Alphabet Soup Flashcards
FTC
Federal Trade Commission.
* Lead agency for privacy enforcement
* Protects consumers against unfair and deceptive practices
* Enforces COPPA
* Lacks authority over financial institutions
OCC
Office of the Comptroller of the Currency. Supervises national banks and thrift institutions, as well as foreign banks that have federal licenses to operate in the United States.
HHS
Department of Health and Human Services.
HIPAA
Health Insurance Portability and Accountability Act.
* Applies to PHI
* Applies to covered entities.
FCC
Federal Communications Commission.
DOC
Department of Commerce
* Implements the EU-US Privacy Shield
CCPA
California Consumer Privacy Act
NAI
Network Advertising Initiative
BBB
Better Business Bureau
PCI DSS
Payment Card Industry Data Security Standard.
OECD
Organization for Economic Cooperation and Development. Developed GPEN. The US is a member of both.
GPEN
Global Privacy Enforcement Network - 5 Goals
* Exchange information about privacy issues
* Encourage sharing of information and expertise
* Promote dialogue among enforcement groups
* Facilitate international cooperation
* Support international privacy practices
GDPR
General Data Protection Regulation
* Claims worldwide jurisdiction over the personal information of EU residents
Standard Contractual Clauses
Binding Corporate Rules
Privacy Shield safe harbor
Not currently available. Schrems II.
APEC
Asia-Pacific Economic Cooperation
HIPAA Penalties
Civil
* $100 for first-time unknowing offenses, up to $50,000 for uncorrected willful neglect
Criminal
* $50k and one year in prison for knowingly obtaining protected information; up to $250k and 10 years in prison if the intent is to use it for commercial advantage, personal gain, or malicious harm
Unfair Business Practices
3 Requirements
* Must cause or be likely to cause substantial injury to customers
* Must not be reasonably avoidable
* Must not be outweighed by the benefits
Deceptive Business Practices
3 Requirements
* Must be a misleading representation, omission, or practice
* Must be analyzed from the perspective of a reasonable customer
* Must be material
How many people are in the House of Representatives?
435 members
How many people are in the Senate?
100 members
How many votes to overcome a veto?
2/3 majority in the House and Senate
Where are federal administrative laws encoded?
CFR - Code of Federal Regulations
How many votes to amend the constitution?
2/3 majority in Congress and 3/4 ratification by the States.
CFR
Code of Federal Regulations. Where federal administrative law is codified
Article 1
Legislative Branch
Article 2
Executive Branch
Article 3
Judicial Branch
UCC
Uniform Commercial Code
Article 4
Relationship between states
Article 5
Amending the constitution
Article 6
Supreme Law (Supremacy Clause)
Article 7
Ratification
FTC Enforcement Actions
Most FTC complaints are not resolved through formal processes but use two other settlement mechanisms.
* The FTC and the accused company may decide to informally resolve minor complaints by adjusting the company’s business practices.
* In more serious cases, the FTC and the company may enter into a consent decree.
Consent Decree
This is a formal, enforceable agreement between the company and the government requiring the modification of business practices. Generally lasts 20 years unless otherwise specified (the “Sunset Policy”).
LifeLock
Violated an FTC consent decree and was forced to renew the consent decree and pay a fine of $100m
CFPB
Consumer Financial Protection Bureau. Overall authority for protecting consumers in the financial industry.
Federal Reserve
Supervises and regulates banks operating in the US
NCUA
National Credit Union Administration. Similar regulations to the Federal Reserve.
FDIC
The Federal Deposit Insurance Corporation. Holds regulatory authority to examine and supervise financial institutions for safety, soundness, and consumer protection.
Chief Privacy Officer
A chief privacy officer has broad oversight over an organization’s privacy practices
Consent
Two types:
Opt-In Consent - Affirmative consent takes place when the user explicitly agrees to a privacy practice
Opt-Out Consent - Implicit consent occurs when the user does not take action to explicitly deny consent
PII
Personally Identifiable Information
Any information that can be used to distinguish an individual’s identity or any information that is either linked or linkable to an individual.
