CIPP/US Flashcards

1
Q

Laws Requiring Opt-In

A

COPPA - parent consent to collect/use/disclose child PI
HIPAA - marketing (except promo gifts & face-to-face convo), psychotherapy notes (exceptions), disclosed to 3rd party (exceptions)
NOT - TPO, emergency, legal
FCRA - employment/background use of consumer report, investigative report, non-permissible purpose
VPPA - before disclose to third party
GDPR - for marketing, sensitive D
TCPA - DNC list and…(telemarket = written)…
(i) Prerecorded - wireless (telemarketing & info), residential (telemarketing, NOT info)
(ii) Robo-call/text - wireless (telemarketing & info), residential (telemarketing)
(iii) EXCEPT - politics, survey, charity, gov, emergency, package delivery
FERPA - from parent/student b4 disclose to third parties (exceptions - school officials, other schools, directory info, emergency, law, fin aid, gov audit, studies)

FTC - Material change privacy notice
States - sensitive data
CCPA - selling PI of 13-16 yr old, collecting under 13 yr old
BIPA - collecting/using

2
Q

Laws Requiring Opt-Out

A

GLBA - transfer to unaffiliated 3rd party for their use (no required opt-in to share w/ affiliates)
VPPA - if using for marketing after initial consent
CAN-SPAM - emails
Do-not-call rules allow opt-out
FCRA - opt-out for sharing among affiliates for marketing
COPPA - parents can opt-out
TCPA - opt-out required for robocalls, texts, faxes
HIPAA - opt-out for fundraising/marketing
GDPR - opt-out of activities (e.g. direct marketing)
DPPA - marketing, non-permissible purpose

CCPA - opt-out of sale/sharing (Do Not Sell/Share my PI link)
VA/CO/CT/UT - opt-out for certain processing (targeted ads, data sales)

3
Q

Jurisdiction

A

Court (to hear issue) - subject matter J & personal J

General authority - over field of activity
Specific authority - singular activities outlined
Both - FTC general UDAP, specific COPPA

Sectoral (GLBA/FCRA/HIPAA); broad (FTC/UDAP); geographic (CPA/state UDAP)

4
Q

Key Regulators

A

FTC, FCC, DoC, HHS, Banking (Fed Reserve Board, Comptroller of Currency/OCC), state AGs, state data protection agencies (GDPR/CA), self-regulatory systems; DOS; DOC; DOT; FAA; NHTSA; OMB; IRS; DHS; TSA; ICE; DOE; DOJ

5
Q

Law Scope & Application of Laws

A

Who covered; what types of info; what is required; prohibitions; enforcers; penalties; purpose; preemption; etc.

6
Q

Civil Liability

A

Contract; statutory; tort (intentional, negligent, & strict liability)

7
Q

4 Privacy Torts + privacy negligence

A
  1. Intrusion on seclusion
  2. Public revelation of private fact
  3. Interfere w/ right of publicity
  4. False light (casting in a false light)

Negligence - fail adequate safeguards for PI causing harm due to disclosure

8
Q

FTC Jurisdiction

A

All areas of commerce (NOT non-profit or certain regulated industries like banks)

Cases = cybersecurity unfairness; hacks

Specific = COPPA, HITECH, FCRA, CAN-SPAM
Broad - Section 5, UDAP

NO J = common carriers engaging in common carrier duties

9
Q

FTC UDAP

A
  • Promise level of security & don’t fulfill
  • Material misstatement or omission
  • Fail to comply w/ representations
  • Fail reasonable security measures
  • Failure monitor employee access
  • Failure to secure sensitive data
  • Fail to disclose breach
  • Internal governance failures to notify GC/execs
10
Q

FTC monetary damages

A
  • Monetary relief if violate C&D
  • SCOTUS 2001 AMG Capital - FTC no monetary relief under FTC Act/13(b), only injunctions
  • Statutes providing monetary relief - COPPA, TSR
  • Fed/state partnerships to get monetary relief
11
Q

FTC rule making authority

A
  • General authority for rules on UDAP (not normal APA?), must establish prevalence of acts, UDAP & economic effect
  • Magnuson-Moss Warranty
12
Q

FTC enforcement processes

A
  • Investigation authority - subpoena, civil investigation, reports under oath
  • Complaint - administrative trial before ALJ, appeal before 5 commissioners, appeal to fed court
  • Consent orders/decrees - settlement, no admit fault, proof of compliance, audits, etc.
13
Q

Data inventory

A
  • Types, sources, uses, collection, disclosure of PI,
  • Lifecycle (creation, storage, sharing, use, archive, deletion)
  • Customer D, employee D, B2B D?
14
Q

Data classification

A
  • Classic categories = public, confidential, proprietary, sensitive, restricted, etc.
  • Considerations - level of sensitivity, protection, who has access, location, segregated from other D (as needed), etc.
15
Q

Data flow mapping

A

General - what D, where, why, which systems connect/use, process for handling D

Top-down (GDPR) - record of processing activities, document purpose of processing, parties who PI disclosed, retention, safeguards

Bottom-up - data, inventory & classify, describe process, document lineage of data & metadata

16
Q

4 Steps of info management

A
  1. Discover environment/goals/regs
  2. Build policies/experts/procedures
  3. Communicate w/ internal/external stakeholders
  4. Evolve to changes in law/tech/market/other
17
Q

Privacy Policy (internal)

A

Implement company policy; inform employees; compliance; penalties; operations.

Multiple for defined divisions or lines of business

18
Q

Privacy Policy (external)

A

Informs customers/users/employees on D collection, use, storage, sharing/disclosure, how to exercise choices

Statutory requirements - GLBA, etc.

Accessibility - online or physical biz copy; GLBA annual w/ clear opt-out notice; notice on revision; long v. short versions; notice at/before collection;

Deceptive/contract to violate; dated/version

19
Q

Data breach readiness assessment

A

Level of risk, likelihood and severity of breach, type and nature of data, technical safeguards, impact on data subject, possibility of damage, etc.

20
Q

Security

A

Key controls - administrative, technical, physical

Established controls - firewalls, encryption, levels, etc.

21
Q

NIST Cyber framework (6 key principles)

A
  1. Identify - people, systems, data, capabilities
  2. Protect/safeguard
  3. Detect/identify
  4. Incident/anomalies
  5. Respond
  6. Recover
22
Q

Opt-out scope & mechanism

A
  • By channel (calls, emails, etc.)
  • Channel of marketing = channel for opt-out
  • CAN-SPAM - requires online opt-out (no mail/call)
  • GLBA - apply opt-out regardless of media used
  • Third parties should honor opt-out to main party
23
Q

Implied authority/opt-in

A

2012 FTC report - no choice needed if consistent w/ context of transaction, company relationship w/ consumer, etc.

24
Q

Employee training

A

HIPAA requires - sensitive data; keep records of who is trained.

25
Q

Vendor/3rd party management

A
  • Contract provisions - confidentiality, limited use, subcontractors, cross border, breach notification, security controls, return/delete data, etc.
  • Due diligence - references, finances/resources, insurance, evidence of controls, audit, compliance certifications, employee training, incident response, monitor/audit 3rd party, risk assessment, cloud
26
Q

International data transfers

A

Approaches = pre-authorized safeguards, adequacy determinations, SCCs, trade Ks, standards/initiatives, binding corporate rules/BCRs

Multilateral Ks - OECD guidelines, APEC cross-border privacy rules, EU convention 108 & 108+

27
Q

GDPR parties

A

Controller - determines purposes and means of processing PI

Processor - processes PI on behalf of controller

28
Q

Federal statute preemption

A

HIPAA - preempts lesser, states can build
GLBA - preempts lesser, states can build
FCRA - preempts lesser, states can build
COPPA - preempts lesser, states can build
ECPA - preempts lesser, states can build
SUD Rule (42 CFR Part 2) - preempts lesser, states can build
GINA - states can build
FTC Act - implied preempts lesser/conflicting, states can build

FERPA - no preemption

TCPA - state DNC lists must align w/ TCPA; preempts lesser/conflicting, states may build (1/2 states w/ license/register, state DNC list, identifying self, terminate if request, written contract for some sales)

FACTA - preempts stricter (except ID theft and identified laws - credit scores, state insurance laws, frequency of free reports, privacy/consumer protection that don’t conflict)

CAN-SPAM - preempts most state laws restricting commercial email, state spam laws not preempted if prohibit false/deceptive activity

29
Q

US Constitutional Privacy

A

3rd amend - quartering soldiers
4th amend - unreasonable search/seizure
5th amend - self incrimination
14th amend - no deprive w/o due process; right to privacy via penumbras (Warren/Brandeis), bodily privacy/abortion (Roe v. Wade)

CA/11 states constitution privacy right; UN declaration of human rights; EU convention for protection of human…

30
Q

FTC definition of PI

A

Reasonably linkable to particular person, including - online identifiers (IP address, cookies, device/MAC ID), loyalty card numbers, name, phone, address, SSN, bank/credit account numbers, financial data, biometric info, medical history/condition/treatment, other info that can identify when combined

31
Q

COPPA - Children’s Online Privacy Protection Act

(7) Requirements

PI definition

A

(1) Verifiable (signed, credit card, phone) and clear/accessible express parent consent prior to PI collection for child (under 13), including ads
(2) Clear/conspicuous notice - what info collected, how used, whether shared, how parents can review/delete and revoke consent, third parties that collect/use
(3) Limited collection - min. amount necessary
(4) Parent access - to child PI, request updates/delete
(5) Confidentiality/security - reasonable steps
(6) Deletion - no retention longer than necessary
(7) Third party management for compliance w/ COPPA

PI - name/part of, email/screen name/personal, personal identifier (address/phone/SSN), identifiers (cookies/IP address/device ID), photo/audio/video w/ identifying info, geolocation (if it identifies child’s coordinates), any other usable to identify (and combo)

FTC Scrutiny for EdTech Companies

32
Q

MedTech & Telemedicine

A

Products/service providers are ‘biz associates’ subject to HIPAA

FDA regulated - (1) software as ‘Medical Device,’ (2) cybersecurity guidance for internet connection (stakeholders in ecosystem, lifecycle, etc.)

