS's security representations about info collected through its "Passport" website service. The FTC alleged that representations of a high level of online security were misleading because the security of the PI was within the control not of MS, but of MS's vendors and business partners. The FTC also asserted that the Passport service collected and shared more info than disclosed in its privacy notice and claimed that the access controls for the children's website were inadequate.

What is acceptance?

The assent or agreement by the person to whom the offer was made that the offer is accepted.

What is usually a permissible reason for delaying a breach notification notice?

The breach is a result of criminal activity and investigation is pending

What were the charges in the FTC's 2010 case against Google?

The charges were that Google engaged in deceptive trade practices and violated its own privacy policies with the launch of its Google Buzz social networking service.

What may the commission do after an investigation?

The commission may initiate an enforcement action if it has reason to believe a law is being or has been violated. It issues a complaint.

Why would the company have incentives to negotiate?

The company avoids a prolonged trial, as well as negative, ongoing publicity; it also avoids the details of its business practices being exposed to the public.

What security flaws caused the enforcement action against BJ's?

The complaint stated that BJ's failed to encrypt the information and failed to secure wireless networks to prevent unauthorized access, among other security lapses.

What was the outcome of the Gateway case?

The consent decree stated that the retroactive application of material changes to the company's data sharing policy was an unfair trade practice. The settlement prohibited Gateway from sharing any PI collected from users under its initial privacy notice unless it obtained an affirmative opt-in from users. It also required Gateway to relinquish the money earned from renting consumer info.

What can the court do if consumers are harmed by the act or practice?

The court can order "redress" or mandate an injunction against a violator.

When an FTC investigation finds a company guilty of violating privacy, what are its two recourses?

The decision of the ALJ can be appealed to the commission and to federal district court. Orders by the commission become final 60 days after served upon the company.

What can the details of these consent decrees be used to do?

The details of these decrees provide guidance about what practices the FTC considers inappropriate.

How must disclosure be carried out?

The disclosure must be made "in as expedient a manner as possible."

How are the courts involved in a consent decree?

The document is approved by a judge.

Under FCRA, an employee investigation is not treated as a consumer report so long as:

The employer complies with FCRA; no credit info is used; notice is given to the employee if adverse action is taken.

What are the duties of the executive branch?

The executive branch's duties are to enforce and administer the law.

Authentication

The identification of an individual account user based on a combination of security measures.

Data Subject

The individual about whom information is being processed, such as the patient at a medical facility, the employee of a company, or the customer of a retail store.

What three things are required for an injury to be considered "unfair"?

The injury caused must be (1) substantial, (2) without offsetting benefits, and (3) one that consumers cannot reasonably avoid.

Data Breach

The intentional or unintentional release of secure information to an untrusted environment.

When did the concept of a personal privacy tort enter U.S. jurisprudence?

The late 1890s.

What is consideration?

The legal benefit received by one person and the legal detriment imposed on the other person.

What is the legislative branch's make-up?

The legislative branch is made up of elected representatives who write and pass laws. It includes the Congress (House and Senate).

Confidentiality

The obligation of an individual, organization or business to protect personal information and not misuse or wrongfully disclose that information.

What actions must be taken with an offer for it to qualify to form a contract?

The offer must be communicated to another person and remain open until it is accepted, rejected, retracted or has expired.

Redaction

The practice of identifying and removing or blocking information from documents being produced pursuant to a discovery request or evidence in a court proceeding.

What is "online behavioral advertising"?

The practice of tracking a consumer's online activities in order to deliver advertising targeted to the consumer's interests.

OECD - Purpose Specification

The purposes for which personal data are collected should be specified not later than at the time of collection, and the subsequent use limited to the fulfilment of those purposes or such others as are specified on each occasion of change of purpose.

Preemption

The right of a federal law or a regulation to preclude enforcement of a state or local law or regulation.

What is the Red Flags Rule?

The rule requires certain financial institutions and creditors to develop and implement written identity theft detection programs that can identify and respond to the red flags that signal identity theft.

What are the facts of the BJ's case?

