Ch. 1: Introduction to the U.S. Privacy Environment Flashcards

Question 1

Q

What are the primary regulatory authorities that regulate privacy in the U.S.?

Answer

A

i. Federal Trade Commission (FTC)
ii. Federal Communications Commission (FCC)
iii. Department of Commerce (DoC)
iv. Department of Health and Human Services (HHS)
v. Banking Regulators

Question 2

Q

What are the primary banking regulators that regulate privacy in the U.S.?

Answer

A

i. Federal Reserve Board
ii. Comptroller of the Currency
iii. Consumer Financial Protection Bureau (CFPB)
iv. Federal Deposit Insurance Corporation (FDIC)
v. National Credit Union Administration

Question 3

Q

Federal Trade Commission (FTC)

Answer

A

General authority to enforce the rules against unfair and deceptive trade practices (including the power to bring deception enforcement actions where an individual has broken a privacy promise).

Lead agency for privacy enforcement
Protects consumers against unfair and deceptive practices
Enforces Children’s Online Privacy Protection Act (COPPA)
Lacks authority over financial institutions

Question 4

Q

Federal Communications Commission (FCC)

Answer

A

Summary: Regulates interstate and international communications providers

Detail: Places significant compliance regulations on and govern the communications industry, such as television, radio, and telemarketing, and more recently, with online marketing developing such laws as the Telemarketing Sales Rule and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act).

Question 5

Q

Department of Health and Human Services (HHS)

Answer

A

Creates regulations to protect the privacy and security of healthcare information. Responsible for enforcing HIPAA laws. The HHS shares rule-making and enforcement power with the FTC for data breaches related to medical records under the Health Information Technology for Economic and Clinical Healthcare Act (HI-TECH Act)

Question 6

Q

Federal Reserve Board (Fed)

Answer

A

Responsible for enforcing provisions of specific federal financial regulatory mandates, such as the Gramm-Leach-Bliley Act (GLBA)

Question 7

Q

Comptroller of the Currency

Answer

A

Regulates and supervises all national and federal banks and savings institutions, including agencies of foreign banks. Ensures fair access to financial services and compliance with financial privacy laws and regulations.

Question 8

Q

Consumer Financial Protection Bureau

Answer

A

Summary: Regulates how financial institutions handle personal information

Detail: An independent bureau under the Federal Reserve. CFPB has rule marking authority for laws related to financial privacy and oversees the relationship between consumers and financial products and services providers

Question 9

Q

State Attorney General

Answer

A

Chief legal advisor to the state government / state’s chief law enforcement officer. Authority to take enforcement action on a state’s unfair and deceptive practice law, HIPAA, GLBA, the Telemarketing Sales Rule, and violations of breach notification laws

Question 10

Q

Self-Regulation Model

Answer

A

Organizations that monitor privacy through internal privacy practices, frameworks/guidelines, policies and procedures, created and monitored by industry groups

Question 11

Q

Payment Card Industry Data Security Standard (PCI DSS)

Answer

A

One of the most successful self-regulatory frameworks ever

Question 12

Q

Trust Marks

Answer

A

Images or logos of third-party seal and certification programs that are displayed on websites to indicate that it has adopted the guidelines or a program and passed a security and privacy test

Question 13

Q

Criminal Liability

Answer

A

Violations of criminal law with charges by the government. Parties that include depriving someone of their liberty.

Question 14

Q

Mens rea

Answer

A

The mens rea standard requires that a person had criminal intent

Question 15

Q

Civil Liability

Answer

A

Failure to carry out a legal duty owed to another party. Charges brought to courts by the claimant.

Question 16

Q

What are the three categories of legal liability?

Answer

A

Legal Liability - contracts, torts, civil enforcement
Negligence
Strict Liability

Question 17

Q

Contract

Answer

A

Agreement by two parties. Made up of three parts: (1) Offer; (2) Acceptance; and (3) Consideration. Contracts are legally binding agreement between two parties and are enforceable in court.

Question 18

Q

What are the basic conditions of a contract?

