Ch 12 - Privacy Issues - Civil Litigation & Gov't Investigations Flashcards
1
Q
What are 5 elements of a good Information Management Plan for responding to discovery requests?
A
An Information Management Plan should include:
- when or under what conditions private information can be disclosed;
- how private information can be disclosed;
- any required organizational authorizations required for releasing private information;
- audit trails; and
- IT systems implementation.
2
Q
What amendment offers U.S. citizens protection over unreasonable searches and seizures?
A
The U.S. Constitution offers citizens protection against unreasonable searches and seizures in the 4th Amendment.
3
Q
What is a 4th Amendment search warrant?
A
A search warrant for probable cause that a crime has been, or will be, committed.
4
Q
What are the 4 required conditions for obtaining a valid 4th Amendment search warrant?
A
The warrant must:
(1) be filed in good faith by a law enforcement officer;
(2) be based on reliable information showing probable cause to search;
(3) be issued by a neutral and detached magistrate; and
(4) state specifically the place to be searched and the items to be seized.
5
Q
Generally, under what conditions may a wiretap be obtained?
a. Fourth Amendment probable cause
b. All other alternatives for obtaining the information have been exhausted
c. Law enforcement wants to monitor a suspect’s conversations
d. a and b
A
d. a and b
6
Q
Which of the following is a big challenge when responding to discovery requests?
a. Providing information based on a specific request
b. Finding all the data requested
c. Providing too much or too little information
d. None of the above
A
c. Providing too much or too little information.
7
Q
What are some examples of reporting requirements by federal regulation or law?
A
Examples of reporting to government agencies:
- BSA reporting of suspicious financial activities related to terrorism or money laundering;
- FDA reporting by regulated industries (drug manufacturers, health professionals) for serious adverse events; product problems, medication errors;
- OSHA reporting by employers of workplace injuries/illnesses;
- State reporting regarding certain injuries/medical conditions;
- HIPAA reporting permitted to other agencies when required by law.
8
Q
What is the purpose of the Right to Financial Privacy Act (RFPA)?
A
The Right to Financial Privacy Act regulates the disclosure of personal information by financial institutions to federal government agencies requesting the information.
9
Q
What is the purpose of the Electronic Communications Privacy Act?
a. Changes the privacy requirements for electronic communications such as email
b. Extends prohibition of wiretaps on phone calls to include electronic communication such as email
c. Provides clarity that electronic communications have always been included in coverage
d. All of the above
A
b. Extends prohibition of wiretaps on phone calls to include electronic communication such as email
10
Q
Which of the following types of surveillance on wire communications are included in the scope of the Title III of the Omnibus Crime Control and Safe Streets Act of 1968?
a. Aural communication made through a network, such as phone calls
b. Oral communications such as hidden bugs or microphones
c. Electronic communications, such as emails, that are not wire or oral communications
d. All of the above
A
d. All of the above
Title III generally applies to surveillance on wire communications, including:
- aural communication made through a network, such as phone calls;
- oral communications, such as hidden bugs or microphones,
- electronic communications, such as emails, that are not wire or oral communications.
11
Q
When is a communication considered to be subject to a search warrant?
a. When the persons involved in the communication have no expectation of privacy
b. When the persons involved in the communication have a reasonable expectation of privacy
c. When the persons involved in the communication state something openly in public
d. None of the above
A
b. When the persons involved in the communication have a reasonable expectation of privacy
12
Q
What is the “reasonable expectation of privacy” test?
A
The outcome of the 1967 Katz v. U.S. case in which there was a concurring opinion stated by Justice John Marshall Harlan:
- the person has exhibited an actual expectation of privacy, and
- the expectation is one that society is prepared to recognize as ‘reasonable.’
13
Q
What are some exceptions to the 4th Amendment requirement to obtain a warrant where a reasonable expectation of privacy exists?
A
- “In public” rule: what a person knowingly exposes to the public;
- “Third-party” rule: information a person puts into the hands of someone else.
14
Q
When is the “reasonable expectation of privacy” test used?
A
To determine whether information that was obtained without a warrant is admissible evidence.