The security flaws caused substantial injury to consumers and resulted in almost eight hundred cases of customer identity theft.

What is a defense to some of the traditional privacy torts?

The speaker is exercising free speech rights under the First Amendment.

Which agency is affected by the increasing use of Unmanned Aerial Vehicles (drones)?

The surveillance implications have raised issues for the Federal Aviation Administration (FAA).

What similarities are found between state and federal government?

The three branches are also often found at the state and often the local levels.

What is the exception to the CA law?

There is an exception for the good faith acquisition of PI by an employee or agent of the business, provided the PI is not used or subject to further unauthorized disclosure.

What are administrative enforcement actions?

These are carried out pursuant to the statutes that create and empower an agency, such as the FTC.

What is a strict liability tort?

These are wrongs that don't depend on the degree of carelessness by the defendant, but are established when a particular action causes damage.

What is an Intentional tort?

These are wrongs that the defendant knew / should have known would occur through their actions or inactions.

What is a negligent tort?

These occur when the defendant's actions were unreasonably unsafe.

What do rules and regulations passed by regulatory agencies do?

These rules and regulations place specific compliance expectations on the marketplace.

Describe one way in which other parts of the Department of Treasury are also involved with financial records issues.

They are involved in money-laundering rules at the Financial Crimes Enforcement Network.

What do federal circuit courts do?

They are not trial courts; they serve as appeals courts for federal cases.

How are agency opinions interpreted and used?

They do not carry the weight of law, but do give specific guidance to interested parties trying to interpret agency rules and regulations.

What do federal agencies in the executive branch do?

They implement the laws through rule making and enforce the laws through civil and criminal procedures.

What do U.S. laws often require around access?

They often provide for access and correction when the information is used for any type of substantive decision making, such as for credit reports.

Users of consumer reports must meet which requirements?

Third-party data for decision making must be accurate, current and complete; consumers must receive notice when third-party data is used to make adverse decisions; data may only be used for permissible purposes; consumers must have access to their consumer reports and an opportunity to dispute or correct errors.

To whom and what does CAN-SPAM apply?

This Act applies to anyone who advertises products or services by electronic mail directed to or originating from the U.S.; it is designed to provide a mechanism for legitimate companies to send emails to prospects while respecting individuals' rights to opt out of unwanted communications.

Name one reason the Google settlement was noteworthy.

This consent decree was the first in which a company agreed to implement a "comprehensive privacy program." As of 2012, it was not clear what exact elements a "comprehensive" program should contain. However the term "comprehensive" seems to signal that the FTC believes privacy should be thoroughly integrated with product development and implementation. To enforce, Google agreed to undergo independent third-party privacy audits on a biannual basis.

Sectoral Model

This framework protects personal information by enacting laws that address a particular industry sector.

Sectoral Model

This framework protects personal information by enacting laws that address a particular industry sector. In these countries, enforcement is achieved through various mechanisms, including regulatory bodies such as the FTC. Used by the US and Japan.

What are the domains of the ISO 27002 standard?

This standard defines an overarching security framework consisting of 133 specific controls organized around 39 control objectives.

How have FTC privacy enforcement actions been settled in practice?

Through consent decrees and accompanying consent orders.

What do some federal statutes, such as CAN-SPAM, allow state attorneys general to do?

To bring enforcement actions along with relevant federal agencies; some states allow private rights of action under their state UDAP laws, so individuals can bring suit against violators.

What does the consent decree require of the respondent?

To maintain proof of compliance with the decree; inform all related individuals of the consent decree obligations; provide the FTC with confirmation of its compliance with the decree; inform the FTC if company changes will affect the respondent's ability to adhere to its terms.

What does California require of companies and organizations doing in-state business?

To post privacy policies on their websites.

What is the purpose of the GPEN?

To promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.

What is the purpose of the three-branch government design?

To provide a separation of powers with a system of checks and balances among the branches.

What is a tort?

Torts are civil wrongs recognized by law as the grounds for lawsuits. These wrongs are those that result in an injury or harm that constitutes the basis for a claim by the injured party.