Privacy Notice Components (Generally)
* Types of information collected
* Purpose of data collection
* Methods of collection
* Times of collection
* Sharing of information
* Security controls
* Opt-in and opt-out procedures
* Contact information
Difference between Privacy Policy and Privacy Notice (1 key distinction)
Generally, Privacy Policies are internal documents, Privacy Notices are external documents
NIST
National Institute of Standards and Technology
NIST 800-61
Computer Security Incident Handling Guide
Incident response plan
Should include 5 components (per NIST 800-61)
* Policy and plan documentation
* Procedures for incident handling
* Guidelines for communicating externally
* Structure and staffing model for the team
* Description of relationships with other groups
Incident Response Policy
The cornerstone of the Incident Response Plan (Shouldn’t change often)
* Provides foundational authority for the program
* Defines incidents that fall under the policy
* Includes an incident prioritization scheme
Incident Response Procedures
Contain the details of the plan. Should be written clearly and provide actionable advice. Should include procedures for:
* Notification
* Escalation
* Reporting
* System isolation
* Forensic analysis
* Evidence handling
What to know about reporting a cyber security incident to law enforcement.
Generally not required. An investigation invites additional risks and regulations, including the likelihood that details of the incident will become public. Always report to law enforcement if there is a threat to safety or if you have a legal obligation to do so.
Basis for FTC Enforcement Actions
Corporate privacy policies often provide the basis for FTC enforcement actions.
COPPA
Children’s Online Privacy Protection Act
* Protects the PII of children under the age of 13
* Applies to commercial sites that are directed at children under the age of 13, or commercial sites that have knowledge that their site is being used by children under the age of 13
* Companies may avoid enforcement actions through self-regulation by participating in COPPA Safe Harbor Programs
* Enforced by the FTC
* COPPA does not apply to most nonprofit orgs
COPPA Privacy Requirements
* Post a clear and comprehensive privacy policy
* Notify parents of privacy practices
* Obtain verifiable parental consent prior to collecting, using, or disclosing information from children.
* Provide parents with the ability to review collected information and prohibit further use
COPPA Security Requirements
- Protect the confidentiality, security, and integrity of personal information
- Delete information when no longer needed
- Do not require that children provide unnecessary information
Wyndham
FTC alleged Wyndham suffered a series of data breaches as the direct result of their failure to implement reasonable security controls. FTC prevailed at the Court of Appeals.
HIPAA Covered Entities
- Healthcare providers who engage in certain electronic transactions
- Health plans
- Health information clearinghouses
- Business partners of HIPAA covered entities
PHI
Protected health information
BAAs
Business associate agreements
* Extend HIPAA to the business partners of covered entities
HIPAA Exceptions
- Employer records
- Education records covered by FERPA
- Deidentified information
HIPAA Privacy Rule key provisions
Governs the privacy of protected health information (PHI)
* Notice of privacy practices
* Permitted uses of PHI
* Minimum use and disclosure of PHI
* Right to review records
* Controls to protect confidentiality and integrity of PHI
HIPAA Security Rule
Governs the security of electronic protected health information (ePHI)
* Controls to protect confidentiality, integrity, and availability
* Identify and protect against threats
* Protect against impermissible uses or disclosures
* Ensure workforce compliance
HITECH
Health Information Technology for Economic and Clinical Health Act (2009), passed with the intent of modernizing health care.
* Incentivized the use of electronic health records
EHR
Electronic health records.
HITECH updates to HIPAA
- Breach notification requirements.
- Business associates must comply with the provisions of HIPAA allowing the federal government to take direct action against business associates who fail to comply with HIPAA rules.
- Strengthened privacy protections
Breach Notification Exceptions (HITECH → HIPAA)
- Encrypted information
- Unintentional access by employees (good faith)
- Inadvertent disclosures between authorized individuals.
- Disclosures to individuals who would not be able to retain the information.
