Ch. 1: Introduction to the U.S. Privacy Environment Flashcards
What are the primary regulatory authorities that regulate privacy in the U.S.?
i. Federal Trade Commission (FTC)
ii. Federal Communications Commission (FCC)
iii. Department of Commerce (DoC)
iv. Department of Health and Human Services (HHS)
v. Banking Regulators
What are the primary banking regulators that regulate privacy in the U.S.?
i. Federal Reserve Board
ii. Comptroller of the Currency
iii. Consumer Financial Protection Bureau (CFPB)
iv. Federal Deposit Insurance Corporation (FDIC)
v. National Credit Union Administration
Federal Trade Commission (FTC)
General authority to enforce the rules against unfair and deceptive trade practices (including the power to bring deception enforcement actions where an individual has broken a privacy promise).
- Lead agency for privacy enforcement
- Protects consumers against unfair and deceptive practices
- Enforces Children’s Online Privacy Protection Act (COPPA)
- Lacks authority over financial institutions
Federal Communications Commission (FCC)
Summary: Regulates interstate and international communications providers
Detail: Places significant compliance regulations on and govern the communications industry, such as television, radio, and telemarketing, and more recently, with online marketing developing such laws as the Telemarketing Sales Rule and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act).
Department of Health and Human Services (HHS)
Creates regulations to protect the privacy and security of healthcare information. Responsible for enforcing HIPAA laws. The HHS shares rule-making and enforcement power with the FTC for data breaches related to medical records under the Health Information Technology for Economic and Clinical Healthcare Act (HI-TECH Act)
Federal Reserve Board (Fed)
Responsible for enforcing provisions of specific federal financial regulatory mandates, such as the Gramm-Leach-Bliley Act (GLBA)
Comptroller of the Currency
Regulates and supervises all national and federal banks and savings institutions, including agencies of foreign banks. Ensures fair access to financial services and compliance with financial privacy laws and regulations.
Consumer Financial Protection Bureau
Summary: Regulates how financial institutions handle personal information
Detail: An independent bureau under the Federal Reserve. CFPB has rule marking authority for laws related to financial privacy and oversees the relationship between consumers and financial products and services providers
State Attorney General
Chief legal advisor to the state government / state’s chief law enforcement officer. Authority to take enforcement action on a state’s unfair and deceptive practice law, HIPAA, GLBA, the Telemarketing Sales Rule, and violations of breach notification laws
Self-Regulation Model
Organizations that monitor privacy through internal privacy practices, frameworks/guidelines, policies and procedures, created and monitored by industry groups
Payment Card Industry Data Security Standard (PCI DSS)
One of the most successful self-regulatory frameworks ever
Trust Marks
Images or logos of third-party seal and certification programs that are displayed on websites to indicate that it has adopted the guidelines or a program and passed a security and privacy test
Criminal Liability
Violations of criminal law with charges by the government. Parties that include depriving someone of their liberty.
Mens rea
The mens rea standard requires that a person had criminal intent
Civil Liability
Failure to carry out a legal duty owed to another party. Charges brought to courts by the claimant.
What are the three categories of legal liability?
- Legal Liability - contracts, torts, civil enforcement
- Negligence
- Strict Liability
Contract
Agreement by two parties. Made up of three parts: (1) Offer; (2) Acceptance; and (3) Consideration. Contracts are legally binding agreement between two parties and are enforceable in court.
What are the basic conditions of a contract?
i. Capacity to enter contract
ii. Offer
iii. Acceptance
iv. Consideration
v. Mutual intent to be bound.
vi. Breach of Contract – handled in civil court
Tort
Civil wrongs recognized by law as grounds for a lawsuit. These wrongs result in an injury or harm that constitutes a basis for a claim
Civil Enforcement
A person may sue based on a violation of a law when a law creates a private right of action
Negligence
An organization will be liable for damages if it breaches a legal duty to protect person information and an individual is harmed by that breach.
