Chapter 5: Private Sector Data Collection Flashcards
COPPA applies to… (3)
Online services intended for children
General online services where the operator knows they are gathering children's data
Online services knowingly collecting children’s data from other online services
COPPA Online Services examples
Websites
Mobile apps
Smart Devices
etc.
Who enforces COPPA?
FTC
States
Specific agencies in their context
COPPA PI
Names
Addresses
SSN
Phone numbers
Screen names
Geolocation
Media of a child’s image or voice
COPPA protects…
PI and any info combined with PI
Parents' rights under COPPA
Consent
Revoking consent
Deletion
Limit collection to necessary information
COPPA 3rd party restriction
Parents can’t be forced to allow collection by 3rd parties
COPPA requirements for online services
Privacy Policies that meet COPPA requirements
Parental notification
Parental consent
Maintain way for parents to exercise their rights
Information security program
COPPA consent requirements
Consent form (including paper)
Validate parent's identity
COPPA maximum fine
$43,280 per violation
Data Brokers
Buy datasets to be resold
Machine learning
Computer learns without human interaction
PHI
Personal Health Information. Medical info including records by insurance companies and billing.
ePHI
Medical records transferred electronically
HIPAA applies to…
Covered entities and covered transactions
HIPAA covered entities (3)
Insurance plans
Clearinghouses
Healthcare providers
Healthcare clearinghouse
Manages the sharing of healthcare info by standardizing data
HIPAA business associates
3rd party of a covered entity that works with PHI
HIPAA Business Associate Agreements
Agreements between covered entities and 3rd parties ensuring conformance with HIPAA
HIPAA doesn’t cover
Personnel records
Academic records
Anonymized records
HIPAA privacy rule (3)
Requires privacy practices
Limits use and disclosure of data without authorization
Gives patients rights, including right to view and correct records
Who enforces HIPAA
HHS OCR (Office of Civil Rights)
Where are privacy standards and practices documented for HIPAA
Privacy policy and procedures document
HIPAA compliance retention period
6 years
HIPAA privacy rule requires…
Privacy official
Process for privacy complaints
Training
Implementing reasonable safeguards
PHI Disclosure (3)
Sharing with 3rd parties
Only to provide services
Patients must consent (with a few exceptions)
HIPAA authorization requests must be specific
True
HIPAA Privacy Notice
Describes how data is used and shared
Privacy practices
Patients' rights
HIPAA acknowledgment of receiving privacy notice
Good faith effort required
Patients may access their records except…
Psychotherapy notes
Info regarding legal action
Certain restricted lab results covered by CLIA
If it will cause a person to harm themselves or others
HIPAA Hybrid entities
Only part of a business is covered by HIPAA
HIPAA personal representatives
Basically, healthcare proxies. Also, parents
HIPAA Preemption
State laws may not be weaker than HIPAA
HIPAA Voluntary Compliance
30 days to remediate as long as there wasn’t willful neglect
HIPAA fines range
$100-$50,000 per violation
$1.5 million/year for repeated violations
HIPAA criminal penalties
Up to 1 year in prison or up to 10 years
Up to $50K or up to $250K
HIPAA Security Rule protects…
ePHI
HIPAA Security Rule purpose
Information security framework for HIPAA compliance
HIPAA risk analysis
Required to find risks, severity of risks, and probability.
EHR
Electronic Health Records (HITECH)
HITECH encourages implementing…
EHRs
HITECH Breach notification rule
Triggered when any unauthorized use or access of PHI occurs
HITECH breach notification factors (4)
Type of information and if patients are identified
Who the data was disclosed to. (Hacker vs. wrong doctor)
Likelihood that data was accessed/shared. (Unread email scenario)
How PHI is secured. (Inaccessible due to encryption)
HITECH breach notification thresholds
60 days
The media if it’s more than 500 people in a state
HITECH breach notification to HHS requirements
60 days for more than 500 people
Annually for less than 500 people
HITECH Business Associate breach notification requirements
60 days. Then covered entity notifies patients
Information blocking (21st century Cures Act)
Attempts to block lawful sharing of data between doctors or with patients
Cures Act benefits
Exempts medical data from FOIA
Easier remote access of medical data
Increased confidentiality for research participants
Confidentiality of substance use disorder patient rule
Protects records from law enforcement with a few exceptions
Fines and possible criminal prosecution for violators
FCRA regulates…
Consumer reporting agencies
CRAs are
Agency that provides reports about individual consumers
What are these a factor of?
Creditworthiness
Credit standing
Credit capacity
Character
General reputation
Personal characteristics
Mode of living
Credit report
3 well-known CRAs
Experian
Equifax
TransUnion
FCRA requires CRAs to…
Maintain accurate reports
Determine when reports can be shared
Properly manage information in credit reports
FCRA grants rights…
Right to request reports
Right to be told when negative information is used to make unfavorable decisions
Right to control how report is shared
Unfavorable credit reports must include…
Contact info for the CRA
Explanation of consumer rights
Right to dispute anything incorrect
Who enforces FCRA?