Breach notification requirements (HITECH → HIPAA)
* Notify affected individuals within 60 days. (small breach)
* Notify the media if the breach affected more than 500 individuals (large breach)
* Notify covered entities of breaches by business associates
* Notify HHS of all data breaches. (within 60 days for large data breach, smaller breaches within the calendar year)
21st Century Cures Act
Introduces penalties for information blocking
* Fines up to $1m per violation.
Allows compassionate sharing of mental health and substance abuse treatment information with families and caregivers.
Introduces privacy provisions to facilitate biomedical research
Confidentiality of Substance Use Disorder Patient Records regulations
42 CFR Part 2.
Covers treatment records that could identify a patient
Applies to any substance abuse treatment program accepting federal funding.
Violations are criminal offenses with fines of $500 to $5,000 per violation.
Requires written patient consent for all disclosures of information
Exceptions to consent of Confidentiality of Substance Use Disorder Patient Records regulations
- medical emergencies
- Research
- audits and evaluations
- qualified service organizations
- child abuse and neglect
- reporting on-premises crimes and crimes against program personnel
- Court-ordered disclosures
FCRA
Fair Credit Reporting Act (1970). Applies to consumer reporting agencies.
* Limits permissible uses of credit reports
* Requires fair and accurate information reporting (correct and current). Negative information may only remain on an account for seven years.
* Provides the right to access and dispute information. Disputes must be resolved within 30 days.
* Requires notification of adverse actions taken because of any information provided in the report
Defining credit reports
Written, oral, or any other form of communication by a consumer reporting agency that provides information, used for credit or employment purposes, about a consumer’s:
* creditworthiness
* credit standing
* credit capacity
* character
* general reputation
* personal characteristics
* mode of living
Consumer Reporting Agencies
Any person or organization who regularly engages in the practice of assembling or evaluating consumer credit information and shares reports about that information with third parties. Users of credit reports must provide certification of their intended use.
When is sharing permitted with a third-party under the FCRA?
- responding to a court order
- with the written permission of the consumer
- with the third party meeting certain criteria, including:
1. facilitating credit transactions
2. making employment decisions
3. underwriting insurance policies
4. issuing licenses and government benefits
5. other legitimate business needs
Adverse Action Notices
Provided when an adverse action is taken because of information provided in a credit report. Requires:
* Contact information for the credit reporting agency (CRA)
* A statement that the CRA did not make the adverse decision
* Notice of right to access report
* Notice of right to dispute report
* Credit scores used to make decisions
CRA
Credit Reporting Agency.
FCRA Penalties
Weighted in favor of consumer rights. Consumers may recover:
* Actual damages
* Punitive damages
* Legal costs
FACTA
The Fair and Accurate Credit Transactions Act (2003) seeks to limit the risk of identity theft. Modifies the FCRA. Largely used to limit the information that can be obtained from a credit report for identity theft.
* Consumers may obtain free copies of their credit reports annually
* May place 90-day fraud alerts on their credit files (may be extended to 7 years for actual victims)
* Receipts may contain no more than 5 digits of the credit card number
* Red Flags Rule
* Disposal Rule (reasonable and appropriate destruction)
Red Flags Rule
Under FACTA. Requires institutions to have a written identity theft protection program. Doesn’t specify how beyond industry experience.
* Requires address change validation
* CRAs notify users when there is an address discrepancy
GLBA
Gramm-Leach-Bliley Act overhauled the regulation of financial institutions in the United States. Officially called the Financial Services Modernization Act of 1999.
* Applies to all businesses that are significantly engaged in providing financial products and services
* Financial Privacy Rule
* Safeguards Rule
GLBA Financial Privacy Rule
Limits how financial institutions may collect and share nonpublic personal information (NPI) of consumers.
* Provided to customers upon engagement and annually
* Describe privacy policies and practices
* Disclose third-party information sharing
* Describe information security policies and practices
* Provide the ability to opt out
NPIC
nonpublic personal information of consumers
GLBA Safeguards Rule
Requires that financial institutions develop a written information security plan describing how the institution protects the:
* Confidentiality
* Integrity
* Availability
of financial information.
