Alphabet Soup Flashcards

Question

How many votes to amend the constitution?

Answer 1

2/3 Majority in congress and 3/4 ratification by the States.

Answer 2

Code of Federal Regulations. Where federal administrative law is codified

Answer 3

Legislative Branch

Answer 4

Executive Branch

Answer 5

Judicial Branch

Answer 6

Uniform Commerical Code

Answer 7

Relationship between states

Answer 8

Amending the constitution

Answer 9

Supreme Law

Answer 10

Ratification \

Answer 11

Most FTC complaints are not resolved through formal processes but use two other settlement mechanisms. * The FTC and the accused company may decide to informally resolve minor complaints by adjusting the company's business practices. * In more serious cases, the FTC and the company may enter into a consent decree.

Answer 12

This is a formal, enforceable, agreement between the company and the government requiring the modification of business practices. Generally lasts 20 years unless otherwise specified. "Sunset Policy"

Answer 13

Violated at FTC consent decree and was forced to renew the consent decree and pay a fine of $100m

Answer 14

Consumer Financial Protection Bureau. Overall authority for protecting consumers in the financial industry.

Answer 15

Supervises and regulates banks operating in the US

Answer 16

National Credit Union Association. Similar regulations to the federal reserve.

Answer 17

The Federal Deposit Insurance Corporation. Holds regulatory authority to examine and supervise financial institutions for safety, soundness, and consumer protection.

Answer 18

A chief privacy officer has broad oversight over an organization's privacy practices

Answer 19

Two types: Opt-In Consent - Affirmative consent takes place when the user explicitly agrees to a privacy practice Opt-Out Consent - Implicit consent occurs when the user does not take action to explicitly deny consent

Answer 20

Personally Identifiable Information Any information that can be used to distinguish an individual's identity or any information that is either linked or linkable to an individual.

Answer 21

*Types of information collected *Purpose of data collection *Methods of collection *Times of collection *Sharing of information *Security controls *Opt-in and opt-out procedures *Contact information

Answer 22

Generally, Privacy Policies are internal documents, Privacy Notices are external documents

Answer 23

National Institute of Standards and Technology

Answer 24

Computer Security Incident Handling Guide

Answer 25

Should include 5 components (per NIST 800-61) *Policy and plan documentation *Procedures for incident handling *guidelines for communicating externally *structure and staffing model for the team *Description of relationships with other groups

Answer 26

The cornerstone of the Incident Response Plan (Shouldn't change often) *Provides foundational authority for the program *Defines incidents that fall under the policy *Include an incident prioritization scheme

Answer 27

Contain the details of the plan.Should be written clearly and provide actionable advice. Should include procedures for: *notification *escalation *Reporting *system isolation *forensic analysis *evidence handling

Answer 28

Generally not required. An investigation invites additional risks and regulations. The likelihood that details of the incident will become public. Always report to law enforcement if there is a threat to safety or if you have a legal obligation to do so.

Answer 29

Corporate privacy policies often provide the basis for FTC enforcement actions.

Answer 30

Children's Online Privacy Protection Act * Protects the PII of children under the age of 13 * Applies to commercial sites that are directed at children under the age of 13 or if commercial sites have knowledge that their site is being used by children under the age of 13. * Companies may avoid enforcement actions through self-regulation by participating in COPPA Safe Harbor Programs. Enforced by the FTC * COPPA does not apply to most nonprofit orgs

Answer 31

*Post a clear and comprehensive privacy policy * Notify parents of privacy practices * Obtain verifiable parental consent prior to collecting, using, or disclosing information from children. * Provide parents with the ability to review collected information and prohibit further use

Answer 32

* Protect the confidentiality, security, and integrity of personal information * Delete information when no longer needed * Do not require that children provide unnecessary information

Answer 33

FTC alleged Wyndham suffered a series of data breaches as the direct result of their failure to implement reasonable security controls. FTC prevailed at the Court of Appeals.