FTC Section 5 applies

33
Q

HIPAA Parties

(Health Insurance Portability and Accountability Act)

A

‘Covered Entities’ (CE) = health care providers, insurers/plans, health clearinghouses, and ‘business associates’ that receive PHI from covered entity
NOT - cash-only DR w/ no insurance billing or electronic transactions, websites, conversations, online, etc.

‘Business Associates’ (BA) = cloud provider w/ PHI (even unknowingly); service provider of CE if use PHI (e.g. claims processing, data analysis, billing, legal, actuarial, accounting, consulting, administrative, accreditation, financial services, etc.)

34
Q

HIPAA - PHI & ePHI definitions

A

(1) Identifies an individual or reasonable basis for identification (e.g. name, SSN, and indirect: dates, geo location)

(2) relates to past/present/future physical or mental condition, health care, or payment,

(3) in any form (electronic, paper, oral),

(4) transmitted, maintained or held by CE/BA in process

(5) created or received by covered entity or employer in providing health services/processing related benefits

ePHI = electronic media PHI (not paper to paper fax, voice/phone)

35
Q

6 Privacy Rule requirements (HIPAA & 2002 HITECH revisions)

A

(1) Privacy notice - specific elements including: how use/disclose PHI, consumer rights including complaints, CE duties to safeguard PHI, contact point,
(i) provided on/before first service (exceptions - emergency & indirect relationship)

(2) Authorizations for use/disclosure
(i) no auth - use/disclose for essential health purposes/TPO (treatment, payment, operations), comply w/ law (reporting, legal proceeding), psychotherapy limited circumstances*, to patient, billing/claims, health operations
(ii) auth required - any use outside of TPO/legal (e.g. marketing, research, third-party disclosures not under normal operations) - specify which PHI use/disclosed, purpose of use/disclose, person/entity that receives

(3) Min. necessary - for purpose/treatment

(4) Patient access - designated record set, accounting of disclosures; amend PHI or file included statement

(5) Safeguards - administrative, physical, technical, security rules for ePHI, backup & recovery rules

(6) Accountability - DPO, training, policies

36
Q

HIPAA Exceptions

A

TPO, de-identified (18 elements/expert), research (board approve), public health, abuse/neglect/violence, legal proceeding, law enforcement, gov functions, compliance investigation, etc.

Opt-in/consent

512(f) disclosure to law enforcement if 3 criteria (relevant/material, specific and limited, de-identified info…?)

Court order, grand jury subpoena, administrative request

37
Q

Security Rule (6) requirements (HIPAA + HITECH + 2003 HHS)

A

(1) Reasonable security measures - policies to prevent, detect, contain & correct
(i) Required vs addressable/document/alt

(2) Administrative - training, DPO, analysis, incident contingency, etc

(3) Physical - facility access, device and media controls, etc.

(4) Technical - access controls, audit, authentication, encryption, etc.

(5) Breach notification rule ePHI, CE & BA notify consumer & HHS (sometimes media)

(6) BA Agreements - follow HIPAA security

38
Q

Transactions and Code Sets Rule (HIPAA, HITECH & ACA)

A

EDI standards for electronic exchange of healthcare info (code sets - diagnoses, procedures, meds, etc.)

Scope - electronic transfer of PHI between CEs/BAs

Operational rules for key Transactions - claims, benefit inquiry, referral/authorization, payment/remittance

Goals - streamline admin & reduce paperwork, improve efficiency

39
Q

HITECH - Health Information Technology for Economic and Clinical Health Act 2009 (updated HIPAA)

A

(1) Presumed Breach = unauthorized acquisition, access, use or disclosure of unsecured PHI is presumed a breach, UNLESS risk assessment shows low probability security/privacy of info compromised (e.g. unsecured info, no encryption); burden of proof on CE/BA

(a) Notifications - BA must notify CE; if > 500, notify HHS; if > 500 in same J notify media; report to HHS annually all breaches requiring notice
(i) INCLUDES - cloud services, medical apps/wearables (2019 FTC statement)
(ii) 60 days to notify individuals?

(2) Electronic Health Records (EHR) - incentive to use to get funding; sharing for TPO; no sales w/o consent (exceptions); no payment for marketing (exceptions)
(a) Patient request - provide copy of EHR, and all nonverbal disclosures within 3 years?

(3) Data limitation for all disclosures (min. necessary); FTC & HHS rule-making for data breaches; codified privacy & security rules, which apply to BAs

40
Q

21st Century Cures Act of 2016

A

(1) Information blocking prohibition - Healthcare IT devs, providers & info exchanges can’t unreasonably block patient access to their EHI or restrict interoperability
(a) Exceptions - privacy, security, infeasibility, harm prevention
(b) Scope - healthcare providers, health IT developers, health info exchanges & networks

(2) Patient access - w/o special effort, delays or fees

(3) Interoperability - open APIs for health IT systems for seamless data sharing; FHIR standard

(4) Devs of certified EHR tech (CEHRT) must disclose business practices including: restrictions on sharing, fees associated w/ EHR access/exchange

41
Q

Confidentiality of Substance Use Disorder Patient Records Rule (42 CFR Part 2)

A

(1) Applies to - any program w/ fed funding and diagnosis/treatment/referral for SUDs, state licensing, controlled substances for detox (DEA license)
(a) Includes hospitals, clinics, private practices, programs within criminal justice & education settings
(b) SUD = substance use disorder
(c) Stricter than HIPAA; entities subject to rule likely subject to HIPAA also

(2) Info protected - no disclosure/use of info that could identify a person as having an SUD (treatment, diagnoses, medications, fact of seeking treatment)
(a) Restrictions on use of info that could lead to/substantiate criminal charges.

(3) Disclosure rules - patient written consent to disclose, must include:
(a) Who disclosing & who receiving
(b) Purpose of disclosure, and
(c) Type of info shared
(i) Exceptions - medical emergency, qualified audits/evals, court order, reporting crimes on program premises or against staff, child abuse
(ii) Re-disclosure - Recipients cannot re-disclose unless patient express consent or exception

(4) Security Rules - formal policies/procedures, rules for paper vs EHI

NO preemption of stricter state rules

42
Q

Genetic Information Nondiscrimination Act (GINA) 2008 & CalGINA

A

(1) Genetic info = genetic tests of individual & family (up to 4th degree), family medical history, participation in genetic services/research, info about fetus/embryo for pregnancy/assisted reproduction

(2) Protections - no use of genetic info in insurance and employment, no discrimination, no request genetic testing.
(a) Insurance - eligibility, coverage, premium rates/adjustments, underwriting
(b) Employment - hiring, firing, promotion, job assignments, retaliation if complaint

(3) Exceptions = inadvertent disclosure, voluntary wellness program w/ consent, compliance with FMLA/similar state law, certain public health activities (workplaces w/ toxic exposure w/ consent); diseases already manifested;
(i) Employers w/ less than 15 employees
(ii) Insurance exceptions? - life insur., disability insur., long-term care insur.
(iii) Outside scope = life insurers, mortgage lenders, schools, others

CalGINA - prohibits genetic discrimination in emergency medical, mortgage lending, housing, education, other state-funded programs

43
Q

State Health Privacy Laws

A

Differs - comprehensive med privacy, medtech laws, at-home genetic testing, consumer genetic testing, etc.

CA Confidentiality of Medical Info Act (CMIA) - Right to pursue legal action for violation of law for compensatory and punitive damages.

44
Q

Fair Credit Reporting Act (FCRA)

Amended in 1996 and by FACTA

A

Consumer report = info about creditworthiness, credit standing, credit capacity, character, general reputation, lifestyle used to determine eligibility for: credit (loans/cards), employment, insurance, housing (rent/mortgage), other legit biz needs

Consumer reporting agency (CRA) = person/entity compiling consumer data and provide in form of consumer report to biz evaluating creditworthiness, employment, insurance or rentals

Users (of consumer report) = lenders, insurers, employers, others
(a) User requirements = permissible purpose & certify PP; notify of adverse action; record keeping; securely dispose of report data; employer requirements
(i) Permissible purposes = written consent, extension of credit, review/collection of account, employment purposes (hiring/promotion w/ consent), underwriting insurance, legit biz need for consumer initiated transaction, review account, determine eligibility for license/gov benefit, assessment of credit/prepayment risk, gov. determine child support; court order/subpoena; prescreening of credit/insurance

Furnishers (of consumer info) = lenders, retailers, others that furnish credit history
(a) Duties - accurate info, correct/update, notice of dispute, respond to info from ID theft, ensure correct person, prevent change in date of first delinquency, maintain records for period of time, no report info known to be inaccurate, notify CRA if incorrect/incomplete, notify CRA if dispute, investigation of dispute, procedure for max accuracy, not report negative outdated info (7 year account data, 10 year bankruptcy)

7 Key rights = (1) access reports (1 free per year); (2) accuracy & dispute rights (inaccurate or incomplete, 30 days to correct); (3) notice of adverse actions (deny, employment, insurance) based on credit report; (4) details about CRA that supplied report; (4) know who accessed; (5) limits on negative info (7 years payments, 10 bankruptcy); (6) opt-out of pre-screenings; (7) limit use to ‘permissible purposes’

Adverse action - all biz/credit/employment action w/ negative impact (denying/cancelling credit/insurance/employment/promotion; not counteroffer)
(a) Include - name, address, phone of CRA; statement CRA did not make adverse decision; statement of rights to obtain free report within 60 days; statement of right to dispute w/ CRA

Employment use - written notice (single solo doc) before obtaining; certify to CRA no violation of fed/state discrimination law; if adverse action provide copy of report and summary of rights, adverse action notice if obtained from affiliate
(a) Investigation of suspected misconduct -

Investigative use (character, reputation, personal characteristics, mode of living via personal interviews) - special rights, (1) section 606 disclose its use to consumer within 3 days, (2) statement informing of right to request additional disclosures of nature/scope within 5 days, (3) summary of consumer rights if adverse action, (4) certify to CRA disclosure made

Pre-screening (firm unsolicited offers of credit/insur.) - pre-established criteria before offer made, maintain on file for 3 years, short/long form opt-out notices (info in CRA used, satisfied criteria, not extended if don’t meet, may prohibit use)

45
Q

Fair and Accurate Credit Transactions Act (FACTA) 2003

A

New consumer protections - truncated credit/debit numbers; rights to explanation of credit scores; free annual report from each major CRA, 90 day fraud alerts, active duty alerts for military, ID theft victim request fraud accounts blocked from CR, CRA investigate within 30 days dispute, mortgage lenders disclose scores and key factors during applications, etc.

