Chapter 4: Information Management from a U.S. Perspective

Question 1

What types of risks should be considered when using PI ?

Answer 1

1. Legal Risks
2. Reputation Risks
3. Operational Risks
4. Investment Risks

Question 2

What do the Legal Risks stem from?

Answer 2

Failure to comply with applicable law, contractual commitments, privacy promises, and industry standards.

Question 3

What do the Reputational Risks stem from?

Answer 3

Legal enforcement and if they announce privacy policies but do not carry them out. .

Question 4

What do the Operational Risks stem from?

Answer 4

Administrative efficiency and cost effectiveness.

Question 5

What do the Investment Risks stem from?

Answer 5

The ability to receive an appropriate return on it investments in information, information technology, etc.

Question 6

What are the 4 basic steps for Information Management?

Answer 6

1. Discover
2. Build
3. Communicate
4. Evolve

Question 7

Discover

Answer 7

• Issue identification and self-assessment

- Determine the best practices

Question 8

Build

Answer 8

• Procedure development and verification

- Full implementation

Question 9

Communicate

Answer 9

• Documentation

- Education

Question 10

Evolve

Answer 10

• Affirmation and monitoring

- Adaptation

Question 11

What should practices and controls that organizations use for managing PI address?

Answer 11

1. Data Inventory
2. Data Classification
3. Documenting Data Flows
4. Determining Data Accountability

Question 12

What does Data Inventory involve?

Answer 12

An inventory of the PI (employee and customer) that the organization collects, stores, uses, or discloses. It should document data location and flow as well as evaluate how, when, and with whom the organization shares such information - and the means for data transfer used.

Question 13

What does Data Classification involve?

Answer 13

Classifying data according to its level of sensitivity. It should define the clearance of individuals who can access or handle the data, as well as the baseline level of protection that is appropriate for that data.

Question 14

What does Documenting Data Flows involve?

Answer 14

The mapping and documenting of the systems, applications, and processes handling data.

Question 15

What does Determining Data Accountability involve?

Answer 15

The responsibility to assure compliance with privacy laws and policies.

Question 16

What do Privacy Policies do?

Answer 16

They inform relevant employees about how PI must be handled, and in some cases are made public in the form of a privacy notice.

Question 17

When does one Privacy Policy make sense?

Answer 17

When an organization has a consistent set of values and practices for all its operations.

Question 18

When do multiple Privacy Policies make sense?

Answer 18

When a company that has well-defined divisions of lines of business, especially if each division uses customer data in very different ways, does not typically, share PI with other divisions and is perceived in the marketplace as a different business.

Question 19

What should a company do if it revises its Privacy Policy?

Answer 19

1. Announce the change to employees
2. Announce the change to current and former customers
3. Per the FTC, obtain express affirmative consent (opt-in) before making material retroactive changes to privacy representations

Question 20

What methods may a company communicate its Privacy Notice?

Answer 20

1. Make the notice accessible in places of business
2. Make the notice accessible online
3. Provide updates and revisions
4. Ensure that the appropriate personnel are knowledgeable about the policy.

Question 21

What is an opt-in?

Answer 21

One of two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties.

Question 22

What legal bodies require opt-ins?

Answer 22

COPPA, HIPPA, FCRA

Question 23

What is an opt-out?

Answer 23

One of two central concepts of choice. It means an individual’s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, their information will be shared with third parties.

Question 24

What is no consumer choice or no option?

Answer 24

When companies use consumer data for practices that are consistent with the context of the transaction, consistent with the company’s relationship with the consumer, or as required or specifically authorized by law.

Question 25

What are some management challenges of user preferences?

Answer 25

1. The scope of the opt-out or other user preference can vary.
2. The mechanism for providing an opt-out or other user preference can vary.
   3, Linking of a user’s interactions.
3. The time period for implementing user preferences.
4. Third party vendors often process PI on behalf of the company.

Question 26

What laws give consumers the right to access the PI held about them?

Answer 26

1. FCRA
2. HIPAA
3. Statements on fair information practices - OECD Guidelines, APEC Principles

Question 27

What precautions should be included in vendor contracts?

Answer 27

1. Confidentiality provision
2. No further use of shared information.
3. Use of subcontractors.
4. Requirement to notify and to disclose breach
5. Information security provisions

Question 28

What vender due diligence standards should a company consider using?

Answer 28

1. Reputation.
2. Financial Condition and insurance
3. Information Security Controls
4. Point of Transfer
5. Disposal of information
6. Employee Training and User Awareness
7. Vendor incident response