CIPP/US Flashcards

Question

Vendor/3rd party management

Answer 1

- Contract provisions - confidentiality, limited use, subcontractors, cross border, breach notification, security controls, return/delete data, etc. - Due diligence - references, finances/resources, insurance, evidence of controls, audit, compliance certifications, employee training, incident response, monitor/audit 3rd party, risk assessment, cloud

Answer 2

Approaches = pre-authorized safeguards, adequacy determinations, SCCs, trade Ks, standards/initiatives, binding corporate rules/BCRs Multilateral Ks - OECD guidelines, APEC cross-border privacy rules, EU convention 108 & 108+

Answer 3

Controller - determines purposes and means of processing PI Processor - processes PI on behalf of controller

Answer 4

HIPPA - preempts lesser, states can build GLBA - preempts lesser, states can build FCRA - preempts lesser, states can build COPPA - preempts lesser, states can build ECPA - preempts lesser, states can build SUD Rule (42 CFR Part 2) - preempts lesser, states can build GINA - states can build FTC Act - implied preempts lesser/conflicting, states can build FERPA - no preemption TCPA - preempts state DNC lists must align w/ TCPA, preempts lesser/conflict, states may build (1/2 states w/ license/register, state DNC list, identifying self, terminate if request, written contract for some sales) FACTA - preempts stricter (except ID theft and identified laws - credit scores, state insurance laws, frequency of free reports, privacy/consumer protection that don't conflict) CAN-SPAM - preempts most state laws restricting commercial email, state spam laws not preempted if prohibit false/deceptive activity

Answer 5

3rd amend - quartering soldiers 4th amend - unreasonable search/seizure 5th amend - self incrimination 14th amend - no deprive w/o due process; right to privacy via penumbras (warren/brandeis), bodily privacy/abortion (roe v wade) CA/11 states constitution privacy right; UN declaration of human rights; EU convention for protection of human...

Answer 6

Reasonably linkable to particular person, including - online identifiers (IP address, cookies, device/MAC ID), loyalty card numbers, name, phone, address, SSN, bank/credit account numbers, financial data, biometric info, medical history/condition/treatment, other if when combined can identify

Answer 7

(1) Verifiable (signed, credit card, phone) and clear/accessible express parent consent prior to PI collection for child (under 13), including ads (2) Clear/conspicuous notice - what info collected, how used, whether shared, how parents can review/delete and revoke consent, third parties that collect/use (3) Limited collection - min. amount necessary (4) Parent access - to child PI, request updates/delete (5) Confidentiality/security - reasonable steps (6) Deletion - no retention longer than necessary (7) Third party management for compliance w/ COPPA PI - name/part of, email/screen name/personal, personal identifier (address/phone/SSN), identifiers (cookies/IP address/device ID), photo/audio/vidoe w/ identifying info, geolocation if identify child's coordinates), any other usable to identify (and combo) FTC Scrutiny for EdTech Companies

Answer 8

Products/service providers are 'biz associates' subject to HIPPA FDA regulated - (1) software as 'Medical Device,' (2) cybersecurity guidance for internet connection (stakeholders in ecosystem, lifecycle, etc.) FTC Section 5 applies

Answer 9

'Covered Entities' (CE) = health care providers, insurers/plans, health clearinghouses, and 'business associates' that receive PHI from covered entity NOT - cash-only DR w/ no insurance billing or electronic transactions, websites, conversations, online, etc. 'Business Associates' (BA) = cloud provider w/ PHI (even unknowingly); service provider of CE if use PHI (e.g. claims processing, data analysis, billing, legal, actuarial, accounting, consulting, administrative, accreditation, financial services, etc.)

Answer 10

(1) Identifies an individual or reasonable basis for identification (e.g. name, SSN, and indirect: dates, geo location) (2) relates to past/present/future physical or mental condition, health care, or payment, (3) in any form (electronic, paper, oral), (4) transmitted, maintained or held by CE/BA in process (5) created or received by covered entity or employer in providing health services/processing related benefits ePHI = electronic media PHI (not paper to paper fax, voice/phone)

Answer 11

(1) Privacy notice - specific elements including: how use/disclose PHI, consumer rights including complaints, CE duties to safeguard PHI, contact point, (i) provided on/before first service (exceptions - emergency & indirect relationship) (2) Authorizations for use/disclosure (i) no auth - use/disclose for essential health purposes/TPO (treatment, payment, operations), comply w/ law (reporting, legal proceeding), psychotherapy limited circumstances*, to patient, billing/claims, health operations (ii) auth required - any use outside of TPO/legal (e.g. marketing, research, third-party disclosures not under normal operations) - specify which PHI use/disclosed, purpose of use/disclose, person/entity that receives (3) Min. necessary - for purpose/treatment (4) Patient access - designated record set, accounting of disclosures; amend PHI or file included statement (5) Safeguards - administrative, physical, technical, security rules for for EPHI, backup & recovery rules (6) Accountability - DPO, training, policies

Answer 12

TPO, de-identified (18 elements/expert), research (board approve), public health, abuse/neglect/violence, legal proceeding, law enforcement, gov functions, compliance investigation, etc. Opt-in/consent 512(f) disclosure to law enforcement if 3 criteria (relevant/material, specific and limited, de-identified info...?) Court order, grand jury subpoena, administrative request

Answer 13

(1) Reasonable security measures - policies to prevent, detect, contain & correct (i) Required vs addressable/document/alt (2) Administrative - training, DPO, analysis, incident contingency, etc (3) Physical - facility access, device and media controls, etc. (4) Technical - access controls, audit, authentication, encryption, etc. (5) Breach notification rule ePHI, CE & BA notify consumer & HHS (sometimes media) (6) BA Agreements - follow HIPAA security

Answer 14

EDI standards for electronic exchange of healthcare info (code sets - diagnoses, procedures, meds, etc.) Scope - electronic transfer of PHI between CEs/BAs Operational rules for key Transactions - claims, benefit inquiry, referral/authorization, payment/remittance Goals - streamline admin & reduce paperwork, improve efficiency

Answer 15

(1) Presumed Breach = unauthorized acquisition, access, use or disclose of unsecured PHI is presumed breach, UNLESS risk assessment shows low probability security/privacy of info compromised.(e.g. unsecured info, no encryption); burden of proof on CE/BA (a) Notifications - BA must notify CE; if > 500, notify HHS; if > 500 in same J notify media; report to HHS annually all breaches requiring notice (i) INCLUDES - cloud services, medical apps/wearables (2019 FTC statement) (ii) 60 days to notify individuals? (2) Electronic Health Records (EHR) - incentive to use to get funding; sharing for TPO; no sales w/o consent (exceptions); no payment for marketing (exceptions) (a) Patient request - provide copy of EHR, and all nonverbal disclosures within 3 years? (3) Data limitation for all disclosures (min. necessary); FTC & HHS rule-making for data breaches; codified privacy & security rules, which apply to BAs

Answer 16

(1) Information blocking prohibition - Healthcare IT devs, providers & info exchanges can't unreasonably block patient access to their EHI or restrict interoperability (a) Exceptions - privacy, security, infeasibility, harm prevention (a) Scope - healthcare providers, health IT developers, health info exchanges & networks (2) Patient access - w/o special effort, delays or fees (3) Interoperability - open APIs for health IT systems of seamless data sharing; FHIR standard (4) Devs of certified EHR tech (CEHRT) must disclose business practices including: restrictions on sharing, fees associated w/ EHR access/exchange

Answer 17

(1) Applies to - any program w/ fed funding and diagnosis/treatment/referral for SUDs, state licensing, controlled substances for detox (DEA license) (a) Includes hospitals, clinics, private practices, programs within criminal justice & education settings (b) SUD = substance use disorder (c) Stricter than HIPAA; entities subject to rule likely subject to HIPAA also (2) Info protected - no disclosure/use of info that could identify a person as having an SUD (treatment, diagnoses, medications, fact of seeking treatment) (a) Restrictions on use of info that could lead to/substantiate criminal charges. (3) Disclosure rules - patient written consent to disclose, must include: (a) Who disclosing & who receiving (b) Purpose of disclosure, and (c) Type of info shared (i) Exceptions - medical emergency, qualified audits/evals, court order, reporting crimes on program premises or against staff, child abuse (ii) Re-disclosure - Recipients cannot re-disclose unless patient express consent or exception (4) Security Rules - formal policies/procedures, rules for paper vs EHI NO preemption of stricter state rules