Disposal Rule - users of CRs (or info derived from such) dispose in way preventing unauthorized access & misuse
(a) Factors - sensitivity of info, costs/benefits, tech, etc.

Red Flags Rule - ID theft detection, prevention & mitigation programs; response to ‘red flags’ signaling ID theft (patterns, practices, forms of activity), update program
(a) Examples - alerts, notifications, warnings from CRA, suspicious docs, suspicious personal ID data, unusual use, etc.
2010 Red Flag Clarification Act - narrows definition of creditor (no entities extending credit for expenses incidental to a service), but those in regular course of biz - obtain/use CR for credit transactions, furnish info to CRAs for credit transaction, advance funds to/on behalf of someone, biz w/ accounts subject to reasonably foreseeable risk of ID theft

Risk-based pricing rule = Disclosure/notice if less favorable terms (than available to substantial proportion) because of credit report

46
Q

Gramm-Leach-Bliley Act (GLBA) - general definitions

(aka) Financial Services Modernization Act of 1999

A

Financial Institutions (broad) - company ‘significantly engaged’ in financial activities (banks, insur. providers, securities firms, payment settlement services, check-cashing services, credit counselors, mortgage lenders/brokers, financial advisors, debt collectors, payday lenders, some fintech companies)

Nonpublic Personal Information (NPI) collected from consumers - includes any PIFI provided by, resulting from, or obtained about consumer during financial transaction/service.
(a) Includes - non-financial info (name, relationship w/ institution), income, employment history, account numbers, balances, payments, overdrafts, loan details, portfolios, transaction data, info from other sources (credit reports)
(b) Excludes - publicly available info, aggregated/anonymized/de-identified data
(c) Consumer = primarily for personal, family or household services
(d) Customer = ongoing relationship w/ fin. institution

No pretexting - obtaining PI under false pretense; safeguards to detect and prevent pretexting, employee training, etc.

DOE guidance - finaid info covered by GLBA (universities in possession)

47
Q

GLBA Privacy Rule

A

Privacy notice - clear, conspicuous, at time of establishing relationship (and annual),
(a) Content - what info collected, how shared/disclosed, how protected, right to opt-out of certain sharing within 30 days (w/ non-affiliated third parties for marketing)
(b) If met = can share w/ affiliates & joint marketing partners advertising your products/services, nonaffiliated
(i) Always prohibited - share account numbers to nonaffiliate for telemarketing/direct mail
(c) 2009 Model short privacy notice (safe harbor)

Opt-out right exceptions - affiliates for financial products/services; third parties for processing transactions, fraud, legal requirements; consent;

Limits on disclosure - no disclose sensitive fin. info for certain purposes w/o consumer consent (marketing non-financial products, insurance/services not related to primary financial products)

Exceptions - public data, data not covered by GLBA (unless combined with NPI)

48
Q

GLBA Safeguards Rule

A

Security program required - written, appropriate to size, complexity and nature (risk-based approach)
(a) Info Security Officer required - oversee program & ensure compliance
(b) Risk Assessment - threats/vulnerabilities, all areas where NPI stored (data centers, employee access, vendor relationships, etc.)
(c) Administrative safeguards - Training, background checks, access controls, vendor oversight
(d) Technical safeguards - encryption, firewalls, secure transmissions, computer systems, networks, applications, access controls, etc.
(e) Physical safeguards - facilities, data storage, locked offices/server rooms, environmental, biz continuity, disaster recovery
(f) Ongoing monitoring - monitoring, testing
(g) Vendor management - contracts, requirements, etc.
(h) Incident response plan - identifying, containing, reporting breaches
(i) Board reporting - senior management informed of program effectiveness, reports on status of program, identified vulnerabilities and incidents

49
Q

State financial privacy (CA & NY)

A

California Financial Privacy Act (CFIPA) - increased disclosure requirements, consumer rights & statutory damages
(a) Opt-in required - sharing NPI w/ non-affiliated third parties for marketing (stricter than GLBA which allows opt-out in many cases)
(b) Opt-out option for sharing w/ affiliates for marketing (not a right under GLBA)

CCPA exempts GLBA data (not entities)

NYDFS Cybersecurity Regs:
(a) Covered Entities - banks/trust companies, insurance, mortgage lenders/brokers, money services businesses, credit unions, certain fintech & insurtech companies, investment companies, savings/loan companies
(i) Exemptions - less than 10 employees, less than 5M gross annual revenue, OR less than 10M total assets
(b) Cybersecurity Program - protect NPI, detect/respond to events, recover from incidents
(c) Chief Info Security Officers (CISO) - annual reports to board on risks, incident responses, program effectiveness
(d) Risk Assessments - internal and external threats, informs program & controls
(e) Technical/admin controls - MFA required for external network access & privileged accounts, encryption, malware monitoring, audit trails (maintain for 5 years), employee training, penetration testing & vulnerability assessments
(f) Encryption - in transit and at rest
(g) Third-party vendors - contract standards
(h) Incident response plan - written, roles/duties, procedures, communications
(i) Breach notification - notify NYDFS within 72 hours of qualifying incident (if - reasonable likelihood of harm to normal operations or unauthorized access to NPI)
(j) Employee training -
(k) Annual compliance certification/attestation to NYDFS each year

50
Q

Anti-Money Laundering

A

Bank Secrecy Act (BSA & Foreign Transaction Reporting Act of 1970)
Covered Entities (broad) = banks, credit unions, broker-dealers, MSBs, insurance companies, casinos, precious metals dealers, crypto exchanges and hosted wallet providers, mixers/tumblers (some exempt like DEX & mining pools)
(1) CTR (Currency Transaction Report) - cash trans. over 10k in single day, customer ID, transaction details (amount, type, date), within 15 days
(2) SAR (Suspicious Activity Report) - suspect laundering, terrorist financing, fraud/crimes, $5k or more OR evidence of illegal activity, within 30 days, confidential (not disclosed to person involved)
(3) FBAR (Foreign Bank & Financial Accounts Report) - US person/entity w/ foreign account over 10K must file by 4/15 (extension 10/15).
(4) CIP (customer ID program) - verify customer identities when opening (KYC)
(5) Record keeping -
(i) MIL monetary instruments (cashier check, money order) between 3k to 10k,
(ii) records of wire transfers over 3k (sender & recipient info)
(a) Name, address, SSN, date, instrument, serial numbers, dollar amounts
(b) 5 yrs from date of filing (CTR, SAR, FBAR); 5 yrs after account closed (CIP); 5 yrs from transaction (MIL); 5 yrs casino reports; 5 yrs beneficial ownership records
(6) AML program - written, policies & procedures, compliance officer, employee training, independent testing (audits)
(7) Travel Rule - transfers over 3K, info must travel w/ transfer (name, address, account #, identity info (SSN/EIN/passport/ID), beneficiary info (name, address, account #)), retain 5 years, 2019 FinCEN VASPs for crypto
(i) Exceptions - internal transfers w/ same institution, debit/credit/prepaid card (if via visa/mastercard/other), ACH, check clearing, securities & futures if info already on file
FinCEN, FATF international standards

US Patriot Act (2001) - strengthened BSA, stricter KYC, beneficial owners, new reporting/record requirements for diff. industries, global reach/foreign banks
(1) CIP program, 4 year retention, records of foreign bank accounts if correspondent account in US
(2) EDD (Enhanced due diligence) - foreign correspondent accounts, private accounts of non-US person if $1M or more
(3) Info sharing between gov. & institution - review accounts against FinCEN list, report matches within 14 days, and voluntary sharing
(4) AML Program - internal controls, designate officer, employee training, independent audits
(5) NO Shell banks - prohibits US institution from maintaining correspondent accounts for foreign banks w/ no physical presence, no affiliated regulated financial group

Anti-Money Laundering Act (2020) - enhanced BSA around beneficial ownership
(1) Beneficial Ownership Reporting (CTA act) - US biz report beneficial ownership (25% ownership or substantial control) (exceptions - public, bank, insur, > 20 employees and 5M revenue)
(2) Risk-based AML program
(3) Whistleblower protections - 30% rewards
(4) Info sharing between FinCEN & law enforcement & FI
(5) Updates - CTRs & SARs, new industries (antiquities, VASPs/crypto exchanges, study real estate), foreign bank subpoenas, cooperation w/ internationals

51
Q

Electronic Funds Transfer Act (EFTA)/Reg E

A

EFT (electronic funds transfer) - any transfer through electronic system instructing a debit or credit on customers account
(i) Includes - ATM, debit card/POS, direct deposits, electronic bill payments, P2P payments (venmo/paypal), phone/online banking transfers
(ii) Excludes - wire transfers (UCC article 4a), credit card payments, checks

(1) Disclosures - (a) initial (terms & fees, before first EFT), (b) periodic statements (monthly summaries of transactions, fees and balances), (c) receipts (ATMS, POS, online platforms)
(2) Error resolution - customer 60 day to report, institution 10 days to investigate, resolve/credit account, written explanation of findings
(3) Preauthorizations - written auth from customer, advance notices of changes in amount or date of transfer

52
Q

Family Educational Rights and Privacy Act (FERPA 1974) & Buckley Amendment

A

Scope = all education institutions w/ fed funding (k-12 & university)

Student - individual in attendance (incl. online), NOT applicants or non-enrollees
Holder of rights - parent until age 18, student once 18 or in college (college classes in high school = high school rules/18), or student consent for parent permission
(i) Exception - may disclose to parent if student claimed as dependent