15
Q
Which of the following best describes what “discovery” means in litigation?
a. Exchange of legal information and known facts of a case disclosed in a lawsuit during the trial
b. Exchange of legal information and known facts of a case disclosed in the rules of civil and criminal procedure
c. Exchange of legal information and known facts of a case disclosed in a lawsuit before trial
d. None of the above
A
c. Exchange of legal information and known facts of a case disclosed in a lawsuit before trial
16
Q
What is a subpoena?
A
A subpoena is a written instruction to produce a witness or records.
17
Q
What are the 4 requirements of a subpoena under Federal Rule of Civil Procedure 45?
A
Federal Rule of Civil Procedure 45 requires that the subpoena:
- state which court issued it;
- state the title of action and action number;
- command each person to attend and testify, produce specific evidence, or permit inspection at a time and place; and
- include rules regarding the person’s right to challenge or modify the subpoena.
18
Q
What does it mean to “serve” a subpoena?
A
To deliver the subpoena in a legal way, put a person on notice of obligation to respond and their right to seek to quash or modify the subpoena.
19
Q
What are the consequences of a person failing to obey a subpoena?
A
Failure to obey a subpoena without an adequate excuse may result in being held in contempt of court, fines, and/or imprisonment.
20
Q
What are the conditions for obtaining a pen register order?
A
A pen register order may be issued when the information is relevant to an ongoing investigation.
21
Q
What is a pen register?
A
A pen register is a record of dialed numbers or outgoing calls. It may also include internet communications. It includes communications metadata, but does not include the content of the communications.
22
Q
Which of the following is a source of of law used to obtain a search warrant?
a. 18 USC 2703(d) of the Stored Communications Act (SCA)
b. Fourth Amendment of the U.S. Constitution
c. Wire Tap Act
d. All of the above
A
18 USC 2703(d) of the Stored Communications Act (SCA)
Fourth Amendment of the U.S. Constitution
Wire Tap Act
23
Q
Which of the following is a required basis for obtaining a search warrant under the Stored Content Act (SCA)?
a. Specific articulable facts
b. Reasonable grounds
c. Relevant to the investigation
d. All of the above
A
d. All of the above
A search warrant to obtain evidence from electronics communications service providers under the Stored Content Act must be based on:
- Specific articulable facts showing
- Reasonable grounds
- Relevant to the investigation.
24
Q
What are the requirements for obtaining a search warrant under the Fourth Amendment?
A
There must be probable cause that a crime has been or will be committed.
25
For what 4 purposes does the HIPAA Privacy Rule allow disclosure of PHI?
1. As state laws require (for example, reporting of medical information);
2. Public health reasons
3. Law Enforcement investigations
4. National security matters
26
How does HIPAA address conflicts between regulatory requirements and state laws?
HIPAA permits disclosure of PHI where required by law.
27
Under the BSA Hacker Trespasser Exception, which of the following is not a condition under which law enforcement can access personal information on a victim's computer?
a. Owner/operator provides authorization
b. Acting under legal engagement in an investigation
c. Law enforcement has legal grounds the communication is relevant to the investigation
d. All communications that were transmitted by the suspect are accessed/intercepted
d. All communications that were transmitted by the suspect are accessed/intercepted
Law enforcement can access/intercept a trespasser's (hacker's) communications when:
1. Owner/operator provides authorization
2. Acting under legal engagement in an investigation
3. Law enforcement has legal grounds the communication is relevant to the investigation
4. Only communications that were transmitted are accessed/intercepted
28
What type of disclosure of covered personal information to third parties is prohibited under HIPAA and COPPA?
a. Disclosure without consent of data subject
b. Disclosure without data subject's written acknowledgement
c. Disclosure that does not meet conditions of an exception
d. Only a and c
d. Only a and c
29
Which regulation is triggered by violations to HIPAA, COPPA, or GLBA information sharing requirements?
Section 5 (UDAP) under the FTC Act.
30
What are 3 examples of legal privilege that generally require confidential communications to be excluded from the rules of discovery and testimony?
Attorney-client, doctor-patient, priest-penitent, spousal, self-incrimination (under the 5th Amendment)
31
What are the exceptions that allow communications normally covered under legal privilege to be included in an investigation or court case?
Client consent
| To prevent imminent harm
32
Which federal act provides public access to federal records with certain exceptions?