Answer 18

(1) Genetic info = genetic tests of individual & family (up to 4th degree), family medical history, participation in genetic services/research, info about fetus/embryo for pregnancy/assisted reproduction (2) Protections - no use of genetic info in insurance and employment, no discrimination, no request genetic testing. (a) Insurance - eligibility, coverage, premium rates/adjustments, underwriting (b) Employment - hiring, firing, promotion, job assignments, retaliation if complaint (3) Exceptions = inadvertent disclosure, voluntary wellness program w/ consent, compliance with FMLA/similar state law, certain public health activities (workplaces w/ toxic exposure w/ consent); diseases already manifested; (i) Employers w/ less than 15 employees (ii) Insurance exceptions? - life insur., disability insur., long-term care insur. (iii) Outside scope = life insurers, mortgage lenders, schools, others CalGINA - prohibits genetic discrimination in emergency medical, mortgage lending, housing, education, other state-funded programs

Answer 19

Differs - comprehensive med privacy, medtech laws, at-home genetic testing, consumer genetic testing, etc. CA Confidentiality of Medical Info Act (CMIA) - Right to pursue legal action for violation of law for compensatory and punitive damages.

Answer 20

Consumer report = info about creditworthiness, credit standing, credit capacity, character, general reputation, lifestyle used to determine eligibility for: credit (loans/cards), employment, insurance, housing (rent/mortgage), other legit biz needs Consumer reporting agency (CRA) = person/entity compiling consumer data and provide in form of consumer report to biz evaluating creditworthiness, employment, insurance or rentals Users (of consumer report) = lenders, insurers, employers, others (a) User requirements = permissible purpose & certify PP; notify of adverse action; record keeping; securely dispose of report data; employer requirements (i) Permissible purposes = written consent, extension of credit, review/collection of account, employment purposes (hiring/promotion w/ consent), underwriting insurance, legit biz need for consumer initiated transaction, review account, determine eligibility for license/gov benefit, assessment of credit/prepayment risk, gov. determine child support; court order/subpoena; prescreening of credit/insurance Furnishers (of consumer info) = lenders, retailers, others that furnish credit history (a) Duties - accurate info, correct/update, notice of dispute, respond to info from ID theft, ensure correct person, prevent change in date of first delinquency, maintain records for period of time, no report info known to be inaccurate, notify CRA if incorrect/incomplete, notify CRA if dispute, investigation of dispute, procedure for max accuracy, not report negative outdated info (7 year account data, 10 year bankruptcy) 7 Key rights = (1) access reports (1 free per year); (2) accuracy & dispute rights (inaccurate or incomplete, 30 days to correct); (3) notice of adverse actions (deny, employment, insurance) based on credit report; (4) details about CRA that supplied report; (4) know who accessed; (5) limits on negative info (7 years payments, 10 bankruptcy); (6) Opt-opt of pre-screenings; (7) limit use to 'permissible purposes' Adverse action - all biz/credit/employment action w/ negative impact (denying/cancelling credit/insurance/employment/promotion (not counteroffer) (a) Include - name, address, phone of CRA; statement CRA did not make adverse decision; statement of rights to obtain free report within 60 days; statement of right to dispute w/ CRA Employment use - written notice (single solo doc) before obtaining; certify to CRA no violation of fed/state discrimination law; if adverse action provide copy of report an summary of rights, adverse action notice if obtained from affiliate (a) Investigation of suspected misconduct - Investigative use (character, reputation, personal characteristics, mode of living via personal interviews) - special rights, (1) section 606 disclose its use to consumer within 3 days, (2) statement informing of right to request additional disclosures of nature/scope within 5 days, (3) summary of consumer rights if adverse action, (4) certify to CRA disclosure made Pre-screening (firm unsolicited offers of credit/insur.) - pre-established criteria before offer made, maintain on file for 3 years, short/long form opt-out notices (info in CRA used, satisfied criteria, not extended if don't meet, may prohibit use)

Answer 21

New consumer protections - truncated credit/debit numbers; rights to explanation of credit scores; free annual report from each major CRA, 90 day fraud alerts, active duty alerts for military, ID theft victim request fraud accounts blocked form CR, CRA investigate within 30 days dispute, mortgage lenders disclose scores and key factors during applications, etc. Disposal Rule - users of CRs (or info derived from such) dispose in way preventing unauthorized access & misuse (a) Factors - sensitivity of info, costs/benefits, tech, etc. Red Flags Rule - ID theft detection, prevention & mitigation programs; response to 'red flags' signaling ID theft (patterns, practices, forms of activity), update program (a) Examples - alerts, notis, warnings from CRA, suspicious docs, suspicious personal ID data, unusual use, etc. 2010 Red Flag Clarification Act - narrows definition of creditor (no entities extend credit for expenses incidental to a service), but those in regular course of biz - obtain/use CR for credit transactions, furnish info to CRAs for credit transaction, advance funds to/on behalf of someone, biz w/ accounts subject to reasonably forseebale risk of ID theft Risk-based pricing rule = Disclosure/notice if less favorable terms (than available to substantial proportion) because of credit report

Answer 22

Financial Institutions (broad) - company 'significantly engaged' in financial activities (banks, insur. providers, securities firms, payment settlement services, check-cashing services, credit counselors, mortgage lenders/brokers, financial advisors, debt collectors, payday lenders, some fintech companies) Nonpublic Personal Information (NPI) collected from consumers - includes any PIFI provided by, resulting from, or obtained about consumer during financial transaction/service. (a) Includes - non-financial info (name, relationship w/ institution), income, employment history, account numbers, balances, payments, overdrafts, loan details, portfolios, transaction data, info frmo other sources (credit reports) (b) Excludes - publicly available info, aggregated/anonymized/de-identified data (c) Consumer = primarily for personal, family or household services (d) Customer = ongoing relaitonship w/ fin. institution No pretexting - obtaining PI under false pretense; safeguards to detect and prevent pretexting, employee training, etc. DOE guidance - finaid info covered by GLBA (universities in possession)

Answer 23

Privacy notice - clear, conspicuous, at time of establishing relationship (and annual), (a) Content - what info collected, how shared/disclosed, how protected, right to opt-out of certain sharing within 30 days (w/ non-affiliated third parties for marketing) (b) If met = can share w/ affiliates & joint marketing partners advertising your products/services, nonaffiliated (i) Always prohibited - share account numbers to nonaffiliate for telemarketing/direct mail (c) 2009 Model short privacy notice (safe harbor) Opt-out right exceptions - affiliates for financial products/services; third parties for processing transactions, fraud, legal requirements; consent; Limits on disclosure - no disclose sensitive fin. info for certain purposes w/o consumer consent (marketing non-financial products, insurance/services not related to primary financial products) Exceptions - public data, data not covered by GLBA (unless combined with NPI)

Answer 24

Security program required - written, appropriate to size, complexity and nature (risk-based approach) (a) Info Security Officer required - oversee program & ensure compliance (b) Risk Assessment - threats/vulnerabilities, all areas where NPI stored (data centers, employee access, vendor relationships, etc.) (c) Administrative safeguards - Training, background checks, access controls, vendor oversight (d) Technical safeguards - encryption, firewalls, secure transmissions, computer systems, networks, applications, access controls, etc. (e) Physical safeguards - facilities, data storage, locked officers/server rooms, environmental, biz continuity, disaster recovery (f) Ongoing monitoring - monitoring, testing (g) Vendor management - contracts, requirements, etc. (h) Incident response plan - identifying, containing, reporting breaches (i) Board reporting - senior management informed of program effectiveness, reports on status of program, identified vulnerabilities and incidents