Education record (broad) - all records related to student, maintained by or on behalf of school (grades, fin-aid, disciplinary records, etc.); handwritten/print/electronic/visual/audio/film
(i) Exceptions - campus police record, employment record, applicant records, alumni records, peer-graded papers (before faculty collected), treatment or health records

PII - name, name of parent/family, address, personal identifiers (SSN/school ID), DOB, place of birth, other info linkable to student (reasonable certainty)
(i) Exception for Directory Info - info not harmful/invasion of privacy if disclosed (e.g. name, date & place of birth, address, email, phone, field of study, honors received), but NOT exempt (SSN/student ID unless can’t be used to access records w/o another factor)
(ii) Opt-out required (block release of info) before declaring info as directory info

Disclosures - only if: not PII from education record, consent, directory info, disclosure to rights holder, statutory exceptions (see consent exceptions)

Rights - access (45 days & explanation, exceptions - non-educational record, treatment, privileged, parent financial info, confidential letter of rec.), corrections (hearing if denied, notice, representation, decision in writing, right to statement about contested record), consent to disclosures, opt-out of directory info

Consent - signed, dated, written, identify records/purpose/recipient
Exceptions - school official w/ legit ed. interest, other ed. institution for enrollment/transfer, fin-aid, research, accrediting orgs, sex offenses, disclosure to creator of record, legal/subpoena/order, health/safety emergency (articulable, significant, totality of circumstances, rational)

HIPAA/health - HIPAA entity-level exemption
Health records - if subject to FERPA, not subject to HIPAA
College health clinic - FERPA applies to student health records, HIPAA applies to nonstudent health records (faculty, staff, non-student)
Medical info related to student’s education is generally FERPA, unless setting separate from education
Private school (no FERPA) = HIPAA

53
Q

State Educational Privacy Laws

A

CA SOPIPA - prohibit use of student data for targeted ads for noneducational purposes; requires reasonable security measures

NY Ed Law 2-d - cybersecurity policies that adhere to NIST

Data breach notification laws

54
Q

Protection of Pupil Rights Amendment (PPRA 1978)

amended by No Child Left Behind Act (2001)

A

FERPA Holder of Rights = new rights regarding: (a) surveys collecting sensitive data, (b) marketing activities involving students, (c) certain physical exams or screenings

Survey rights = opt-in/consent (if fed funding) if questions about 8 areas - political, mental/psychological, sex, illegal/demeaning behavior, criticism of fam relationship, privileged relationship (lawyer/doctor/clergy), religious, income

Marketing rights = notify parent if student PI collected for marketing or sale; consent to use PI for commercial purpose (doesn’t apply to FERPA data)

Physical exam/screening = opt-out right for non-emergency physical exams/screenings by school
(a) Exceptions - exams required by state law (vision, hearing, scoliosis), emergency medical situation

Parent Rights = inspect survey & instructions & dates, instrument to collect PI; annual notice of right to opt-out (survey, marketing collection, non-emergency exam)

School policies - parent access to surveys by third parties (even if no fed funding), collection/disclosure/use of student PI for marketing, sales or distribution, parent opt-out rights, annual notice (policies, dates, opt-out rights)

55
Q

Individuals with Disabilities Education Act (IDEA)

A

Children w/ disabilities = ‘Free appropriate public education’ (FAPE) in ‘least restrictive environment’ (LRE) via ‘individualized education program’ (IEP)
(a) Disability (3 yrs to 21 yrs) = autism, deafness, emotional, intellectual, multiple, orthopedic, health, ADHD, dyslexia, learning, speech, brain, visual/blind

FAPE = school must provide tailored education at no cost (special education & related services)

LRE = educated w/ non-disabled peers to max extent appropriate, removal from general ed setting only if disability prevents progress

IEP = each eligible student gets IEP document outlining (current academic level, annual goals, special ed services & accommodations, methods to measure progress) - by team, educators, parents, specialists, reviewed annually
(a) written notice before changes; confidentiality; dispute resolution options

Evaluations - comprehensive, non-discriminatory, whether disability, what needs/services, parent consent, multiple assessment tools

Parent rights - participate in all decisions, access ed records, provide/reject consent for evaluations and services, due process hearing & mediation

56
Q

EdTech

A

Subject to FERPA, state, PPRA & IDEA (as applicable)

2014 DOE Guidelines - how FERPA applies online (case-by-case), school duties to ensure FERPA met
2020 Guidance - Resources related to virtual learning

Self-regulation - future of privacy forum, software & info industry association, student privacy pledges (2014 & 2020) - no selling student PI, ban on use of PI for behavioral targeting, no profiles on students, no deceptive acts

FTC Scrutiny for EdTech Companies - no ed info for commercial purpose (advertising), no unreasonable mandatory collection, no retention longer than necessary, confidentiality/security/integrity procedures

57
Q

Telephone Consumer Protection Act (TCPA) & Telemarketing Sales Rule (TSR)

A

Prohibit unsolicited telemarketing calls if:
(a) Automatic Tele Dialing System (ATDS/robocalls) - includes text messages, limited to random/sequential number generator (facebook ruling)
(b) Artificial/prerecorded voice messages -

Telemarketing = plan, program, campaign to induce purchase of good/service or charitable contribution (w/ more than 1 interstate call)

Telemarketers & their sellers (provide/arrange goods/services)
Exceptions - nonprofit (unless seeking donation), EBR within 18 months, inbound calls (no upsell), most B2B calls
Existing Business Relationship (EBR) exemption - purchase/rent/lease goods/services within 18 months (date of last payment/transaction/shipment) OR application/inquiry (3 months), UNLESS request DNC
EBR exemption not applicable - ATDS to residential line

Prior express written consent - before telemarketing robocalls/robotexts or prerecorded voice message; clear/unambiguous; can’t be condition to purchase goods/services; signed writing (esign ok); number to call; no pre-check

DNC registry - telemarketers check/honor (31 days), opt-out right, monitor & enforce compliance
Internal DNC - consumer can opt-out from specific biz, must maintain internal DNC list
Safe Harbor - written policy to honor DNC, training, maintain internal DNC, maintain records for process to prevent DNC calls, monitor & enforce, bona-fide error

Non-telemarketing (informational) - prior express consent (oral or written)

Fax - unsolicited ads prohibited w/o prior express consent or EBR; include opt-out for future faxes

Texts - same as ATDS; disclose via ATDS/prerecorded; no consent as requirement for purchase; consent revocable anytime

Timing - telemarketing only 8am - 9pm (recipient’s time)

Disclosures - (1) entity on whose behalf they’re calling, (2) provide contact info, (3) disclose purpose of call and what selling, (4) caller ID info (own number/name or seller’s), (5) truthful, (6) ten categories (cost/quantity, materials conditions, characteristics, cancel/refund policy, material details of prizes/investments, affiliation/sponsors, credit card loss protection, negative option features, debt relief services)

Multi-purpose call = disclosure (^) for sales purposes before going into others

Call abandonment - no hangup/dead air for outbound call (2 seconds)
Safe harbor - (1) tech for 3% answered by live person, (2) 15 seconds/four rings before disconnect, (3) recorded message w/ name/number of seller if live agent unavailable within 2 seconds, (4) records documenting compliance w/ 1-3

Billing - express informed consent
Payments other than credit/debit - express verifiable authorization (high standard)
Pre-acquired billing info - last 4 digits, express consent, recording of entire call

Records - keep for 24 hrs (some), others 2 years from date produced (ads/promos, info on prize receipts, sales records (name, addresses, purchase, date, shipping, price), employee records (name, address, phone, title), authorizations/consents)
(a) seller or telemarketer (any format); successor upon sale.

FCC Updates - allow opt-out of ATDS during ATDS; assess abandonment rate 30-day window

Reassigned numbers - not liable for 1st contact (liable for subsequent if aware of change)

Enforcement - FCC, private right of action, 500/violation (triple if willful/knowing), class actions
- 50k max (private action)
- Class action = must show ‘actual harm’ (not mere risk of such)

58
Q

State TCPA

A

LA - lesser time frames; EBR limited to 6 months; penalties

CA - eliminate EBR exception for fax (preempted for interstate fax)

59
Q

Junk Fax Prevention Act (2015)

A

Consent - express or inferred via EBR

Scope - commercial fax

Opt-out required

Exception - fax invitation for market research survey in exchange for money

Private right of action - $500/fax

2019 FCC - online cloud-based fax service not under TCPA/JFPA

60
Q

Combatting Assault of Non-Solicited Porn and Marketing Act (CAN-SPAM 2023)

A

Scope - unsolicited advertising of products/services by email
Primary purpose - advertising/promoting
Transaction/relationship purpose - facilitate/confirm agreed-upon transaction, warranty/safety info, info on ongoing commercial relationship, employment/benefits info, delivery of goods/services

Sender - who initiates email, can be more than 1 party

(1) No false/misleading headers (from, to, reply to)
(2) No deceptive subject line
(3) Identify message as ad/commercial message (unless prior consent)
(4) Include physical address/return email address
(5) Provide opt-out (clear/conspicuous, free)
(6) Monitor third party compliance (hiring party to do email ads)
(7) Warning label for sex content

61
Q

FCC Rules for Mobile Service Commercial Messages (MSCMs)

A

MSCM = commercial electronic messages sent to wireless device using internet-to-phone gateway (email to text)

Opt-in/prior express consent - required before sending MSCM (no negative option, cost free)
Contents - agree to receive MSCM on device from identified seller, may be charged by wireless provider, may revoke anytime, any format, document auth.

Opt-out - clear way to opt out of future MSCM (revoke by any means, return address or electronic means (10 days))

Identification - message must clearly identify sender, include contact info

TCPA/CAN-SPAM interplay: standard email (can-spam), email-to-text (MSCM rules), standard SMS/MMS (TCPA)

Primary purpose - same as CAN-SPAM

FCC wireless domain registry? - obtain list, verify authorizations

62
Q

Telecommunications Act of 1996

A

Customer Proprietary Network Info (CPNI) - customer data collected by telecom providers during usage (call details, time, duration, destination, service types and features, billing info), phone features
NOT CPNI - name, telephone number, address

Scope = telecomm carriers, ISPs, and voice-over-internet protocol providers (VoIP)
NOT - streaming companies (OTT) when content via internet/mobile device

Opt-in consent - to use/disclose, including third-party access/disclosure
NO consent required - essential services like billing/collections, fraud prevention, emergency services, customer services, marketing offerings among service categories customer already subscribes?