Negligence Liability Factors
- Duty of care
- Breach of duty
- Damages
- Causation
Invasion of Privacy
The violation of a person’s reasonable expectation to be left alone.
Four legal standards of an invasion of privacy
- Invasion of solitude
- Disclosure of private facts
- False light
- Appropriation
Strict Liability
Responsibility for actions even if they could not reasonably anticipate the adverse outcome.
Can practices be both unfair and deceptive?
Yes.
Unfair Trade Practices
Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid.
What are the three requirements to be an unfair trade practice?
- Must cause or be likely to cause substantial injury
- Must not be reasonably avoidable
- Must not be outweighed by the benefits
Deceptive Trade Practices
Corporate entities who mislead or misrepresent products or services to consumers and customers.
What are the three requirements to be a deceptive trade practice?
- Must involve a misleading representation, omission, or practice
- Must be analyzed from the perspective of a reasonable consumer
- Must be material
Who brings forward state enforcement of unfair and/or deceptive trade practices?
The State Attorney General
Most states have similar laws to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. In addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.
Global Privacy Enforcement Network (GPEN)
GPEN is the Global Privacy Enforcement Network. It aims to promote cross border information sharing as well as investigation and enforcement cooperation among privacy authorities.
In summary, GPEN:
• Exchanges information about privacy issues
• Encourages sharing of enforcement expertise
• Promotes dialogue among enforcement groups
• Facilitates international cooperation
• Supports international privacy practices
What are the three traditional separation of power components for self-regulation?
i. Legislation – questions of who should define appropriate rules for the privacy
ii. Enforcement – questions of who should initiate enforcement actions
iii. Adjunction – who should decide whether a company has violated privacy rules and with what penalties. Within Section 5 of the FTC and UDAP laws, self-regulation occurs at the legislation stage as companies write their own privacy policies.
Data Inventory
Involves an inventory of PI (employee and customer) that the organization collects, stores, uses, or discloses. IT should document data location and flow as well as evaluate how, when, and with whom the organization shares such information and the means for data transfer and uses
Personally Identifiable Information (PII)
Any information that can be used to distinguish an individual’s identity or any information that is either linked or linkable to an individual.
What are some common activities in a business that involve PII?
o New employee onboarding o Benefits program administration o Customer interactions o Independent contractor tax reporting o Walk the employee and customer journeys to identify other PII uses
What are some common components of a data inventory?
o Name of business process o Reason for using PII o Legitimacy of use o Storage and transmission of PII o Access list o Third-party involvement
Data Classification
Classifying data according to its level of sensitivity. It should define the clearance of individuals who can access or handle the data, as well as the baseline level of protection that is appropriate for the data
Data Flow Mapping
The mapping and documenting of systems, applications, and processes handling data. Key employee interviews are a good starting point. Data Flow diagrams trace the PII journey.
Privacy Program Framework
An implementation roadmap that provides the structure or checklists (documented privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization.
What are some key components of a privacy program framework?
i. Establishes accountability for privacy practices.
ii. A Chief Privacy Officer has broad oversight over an organization’s privacy practices. Subordinate privacy officials may have authority over specific functions or subject areas
iii. Privacy is the responsibility of every employee who handles PII
iv. Privacy programs must track information related to privacy practices
v. Managing User Preferences
Managing User Preferences
Organizations must often obtain consent from individuals prior to collecting or using their PII.
What are the two ways consent are obtained?
- Opt-In Consent
- Opt-Out Consent
Many privacy regulations require opt-in consent.
Opt-In Consent
Affirmative consent takes place when the user explicitly agrees to a privacy practice
Opt-Out Consent
Implicit consent occurs when the user does not take action to explicitly deny consent
What are the five key components of an incident response program?
i. Policy and plan documentation
ii. Procedures for incident handling
iii. Guidelines for communicating externally
iv. Structure and staffing model for the team
v. Description of relationships with other groups
Workforce Training
Privacy education helps protect organizations from privacy risks.