Answer 34

* Healthcare providers who engage in certain electronic transactions *Health plans * Health information clearinghouses * Business partners of HIPAA covered entities

Answer 35

Protected health information

Answer 36

Business associate agreements * Extend HIPAA to the business partners of covered entities

Answer 37

* Employer records * Education records covered by FERPA * Deidentified information

Answer 38

Governs the privacy of protected health information (PHI) * Notify of privacy practices * Permitted uses of PHI * Minimum use and disclosure of PHI * Right to review records * Controls to protect confidentiality and integrity of PHI

Answer 39

Governs the security of electronically protected health information (ePHI) * Controls to protect confidentiality, integrity, and availability * Identify and protect against threats * Protect against impermissible uses of disclosures * Ensure workforce compliance

Answer 40

Health Information Technology for Economic and Clinical Health Act (2009) with the intent of modernizing health care. *Incentivized the use of electronic health records.

Answer 41

Electronic health records.

Answer 42

* Breach notification requirements. * Business associates must comply with the provisions of HIPAA allowing the federal government to take direct action against business associates who fail to comply with HIPAA rules. * Strengthened privacy protectio

Answer 43

* Encrypted information * Unintentional access by employees (good faith) * Inadvertent disclosures between authorized individuals. * Disclosures to individuals who would not be able to retain the information.

Answer 44

Breach notification requirements. * Notify affected individuals within 60 days. (small breach) * Notify the media if the breach affected more than 500 individuals (large breach) * Notify covered entities of breaches by business associates * Notify HHS of all data breaches. (within 60 days for large data breach, smaller breaches within the calendar year)

Answer 45

Introduces penalties for information blocking * Fines up to $1m per violation. Allows compassionate sharing of mental health and substance abuse treatment information with families and caregivers. Introduces privacy provisions to facilitate biomedical research

Answer 46

42 CFR Part 2. Covers treatment records that could identify a patient Applies to any substance abuse treatment program accepting federal funding. Violations are criminal offenses with fines of up to $500- $5000 per violation. Requires written patient consent for all disclosures of information

Answer 47

* medical emergencies * Research * audits and evaluations * qualified service organizations * child abuse and neglect * reporting on-premises crimes and crimes against program personnel * Court-ordered disclosures

Answer 48

Fair Credit Reporting Act (1970). Applies to consumer reporting agencies. * Limites permissible uses of credit reports * Requires fair and accurate information reporting. (correct and current). Negative information may only be on an account for seven years. * Provides right to access and dispute information. Disputes must be resolved within 30 days. requires notifying consumers of adverse actions taken because of any information provided in the report. * Requires notification of adverse actions

Answer 49

written, oral, or any other form of communication by a consumer reporting agency that provides information that may be used for the purpose of credit or employment purposes * creditworthiness * credit standing * credit capacity * character * general reputation * personal characteristics * mode of living

Answer 50

Any person or organization who regularly engages in the practice of assembling or evaluating consumer credit information and shares reports about that information with third parties.Users of credit reports must provider certification of their intended use.

Answer 51

* responding to a court order * with the written permission of the consumer * or with the third-party meeting certain criteria including 1. facilitating credit transactions 2. making employment decisions 3. underwriting insurance policies 4. issuing licenses and government benefits 5. other legitimate business needs

Answer 52

Provided with an adverse action is taken because of information provided in a credit report. Requires: * Contact information for a credit reporting agency (CRA) * A statement that the CRA did not make the adverse decision * Notice of right to access report * Notice of right to dispure report * Credit scores used to make decisions.

Answer 53

Credit Reporting Agency.