The EU Data Protection Directive states that personal data should not be processed unless 3 categories of conditions are met:

Transparency; legitimate purpose; proportionality.

Name one trend and one example of cross-border enforcement.

Trend: enforcement agencies in different countries must engage in closer cooperation. Example: in 2007, the OECD adopted the Recommendation on Cross-Border Co-operation in the Enforcement of Laws Protecting Privacy.

True / false: as of recently, the FTC has not put forth any privacy or information security regulation under its Magnuson-Moss authority.

True

True or False: US laws generally do not restrict geographic transfers of personal information

True

True/False: Each day the violator fails to comply with the order is considered a separate offense.

True

True/False: Each violation of such an order is treated as a separate offense.

True

True/false: A federal agency may sue a party in federal court, with the agency as the plaintiff in a civil action.

True

True/false: The application of Section 5 to privacy and information security is clearly established today

True

True/False: An agreement without consideration is not a contract.

True.

True/False: For enforcement under Section 5 of the FTC Act or state UDAP laws, self-regulation only occurs at the legislation stage.

True.

True/False: If your database contains only encrypted information, you are not subject to the CA law.

True.

True/False: If your databases contain only names and addresses, you are not subject to the CA law.

True.

True/False: Over time, consent decrees have become more specific in nature.

True.

True/False: The U.S. Constitution does not contain the word "Privacy".

True.

True/False: today, the FTC focuses on both antitrust law enforcement, and consumer protection

True.

True/false: Almost every agency in the federal government is or may soon become involved with privacy in some manner within that agency's jurisdiction.

True.

True/false: Review of nonprivacy decrees can be instructive for lawyers or others who seek to understand the FTC's approach to and priorities for consumer protection consent decrees.

True.

True/false: The future of the DAA's self-regulatory program is closely linked to ongoing policy debates about whether and how a Do Not Track program will be instituted.

True.

True/false: U.S. privacy laws have additional notice requirements.

True.

True/false: common law contrasts with law created by statute.

True.

True/false: some trade associations issue rules or codes of conduct for members.

True.

True/false: the FTC encourages greater self-regulation around location and other mobile-related services.

True.

True/false: the law provides for a private cause of action.

True.

True/false: there is uncertainty about the extent to which the EU and other jurisdictions will bring enforcement actions against companies that operate only in the US.

True.

True/false: More recent actions indicate the FTC's willingness to impose stringent information-handling practices.

True. In addition to consent decrees with Google and Facebook, in 2010 Twitter entered a consent decree promising to protect privacy and security and to implement a comprehensive security program subject to outside audit.

Name three countries with a sectoral approach to privacy

U.S., India, South Korea.

Which entity passed the CAN-SPAM Act?

U.S. Congress.

What is the name of the lead agency for interpreting the Privacy Act of 1974?

US Office of Management and Budget (OMB)

Define "breach of the security of the system".

Unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person.

When did the FTC begin to include the requirement of a comprehensive privacy program in consent decrees?

Under Chairman Leibowitz in 2009, as referenced in the Obama and FTC reports of 2012.

Qualified Protection Order (QPO)

Under HIPAA, a QPO prohibits the use or disclosure of PHI for any purpose other than the litigation for which the information was requested; it also requires the return of PHI to the covered entity at the close of litigation.

Texas Privacy Laws (Texas HIPAA)

Under the Texas law, covered entities (health care providers, health insurers, and health clearinghouses) must provide customized employee training regarding the maintenance and protection of electronic protected health information (PHI). Covered entities are required to tailor the employee training to reflect the nature of the covered entity's operations and each employee's scope of employment as they relate to the maintenance and protection of PHI. New employees must complete the training within 60 days of hire and all employees must complete training at least once every two years. Covered entities must maintain training attendance records for all employees.

The Texas law requires covered entities to provide patients with electronic copies of their EHR within fifteen days of the patient's written request for the records. This provision of the Texas law reduces the timeframe a covered entity has to produce EHR following a patient's request from thirty days under HIPAA. The law charges the Texas Health and Human Services Commission with establishing a standard format for releasing patient EHR that is consistent with federal laws.