Safeguards - procedures to protect CPNI, report breaches to consumers & FCC & law enforcement? (if CPNI in security breach)

Caller ID - consumer right to block their number from appearing on caller ID; telemarketers prohibited from using tech to hide/spoof caller ID

Customer access to CPNI via phone/online

Annual certify compliance & summary

63
Q

Cable Communications Policy Act (1984)

A

Scope = cable subscribers and cable operators (NOT broadband internet services)

Privacy notice - at time of subscription & annually
Content - PII collected, how used, how long retained, how disclosed, subscriber rights under this act, how to access & correct

Opt-in - required for collect/disclose PII w/o prior consent (names, addresses, viewing habits, billing details)

Disclosures - None w/o consent or exception (necessary to provide services, legit biz activity, billing, account management, service improvements, court order (notify subscriber, opportunity to contest), name/address if opt-out opportunity, non-identifiable aggregated data)

Limited retention - only as long as necessary for purpose of collection
Secure destruction - once no longer needed

Subscriber rights - access/inspect PI collected, correction if inaccurate, opt-out of certain data uses (marketing communications using PII)

64
Q

Video Privacy Protection Act (VPPA 1998)

A

Video tape service providers - in biz of renting, selling, delivering prerecorded video materials (similar audio/visual content), parties that receive PI in ordinary course of service provider’s biz/marketing
GPT? - Extended to cover modern streaming/online services (Netflix, Hulu)

PII = info identifying specific person and video content choices (titles watched, rental history, etc.)

Consent - required for disclosure of PII; clear, informed, specific (electronic allowed, lasts 2 yrs?)
Exceptions - law enforcement, biz necessity (billing, account management, operators), marketing of similar products/services (must include opt-out option), aggregated data w/o PII

Consumer rights - sue/privacy right of action (2.5k/violation, actual damages if higher, punitive damages, attorneys fees, court costs)

Destruction - destroy PII when no longer necessary for purpose it was collected (not later than 1 yr once no longer necessary)

NO preemption

65
Q

Driver’s Privacy Protection Act (DPPA)

A

Scope - prohibits DMV’s (and employees) from releasing PI w/o express consent or exemption

PI = name, address (excluding zip), DOB, phone number, SSN, driver’s license number, medical or disability info
High sensitivity info = greater protections (SSN, medical data)

Disclosures - prohibited w/o express consent (can be explicit and informed)
14 Exceptions - gov agencies/functions, legal proceedings, vehicle safety/theft, biz use, insurance activities, towing/parking enforcement, research/statistics, court order/subpoena
Never permitted - DMV data for stalking, harassment, ID theft

Consent - explicit and informed, what data and what purpose

SCOTUS Maracich (2013) - DMV data to solicit clients for legal services violates DPPA, strict limitations on solicitation and marketing

66
Q

Digital advertising laws (state)

A

CalOPPA - Commercial website/apps if collect PII of CA resident (no CA presence required)
Privacy notice requirement - conspicuously, easily noticeable, labeling
Notice includes - types of PII, how used, how access/modify, how policy change communicated, effective date/last updated, whether third party may collect PII across different sites/services
Do Not Track signals - explain how respond to DNT signals sent by browsers (need not respond, but must disclose whether you honor such or not)

CA age-appropriate design act - minors up to 17 yrs old
Scope - online products/services/features likely to be accessed by child under 18 (websites, apps, games, social media, likely to attract)
Privacy by default - highest level of privacy default, no data collection/sharing/profiling unless strictly necessary
Age verification - reasonable methods to estimate/verify age before collecting PI (age gates, DOB prompts, more advanced techniques)
No dark patterns/nudge techniques
No profiling w/o justification (compelling reason - safety, security)
Privacy notice - child-friendly, easy to understand, age-appropriate language
Warnings for risks to child well-being
Geolocation protection - off by default unless strictly necessary; notify each time location data collected
DPIA assessments for new product/service likely accessed by child - risks to child privacy/well-being, how data collected/processed/retained, steps to mitigate risks (AG can request copy)

State privacy laws (e.g. CCPA)

Self-regulation - DAA, BBB, NAI (unfair/deceptive to agree and violate), IAE

67
Q

Gov & Court Access to private sector info

A

Required disclosures - BSA, AML, FDA adverse events/problem/error, DOL/OSHA workplace injuries/illness, state laws (injuries, medical conditions, gunshot wounds, immunization records)

Permitted disclosures - HIPAA privacy rule to individual, HHS in enforcement, public health, law enforcement, national security, HHS guidance on abortion post Roe v Wade overturn, Patriot act (defined circumstances - authorized, lawful investigation, reasonable grounds related to investigation, etc)
Maybe - crime on premises, decedents of suspected crime, emergency, victims, limited info for identification and location purposes, certain laws…

Forbidden disclosures - HIPAA & COPPA unless opt-in/exception, GLBA upon opt-out, in violation of an opt-out (FTC/Section 5), evidentiary privileges (attorney, doctor, priest, spousal, 5th amend)

68
Q

Litigation disclosures

A

Tradition - public records & open court rooms

2007 Fed Rules Civ Pro - redact sensitive PI (last 4 of SSN, year of birth, if minor only initials, last 4 of financial account); e-discovery rules (large-scale production)
Bankruptcy rules - similar to above

Filings under seal - request, additional redaction, restrict electronic access, etc.

Criminal - city and state of address (no precise address)

ESI - transitory data (may be outside duty of preservation), good faith exceptions (acts to avoid system destroying/altering info), forensic images of hard drives

Usage policies - discourage personal comms on company email/devices, limits on permitted uses to aid in preventing later forensic discovery, discourage company biz on personal device, etc.

Discovery duties vs biz practices (3 part test) - retention policy reasonable, similar complaints against org, bad faith

Protective orders - good cause, 3 part test (confidential, relevant/necessary, weigh harm vs need)
Also - prohibit use/disclosure, no use outside litigation, return

Extra protections for - juvenile, financial, & medical data

Protections - preservation, transport, encrypted, audit trail, secure connection, etc.

69
Q

Trans-border data flows (in litigation)

A

Conflict = US duty to produce vs. GDPR/other prohibitions

Some Js - require production if taking advantage of US J (e.g. plaintiff)
Other Js - produce even parties not seeking benefit of US court (foreign law doesn’t deprive US court of its powers)
Other Js - nature/type of docs (give log/descriptions w/o requiring actual docs)

Hague Convention/treaty - party seeking to displace civ pro rules bears burden to demonstrate more appropriate to use Hague Convention (foreign law prohibits discovery sought, good faith, means of last resort)

Common factors - importance of docs/data, specificity of request, whether info originated in US, alternative means of securing info, extent of undermining important interests of US and foreign state via ruling, etc.

70
Q

4th amendment

A

Key = secure in persons/houses/papers/effects, no unreasonable searches/seizures and warrants w/o probable cause

Warrant - probable cause crime occurred/likely, testimony/oath/affirmation, magistrate approval, NO general warrant (describe place/persons/things to be searched)

Exclusionary rule - evidence in violation of 4th amend excluded from criminal trial

Katz - exposed to public (no 4th amend protection) vs seeks to keep private (4th amend protection, even in areas accessible to public)

Reasonable Expectation of Privacy Test - exhibit actual/subjective expectation of privacy & expectation one society prepared to recognize as reasonable
Exceptions - plain view, in public, third party doctrine, consent, search incident to lawful arrest, exigent circumstances (immediate threat), automobile exception (if probable cause can search car), stop and frisk/terry stop (pat down if reasonable suspicion of criminal activity)
Third party doctrine - info in another’s hands is not protected, company can turn over info
SCOTUS 2012/Jones - warrant needed for GPS device on car for over month (trespass)
SCOTUS 2014/Riley - contents of cellphone searchable only w/ warrant (incident to arrest does not apply)
SCOTUS 2018/Carpenter - reduced scope of 3rd party doctrine (warrant needed for certain records like cell site location info)

Unlawful abortion data - law enforcement may use warrant; CA law prohibiting company from responding (conflict of law)

71
Q

Right to Financial Privacy Act (RFPA - 1978)

A

Prohibits disclosure to fed law enforcement unless statutory requirements met
Statutory requirements - written consent, subpoena/summons/search warrant/formal written request
Exceptions - IRS investigation, SARs (aml), national security letters, debt collection on fed guaranteed loan, emergencies/imminent danger/crime prevention

Notice/challenge - financial institution notify customer, 10 days to challenge request in court before records disclosed

Financial institutions = banks, credit union, savings association, credit card issuer, broker-dealer
NOT - merchants, non-bank lenders

Remedies - civil action against gov and institution, damages, exclusion of evidence

Scope = financial records of individuals and partnerships (fewer than 5 people)

72
Q

Wiretap act (title III of 1968 anticrime law)

A

Scope = wire communications (phone call, via network), oral communications (bugs, microphones), and electronic comms (email, text - via ECPA/SCA)

Prohibition - illegal to intentionally intercept, disclose or use contents of any of the above communications
Exceptions - court/wiretap order (probable cause, exhaustion of investigative methods, specificity on scope (who, what, where) - higher bar than normal warrant), consent, service providers can monitor for maintenance/protect own rights, exigent circumstances (emergencies, preventing harm, limited interception w/o warrant)

Fed - one-party consent to record (‘party to the call’ exception)
State - some are two/all-party consent to record

73
Q

Electronic Communications Privacy Act (ECPA)

Store Communications Act (SCA)

Pen Register & Tape and Trace Devices Act

A

ECPA - prohibit unauthorized interception/access to electronic communications while in transit and storage (w/o consent, warrant/probable cause, court order, exception)
Expanded wiretap act - includes email, phone call, cell phone, text
Notify users if data accessed (can delay if hinders law enforcement investigation)

Ordinary course of biz exception - employer provides comm service, biz routine monitoring/scanning for virus, not listening to personal calls (biz calls only)

Pen register - records numbers of outgoing calls
Trap & trace - record numbers of incoming calls
Judge orders allowed if - relevant to ongoing investigation
Patriot act - expanded beyond telephone numbers (dialing, routing, addressing/signaling info, national security investigation rules, prohibit bulk collection, restrict use to circumstances where specific selectors?)

