Ch 12 - Privacy Issues - Civil Litigation & Gov't Investigations Flashcards
What are 5 elements of a good Information Management Plan for responding to discovery requests?
An Information Management Plan should include:
- when or under what conditions private information can be disclosed;
- how private information can be disclosed;
- any organizational authorizations required for releasing private information;
- audit trails; and
- IT systems implementation.
What amendment offers U.S. citizens protection against unreasonable searches and seizures?
The U.S. Constitution offers citizens protection against unreasonable searches and seizures in the 4th Amendment.
What is a 4th Amendment search warrant?
A search warrant issued on probable cause that a crime has been, or will be, committed.
What are the 4 required conditions for obtaining a valid 4th Amendment search warrant?
The warrant must:
(1) be filed in good faith by a law enforcement officer;
(2) be based on reliable information showing probable cause to search;
(3) be issued by a neutral and detached magistrate; and
(4) state specifically the place to be searched and the items to be seized.
Generally, under what conditions may a wiretap be obtained?
a. Fourth Amendment probable cause
b. All other alternatives for obtaining the information have been exhausted
c. Law enforcement wants to monitor a suspect’s conversations
d. a and b
d. a and b
Which of the following is a big challenge when responding to discovery requests?
a. Providing information based on a specific request
b. Finding all the data requested
c. Providing too much or too little information
d. None of the above
c. Providing too much or too little information.
What are some examples of reporting requirements by federal regulation or law?
Examples of reporting to government agencies:
- BSA reporting of suspicious financial activities related to terrorism or money laundering;
- FDA reporting by regulated industries (drug manufacturers, health professionals) for serious adverse events, product problems, and medication errors;
- OSHA reporting by employers of workplace injuries/illnesses;
- State reporting regarding certain injuries/medical conditions;
- HIPAA reporting permitted to other agencies when required by law.
What is the purpose of the Right to Financial Privacy Act (RFPA)?
The Right to Financial Privacy Act regulates the disclosure of personal information by financial institutions to federal government agencies requesting the information.
What is the purpose of the Electronic Communications Privacy Act?
a. Changes the privacy requirements for electronic communications such as email
b. Extends prohibition of wiretaps on phone calls to include electronic communication such as email
c. Provides clarity that electronic communications have always been included in coverage
d. All of the above
b. Extends prohibition of wiretaps on phone calls to include electronic communication such as email
Which of the following types of surveillance on wire communications are included in the scope of Title III of the Omnibus Crime Control and Safe Streets Act of 1968?
a. Aural communication made through a network, such as phone calls
b. Oral communications such as hidden bugs or microphones
c. Electronic communications, such as emails, that are not wire or oral communications
d. All of the above
d. All of the above
Title III generally applies to surveillance on wire communications, including:
- aural communication made through a network, such as phone calls;
- oral communications, such as hidden bugs or microphones; and
- electronic communications, such as emails, that are not wire or oral communications.
When is a communication considered to be subject to a search warrant?
a. When the persons involved in the communication have no expectation of privacy
b. When the persons involved in the communication have a reasonable expectation of privacy
c. When the persons involved in the communication state something openly in public
d. None of the above
b. When the persons involved in the communication have a reasonable expectation of privacy
What is the “reasonable expectation of privacy” test?
A two-part test from the concurring opinion of Justice John Marshall Harlan in the 1967 case Katz v. U.S.:
- the person has exhibited an actual expectation of privacy, and
- the expectation is one that society is prepared to recognize as ‘reasonable.’
What are some exceptions to the 4th Amendment requirement to obtain a warrant where a reasonable expectation of privacy exists?
- “In public” rule: what a person knowingly exposes to the public;
- “Third-party” rule: information a person puts into the hands of someone else.
When is the “reasonable expectation of privacy” test used?
To determine whether information that was obtained without a warrant is admissible evidence.
