Chapter 4: Information Management from a U.S. Perspective Flashcards

1
Q

What types of risks should be considered when using PI?

A
  1. Legal Risks
  2. Reputation Risks
  3. Operational Risks
  4. Investment Risks
2
Q

What do the Legal Risks stem from?

A

Failure to comply with applicable law, contractual commitments, privacy promises, and industry standards.

3
Q

What do the Reputational Risks stem from?

A

Public legal enforcement actions, and announcing privacy policies but then failing to carry them out.

4
Q

What do the Operational Risks stem from?

A

Lapses in administrative efficiency and cost effectiveness when handling information.

5
Q

What do the Investment Risks stem from?

A

The organization's ability to receive an appropriate return on its investments in information, information technology, etc.

6
Q

What are the 4 basic steps for Information Management?

A
  1. Discover
  2. Build
  3. Communicate
  4. Evolve
7
Q

Discover

A
  • Issue identification and self-assessment
  • Determine the best practices

8
Q

Build

A
  • Procedure development and verification
  • Full implementation

9
Q

Communicate

A
  • Documentation
  • Education

10
Q

Evolve

A
  • Affirmation and monitoring
  • Adaptation

11
Q

What should practices and controls that organizations use for managing PI address?

A
  1. Data Inventory
  2. Data Classification
  3. Documenting Data Flows
  4. Determining Data Accountability
12
Q

What does Data Inventory involve?

A

An inventory of the PI (employee and customer) that the organization collects, stores, uses, or discloses. It should document where the data is located and how it flows, and evaluate how, when, and with whom the organization shares such information, including the means used to transfer it.

13
Q

What does Data Classification involve?

A

Classifying data according to its level of sensitivity. It should define the clearance of individuals who can access or handle the data, as well as the baseline level of protection that is appropriate for that data.

14
Q

What does Documenting Data Flows involve?

A

The mapping and documenting of the systems, applications, and processes handling data.

15
Q

What does Determining Data Accountability involve?

A

The responsibility to assure compliance with privacy laws and policies.

16
Q

What do Privacy Policies do?

A

They inform relevant employees about how PI must be handled, and in some cases are made public in the form of a privacy notice.

17
Q

When does one Privacy Policy make sense?

A

When an organization has a consistent set of values and practices for all its operations.

18
Q

When do multiple Privacy Policies make sense?

A

When a company has well-defined divisions or lines of business, especially if each division uses customer data in very different ways, does not typically share PI with other divisions, and is perceived in the marketplace as a different business.

19
Q

What should a company do if it revises its Privacy Policy?

A
  1. Announce the change to employees
  2. Announce the change to current and former customers
  3. Per the FTC, obtain express affirmative consent (opt-in) before making material retroactive changes to privacy representations
20
Q

By what methods may a company communicate its Privacy Notice?

A
  1. Make the notice accessible in places of business
  2. Make the notice accessible online
  3. Provide updates and revisions
  4. Ensure that the appropriate personnel are knowledgeable about the policy.
21
Q

What is an opt-in?

A

One of two central concepts of choice. It means an individual makes an active, affirmative indication of choice; e.g., checking a box signaling a desire to share his or her information with third parties.

22
Q

What laws require opt-in consent?

A

COPPA, HIPAA, FCRA

23
Q

What is an opt-out?

A

One of two central concepts of choice. It means an individual's lack of action implies that a choice has been made; e.g., unless an individual checks or unchecks a box, their information will be shared with third parties.

24
Q

What is no consumer choice or no option?

A

When companies use consumer data for practices that are consistent with the context of the transaction, consistent with the company’s relationship with the consumer, or as required or specifically authorized by law.

25
Q

What are some management challenges of user preferences?

A
  1. The scope of the opt-out or other user preference can vary.
  2. The mechanism for providing an opt-out or other user preference can vary.
  3. Linking of a user's interactions.
  4. The time period for implementing user preferences.
  5. Third-party vendors often process PI on behalf of the company.
26
Q

What laws and frameworks give consumers the right to access the PI held about them?

A
  1. FCRA
  2. HIPAA
  3. Statements of fair information practices (e.g., the OECD Guidelines and the APEC Privacy Framework principles)
27
Q

What precautions should be included in vendor contracts?

A
  1. Confidentiality provision
  2. No further use of shared information
  3. Use of subcontractors
  4. Requirement to notify and to disclose breaches
  5. Information security provisions
28
Q

What vendor due diligence standards should a company consider using?

A
  1. Reputation
  2. Financial condition and insurance
  3. Information security controls
  4. Point of transfer
  5. Disposal of information
  6. Employee training and user awareness
  7. Vendor incident response