SCA - Prohibits unauthorized access/altering/blocking of electronic comms while in electronic storage
Exceptions - authorized by provider of wire/service or user of such
Gov. preservation order - provider of electronic comms shall take all steps to preserve records and other evidence

NO preemption - DE prohibits employers from monitoring/intercepting telephone, email, internet access/usage w/o prior written notice and daily electronic notice; CT also

74
Q

US Communications Assistance to Law Enforcement Act/Telephone Bill (CALEA 1994)

A

Requires telecomm carriers & certain service providers to design systems to enable lawful government surveillance (wiretap-friendly)
Lawful surveillance - valid court order or warrant

Covered entities - telecomm carriers (AT&T/verizon), facilities based broadband internet providers (ISPs/comcast), VoIP services (vonage)
Exempt - info services (email, web hosting, cloud storage)
Outside scope - WhatsApp & Signal
Cost - telecomm companies bore costs of modifying systems, some gov reimbursement

Surveillance capabilities - real-time interception (voice & data), call-identifying info (phone numbers & IP addresses), deliver to law enforcement secure/effective

Privacy - limit surveillance to only what’s authorized by court order, prohibit disclosure of communication contents unless authorized

75
Q

Cybersecurity Information Sharing Act (CISA 2015)

A

Permits info sharing between private sector & gov about cyberthreats

Voluntary sharing - between companies & with/between gov via DHS portal (cyber threat indicators CTIs and defensive measures)

PII scrubbing - remove PII not directly related to cyber threat before sharing data

Monitoring authorization - monitor and operate defensive measures on own system

Limit on use - cybersecurity & investigating specific serious crimes only (can be repurposed for non-cyber crimes?)

Effect - non-waiver of privileges, exempt from FOIA, legal immunity if in compliance

Limitations - can’t use info shared to regulate/enforcement action

76
Q

Privacy Protection Act (PPA 1980)

A

Limits gov. searches of newsrooms or journalistic ‘work product’ w/o subpoena or court order or voluntary consent
Work product/documentary materials = notes, drafts, recording, unpublished materials

Exceptions - probable cause journalist involved in crime (not applicable if only crime is possession/receipt of communication of work product), journalist possesses evidence of crime likely to be destroyed if not immediately seized, substantial threat to national security/risk of harm, death/serious injury

Protects sources/informants

Scope - traditional journalist materials, public comms?
Unclear?? - digital content, online platforms, emails, social media, google docs, etc.

77
Q

US Clarifying Lawful Overseas Use of Data Act (CLOUD Act 2018)

A

Cross-border access to electronic data in criminal investigations

US gov. access/warrants to tech companies to require them to provide data stored on servers located in other countries (even if data protected by foreign law)

Foreign gov. access from US companies for criminal investigations pursuant to bilateral executive/data sharing agreement.
Executive agreements (UK, Australia, Canada?) - safeguards to ensure privacy, human rights standards, compliance w/ foreign country’s law and civil liberty protections

Companies/scope - if subject to US J (do biz in US, incorporated in US)

Alternative to CLOUD Act = Multilateral legal assistance treaty, but warrant w/ probable cause can take 10-ish months

78
Q

Budapest Convention (2014)

A

International treaty for cybercrime, international cooperation in combating crimes involving computers, network systems & the internet

Outlaw certain cybercrimes - illegal access, interceptions, tampering (malware), cyber fraud, ID theft, child exploitation/porn, copyright violations

Enact evidence-gathering rules - real-time interceptions, search/seize electronic evidence on computers/networks/clouds, safeguards (proportional/justified, reps, contract)

Cooperate w/ investigation across borders (64+ countries & USA) - required assistance, sharing evidence, searches, info, extraditing accused, 24/7 contact points

Protect critical infrastructure, personal data, privacy

79
Q

Foreign Intelligence Surveillance Act (FISA - 1978)

A

Framework for surveillance and collection of foreign intelligence information, ensure US citizen constitutional rights protected & enable national security operations (focus = foreign intelligence rather than typical criminal activity; lesser probable cause standard?)

Electronic surveillance (wiretaps, pen register, tap & trace, data collection, video, etc) for gathering foreign intelligence and preventing threats to US nat. sec., business records, domestic
Warrantless (S. 702) = foreign target located outside US suspected of terrorism or foreign intelligence activities

FISA Court (FISC) - secret/ex parte, review request from US law enforcement and intel. agencies for warrants and orders to surveil

Foreign power - surveillance of foreign govs, orgs, individuals, espionage/related
Agent of FP - spies, terrorist activities
Terrorism - FISA authority extends to terrorist org & individuals
US citizens - in certain circumstances (showing that target acting on behalf of FP or espionage/terrorism activities)

Minimization when US incidentally surveilled - deleting & redacting

FREEDOM/2015 act (amendments) - curtailed certain surveillance powers, ended bulk collection (section 215 PATRIOT), oversight, requests need to use specific ‘selectors,’ etc.

Immunity to telecom companies, 4th amend protections for US persons in criminal proceedings

80
Q

PATRIOT Act (2001)

A

Expanded gov. power for surveillance, counter terrorism and info sharing

Surveillance - roving wiretaps (calls/emails/etc) w/o specifying exact device/location, biz records, sneak and peek warrants (search property w/o notice), wiretaps on email/web traffic

National security letters (NSLs) - Category of subpoena, statutory access w/o court order to telecomm provider, financial institutions, consumer credit agencies, travel agencies
2006 amendment - can petition fed court to modify/set aside NSL (unreasonable, oppressive)
NO disclosure of NSL (if interference w/ investigation/other)
Disclosures allowed - attorney, as necessary to comply, petition court
NSL terminates - investigation closed or 3 yrs?

Info sharing - between intel agencies, law enforcement, foreign intel info, etc.

Terrorism - increased penalties (providing support, acts, planning), terrorist financing (investigate/track financial transactions, freeze assets suspected of terrorism),
Definition of Terrorism - acts of violence, threats, & domestic terrorism (individuals/groups in US)

Immigration/border security powers, track foreign nationals entering, detain non-citizens suspected of terrorism, terrorist watchlists

Sunset provisions - some powers renewed over time, some expired

81
Q

Workplace privacy

A

Key laws = constitution, state contract, state tort, state statute, fed statute, regulators, etc.
Fed statutes in specific areas (not overreaching) - discrimination, employment screenings, HIPAA privacy, COBRA coverage, ERISA benefits, FMLA leave birth/illness, FCRA, FLSA min wage, OSHA safety, whistleblower protection act, NLRA collective bargaining, ICRA eligibility verification, polygraph protection act, ADA, ADEA, civil rights act, GINA, ECPA, SCA, etc.

State contract - employer/employee, at-will, employer rights to define relationship, collective bargaining

State statutes - labor laws, min wage, minors, unemployment, employee rehab, safety, no disclose social media password, etc.

Regulators = FTC, DOL, EEOC, NLRB, OSHA, SEC, CFPB, etc.
Consent decrees - between gov & party, agree to stop/pay/do, usually w/o admitting guilt, approved by judge, effect of court decision
Rules, formal opinions (not law), informal guidance, websites, testimony, speeches

82
Q

Phases of employment relationship

A

Evaluation & hiring, management, monitoring, termination/departure, computer & smartphones, use of customer data, etc.

HR - handling PI/confidential info, segregated records, IT access controls

83
Q

Employee background screening

A

Job-related, biz necessity

Sometimes required - caretaker of elder/child/disabled, nat. child protection act, gov. jobs, emergency jobs, drivers, firefighter, trainer, repair, etc.

Can help fight claims of negligent hiring/screening

Public info search - usually reasonable, no impermissible purpose (discrimination), state law prohibits requiring passwords

84
Q

Employee discrimination

A

Title VII of Civ rights act (race, color, religion, sex, sex orientation, gender identity), GINA, bankruptcy act, state laws (sex preference, marital status)

85
Q

Americans with Disabilities Act (ADA 1990)

A

Prohibit discrimination based on disability (employment, public accommodations, transportation, telecomms)

Covered entities (greater than 14 employees) - no discrimination against qualified individuals w/ disability, exams job-related/biz necessity, reasonable accommodations unless undue hardship
No asking - prior injuries/illnesses, prior worker comp claims, drug/alcohol addiction
Medical exam - only if all employees subjected, confidential, results in accordance w/ prohibition on discrimination of disability, psychological may qualify as disability?