Which of the following best describes what “discovery” means in litigation?
a. Exchange of legal information and known facts of a case disclosed in a lawsuit during the trial
b. Exchange of legal information and known facts of a case disclosed in the rules of civil and criminal procedure
c. Exchange of legal information and known facts of a case disclosed in a lawsuit before trial
d. None of the above
c. Exchange of legal information and known facts of a case disclosed in a lawsuit before trial
What is a subpoena?
A subpoena is a written instruction to produce a witness or records.
What are the 4 requirements of a subpoena under Federal Rule of Civil Procedure 45?
Federal Rule of Civil Procedure 45 requires that the subpoena:
- state which court issued it;
- state the title of action and action number;
- command each person to attend and testify, produce specific evidence, or permit inspection at a time and place; and
- include rules regarding the person’s right to challenge or modify the subpoena.
What does it mean to “serve” a subpoena?
To deliver the subpoena in a legal way, putting a person on notice of their obligation to respond and their right to seek to quash or modify the subpoena.
What are the consequences of a person failing to obey a subpoena?
Failure to obey a subpoena without an adequate excuse may result in being held in contempt of court, fines, and/or imprisonment.
What are the conditions for obtaining a pen register order?
A pen register order may be issued when the information is relevant to an ongoing investigation.
What is a pen register?
A pen register is a record of dialed numbers or outgoing calls. It may also include internet communications. It includes communications metadata, but does not include the content of the communications.
Which of the following is a source of law used to obtain a search warrant?
a. 18 USC 2703(d) of the Stored Communications Act (SCA)
b. Fourth Amendment of the U.S. Constitution
c. Wire Tap Act
d. All of the above
18 USC 2703(d) of the Stored Communications Act (SCA)
Fourth Amendment of the U.S. Constitution
Wire Tap Act
Which of the following is a required basis for obtaining a search warrant under the Stored Content Act (SCA)?
a. Specific articulable facts
b. Reasonable grounds
c. Relevant to the investigation
d. All of the above
d. All of the above
A search warrant to obtain evidence from electronic communications service providers under the Stored Content Act must be based on:
- Specific articulable facts showing
- Reasonable grounds
- Relevant to the investigation.
What are the requirements for obtaining a search warrant under the Fourth Amendment?
There must be probable cause that a crime has been or will be committed.
For what 4 purposes does the HIPAA Privacy Rule allow disclosure of PHI?
- As state laws require (for example, reporting of medical information);
- Public health reasons;
- Law enforcement investigations; and
- National security matters.
How does HIPAA address conflicts between regulatory requirements and state laws?
HIPAA permits disclosure of PHI where required by law.
Under the BSA Hacker Trespasser Exception, which of the following is not a condition under which law enforcement can access personal information on a victim’s computer?
a. Owner/operator provides authorization
b. Acting under legal engagement in an investigation
c. Law enforcement has legal grounds the communication is relevant to the investigation
d. All communications that were transmitted by the suspect are accessed/intercepted
d. All communications that were transmitted by the suspect are accessed/intercepted
Law enforcement can access/intercept a trespasser’s (hacker’s) communications when:
- Owner/operator provides authorization
- Acting under legal engagement in an investigation
- Law enforcement has legal grounds the communication is relevant to the investigation
- Only communications that were transmitted are accessed/intercepted
What type of disclosure of covered personal information to third parties is prohibited under HIPAA and COPPA?
a. Disclosure without consent of data subject
b. Disclosure without data subject’s written acknowledgement
c. Disclosure that does not meet conditions of an exception
d. Only a and c
d. Only a and c
Which regulation is triggered by violations of HIPAA, COPPA, or GLBA information sharing requirements?
Section 5 (UDAP) under the FTC Act.
What are 3 examples of legal privilege that generally require confidential communications to be excluded from the rules of discovery and testimony?
Attorney-client, doctor-patient, priest-penitent, spousal, self-incrimination (under the 5th Amendment)
What are the exceptions that allow communications normally covered under legal privilege to be included in an investigation or court case?
Client consent
To prevent imminent harm
Which federal act provides public access to federal records with certain exceptions?