FTC, CFPB, state AGs
FACTA
2003 update to FCRA
FACTA’s most famous benefit
Free annual credit report
FACTA benefits (4)
Free credit reports
Fraud alerts placed on reports
Creditors must verify identity before checking credit.
Enhanced dispute rights
Financial Services Modernization Act of 1999 aka
GLBA
What qualifies as a “financial institution” under GLBA?
“Significantly involved” in financial services.
GLBA privacy rule
Financial institutions must share privacy notice annually
GLBA privacy notice requirements
Privacy policy
Disclose how consumer info is collected, used, and shared.
List of 3rd parties with access to data
GLBA customers vs. consumers
Customers have an ongoing relationship
Consumers conduct isolated transactions (one-offs like cashing checks)
GLBA customers vs. consumers notification requirements
Customers get full privacy notice
Consumers get pointed to privacy notice
GLBA Safeguards rule
Covers security practices
GLBA Safeguards rule requires
Security program
Anticipate threats and take actions to prevent them
Risk management
3rd Party Risk Management
Designated security personnel
GLBA 3 categories of security controls
Training
Security Information Systems
Monitoring
GLBA Red Flags Rule
Creditors monitor consumer data for identity theft red flags
Red Flags Rule enforcement
SEC and CFTC for entities they regulate. Otherwise, FTC, CFPB, State AG
Law that is a good example of shared regulatory authority
Red Flags Rule
Dodd-Frank centralized rulemaking for GLBA, FCRA/FACTA under what agency?
CFPB
Abusive practices
Practices that exploit consumers' misunderstanding
Material interference with consumers' ability to understand the terms of a consumer financial product
FERPA applies to which records for what institutions?
Academic records for schools receiving federal funding
FERPA protects which records (2)
Student
3rd party records about a student
FERPA protected records (6)
Grades
Class rosters
Schedules
Health records
Financial info for higher ed students
Disciplinary records
FERPA excludes… (3)
Law enforcement records
Some application data
Applicant data from non-students
FERPA data disclosure requires…
Consent or anonymization
TCPA
TSR
Telephone Consumer Protection Act
Telemarketing Sales Rule
TCPA regulates
Unsolicited sales and marketing calls (including autodialers and robocalls)
Texts
Which agency issued TSR?
FTC
TSR regulated by
FTC and FCC since FCC has jurisdiction for telemarketing
UDAAPs
Unfair, Deceptive, or Abusive Acts or Practices
Established Business Relationship Exemption (EBR)
Customer that has completed a purchase in the last 18 months
TSR applies to…
Telemarketing firms
TSR Exemptions
Financial institutions
Non-profits
Airlines
Long distance phone providers
Certain insurance and investment sales activities
TSR calling rules
8 AM to 9 PM
Valid caller ID
Connect to a live person within 2 seconds
Must identify as a sales call
Written permission for robocalls
DNC
Do Not Call Registry
DNC prohibits…
Sales and marketing calls
DNC exceptions
Politics
Charities
Some non-profits
Surveys
Existing customers
How often must DNC be updated?
Every 31 days, at the telemarketer's expense
What is required to call someone on the DNC list?
Written permission
Who enforces DNC? (3)
FTC
FCC
States
DNC fines (FTC/FCC and States)
Fed: Up to $43,000
States: Up to $25,000
JFPA
Junk Fax Prevention Act
JFPA fine
$500-$1500 per page
CAN-SPAM Act commercial messages
Advertising or promotional
CAN-SPAM message “primary purpose”
If a reasonable person thinks the primary purpose is commercial, CAN-SPAM applies
CAN-SPAM electronic messages
Not limited to email. Ex. Facebook messenger
CAN-SPAM applies to:
All senders (not just businesses)
CAN-SPAM sender requirements
Inform about advertising purpose
Identify sender
Share sender's physical location
Prohibits deceiving recipients
Simple opt-out
CAN-SPAM Opt-out requirements
Opt out up to 30 days from sending the message
10 days to cease all commercial messages
Not selling email address (keeping it private)
CAN-SPAM enforced by…
FTC
CAN-SPAM ISP Rights
May take action if they are harmed
CAN-SPAM federal preemption
Doesn’t allow stricter laws
Wireless domain registry
Domain names that may not receive unsolicited email because they go to handheld devices
Wireless domain registry update time requirement
Within 30 days by wireless carriers
CPNI
Telephone call metadata
Consent requirement for sharing CPNI
Consent required
CPNI breach reporting
7 days to Law Enforcement
Then subscribers
FCC excludes what from CPNI?
Text messages (information services)
Cable Communications Policy Act
Consent required to collect PII (except to deliver services and block theft)
Cable Communications Policy Act notification requirements
At sign up and then annually
Cable Communications Policy Act enforced by…
Multiple agencies
Private right of action
VPPA
Video Privacy Protection Act
VPPA protects
PII collected by a Videotape Service Provider
Videotape service provider includes…
Streamers
Videotape service providers are allowed to share…
Customer names and addresses
VPPA enforced by…
Private right of action