86
Q

FCRA for Employment

A

FCRA scope - credit checks, criminal records, employment verification, education verification, driving records (any from CRA)

Employer obligations - (1) standalone written disclosure notice, (2) written consent, (3) pre-adverse action report (give copy, summary of FCRA rights, time/5 biz days to respond), (4) adverse action notice of decision, CRA contact info, statement CRA didn’t make hiring/employment decision, notice of rights to dispute inaccuracies

Consumer report - written, oral, other regarding creditworthiness, credit standing, credit capacity, character, reputation, personal characteristics, mode of living

Investigative report (special type of consumer report) - interviews w/ neighbors, friends, associates, acquaintances, reference checks
Notice must state - includes interviews w/ individuals about character, reputation, personal habits

Permissible purposes - employment purposes, prescreening, qualification of promotion/reassignment/retention

Preemption - some state laws preempted, others not (ICRAA - notify intent to obtain and use report) - 10 states limit use of credit info in employment (use only if substantial relationship to the position, predefined categories of financial/manager, etc)

87
Q

Fair Chance to Compete on Jobs Act (2019)

A

Federal ‘ban the box’ law - restricts fed agencies and contractors about inquiring into criminal history
Fed contractor - when hiring for positions related to fed contracts

Restrict - inquiring about criminal history before making job offer, no questions on job apps or early interviews

Outside scope = job requiring access to classified info, law enforcement, national security positions, jobs where criminal check required before offer

Post-offer background check - once conditional offer made, can conduct criminal background check, if rescind offer provide applicant opportunity to respond

State versions - apply to private employers (CA & NY, IL, MA & others)

88
Q

Social Media Screening (in employment)

A

Possibly FCRA if use agency/CRA

Avoid impermissible purpose - discrimination, social engineering/manipulation (false profile, request private info)

1/2 states prohibit asking login/password

89
Q

AI in employment

A

Avoid potential bias

privacy considerations for video interviews

90
Q

Employee Polygraph Protection Act (EPPA 1988)

A

Private employers restricted from using lie detector tests for hiring or employment decisions, employee refusal protected
NOT applicable to fed, state or local gov (law enforcement, nat. security)
Exceptions - security firms, pharmaceutical companies, gov ^, specific misconduct involving economic loss (theft, embezzlement, industrial espionage)

Lie detector - voice stress analyzer, psychological stress evaluator, similar device

Procedural safeguards when allowed - notice, opportunity to refuse

record keeping for 3 yrs

91
Q

Drug testing for employment

A

No fed statute, caselaw under 4th amend when testing reasonable

ADA - differs for illegal drugs vs. alcohol, current vs past use
Illegal drugs - not protected, test for drugs not medical exam
Alcohol disability - protected by ADA if qualified for essential job functions
Addiction/treatment screening - must be job-related and consistent w/ biz necessity

Required drug testing - some fed laws (customs/border, aviation, railroad, trucking)
Preempts state laws that would limit drug testing

Preemployment - drug testing allowed except lawful drugs and addiction to illegal drugs
Reasonable suspicion - facts/reason, inferences/appearance/behavior/speech/odor
Routine testing - if employees notified at time of hire
Post-accident testing - usually allowed (consider reasonable suspicion)
Random testing - sometimes required or prohibited, specific/narrow jobs in high regulated industries w/ diminished expectation of privacy, public safety/national security

State prohibitions (CT/IW/MN) - no drug test unless reasonable suspicion, lots of variation, testing if regulated industry, protection of life, property or security, testing only after job offer

Invasive tests - blood sample, more scrutiny than less invasive

Litigation - defamation/inaccurate test, negligent testing, invasion of privacy, violation of K

Legal weed - some states include explicit employee protections
Fed regulated sectors (weed illegal) - trucking, aviation, railroad

92
Q

Lifestyle outside of work (employment)

A

Smoking - no fed law protection, 1/2 states protect smokers if outside work

Biz reason for restrictions - insurance, various state laws

Examples - flight attendant weight, obesity due to psychological issue (court splits)

93
Q

Employee Monitoring

A

Private sector - limited expectation of privacy, physical facilities (broad authority to monitor & search), computer/electronic (employer property = broad rights), formal policies & acceptable use policies, circumstances/approval for additional monitoring, notice to employees, monitoring internet usage on company network/devices
Policies - equipment (biz purpose), location of employees (CA prohibition), data loss prevention, monitor endpoint, encryption, etc.

Incentives to monitor - OSHA safety compliance (biometric, eye sensor for truck), quality assurances, customer service, training, security & liability, disputes/tort/litigation (negligent hiring, hostile work environment, employee theft), insurance discounts, location of company cars, access/locked rooms, cybersecurity (virus, intrusion, policy enforcement), protect trade secrets/IP, limit liability for transmission of copyrighted material, employee usage and location (at competitors), online monitoring (brand reputation), productivity, etc.

ECPA exceptions - party to call, consent, in ordinary course of biz
SCA exceptions - person/entity providing the wire, user of that service for info intended for that user
Photo/video (no sound) = outside wiretap/ECPA/SCA (no communications)
Personal call - court split on ordinary course of biz, risk violation

State laws
Recording - single party consent vs all party consent
Biometrics - notify employees, informed consent
Camera (no sound) - no bathroom/locker/changing room, torts

Personal devices - blurs lines, disclose & get consent, minimize impact on private data, loss of device could trigger breach notification, may need to be provided in discovery/litigation, deletion of company data on private device

Postal mail - once delivered representative can open (even if not intended recipient), some common law risk (policy - no personal mail, don’t read once personal aspect known, confidentiality, etc.)

Teleworking - privacy, cybersecurity, authentication, safety of network, security patches, training, endpoint security, data protection, privacy in home complicated (get consent & disclose extent of monitoring), minimize

Misconduct/investigation - increased liability for ignoring problem; employment agreement provisions, document misconduct, third party investigations may be subject to FCRA (FTC Vail letter) but FACTA amended if conditions met ((1) investigation of misconduct/compliance/policies, (2) not for creditworthiness, (3) not provided to any person except employer/gov/certain orgs, (4) disclose adverse action based on report).

EU = broader employee rights, more limited employer rights, biz reason needed to justify retaining PI

94
Q

Social Security Act (1934) and SSNs

A

Permitted - furnishing SSN for unemployment and welfare

Prohibited - disclosure of SSN, having SSN visible through window of treasury-check envelopes

Other SSN Laws:
DPPA curtailed widespread use of SSN by DMVs
State privacy laws
Data breach notification laws
State laws limiting biz right to use SSN (CA prohibitions)
State ID theft laws - 50 states

95
Q

Data destruction laws

A

Fed sector laws (FTC disposal rule)
State laws - 2/3 states

Requirements - destroy/dispose of PI, no longer readable/decipherable, method of destruction differs per type of media
‘Covered Media’ - electronic, paper, etc.

Exemptions (GLBA, HIPAA, FCRA)

96
Q

Security laws

A

CA data security law (2/3 states)
MA - most prescriptive - min standards, user auth, access controls, encryption, monitoring, firewall, updates, training
Fed - HIPAA, GLBA, FTC reasonable

Standards = reasonable security measures appropriate to nature of info OR specific security standards

Unauthorized access/destruction/use/modification/disclosure

97
Q

Cookies & online tracking

A

CCPA & GDPR - notice before setting cookies (consent to set cookies, not full PP consent usually)

Session cookie - stored until web browser closed
Persistent cookie - saved indefinitely (recognize log-in, shopping cart, customization)
First party cookie - set from primary page
Third party cookie - set from company other than first-party website provider
CCPA - notice & opt-out for third party cookies

98
Q

Biometric privacy

A

IL BIPA - companies/employers notify of biometric practices, obtain informed consent prior to using, private right of action

99
Q

State Consumer Privacy Laws

A

CA/CCPA/CPRA - (1) for-profit, (2) collect/process/sell PI of CA resident, and (3) 25M annual gross revenue, 50% revenues from selling/sharing, OR processing 100K consumers
PI - includes employees & B2B

VA/VDCPA - 100k consumers
More pro-biz; right to appeal; right to opt-in to sale of sensitive PI

CO/CPA - 25k consumers and any revenue or discount from selling data
Right to appeal; right to opt-in to sale of sensitive PI

CT/CTDPA - 25k consumers and 25% revenue from selling, OR processing 100k; excludes payment transactions from # of consumers in threshold?
Right to opt-out of sale of sensitive PI right to appeal

NV/SB260

UT/UCPA - 25m annual gross revenue & processes 100k consumers OR process 25k consumers and 50% revenue from selling

Key rights - access/confirm PI processing; correction; deletion, portability, opt-out of sales; opt-out of targeting/behavioral ads; opt out if automated decision making; sensitive PI rights; non discrimination
Deletion exceptions - completing transaction requested by consumer, detect/protect security incident, comply w/ legal obligations
‘Sale’ = monetary transaction; CA & CO also exchange of value
Sensitive PI rights - consent/opt-in (CO/CT/VA), child data, UT/CA notice & opportunity to opt-out

Biz obligations - privacy notice (categories, purpose, any sale, right/how to opt-out, categories shared w/ third party, how to exercise rights, CA duration of retention)
CA - ‘do not sell/share my PI (opt out of sale of PI); on web page, and ‘limit the use of my PI’ if use/disclose sensitive PI
CA - opt-in required to sell/share PI under age 16
CT/CO/VA - treat PI under age 13 as sensitive PI requiring opt-in consent
CO/CT/VA - processing limitations (no collect/process except specific purpose, necessary/proportionate to that purpose)
CA/CO/CT/VA - risk assessment, privacy/cybersecurity for processing w/ ‘heightened risk’ of harm to consumer (targeted ads, selling, sensitive PI, profiling)
Security requirements - reasonable admin, tech & physical

PI - CA broadest (associated or linked w/ individual - consumer & household, name, address, email, SSN, license/passport number, IP address, race/religion/disability/sex orientation/origin, commercial info (property, products/services purchased, etc), biometrics, internet & network activity (browsing, search, interactions w/ websites/apps), geolocation info, audio/electronic/visual/thermal/olfactory/similar), employment info, educational info
Sensitive PI - citizenship, genetic, biometric, health, race/ethnicity, religion, sex orientation, child data (CA union membership, philosophy beliefs, content of mail/email/text),

Exemptions - (1) entity level (nonprofit, higher ed, gov, NSA) and data level (varying - HIPAA, GLBA, FCRA), commercial and employment contexts, deidentified info, publicly available, aggregate, etc.

‘Sale’ = UT/VA monetary consideration; CO/CA/CT exchange of value
NOT sale = to processor for processing, third party services, as directed by consumer, consumer use to interact w/ third party
CA ‘sharing’ = sharing, renting, leasing, disclosing, disseminating, making available, transferring, communicating PI to third party for cross-context behavioral ad

Cure periods
No private right of action - except CA for security breach compromising PI?