Freedom of Information Act (FOIA)
33
What are some examples of records generally available through state laws?
Birth, death, professional licenses, business licenses, real estate, appraisal, and voter records
34
Which types of criminal and civil trial records are generally protected from public access?
a. banking, real estate, and phone number
b. juvenile, financial, and medical records
c. real estate, financial and juvenile
d. none of the above
b. juvenile, financial, and medical records
35
What is a protective order and how is it used?
Under Rule 26(c) of the Federal Rules of Civil Procedure, a protective order is reviewed by a judge who determines what information in a case record should be made public, and under what conditions; and the information that should not be made public.
36
What is the 3 part test a court applies to determine if the party presenting the protective order during litigation has good cause to have the information protected?
1. Resisting party: must show the information is confidential.
2. Requesting party: must show the information is relevant and necessary to the case.
3. Court: must determine if need for the information outweighs the harm of disclosure.
37
Under HIPAA, which of the following is an element of a qualified protective order (QPO)?
a. Used in state courts not covered by the Federal Rules of Civil Procedure
b. Prohibits the use of PHI for any purpose other than the specific litigation or proceeding
c. Requires the return or destruction of the PHI after its intended purpose has been met
d. All of the above
d. All of the above
38
Which of the following is a redaction requirement for paper and electronic documents accessed under Rule 5.2, Federal Rules of Civil Procedure?
a) only the last 4 digits of SSN/TIN or financial account number
b) only the individual's birth year
c) if a minor, only the minor's initials
d) all of the above
Rule 5.2 of the Federal Rules of Civil Procedure, "Privacy Protection for Filings Made with the Court" requires the following restrictions in paper and electronic filings prior to submission for court filing:
d) all of the above
39
Which of the following is an exception to redaction requirements for court filings?
a. Court orders may require that unredacted documents be sealed
b. Protective orders may include more restrictive electronic access
c. Protective orders may include more restrictive redaction requirements
d. All of the above are exceptions to redaction requirements
d. All of the above are exceptions to redaction requirements
40
What are the main exemptions to the public's right to view or request access to agency records under FOIA?
* Classified documents
* Records containing personal privacy information
* Records containing trade secrets
* Records containing privileged information
* Records containing information that may cause harm to national security or law enforcement
41
In addition to the 4 redaction requirements of Rule 5.2, Privacy Protection for Filings Made with the Court, what additional redaction requirements are there in Rule 49.1 Federal Criminal Rules of Procedure and Rule 9037 Federal Rules of Bankruptcy Procedure?
a. City and state of home address
b. Business address
c. Previous surnames
d. All of the above
a. City and state of home address
42
What types of electronically stored information (ESI) should be considered as part of a well-managed data retention program?
a. Email, electronic files, and instant messaging
b. Web pages, server logs, thumb drives, and databases
c. Voicemail, social networking, and micro secure digital cards
d. All of the above
d. All of the above
43
What were the main best practices concerning email set forth at the Sedona Conference that should be developed to meet the functional requirements of an organization?
a. Email retention policies developed by cross-functional teams
b. Continual evolution of policies and practices, and gap analysis
c. Consensus of stakeholders for policies, and consideration of industry standards
d. All of the above
d. All of the above
44
Which of the following best describes the Sedona Principles' recommendation for preserving transient data, such as IM data, for retrieval during litigation discovery?
a. Organizations may consider transient data that requires extra steps to retrieve and store to be outside its duty of preservation for a litigation discovery request
b. Organizations should include all transient data to be included for retrieval for a litigation discovery request
c. Organizations are required to include all data that has ever been stored or been transmitted in any way through the organization to be included for a litigation discovery request
d. None of the above
a. Organizations may consider transient data that requires extra steps to retrieve and store to be outside its duty of preservation for a litigation discovery request
45
Which of the following is a best practice to include in a retention policy for electronically stored information?
a. Employee assigned computers should only be used for work-related activities
b. Hard drives should be preserved rather than wiped prior to reassignment
c. Employees should not use personal computers for storing work-related data
d. All of the above
d. All of the above
46
What is the 3-factor test a court is likely to apply when there is a conflict between a corporate retention policy and a discovery request?
a. Reasonableness of policy, number of related complaints, intent of organization in instituting the policy (good faith?)
b. Reasonableness of policy, number of related complaints, how long the policy has been in effect
c. Policy intent, company resources available to write policy, policy infractions by employees
d. None of the above
a. Reasonableness of policy, number of related complaints, intent of organization in instituting the policy (good faith?)
