Ch. 1: Introduction to the U.S. Privacy Environment

Question 1

What are the primary regulatory authorities that regulate privacy in the U.S.?

Answer 1

i. Federal Trade Commission (FTC)
ii. Federal Communications Commission (FCC)
iii. Department of Commerce (DoC)
iv. Department of Health and Human Services (HHS)
v. Banking Regulators

Question 2

What are the primary banking regulators that regulate privacy in the U.S.?

Answer 2

i. Federal Reserve Board
ii. Comptroller of the Currency
iii. Consumer Financial Protection Bureau (CFPB)
iv. Federal Deposit Insurance Corporation (FDIC)
v. National Credit Union Administration

Question 3

Federal Trade Commission (FTC)

Answer 3

General authority to enforce the rules against unfair and deceptive trade practices (including the power to bring deception enforcement actions where an individual has broken a privacy promise).

1. Lead agency for privacy enforcement
2. Protects consumers against unfair and deceptive practices
3. Enforces Children’s Online Privacy Protection Act (COPPA)
4. Lacks authority over financial institutions

Question 4

Federal Communications Commission (FCC)

Answer 4

Summary: Regulates interstate and international communications providers

Detail: Places significant compliance regulations on and govern the communications industry, such as television, radio, and telemarketing, and more recently, with online marketing developing such laws as the Telemarketing Sales Rule and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act).

Question 5

Department of Health and Human Services (HHS)

Answer 5

Creates regulations to protect the privacy and security of healthcare information. Responsible for enforcing HIPAA laws. The HHS shares rule-making and enforcement power with the FTC for data breaches related to medical records under the Health Information Technology for Economic and Clinical Healthcare Act (HI-TECH Act)

Question 6

Federal Reserve Board (Fed)

Answer 6

Responsible for enforcing provisions of specific federal financial regulatory mandates, such as the Gramm-Leach-Bliley Act (GLBA)

Question 7

Comptroller of the Currency

Answer 7

Regulates and supervises all national and federal banks and savings institutions, including agencies of foreign banks. Ensures fair access to financial services and compliance with financial privacy laws and regulations.

Question 8

Consumer Financial Protection Bureau

Answer 8

Summary: Regulates how financial institutions handle personal information

Detail: An independent bureau under the Federal Reserve. CFPB has rule marking authority for laws related to financial privacy and oversees the relationship between consumers and financial products and services providers

Question 9

State Attorney General

Answer 9

Chief legal advisor to the state government / state’s chief law enforcement officer. Authority to take enforcement action on a state’s unfair and deceptive practice law, HIPAA, GLBA, the Telemarketing Sales Rule, and violations of breach notification laws

Question 10

Self-Regulation Model

Answer 10

Organizations that monitor privacy through internal privacy practices, frameworks/guidelines, policies and procedures, created and monitored by industry groups

Question 11

Payment Card Industry Data Security Standard (PCI DSS)

Answer 11

One of the most successful self-regulatory frameworks ever

Question 12

Trust Marks

Answer 12

Images or logos of third-party seal and certification programs that are displayed on websites to indicate that it has adopted the guidelines or a program and passed a security and privacy test

Question 13

Criminal Liability

Answer 13

Violations of criminal law with charges by the government. Parties that include depriving someone of their liberty.

Question 14

Mens rea

Answer 14

The mens rea standard requires that a person had criminal intent

Question 15

Civil Liability

Answer 15

Failure to carry out a legal duty owed to another party. Charges brought to courts by the claimant.

Question 16

What are the three categories of legal liability?

Answer 16

1. Legal Liability - contracts, torts, civil enforcement
2. Negligence
3. Strict Liability

Question 17

Contract

Answer 17

Agreement by two parties. Made up of three parts: (1) Offer; (2) Acceptance; and (3) Consideration. Contracts are legally binding agreement between two parties and are enforceable in court.

Question 18

What are the basic conditions of a contract?

Answer 18

i. Capacity to enter contract
ii. Offer
iii. Acceptance
iv. Consideration
v. Mutual intent to be bound.
vi. Breach of Contract – handled in civil court

Question 19

Tort

Answer 19

Civil wrongs recognized by law as grounds for a lawsuit. These wrongs result in an injury or harm that constitutes a basis for a claim

Question 20

Civil Enforcement

Answer 20

A person may sue based on a violation of a law when a law creates a private right of action

Question 21

Negligence

Answer 21

An organization will be liable for damages if it breaches a legal duty to protect person information and an individual is harmed by that breach.

Question 22

Negligence Liability Factors

Answer 22

1. Duty of care
2. Breach of duty
3. Damages
4. Causation

Question 23

Invasion of Privacy

Answer 23

The violation of a person’s reasonable expectation to be left alone.