Accountability
The responsibility to assure compliance with privacy laws and policies
Data Retention
Within information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose. Securely dispose of information when it is no longer needed.
Privacy notices
A statement made to a data subject that describes how an organization collects, uses, retains, and discloses PI. May be referred to as a privacy statement, a fair processing statement, or sometimes, a privacy policy.
Vendor Management
Vendor agreements should contain clear data ownership language
i. Data Ownership Provisions:
1. Customer retains uninhibited data ownership
2. Vendor’s right to use information is limited to activities performed on behalf of the customer
3. Vendor’s right to use information is limited o activities performed with the customer’s knowledge
4. Vendor must delete information at the end of the contract
EU - U.S. Safe Harbor Agreement
An agreement between the EU and US, invalidated by the Court of Justice of the EU in 2015, that allowed for the legal transfer of PI between the EU and US in absence of a comprehensive adequacy decision for the US. It was replaced by the EU-US Privacy Shield
Privacy Shield
Created in 2016 to replace the invalidated EU-US Safe Harbor agreement, the Privacy Shield is an adequacy agreement that allows for the transfer of personal data from the EU to the US for companies participating in the program. Only those companies that fall under the jurisdiction of the US FTC may certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions.
Binding Corporate Rules (BCRs)
An appropriate safe guard allowed by GDPR to facilitate cross-border transfers of PI between the various entities of a corporate group worldwide. They do so by ensuring that the same high-level of protection of personal data is complied with by all members of the organizational ground by means of a single set of binding, and enforcement rules.
Standard Contractual Clauses
Adopted either directly by the European Commission or by a supervisory authority. Contractual clauses or mechanisms by which organizations can commit to protect personal data to facilitate ongoing and systematic cross-border personal data transfers.
Certification Mechanisms
Introduced by GDPR, a new valid adequacy mechanism for the transfer of personal information outside of the EU in the absence of an adequacy decision and instead of other mechanisms such as BCRs or contractual clauses. Certification Mechanisms must be developed by certifying bodies, approved by data protection authorities or the European Data Protection Board, and have a methodology for auditing compliance.
Electronic Discovery (e-Discovery)
Requires civil litigants to turn over large volumes of a company’s electronic records in litigation
EU Data Protection Directive
Replaced by GDPR in 2018, the directive was adopted in 1995, effective in 1998 and was the first EU-wide legislation that protected individuals’ privacy and personal data use
GDPR requirements
Broad privacy law that regulates almost all personal information for EU residents.
APEC Privacy Framework
A set of non-binding principles adopted by APEC that mirror the OECD Fair Information Privacy Practices. They seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs
iii. Note: The details of GDPR and the APEC framework are outside the scope of CIPP/US. Just need to understand the high-level concept.
What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?
A. A consent decree
B. Stare decisis decree
C. A judgment rider
D. Common law judgment
Right to Financial Privacy Act of 1978
Summary:
1. Request must reasonably identify the records
2. Requests must be justified by one of the following:
o Customer authorization
o Admin subpoena or summons
o Judicial subpoena or summons
o Written law enforcement request
3. Agencies must provide the customers written notice of the request and wait 10 days from service or 14 days from mailing to access records
Detail:
Governs the release of customer financial information to federal government authorities. The act defines both the circumstances under which a financial institution can volunteer information about a customers’ financial records to federal government authorities and the applicable procedures and requirements to follow when the federal government is requesting customers’ financial information.
Bank Secrecy Act of 1970 (BSA)
Summary:
- Requires financial institutions to maintain records for customer activity for five years
- Currency Transaction Reports (CTR) – must report cash transactions totaling more than $10,000 in a single day
- Suspicious Activity Report (SAR) – institutions must report suspected money laundering, or a customer is deliberately taking actions to miss the CTR limits.
Detail:
A US federal law that requires US financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasions, terrorist financing, and various other domestic and international criminal activities.