47
Which of the following is not a condition under which an organization may disclose personal health information (PHI) under HIPAA?
a. Consent of the data subject
b. Court order
c. Satisfactory assurances based on a Qualified Protective Order in which both parties, Organization and Court, are prohibited from disclosing for any other purpose
d. Inquiry by Law Enforcement
d. Inquiry by Law Enforcement
48
What legal conditions allow an organization to disclose non-public information (NPI) under GLBA without the consent of the data subject?
An organization may disclose information without the consent of the data subject in order to comply with laws, investigations, court orders, judicial process, and exams.
49
What are transborder data flows?
Transborder data flows occur when data flows between the U.S. and a foreign country.
50
In transborder data flows, where one jurisdiction has more restrictive data privacy practices than another, the Hague Convention uses a procedure where each contracting jurisdiction designates a "central authority" to:
a. Receive and review incoming "letters of request" for taking evidence in that country
b. Determine compliance with the requirements of the convention
c. Transmit letters of request to the "authority competent to execute" it (article 2), typically a court, when the Hague Convention does not apply
d. All of the above
d. All of the above
51
Which of the following are rules used to reconcile a conflict in discovery rules between the U.S. and a foreign jurisdiction?
a. Importance of documents/data to litigation and whether they originated in the U.S.
b. Specificity of request
c. Availability of an alternate means of securing the data, and extent of U.S. and foreign state interests that would be undermined by adverse ruling
d. All of the above
d. All of the above
52
What are the best practice standards for data culled for eDiscovery?
a. Data should be preserved in place or in a separate form
b. Data should be transferred using encryption, with a key transferred by secure 2nd method
c. Audit trail should be maintained
d. All of the above
d. All of the above
4. Additional methods that address sensitive personal information standards including:
* identifying
* redacting/withholding
* maintaining confidentiality
* clawback of inadvertent disclosures
53
What are the requirements for law enforcement searches under the 4th Amendment?
The 4th Amendment prohibits unreasonable searches and seizures" and is required for information where there was a "reasonable expectation of privacy."
A search warrant must be:
* approved by a neutral judge (magistrate);
* based on probable cause;
* describe a particular place to be searched;
* supported by specific testimony.
54
What is the 'exclusionary rule' for evidence submitted during the discovery period?
Evidence gathered without a proper search warrant is considered inadmissible.
55
What Supreme Court decision on wiretaps was the result of the 1928 case Olmstead vs. United States?
a. No warrant was required for wiretaps on telephone wires physically located outside the suspect's building
b. Search warrant was only required for suspect's private places
c. Search warrant was required for conversations in public the suspect had a reasonable expectation of privacy
d. a and b
d. a and b
56
What are the implications of the exclusionary rule on Company privacy policies and practices?
A company must consider under what conditions surveillance, wiretaps, and database searches may be conducted on employees, and whether they would be admissible as evidence in the event of litigation.
57
What was the finding of the Supreme Court in the 1967 case Katz v. United States in regard to wiretapping that overturned the Olmstead case of 1928?
a. A reasonable expectation of privacy includes “what a person seeks to preserve as private, even in an area accessible to the public”
b. Wiretaps could not be conducted on telephone lines or in public when the person had a "reasonable expectation of privacy"
c. A “reasonable expectation of privacy” may be protected by the U.S. Constitution
d. All of the above
d. All of the above
58
What legislation did Congress enact in 1968 as a result of the Supreme Court's opinion in the case Katz v. United States?
a. The Telephony Act
b. The 1974 Privacy Act
c. The Wiretap Act
d. None of the above
c. The Wiretap Act
59
Which of the following was a part of Justice John Marshall Harlan's requirement for determining when a person had a "reasonable expectation of privacy" in the case Katz v. United States in 1967?