Question 24

Four legal standards of an invasion of privacy

Answer 24

1. Invasion of solitude
2. Disclosure of private facts
3. False light
4. Appropriation

Question 25

Strict Liability

Answer 25

Responsibility for actions even if they could not reasonably anticipate the adverse outcome.

Question 26

Can practices be both unfair and deceptive?

Answer 26

Yes.

Question 27

Unfair Trade Practices

Answer 27

Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid.

Question 28

What are the three requirements to be an unfair trade practice?

Answer 28

1. Must cause or be likely to cause substantial injury 2. Must not be reasonably avoidable 3. Must not be outweighed by the benefits

Question 29

Deceptive Trade Practices

Answer 29

Corporate entities who mislead or misrepresent products or services to consumers and customers.

Question 30

What are the three requirements to be a deceptive trade practice?

Answer 30

1. Must involve a misleading representation, omission, or practice 2. Must be analyzed from the perspective of a reasonable consumer 3. Must be material

Question 31

Who brings forward state enforcement of unfair and/or deceptive trade practices?

Answer 31

The State Attorney General Most states have similar laws to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. In addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.

Question 32

Global Privacy Enforcement Network (GPEN)

Answer 32

GPEN is the Global Privacy Enforcement Network. It aims to promote cross border information sharing as well as investigation and enforcement cooperation among privacy authorities. In summary, GPEN: • Exchanges information about privacy issues • Encourages sharing of enforcement expertise • Promotes dialogue among enforcement groups • Facilitates international cooperation • Supports international privacy practices

Question 33

What are the three traditional separation of power components for self-regulation?

Answer 33

i. Legislation – questions of who should define appropriate rules for the privacy ii. Enforcement – questions of who should initiate enforcement actions iii. Adjunction – who should decide whether a company has violated privacy rules and with what penalties. Within Section 5 of the FTC and UDAP laws, self-regulation occurs at the legislation stage as companies write their own privacy policies.

Question 34

Data Inventory

Answer 34

Involves an inventory of PI (employee and customer) that the organization collects, stores, uses, or discloses. IT should document data location and flow as well as evaluate how, when, and with whom the organization shares such information and the means for data transfer and uses

Question 35

Personally Identifiable Information (PII)

Answer 35

Any information that can be used to distinguish an individual’s identity or any information that is either linked or linkable to an individual.

Question 36

What are some common activities in a business that involve PII?

Answer 36

``` o New employee onboarding o Benefits program administration o Customer interactions o Independent contractor tax reporting o Walk the employee and customer journeys to identify other PII uses ```

Question 37

What are some common components of a data inventory?

Answer 37

``` o Name of business process o Reason for using PII o Legitimacy of use o Storage and transmission of PII o Access list o Third-party involvement ```

Question 38

Data Classification

Answer 38

Classifying data according to its level of sensitivity. It should define the clearance of individuals who can access or handle the data, as well as the baseline level of protection that is appropriate for the data

Question 39

Data Flow Mapping

Answer 39

The mapping and documenting of systems, applications, and processes handling data. Key employee interviews are a good starting point. Data Flow diagrams trace the PII journey.

Question 40

Privacy Program Framework

Answer 40

An implementation roadmap that provides the structure or checklists (documented privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization.

Question 41

What are some key components of a privacy program framework?

Answer 41

i. Establishes accountability for privacy practices. ii. A Chief Privacy Officer has broad oversight over an organization’s privacy practices. Subordinate privacy officials may have authority over specific functions or subject areas iii. Privacy is the responsibility of every employee who handles PII iv. Privacy programs must track information related to privacy practices v. Managing User Preferences

Question 42

Managing User Preferences

Answer 42

Organizations must often obtain consent from individuals prior to collecting or using their PII.

Question 43

What are the two ways consent are obtained?

Answer 43

1. Opt-In Consent 2. Opt-Out Consent Many privacy regulations require opt-in consent.

Question 44

Opt-In Consent

Answer 44

Affirmative consent takes place when the user explicitly agrees to a privacy practice

Question 45

Opt-Out Consent

Answer 45

Implicit consent occurs when the user does not take action to explicitly deny consent

Question 46

What are the five key components of an incident response program?

Answer 46

i. Policy and plan documentation ii. Procedures for incident handling iii. Guidelines for communicating externally iv. Structure and staffing model for the team v. Description of relationships with other groups

Question 47

Workforce Training

Answer 47

Privacy education helps protect organizations from privacy risks.