GLBA Scope
This applies to all businesses that are significantly engaged in providing financial products and services, including:
* Banks
* Non-bank lenders
* Financial advisors
* Check cashing services
* Payday lenders
* Real estate appraisers
* Tax preparers
* Mortgage brokers
* ATM operators
* Colleges and universities that issue student loans
GLBA Privacy notice requirements
- Provided to customers upon engagement and annually
- Describe privacy policies and practices
- Disclose third-party information sharing
- Describe information security policies and practices
- Provide the ability to opt out
Customers vs. Consumers according to the GLBA
Consumers are individuals who engage in transactions with a financial institution. May be a one-time engagement. (Cashing a check). Consumers may receive a short-form notice of privacy requirements under the GLBA.
Customers are consumers who have an ongoing relationship with a financial institution. (opening an account). Customers must receive the institution’s full privacy notice.
GLBA security plans
Under the GLBA Safeguards Rule. Must:
* Designate one or more responsible employees
* Identify and assess risks
* Evaluate safeguard effectiveness
* Monitor and test safeguards
* Use secure service providers
* Evaluate and adjust the program as circumstances change
States with GLBA Exemptions
CCPA specifically excludes financial information collected under the GLBA. This does not exclude financial institutions from the requirements of the CCPA.
* California
* Colorado
* Nevada
* Virginia
Dodd-Frank Act
Dodd-Frank Wall Street Reform and Consumer Protection Act of 2008 reorganized the regulation of financial institutions. Most significantly, established the CFPB.
CFPB
Consumer Financial Protection Bureau took over rule-making authority for the FCRA and GLBA. Has the power to regulate unfair, deceptive, or abusive acts and practices toward consumers of financial products and services. Also regulates the use of credit reports in employee background checks.
UDAAPs
unfair, deceptive, or abusive acts and practices. Unfair and Deceptive similar to the definitions used by the FTC. Abusive Practice is new. Each act may be separate.
Abusive Practice
New under the CFPB.
* Materially interferes with the ability of a consumer to understand a term or condition
* Takes unreasonable advantage of 1) lack of consumer understanding, 2) inability to protect interests, or 3) reasonable reliance on providers to act in the consumer’s interest
FERPA and scope
Family Educational Rights and Privacy Act (1974). Applies to most educational institutions in the US.
* Covers all educational records
* Most colleges and universities
* Most public schools
* Does not apply to most private schools
* Parents hold the rights while the student is under 18; students hold the rights once over 18 or in postsecondary education
* Annual notice of rights to students/parents
Parental rights under FERPA
- Control disclosure of records to third parties
- Access student educational records
- Dispute information in student educational records
Educational Record types under FERPA
- Grades
- Transcripts
- Class lists
- Course schedules
- Health records (k-12)
- Financial records (postsecondary)
- Disciplinary records
FERPA record exclusions
- Law enforcement records maintained by campus police
- Application records of nonstudents
- Alumni records created after a student graduates
- Medical and mental health records for the treatment of students (usually)
- Sole-possession records unless shared (e.g., created by an individual faculty member)
- Peer graded work before it’s entered as a grade.
Permitted disclosures under FERPA
- Consent
- Not personally identifiable
- Directory information (not generally considered harmful or an invasion of privacy if disclosed: name, phone, address, major, etc.)
- Health or safety emergency
Permitted recipients of protected FERPA information without consent
- School officials with “legitimate educational interest”
- Other educational institutions
- Financial aid organization
- Researchers
- Accrediting agencies
- Law enforcement agencies
TCPA
Telephone Consumer Protection Act grants the FCC authority to regulate unsolicited advertising by phone and fax.
TSR
Telemarketing Sales Rule established by the FTC.
* Established Do Not Call Registry
* Calls may only be placed between 8 am and 9 pm
* Must display valid caller ID
* Identify themselves
* Live person within 2 seconds
* Automated calls only with express consent of the consumer
Do Not Call Registry
- Contains 200 million numbers
- Prohibits unsolicited sales calls to landlines and cell phones without explicit consent
- Telemarketers must purchase a subscription to the registry, update their database every 31 days
- Fines for violators over $43k per violation.
