Chapter 5: Private Sector Data Collection

Question 1

COPPA applies to… (3)

Answer 1

Online services intended for children
General online services where the operator knows they are gathering childrens data
Online services knowingly collecting children’s data from other online services

Question 2

COPPA Online Services examples

Answer 2

Websites
Mobile apps
Smart Devices
etc.

Question 3

Who enforces COPPA?

Answer 3

FTC
States
Specific agencies in their context

Question 4

COPPA PI

Answer 4

Names
Addresses
SSN
Phone numbers
Screen names
geolocation
Media of a child’s image or voice

Question 5

COPPA protects…

Answer 5

PI and any info combined with PI

Question 6

Parents rights under COPPA

Answer 6

Consent
Revoking consent
Deletion
Limit collection to necessary information

Question 7

COPPA 3rd party restriction

Answer 7

Parents can’t be forced to allow collection by 3rd parties

Question 8

COPPA requirements for online services

Answer 8

Privacy Policies that meet COPPA requirements
Parental notification
Parental consent
Maintain way for parents to exercise their rights
Information security program

Question 9

COPPA consent requirements

Answer 9

Consent form (including paper)
Validate parents identity

Question 10

COPPA maximum fine

Answer 10

$43,280 per violation

Question 11

Data Brokers

Answer 11

Buy datasets to be resold

Question 12

Machine learning

Answer 12

Computer learns without human interaction

Question 13

PHI

Answer 13

Personal Health Information. Medical info including records by insurance companies and billing.

Question 14

ePHI

Answer 14

Medical records transferred electronically

Question 15

HIPAA applies to…

Answer 15

Covered entities and covered transactions

Question 16

HIPAA covered entities (3)

Answer 16

Insurance plans
Clearinghouses
Healthcare providers

Question 17

Healthcare clearinghouse

Answer 17

Manages the sharing of healthcare info by standardizing data

Question 18

HIPAA business associates

Answer 18

3rd party of a covered entity that works with PHI

Question 19

HIPAA Business Associate Agreements

Answer 19

Agreements between covered entities and 3rd parties ensuring conformance with HIPAA

Question 20

HIPAA doesn’t cover

Answer 20

Personel records
Academic records
Anonymized records

Question 21

HIPAA privacy rule (3)

Answer 21

Requires privacy practices
Limites use and disclosure of data without authorization.
Gives patients rights, including right to view and correct records

Question 22

Who enforces HIPAA

Answer 22

HHS OCR (Office of Civil Rights)

Question 23

Where are privacy standards and practices documented for HIPAA

Answer 23

Privacy policy and procedures document

Question 24

HIPAA compliance retention period

Answer 24

6 years

Question 25

HIPAA privacy rule requires…

Answer 25

Privacy official
Process for privacy complaints
Training
Implementing reasonable safeguards

Question 26

PHI Disclosure (3)

Answer 26

Sharing with 3rd parties
Only to provide services
Patients must consent (with a few exceptions)

Question 27

HIPAA Authorizations requests must be specific

Answer 27

True

Question 28

HIPAA Privacy Notice

Answer 28

Describes how data is used and shared
Privacy practices
Patients rights

Question 29

HIPAA Acknowledgment or receiving privacy notice

Answer 29

Good faith effort required

Question 30

Patients may access their records except…

Answer 30

Psychotherapy notes
Info regarding legal action
Certain restricted lab results covered by CLIA
If it will cause a person to harm themselves or others

Question 31

HIPAA Hybrid entities

Answer 31

Only part of a business is covered by HIPAA

Question 32

HIPAA personal representatives

Answer 32

Basically, healthcare proxies. Also, parents

Question 33

HIPAA Preemption

Answer 33

State laws may not be weaker than HIPAA

Question 34

HIPAA Voluntary Compliance

Answer 34

30 days to remediate as long as there wasn’t willful neglect

Question 35

HIPAA fines range

Answer 35

$100-$50,000 per violation
$1.5 million/year for repeated violations

Question 36

HIPAA criminal penalties

Answer 36

Up to 1 year in prison or up to 10 years
Up to $50K or up to $250K

Question 37

HIPAA Security Rule protects…

Answer 37

ePHI

Question 38

HIPAA Security Rule purpose

Answer 38

Information security framework for HIPAA compliance

Question 39

HIPAA RIsk analysis

Answer 39

Required to find risks, severity of risks, and probability.