Question 48

Accountability

Answer 48

The responsibility to assure compliance with privacy laws and policies

Question 49

Data Retention

Answer 49

Within information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose. Securely dispose of information when it is no longer needed.

Question 50

Privacy notices

Answer 50

A statement made to a data subject that describes how an organization collects, uses, retains, and discloses PI. May be referred to as a privacy statement, a fair processing statement, or sometimes, a privacy policy.

Question 51

Vendor Management

Answer 51

Vendor agreements should contain clear data ownership language i. Data Ownership Provisions: 1. Customer retains uninhibited data ownership 2. Vendor’s right to use information is limited to activities performed on behalf of the customer 3. Vendor’s right to use information is limited o activities performed with the customer’s knowledge 4. Vendor must delete information at the end of the contract

Question 52

EU - U.S. Safe Harbor Agreement

Answer 52

An agreement between the EU and US, invalidated by the Court of Justice of the EU in 2015, that allowed for the legal transfer of PI between the EU and US in absence of a comprehensive adequacy decision for the US. It was replaced by the EU-US Privacy Shield

Question 53

Privacy Shield

Answer 53

Created in 2016 to replace the invalidated EU-US Safe Harbor agreement, the Privacy Shield is an adequacy agreement that allows for the transfer of personal data from the EU to the US for companies participating in the program. Only those companies that fall under the jurisdiction of the US FTC may certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions.

Question 54

Binding Corporate Rules (BCRs)

Answer 54

An appropriate safe guard allowed by GDPR to facilitate cross-border transfers of PI between the various entities of a corporate group worldwide. They do so by ensuring that the same high-level of protection of personal data is complied with by all members of the organizational ground by means of a single set of binding, and enforcement rules.

Question 55

Standard Contractual Clauses

Answer 55

Adopted either directly by the European Commission or by a supervisory authority. Contractual clauses or mechanisms by which organizations can commit to protect personal data to facilitate ongoing and systematic cross-border personal data transfers.

Question 56

Certification Mechanisms

Answer 56

Introduced by GDPR, a new valid adequacy mechanism for the transfer of personal information outside of the EU in the absence of an adequacy decision and instead of other mechanisms such as BCRs or contractual clauses. Certification Mechanisms must be developed by certifying bodies, approved by data protection authorities or the European Data Protection Board, and have a methodology for auditing compliance.

Question 57

Electronic Discovery (e-Discovery)

Answer 57

Requires civil litigants to turn over large volumes of a company’s electronic records in litigation

Question 58

EU Data Protection Directive

Answer 58

Replaced by GDPR in 2018, the directive was adopted in 1995, effective in 1998 and was the first EU-wide legislation that protected individuals’ privacy and personal data use

Question 59

GDPR requirements

Answer 59

Broad privacy law that regulates almost all personal information for EU residents.

Question 60

APEC Privacy Framework

Answer 60

A set of non-binding principles adopted by APEC that mirror the OECD Fair Information Privacy Practices. They seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs iii. Note: The details of GDPR and the APEC framework are outside the scope of CIPP/US. Just need to understand the high-level concept.

Question 61

What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called? A. A consent decree B. Stare decisis decree C. A judgment rider D. Common law judgment

Question 62

Right to Financial Privacy Act of 1978

Answer 62

Summary: 1. Request must reasonably identify the records 2. Requests must be justified by one of the following: o Customer authorization o Admin subpoena or summons o Judicial subpoena or summons o Written law enforcement request 3. Agencies must provide the customers written notice of the request and wait 10 days from service or 14 days from mailing to access records Detail: Governs the release of customer financial information to federal government authorities. The act defines both the circumstances under which a financial institution can volunteer information about a customers’ financial records to federal government authorities and the applicable procedures and requirements to follow when the federal government is requesting customers’ financial information.

Question 63

Bank Secrecy Act of 1970 (BSA)

Answer 63

Summary: 1. Requires financial institutions to maintain records for customer activity for five years 2. Currency Transaction Reports (CTR) – must report cash transactions totaling more than $10,000 in a single day 3. Suspicious Activity Report (SAR) – institutions must report suspected money laundering, or a customer is deliberately taking actions to miss the CTR limits. Detail: A US federal law that requires US financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasions, terrorist financing, and various other domestic and international criminal activities.

Question 64

First privacy text in us

Answer 64

1890 HBS the right to privacy by Samuel Warren and Louis Brandeis

Question 65

FCRA

Answer 65

Fair credit reporting act

Question 66

FACTA

Answer 66

Fair and accurate credit transactions act

Question 67

GLBA

Answer 67

Gramm-leach-bliley act

Question 68

FERPA

Answer 68

Family educational rights and privacy act

Question 69

PPRA

Answer 69

Protection of pupil rights amendment

Question 70

COPPA

Answer 70

Children's online privacy protection act

Question 71

When did UN take privacy into account?