Answer 54

Weighted in favor of consumer rights. Consumers may recover * Actual damages * Punitive damages * legal costs

Answer 55

The Fair and Accurate Credit Transactions Act seeks to limit the risk of identity theft. (2003). Modifies FCRA. Largely used to limit information obtained in a credit report for identity theft. * Consumers may obtain free copies of their credit reports annually. * May place 90-day fraud alerts on their credit files. (may extend to 7 years if a victim in fact) * Reciepts may contain no more than 5 digits of a credit card on a receipt. * Red Flag Rule * DIsposal Rule (reasonable and appropriate destruction)

Answer 56

Under FACTA. Requires institutions to have a written identity theft protection program. Doesn't specify how per se beyond industry experience. *Requires address change validation *CRA's notify users when there is an address discrepancy.

Answer 57

Gramm-Leach-Bliley Act overhauled the regulation of financial institutions in the United States. Officailly called the Financial Services Modernization Act of 1999. * Applies to all businesses that are significantly engaged in providing financial products and services * Financial Privacy Rule * Safeguards Rule

Answer 58

Limits how financial institutions may collect and share nonpublic personal (NPI) of consumers. * provided to customers upon engagement and annually * describe privacy policies and practices *disclose third-party information sharing *describe information security policies and practices *provide the ability to opt out

Answer 59

nonpublic personal information of consumers

Answer 60

Requires that financial institutions develop a written information security plan. Requires how institutions protect the *Confidentiality *Integrity *Availability of financial information.

Answer 61

This applies to all businesses that are significantly engaged in providing financial products and services. Including: * banks *non-bank lenders *financial advisors *check cashing services * payday lenders *real estate appraisers *tax preparers *mortgage brokers *ATM operators *Colleges and Universities that issue student loans

Answer 62

* provided to customers upon engagement and annually * describe privacy policies and practices *disclose third-party information sharing *describe information security policies and practices *provide the ability to opt out

Answer 63

Consumers are individuals who engage in transactions with a financial institution. May be a one-time engagement. (Cashing a check). Consumers may receive a short-form notice of privacy requirements under the GLBA. Customers are consumers who have an ongoing relationship with a financial institution. (opening an account). Customers must receive the institution's full privacy notice.

Answer 64

Under the GLBA Safeguards Rule. Must: * Designate one or more responsible employees. * Identify and assess risks * Evaluate safeguard effectiveness. *Monitor and test safeguards * Use secure service providers *Evaluate and Adjust program as circumstances change

Answer 65

CCPA specifically excludes financial information collected under GLBA. This does not exclude financial institutions from the requirements of CCPA. *California *Colorado *Nevada *Virginia`

Answer 66

Dodd-Frank Wall Street Reform and Consumer Protection Act of 2008 reorganized the regulation of financial institutions. Most significantly, established the CFPB.

Answer 67

Consumer Financial Protection Bureau took over rule-making authority for the FCRA and GLBA. Has the power to regulate unfair, deceptive, or abusive acts and practices by consumers of financial products and services. Also regulates the use of credit reports in employee background checks.

Answer 68

unfair, deceptive, or abusive acts and practices. Unfair and Deceptive similar to the definitions used by the FTC. Abusive Practice is new. Each act may be separate.

Answer 69

New under the CFPB. * Materially interferes with the ability of a consumer to understand a term or condition. *Takes unreasonable advantage of 1) lack of consumer understanding, 2) inability to protect interests, or 3) reasonable reliance of providers to act in the consumer's interest

Answer 70

Family Educational and Privacy Act (1974). Applies to most educational institutions in the US. * Covers all educational records * Most colleges and universities * Most public schools *Does not apply to most private schools * Parents maintain rights under the age of 18; Students maintain rights over 18 or postsecondary education. * Annual notice of rights to students/parents

Answer 71

* Control disclosure of records to third parties * Access student educational records * Dispute information in student educational records

Answer 72

* Grades * Transcripts * Class lists * Course schedules * Health records (k-12) * Financial records (postsecondary) * Disciplinary records

Answer 73

* Law enforcement records maintained by campus police * Application records of nonstudents * Alumni records created after a student graduates * Medical and mental health records for the treatment of students (usually) * Sole-possession records unless shared (eg. created by an individual faculty member) * Peer graded work before it's entered as a grade.