Answer 25

California Financial Privacy Act (CFIPA) - increased disclosure requirements, consumer rights & statutory damages (a) Opt-in required - sharing NPI w/ non-affiliated third parties for marketing (stricter than GLBA which allows opt-out in many cases) (b) Opt-out option for sharing w/ affiliates for marketing (not a right under GLBA) CCPA exempts GLBA data (not entities) NYDFS Cybersecurity Regs: (a) Covered Entities - banks/trust companies, insurance, mortgage lenders/brokers, money services businesses, credit unions, certain fintech & insurtech companies, investment companies, savings/loan companies (i) Exemptions - less than 10 employees, less than 5M gross annual revenue, OR less than 10M total assets (b) Cybersecurity Program - protect NPI, detect/respond to events, recover from incidents (c) Chief Info Security Officers (CISO) - annual reports to board on risks, incident responses, program effectiveness (d) Risk Assessments - internal and external threats, informs program & controls (e) Technical/admin controls - MFA required for external network access & privileged accounts, encryption, malware monitoring, audit trails (5 maintain for 5 years), employee training, penetration testing & vulnerability assessments (f) Encryption - in transit and at rest (g) Third-party vendors - contract standards (h) Incident response plan - written, roles/duties, procedures, communications (i) Breach notification - notify NYDFS within 72 hours of qualifying incident (if - reasonable likelihood of harm to normal operators or unauthorized access to NPI) (j) Employee training - (k) Annual compliance certification/attestation to NYDFS each year

Answer 26

Bank Secrecy Act (BSA & Foreign Transaction Reporting Act of 1970) Covered Entities (broad) = banks, credit union, broker-dealers, MSBs, insurance companies, casinos, precious metals dealers, crypto exchanges and hosted wallet providers, mixets/tumblers (some exempt like DEX & mining pools), (1) CTR (Currency Transaction Report) - cash trans. over 10k in single day, customer ID, transaction details (amount, type, date), within 15 days (2) SAR (Suspicious Activity Report) - suspect laundering, terrorist financing, fraud/crimes, $5k or more OR evidence of illegal activity, within 30 days, confidential (not disclosed to person involved) (3) FBAR (Foreign Bank & Financial Accounts Report) - US person/entity w/ foreign account over 10K must file by 4/15 (extension 10/15). (4) CIP (customer ID program) - verify customer identities when opening (KYC) (5) Record keeping - (i) MIL monetary instruments (cashier check, money order) between 3k to 10k, (ii) records of wire transfers over 3k (sender & recipient info) (a) Name, address, SSN, date, instrument, serial numbers, dollar amounts (b) 5 yrs from date of filing (CTR, SAR, FBAR); 5 yrs after account closed (CIP); 5 yrs from transaction (MIL); 5 yrs casino reports; 5 yrs beneficial ownership records (6) AML program - written, policies & procedures, compliance officer, employee training, independent testing (audits) (7) Travel Rule - transfers over 3K, info must travel w/ transfer (name, address, account #, identity info (SSN/EIN/passport/ID), beneficiary info (name, address, account #), retain 5 years, 2019 FINECN VASPs for crypto (i) Exceptions - internal transfers w/ same institution, debit/credit/prepaid card (if via visa/mastercard/other), ACH, check clearing, securities & futures if info already on file FINECN, FATF internaitonal standards US Patriot Act (2001) - strengthened BSA, stricter KYC, beneficial owners, new reporting/record requirements for diff. industries, global reach/foreign banks (1) CIP program, 4 year retention, records of foreign bank accounts if correspondent account in US (2) EDD (Enhanced due diligence) - foreign correspondent accounts, private accounts of non-US person if $1M or more (3) Info sharing between gov. & institution - review accounts against FINCEN list, report matches within 14 days, and voluntary sharing (4) AML Program - internal controls, designate officer, employee training, independent audits (5) NO Shell banks - prohibits US institution from maintaining correspondent accounts for foreign banks w/ no physical presence, no affiliated regulated financial group Anti-Money Laundering Act (2020) - enhanced BSA around beneficial ownership (1) Beneficial Ownership Reporting (CTA act) - US biz report beneficial ownership (25% ownership or substantial control) (exceptions - public, bank, insur, > 20 employees and 5M revenue) (2) Risk-based AML program (3) Whistleblower protections - 30% rewards (4) Info sharing between FINCEN & law enforcement & FI (5) Updates - CTRs & SARs, new industries (antiquities, VASPs/crypto exchanges, study real estate), foreign bank subpoenas, cooperation w/ internationals

Answer 27

EFT (electronic funds transfer) - any transfer through electronic system instructing a debit or credit on customers account (i) Includes - ATM, debit card/POS, direct deposits, electronic bill payments, P2P payments (venmo/paypal), phone/online banking transfers (ii) Excludes - wire transfers (UCC article 4a), credit card payments, checks (1) Disclosures - (a) initial (terms & fees, before first EFT), (b) periodic statements (monthly summaries of transactions, fees and balances), (c) receipts (ATMS, POS, online platforms) (2) Error resolution - customer 60 day to report, institution 10 days to investigate, resolve/credit account, written explanation of findings (3) Preauthorizations - written auth from customer, advance notices of changes in amount or date of transfer

Answer 28

Scope = all education institutions w/ fed funding (k-12 & university) Student - individual in attendance (incl. online), NOT applicants or non-enrollees Holder of rights - parent until age 18, student once 18 or in college (college classes in high school = high school rules/18), or student consent for parent permission (i) Exception - may disclose to parent if student claimed as dependent Education record (broad) - all records related to student, maintained by or on behalf of school (grades, fin-aid, disciplinary records, etc.); handwritten/print/electronic/visual/audio/film (i) Exceptions - campus police record, employment record, applicant records, alumni records, peer-graded papers (before faculty collected), treatment or health records PII - name, name of parent/family, address, personal identifiers (SSN/school ID), DOB, place of birth, other info linkable to student (reasonable certainty) (i) Exception for Directory Info - info not harmful/invasion of privacy if disclosed (e.g. name, date & place of birth, address, email, phone, field of study, honors received), but NOT exempt (SSN/student ID unless can't be used to access records w/o another factor) (ii) Opt-out required (block release of info) before declaring info as directory info Disclosures - only if: not PII from education record, consent, directory info, disclosure to rights holder, statutory exceptions (see consent exceptions) Rights - access (45 days & explanation, exceptions - non-educational record, treatment, privileged, parent financial info, confidential letter of rec.), corrections (hearing if denied, notice, representation, decision in writing, right to statement about contested record), consent to disclosures, opt-out of directory info Consent - signed, dated, written, identify records/purpose/recipient Exceptions - school official w/ legit ed. interest, other ed. institution for enrollment/transfer, fin-aid, research, accrediting orgs, sex offenses, disclosure to creator of record, legal/subpoena/order, health/safety emergency (articulable, significant, totality of circumstances, rational) HIPPA/health - HIPPA entity-level exemption Health records - if subject to FERPA, not subject to HIPAA College health clinic - FERPA applies to student health records, HIPPA applies to nonstudent health records (faculty, staff, non-student) Medical info related to student's education is generally FERPA, unless setting separate from education Private school (no FERPA) = HIPPA

Answer 29

CA SOPIPA - prohibit use of student data for targeted ads for noneducational purposes; requires reasonable security measures NY Ed Law 2-d - cybersecurity policies that adhere to NIST Data breach notification laws

Answer 30

FERPA Holder of Rights = new rights regarding: (a) surveys collecting sensitive data, (b) marketing activities involving students, (c) certain physical exams or screenings Survey rights = opt-in/consent (if fed funding) if questions about 8 areas - political, mental/psychological, sex, illegal/demeaning behavior, criticism of fam relationship, privileged relationship (lawyer/doctor/clergy), religious, income Marketing rights = notify parent if student PI collected for marketing or sale; consent to use PI for commercial purpose (doesn't apply to FERPA data) Physical exam/screening = opt-out right for non-emergency physical exams/screenings by school (a) Exceptions - exams required by state law (vision, hearing, scoliosis), emergency medical situation Parent Rights = inspect survey & instructions & dates, instrument to collect PI; annual notice of right to opt-out (survey, marketing collection, non-emergency exam) School policies - parent access to surveys by third parties (even if no fed funding), collection/disclosure/use of student PI for marketing, sales or distribution, parent opt-out rights, annual notice (policies, dates, opt-out rights)