HB 300 also requires the Texas Attorney General (AG) to establish and maintain a website that states and explains patients' privacy rights under Texas and federal law. The website will list the state agencies that regulate covered entities, and provide the agencies' contact information and each agency's complaint enforcement process. Under the new law, the AG must issue an annual report regarding the number and types of complaints pertaining to patient privacy issues.

What was the basis of the FTC's findings against BJ's Wholesale Club?

Unfair practices, because private data was not encrypted during transmission.

What did the FTC add to its enforcement scope in 2004?

Unfair practices, as well as the previously enforced deceptive practices.

What can be used to supplement access?

Updates or corrections to the information may be allowed.

Which areas of information security and information privacy overlap?

Use, confidentiality, access

Co-regulatory Model

Used in Australia and New Zealand, this model emphasizes industry development of enforceable codes or standards for privacy and data protection, against the backdrop of legal requirements by the government.

Co-regulatory Model

Used in Canada, Australia and New Zealand, this model emphasizes industry development of enforceable codes or standards for privacy and data protection, against the backdrop of legal requirements by the government.

Comprehensive Model

Used in the EU, this model governs the collection, use and dissemination of personal information in the public and private sectors through data protection law, generally with an official or agency responsible for overseeing enforcement.

Explain what is involved in physical and environmental security

Varies based on the needs of each company but can include in-house security, cameras, alarm systems, key control management, fences, gates and security checkpoints

What is typically found in children's online privacy laws?

1. Website operators must provide clear and conspicuous notice of the data collection methods being used
2. Age gate techniques
3. Parental consent prior to the collection of PI for children under the age of 13

Give an example of when someone could sue under state common law on a contract theory.

When a physician, financial institution or other entity holding sensitive information breaches a promise of confidentiality and causes harm.

Deceptive trade practice under FTC Section 5.

When companies state they will safeguard personal information but fail to do so. A violation of a promise made in a privacy notice is an example of deceptive trade practice.

What does the FTC consider an unfair practice?

When reasonable practices are not being followed.

How is case law utilized by the courts?

When similar issues arise in the future, judges look to past decisions as precedents and decide the new case in a manner consistent with past decisions.

When can cross-border conflicts arise?

When the privacy laws in one country prohibit disclosure of information, but laws in a different country compel disclosure.

In what circumstances do federal agencies wield power that is characteristic of all three branches of government?

When they are given authority by Congress to promulgate and enforce rules pursuant to law. This means they operate under statutes that give them legislative power to issue rules, executive power to investigate and enforce violations of rules/statutes, and judicial power to settle particular disputes.

What defines "meaningful" choice?

Where choice is offered, it should be meaningful, meaning it should be based on a real understanding of the implications of the decision.

When do states have the power to make laws?

Where federal law does not prevent it, states have the power to make law.

In what situations will the FTC proceed to full enforcement?

Where the violation is significant or there is a pattern of noncompliance.

What does the FTC investigate when a company posts a privacy notice?

Whether they adhere to their own policies; if not, the FTC will bring an enforcement action for deceptive trade practices.

Which state includes a DNA profile in its PI definition?

Wisconsin

What are legitimate reasons for employee monitoring?

Workplace safety, physical security, improving work quality, protecting trade secrets, cybersecurity

Explain cross-site scripting

XSS is code injected by malicious web users into web pages viewed by other users. The unauthorized content resulting from XSS appears on a web page and looks official, so users are tricked into thinking the site is legitimate and uncorrupted. XSS is the basis for many phishing attacks and browser exploits.

Does the executive branch include federal agencies that report directly to the President?

Yes

Can financial institutions share customer information with non-affiliated third party companies without obtaining opt-in from the customer?

Yes - this is permitted under GLBA

Does FACTA preempt state laws?

Yes, but states retain some powers to enact laws addressing identity theft.