- Applies to only unsolicited sales calls.
Dish Network
$280m fine for violating restrictions of the Do Not Call Registry
Exceptions to Do Not Call Registry
- Debt collection calls
- Nonprofits seeking gifts
- Political calls
- Surveys
- Prior customers (18 months)
- Prospective customers who have inquired (3 months)
EBR
Existing Business Relationship exception to telemarketing laws.
* Prior customers (18 months)
* Prospective customers who have inquired (3 months)
* For JFPA: voluntary provision of fax number with opt-out instructions on first page
Telemarketing Safe Harbor
The exception for accidental violations of the Do Not Call Registry by a telemarketer.
* Must have written procedures for compliance
* Trained personnel on these procedures
* Monitor and enforce compliance
* Maintain internal do-not-call list
* Download the national registry every 31 days
* The violation must be a mistake
JFPA
Junk Fax Prevention Act
Illegal to send unsolicited advertisements by fax
* $500 fine per page
* $1500 fine per page if knowing or willful
CAN-SPAM Act
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003.
* Applies to commercial emails primarily
* FTC Enforcement - 7 rules
1. don’t use false or misleading header
2. don’t use deceptive subject line
3. identified as an advertisement
4. tell recipient where you’re located
5. provide opt-out instructions
6. honor opt-out promptly (within 10 business days)
7. monitor what others are doing on your behalf
Categories of emails under CAN-SPAM
Commercial, Transactional/Relationship, and other.
* Transactional: 1) facilitate or confirm a transaction, 2) provide warranty, etc., 3) change of terms, 4) employment relationship, 5) delivery of goods/services
Telecommunications Act
Telecommunications Act of 1996. Of particular interest is the CPNI.
CPNI
Customer Proprietary Network Information. Information related to a subscriber’s use of a telecommunications service. Regulated by the FCC.
* Call details, billing, services
* May be used internally
* May be used for customer communication, customer service, fraud prevention, billing and collections, and court orders or emergencies
* Other uses require consent
* Pretexting safeguards require passwords, or photo ID if in person
* Carriers must notify law enforcement of breaches
* Annual compliance certification with the FCC
CCPA
Cable Communications Policy Act
* Regulates the cable television industry
* Prohibited from collecting PII without prior consent unless necessary
* May not disclose PII unless required to provide service, absent a court order
* Annual notice of privacy practices to customers
* Customers may access PII and update/correct it
* PII destruction mandated after necessary use
* Private right of action
VPPA
Video Privacy Protection Act of 1988 prohibits wrongful disclosure of videotape rental or sales records.
* Courts have applied the VPPA to video streaming services.
GAPP
Generally Accepted Privacy Principles - 10 principles
1. Management - policies, procedures, and governance structure for data. Clearly define the roles of data owner, data steward, and data custodian.
2. Notice - subjects receive notice and access
3. Choice and consent
4. Collection - only collect what is disclosed
5. Use, retention, and disposal
6. Access - review and update for subjects
7. Disclosure to third parties
8. Security
9. Quality - accurate, complete, and relevant
10. Monitoring and enforcement, with a dispute resolution process
DPPA
Driver’s Privacy Protection Act regulates sharing of driver records by state DMVs. Several incidents of DMVs sharing information had dangerous consequences. Third-party sharing is also subject to DPPA provisions. Permitted sharing includes:
* government agencies
* stolen vehicles
* managing records and titles
* impounded vehicles
* criminal or civil proceedings and investigations
* research absent PII
* Employer verification
* tolls
* operation of motor vehicles
* public safety
RFPA
Right to Financial Privacy Act. Broadly covers financial institutions (banks, credit unions, money services businesses, document firms, casinos, and the post office).
* Applies only to requests made by federal agencies.
* Only covers specific customers.