a. The person exhibited an actual expectation of privacy
b. The expectation of privacy is documented as being reasonable
c. The expectation of privacy is considered reasonable by society
d. a and c only
d. a and c only
60
Which of the following is an exception to a person's reasonable expectation of privacy under the Fourth Amendment?
a. Information a person knowingly exposes to the public
b. Information placed in the hands of a third party
c. Information a person unknowingly exposes to the public
d. Only a and b
1. Information a person knowingly exposes to the public; and
2. Information placed in the hands of a third party.
61
Which of the following is an example of a situation where a search warrant is not required under the exception to a person's reasonable expectation of privacy when information is placed in the hands of a third party?
a. The name of an employee suspected of fraud to law enforcement
b. Bank account information to law enforcement
c. Phone records from a phone company
d. Only b and c
Organizations may lawfully turn over the following information without a search warrant:
1. bank account information to law enforcement;
2. phone records from phone companies.
62
What is the significance of the 2012 case United States v. Jones on the "in-public" exception for search warrants as it relates to GPS trackers?
a. The court opined that GPS trackers are not included in the "in-public" exception, and require a search warrant
b. The court opined that GPS trackers are included in the "in-public" exception, and do not require a search warrant
c. The court opined that information obtained from GPS trackers are inadmissible due to poor technology
d. None of the above
a. The court opined that GPS trackers are not included in the "in-public" exception, and require a search warrant
63
What is the significance of the 2014 case Riley v. California on the "in-public" exception for search warrants as it relates to cell phones?
a. The court held that information on cell phones are quantitatively and qualitatively different from that found in a typical container
b. The court held that information on cell phones are not included in the "in-public" exception, and require a search warrant
c. The court held that information on cell phones does not require a search warrant
d. Only a and b
d. Only a and b
64
What federal statute was enacted in 1978 after the Supreme Court held that the 4th Amendment did not apply to checking accounts?
a. Gramm-Leach-Bliley Act (GLBA)
b. Fair Credit Reporting Act (FCRA)
c. Right to Financial Privacy Act (RFPA)
d. All of the above
c. Right to Financial Privacy Act (RFPA)
| Disclosure to Law Enforcement is prohibited unless statutory requirements are met.
65
What federal statute was enacted in 1986 after the Supreme Court held that the 4th Amendment did not apply to telephone numbers called?
a. Stored Communications Act (SCA)
b. Electronic Communications Privacy Act (ECPA)
c. Right to Financial Privacy Act (RFPA)
d. Gramm-Leach-Bliley Act (GLBA)
b. Electronic Communications Privacy Act (ECPA)
Disclosure to Law Enforcement is prohibited unless statutory requirements are met.
66
Under which of the following conditions does HIPAA allow PHI to be disclosed to third parties without an opt-in?
a. Court order, administrative request, or grand jury subpoena
b. Crime on premises or emergencies
c. Victims of a crime
d. All of the above
d. All of the above
67
Which of the following is a criterion HIPAA requires to be met before PHI can be disclosed under court order, grand jury subpoena, or administrative request?
a. Information is relative and material to the inquiry
b. Request is specific and limited in scope to purpose
c. De-identified information could not reasonably be used
d. All of the above
d. All of the above
68
What is allowed when HIPAA requirements and privacy laws conflict?
a. HIPAA allows "as required by law"
b. HIPAA allows a mediator to choose which should be followed
c. HIPAA allows law enforcement to decide
d. None of the above
a. HIPAA allows "as required by law"
69
Which type of communications monitoring is subject to the strictest federal law?
a. Monitoring of written communications
b. Monitoring of public speech
c. Monitoring of telephone and oral communications
d. Monitoring of published articles
c. Monitoring of telephone and oral communications
70
For which type of communications is it easiest for law enforcement to obtain a search warrant?
Video surveillance. There is very little applicable law.
71
Rate the ease of law enforcement obtaining a search warrant beginning with the most difficult for the following:
* Electronic communications
* Telephone and oral communications
* Video surveillance
1. Telephone and oral communications (most difficult)
2. Electronic communications
3. Video surveillance (easiest)
72
What is another name for Title III of the Omnibus Crime Control & Safe Street Act of 1968?
The Wiretap Act
73
What types of communication does the Wiretap Act apply to?
* "any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under the circumstances justifying such expectation."