First privacy text in us
1890 HBS the right to privacy by Samuel Warren and Louis Brandeis
FCRA
Fair credit reporting act
FACTA
Fair and accurate credit transactions act
GLBA
Gramm-leach-bliley act
FERPA
Family educational rights and privacy act
PPRA
Protection of pupil rights amendment
COPPA
Children’s online privacy protection act
When did UN take privacy into account?
Art. 12 of Universal Declaration of Human rights in 1948
When was the FCRA?
1970
When US DoH FIPS?
1973
When did Europe take privacy into account?
Art. 8 in European convention of human rights in 1950
What is personal data?
Identified or identifiable individual
What is a privacy policy?
It is an internal statement governing privacy practices in a company.
What are the four classes of privacy?
Information
Bodily
Territorial
Communication
In the US and other countries, laws about the protection of information about individuals is known as what?
- Privacy law
- Data privacy law
- Information privacy law
In the EU and other countries, laws about the protection of information about individuals is known as what?
Data protection law
How did Samuel Warren and Louis Brandeis define privacy in their 1890 Harvard Law Review article, “The Right to Privacy”?
The right to be let alone
What is information privacy concerned with?
Establishing rules that govern the collection and handling of personal information
What are some examples of data covered under information privacy?
- Financial information
- Medical information
- Government records
- Internet activity records
What is bodily privacy concerned with?
A person’s physical being and any invasion thereof
What are some examples of data covered under bodily privacy?
- Genetic testing
- Drug testing
- Body cavity searches
- Birth control
- Abortion
- Adoption
What is territorial privacy concerned with?
Placing limits on the ability to intrude into another individual’s environment
What are some examples of data covered under territorial privacy?
- Video surveillance
* ID checks
What is communications privacy concerned with?
Protection of the means of correspondence
What are some examples of data covered under communications privacy?
- Postal mail
* Telephone conversations Email
What English Act called for the arrest of “peeping Toms” and eavesdroppers?
The Justices of the Peace Act of 1361
Which US Constitutional Amendments indirectly address privacy?
- The Third Amendment bans quartering of soldiers in a person’s home.
- The Fourth Amendment requires a search warrant before the police can enter a home or business.
- The Fourteenth Amendment requires due process under the law, including for intrusions into a person’s bodily autonomy.
In what year did the California add an explicit “right to privacy” guarantee to the California Constitution?
1974
In what year did the General Assembly of the United Nations adopt and proclaim the Universal Declaration of Human Rights, which formally announced that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence”?
1948
What type of practices have been a significant means for organizing the multiple individual rights and organizational responsibilities that exist with respect to personal information?
- Fair Information Practices (FIPs)
* Sometimes called fair information privacy practices or principles (FIPPs)
What are 5 examples of codifications of Fair Information Practices (FIPs)?
- The 1973 U.S. Department of Health, Education and Welfare Fair Information Practice Principles
- The 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (“OECD Guidelines”)
- The 1981 Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (“Convention 108”)
- The Asia-Pacific Economic Cooperation (APEC), which in 2004 agreed to a Privacy Framework
- The 2009 Madrid Resolution—International Standards on the Protection of Personal Data and Privacy
What is a Fair Information Practices (FIP)?
FIPs are guidelines for handling, storing and managing data with privacy, security and fairness in an information society that is rapidly evolving.
What are the four categories of Fair Information Practices (FIP)?
- Rights of individuals
- Controls on the information
- Information life cycle and management
With regard to the rights of individuals, what should organizations address?
- Notice
- Choice and consent
- Data subject access
When it comes to the rights of individuals, what kinds of notice should organizations provide?
Organizations should provide notice about their privacy policies and procedures and should identify the purpose for which personal information is collected, used, retained and disclosed.
When it comes to the rights of individuals, what should organizations do with respect to choice and consent?
Organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information.
When it comes to the rights of individuals, which is consent especially important>
Consent is often considered especially important for disclosures of personal information to other data controllers.
When it comes to the rights of individuals, what should organizations do with respect to data subject access?
Organizations should provide individuals with access to their personal information for review and update.