Question 40

EHR

Answer 40

Electronic Health Records (HITECH)

Question 41

HITECH encourages implementing…

Answer 41

EHR’s

Question 42

HITECH Breach notification rule

Answer 42

Triggered when any unauthorized use or access of PHI occurs

Question 43

HITECH breach notification factors (4)

Answer 43

Type of information and if patients are identified
Who the data was disclosed to. (Hacker vs. wrong doctor)
Likelihood that data was accessed/shared. (Unread email scenario)
How PHI is secured. (Inaccessible due to encryption)

Question 44

HITECH breach notification thresholds

Answer 44

60 days
The media if it’s more than 500 people in a state

Question 45

HITECH breach notification to HHS requirements

Answer 45

60 days for more than 500 people
Annually for less than 500 people

Question 46

HITECH Business Associate breach notification requirements

Answer 46

60 days. Then covered entity notifies patients

Question 47

Information blocking (21st century Cures Act)

Answer 47

Attempts to block lawful sharing of data between doctors or with patients

Question 48

CURES act benefits

Answer 48

Exempts medical data from FOIA
Easier remote access of medical data
Increased confidentiality for research participants

Question 49

Confidentiality of substance use disorder patient rule

Answer 49

Protects records from law enforcement with a few exceptions
Fines and possible criminal prosecution for violators

Question 50

FCRA regulates…

Answer 50

Consumer reporting agencies

Question 51

CRA’s are

Answer 51

agency that provides reports about individual consumers

Question 52

What are these a factor of?

Creditworthiness
Credit standing
Credit capacity
Character
General reputation
Personal characteristics
Mode of living

Answer 52

Credit report

Question 53

3 well known CRA’s

Answer 53

Experian
Equifax
Transunion

Question 54

FCRA requires CRA’s to…

Answer 54

Maintain accurate reports
Determining when reports can be shared
Properly managing information in credit reports

Question 55

FCRA grants rights…

Answer 55

Right to requests reports
Right to be told about anything negative to make unfavorable decisions
Rights to control how report is shared

Question 56

Unfavorable credit reports must include…

Answer 56

Contact info for the CRA
Explanation of consumer rights
Right to dispute anything incorrect

Question 57

Who enforces FCRA?

Answer 57

FTC , CFPB, state AG’s

Question 58

FACTA

Answer 58

2003 update to FCRA

Question 59

FACTA’s most famous benefit

Answer 59

Free annual credit report

Question 60

FACTA benefits (4)

Answer 60

Free credit reports
Fraud alerts placed on reports
Creditors must verify identity before checking credit.
Enhanced dispute rights

Question 61

Financial Services Modernization Act of 1999 aka

Answer 61

GLBA

Question 62

What qualifies as a “financial institution” under GLBA?

Answer 62

“Significantly involved” in financial services.

Question 63

GLBA privacy rule

Answer 63

Financial institutions must share privacy notice annually

Question 64

GLBA privacy notice requirements

Answer 64

Privacy policy
Disclose how consumer info is collected, used, and shared.
List of 3rd parties with access to data

Question 65

GLBA customer vs. consumers

Answer 65

Customers have an ongoing relationship.
Consumers conduct isolated transactions (one offs like cashing checks)

Question 66

GLBA customer vs. consumers notification requirements

Answer 66

Customers get full privacy notice
Consumers get pointed to privacy notice

Question 67

GLBA Safeguards rule

Answer 67

Covers security practices

Question 68

GLBA Safeguards rule requires

Answer 68

Security program
Anticipate threats and take actions to prevent them
Risk management
3rd Party Risk Management
Designated security personnel

Question 69

GLBA 3 catagories of security controls

Answer 69

Training
Security Information Systems
Monitoring

Question 70

GLBA Red Flags Rule

Answer 70

Creditors monitor consumer data for identity theft red flags

Question 71

Red Flags Rule enforcement

Answer 71

SEC and CFTC for entities they regulate. Otherwise, FTC, CFPB, State AG

Question 72

Law that is a good example of shared regulatory authority

Answer 72

Red Flag Rule

Question 73

Dodd Frank centralized rulemaking for GLBA, FCRA/FACTA under what agency?

Answer 73

CFPB

Question 74

Abusive practices

Answer 74

Practices that abuse misunderstanding by consumers.
Material interference with consumers ability to understand terms of a consumer financial product

Question 75

FERPA applies to which records for what institutions?