Freedom of Information Act (FOIA)
What are some examples of records generally available through state laws?
Birth, death, professional licenses, business licenses, real estate, appraisal, and voter records
Which types of criminal and civil trial records are generally protected from public access?
a. banking, real estate, and phone number
b. juvenile, financial, and medical records
c. real estate, financial and juvenile
d. none of the above
b. juvenile, financial, and medical records
What is a protective order and how is it used?
Under Rule 26(c) of the Federal Rules of Civil Procedure, a protective order is reviewed by a judge, who determines what information in a case record should be made public and under what conditions, and what information should not be made public.
What is the 3-part test a court applies to determine if the party presenting the protective order during litigation has good cause to have the information protected?
- Resisting party: must show the information is confidential.
- Requesting party: must show the information is relevant and necessary to the case.
- Court: must determine if need for the information outweighs the harm of disclosure.
Under HIPAA, which of the following is an element of a qualified protective order (QPO)?
a. Used in state courts not covered by the Federal Rules of Civil Procedure
b. Prohibits the use of PHI for any purpose other than the specific litigation or proceeding
c. Requires the return or destruction of the PHI after its intended purpose has been met
d. All of the above
d. All of the above
Which of the following is a redaction requirement for paper and electronic documents accessed under Rule 5.2, Federal Rules of Civil Procedure?
a) only the last 4 digits of SSN/TIN or financial account number
b) only the individual’s birth year
c) if a minor, only the minor’s initials
d) all of the above
Rule 5.2 of the Federal Rules of Civil Procedure, “Privacy Protection for Filings Made with the Court” requires the following restrictions in paper and electronic filings prior to submission for court filing:
d) all of the above
Which of the following is an exception to redaction requirements for court filings?
a. Court orders may require that unredacted documents be sealed
b. Protective orders may include more restrictive electronic access
c. Protective orders may include more restrictive redaction requirements
d. All of the above are exceptions to redaction requirements
d. All of the above are exceptions to redaction requirements
What are the main exemptions to the public’s right to view or request access to agency records under FOIA?
- Classified documents
- Records containing personal privacy information
- Records containing trade secrets
- Records containing privileged information
- Records containing information that may cause harm to national security or law enforcement
In addition to the 4 redaction requirements of Rule 5.2, Privacy Protection for Filings Made with the Court, what additional redaction requirements are there in Rule 49.1 Federal Criminal Rules of Procedure and Rule 9037 Federal Rules of Bankruptcy Procedure?
a. City and state of home address
b. Business address
c. Previous surnames
d. All of the above
a. City and state of home address
What types of electronically stored information (ESI) should be considered as part of a well-managed data retention program?
a. Email, electronic files, and instant messaging
b. Web pages, server logs, thumb drives, and databases
c. Voicemail, social networking, and micro secure digital cards
d. All of the above
d. All of the above
What were the main best practices concerning email set forth at the Sedona Conference that should be developed to meet the functional requirements of an organization?
a. Email retention policies developed by cross-functional teams
b. Continual evolution of policies and practices, and gap analysis
c. Consensus of stakeholders for policies, and consideration of industry standards
d. All of the above
d. All of the above
Which of the following best describes the Sedona Principles’ recommendation for preserving transient data, such as IM data, for retrieval during litigation discovery?
a. Organizations may consider transient data that requires extra steps to retrieve and store to be outside its duty of preservation for a litigation discovery request
b. Organizations should include all transient data to be included for retrieval for a litigation discovery request
c. Organizations are required to include all data that has ever been stored or been transmitted in any way through the organization to be included for a litigation discovery request
d. None of the above
a. Organizations may consider transient data that requires extra steps to retrieve and store to be outside its duty of preservation for a litigation discovery request
Which of the following is a best practice to include in a retention policy for electronically stored information?
a. Employee assigned computers should only be used for work-related activities
b. Hard drives should be preserved rather than wiped prior to reassignment
c. Employees should not use personal computers for storing work-related data
d. All of the above
d. All of the above
What is the 3-factor test a court is likely to apply when there is a conflict between a corporate retention policy and a discovery request?
a. Reasonableness of policy, number of related complaints, intent of organization in instituting the policy (good faith?)
b. Reasonableness of policy, number of related complaints, how long the policy has been in effect
c. Policy intent, company resources available to write policy, policy infractions by employees
d. None of the above
a. Reasonableness of policy, number of related complaints, intent of organization in instituting the policy (good faith?)