Answer 31

Children w/ disabilities = 'Free appropriate public education' (FAPE) in 'lease restrictive environment' (LRE) via 'individualized education program' (IEP) (a) Disability (3 yrs to 21 yrs) = autism, deafness, emotional, intellectual, multiple, orthopedic, health, ADHD, dyslexia, learning, speech, brain, visual/blind FAPE = school must provide tailored education at no cost (special education & related services) LRE = educated w/ non-disabled peers to max extent appropriate, removal from general ed setting only if disability prevents progress IEP = each eligible student gets IEP document outlining (current academic level, annual goals, special ed services & accomoddations, methods to measure progress) - by team, educators, parents, specialists, reviewed annually (a) written notice before changes; confidentiality; dispute resolution options Evaluations - comprehensive, non-discriminatory, whether disability, what needs/services, parent consent, multiple assessment tools Parent rights - participate in all decisions, access ed records, provide/reject consent for evaluations and services, due process hearing & mediation

Answer 32

Subject to FERPA, state, PPA & IDEA (as applicable) 2014 DOE Guidelines - how FERPA applies online (case-by-case), school duties to ensure FERPA met 2020 Guidance - Resources related to virtual learning Self-regulation - future of privacy forum, software & info industry association, student privacy pledges (2014 & 2020) - no selling student PI, ban on use of PI for behavioral targeting, no profiles on students, no deceptive acts FTC Scrutiny for EdTech Companies - no ed info for commercial purpose (advertising), no unreasonable mandatory collection, no retention longer than necessary, confidentiality/security/integrity procedures

Answer 33

Prohibit unsolicited telemarketing calls if: (a) Automatic Tele Dialing System (ATDS/robocalls) - includes text messages, limited to random/sequential number generator (facebook ruling) (b) Artificial/prerecorded voice messages - Telemarketing = plan, program, campaign to induce purchase of good/service or charitable contribution (w/ more than 1 interstate call) Telemarketers & their sellers (provide/arrange goods/services) Exceptions - nonprofit (unless seeking donation), EBR within 18 months, inbound calls (no upsell), most B2B calls Existing Business Relationship (EBR) exemption - purchase/rent/lease goods/services within 18 months (date of last payment/transaction/shipment) OR application//inquiry (3 months), UNLESS request DNC EBR exemption not applicable - ATDS to residential line Prior express written consent - before telemarketing robocalls/robotexts or prerecorded voice message; clear/unambiguous; can't be condition to purchase goods/services; signed writing (esign ok); number to call; no pre-check DNC registry - telemarketers check/honor (31 days), opt-out right, monitor & enforce compliance Internal DNC - consumer can opt-out from specific biz, must maintain internal DNC list Safe Harbor - written policy to honor DNC, training, maintain internal DNC, maintain records for process to prevent DNC calls, monitor & enforce, bona-fide error Non-telemarketing (informational) - prior express consent (oral or written) Fax - unsolicited ads prohibited w/o prior express consent or EBR; include opt-out for future faxes Texts - same as ATDS; disclose via ATDS/prerecorded; no consent as requirement for purchase; consent revocable anytime Timing - telemarketing only 8am - 9pm (recipient's time) Disclosures - (1) entity on whose behalf they're calling, (2) provide contact info, (3) disclose purpose of call and what selling, (4) caller ID info (own number/name or seller's), (5) truthful, (6) ten categories (cost/quantity, materials conditions, characteristics, cancel/refund policy, material details of prizes/investments, affiliation/sponsors, credit card loss protection, negative option features, debt relief services) Multi-purpose call = disclosure (^) for sales purposes before going into others Call abandonment - no hangup/dead air for outbound call (2 seconds) Safe harbor - (1) tech for 3% answered by live person, (2) 15 seconds/four rings before disconnect, (3) recorded message w/ name/number of seller if live agent unavialable within 2 seconds (4) records documenting compliance w/ 1-3 Billing - express informed consent Payments other than credit/debit - express verifiable authorization (high standard) Pre-acquired billing info - last 4 digits, express consent, recording of entire call Records - keep for 24 hrs (some), others 2 years from date produced (ads/promos, info on prize receipts, sales records (name, addresses, purchase, date, shipping, price), employee records (name, address, phone, title), authorizations/consents) (a) seller or telemarketer (any format); successor upon sale. FCC Updates - allow opt-out of ATDS during ATDS; assess abandonment rate 30-day window, Reassigned numbers - not liable for 1st contact(liable for subsequent if aware of change) Enforcement - FCC, private right of action, 500/violation (triple if willful/knowing), class actions - 50k max (private action) - Class action = must show 'actual harm' (not mere risk of such)

Answer 34

LA - lesser time frames; EBR limited to 6 months; penalties CA - eliminateEBR exception for fax (preempted for interstate fax)

Answer 35

Consent - express or inferred via EBR Scope - commercial fax Opt-out required Exception - fax invitaiton for market research survey in exchange for money Private right of action - $500/fax 2019 FCC - online cloud-based fax service not under TCPA/JFPA

Answer 36

Scope - unsolicited advertising of products/services by email Primary purpose - advertising/promoting Transaction/relationship purpose - facilitate/confirm agreed-upon transaction, warranty/safety info, info on ongoing commercial relationship, employment/benefits info, delivery of goods/services Sender - who initiates email, can be more than 1 party (1) No false/misleading headers (from, to, reply to) (2) No deceptive subject line (3) Identify message as ad/commercial message (unless prior consent) (4) Include physical address/return email address (5) Provide opt-out (clear/conspicuous, free) (6) Monitor third party compliance (hiring party to do email ads) (7) Warning label for sex content

Answer 37

MSCM = commercial electronic messages sent to wireless device using internet-to-phone gateway (email to text) Opt-in/prior express consent - required before sending MSCM (no negative option, cost free) Contents - agree to receive MSCM on device from identified seller, may be charged by wireless provider, may revoke anytime, any format, document auth. Opt-out - clear way to opt out of future MSCM (revoke by any means, return address or electronic means (10 days)) Identification - message must clearly identify sender, include contact info TCPA/CAN-SPAM interplay: standard email (can-spam), email-to-text (MSCM rules), standard SMS/MMS (TCPA) Primary purpose - same as CAN-SPAM FCC wireless domain registry? - obtain list, verify authorizations

Answer 38

Customer Proprietary Network Info (CPNI) - customer data collected by telecom providers during usage (call details, time, duration, destination, service types and features, billing info), phone features NOT CPNI - name, telephone number, address Scope.= telecomm carriers, ISPs, and voice-over-internet protocol providers (VoIP) NOT - streaming companies (OTT) when content via internet/mobile device Opt-in consent - to use/disclose, including third-party access/disclosure NO consent required - essential services like billing/collections, fraud prevention, emergency services, customer services, marketing offerings among service categories customer already subscribes? Safeguards - procedures to protect CPNI, report breaches to consumers & FCC & law enforcement? (if CPNI in security breach) Caller ID - consumer right to block their number from appearing on caller ID; telemarketers prohibited from using tech to hide/spoof caller ID Customer access to CPNI via phone/online Annual certify compliance & summary

Answer 39

Scope = cable subscribers and cable operators (NOT broadband internet services) Privacy notice - at time of subscription & annually Content - PII collected, how used, how long retained, how disclosed, subscriber rights under this act, how to access & correct Opt-in - required for collect/disclose PII w/o prior consent (names, addressses, viewign habits, billing details) Disclosures - None w/o consent or exception (necessary to provide services, legit biz activity, billing, account management, service improvements, court order (notify subscriber, opportunity to contest), name/address if opt-out opportunity, non-identifiable aggregated data) Limited retention - only as long as necessary for purpose of collection Secure destruction - once no longer needed Subscriber rights - access/inspect PI collected, correction if inaccurate, opt-out of certain data uses (marketing communications using PII)