Answer

A

i. Capacity to enter contract
ii. Offer
iii. Acceptance
iv. Consideration
v. Mutual intent to be bound.
vi. Breach of Contract – handled in civil court

Question 19

Q

Tort

Answer

A

Civil wrongs recognized by law as grounds for a lawsuit. These wrongs result in an injury or harm that constitutes a basis for a claim

Question 20

Q

Civil Enforcement

Answer

A

A person may sue based on a violation of a law when a law creates a private right of action

Question 21

Q

Negligence

Answer

A

An organization will be liable for damages if it breaches a legal duty to protect person information and an individual is harmed by that breach.

Question 22

Q

Negligence Liability Factors

Answer

A

Duty of care
Breach of duty
Damages
Causation

Question 23

Q

Invasion of Privacy

Answer

A

The violation of a person’s reasonable expectation to be left alone.

Question 24

Q

Four legal standards of an invasion of privacy

Answer

A

Invasion of solitude
Disclosure of private facts
False light
Appropriation

Question 25

Q

Strict Liability

Answer

A

Responsibility for actions even if they could not reasonably anticipate the adverse outcome.

Question 26

Q

Can practices be both unfair and deceptive?

Question 27

Q

Unfair Trade Practices

Answer

A

Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid.

Question 28

Q

What are the three requirements to be an unfair trade practice?

Answer

A

Must cause or be likely to cause substantial injury
Must not be reasonably avoidable
Must not be outweighed by the benefits

Question 29

Q

Deceptive Trade Practices

Answer

A

Corporate entities who mislead or misrepresent products or services to consumers and customers.

Question 30

Q

What are the three requirements to be a deceptive trade practice?

Answer

A

Must involve a misleading representation, omission, or practice
Must be analyzed from the perspective of a reasonable consumer
Must be material

Question 31

Q

Who brings forward state enforcement of unfair and/or deceptive trade practices?

Answer

A

The State Attorney General

Most states have similar laws to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. In addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.

Question 32

Q

Global Privacy Enforcement Network (GPEN)

Answer

A

GPEN is the Global Privacy Enforcement Network. It aims to promote cross border information sharing as well as investigation and enforcement cooperation among privacy authorities.

In summary, GPEN:
• Exchanges information about privacy issues
• Encourages sharing of enforcement expertise
• Promotes dialogue among enforcement groups
• Facilitates international cooperation
• Supports international privacy practices

Question 33

Q

What are the three traditional separation of power components for self-regulation?

Answer

A

i. Legislation – questions of who should define appropriate rules for the privacy
ii. Enforcement – questions of who should initiate enforcement actions
iii. Adjunction – who should decide whether a company has violated privacy rules and with what penalties. Within Section 5 of the FTC and UDAP laws, self-regulation occurs at the legislation stage as companies write their own privacy policies.

Question 34

Q

Data Inventory

Answer

A

Involves an inventory of PI (employee and customer) that the organization collects, stores, uses, or discloses. IT should document data location and flow as well as evaluate how, when, and with whom the organization shares such information and the means for data transfer and uses

Question 35

Q

Personally Identifiable Information (PII)

Answer

A

Any information that can be used to distinguish an individual’s identity or any information that is either linked or linkable to an individual.

Question 36

Q

What are some common activities in a business that involve PII?

Answer

A

o	New employee onboarding
o	Benefits program administration
o	Customer interactions
o	Independent contractor tax reporting
o	Walk the employee and customer journeys to identify other PII uses

Question 37

Q

What are some common components of a data inventory?

Answer

A

o	Name of business process
o	Reason for using PII
o	Legitimacy of use
o	Storage and transmission of PII
o	Access list
o	Third-party involvement

Question 38

Q

Data Classification

Answer

A

Classifying data according to its level of sensitivity. It should define the clearance of individuals who can access or handle the data, as well as the baseline level of protection that is appropriate for the data

Question 39

Q

Data Flow Mapping

Answer

A

The mapping and documenting of systems, applications, and processes handling data. Key employee interviews are a good starting point. Data Flow diagrams trace the PII journey.

Question 40

Q

Privacy Program Framework

Answer

A

An implementation roadmap that provides the structure or checklists (documented privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization.

Question 41

Q

What are some key components of a privacy program framework?