* phone calls
* other aural communications made through a network
* oral communications such as bugs and microphones
74
What type of offense is the interception of oral communications covered by the Wiretap Act?
Criminal offense
75
What type of monitoring is likely to result in claims under state invasion of privacy laws or common law?
Monitoring that is offensive to a reasonable person
76
What are the consequences of violating the Electronic Communications Privacy Act?
Fines, imprisonment, and private rights of action
77
What is the purpose of the Wiretap Act?
The Wiretap Act prohibits intercepting the contents of a communication without the consent of at least one of the parties to the communication.
78
What are the federal law exceptions for intercepting a call?
When one of the parties consents to interception
79
What are some of the stricter state law exceptions that may impact interception of a call?
Sometimes all parties are required to consent
80
Under what 3 conditions is interception of a communication permitted during the normal course of business?
1. subject's consent prior to interception
2. routine monitoring
3. scans for viruses/malware
81
The SCA is part of which act of legislation?
The Stored Communications Act is part of the Electronic Communications Act of 1986.
82
What is prohibited by the Stored Communications Act (SCA)?
The SCA prohibits unauthorized access, alteration or blocking of stored electronic communications.
83
Which of the following is an exception to the Stored Communications Act that permits disclosure of private electronic communications?
a. When the access is conducted by a person or entity providing service that facilitates the disclosure
b. When the access is conducted on company-owned equipment by an employer
c. When the access is conducted as authorized by the user for the said purpose
d. All of the above
d. All of the above
84
What are the consequences of violating the SCA?
Criminal penalties and civil actions
85
When does the ECPA not preempt state laws?
When the state laws are stricter.
86
What are the notification requirements for an employer to monitor electronic communications in Delaware?
a. The employer must give prior written notice for monitoring and intercepting phone conversations or electronic transmissions
b. The employer must give daily electronic notice for monitoring or intercepting phone conversations or electronic transmissions
c. The employer must give verbal notice at the time of hire for monitoring and intercepting phone conversations or electronic transmissions
d. Only a and b
d. Only a and b
87
What are the notification requirements for an employer to monitor electronic communications in Connecticut?
An employer is required to give prior notice to the employee and post the notice in a conspicuous place prior to monitoring or intercepting an employee's electronic communications.
88
What are the Stored Communications Acts' preservation requirements for responding to government requests for stored communications?
A provider must take all necessary steps to preserve records and/or evidence in possession pending issuance of court orders or legal process.
89
How did the USA Patriot Act extend communications covered under the ECPA?
The USA Patriot Act expanded definitions of communications beyond phone numbers to include "dialing, routing, addressing, and signaling information" transmitted to or from a device.
90
What is a Trap and Trace Order?
A Trap and Trace Order is a court order that allows law enforcement to obtain records of incoming phone calls and electronic communications.
91
What restrictions did the USA Freedom Act place on Pen Register Orders and Trap and Trace Orders?
The USA Freedom Act prohibits bulk collection of data and restricts data collection to circumstances with specific selectors such as email address and phone number.
92
What is CALEA and who oversees it?
The Communications Assistance to Law Enforcement Act enacted in 1994, also known as the "Digital Telephony Bill", overseen by the FCC.
93
What is the main purpose of CALEA?
Telecommunications services providers must design products and services that facilitate search warrants.
94
Who is exempted from the provisions of CALEA except under certain conditions?
CALEA does not apply to types of information services that are not considered telecommunications services providers, unless they interconnect with telephone services.
95
Why did the DOJ, FBI, and DEA petition the FCC to expand CALEA's coverage to include new technologies?
Technology was rapidly changing and more people were using internet service providers for voice communications. As a result, the FBI and other federal agencies successfully petitioned to include broadband internet access and voice over IP (VoIP) technologies in certain cases.
96
What is CISA?
CISA is the Cybersecurity Information Sharing Act of 2015, enacted to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes".
97
Is information shared under CISA subject to the Freedom of Information Act?
No - information provided by the government and businesses under the Cybersecurity Information Sharing Act is protected from the FOIA.
98
What protections are afforded to information sharers under the Cybersecurity Information Sharing Act?
* Liability for information being shared
* Non-waiver of privileges (information still belongs to the sharer, etc.)