Answer 74

* Consent * Not personally identifiable * directory information (not generally be considered harmful or an invasion of privacy if disclosed: name, phone, address, major, etc.) * Health or safety emergency

Answer 75

* School officials with "legitimate educational interest" * Other educational institutions * Financial aid organization * Researchers * Accrediting agencies * Law enforcement agencies

Answer 76

Telephone Consumer Protection Act grants authority to FCC regulated unsolicited advertising by phone and fax.

Answer 77

Telemarketing Sales Rule established by the FTC. * Established Do Not Call Registry * Calls may only be placed between 8 am-9 pm * Must display valid caller ID * Identify themselves * Live person within 2 seconds * Automated calls only with express consent of the consumer

Answer 78

* Contains 200 million numbers * Prohibits unsolicited sales calls to landlines and cell phones without explicit consent * Telemarketers must purchase a subscription to the registry, update their database every 31 days * Fines for violators over $43k per violation. * Applies to only unsolicited sales calls.

Answer 79

$280m fine for violating restrictions of the DO Not Call Registry

Answer 80

* Debt collection calls * Nonprofits seekings gifts * Political calls * Surveys * Prior customers (18 months) * Prospective customers who have inquired (3 months)

Answer 81

Existing Business Relationship exception to telemarketing laws. * Prior customers (18 months) * Prospective customers who have inquired (3 months) * For JFPA: voluntary provision of fax number with opt-out instructions on first page

Answer 82

The exception to accidental violation of Do Not Call Registry by a telemarketer. * Must have written procedures for compliance * Trained personnel on these procedures * Monitor and enforce compliance * Maintain internal do-not-call list * Download the national registry every 31 days * must be a mistake

Answer 83

Junk Fax Prevention Act Illegal to send unsolicited advertisement by fax * $500 fine per page * $1500 fine per page is knowing or willful

Answer 84

Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003. * Applies to commercial emails primarily * FTC Enforcement - 7 rules 1. don't use false or misleading header 2. don't use deceptive subject line 3. identified as an advertisement 4. tell recipient where you're located 5. provide opt-out instructions 6. honor opt-out promptly (within 10 business days) 7. monitor what others are doing on your behalf

Answer 85

Commercial, Transactional/Relationship, and other. * Transactional: 1) facilitate or confirm a transaction, 2) provide warranty, etc. 3) change of terms, 4.) employment relationship, 5) delivery of goods/services

Answer 86

Telecommunications Act of 1996. Particularly interest in the CPNI

Answer 87

Customer Proprietary Network Information. Information related to a subscriber's use of a telecommunications service. Regulated by the FCC * call details, billing, services. * may be used internally * may be used for customer communication, customer service, fraud prevention, billing and collections, and court order or emergency. * Other use require consent\ * pretext security requiring passwords or photo ID if in person. * carriers require law enforcement notification if breach. * annual compliance certification with the FCC

Answer 88

Cable Communications Policy Act * Regulated cable television industry. * prohibited from collecting PII w/o prior consent unless necessary * may not disclose PII unless required to provide service absent court order * annual notice of privacy practices to customers * customers may access PII and update/correct * PII destruction mandated after necessary use * Private right of action

Answer 89

Video Privacy Protection Act of 1988 prohibits wrongful disclosure of videotape rental or sales records. * Courts have adopted VPPA to video streaming services.

Answer 90

Generally Accepted Privacy Principles - 10 principles 1. management - policies, procedures, governance structure for data. Clearly define roles of data owner, data steward, and data custodian. 2. Notice - subjects recieve notice and access 3. choice and consent 4. collection - only collect what is disclosed 5. use, retention, and disposal 6. access - review and update for subjects 7. disclosure to third parties 8. security 9. quality - accurate, complete, and relevant 10. monitoring and enforcement, with dispute resolution process.