Answer 40

Video tape service providers - in biz of renting, selling, delivering prerecorded video materials (similar audio/visual content), parties that receive PI in ordinary course fo service provider's biz/marketing GPT? - Extended to cover modern streaming/online services (Netflix, Hulu) PII = info identifying specific person and video content choices (titles watched, rental history, etc.) Consent - required for disclosure of PII; clear, informed, specific (electronic allowed, lasts 2 yrs?) Exceptions - law enforcement, biz necessity (billing, account management, operators), marketing of similar products/services (must include opt-out option), aggregated data w/o PII Consumer rights - sue/privacy right of action (2.5k/violation, actual damages if higher, punitive damages, attorneys fees, court costs) Destruction - destroy PII when no longer necessary for purpose it was collected (not later than 1 yr once no longer necessary) NO preemption

Answer 41

Scope - prohibits DMV's (and employees) from releasing PI w/o express consent or exemption PI = name, address (excluding zip), DOB, phone number, SSN, driver's license number, medical or disability info High sensitivity info = greater protections (SSN, medical data) Disclosures - prohibited w/o express consent (can be explicit and informed) 14 Exceptions - gov agencies/functions, legal proceedings, vehicle safety/theft, biz use, insurance activities, towing/parkign enforcement, research/statistics, court order/subpoena Never permitted - DMV data for stalking, harassment, ID theft Consent - explicit and informed, what data and what purpose SCOTUS Maracich (2013) - DMV data to solicit clients for legal services violates DPPA, strict limitations on solicitation and marketing

Answer 42

CalOPPA - Commercial website/apps if collect PII of CA resident (no CA presence required) Privacy notice requirement - conspicuously, easily noticeable, labeling Notice includes - types of PII, how used, how access/modify, how policy change communicated, effective date/last updated, whether third party may collect PII across different sites/services Do Not Track signals - explain how respond to DNT signals sent by browsers (need not respond, but must disclose whether you honor such or not) CA age-appropriate design act - minors up to 17 yrs old Scope - online products/services/features likely to be accessed by child under 18 (websites, apps, games, social media, likely to attract) Privacy by default - highest level of privacy default, no data collection/sharing/profiling unless strictly necessary Age verification - reasonable methods to estimate/verify age before collecting PI (age gates, DOB prompts, more advanced techniques) No dark patterns/nudge techniques No profiling w/o justification (compelling reason - safety, security) Privacy notice - child-friendly, easy to understand, age-appropriate language Warnings for risks to child well-being Geolocation protection - off by default unless strictly necessary; notify each time location data collected DPIA assessments for new product/service likely accessed by child - risks to child privacy/well-being, how data collected/processed/retained, steps to mitigate risks (AG can request copy) State privacy laws (e.g. CCPA) Self-regulation - DAA, BBB,, NAI (unfair/deceptive to agree and violate), IAE

Answer 43

Required disclosures - BSA, AML, FDA adverse events/problem/error, DOL/OSHA workplace injuries/illness, state laws (injuries, medical conditions, gunshot wounds, immunization records) Permitted disclosures - HIPPA privacy rule to individual, HHS in enforcement, public health, law enforcement, national security, HHS guidance on abortion post Roe v Wade overturn, Patriot act (defined circumstances - authorized, lawful investigation, reasonable grounds related to investigation, etc) Maybe - crime on premises, decedents of suspected crime, emergency, victims, limited info for identification and location purposes, certain laws... Forbidden disclosures - HIPPA & COPPA unless opt-in/exception, GLBA upon opt-out, in violation of an opt-out (FTC/Section 5), evidentiary privileges (attorney, doctor, priest, spousal, 5th amend)

Answer 44

Tradition - public records & open court rooms 2007 Fed Rules Civ Pro - redact sensitive PI (last 4 of SSN, year of birth, if minor only initials, last 4 of financial account, e-discovery rules (large-scale production) Bankruptcy rules - similar to above Filings under seal - request, additional redaction, restrict electronic access, etc. Criminal - city and state of address (no precise address) ESI - transitory data (may be outside duty of preservation), good faith exceptions (acts to avoid system destroying/alerting info), forensic images of hard drives Usage policies - discourage personal comms on company email/devices, limits on permitted uses to aid in preventing later forensic discovery, discourage company biz on personal device, etc. Discovery duties vs biz practices (3 part test) - retention policy reasonable, similar complaints against org, bad faith Protective orders - good cause, 3 part test (confidential, relevant/necessary, weigh harm vs need) Also - prohibit use/disclosure, no use outside litigation, return Extra protections for - juvenile, financial, & medical data Protections - preservation, transport, encrypted, audit trail, secure connection, etc.

Answer 45

Conflict = US duty to produce vs. GDPR/other prohibitions Some Js - require production if taking advantage of US J (e.g. plaintiff) Other Js - produce even parties not seeking benefit of US court (foreign law doesn't deprive US court of its powers Other Js - nature/type of docs (give log/descriptions w/o requiring actual docs) Hague Convention/treaty - party seeking to displace civ pro rules bears burden to demonstrate more appropriate to use Hague Convention (foreign law prohibits discovery sought, good faith, means of last resort) Common factors - importance of docs/data, specificity of request, whether info originated in US, alternative means of securing info, extent of undermining important interests of US and foreign state via ruling, etc.

Answer 46

Key = secure in persons/houses/papers/effects, no unreasonable searches/seizures and warrants w/o probable cause Warrant - probable cause crime occurred/likely, testimony/oath/affirmation, magistrate approval, NO general warrant (describe place/persons/things to be searched) Exclusionary rule - evidence in violation of 4th amend excluded from criminal trial Katz - exposed to public (no 4th amend protection) vs seeks to keep private (4th amend protection, even in areas accessible to public) Reasonable Expectation of Privacy Test - exhibit actual/subjective expectation of privacy & expectation one society prepared to recognize as reasonable Exceptions - plain view, in public, third party doctrine, consent, search incident to lawful arrest, exigent circumstances (immediate threat), automobile exception (if probable cause can search car), stop and frisk/terry stop (pat down if reasonable suspicion of criminal activity) Third party doctrine - info in another's hands is not protected, company can turn over info SCOTUS 2012/Jones - warrant needed for GPS device on car for over month (trespass) SCOTUS 2014/Riley - contents of cellphone searchable only w/ warrant (incident to arrest does not apply) SCOTUS 2018/Carpenter - reduced scope of 3rd party doctrine (warrant needed for certain records like cell site location info) Unlawful abortion data - law enforcement may use warrant; CA law prohibiting company from responding (conflict of law)

Answer 47

Prohibits disclosure to fed law enforcement unless requirements statutory requirements met Statutory requirements - written consent, subpoena/summons/search warrant/formal written request Exceptions - IRS investigation, SARs (aml), national security letters, debt collection on fed guaranteed loan, emergencies/imminent danger/crime prevention Notice/challenge - financial institution notify customer, 10 days to challenge request in court before records disclosed Financial institutions = banks, credit union, savings association, credit card issuer, broker-dealer NOT - merchants, non-bank lenders Remedies - civil action against gov and institution, damages, exclusion of evidence Scope = financial records of individuals and partnerships (fewer than 5 people)

Answer 48

Scope = wire communications (phone call, via network), oral communications (bugs, microphones), and electronic comms (email, text - via ECPA/SCA) Prohibition - illegal to intentionally intercept, disclose or use contents of any ^^^ Exceptions - court/wiretap order (probable cause, exhaustion of investigative methods, specificity on scope (who, what, where) - higher bar than normal warrant), consent, service providers can monitor for maintenance/protect own rights, exigent circumstances (emergencies, preventing harm, limited interception w/o warrant) Fed - one-party consent to record ('party to the call' exception) State - some are two/all-party consent to record

Answer 49

ECPA - prohibit unauthorized interception/access to electronic communications while in transit and storage (w/o consent, warrant/probable cause, court order, exception) Expanded wiretap act - includes email, phone call, cell phone, text Notify users if data accessed (can delay if hinders law enforcement investigation) Ordinary course of biz exception - employer provides comm service, biz routine monitoring/scanning for virus, not listening to personal calls (biz calls only) Pen register - records numbers of outgoing calls Trap & trace - record numbers of incoming calls Judge orders allowed if - relevant to ongoing investigation Patriot act - expanded beyond telephone numbers (dialing, routing, addressing/signaling info, national security investigation rules, prohibit bulk collection, restrict use to circumstances where specific selectors? SCA - Prohibits unauthorized access/altering/blocking of electronic comms while in electronic storage Exceptions - authorized by provider of wire/service or user of such Gov. preservation order - provider of electronic comms shall take all steps to preserve records and other evidence NO preemption - DE prohibits employers from onitoring/intercepting telephone, email, internet access/usage w/o prior written notice and daily electronic notice; CT also