Answer 71

Art. 12 of Universal Declaration of Human rights in 1948

Question 72

When was the FCRA?

Answer 72

1970

Question 73

When US DoH FIPS?

Answer 73

1973

Question 74

When did Europe take privacy into account?

Answer 74

Art. 8 in European convention of human rights in 1950

Question 75

What is personal data?

Answer 75

Identified or identifiable individual

Question 76

What is a privacy policy?

Answer 76

It is an internal statement governing privacy practices in a company.

Question 77

What are the four classes of privacy?

Answer 77

Information Bodily Territorial Communication

Question 78

In the US and other countries, laws about the protection of information about individuals is known as what?

Answer 78

* Privacy law * Data privacy law * Information privacy law

Question 79

In the EU and other countries, laws about the protection of information about individuals is known as what?

Answer 79

Data protection law

Question 80

How did Samuel Warren and Louis Brandeis define privacy in their 1890 Harvard Law Review article, "The Right to Privacy"?

Answer 80

The right to be let alone

Question 81

What is information privacy concerned with?

Answer 81

Establishing rules that govern the collection and handling of personal information

Question 82

What are some examples of data covered under information privacy?

Answer 82

* Financial information * Medical information * Government records * Internet activity records

Question 83

What is bodily privacy concerned with?

Answer 83

A person’s physical being and any invasion thereof

Question 84

What are some examples of data covered under bodily privacy?

Answer 84

* Genetic testing * Drug testing * Body cavity searches * Birth control * Abortion * Adoption

Question 85

What is territorial privacy concerned with?

Answer 85

Placing limits on the ability to intrude into another individual’s environment

Question 86

What are some examples of data covered under territorial privacy?

Answer 86

* Video surveillance | * ID checks

Question 87

What is communications privacy concerned with?

Answer 87

Protection of the means of correspondence

Question 88

What are some examples of data covered under communications privacy?

Answer 88

* Postal mail | * Telephone conversations Email

Question 89

What English Act called for the arrest of "peeping Toms" and eavesdroppers?

Answer 89

The Justices of the Peace Act of 1361

Question 90

Which US Constitutional Amendments indirectly address privacy?

Answer 90

* The Third Amendment bans quartering of soldiers in a person's home. * The Fourth Amendment requires a search warrant before the police can enter a home or business. * The Fourteenth Amendment requires due process under the law, including for intrusions into a person's bodily autonomy.

Question 91

In what year did the California add an explicit "right to privacy" guarantee to the California Constitution?

Answer 91

1974

Question 92

In what year did the General Assembly of the United Nations adopt and proclaim the Universal Declaration of Human Rights, which formally announced that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence”?

Answer 92

1948

Question 93

What type of practices have been a significant means for organizing the multiple individual rights and organizational responsibilities that exist with respect to personal information?

Answer 93

* Fair Information Practices (FIPs) | * Sometimes called fair information privacy practices or principles (FIPPs)

Question 94

What are 5 examples of codifications of Fair Information Practices (FIPs)?

Answer 94

* The 1973 U.S. Department of Health, Education and Welfare Fair Information Practice Principles * The 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (“OECD Guidelines”) * The 1981 Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (“Convention 108”) * The Asia-Pacific Economic Cooperation (APEC), which in 2004 agreed to a Privacy Framework * The 2009 Madrid Resolution—International Standards on the Protection of Personal Data and Privacy

Question 95

What is a Fair Information Practices (FIP)?

Answer 95

FIPs are guidelines for handling, storing and managing data with privacy, security and fairness in an information society that is rapidly evolving.

Question 96

What are the four categories of Fair Information Practices (FIP)?

Answer 96

* Rights of individuals * Controls on the information * Information life cycle and management

Question 97

With regard to the rights of individuals, what should organizations address?

Answer 97

* Notice * Choice and consent * Data subject access

Question 98

When it comes to the rights of individuals, what kinds of notice should organizations provide?

Answer 98

Organizations should provide notice about their privacy policies and procedures and should identify the purpose for which personal information is collected, used, retained and disclosed.

Question 99

When it comes to the rights of individuals, what should organizations do with respect to choice and consent?

Answer 99

Organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information.

Question 100

When it comes to the rights of individuals, which is consent especially important>

Answer 100

Consent is often considered especially important for disclosures of personal information to other data controllers.

Question 101

When it comes to the rights of individuals, what should organizations do with respect to data subject access?

Answer 101

Organizations should provide individuals with access to their personal information for review and update.