Answer

A

i. Establishes accountability for privacy practices.
ii. A Chief Privacy Officer has broad oversight over an organization’s privacy practices. Subordinate privacy officials may have authority over specific functions or subject areas
iii. Privacy is the responsibility of every employee who handles PII
iv. Privacy programs must track information related to privacy practices
v. Managing User Preferences

Question 42

Q

Managing User Preferences

Answer

A

Organizations must often obtain consent from individuals prior to collecting or using their PII.

Question 43

Q

What are the two ways consent are obtained?

Answer

A

Opt-In Consent
Opt-Out Consent

Many privacy regulations require opt-in consent.

Question 44

Q

Opt-In Consent

Answer

A

Affirmative consent takes place when the user explicitly agrees to a privacy practice

Question 45

Q

Opt-Out Consent

Answer

A

Implicit consent occurs when the user does not take action to explicitly deny consent

Question 46

Q

What are the five key components of an incident response program?

Answer

A

i. Policy and plan documentation
ii. Procedures for incident handling
iii. Guidelines for communicating externally
iv. Structure and staffing model for the team
v. Description of relationships with other groups

Question 47

Q

Workforce Training

Answer

A

Privacy education helps protect organizations from privacy risks.

Question 48

Q

Accountability

Answer

A

The responsibility to assure compliance with privacy laws and policies

Question 49

Q

Data Retention

Answer

A

Within information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose. Securely dispose of information when it is no longer needed.

Question 50

Q

Privacy notices

Answer

A

A statement made to a data subject that describes how an organization collects, uses, retains, and discloses PI. May be referred to as a privacy statement, a fair processing statement, or sometimes, a privacy policy.

Question 51

Q

Vendor Management

Answer

A

Vendor agreements should contain clear data ownership language

i. Data Ownership Provisions:
1. Customer retains uninhibited data ownership
2. Vendor’s right to use information is limited to activities performed on behalf of the customer
3. Vendor’s right to use information is limited o activities performed with the customer’s knowledge
4. Vendor must delete information at the end of the contract

Question 52

Q

EU - U.S. Safe Harbor Agreement

Answer

A

An agreement between the EU and US, invalidated by the Court of Justice of the EU in 2015, that allowed for the legal transfer of PI between the EU and US in absence of a comprehensive adequacy decision for the US. It was replaced by the EU-US Privacy Shield

Question 53

Q

Privacy Shield

Answer

A

Created in 2016 to replace the invalidated EU-US Safe Harbor agreement, the Privacy Shield is an adequacy agreement that allows for the transfer of personal data from the EU to the US for companies participating in the program. Only those companies that fall under the jurisdiction of the US FTC may certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions.

Question 54

Q

Binding Corporate Rules (BCRs)

Answer

A

An appropriate safe guard allowed by GDPR to facilitate cross-border transfers of PI between the various entities of a corporate group worldwide. They do so by ensuring that the same high-level of protection of personal data is complied with by all members of the organizational ground by means of a single set of binding, and enforcement rules.

Question 55

Q

Standard Contractual Clauses

Answer

A

Adopted either directly by the European Commission or by a supervisory authority. Contractual clauses or mechanisms by which organizations can commit to protect personal data to facilitate ongoing and systematic cross-border personal data transfers.

Question 56

Q

Certification Mechanisms

Answer

A

Introduced by GDPR, a new valid adequacy mechanism for the transfer of personal information outside of the EU in the absence of an adequacy decision and instead of other mechanisms such as BCRs or contractual clauses. Certification Mechanisms must be developed by certifying bodies, approved by data protection authorities or the European Data Protection Board, and have a methodology for auditing compliance.

Question 57

Q

Electronic Discovery (e-Discovery)

Answer

A

Requires civil litigants to turn over large volumes of a company’s electronic records in litigation

Question 58

Q

EU Data Protection Directive

Answer

A

Replaced by GDPR in 2018, the directive was adopted in 1995, effective in 1998 and was the first EU-wide legislation that protected individuals’ privacy and personal data use

Question 59

Q

GDPR requirements

Answer

A

Broad privacy law that regulates almost all personal information for EU residents.

Question 60

Q

APEC Privacy Framework

Answer

A

A set of non-binding principles adopted by APEC that mirror the OECD Fair Information Privacy Practices. They seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs
iii. Note: The details of GDPR and the APEC framework are outside the scope of CIPP/US. Just need to understand the high-level concept.

Question 61

Q

What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?