Answer 91

Driver's Privacy Protection Act regulates sharing of driver records by state DMV. Several incidents of DMV's sharing information with dangerous consequences. Third-party sharing also subject to DPPA provisions. May share with * government agencies * stolen vehicles * managing records and titles * impounded vehicles * criminal or civil proceedings and investigations * research absent PII * Employer verification * tolls * operation of motor vehicles * public safety

Answer 92

Right to Financial Privacy Act. Broadly covers financial institutions (banks, credit unions, money services businesses, document firms, casinos, and the post office). * Applies only to requests made by federal agencies. * Only covers specific customers. * request must reasonably identify the records * requests must be justified by one of the following: 1) customer authorization, 2) admin summons/subpoena, 3) judicial summons/subpoena, 4) search warrant, 5) written law enforcement request (absent summons/subpoena otherwise) * Written notice to customer required and then 10 days from service or 14 days from mailing to access records.

Answer 93

Bank Secrecy Act of 1970 requires that financial institutions report certain customer information to the government. This act compels financial institutions to turn some records over to the government. * Financial institutions must maintain records of customer activity for five years. * CTR and SAR reporting required. * Prohibits financial institutions from notifying customers they filed a SAR

Answer 94

Currency Transaction Reports * Under the BSA institutions must report case transactions totaling more than 10k in a single day.

Answer 95

Suspicious Activity Report * Under the BSA institutions must report suspected money laundering activity attempts to avoid CTRs

Answer 96

Creates the right to a "reasonable expectation of privacy"

Answer 97

The Electronic Communications Privacy Act regulates government access to communications. Consists of 3 individual titles. * Title 1 - Wiretap Act covering oral communications. Primarily allowing one-party consent for wiretaps in the ordinary course of business. * Title 2 - Stored Communications Act. Emails. Texts. Voicemails. * Title 3 - Covers the use of pen registers and trap and trace devices

Answer 98

Pen registers record information about outbound communications; trap-and-trace capture inbound communications. The distinction is a relic; the same tech tracks both outbound and inbound communications today.

Answer 99

False. Not necessarily, state laws may have more stringent requirements. Most notably, many states require two-party consent to be recorded, while federally, one-party consent is the rule.

Answer 100

Communications Assistance to Law Enforcement Act. No new authority for federal wiretapping. Requires that telecommunications carriers assist with the implementation of authorized wiretaps. * Applies to telephone companies * ISPs * Voice oper Internet Protocol service providers (VoIP)

Answer 101

Foreign Intelligence Surveillance Act of 1978. Passed after the Cold War. Section 702 of the FISA Amendments Act of 2008: * The AG may authorize surveillance for one year if the sole purpose is to obtain foreign intelligence and there is no substantial likelihood of intercepting communications involving US persons. * Court order may involve US persons if there is probable cause to believe that the person is an agent of a foreign power. Must be renewed every 90-120 days. * Established Foreign Intelligence Surveillance Court consisting of 11 judges who hold secret hearings to decide matters involving classified evidence.

Answer 102

Introduced expanded powers. * Loosened requirements for surveillance of US citizens * Created "roving" wiretaps * Strengthed rules against money laundering * Broardened powers of NSL's * Allowed government to demand "tangible items" including call detail records.(Section 215)

Answer 103

National Security Letters. Administrative subpoenas to secretly demand records from communication service providers. Can be issued by the FBI without the need for a federal judge. Companies receiving a NSL are prohibited from talking about them.

Answer 104

Patriot Act of 2001 expired in 2015. USA Freedom Act 2015 extended some provisions and added new controls to the Patriot Act. * Eliminated bulk collection of call details. (SEction 215) * Prohibited protection orders of bulk "tangible things" from the FBI * Required the use of specific selector terms (telephone, email address, etc) * Requires judicial involvement * Required expert opinions required in FISA court. May send questions of law to the Supreme Court, subject to the declassification of FISA orders. * NSL's must require specific selction terms, imposes a higher standard for gag orders, and allows recipients to challenge NSLs in court. * Requires transparency letters by companies recieving NSLs.