Which of the following is not a condition under which an organization may disclose personal health information (PHI) under HIPAA?
a. Consent of the data subject
b. Court order
c. Satisfactory assurances based on a Qualified Protective Order in which both parties, Organization and Court, are prohibited from disclosing for any other purpose
d. Inquiry by Law Enforcement
d. Inquiry by Law Enforcement
What legal conditions allow an organization to disclose non-public information (NPI) under GLBA without the consent of the data subject?
An organization may disclose information without the consent of the data subject in order to comply with laws, investigations, court orders, judicial process, and exams.
What are transborder data flows?
Transborder data flows occur when data flows between the U.S. and a foreign country.
In transborder data flows, where one jurisdiction has more restrictive data privacy practices than another, the Hague Convention uses a procedure where each contracting jurisdiction designates a “central authority” to:
a. Receive and review incoming “letters of request” for taking evidence in that country
b. Determine compliance with the requirements of the convention
c. Transmit letters of request to the “authority competent to execute” it (article 2), typically a court, when the Hague Convention does not apply
d. All of the above
d. All of the above
Which of the following are rules used to reconcile a conflict in discovery rules between the U.S. and a foreign jurisdiction?
a. Importance of documents/data to litigation and whether they originated in the U.S.
b. Specificity of request
c. Availability of an alternate means of securing the data, and extent of U.S. and foreign state interests that would be undermined by adverse ruling
d. All of the above
d. All of the above
What are the best practice standards for data culled for eDiscovery?
a. Data should be preserved in place or in a separate form
b. Data should be transferred using encryption, with a key transferred by secure 2nd method
c. Audit trail should be maintained
d. All of the above
d. All of the above
- Additional methods that address sensitive personal information standards, including: identifying; redacting/withholding; maintaining confidentiality; and clawback of inadvertent disclosures.
What are the requirements for law enforcement searches under the 4th Amendment?
The 4th Amendment prohibits “unreasonable searches and seizures,” and a warrant is required for information where there was a “reasonable expectation of privacy.”
A search warrant must:
* be approved by a neutral judge (magistrate);
* be based on probable cause;
* describe a particular place to be searched; and
* be supported by specific testimony.
What is the ‘exclusionary rule’ for evidence submitted during the discovery period?
Evidence gathered without a proper search warrant is considered inadmissible.
What Supreme Court decision on wiretaps was the result of the 1928 case Olmstead vs. United States?
a. No warrant was required for wiretaps on telephone wires physically located outside the suspect’s building
b. Search warrant was only required for suspect’s private places
c. Search warrant was required for conversations in public the suspect had a reasonable expectation of privacy
d. a and b
d. a and b
What are the implications of the exclusionary rule on company privacy policies and practices?
A company must consider under what conditions surveillance, wiretaps, and database searches may be conducted on employees, and whether they would be admissible as evidence in the event of litigation.
What was the finding of the Supreme Court in the 1967 case Katz v. United States in regard to wiretapping that overturned the Olmstead case of 1928?
a. A reasonable expectation of privacy includes “what a person seeks to preserve as private, even in an area accessible to the public”
b. Wiretaps could not be conducted on telephone lines or in public when the person had a “reasonable expectation of privacy”
c. A “reasonable expectation of privacy” may be protected by the U.S. Constitution
d. All of the above
d. All of the above
What legislation did Congress enact in 1968 as a result of the Supreme Court’s opinion in the case Katz v. United States?
a. The Telephony Act
b. The 1974 Privacy Act
c. The Wiretap Act
d. None of the above
c. The Wiretap Act