Answer 50

Requires telecomm carriers & certain service providers to design systems to enable lawful government surveillance (wiretap-friendly) Lawful surveillance - valid court order or warrant Covered entities - telecomm carriers (AT&T/verizon), facilities based broadband internet providers (ISPs/comcast), VoIP services (vonage) Exempt - info services (email, web hosting, cloud storage) Outside scope - WhatsApp & Signal Cost - telecomm companies bore costs of modifying systems, some gov reimbursement Surveillance capabilities - real-time interception (voice & data), call-identifying info (phone numbers & IP addresses), deliver to law enforcement secure/effective Privacy - limit surveillance to only what's authorized by court order, prohibit disclosure of communication contents unless authorized

Answer 51

Permits info sharing between private sector & gov about cyberthreats Voluntary sharing - between companies & with/between gov via DHS portal (cyber threat indicators CTIs and defensive measures) PII scrubbing - remove PII not directly related to cyber threat before sharing data Monitoring authorization - monitor and operate defensive measures on own system Limit on use - cybersecurity & investigating specific serious crimes only (can be repurposed for non-cyber crimes?) Effect - non-waiver of privileges, exempt from FOIA, legal immunity if in compliance Limitations - can't use info shared to regulate/enforcement action

Answer 52

Limits gov. searches of newsrooms or journalistic 'work product' w/o subpoena or court order or voluntary consent Work product/documentary materials = notes, drafts, recording, unpublished materials Exceptions - probable cause journalist involved in crime (not applicable if only crime is possession/receipt of communication of work product), journalist possesses evidence of crime likely to be destroyed if not immediately seized, substantial threat to national security/risk of harm, death/serious injury Protects sources/informants Scope - traditional journalist materials, public comms? Unclear?? - digital content, online platforms, emails, social media, google docs, etc.

Answer 53

Cross-border access to electronic data in criminal investigations US gov. access/warrants to tech companies to require them to provide data stored on servers located in other countries (even if data protected by foreign law) Foreign gov. access from US companies for criminal investigations pursuant to bilateral executive/data sharing agreement. Executive agreements (UK, Australia, Canada?) - safeguards to ensure privacy, human rights standards, compliance w/ foreign country's law and civil liberty protections Companies/scope - if subject to US J (do biz in US, incorporated in US) Alternative to CLOUD Act = Multilateral legal assistance treaty, but warrant w/ probable cause can take 10-ish months

Answer 54

International treaty for cybercrime, international cooperation in combating crimes involving computers, network systems & the internet Outlaw certain cybercrimes - illegal access, interceptions, tampering (malware), cyber fraud, ID theft, child exploitation/porn, copyright violations Enact evidence-gathering rules - real-time interceptions, search/seize electronic evidence on computers/networks/clouds, safeguards (proportional/justified, reps, contract) Cooperate w/ investigation across borders (64+ countries & USA) - required assistance, sharing evidence, searches, info, extraditing accused, 24/7 contact points Protect critical infrastructure, personal data, privacy

Answer 55

Framework for surveillance and collection of foreign intelligence information, ensure US citizen constitutional rights protected & enable national security operations (focus = foreign intelligence rather than typical criminal activity; lesser probable cause standard?) Electronic surveillance (wiretaps, pen register, tap & trace, data collection, video, etc) for gathering foreign intelligence and preventing threats to US nat. sec., business records, domestic Warrantless (S. 702) = foreign target located outside US suspected of terrorism or foreign intelligence activities FISA Court (FISC) - secret/ex parte, review request from US law enforcement and intel. agencies for warrants and orders to surveil Foreign power - surveillance of foreign govs, orgs, individuals, espionage/related Agent of FP - spies, terrorist activities Terrorism - FISA authority extends to terrorist org & individuals US citizens - in certain circumstances (showing that target acting on behalf of FP or espionage/terrorism activities) Minimization when US incidentally surveilled - deleting & redacting FREEDOM/2015 act (amendments) - curtailed certain surveillance powers, ended bulk collection (section 215 PATRIOT), oversight, requests need to use specific 'selectors,' etc. Immunity to telecom companies, 4th amend protections for US persons in criminal proceedings

Answer 56

Expanded gov. power for surveillance, counter terrorism and info sharing Surveillance - roving writetaps (calls/emails/etc) w/o specifying exact device/location, biz records, sneak and peak warrants (search property w/o notice), wiretaps on email/web traffic National security letters (NSLs) - Category of subpoena, statutory access w/o court order to telecomm provider, financial institutions, consumer credit agencies, travel agencies 2006 amendment - can petition fed court to modify/set aside NSL (unreasonable, oppressive) NO disclosure of NSL (if interference w/ investigation/other) Disclosures allowed - attorney, as necessary to comply, petition court NSL terminates - investigation closed or 3 yrs? Info sharing - between intel agencies, law enforcement, foreign intel info, etc. Terrorism - increased penalties (providing support, acts, planning), terrorist financing (investigate/track financial transactions, freeze assets suspected of terrorism), Definition of Terrorism - acts of violence, threats, & domestic terrorism (individuals/groups in US) Immigration/border security powers, track foreign nationals entering, detail non-citizens suspected of terrorism, terrorist watchlists Sunset provisions - some powers renewed over time, some expired

Answer 57

Key laws = constitution, state contract, state tort, state statute, fed statute, regulators, etc. Fed statutes in specific areas (not overreaching) - discrimination, employment screenings, HIPPA privacy, COBRA coverage, ERISA benefits, FMLA leave birht/illness, FCRA, FLSA min wage, OSHA safety, whistleblower protection act, NLRA collective bargaining, ICRA eligibility verification, polygraph protection act, ADA, ADEA, civil rights act, GINA, ECPA, SCA, etc. State contractor - employer/employee, at-will, employer rights to define relationship, collective bargaining State statutes - labor laws, min wage, minors, unemployment, employee rehab, safety, no disclose social media password, etc. Regulators = FTC, DOL, EEOC, NLRB, OSHA, SEC, CFPB, etc. Consent decrees - between gov & party, agree to sotp/pay/do, usually w/o admit guilt, approved by judge, effect of court decision Rules, formal opinions (not law), informal guidance, websites, testimony, speeches

Answer 58

Evaluation & hiring, management, monitoring, termination/departure, computer & smartphones, use of customer data, etc. HR - handling PI/confidential info, segregated records, IT access controls

Answer 59

Job-related, biz necessity Sometimes required - caretaker of elder/child/disabled, nat. child protection act, gov. jobs, emergency jobs, drivers, firefighter, trainer, repair, etc. Can help fight claims of negligent hiring/screening Public info search - usually reasonable, no impermissible purpose (discrimination), stat elaw prohibit providing passwords

Answer 60

Title VII of Civ rights act (race, color, religion, sex, sex orientation, gender identity), GINA, bankruptcy act, state laws (sex preference, marital status)

Answer 61

Prohibit discrimination based on disability (employment, public accommodations, transportation, telecomms) Covered entities (greater than 14 employees): No discriminate against qualified w/ disability, exams job-related/biz necessity, reasonable accomodations unless undue hardship) No asking - prior injuries/illnesses, piror worker comp claims, drug/alcohol addicts Medical exam - only if all employees subjected, confidential, results in accordance w/ prohibition on discrimination of disability, psychological may qualify as disability?