Answer 105

The Cybersecurity Information Sharing Act of 2015 (CISA) facilitates information sharing. Does not require private orgs to share information with the government but seeks to make it easier to do so. * Authorize sharing of threat intelligence between the government and the private sector * Protects shared information from disclosure * Requires redaction of personal information shared * Limits liability for security monitoring.

Answer 106

Birth of the Third-Party Doctrine * The 4th Amendment does not prohibit searches of third parties. * The 1st Amendment does not prohibit searches of newspapers.

Answer 107

Passed in response to Zurcher v. Stanford Daily. Applies to disseminators of information to the public and protects work products and documentary materials from search warrants. * requires the use of subpoena or voluntary cooperation

Answer 108

Introduced expanded powers. * Loosened requirements for surveillance of US citizens * Created "roving" wiretaps * Strengthed rules against money laundering * Broadened powers of NSL's * Allowed government to demand "tangible items" including call detail records.(Section 215)

Answer 109

Administers and Enforces over 100 labor laws, including: * Fair Labor Standards Act (FLSA) * Occupational Safety and Health Act (OSHA) * Employee Retirement Income Security Act (ERISA) * Employee Polygraph Protection Act (EPPA) * Family and Medical Leave Act (FMLA)

Answer 110

Equal Opportunity Employment Commission enforces prohibitions on employment discrimination. Requires record retention on employment decisions for 1 year (generally), 2 years for federal stuff

Answer 111

National Labor Relations Board regulates the rights of workers to organize in labor unions.

Answer 112

The Securities and Exchange Commission requires reporting of human resources information by publicly traded companies. So far only requires reporting the number of people employed. May be new regulations in the future.

Answer 113

Title 7 of the Civil Rights Act. Prohibits discrimination on the basis of sex, race, color, national origin, or religion.

Answer 114

American with Disabilities Act prohibits discrimination against individuals with disabilities. Must meet the requirements of the job and be able to perform the functions of the job with reasonable accommodation to gain protections in employment. Prohibits medical examinations from employment decision.

Answer 115

The Genetic Information Nondiscrimination Act prohibits the use of genetic information in employment decisions.

Answer 116

Fair Credit Reporting Act. Not limited to financial information. * Must provide applicant written notice and obtain written consent * Certify to the credit reporting agency that you provided notice, obtained consent, and will not discriminate * Investigative report must include a description and scope of the investigation.

Answer 117

Employee Polygraph Protection Act prohibits the use of lie detectors in most employment settings. This does not apply to federal, state, local governments. May use in some cases for employee theft

Answer 118

Generally not prohibited by federal law, however, state laws vary widely and the ADA covers alcoholism and past drug use.

Answer 119

Stored Communications Act

Answer 120

The summary report must be provided to the employee and include the nature and substance of the report. It may exclude witness names. Report may only be shared within the organization or otherwise required by law.

Answer 121

California Financial Information Privacy Act, Senate Bill 1 (SB 1) * Expands of GLBA * Restricts financial institution sharing of customer information with third parties, shifts to opt-in consent requiring written consent * Requires notification to customers on privacy policy on a separate document titled :Important Privacy Choices for Consumers"

Answer 122

California Electronic Communications Privacy Act expands on the federal ECPA. Restricts state law enforcement authority's access to electronic information in two ways: 1) access to service provider records by warrant, court order, or subpoena, 2) access to electronic devices by warrant, wiretap order, consent of the customer, or certification of an emergency situation (death or serious injury) *only applies to CA law enforcement agencies

Answer 123

California Consumer Privacy Act modeled after GDPR * right to know what information is collected by businesses * right to know how information is shared with third parties * right to opt out of information sharing * right to review information * right to request deletion of information

