Alphabet Soup Flashcards

1
Q

FTC

A

Federal Trade Commission.
* Lead agency for privacy enforcement in the US
* Protects consumers against unfair and deceptive acts or practices (Section 5 of the FTC Act)
* Enforces COPPA
* No jurisdiction over banks, savings associations and federal credit unions (supervised by their own regulators), common carriers, or most nonprofits; it does regulate non-bank financial institutions under GLBA

2
Q

OCC

A

Office of the Comptroller of the Currency. Charters, supervises and regulates national banks and federal savings associations (thrifts), as well as the federal branches and agencies of foreign banks operating in the United States.

3
Q

HHS

A

Department of Health and Human Services.

4
Q

HIPAA

A

Health Insurance Portability and Accountability Act.
* Applies to PHI
* Applies to covered entities.

5
Q

FCC

A

Federal Communications Commission.

6
Q

DOC

A

Department of Commerce
* Administered the EU-US Privacy Shield (invalidated by the CJEU in Schrems II, 2020) and now administers its successor, the EU-US Data Privacy Framework (2023)

7
Q

CCPA

A

California Consumer Privacy Act

8
Q

NAI

A

Network Advertising Initiative

9
Q

BBB

A

Better Business Bureau

10
Q

PCI DSS

A

Payment Card Industry Data Security Standard. A contractual (not statutory) standard imposed by the card brands on merchants and service providers that store, process or transmit cardholder data.

11
Q

OECD

A

Organization for Economic Cooperation and Development. Issued the 1980 Privacy Guidelines (updated 2013) and the 2007 recommendation on cross-border enforcement cooperation that led to the creation of GPEN. The US is a member of both.

12
Q

GPEN

A

Global Privacy Enforcement Network - 5 goals
* Exchange information about privacy issues
* Encourage sharing of enforcement expertise
* Promote dialogue among enforcement authorities
* Facilitate international cooperation
* Support international privacy practices

13
Q

GDPR

A

General Data Protection Regulation (EU, in force May 2018)
* Extraterritorial scope (Art. 3): applies to any controller or processor, wherever established, that processes personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour

14
Q

Standard Contractual Clauses

A

Model data-transfer contract terms approved by the European Commission. Signing them gives a transfer of personal data out of the EU a lawful basis under GDPR Art. 46; since Schrems II the exporter must also assess whether the destination country's law undermines the clauses (a transfer impact assessment).
15
Q

Binding Corporate Rules

A

Intragroup data-protection rules that a multinational submits to an EU data protection authority for approval; once approved, they provide a lawful basis for transfers of personal data within the corporate group (GDPR Art. 47).
16
Q

Safe Harbor and Privacy Shield

A

Neither is currently available. Safe Harbor (2000) was invalidated by the CJEU in Schrems I (2015); its replacement, Privacy Shield (2016), was invalidated in Schrems II (2020). The current adequacy mechanism is the EU-US Data Privacy Framework (2023).

17
Q

APEC

A

Asia-Pacific Economic Cooperation. Its Cross-Border Privacy Rules (CBPR) system is the region's certification scheme for transfers of personal data.

18
Q

HIPAA Penalties

A

Civil (per violation, tiered by culpability, with an annual cap per provision; amounts are adjusted for inflation)
* $100 minimum for an unknowing violation, up to $50,000 for willful neglect that is not corrected; annual cap of $1.5 million per identical provision

Criminal
* Knowingly obtaining or disclosing PHI: up to $50,000 and one year in prison
* Under false pretenses: up to $100,000 and five years
* With intent to sell, use for commercial advantage, personal gain, or malicious harm: up to $250,000 and ten years

19
Q

Unfair Business Practices

A

3 requirements (FTC Act Section 5)
* Causes or is likely to cause substantial injury to consumers
* The injury is not reasonably avoidable by consumers
* The injury is not outweighed by countervailing benefits to consumers or competition

20
Q

Deceptive Business Practices

A

3 requirements
* A representation, omission, or practice that is likely to mislead
* Judged from the perspective of a reasonable consumer
* Material (likely to affect the consumer's conduct or decision)

21
Q

How many people are in the House of Representatives?

A

435 members

22
Q

How many people are in the Senate?

A

100 members

23
Q

How many votes to overcome a veto?

A

2/3 majority in both the House and the Senate

24
Q

Where are federal administrative laws encoded?

A

CFR - Code of Federal Regulations

25
Q

How many votes to amend the constitution?

A

2/3 majority in both houses of Congress to propose, and ratification by 3/4 of the states

26
Q

CFR

A

Code of Federal Regulations. Where federal administrative law is codified

27
Q

Article 1

A

Legislative Branch

28
Q

Article 2

A

Executive Branch

29
Q

Article 3

A

Judicial Branch

30
Q

UCC

A

Uniform Commercial Code

31
Q

Article 4

A

Relationship between states

32
Q

Article 5

A

Amending the constitution

33
Q

Article 6

A

Supreme law of the land (Supremacy Clause)

34
Q

Article 7

A

Ratification

35
Q

Supremacy Clause

A

Article 6, Clause 2: the Constitution, federal laws made pursuant to it, and treaties are the supreme law of the land; conflicting state laws are preempted.
36
Q

FTC Enforcement Actions

A

Most FTC complaints are not resolved through formal litigation; two settlement mechanisms are used instead.
* The FTC and the accused company may informally resolve minor complaints by the company adjusting its business practices.
* In more serious cases, the FTC and the company enter into a consent decree.

37
Q

Consent Decree

A

A formal, enforceable agreement between the company and the FTC requiring changes to business practices (often including independent assessments). Under the FTC's "Sunset Policy", orders expire after 20 years unless otherwise specified. Violating an order can bring civil penalties.

38
Q

LifeLock

A

Violated a 2010 FTC consent order (which required it to protect customer data and not misrepresent its protections) and in 2015 agreed to pay $100 million, at the time the largest monetary award in an FTC order enforcement action.

39
Q

CFPB

A

Consumer Financial Protection Bureau. Primary federal authority for consumer protection in the financial industry (created by Dodd-Frank, 2010).

40
Q

Federal Reserve

A

Supervises and regulates bank holding companies, state-chartered banks that are members of the Federal Reserve System, and the US operations of foreign banks.

41
Q

NCUA

A

National Credit Union Administration. Charters, supervises and insures federal credit unions; its role for credit unions parallels that of the Federal Reserve and FDIC for banks.

42
Q

FDIC

A

The Federal Deposit Insurance Corporation. Insures deposits and is the primary federal supervisor of state-chartered banks that are not members of the Federal Reserve System; examines institutions for safety, soundness, and consumer protection.

43
Q

Chief Privacy Officer

A

A chief privacy officer has broad oversight over an organization’s privacy practices

44
Q

Consent

A

Two types:
Opt-in consent (affirmative) - the user explicitly agrees to a privacy practice before it takes effect

Opt-out consent (implicit) - the practice applies unless the user takes action to refuse it

45
Q

PII

A

Personally Identifiable Information
Any information that can be used to distinguish an individual’s identity or any information that is either linked or linkable to an individual.

46
Q

Privacy Notice Components (Generally)

A

*Types of information collected
*Purpose of data collection
*Methods of collection
*Times of collection
*Sharing of information
*Security controls
*Opt-in and opt-out procedures
*Contact information

47
Q

Difference between Privacy Policy and Privacy Notice (1 key distinction)

A

Generally, Privacy Policies are internal documents, Privacy Notices are external documents

48
Q

NIST

A

National Institute of Standards and Technology

49
Q

NIST SP 800-61

A

Computer Security Incident Handling Guide (Revision 2, 2012)

50
Q

Incident response plan

A

Should include 5 components (per NIST SP 800-61)
* Policy and plan documentation
* Procedures for incident handling
* Guidelines for communicating externally (media, law enforcement, other organizations)
* Structure and staffing model for the team
* Description of relationships with other groups, internal and external

51
Q

Incident Response Policy

A

The cornerstone of the incident response plan (should not change often)
* Provides foundational authority for the program
* Defines the incidents that fall under the policy
* Includes an incident prioritization scheme (e.g. by functional impact and information impact)

52
Q

Incident Response Procedures

A

Contain the details of the plan. Should be written clearly and give actionable instructions. Should include procedures for:
* Notification
* Escalation
* Reporting
* System isolation
* Forensic analysis
* Evidence handling

53
Q

What to know about reporting a cyber security incident to law enforcement.

A

Generally not legally required. Involving law enforcement brings additional risk: the investigation is no longer under the organization's control, evidence-handling and disclosure rules apply, and details of the incident are more likely to become public. Always report when there is a threat to life or safety, or when a legal or contractual obligation requires it.

54
Q

Basis for FTC Enforcement Actions

A

Corporate privacy policies often provide the basis for FTC enforcement actions.

55
Q

COPPA

A

Children’s Online Privacy Protection Act (1998)
* Protects the personal information of children under 13
* Applies to operators of commercial websites and online services directed to children under 13, and to general-audience services with actual knowledge that they collect personal information from children under 13
* Operators may participate in FTC-approved COPPA Safe Harbor programs (self-regulatory schemes) as a way to demonstrate compliance
* Enforced by the FTC; state attorneys general may also bring actions
* Does not apply to most nonprofit organizations

56
Q

COPPA Privacy Requirements

A

* Post a clear and comprehensive online privacy policy
* Provide direct notice to parents of privacy practices
* Obtain verifiable parental consent before collecting, using, or disclosing personal information from children
* Give parents the ability to review the information collected, to refuse its further use or collection, and to have it deleted

57
Q

COPPA Security Requirements

A
  • Protect the confidentiality, security, and integrity of personal information
  • Delete information when no longer needed
  • Do not require that children provide unnecessary information
58
Q

Wyndham

A

FTC v. Wyndham Worldwide (3d Cir. 2015). The FTC alleged that Wyndham suffered three data breaches as the direct result of its failure to implement reasonable security controls and sued under the unfairness prong of Section 5. The Court of Appeals upheld the FTC's authority to bring unfairness actions over inadequate data security.

59
Q

HIPAA Covered Entities

A
  • Healthcare providers who transmit health information electronically in connection with certain standard transactions
  • Health plans
  • Health care clearinghouses
  (Business associates are not covered entities themselves; they are bound through business associate agreements and, since HITECH, directly)
60
Q

PHI

A

Protected health information: individually identifiable health information held or transmitted by a covered entity or business associate, in any form.

61
Q

BAAs

A

Business associate agreements
* Contracts that extend HIPAA obligations to the business associates (vendors that handle PHI) of covered entities

62
Q

HIPAA Exceptions

A
  • Employment records held by a covered entity in its role as employer
  • Education records covered by FERPA
  • De-identified information (per the Safe Harbor or Expert Determination methods of 45 CFR 164.514)
63
Q

HIPAA Privacy Rule key provisions

A

Governs the privacy of protected health information (PHI) in any form
* Notice of privacy practices
* Permitted uses and disclosures of PHI
* Minimum necessary use and disclosure of PHI
* Individual rights to access and amend records and to receive an accounting of disclosures
* Administrative safeguards to protect the confidentiality and integrity of PHI

64
Q

HIPAA Security Rule

A

Governs the security of electronic protected health information (ePHI)
* Administrative, physical, and technical safeguards to protect confidentiality, integrity, and availability
* Identify and protect against reasonably anticipated threats
* Protect against reasonably anticipated impermissible uses or disclosures
* Ensure workforce compliance

65
Q

HITECH

A

Health Information Technology for Economic and Clinical Health Act (2009, part of the ARRA stimulus package), intended to modernize health care IT.
* Incentivized the adoption and meaningful use of electronic health records through Medicare and Medicaid payments

66
Q

EHR

A

Electronic health records.

67
Q

HITECH updates to HIPAA

A
  • Breach notification requirements
  • Business associates must comply directly with HIPAA's Security Rule and the relevant Privacy Rule provisions, allowing the federal government to take direct action against business associates that fail to comply
  • Strengthened privacy protections and increased civil penalties (tiered by culpability)
68
Q

Breach Notification Exceptions (HITECH–>HIPAA)

A
  • Information that was encrypted (or otherwise rendered unusable, unreadable, or indecipherable) in line with HHS guidance; its loss is not a reportable breach (the encryption "safe harbor")
  • Unintentional, good-faith access or use by workforce members acting within their authority
  • Inadvertent disclosures between persons authorized to access PHI at the same entity
  • Disclosures where the recipient would not reasonably have been able to retain the information
69
Q

Breach notification requirements (HITECH–>HIPAA)

A

Breach notification requirements (45 CFR 164.400-414).
* Notify affected individuals without unreasonable delay, and no later than 60 days after discovery of the breach
* Notify prominent media outlets if the breach affects more than 500 residents of a state or jurisdiction
* Business associates must notify the covered entity (within 60 days of discovery)
* Notify HHS: within 60 days for breaches affecting 500 or more individuals; smaller breaches are logged and reported within 60 days after the end of the calendar year

70
Q

21st Century Cures Act

A

21st Century Cures Act (2016).
* Introduces penalties for information blocking (practices that unreasonably interfere with access to or exchange of electronic health information) by health IT developers and health information networks: fines of up to $1 million per violation
* Allows compassionate sharing of mental health and substance use disorder treatment information with families and caregivers
* Introduces privacy provisions to facilitate biomedical research

71
Q

Confidentiality of Substance Use Disorder Patient Records regulations

A

42 CFR Part 2.
* Covers records that could identify a patient as having a substance use disorder
* Applies to federally assisted substance use disorder treatment programs
* Violations have historically been criminal offenses with fines of $500 to $5,000 per violation; the CARES Act (2020) aligned Part 2 penalties with HIPAA's civil and criminal penalties
* Requires written patient consent for disclosures, subject to the exceptions listed below

72
Q

Exceptions to consent of Confidentiality of Substance Use Disorder Patient Records regulations

A
  • Medical emergencies
  • Research
  • Audits and evaluations
  • Qualified service organizations
  • Child abuse and neglect reporting
  • Reporting crimes on program premises or against program personnel
  • Court-ordered disclosures
73
Q

FCRA

A

Fair Credit Reporting Act (1970). Applies to consumer reporting agencies and to the users and furnishers of consumer reports.
* Limits the permissible purposes for which consumer reports may be obtained
* Requires fair and accurate reporting (correct and current). Most negative information may be reported for only seven years (bankruptcies: ten years)
* Gives consumers the right to access their reports and to dispute inaccurate information; disputes must generally be resolved within 30 days
* Requires users of reports to notify consumers of adverse actions taken on the basis of information in a report

74
Q

Defining credit reports

A

Any written, oral, or other communication by a consumer reporting agency bearing on a consumer's
* creditworthiness
* credit standing
* credit capacity
* character
* general reputation
* personal characteristics
* mode of living
that is used, or expected to be used, for credit, insurance, employment, or another permissible purpose

75
Q

Consumer Reporting Agencies

A

Any person or organization that regularly assembles or evaluates consumer credit information in order to furnish consumer reports to third parties. Users of consumer reports must certify their intended (permissible) purpose to the agency.

76
Q

When is sharing permitted with a third-party under the FCRA?

A
  • responding to a court order
  • with the written permission of the consumer
  • or with the third-party meeting certain criteria including
    1. facilitating credit transactions
    2. making employment decisions
    3. underwriting insurance policies
    4. issuing licenses and government benefits
    5. other legitimate business needs
77
Q

Adverse Action Notices

A

Provided when an adverse action (e.g. denial of credit, insurance, or employment) is taken because of information in a consumer report. Must include:
* Contact information for the consumer reporting agency (CRA) that supplied the report
* A statement that the CRA did not make the adverse decision and cannot explain it
* Notice of the right to obtain a free copy of the report from the CRA within 60 days
* Notice of the right to dispute the accuracy or completeness of the report
* The credit score used in the decision, if one was used

78
Q

CRA

A

Consumer reporting agency (commonly called a credit reporting agency). The three nationwide CRAs are Equifax, Experian, and TransUnion.

79
Q

FCRA Penalties

A

Weighted in favor of consumer rights. Consumers may recover
* Actual damages (for negligent violations), or statutory damages of $100 to $1,000 per willful violation
* Punitive damages (for willful violations)
* Legal costs and attorneys' fees

80
Q

FACTA

A

The Fair and Accurate Credit Transactions Act (2003) amends the FCRA and seeks to limit the risk of identity theft, largely by limiting what an identity thief can obtain from a credit report or a receipt.
* Consumers may obtain a free copy of their credit report from each nationwide CRA annually
* Consumers may place an initial fraud alert on their credit file (originally 90 days; extended to one year by the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018); identity theft victims who file an identity theft report may place an extended alert for 7 years
* Receipt truncation: electronically printed receipts may show no more than the last 5 digits of the card number and may not show the card's expiration date
* Red Flags Rule
* Disposal Rule (reasonable and appropriate destruction of consumer report information)
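
The receipt truncation rule is the one FACTA requirement on this page that maps directly onto code. The block below is an added example, not part of the original flashcards: a receipt-safe PAN truncation function and a scanner that flags full card numbers and printed expiration dates in receipt text, the kind of check a merchant would run over a receipt template or a print spool before deployment. It goes a little beyond the card by using the Luhn checksum to tell card numbers from other digit runs, which is how DLP scanners do it. The receipt text is constructed, the card numbers are the card brands' public test numbers, and the names `truncate_pan` and `receipt_violations` are this example's own.

```python
"""Receipt-safe PAN truncation and a scanner for unmasked card numbers.

Added example (not from the original flashcards). Assumes a merchant's receipt
output is available as plain text; the Luhn check and the regex below are the
standard heuristics DLP tools use to spot card numbers in free text.
"""
from __future__ import annotations

import re

# FACTA allows at most the last five digits of the card number on a receipt.
FACTA_MAX_VISIBLE = 5

# Candidate card numbers: 13-19 digits, optionally separated by spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# An expiration date printed next to an EXP / EXPIRES / EXPIRY label
# (MM/YY or MM/YYYY), which FACTA also forbids on receipts.
EXP_RE = re.compile(r"\bEXP\w*\.?\s*:?\s*(0[1-9]|1[0-2])\s*/\s*\d{2,4}\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep: int = 4) -> str:
    """Render a PAN for a receipt, masking all but the last `keep` digits.

    `keep` defaults to 4 (the usual PCI DSS rendering); FACTA caps it at 5.
    Input that is not a plausible card number is rejected rather than echoed
    back, so a malformed value can never reach the receipt unmasked.
    """
    if not 0 <= keep <= FACTA_MAX_VISIBLE:
        raise ValueError(f"a receipt may show at most {FACTA_MAX_VISIBLE} digits")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - keep) + digits[-keep:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return the digit strings in `text` that look like full card numbers.

    A digit run only counts if it passes Luhn, which filters out most phone
    numbers, order IDs and timestamps that happen to be 13-19 digits long.
    """
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def receipt_violations(text: str) -> list[str]:
    """Check receipt text against the FACTA truncation rule."""
    issues = [f"unmasked card number ending {pan[-4:]}" for pan in find_unmasked_pans(text)]
    if EXP_RE.search(text):
        issues.append("expiration date printed")
    return issues


# Constructed sample receipts; the card numbers are the brands' public test numbers.
BAD_RECEIPT = (
    "ACME MART  STORE #12\n"
    "VISA 4111 1111 1111 1111  EXP 12/27\n"
    "AMEX 378282246310005\n"
    "TOTAL $42.19\n"
)
GOOD_RECEIPT = (
    "ACME MART  STORE #12\n"
    f"VISA {truncate_pan('4111 1111 1111 1111')}\n"
    f"AMEX {truncate_pan('378282246310005', keep=5)}\n"
    "TOTAL $42.19\n"
)

if __name__ == "__main__":
    print(receipt_violations(BAD_RECEIPT))   # both the PANs and the EXP line are flagged
    print(receipt_violations(GOOD_RECEIPT))  # []
```

Two design choices are worth noting. `truncate_pan` validates before masking so that an attacker-controlled or corrupted value is never passed through unchanged, and the scanner demands a Luhn-valid run rather than any long number, which keeps the false-positive rate low enough to run it as a gate in a receipt-generation pipeline.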

81
Q

Red Flags Rule

A

Under FACTA. Requires financial institutions and creditors to maintain a written identity theft prevention program to detect, prevent, and mitigate identity theft in covered accounts. The rule does not prescribe specific controls; the program is to be based on the institution's own risk assessment and experience.
* Card issuers must validate address changes (e.g. before sending a replacement card to a new address)
* CRAs must notify report users when the address in a request differs substantially from the address on file (address discrepancy)

82
Q

GLBA

A

Gramm-Leach-Bliley Act overhauled the regulation of financial institutions in the United States. Officially the Financial Services Modernization Act of 1999.
* Applies to all businesses that are significantly engaged in providing financial products or services
* Financial Privacy Rule
* Safeguards Rule
* Pretexting provisions (prohibit obtaining customer financial information under false pretenses)

83
Q

GLBA Financial Privacy Rule

A

Limits how financial institutions may collect and share nonpublic personal information (NPI) about consumers, and requires privacy notices that
* are provided to customers at the start of the relationship and annually thereafter
* describe the institution's privacy policies and practices
* disclose information sharing with third parties
* describe information security policies and practices
* give the consumer the ability to opt out of sharing with nonaffiliated third parties

84
Q

NPI

A

Nonpublic personal information: personally identifiable financial information that a financial institution collects about a consumer (GLBA)

86
Q

GLBA Safeguards Rule

A

Requires that financial institutions develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards that protect the
* Confidentiality
* Integrity
* Availability
of customer information.

87
Q

GLBA Scope

A

This applies to all businesses that are significantly engaged in providing financial products and services, including:
* banks
* non-bank lenders
* financial advisors
* check cashing services
* payday lenders
* real estate appraisers
* tax preparers
* mortgage brokers
* ATM operators
* colleges and universities that issue student loans

88
Q

GLBA Privacy notice requirements

A
  • Provided to customers at the start of the relationship and annually thereafter
  • Describe privacy policies and practices
  • Disclose third-party information sharing
  • Describe information security policies and practices
  • Provide the ability to opt out of sharing with nonaffiliated third parties
89
Q

Customers vs. Consumers according to the GLBA

A

Consumers are individuals who obtain a financial product or service from an institution for personal, family, or household purposes; the contact may be a one-time transaction (cashing a check). Consumers need only receive a privacy notice (a short-form notice is allowed) if the institution shares their NPI with nonaffiliated third parties.
Customers are consumers who have an ongoing relationship with the institution (e.g. opening an account). Customers must receive the institution's full privacy notice at the start of the relationship and annually thereafter.

90
Q

GLBA security plans

A

Under the GLBA Safeguards Rule. Must:
* Designate a qualified individual responsible for the program (the 2021 amendments replaced "one or more employees" with a single Qualified Individual)
* Identify and assess risks (written risk assessment)
* Design and implement safeguards to control those risks; the 2021 amendments specify access controls, encryption of customer information in transit and at rest, multifactor authentication, secure disposal, and logging and monitoring
* Regularly monitor and test the effectiveness of the safeguards
* Oversee service providers (select capable providers and require safeguards by contract)
* Evaluate and adjust the program as circumstances change
* Maintain a written incident response plan and report to the FTC within 30 days any notification event involving 500 or more consumers (2023 amendment)

91
Q

State privacy laws with GLBA exemptions

A

Most state consumer privacy laws carve out GLBA-regulated data or institutions, but the scope differs:
* California (CCPA): data-level exemption only. Financial information collected under GLBA is excluded, but the financial institution itself remains subject to the CCPA for the other personal information it handles
* Colorado, Virginia: entity-level exemptions for financial institutions subject to GLBA
* Nevada: exempts financial institutions subject to GLBA from its online privacy law

92
Q

Dodd-Frank Act

A

Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 reorganized the regulation of financial institutions after the 2008 financial crisis. Most significantly for privacy, it established the CFPB.

93
Q

CFPB

A

Consumer Financial Protection Bureau. Took over rule-making authority for the FCRA and the GLBA Financial Privacy Rule from the FTC and the banking regulators (the FTC retains the GLBA Safeguards Rule). Has the power to regulate unfair, deceptive, or abusive acts and practices (UDAAPs) by providers of consumer financial products and services. Also regulates the use of consumer reports in employment background checks.

94
Q

UDAAPs

A

Unfair, deceptive, or abusive acts and practices (Dodd-Frank Section 1031). "Unfair" and "deceptive" track the definitions used by the FTC; "abusive" is new. Each prong is a separate basis for liability.

95
Q

Abusive Practice

A

New under Dodd-Frank and the CFPB. An act or practice is abusive if it
* Materially interferes with a consumer's ability to understand a term or condition of a product or service, or
* Takes unreasonable advantage of 1) the consumer's lack of understanding of the material risks, costs, or conditions, 2) the consumer's inability to protect their own interests, or 3) the consumer's reasonable reliance on the provider to act in the consumer's interest

96
Q

FERPA and scope

A

Family Educational Rights and Privacy Act (1974). Applies to educational institutions that receive federal funding from the Department of Education.
* Covers all education records
* Most colleges and universities (public and private, since nearly all take federal student aid)
* Most public K-12 schools
* Does not apply to private K-12 schools that receive no federal funds
* Rights belong to the parents until the student turns 18 or enters postsecondary education; they then transfer to the student ("eligible student")
* Annual notice of rights to students/parents

97
Q

Parental rights under FERPA

A
  • Control disclosure of records to third parties
  • Access student educational records
  • Dispute information in student educational records
98
Q

Educational Record types under FERPA

A
  • Grades
  • Transcripts
  • Class lists
  • Course schedules
  • Health records (k-12)
  • Financial records (postsecondary)
  • Disciplinary records
99
Q

FERPA record exclusions

A
  • Law enforcement records maintained by campus police
  • Application records of nonstudents
  • Alumni records created after a student graduates
  • Medical and mental health records for the treatment of students (usually)
  • Sole-possession records unless shared (eg. created by an individual faculty member)
  • Peer graded work before it’s entered as a grade.
100
Q

Permitted disclosures under FERPA

A
  • Consent
  • Not personally identifiable
  • directory information (not generally be considered harmful or an invasion of privacy if disclosed: name, phone, address, major, etc.)
  • Health or safety emergency
101
Q

Permitted recipients of protected FERPA information without consent

A
  • School officials with “legitimate educational interest”
  • Other educational institutions
  • Financial aid organization
  • Researchers
  • Accrediting agencies
  • Law enforcement agencies
102
Q

TCPA

A

Telephone Consumer Protection Act (1991) gives the FCC authority to regulate unsolicited telemarketing calls, autodialed and prerecorded calls and texts, and unsolicited faxes.

103
Q

TSR

A

Telemarketing Sales Rule, established by the FTC.
* Established the National Do Not Call Registry
* Calls may only be placed between 8 am and 9 pm (recipient's local time)
* Must transmit valid caller ID
* Must promptly identify the seller and the purpose of the call
* Abandoned-call rule: a live representative must come on the line within 2 seconds of the consumer's greeting
* Prerecorded (robocall) sales calls only with the consumer's express written consent

104
Q

Do Not Call Registry

A
  • Contains more than 200 million numbers
  • Prohibits unsolicited sales calls to registered landlines and cell phones absent express consent or an established business relationship
  • Telemarketers must purchase access to the registry and scrub their call lists against it at least every 31 days
  • Civil penalties of more than $43,000 per violating call at the time of writing, adjusted annually for inflation
  • Applies only to unsolicited sales calls
105
Q

Dish Network

A

$280 million judgment (2017) for violating the Do Not Call rules, the largest civil penalty in a telemarketing enforcement action at the time.

106
Q

Exceptions to Do Not Call Registry

A
  • Debt collection calls
  • Nonprofits seeking donations
  • Political calls
  • Surveys (with no sales pitch)
  • Prior customers (18 months after the last transaction)
  • Prospective customers who have inquired or applied (3 months)
107
Q

EBR

A

Established Business Relationship exception to the telemarketing rules. Calls (or faxes) may be placed despite the Do Not Call Registry to:
* Prior customers, for 18 months after the last purchase, payment, or delivery
* Prospective customers who have made an inquiry or application, for 3 months
* For the JFPA: faxes are permitted where the recipient voluntarily provided the fax number and each fax carries opt-out instructions on its first page

108
Q

Telemarketing Safe Harbor

A

The safe harbor for an inadvertent (mistaken) call to a number on the Do Not Call Registry. To qualify, the telemarketer must show that it:
* Has written procedures for compliance
* Trains its personnel on those procedures
* Monitors and enforces compliance
* Maintains an internal do-not-call list
* Downloads the national registry at least every 31 days and scrubs its call lists against it
* Made the call as the result of an error despite these measures

109
Q

JFPA

A

Junk Fax Prevention Act (2005, amending the TCPA)
Illegal to send unsolicited advertisements by fax absent an established business relationship
* $500 statutory damages per violation (each unsolicited fax)
* Up to $1,500 per violation if the violation is knowing or willful (treble damages)

110
Q

CAN-SPAM Act

A

Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003.
* Applies primarily to commercial email messages
* Enforced by the FTC - 7 rules
1. Don't use false or misleading header information (From, To, routing)
2. Don't use a deceptive subject line
3. Identify the message as an advertisement
4. Tell recipients where you're located (a valid physical postal address)
5. Tell recipients how to opt out of future email (the mechanism must keep working for at least 30 days after sending)
6. Honor opt-out requests promptly (within 10 business days)
7. Monitor what others are doing on your behalf

111
Q

Categories of emails under CAN-SPAM

A

Commercial, transactional/relationship, and other.
* Transactional/relationship messages: 1) facilitate or confirm an agreed transaction, 2) provide warranty, recall, safety, or security information, 3) notify of a change in terms or account balance, 4) relate to an employment relationship or benefits, 5) deliver goods or services the recipient is entitled to. These are exempt from most CAN-SPAM rules other than the ban on false or misleading header information.

112
Q

Telecommunications Act

A

Telecommunications Act of 1996. Of particular interest for privacy is Section 222, which created the CPNI rules.

113
Q

CPNI

A

Customer Proprietary Network Information. Information about a subscriber's use of a telecommunications service (call details, billing, and the services subscribed to). Regulated by the FCC under Section 222.
* May be used internally to provide the service, and for customer communication, customer service, fraud prevention, billing and collection, and in response to a court order or emergency
* Other uses require customer consent (opt-in for sharing with third parties for marketing)
* Anti-pretexting rules: carriers must authenticate customers with a password before disclosing call detail records by phone or online, and with photo ID in person
* Carriers must notify law enforcement (the Secret Service and FBI) of CPNI breaches within 7 business days, before notifying customers
* Annual compliance certification filed with the FCC

114
Q

CCPA

A

Cable Communications Policy Act of 1984 (the "Cable Act"; not to be confused with the California Consumer Privacy Act)
* Regulates the cable television industry
* Operators may not collect PII without prior consent unless necessary to provide service or to detect unauthorized reception
* May not disclose PII except as necessary to provide service, or under a court order
* Annual written notice of privacy practices to subscribers
* Subscribers may access their PII and correct errors
* PII must be destroyed once it is no longer necessary for the purpose for which it was collected
* Private right of action (actual damages, or liquidated damages of $100 per day of violation or $1,000, whichever is higher)

115
Q

VPPA

A

Video Privacy Protection Act of 1988 prohibits a "video tape service provider" from knowingly disclosing PII about a consumer's rental or purchase of video materials without consent. Passed after a newspaper published Judge Robert Bork's video rental history during his Supreme Court confirmation.
* Courts have applied the VPPA to online video streaming services.

116
Q

GAPP

A

Generally Accepted Privacy Principles (AICPA/CICA) - 10 principles
1. Management - policies, procedures, and a governance structure for personal data; clearly define the roles of data owner, data steward, and data custodian
2. Notice - subjects receive notice of purposes, policies, and procedures
3. Choice and consent
4. Collection - collect only what the notice discloses, for the purposes stated
5. Use, retention, and disposal
6. Access - subjects can review and update their information
7. Disclosure to third parties
8. Security for privacy
9. Quality - accurate, complete, and relevant
10. Monitoring and enforcement, with a dispute resolution process

117
Q

DPPA

A

Driver’s Privacy Protection Act (1994) regulates the disclosure of personal information from state DMV records. Passed after several incidents in which DMV records were used to locate individuals, with dangerous consequences. Recipients who re-disclose the data are also bound by the DPPA. Permitted uses include
* government agencies carrying out their functions
* recovery of stolen vehicles
* managing records and titles
* notices for towed or impounded vehicles
* criminal, civil, or administrative proceedings and investigations
* research and statistics, provided PII is not disclosed
* employer verification (commercial drivers)
* toll collection
* matters of motor vehicle safety and operation (recalls, emissions)
* public safety

118
Q

RFPA

A

Right to Financial Privacy Act (1978). Broadly covers financial institutions (banks, credit unions, money services businesses, document firms, casinos, and the post office).
* Applies only to requests for customer records made by federal government agencies
* Protects only "customers", meaning individuals and partnerships of five or fewer individuals; corporations are not covered
* The request must reasonably describe the records sought
* The request must rest on one of: 1) customer authorization, 2) administrative subpoena or summons, 3) judicial subpoena, 4) search warrant, 5) formal written request by a law enforcement agency where no subpoena authority exists
* The customer must receive written notice and then has 10 days from personal service (14 days from mailing) to challenge the request before the records are released

119
Q

BSA

A

Bank Secrecy Act of 1970 requires that financial institutions report certain customer information to the government. This act compels financial institutions to turn some records over to the government.
* Financial institutions must maintain records of customer activity for five years.
* CTR and SAR reporting required.
* Prohibits financial institutions from notifying customers they filed a SAR

120
Q

CTR

A

Currency Transaction Report
* Under the BSA, institutions must file a CTR with FinCEN for cash transactions totaling more than $10,000 by or on behalf of one person in a single business day

121
Q

SAR

A

Suspicious Activity Report
* Under the BSA, institutions must file a SAR with FinCEN for suspected money laundering or other suspicious activity, including structuring (splitting cash transactions to stay under the $10,000 CTR threshold)

122
Q

4th Amendment as applied to digital communications

A

Protects a person's "reasonable expectation of privacy" (Katz v. United States, 1967) against unreasonable government searches: the test is whether the person had a subjective expectation of privacy that society is prepared to recognize as reasonable. Carpenter v. United States (2018) extended this protection to historical cell-site location records held by carriers.

123
Q

ECPA

A

The Electronic Communications Privacy Act (1986) regulates interception of and access to communications, by the government and by private parties. Consists of 3 titles.
* Title I - Wiretap Act: prohibits interception of wire, oral, and electronic communications in transit without a court order or the consent of at least one party; providers may intercept in the ordinary course of business to protect their rights and property
* Title II - Stored Communications Act: protects communications held in storage by a provider (emails, texts, voicemails) and sets the legal process the government needs to compel them
* Title III - Pen Register Act: covers the use of pen registers and trap-and-trace devices

124
Q

Pen Registers vs. Trap and Trace

A

Pen registers record information about outbound communications (numbers dialed); trap-and-trace devices capture information about inbound communications (calling numbers). The distinction is a relic; the same technology tracks both directions today, and the Pen Register Act treats them alike.

125
Q

True or false. Federal access to communications preempts state laws.

A

False. Federal law sets a floor; state laws may impose stricter requirements. Most notably, a number of states (e.g. California) require all-party consent to record a conversation, while federal law requires only one-party consent.

126
Q

CALEA

A

Communications Assistance for Law Enforcement Act (1994). Creates no new wiretap authority; requires telecommunications carriers to build their networks so that lawfully authorized wiretaps can be carried out.
* Applies to telephone companies
* Facilities-based broadband ISPs (extended by FCC order in 2005)
* Interconnected Voice over Internet Protocol (VoIP) providers

127
Q

FISA

A

Foreign Intelligence Surveillance Act of 1978. Passed after the Church Committee's investigation of domestic surveillance abuses; governs electronic surveillance for foreign intelligence purposes inside the United States.
* Established the Foreign Intelligence Surveillance Court (FISC), 11 judges who hold closed hearings on applications that rest on classified evidence
* The Attorney General may authorize surveillance without a court order for up to one year if it is directed solely at communications among foreign powers and there is no substantial likelihood of acquiring communications of US persons
* A FISC order is required to target a US person, based on probable cause that the person is an agent of a foreign power; such orders run for 90 days (120 days for non-US persons) and may be renewed
* Section 702 (FISA Amendments Act of 2008): permits targeting of non-US persons reasonably believed to be outside the US, with the compelled assistance of US providers, under annual certifications approved by the FISC rather than individual orders

128
Q

USA Patriot Act

A

USA Patriot Act (2001). Introduced expanded surveillance powers.
* Loosened requirements for surveillance of US persons (e.g. foreign intelligence need only be "a significant purpose" of FISA surveillance)
* Created "roving" wiretaps that follow a target across devices
* Strengthened rules against money laundering
* Broadened the use of National Security Letters (NSLs)
* Allowed the government to demand "any tangible things" relevant to an investigation, which was used for bulk collection of call detail records (Section 215)

129
Q

NSLs

A

National Security Letters. Administrative subpoenas the FBI can issue without a judge to obtain customer records from communication service providers, financial institutions, and credit agencies. Recipients are usually placed under a gag order that prohibits disclosing the request.

130
Q

USA Freedom Act

A

The Patriot Act of 2001 expired in 2015. The USA Freedom Act of 2015 extended some provisions and added new controls to the Patriot Act.
* Eliminated bulk collection of call details (Section 215)
* Prohibited production orders for bulk “tangible things” from the FBI
* Required the use of specific selector terms (telephone number, email address, etc.)
* Requires judicial involvement
* Required expert opinions in the FISA court. May send questions of law to the Supreme Court, subject to the declassification of FISA orders.
* NSLs must use specific selection terms; imposes a higher standard for gag orders and allows recipients to challenge NSLs in court.
* Requires transparency letters by companies receiving NSLs.

131
Q

CISA

A

The Cybersecurity Information Sharing Act of 2015 (CISA) facilitates information sharing. Does not require private orgs to share information with the government but seeks to make it easier to do so.
* Authorizes sharing of threat intelligence between the government and the private sector
* Protects shared information from disclosure
* Requires redaction of personal information before sharing
* Limits liability for security monitoring

132
Q

Zurcher v. Stanford Daily

A

Birth of the Third-Party Doctrine
* The 4th Amendment does not prohibit searches of third parties.
* The 1st Amendment does not prohibit searches of newspapers.

133
Q

Privacy Protection Act

A

Passed in response to Zurcher v. Stanford Daily. Applies to disseminators of information to the public and protects work products and documentary materials from search warrants.
* Requires the use of a subpoena or voluntary cooperation

134
Q

USA Patriot Act

A

Introduced expanded powers.
* Loosened requirements for surveillance of US citizens
* Created “roving” wiretaps
* Strengthened rules against money laundering
* Broadened powers of NSLs
* Allowed the government to demand “tangible items,” including call detail records (Section 215)

135
Q

Department of Labor Authority

A

Administers and enforces over 100 labor laws, including:
* Fair Labor Standards Act (FLSA)
* Occupational Safety and Health Act (OSHA)
* Employee Retirement Income Security Act (ERISA)
* Employee Polygraph Protection Act (EPPA)
* Family and Medical Leave Act (FMLA)

136
Q

EEOC

A

The Equal Employment Opportunity Commission enforces prohibitions on employment discrimination. Requires record retention on employment decisions for 1 year (generally) and 2 years for federal matters.

137
Q

NLRB

A

National Labor Relations Board regulates the rights of workers to organize in labor unions.

138
Q

SEC

A

The Securities and Exchange Commission requires reporting of human resources information by publicly traded companies. So far only requires reporting the number of people employed. May be new regulations in the future.

139
Q

CRA

A

Title VII of the Civil Rights Act.
Prohibits discrimination on the basis of sex, race, color, national origin, or religion.

140
Q

ADA

A

The Americans with Disabilities Act prohibits discrimination against individuals with disabilities. To gain protection in employment, the individual must meet the requirements of the job and be able to perform its functions with reasonable accommodation. Prohibits the use of medical examinations in employment decisions.

141
Q

GINA

A

The Genetic Information Nondiscrimination Act prohibits the use of genetic information in employment decisions.

142
Q

FCRA and background screening.

A

Fair Credit Reporting Act. Not limited to financial information.
* Must provide the applicant written notice and obtain written consent
* Must certify to the credit reporting agency that you provided notice, obtained consent, and will not discriminate
* An investigative report must include a description of the nature and scope of the investigation

143
Q

EPPA

A

The Employee Polygraph Protection Act prohibits the use of lie detectors in most employment settings. This does not apply to federal, state, or local governments. Polygraphs may be used in some cases involving employee theft.

144
Q

Drug testing regulations.

A

Generally not prohibited by federal law; however, state laws vary widely, and the ADA covers alcoholism and past drug use.

145
Q

SCA

A

Stored Communications Act

146
Q

Does the target of an employer investigation require notice or consent?
Does the target of an employer investigation need to be given a copy of the investigation report?

A

No.
No.

147
Q

If an employer takes an adverse action against an employee based on an investigation into misconduct, what must be provided to the employee?

A

A summary report must be provided to the employee and include the nature and substance of the report. It may exclude witness names. The report may only be shared within the organization or as otherwise required by law.

148
Q

CFIPA

A

California Financial Information Privacy Act, Senate Bill 1 (SB 1)
* Expands on GLBA
* Restricts financial institutions’ sharing of customer information with third parties; shifts to an opt-in model requiring written consent
* Requires notification to customers of the privacy policy in a separate document titled “Important Privacy Choices for Consumers”

149
Q

CalECPA

A

The California Electronic Communications Privacy Act expands on the federal ECPA. Restricts state law enforcement authorities’ access to electronic information in two ways:
1) access to service provider records only by warrant, court order, or subpoena,
2) access to electronic devices only by warrant, wiretap order, consent of the customer, or certification of an emergency situation (death or serious injury)
* Only applies to CA law enforcement agencies

150
Q

CCPA

A

California Consumer Privacy Act, modeled after GDPR
* right to know what information is collected by businesses
* right to know how information is shared with third parties
* right to opt out of information sharing
* right to review information
* right to request deletion of information

151
Q

What are the two CCPA acronyms?

A

California Consumer Privacy Act
Cable Communications Policy Act

152
Q

CPRA

A

California Privacy Rights enforcement Act (2023)
* Creates a new category of Sensitive Personal Information (SPI) that is more highly regulated under CPRA. Businesses need additional protections around SSNs, driver’s license numbers, financial account information, geographic location information, the contents of non-public communications, health and genetic information, and information about an individual’s ethnicity, religion, philosophy, sex life, or union membership
* Right to correct
* Right to limit use and disclosure
* Right to information about automated decision-making concerning personal information
* Right to opt out of automated decision-making

153
Q

Colorado Privacy Act

A

Similar to CCPA and CPRA.
* Applies to businesses that conduct business in Colorado or target residents of Colorado if they handle information of 100,000 residents, or handle PII of 25,000 or more residents and earn revenue from sharing that information
* Does apply to nonprofit organizations
* Does not apply to employers
* Does not contain a private right of action

154
Q

DOPPA

A

Delaware Online Privacy and Protection Act
1. Websites must post privacy policies, which must be conspicuous, identify the PII collected and third-party sharing, disclose how “do not track” requests are handled, and describe notification of changes to the privacy policy
2. Ebook providers must safeguard user information absent a court order or subpoena
3. Websites targeting children must restrict advertising (prohibited: alcohol/tobacco/drug paraphernalia, firearms/fireworks, tanning services, dietary supplements, lottery/gambling/body modification/sexually oriented material)

155
Q

Illinois Personal Information Protection Act

A

1. Implement reasonable security measures to protect PII of Illinois residents
2. Delete PII when no longer needed
3. Notify residents of data breaches affecting their PII

156
Q

SOPPA

A

Student Online Personal Protection Act (Illinois), similar to FERPA
* Parents have greater control of student information
* Requires data breach notification
* Applies both to government agencies and to educational technology companies

157
Q

Nevada SB 538

A

* Websites that collect any of the following PII are required to post a privacy policy. PII includes names, addresses, email addresses, phone numbers, SSNs, and any identifiers
* Notice requires 5 elements: 1. categories of PII collected; 2. the process to review and correct information; 3. the process for notifying users of policy changes; 4. disclosure of the use of third-party tracking services; 5. an effective date
* Violators are subject to fines of $5k

158
Q

Nevada SB 260

A

Expanded the law to cover data brokers who purchase PII

159
Q

NJPIPPA

A

The New Jersey Personal Information and Privacy Protection Act regulates the scanning of identification cards by retail establishments (with several reasonable exceptions), prohibits sharing information collected for other purposes, and requires that violations and breaches be reported to authorities.
* Includes a private right of action and fines up to $5k

160
Q

NYDFS

A

The New York State Department of Financial Services regulates banks, insurance companies, and financial service providers. Published a comprehensive cybersecurity regulation for affected industries.
* Requires all covered entities to create a risk-based cybersecurity program that addresses the confidentiality, integrity, and availability of security protocols
* Covered entities must designate a Chief Information Security Officer (CISO)

161
Q

VCDPA

A

Virginia Consumer Data Protection Act (2023)
* Applies to business conducted in Virginia and to residents of Virginia
* Exemptions: Virginia government, businesses subject to GLBA, orgs subject to HIPAA, nonprofits, secondary schools
* No private right of action

162
Q

Washington State’s biometric privacy law

A

Controls commercial use of biometric information.
* Excludes photo, video, and audio recordings
* Companies may not store collected biometric info absent notice, consent, and a mechanism preventing commercial use
* Limits sharing with third parties
* Collected biometric data must be protected against unauthorized access, disposed of when no longer needed, and used only for the agreed-upon purpose

163
Q

Does the federal government have a data breach notification law?

A

No.

164
Q

First and Last states to pass data breach notification laws.

A

California (1st) and Alabama (last)

165
Q

Tennessee SB 2005

A

* Includes encrypted information in the definition of PII
* Sets the data breach notice period to 14 days
* Data breach includes access by employees for illegal purposes

166
Q

Illinois HB 1260

A

Expands the definition of PII to include health records, biometric data, and usernames/passwords
* Removes the encryption safe harbor if the key was compromised

167
Q

California AB 2828

A

* Removes the encryption safe harbor if the key was compromised
* Allows businesses to delay notification of a breach at the request of law enforcement

168
Q

New Mexico HB 15

A

* Includes biometric data in the definition of PII
* Requires breach notification to the NM AG if more than 1000 residents are affected
* Exempts GLBA- and HIPAA-covered entities
* Requires secure data storage and disposal