Answer 62

FCRA scope - credit checks, criminal records, employment verification, education verification, driving records (any from CRA) Employer obligations - (1) standalone written disclosure notice, (2) written consent, (3) pre-adverse action report (give copy, summary of FCRA rights, time/5 biz days to respond), (4) adverse action notice of decision, CRA contact info, statement CRA didn't make hiring/employment decision, notice of rights to dispute inaccuracies Consumer report - written, oral, other regarding creditworthiness, credit standing, credit capacity, character, reputation, personal characteristics, mode of living Investigative report (special type of consumer report) - interviews w/ neighbors, friends, associates, acquaintances, reference checks Notice must state - includes interviews w/ individuals about character, reputation, personal habits Permissible purposes - employment purposes, prescreening, qualification of promotion/reassignment/retention Preemption - some state laws preempted, others not (ICRAA notify intent to obtain and use report,) - 10 states limit use of credit info in employment (use only if substantial relationship to the position, predefined categories of financial/manager, etc)

Answer 63

Federal 'ban the box' law - restricts fed agencies and contractors about inquiring into criminal history Fed contractor - when hiring for positions related to fed contracts Restrict - inquiring about criminal history before making job offer, no questions on job apps or early interviews Outside scope = job requiring access to classified info, law enforcement, national security positions, jobs where criminal check required before offer Post-offer background check - once conditional offer made, can conduct criminal background check, if rescind offer provide applicant opportunity to respond State versions - apply to private employers (CA & NY, IL, MA & others)

Answer 64

Possibly FCRA if use agency/CRA Avoid impermissible purpose - discrimination, social engineering/manipulation (false profile, request private info) 1/2 states prohibit asking login/password

Answer 65

Avoid potential bias privacy considerations for video interviews

Answer 66

Private employers restricted form using lie detector tests for hiring or employment decisions, employee refusal protected NOT applicable to fed, state or local gov (law enforcement, nat. security) Exceptions - security firms, pharmaceutical companies, gov ^, specific misconduct involving economic loss (theft, embezzlement, industrial espionage) Lie detector - voice stress anlayzer, psychological stress eval, similar device Procedural safeguards when allowed - notice, opportunity to refuse record keeping for 3 yrs

Answer 67

No fed statute, caselaw under 4th amend when testing reasonable ADA - differs for illegal drugs vs. alcohol, current vs past use Illegal drugs - not protected, test for drugs not medical exam Alcohol disability - protected by ADA if qualified for essential job functions Addiction/treatment screening - must be job-related and consistent w/ biz necessity Required drug testing - some fed laws (customs/border, aviation, railroad, trucking) Preempts state laws that would limit drug testing Preemployment - drug testing allowed except lawful drugs and addiction to illegal drugs Reasonable suspicion - facts/reason, inferences/appearance/behavior/speech/odor Routine testing - if employees notified at time of hire Post-accident testing - usually allowed (consider reasonable suspicion) Random testing - sometimes required or prohibited, specific/narrow jobs in high regulated industries w/ diminished expectation of privacy, public safety/national security State prohibitions (CT/IW/MN) - no drug test unless reasonable supicion, lots of variation, testing if regulated industry, protection of life, property or security, testing only after job offer Invasive tests - blood sample, more scrutiny than less invasive Litigation - defamation/inaccurate test, negligent testing, invasion of privacy, violation of K Legal weed - some states include explicit employee protections Fed regulated sectors (weed illegal) - trucking, aviation, railroad

Answer 68

Smoking - no fed law protection, 1/2 states protect smokers if outside work Biz reason for restrictions - insurance, various state laws Examples - flight attendant weight, obesity due to psychological issue (court splits)

Answer 69

Private sector - limited expectation of privacy, physical facilities (broad authority to monitor & search), computer/electronic (employer property = broad rights), formal policies & acceptable use policies, circumstances/approval for additional monitoring, notice to employees, monitoring internet usage on company network/devices Policies - equipment (biz purpose), location of employees (CA prohibition), data loss prevention, monitor endpoint, encryption, etc. Incentives to monitor - OSHA safety compliance (biometric, eye sensor for truck), quality assurances, customer service, training, security & liability, disputes/tort/litigation (negligent hiring, hostile work environment, employee theft), insurance discounts, location of company cars, access/locked rooms, cybersecurity (virus, intrusion, policy enforcement), protect trade secrets/IP, limit liability for transmission of copyrighted material, employee usage and location (at competitors), online monitoring (brand reputation), productivity, etc. ECPA exceptions - party to call, consent, in ordinary course of biz SCA exceptions - person/entity providing the wire, user of that service for info intended for that user Photo/video (no sound) = outside wiretap/ECPA/SCA (no communications) Personal call - court split on ordinary course of biz, risk violation State laws Recording - single party consent vs all party consent Biometrics - notify employees, informed consent Camera (no sound) - no bathroom/locker/changing room, torts Personal devices - blurs lines, disclose & get consent, minimize privacy private data impact, loss of device could trigger breach notification, may need to be provided in discovery/litigation, deletion of company data on private device Postal mail - once delivered representative can open (even if not intended recipient), some common law risk (policy - no personal mail, don't read once personal aspect known, confidentiality, etc.) Teleworking - privacy, cybersecurity, authentication, safety of network, security patches, training, endpoint security, data protection, privacy in home complicated (get consent & disclose extent of monitoring), minimize Misconduct/investigation - increased liability for ignoring problem; employment agreement provisions, document misconduct, third party investigations may be subject to FCRA (FTC Vail letter) but FACTA amended if conditions met ((1) investigation of misconduct/compliance/policies, (2) not for creditworthiness, (3) not provided to any person except employer/gov/certain orgs, (4) disclose adverse action based on report). EU = broader employee rights, more limited employer rights, biz reason needed to justify retaining PI

Answer 70

Permitted - furnishing SSN for unemployment and welfare Prohibited - disclosure of SSN, having SSN visible through window of treasury-check envelops Other SSN Laws: DPPA curtailed widespread use of SSN by DMVs State privacy laws Data breach noti laws State laws limiting biz right ot us SSN (CA Prohibitions) State ID theft laws - 50 states

Answer 71

Fed sector laws (FTC disposal rule) State laws - 2/3 states Requirements - destroy/dispose of PI, no longer readable/decipherable, method of destruction differs per type of media 'Covered Media' - electronic, paper, etc. Exemptions (GLBA, HIPAA, FCRA)

Answer 72

CA data security law (2/3 states) MA - most prescriptive - min standards, user auth, access controls, encryption, monitoring, firewall, updates, training Fed - HIPAA, GLBA, FTC reasonable Standards = reasonable security measures appropriate to nature of info OR specific security standards Unauthorized access/destruction/use/modification/disclosure

Answer 73

CCPA & GDPR - notice before setting cookies (consent to set cookies, not full PP consent usually) Session cookie - stored until web browser closed Persistent cookie - saved indefinitely (recognize log-in, shopping cart, customization) First party cookie - set from primary page Third party cookie - set from company other than first-party bwesite provider CCPA - notice & opt-out for third party cookies

Answer 74

IL BIPA - companies/employers notify of biometric practices, obtain informed consent prior to using, private right of action