Answer 124

California Consumer Privacy Act Cable Communications Policy Act

Answer 125

California Privacy Rights enforcement Act (2023) * Creates new category of Sensitive Personal Information (SPI) that is more highly regulated under CPRA. Businesses need additional protections around ssns, driver's license numbers, financial account information, geographic location information, the contents of non-public communication, health and genetic information, and information about an individual's ethnicity, religion, philosophy, sex life, or union membership * right to correct * right to limit use and disclosure * right to information about automated decision-making concering information * right to opt-out of automated decision making

Answer 126

Similar to CCPA and CPRA. * Applies to businesses that conduct business in Colorado or target residents of Colorado if handles information of 100,00 residents or handles PII of 25,000 or more residents and earns revenue from sharing that information. * DOes apply to nonprofit organizations * Does not apply to employers * Does not contain a private right of action

Answer 127

Delaware Online Privacy and Protection Act 1. Websites must post privacy policies - must be conspicuous, identify PII collected and third party sharing, disclose d"o not track requests", and notification of changes to the privacy policy 2. Ebook providers must safeguard user information absent court order or subpoena 3. Websites targeting children must restrict advertising (prohibited: alcohol/tobacco/drug paraphernalia, firearms/fireworks, tanning services, dietary supplements, lottery/gambling/body modification/sexually oriented material

Answer 128

1. Implement reasonable security measures to protect PII of Illinois residents 2. Delete PII when no longer needed 3. Notify residents of data breaches affecting their PII

Answer 129

Student Online Personal Protection Act (Illinois) similar to FERPA * parents have greater control of student information * requires data breach notification * applies both to government agencies and educational technology companies

Answer 130

* websites that collect any of the following PII are required to post a privacy policy. PII includes names, addresses, email addresses, phone numbers, ssns, and any identifiers * Notice requires 5 elements, 1, categories of PII. 2. describe process to review and correct, 3. notify process for policy changes, 4. disclose use of third-party tracking services, 5. include an effective date * violators subject to fines of $5k

Answer 131

Expanded law to cover data brokers who purchase PII

Answer 132

The New Jersey Personal Information and Privacy Act regulates the scanning of identification cards by retail establishments with several reasonable exceptions, prohibits sharing information collected for other purposes, and violations and breaches must be reported to authorities. * includes private right of action and fines up to $5k

Answer 133

New York State Department of FInancial Services regulates banks, insurance companies, and financial service providers. Published a comprehensive cyber security regulation for affected industries. * Requires all covered entities to create a risk based cybersecurity program that addresses confidentiality, integrety, and availability of security protocal * Covered entities must designate a Cheif Information Security Officer (CISO)

Answer 134

VIrginai Consumer Data PRotection ACT (2023) * Applies business conducted in Virginia and residents of Virginia * Exemptions: Virginia government, business subject to GLBA, orgs subject to HIPPA, nonprofits, secondary schools * no private right of action

Answer 135

controls commercial use of biometric information. * Excludes photo, video, and audio recording * Companies may not store biometric info collected absent notice, consent, and mechanism preventing commercial use * limits sharing with third parties * collected biometric data must be protected against unauthorized access, disposed of unneeded info, used only for agreed upon purpose

Answer 136

California (1st) and Alabama (last)

Answer 137

* Includes encrypted information in definition of PII * Notice period of data breach to 14 days * Data breach includes access by employees for illegal purposes

Answer 138

Expands the definition of PII to include health records, biometric data, and usernames/passwords * removes the encryption safe harbor if the key was compromised

Answer 139

* removes the encryption safe harbor if the key was compromised * allows businesses to delay notification of a breach at the request of law enforcement

Answer 140

* Includes biometric data in definition of PII * Requires breach notification to NM AG is more than 1000 residents affected * Exempts GLBA and HIPAA covered entities * requires secure data storage and disposal