100
Q

Data Breach Notification Laws (all 50 states)

A

PI (differs from state privacy laws) - first name/initial w/ last name and SSN, driver’s license or state ID; financial account/credit/debit card number in combo w/ security code/password permitting access; 2/3 states include medical info, fed/state ID number, biometric data, DNA, tax info, maiden name, certain employee info, unencrypted and computerized info
Most - name in combo w/…
Most - exclude publicly available info

Entities included - conduct biz in state and, in ordinary course, maintain computerized data that includes PI

Breach - unauthorized access/acquisition of electronic files/data w/ PI, compromising confidentiality, security or integrity of info, when not secured by encryption or tech rendering PI unreadable/unusable

Notifications - who, when, what to include, how to notify, notify AG, notify CRAs, exceptions, reasons to delay
Who - affected parties, 2/3 state AG (threshold) and/or CRA (threshold)
Timing - ASAP; no unreasonable delay; investigation allowed; AG upon/before noti to consumer; 14 days-45 days; delay if criminal activity if notification impedes investigation

Content (differs) - incident, approx, date, type of PI impacted, acts of biz to protect, telephone to call, notice on company website how to contact company; steps to protect against ID theft; toll-free numbers and address for major CRAs; FTC info (number/address/website), AG info, statement about getting more info
MA - prohibits description of breach and number affected
SSN involved - 3 states require 12 months free credit monitoring

Notify via - postal mail, email/phone only if previous/explicit choice as that being preferred comm. method; notice on website/media for certain circumstances (many consumers)

Exceptions - (1) more stringent law (HIPAA, GLBA, etc.), (2) own notification policy, (3) safe harbor (encrypted if key secure, redacted, unreadable, unusable, no risk of harm)
Encryption (some states) - creates exception from notice requirements

Enforcement - state AG, affected parties, class action, CA statutory damages, fines, criminal, etc.
15 states - capped damages, actual + attorneys fees
CA - need not prove actual damages, 100-750/incident or actual damages

101
Q

4 Core classes of privacy

A

Information - collection & handling
Bodily - physical being
Territorial - environment, video, ID, tech
Communication privacy

102
Q

Privacy impact assessments

A

Requirements differ per law

Core steps - risk assessment, risk treatment/controls, implementation of controls/security, IT architecture, mitigation (retention, deidentifying info, limit access/purposes, avoid combining data/creating profiles), compliance lists, gap analyses

103
Q

Types of cyber attacks

A

Phishing attack
Spear phishing - targeted individual
Whale phishing - target high-end people
Smishing - via SMS
Vishing - voice message call/trick

Keyloggers

Adware

Trojans - appear as legit software
Ransomware - encrypts victim’s files
Virus - programs attach themselves to files, spread
Worms - exploit system vulnerabilities
Spyware - gathering info
Malware - broader range of harmful software

104
Q

De-identified info

A

No longer able to be traced/linked to individuals

Approaches - remove ID values, generalize/replace detailed data w/ general data, using year instead of full DOB, noise addition of values

Anonymous - can’t identify, identification via combination not likely

Pseudonymized - use of unique identifier (can re-identify)

Strong identifier - clearly identifying
Weak identifier - used in combo w/ other info to determine identity
Quasi-identifier - can be combined w/ external info to link data to individuals

HIPAA de-identification rule/safe harbor - (1) eliminate 18 types of PI (e.g. last 2 # of zip code), OR (2) expert determination method

105
Q

Encryption & hashing

A

Encryption - convert data so scrambled/can’t read (cipher-text)
Decryption - converts cipher-text back to original w/ key
Symmetric - private-key cryptography (same key to encrypt & decrypt)
Asymmetric - private-public key pair

Digital certificates - used for auth, verify source, cert. signed

Public key infrastructure (PKI) - policies, standards, people, systems, etc.

Hashing - one-way function transforming input into output of characters (crypto function)
Creates pseudonym - to show integrity of comms, digital signature, etc.

Salt - added to the hash

106
Q

National Institute of Standards and Technology (NIST)

A

NIST - guidance, not legal requirements (usually), provides industry standards

NIST Cybersecurity Framework (CSF)
Standards = NIST SP 800-53 (security controls for fed systems) and SP 800-171 (protecting controlled unclassified info in non-fed systems)

NIST-F2 - standards for advanced encryption standard (AES) and SHA (secure hash algorithms)

5 core functions - (1) identify systems, assets, data & capabilities, (2) protect via safeguards, (3) detect cyber events, (4) respond to incidents, notice to gov/individuals, (5) recover via restoring capabilities

Zero trust model (2022 US Gov) - no actor, system, network or service (outside or within) is trusted; verify everything; all traffic encrypted and authenticated
Least privilege - each user, role-based access controls
Defense in depth - if get past first line, multiple obstacles

107
Q

US Judicial Redress Act (2015)

A

Extends privacy rights to foreign citizens of designated countries, allows them to seek judicial remedies in US for disclosure of their PI by US gov. agencies

Includes - if foreign nationals take legal action if US agencies misuse PI

Supports data-sharing Ks (EU-US privacy shield, data privacy framework)

Designated countries - must provide reciprocal protections

Limited scope - data shared for law enforcement purposes only, not general commercial or consumer data

108
Q

EU General Data Protection Regulation (GDPR)

A

Scope - assets or employees in US, sell to individuals in EU, data stored in EU, doing biz in EU, EU company processing PD of data subject outside of EU?, company outsider of EU monitoring behavior of/targeting goods/services of data subjects in EU

Fines - 2%-4% of worldwide revenues, criminal sanctions (10 countries)

Court of Justice of EU (CJEU) - decisions scrutinizing surveillance of countries where EU data sent

PD (broad) - any data related to identified or identifiable natural person, identified directly or indirectly, pieces of data that if grouped together can identify
Anonymized - only if process is reversible
Examples = first/last name, home address, email (including first and last name), ID card number, location data, IP address, cookie ID, advertising identifier on phone, data held by doctor/hospital (even if separate from patient name)
Sensitive PD (additional protections) - race/ethnic origin, political opinions, religious/philosophical belief, trade union membership, genetic data, biometric data, health data, sex life/orientation
Explicit consent required to process sensitive PD (absent exemption)

Data subject - any natural person whose data processed/collected/stored

Controller - individual/entity that directs/determines the purposes and means of processing PD
Obligations - data protection by default/design, instructions to processors, ensure security, report breaches, cooperate with DPAs, appoint DPO, identify legal basis for processing, maintain data processing records, conduct data protection impact assessment (DPIA)

Processor - processing PD on behalf of controller
Obligations - compliance w/ controller instructions, confidentiality, record of processing activities, data security, data breach reporting, cooperation w/ DPAs (flows to subcontractor)

Consent = freely given, specific, informed, unambiguous indication of subject’s wishes (clear affirmative action/statement)
Include - controller identity, purpose of processing, types of data collected, right to withdraw consent, info about automated processing, risks of transfers outside of EU

Data protection authorities (DPAs) - enforcing at national level, provide guidance, investigate/enforce, one in each EU state (except germany?)

Data protection officer (DPO) - primary point of contact on data issues within biz based in EU
Qualifications - expertise in data protection law relevant to processing of company, no conflict of interest (no duties related to processing PD that conflict w/ monitoring duties)
Appointment - depends whether subjects in EU, data in/from EU, large-scale monitoring, large-scale processing of sensitive PD
No EU physical presence - must appoint EU representative

Key principles - (1) lawfulness/fairness/transparency (legal basis, subjects aware, privacy policy concise/accessible/plain language), (2) purpose limitation (lifecycle, determine what/why before collect, no processing incompatible w/ original purpose unless public interest, scientific/historical/stats), (3) minimization (limited to necessary, deletion or anonymization after no longer necessary, minimum retention period), (4) accuracy (PD accurate/up to date), (5) storage limitation (retention necessary for purposes), (6) integrity and confidentiality (level of security appropriate to risk, state of art, costs/risks/severity), (7) accountability (controller responsible, demonstrate compliance, document breaches, maintain record of processing, DPIA)

Rights of subject - (1) be informed (notice, info and handling of PD, source of PD from others, nature, circumstances, scope, context), (2) access (confirmation of processing, copy, other info in notice, what/why/how), (3) rectification (correct, complete, supplementary statement), (4) erasure/forgotten (certain circumstances - no longer necessary, withdraw consent, object to processing & no overriding legit grounds, unlawful processing, legal duty; includes backups unless exempt; reasonable measures to inform other controllers/processors), (5) restrict processing (limit way PD processed, systems, unavailability, removing, communicate), (6) portability (structured, common, machine readable CSV/excel), (7) object (stop processing, reasons if object, refusal to act if legal grounds/necessary), (8) not subject to automated decision making (general prohibition on decision making/profiling w/ legal/significant effect - e.g. control, entitlement, denial of social benefit or citizenship)

Privacy notices - layered approach (short overview w/ links), just-in-time notice (about to be collected), privacy dashboards (preferences in centralized area)

Breach notifications - report to DPA within 72 hrs once ‘aware’ (reasonable degree of certainty), processors notify controllers w/o undue delay, notify subject if high risk to rights/freedoms (clear/plain language, DPO, likely consequences, measures taken to mitigate)
Exceptions - risk of harm is low (encrypted), steps taken to protect subject from harm, notice imposes disproportionate efforts (still document)
‘Breach’ = breach of security leading to accidental/unlawful destruction, loss, alteration, unauthorized disclosure, access to PD

109
Q

international Data Transfers

A

European economic area (EEA - EU, norway, liechtenstein, iceland) - transfers of PD to non-EEA countries prohibited unless: adequacy decision, appropriate safeguards (SCCs), consent/exception

EU to USA - in flux…
SCCs - comply w/ EU law, submit to DPA
Binding corporate rules (BCRs) - after certification of practices by DPA
Schrems 1 - CJEU struck down EU-US safe harbor
Schrems 2 - CJEU struck down EU-US privacy shield
2023 EU-US Data Privacy Framework (Biden EO) - US ensures surveillance w/ necessity/proportionality, independent data protection review court for EU citizens if PD wrongly collected by US intelligence, EU/members are qualifying states

APEC declaration - trade w/ privacy assurances, rules
202 international certification - (US, canada, japan, korea, philippines, singapore, china taipei)