Where there is no legal requirement to do so, do the vast majority of commercial websites post privacy notices?

Yes, according to an FTC survey conducted in 2000.

Are there other federal agencies involved in privacy enforcement?

Yes, although the FTC plays a leading role.

Do privacy rights ever create private rights of action?

Yes, and this allows an individual plaintiff to sue based on violations of the statute.

Can the decision of the five commissioners on appeal be appealed?

Yes, it can be appealed to the federal district court.

Can the Administrative Law Judge's opinion be appealed?

Yes, it can be appealed to the five commissioners.

Can FTC respondents face civil penalties for noncompliance with a consent decree?

Yes.

Can additional penalties be assessed if a company does not respond to a complaint or order?

Yes.

Even if you do business in CA, what is required for this law to apply to you?

You must have computerized data.

Define "opt-out"

A choice can be implied by the failure of the person to object to the use or disclosure.

What change to the FTC mission was made in 1938?

A statutory change caused the FTC mission to shift to a consumer protection focus.

What are some current privacy torts?

a. intrusion on seclusion;
b. public revelation of private facts;
c. interfering with a person's right to publicity;
d. casting a person in a false light.

What are two other names for privacy notices?

a. privacy statements
b. privacy policies (however, often internal only)

What are the goals of tort law?

a. provide relief for damages incurred;
b. deter others from committing the same wrongs.

What kinds of safeguards does GLBA require?

administrative security - program definition, management of workforce risks, employee training and vendor oversight
technical security - computer systems, networks and applications, access controls and encryption
physical security - facilities, environment and disaster recovery

HIPAA covered entities must provide privacy and security training to

all employees

Define "opt-in"

An affirmative indication of choice based on an express act of the person giving the consent.

A consumer report is

any communication by a CRA related to an individual that pertains to a person's:
• creditworthiness
• credit standing
• credit capacity
• character
• general reputation
• personal characteristics
• mode of living
and that is used in whole or in part for the purpose of serving as a factor in establishing a consumer's eligibility for credit, insurance, employment or other business purpose.

FCRA regulates

any consumer reporting agency that furnishes a consumer report.

What areas are regulated by laws enacted by federal Congress and state legislatures?

applications of information (use of information for marketing or pre-employment screening), certain industries (such as financial institutions or healthcare providers), certain data elements (SSNs or driver's license info), or specific harms (identity theft or children's online privacy)

What should a U.S.-based organization do before it shares personal information with a U.S.-based third party?

Ensure appropriate privacy terms and conditions are included in a contract with the third party.

When should choice and consent solicitations be made?

at the point of collection or as soon as practical afterwards

Define "jurisdiction"

authority of a court to hear a particular case

GINA (Genetic Information Nondiscrimination Act)

Became law on May 21, 2008; its basic purpose is to protect people from discrimination by health insurers and employers based on genetic information.
Amended: ERISA, SSA, Civil Rights Act.
No private right of action.

FCRA violations include

civil/criminal penalties; statutory damages of $1,000 per violation and $3,756 for willful violations

Under what conditions is a substitute breach notice allowed?

cost of notification

What provisions might a privacy contract contain?

data usage, data security, breach notification, jurisdiction, and damages. (A contract between an EU company and a US data processor might include a provision requiring the US company to be Safe Harbor certified/abide by the framework.)

Define "Notice"

description of an organization's information management practices.

A privacy impact assessment process helps

determine the risks associated with a new operation

FCRA is enforced by

dispute resolution, private right of action, and government actions (FTC, CFPB, State AGs)

EPHI

electronic protected health information

In what two forms is choice recognized?

express or implied.

To which agencies does the Privacy Act of 1974 apply?

federal agencies and private sector contractors to those agencies.

What is the primary basis of common law?

legal precedent and social customs

The act of video monitoring of the workplace is likely to survive a legal challenge under U.S. law provided that

monitoring is limited to non-private areas of the workplace.