* request must reasonably identify the records
* requests must be justified by one of the following: 1) customer authorization, 2) admin summons/subpoena, 3) judicial summons/subpoena, 4) search warrant, 5) written law enforcement request (absent summons/subpoena otherwise)
* Written notice to the customer is required, followed by 10 days from service or 14 days from mailing before records may be accessed.
BSA
Bank Secrecy Act of 1970 requires that financial institutions report certain customer information to the government. This act compels financial institutions to turn some records over to the government.
* Financial institutions must maintain records of customer activity for five years.
* CTR and SAR reporting required.
* Prohibits financial institutions from notifying customers they filed a SAR
CTR
Currency Transaction Reports
* Under the BSA, institutions must report cash transactions totaling more than $10k in a single day.
SAR
Suspicious Activity Report
* Under the BSA, institutions must report suspected money laundering activity and attempts to avoid CTRs.
4th Amendment as applied to digital communications
Creates the right to a “reasonable expectation of privacy”
ECPA
The Electronic Communications Privacy Act regulates government access to communications. Consists of 3 individual titles.
* Title 1 - Wiretap Act covering oral communications. Primarily allowing one-party consent for wiretaps in the ordinary course of business.
* Title 2 - Stored Communications Act. Emails. Texts. Voicemails.
* Title 3 - Covers the use of pen registers and trap and trace devices
Pen Registers vs. Trap and Trace
Pen registers record information about outbound communications; trap-and-trace capture inbound communications. The distinction is a relic; the same tech tracks both outbound and inbound communications today.
True or false. Federal access to communications preempts state laws.
False. Not necessarily; state laws may impose more stringent requirements. Most notably, many states require two-party consent for recording, while federally, one-party consent is the rule.
CALEA
Communications Assistance for Law Enforcement Act. No new authority for federal wiretapping. Requires that telecommunications carriers assist with the implementation of authorized wiretaps.
* Applies to telephone companies
* ISPs
* Voice over Internet Protocol (VoIP) service providers
FISA
Foreign Intelligence Surveillance Act of 1978. Passed after the Cold War. Section 702 of the FISA Amendments Act of 2008:
* The AG may authorize surveillance for one year if the sole purpose is to obtain foreign intelligence and there is no substantial likelihood of intercepting communications involving US persons.
* Court order may involve US persons if there is probable cause to believe that the person is an agent of a foreign power. Must be renewed every 90-120 days.
* Established Foreign Intelligence Surveillance Court consisting of 11 judges who hold secret hearings to decide matters involving classified evidence.
USA Patriot Act
Introduced expanded powers.
* Loosened requirements for surveillance of US citizens
* Created “roving” wiretaps
* Strengthened rules against money laundering
* Broadened powers of NSLs
* Allowed the government to demand “tangible items” including call detail records (Section 215)
NSLs
National Security Letters. Administrative subpoenas to secretly demand records from communication service providers. Can be issued by the FBI without the need for a federal judge. Companies receiving an NSL are prohibited from talking about them.
USA Freedom Act
Patriot Act of 2001 expired in 2015. USA Freedom Act 2015 extended some provisions and added new controls to the Patriot Act.
* Eliminated bulk collection of call details (Section 215)
* Prohibited bulk production orders for “tangible things” by the FBI
* Required the use of specific selector terms (telephone, email address, etc.)
* Requires judicial involvement
* Requires expert opinions in the FISA court. May send questions of law to the Supreme Court, subject to the declassification of FISA orders.
* NSLs must use specific selection terms; imposes a higher standard for gag orders and allows recipients to challenge NSLs in court
* Requires transparency letters by companies receiving NSLs
CISA
The Cybersecurity Information Sharing Act of 2015 (CISA) facilitates information sharing. Does not require private orgs to share information with the government but seeks to make it easier to do so.
* Authorize sharing of threat intelligence between the government and the private sector
* Protects shared information from disclosure
* Requires redaction of personal information shared
* Limits liability for security monitoring.
Zurcher v. Stanford Daily
Birth of the Third-Party Doctrine
* The 4th Amendment does not prohibit searches of third parties.
* The 1st Amendment does not prohibit searches of newspapers.