A. A consent decree
B. Stare decisis decree
C. A judgment rider
D. Common law judgment

Question 62

Q

Right to Financial Privacy Act of 1978

Answer

A

Summary:
1. Request must reasonably identify the records
2. Requests must be justified by one of the following:
o Customer authorization
o Admin subpoena or summons
o Judicial subpoena or summons
o Written law enforcement request
3. Agencies must provide the customers written notice of the request and wait 10 days from service or 14 days from mailing to access records

Detail:
Governs the release of customer financial information to federal government authorities. The act defines both the circumstances under which a financial institution can volunteer information about a customers’ financial records to federal government authorities and the applicable procedures and requirements to follow when the federal government is requesting customers’ financial information.

Question 63

Q

Bank Secrecy Act of 1970 (BSA)

Answer

A

Summary:

Requires financial institutions to maintain records for customer activity for five years
Currency Transaction Reports (CTR) – must report cash transactions totaling more than $10,000 in a single day
Suspicious Activity Report (SAR) – institutions must report suspected money laundering, or a customer is deliberately taking actions to miss the CTR limits.

Detail:
A US federal law that requires US financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasions, terrorist financing, and various other domestic and international criminal activities.

Question 64

Q

First privacy text in us

Answer

A

1890 HBS the right to privacy by Samuel Warren and Louis Brandeis

Answer 63

A

Fair credit reporting act

Answer 64

A

Fair and accurate credit transactions act

Answer 65

A

Gramm-leach-bliley act

Answer 66

A

Family educational rights and privacy act

Answer 67

A

Protection of pupil rights amendment

Answer 68

A

Children’s online privacy protection act

Answer 69

A

Art. 12 of Universal Declaration of Human rights in 1948

Answer 70

A

Art. 8 in European convention of human rights in 1950

Answer 71

A

Identified or identifiable individual

Answer 72

A

It is an internal statement governing privacy practices in a company.

Answer 73

A

Information
Bodily
Territorial
Communication

Answer 74

A

Privacy law
Data privacy law
Information privacy law

Answer 75

A

Data protection law

Answer 76

A

The right to be let alone

Answer 77

A

Establishing rules that govern the collection and handling of personal information

Answer 78

A

Financial information
Medical information
Government records
Internet activity records

Answer 79

A

A person’s physical being and any invasion thereof

Answer 80

A

Genetic testing
Drug testing
Body cavity searches
Birth control
Abortion
Adoption

Answer 81

A

Placing limits on the ability to intrude into another individual’s environment

Answer 82

A

Video surveillance

* ID checks

Answer 83

A

Protection of the means of correspondence

Answer 84

A

Postal mail

* Telephone conversations Email

Answer 85

A

The Justices of the Peace Act of 1361

Answer 86

A

The Third Amendment bans quartering of soldiers in a person’s home.
The Fourth Amendment requires a search warrant before the police can enter a home or business.
The Fourteenth Amendment requires due process under the law, including for intrusions into a person’s bodily autonomy.

Answer 87

A

Fair Information Practices (FIPs)

* Sometimes called fair information privacy practices or principles (FIPPs)

Answer 88

A

The 1973 U.S. Department of Health, Education and Welfare Fair Information Practice Principles
The 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (“OECD Guidelines”)
The 1981 Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (“Convention 108”)
The Asia-Pacific Economic Cooperation (APEC), which in 2004 agreed to a Privacy Framework
The 2009 Madrid Resolution—International Standards on the Protection of Personal Data and Privacy

Answer 89

A

FIPs are guidelines for handling, storing and managing data with privacy, security and fairness in an information society that is rapidly evolving.

Answer 90

A

Rights of individuals
Controls on the information
Information life cycle and management

Answer 91

A

Notice
Choice and consent
Data subject access

Answer 92

A

Organizations should provide notice about their privacy policies and procedures and should identify the purpose for which personal information is collected, used, retained and disclosed.

Answer 93

A

Organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information.

Answer 94

A

Consent is often considered especially important for disclosures of personal information to other data controllers.

Answer 95

A

Organizations should provide individuals with access to their personal information for review and update.

Brainscape's Knowledge GenomeTM

Ch. 1: Introduction to the U.S. Privacy Environment Flashcards

Brainscape's Knowledge Genome^TM