National Do Not Call Registry (2003)

o Requires sellers and marketers to update their call lists every 31 days.
o Exceptions to list:
▪ Nonprofits calling on their own behalf
▪ Calls to customers with existing business relationships (EBRs)
▪ Inbound calls, provided there's no upsell of additional products/services
▪ Most business-to-business calls
▪ Consumer clearly and conspicuously opts in to calls
o Telemarketers can avoid liability under the DNC safe harbor if:
▪ Seller/telemarketer established and implemented written procedures to honor consumers' requests
▪ Seller/marketer has trained its personnel and any entity assisting in its compliance
▪ Seller/telemarketer has maintained and recorded an entity-specific DNC list
▪ Seller/telemarketer uses and maintains records documenting the DNC and National DNC within 31 days of the call
▪ Seller/telemarketer monitors and enforces compliance with the entity's DNC procedures

Examples of "special categories of data" in the EU

personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation

PHI

protected health information, individually identifiable health information transmitted or maintained in any form, held by a covered entity or its associate which identifies the individual or provides reasonable basis for identification.

Under FCRA, CRA's are required to

• provide consumers with access to the information in the report and a chance to dispute/correct errors
• ensure maximum possible accuracy of the report
• not report negative information that is outdated (7 years old)
• provide reports only to entities that have a permissible purpose
• maintain records regarding entities that received reports
• provide consumer assistance as required by the FTC

On what basis are state privacy enforcement actions brought?

pursuant to state laws prohibiting unfair and deceptive practices.

Is the US moving closer to the EU model of external regulation or closer to the self-regulatory model?

The self-regulatory model, which allows the industry, with its greater expertise about its systems, to create, establish and enforce the rules. The White House emphasizes a multistakeholder approach, including consumer groups and other stakeholders outside the industry.

Data Controller

someone who determines why and how personal data is processed

Where are the rules found for agency enforcement actions in the federal government?

the Administrative Procedure Act (APA).

What methods were used before the FTC began to use consent decrees in privacy cases?

the FTC's Bureau of Consumer Protection negotiated such decrees for other consumer protection issues under Section 5 of the FTC Act.

Give an example of pre-emption.

the U.S. federal government has mandated that state governments cannot regulate e-mail marketing; the federal CAN-SPAM Act preempts state laws that might impose greater obligations on senders of commercial electronic messages.

Security laws in the U.S. states often restrict

the display of Social Security numbers on identification cards.

Authentication is

the process by which a person or computer determines that another entity actually is who/what it claims to be

Which is one reason consent decrees are posted publicly on the FTC website?

to provide guidance about what practices the FTC finds inappropriate

What does Section 5 of the FTC Act declare unlawful?

unfair or deceptive acts or practices in or affecting commerce.

CRA notice provided to users must include

• users must have a permissible purpose
• users must provide certifications of permissible purpose
• users must notify consumers when adverse actions are taken, and the notice must include specific information about the CRA, the adverse action, and a statement of the user's rights

In the EU, of what must a data subject be informed before processing?

• who your company/organisation is (your contact details, and those of your DPO if any);
• why your company/organisation will be using their personal data (purposes);
• the categories of personal data concerned;
• the legal justification for processing their data;
• for how long the data will be kept;
• who else might receive it;
• whether their personal data will be transferred to a recipient outside the EU;
• that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);
• their right to lodge a complaint with a Data Protection Authority (DPA);
• their right to withdraw consent at any time;
• where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.

New Mexico HB15 - Breach Notification Law

• Breach notification law.
• The definition of "personal identifying information" includes biometric data, defined as an individual's "fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual's identity when the individual accesses a physical location, device, system or account."
• The law applies to unencrypted computerized data or encrypted computerized data when the encryption key or code is also compromised.
• Notice to the New Mexico Office of the Attorney General and the major consumer reporting agencies is required if more than 1,000 New Mexico residents are notified.
• Notice must be made to New Mexico residents (and the Attorney General and consumer reporting agencies if over 1,000 residents are notified) within 45 calendar days of discovery of a security breach.
• Third-party service providers are also required to notify the data owner or licensor within 45 days of discovery of a data breach.