* Exempt from FOIA disclosure
99
What are information sharers under CISA required to do with sensitive information in the data they are sharing?
They are required to remove all personal information prior to sharing the information.
100
What is the RFPA?
The Right to Financial Privacy Act of 1978
101
What is the purpose of the RFPA?
To place standards and limitations on the government's ability to access consumers' financial records.
102
What are the RFPA requirements a federal government authority must comply with to access a consumer's financial records?
The records must be reasonably described; and one of the following:
* receive customer's authorization
* serve an appropriate administrative subpoena or summons
* serve a judicial subpoena
* present a qualified search warrant
* submit a formal written request from an authorized government authority
103
Whose records does the RFPA apply to?
* Individuals
| * Partnerships of less than 5 people
104
Under RFPA, what must a government agency do prior to requesting a customer's bank records?
* Give advance notice to the customer
| * Give the customer the right to challenge the disclosure
105
What is the financial institution eligible for after it responds to the government request for bank records under RFPA?
Reimbursement of costs related to fulfilling the request.
106
What types of penalties can a financial institution face if it does not comply with a government request under RFPA?
Financial institutions can face penalties such as:
* actual damages to customer
* punitive damages
* attorneys' fees
107
What is the purpose of the Privacy Protection Act of 1980?
The PPA was enacted by the DOJ in 1980 to protect journalists from being required to turn over to law enforcement any work product and documentary materials, including sources, before it is disseminated to the public.
108
Under the Privacy Protections Act of 1980, what are government officials engaged in criminal investigations prohibited from doing?
The PPA prohibits government officials from searching or seizing media work products and documentary materials from those involved in 1st Amendment activities without a subpoena or voluntary cooperation.
109
What are the 2 exceptions of the PPA that allow government officials to search seize evidence from those engaged in 1st amendment activities (media)?
1. to prevent a death/injury
| 2. under a belief the documents will be destroyed
110
Who and what is subject to the PPA?
All government officials
| Criminal investigations
111
What are the 3 exemptions from the PPA?
1. Civil investigations
2. Probable cause a reporter committed a crime (subject to a search warrant
3. Types of media that apply more broadly such as blogs, social media, etc.
112
What was identified as an issue with warrants obtained under the SCA for electronic evidence stored in servers outside the U.S.?
The SCA did not apply to electronic evidence held outside of the U.S.; therefore, warrants obtained under the SCA for contents of those emails were not valid.
113
What act amended the SCA to help solve the problem of obtaining evidence from companies in the U.S. from servers held in other countries in the cloud?
The CLOUD Act amends the Stored Communications Act (SCA) to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.
114
What is the purpose of the Foreign Intelligence Surveillance Act (FISA)?
FISA establishes standards and procedures for collecting foreign information through electronic surveillance within the U.S. without the requirements imposed by the 4th Amendment.
115
How did the amendments made in 2008 impact FISA?
The amendments:
* gave legal authorization to new surveillance practices where one party is believed to be outside the U.S.
* granted immunity to telephone companies that responded to surveillance requests
* required more reporting to congress
* placed limits on secrecy of NSLs and other government requests for records
116
How did the USA Patriot Act impact FISA in 2001?
It provided more flexibility in obtaining wire taps, without judicial authorization.
117
What impact did the Snowden revelations in 2013 have?
The revelations by Snowden about the vast amount of mass surveillance being performed by the federal government resulted in a revival in discussion about national security and information privacy.
118
What is the significance of the 2013 Report issued from the President's Review Group on Intelligence and Communications Technology?
46 recommendations were made in the report; 70% adopted with more adopted since that time.
119
What did the Privacy and Civil Liberties Oversight Board do as a response to the Snowden revelations?
The PCLOB released detailed reports to the government making 22 recommendations for changes to the USA Patriot Act (Section 215) and Section 702 of the FISA. All 22 recommendations were implemented.
120
What surveillance reforms were the result of the Snowden revelations?
USA Freedom Act was implemented in 2015 to end bulk collection of data under Section 215.
Judicial Redress Act in 2016 which extends protections to some non-US citizens.
121
What 3 types of risk does a company expose itself to when it provides too much information in response to a national security surveillance request?
increased legal, public relations, and civil liberties risk.