Answer 75

Academic records for schools receiving federal funding

Question 76

FERPA protects which records (2)

Answer 76

Student
3rd party records about a student

Question 77

FERPA protected records (6)

Answer 77

Grades
Class rosters
Schedules
Health records
Financial info for higher ed students
Disciplinary records

Question 78

FERPA excludes… (3)

Answer 78

Law enforcement records
Some application data
Applicant data from non-students

Question 79

FERPA data disclosure requires…

Answer 79

Consent or anonymization

Question 80

TCPA
TSR

Answer 80

Telephone consumer protection act
Telemarketing Sales Rule

Question 81

TCPA regulates

Answer 81

Unsolicited sales and marketing calls (including autodialers and robocalls)
Texts

Question 82

Which agency issued TSR?

Answer 82

FTC

Question 83

TSR regulated by

Answer 83

FTC and FCC since FCC has jurisdiction for telemarketing

Question 84

UDAAP’s

Answer 84

Unfair, Deceptive, Abusive Acts

Question 85

Established Business Relationship Exemption (EBR)

Answer 85

Customer that has completed a purchase in last 18 months

Question 86

TSR applies to…

Answer 86

Telemarketing firms

Question 87

TSR Exemptions

Answer 87

Financial institutions
Non-profits
Airlines
Long distance phone providers
Certain insurance and investment sales activities

Question 88

TSR calling rules

Answer 88

8AM-9PM
Valid caller ID
Connect to a live person within 2 seconds
Must identify as a sales call
Written permission for robocalls

Question 89

DNC

Answer 89

Do Not Call Registry

Question 90

DNC prohibits…

Answer 90

Sales and marketing calls

Question 91

DNC exceptions

Answer 91

Politics
Charities
some non-profit
Surveys
Existing customers

Question 92

How often must DNC be updated?

Answer 92

31 days at telemarketers expense

Question 93

What is required to call someone on the DNC list?

Answer 93

Written permission

Question 94

Who enforces DNC? (3)

Answer 94

FTC
FCC
States

Question 95

DNC fines (FTC/FCC and States)

Answer 95

Fed: Up to $43,000
States: Up to $25,000

Question 96

JFPA

Answer 96

Junk Fax Prevention Act

Question 97

JFPA fine

Answer 97

$500-$1500 per page

Question 98

CAN-SPAM Act commercial messages

Answer 98

Advertising or promitional

Question 99

CAN-SPAM message “primary purpose”

Answer 99

If a reasonable person thinks the primary purpose is commercial, CAN-SPAM applies

Question 100

CAN-SPAM electronic messages

Answer 100

Not limited to email. Ex. Facebook messenger

Question 101

CAN-SPAM applies to:

Answer 101

All senders (not just businesses)

Question 102

CAN-SPAM sender requirements

Answer 102

Inform about advertising purpose
Identify sender
Share senders physical location
Prohibits deceiving recipients
Simple opt-out

Question 103

CAN-SPAM Opt-out requirements

Answer 103

Opt out up to 30 days from sending the message
10 days to cease all commercial messages
Not selling email address (keeping it private)

Question 104

rCAN-SPAM enforced by…

Answer 104

FTC

Question 105

CAN-SPAM ISP Rights

Answer 105

May take action if they are harmed

Question 106

CAN-SPAM federal pre-emption

Answer 106

Doesn’t allow stricter laws

Question 107

Wireless domain registry

Answer 107

Domain names that may not receive unsolicited email because they go to handheld devices

Question 108

Wireless domain registry update time requirement

Answer 108

Within 30 days by wireless carriers

Question 109

CPNI

Answer 109

Telephone call metadata

Question 110

Consent requirement for sharing CPNI

Answer 110

Consent required

Question 111

CPNI breach reporting

Answer 111

7 days to Law Enforcement
Then subscribers

Question 112

FCC excludes what from CPNI?

Answer 112

Text messages (information services)

Question 113

Cable Communications Policy Act

Answer 113

Consent required to collect PII (except to deliver services and block theft)

Question 114

Cable Comms Policy act notification requirements

Answer 114

At sign up and then annually

Question 115

Cable Communications Policy Act enforced by…

Answer 115

Multiple agencies
Private right of Action

Question 116

VPPA

Answer 116

Video Privacy Protection Act

Question 117

VPPA protects

Answer 117

PII collected by a Videotape Service Provider

Question 118

Videotape service provider includes…

Answer 118

Streamers

Question 119

Videotape service providers are allowed to share…

Answer 119

Customer names and addresses

Question 120

VPPA enforced by…

Answer 120

Private right of action