Privacy Protection Act
Passed in response to Zurcher v. Stanford Daily. Applies to disseminators of information to the public and protects work products and documentary materials from search warrants.
* requires the use of subpoena or voluntary cooperation
Department of Labor Authority
Administers and Enforces over 100 labor laws, including:
* Fair Labor Standards Act (FLSA)
* Occupational Safety and Health Act (OSHA)
* Employee Retirement Income Security Act (ERISA)
* Employee Polygraph Protection Act (EPPA)
* Family and Medical Leave Act (FMLA)
EEOC
Equal Employment Opportunity Commission enforces prohibitions on employment discrimination. Requires record retention on employment decisions for 1 year (generally) and 2 years for federal contractors.
NLRB
National Labor Relations Board regulates the rights of workers to organize in labor unions.
SEC
The Securities and Exchange Commission requires reporting of human resources information by publicly traded companies. So far only requires reporting the number of people employed. May be new regulations in the future.
CRA
Title 7 of the Civil Rights Act.
Prohibits discrimination on the basis of sex, race, color, national origin, or religion.
ADA
Americans with Disabilities Act prohibits discrimination against individuals with disabilities. To gain protections in employment, the individual must meet the requirements of the job and be able to perform its functions with reasonable accommodation. Prohibits the use of medical examinations in employment decisions.
GINA
The Genetic Information Nondiscrimination Act prohibits the use of genetic information in employment decisions.
FCRA and background screening.
Fair Credit Reporting Act. Not limited to financial information.
* Must provide applicant written notice and obtain written consent
* Certify to the credit reporting agency that you provided notice, obtained consent, and will not discriminate
* Investigative report must include a description and scope of the investigation.
EPPA
Employee Polygraph Protection Act prohibits the use of lie detectors in most employment settings. Does not apply to federal, state, or local governments. May be used in some cases of employee theft.
Drug testing regulations.
Generally not prohibited by federal law, however, state laws vary widely and the ADA covers alcoholism and past drug use.
SCA
Stored Communications Act
Does the target of an employer investigation require notice or consent?
No.
Does the target of an employer investigation need to be given a copy of the investigation report?
No.
If an employer takes an adverse action against an employee based on an investigation into misconduct, what must be provided to the employee?
The summary report must be provided to the employee and include the nature and substance of the report. It may exclude witness names. Report may only be shared within the organization or otherwise required by law.
CFIPA
California Financial Information Privacy Act, Senate Bill 1 (SB 1)
* Expands on the GLBA
* Restricts financial institution sharing of customer information with third parties; shifts to opt-in consent requiring written consent
* Requires notification to customers of the privacy policy in a separate document titled “Important Privacy Choices for Consumers”
CalECPA
California Electronic Communications Privacy Act expands on the federal ECPA. Restricts state law enforcement authorities’ access to electronic information in two ways:
1) access to service provider records by warrant, court order, or subpoena,
2) access to electronic devices by warrant, wiretap order, consent of the customer, or certification of an emergency situation (death or serious injury)
* Only applies to CA law enforcement agencies
CCPA
California Consumer Privacy Act, modeled after GDPR
* right to know what personal information a business collects
* right to know how that information is sold or shared with third parties
* right to opt out of the sale of personal information
* right to access (review) the information collected
* right to request deletion of the information
What are the two CCPA acronyms?
California Consumer Privacy Act
Cable Communications Policy Act
CPRA
California Privacy Rights Act (passed 2020, effective 2023); amends and expands the CCPA
* Creates a new category of Sensitive Personal Information (SPI) that is more highly regulated under CPRA. Businesses need additional protections around SSNs, driver's license numbers, financial account information, precise geolocation, the contents of non-public communications, health and genetic information, and information about an individual's ethnicity, religion, philosophy, sex life, or union membership
* right to correct
* right to limit use and disclosure of SPI
* right to information about automated decision-making concerning the consumer
* right to opt out of automated decision-making
Colorado Privacy Act
Similar to CCPA and CPRA.