122
According to the National Security Act, under which of the following conditions does HIPAA permit disclosure of PHI?
a. Lawful intelligence
b. Counter-intelligence
c. National security threats
d. All of the above
d. All of the above
123
Under what national security related condition does GLBA permit NPPI disclosure?
"for an investigation on a matter related to public safety."
124
Under what national security related condition does COPPA permit disclosure of personal information?
COPPA has no national security exception
125
When responding to a national security request for information, what are the 3 primary things a privacy professional needs to determine?
1. types of National Security disclosure permitted;
2. types of records permitted; and
3. to which agencies.
126
What are some of the concerns in the ongoing debate about encrypted devices and investigations?
* Is a service provider required to provide a means for law enforcement to access data on a mobile device?
* What if providing the means to access the data allows a weakness in the encryption technology that results in a higher risk of data breaches?
* How do we balance the needs of national security and law enforcement during investigations with the civil liberties needs of our citizens?
127
What types of orders can be reviewed and authorized by the U.S. Foreign Intelligence Surveillance Court?
Wiretap
Pen Register
Trace and Trap
Surveillance Video
128
Under what conditions can a FISA surveillance order be issued by the Foreign Intelligence Surveillance Court?
The FISC can issue a surveillance order under:
* Foreign intelligence is a "significant purpose of the investigation."
* There is probable cause the party is a foreign power, or agent of a foreign power;
* The order is requested by a U.S. Attorney
129
What is "amicus curiae" under the U.S.A. Freedom Act?
A group of independent privacy and civil liberties experts who brief the Federal Intelligence Surveillance Court on significant matters of law.
130
What were 2 requirements made by the U.S.A. Freedom Act of the Foreign Surveillance Intelligence Court?
1. Create a group of independent expert advisers for privacy and civil liberties matters (Amicus Curiae);
2. Issue an annual transparency report that includes statistics on FISA orders issued.
131
What can a federal court require the production of under Section 215 of the U.S. Patriot Act?
"any tangible thing" to be used in investigations of foreign intelligence or anti-terrorism.
132
Under Section 215 of the US Patriot Act, how is "any tangible thing" defined?
Broadly, including "books, records, papers, documents, and other items."
133
Under what conditions is the producer of evidence given immunity under the U.S.A. Patriot Act?
When the evidence is produced in good faith.
134
Under what conditions does Section 702 (FISA) authorize collection of electronic communications content?
When it takes place in the U.S. and involves a targeted individual.
135
What does Section 702 (FISA) address regarding electronic content stored in the U.S.?
How to handle the interception of foreign to foreign communications often stored by U.S. service providers for webmail, social networks, and other services.
136
Who sets the terms for Section 702 surveillance?
Director of National Intelligence
| U.S. Attorney General
137
What criteria must be met before the government can collect data for a foreign intelligence purpose?
Reasonable belief the person is a non-U.S. citizen outside of the U.S.
138
What are 2 authorized surveillance programs under Section 702 (FISA)?
PRISM - collects data going to and from an email address.
Upstream - targets internet-based communications as they pass through physical internet infrastructure in the U.S., using filters.
139
What are National Security Letters?
National Security Letters are a type of subpoena that can be issued by government officials, without judicial involvement, to obtain records during investigations of international terrorism or
140
What types of activities are National Security Letters designed to protect against?
International terrorism
| Clandestine intelligence activities
141
Under what conditions can a recipient of an NSL petition a federal court for modification or setting aside of the NSL?
If compliance is unreasonable or oppressive
142
To whom can the recipient of an NSL disclose information about the request?
Those necessary to comply with the request
| An attorney for legal assistance
143
When is the secrecy requirement invoked for the recipient of an National Security Letter?
Recipients of NSLs must adhere to the secrecy requirement when there is risk of interferring with criminal or counter-terrorism investigations, or other reasons listed in the USA Patriot Act.
144
What are the consequences of breaching the secrecy requirement of National Security Letters under the USA Patriot Act?
Up to 5 years in prison
| up to $250,000 in fines for an individual
145
As of 2015, when does the FBI terminate NSL secrecy of an individual order?
When the investigation closes, or no more than 3 years after the full investigation is open.