* Applies to businesses that conduct business in Colorado or target Colorado residents and that either process the personal data of 100,000 or more residents, or process the personal data of 25,000 or more residents and derive revenue from the sale of that data
* Does apply to nonprofit organizations
* Does not apply to employment (employer/employee) data
* Does not contain a private right of action
DOPPA
Delaware Online Privacy and Protection Act
1. Websites must post a privacy policy that is conspicuous, identifies the PII collected and any third-party sharing, discloses how the site responds to "do not track" requests, and explains how users are notified of changes to the policy
2. E-book (book service) providers may not disclose user information absent a court order or subpoena
3. Websites targeting children must restrict advertising (prohibited: alcohol, tobacco, drug paraphernalia, firearms, fireworks, tanning services, dietary supplements, lottery/gambling, body modification, and sexually oriented material)
Illinois Personal Information Protection Act
- Implement reasonable security measures to protect PII of Illinois residents
- Delete PII when no longer needed
- Notify residents of data breaches affecting their PII
SOPPA
Student Online Personal Protection Act (Illinois); similar in purpose to the federal FERPA
* gives parents greater control over student information
* requires data breach notification
* applies both to schools/government agencies and to educational technology companies
Nevada SB 538
- Websites that collect any of the following PII are required to post a privacy policy. PII includes names, addresses, email addresses, phone numbers, SSNs, and any other identifiers
- The notice requires 5 elements: 1) categories of PII collected, 2) the process to review and correct PII, 3) the process for notifying users of policy changes, 4) disclosure of third-party tracking services, 5) an effective date
- Violators are subject to fines of up to $5,000 per violation
Nevada SB 260
Expanded the law to cover data brokers who purchase PII
NJPIPPA
The New Jersey Personal Information and Privacy Protection Act regulates the scanning of identification cards by retail establishments (with several reasonable exceptions), prohibits using or sharing the information collected for other purposes, and requires that violations and breaches be reported to authorities.
* Includes a private right of action and fines up to $5k
NYDFS
New York State Department of Financial Services regulates banks, insurance companies, and financial service providers. Published a comprehensive cybersecurity regulation (23 NYCRR 500) for the industries it supervises.
* Requires all covered entities to create a risk-based cybersecurity program that addresses the confidentiality, integrity, and availability of their information systems
* Covered entities must designate a Chief Information Security Officer (CISO)
VCDPA
Virginia Consumer Data Protection Act (effective 2023)
* Applies to businesses that conduct business in Virginia or target Virginia residents
* Exemptions: Virginia government bodies, financial institutions subject to GLBA, covered entities and business associates subject to HIPAA, nonprofits, and institutions of higher education
* No private right of action
Washington State's biometric privacy law
Controls the commercial use of biometric identifiers.
* Excludes photographs and video and audio recordings from the definition of biometric identifier
* Companies may not enroll biometric identifiers in a database for a commercial purpose without providing notice, obtaining consent, or providing a mechanism to prevent subsequent commercial use
* Limits sharing with third parties
* Collected biometric data must be protected against unauthorized access, retained no longer than needed, and used only for the agreed-upon purpose
Does the federal government have a general data breach notification law?
No.
Which states were the first and last to pass data breach notification laws?
California (first, 2002) and Alabama (last, 2018)
Tennessee SB 2005
- Includes encrypted information in the definition of PII (removes the encryption safe harbor)
- Shortens the breach notice period to 45 days
- Defines data breach to include access by employees for illegal purposes
Illinois HB 1260
Expands the definition of PII to include medical/health insurance information, biometric data, and usernames or email addresses combined with passwords
* Removes the encryption safe harbor if the encryption key was also compromised
California AB 2828
- Removes the encryption safe harbor if the encryption key was also compromised
- Allows businesses to delay notification of a breach at the request of law enforcement
New Mexico HB 15
- Includes biometric data in the definition of PII
- Requires breach notification to the NM Attorney General if more than 1,000 residents are affected
- Exempts GLBA- and HIPAA-covered entities
- Requires secure data storage and disposal