Answer 75

CA/CCPA/CPRA - (1) for-profit, (2) collect/process/sell PI of CA resident, and (3) 25M annual gross revenue, 50% revenues from selling/sharing, OR processing 100K consumers PI - includes employees & B2B VA/VDCPA - 100k consumers More pro-biz; right to appeal; right to opt-in to sale of sensitive PI CO/CPA - 25k consumers and any revenue or discount from selling data Right to appeal; right to opt-in to sale of sensitive PI CT/CTDPA - 25k consumers and 25% revenue from selling, OR processing 100k; excludes payment transactions from # of consumers in threshold? Right to opt-out of sale of sensitive PI right to appeal NV/SB260 UT/UCPA - 25m annual gross revenue & processes 100k consumers OR process 25k consumers and 50% revenue from selling Key rights - access/confirm PI processing; correction; deletion, portability, opt-out of sales; opt-out of targeting/behavioral ads; opt out if automated decision making; sensitive PI rights; non discrimination Deletion exceptions - completing transaction requested by consumer, detect/protect security incident, comply w/ legal obligations 'Sale' = monetary transaction; CA & CO also exchange of value Sensitive PI rights - consent/opt-in (CO/CT/VA), child data, UT/CA notice & opportunity to opt-out Biz obligations - privacy notice (categories, purpose, any sale, right/how to opt-out, categories shared w/ third party, how to exercise rights, CA duration of retention) CA - 'do not sell/share my PI (opt out of sale of PI); on web page, and 'limit the use of my PI' if use/disclose sensitive PI CA - opt-in required to sell/share PI under age 16 CT/VO/VA - treat PI under age 13 as sensitive PI requiring opt-in consent CO/CT/VA - processing limitations (no collect/process except specific purpose, necessary/proportionate to that purpose) CA/CO/CT/VA - risk assessment, privacy/cubersecurity for processing w/ 'heightened risk' of harm to consumer (targeted ads, selling, sensitive PI, profiling) Security requirements - reasonable admin, tech & physical PI - CA broadest (associated or linked w/ individual - consumer & household, name, address, email, SSN, license/passport number, IP address, race/religion/disability/sex orientation/origin, commercial info (property, products/services purchased, etc), biometrics, internet & network activity (browsing,, search, interactions w/ websites/apps), geolocation info, audio/electronic/visual/thermal/olfactory/similar), employment info, educational info Sensitive PI - citizenship, genetic, biometric, health, race/ethnicity, religion, sex orientation, child data (CA union membership, philosophy beliefs, content of mail/email/text), Exemptions - (1) entity level (nonprofit, higher ed, gov, NSA) and data level (varying - HIPPA, GLBA< FCRA), commercial and employment contexts, deidentified info, publicly available, aggregate, etc. 'Sale' = UT/VA monetary consideration; CO/CA/CT exchange of value NOT sale = to processor for processing, third party services, as directed by consumer, consumer use to interact w/ third party CA 'sharing' = sharing, renting, leasing, disclosing, disseminating, making available, transferring, communicating PI to third party for cross-context behavioral ad Cure periods No private right of action - except CA for security breach compromising PI?

Answer 76

PI (differs from state privacy laws) - first name/initial w/ last name and SSN, driver's license or state ID; financial account/credit/debit card number in combo w/ security code/password permitting access; 2/3 states include medical info, fed/state ID number, biometric data, DNA, tax info, maiden name, certain employee info, unencrypted and computerized info Most - name in combo w/... Most - exclude publicly available info Entities included - conduct biz in state and, in ordinary course, maintain computerized data that includes PI Breach - unauthorized access/acquisition of electronic files/data w/ PI, compromising confidentiality, security or integrity of info, when not secured by encryption or tech rendering PI unreadable/unusuable Notifications - who, when, what to include, how to notify, notify AG, notify CRAs, exceptions, reasons to delay Who - affected parties, 2/3 state AG (threshold) and/or CRA (threshold) Timing - ASAP; no unreasonable delay; investigation allowed; AG upon/before noti to consumer; 14 days-45 days; delay if criminal activity if notification impedes investigation Content (differs) - incident, approx, date, type of PI impacted, acts of biz to protect, telephone to call, notice on company website how to contact company; steps to protect against ID theft; toll-free numbers and address for major CRAs; FTC info (number/address/website), AG info, statement about getting more info MA - prohibits description of breach and number affected SSN involved - 3 states require 12 months free credit monitoring Notify via - postal mail, email/phone only if previous/explicit choice as that being preferred comm. method; notice on website/media for certain circumstances (many consumers) Exceptions - (1) more stringent law (HIPAA, GLBA, etc.), (2) own notification policy, (3) safe harbor (encrypted if key secure, redacted, unreadable, unusual, no risk of harm) Encryption (some states) - creates exception from notice requirements Enforcement - state AG, affected parties, class action, CA statutory damages, fines, criminal, etc. 15 states - capped damages, actual + attorneys fees CA - need not provea ctual damages, 100-750/incident or actual damages

Answer 77

Information - collection & handling Bodily - physical being Territorial - environment, video, ID, tech Communication privacy

Answer 78

Requirements differ per law Core steps - risk assessment, risk treatment/controls, implementation of controls/security, IT architecture, mitigation (retention, deidentifying info, limit access/purposes, avoid combining data/creating profiles), compliance lists, gap analyses

Answer 79

Phising attack Spear phising - targeted individual Whale phising - target high-end people Smishing - via SMS Vishing - voice message call/trick Keyloggers Adware Trojans - appear as legit software Ransomware - encrypts victim's files Virus - programs attach themselves to files, spread Worms - exploit system vulnerabilities Spyware - gathering infoMalware - broader range of harmful software

Answer 80

No longer able to be traced/linked to individuals Approaches - remove ID values, generalize/replace detailed data w/ general data, using year instead of full DOB, noise addition of values Anonymous - can't identify, identification via combination not likely Pseudonymized - use of unique identifer (can re-identify) Strong identifier - clearly identifying Weak identifier - used in combo w/ other info to determine identitty Quasi-identifier - can be combined w/ external info to link data to individuals HIPPA de-identification rule/safe harbor - (1) eliminate 18 types of PI (e.g. last 2 # of zip code), OR (2) expert determination method

Answer 81

Encryption - convert data so crambled/can't read (cypher-text) Decryption - converts cypher-text back to original w/ key Symmetric - private-key cryptography (same key to encrypt & decrypt) Asymmetric - private-public key pair Digital certificates - used for auth, verify source, cert. signed Public key infrastructure (PKI) - policies, standards, people, systems, etc. Hashing - one-way function transforming input into output of characters (crypto function) Creates pseudonym - to show integrity of comms, digital signature, etc. Salt - added to the hash

Answer 82

NIST - guidance, not legal requirements (usually), provides industry standards NIST Cybersecurity Framework (CSF) Standards = NIST SP 800-53 (security controls for fed systems) and SP 800-171 (protecting controlled unclassified info in non-fed systems) NIST-F2 - standards for advanced encryption standard (AES) and SHA (secure hash algorithms) 5 core functions - (1) identify systems, assets, data & capabilities, (2) protect via safeguards, (3) detect cyber events, (4) respond to incidents, notice to gov/individuals, (5) recover via restore capabilites Zero trust model (2022 US Gov) - no actor, system, network or service (outside or within) is trusted; verify everything; all traffic encrypted and authenticated Lease privileged - each user, role-based access controls Defense in depth - if get past first line, multiple obstacles

Answer 83

Extends privacy rights to foreign citizens of designated countries, allows them to seek judicial remedies in US for disclosure of their PI by us gov. agencies Includes - if foreign nationals take legal action if US agencies misuse PI Supports data-sharing Ks (EU-US privacy shield, data privacy framework) Designated countries - must provide reciprocal protections Limited scope - data shared for law enforcement purposes only, not general commercial or consumer data

Answer 84

Scope - assets or employees in US, sell to individuals in EU, data stored in EU, doing biz in EU, EU company processing PD of data subject outside of EU?, company outsider of EU monitoring behavior of/targeting goods/services of data subjects in EU Fines - 2%-4% of worldwide revenues, criminal sanctions (10 countries) Court of Justice of EU (CJEU) - decisions scrutinizing surveillance of countries where EU data sent PD (broad) - any data related to identified or identifiable natural person, identified directly or indirectly, pieces of data that if grouped together can identify Anonymized - only if process is reversible Examples = first/last name, home address, email (including first and last name), ID card number, location data, IP address, cookie ID, advertising identifier on phone, data held by doctor/hospital (even if separate from patient name)-0p Sensitive PD (additional protections) - race/ethnic origin, political opinions, reliigous/philosophical belief, trade union membership, genetic data, biometric data, health data, sex life/orientation Explicit consent required to process sensitive PD (absent exemption) Data subject - any natural person whose data processed/collected/stored Controller - individual/entity that directs/determines the purposes and means of processing PD Obligations - data protection by default/design, instructions to processors, ensure security, report breahces, cooperate with DPAs, appoint DPO, identify legal basis for processing, maintain data processing records, conduct data protection impact assessment (DPIA) Processor - processing PD on behalf of controller Obligations - compliance w/ controller instructions, confidentiality, record of processing activities, data security, data breach reporting, cooperation w/ DPAs (flows to subcontractor) Consent = freely given, specific, informed, unambiguous indication of subject's wishes (clear affirmative action/statement) Include - controller identity, purpose of processing, types of data collected, right to withdraw consent, info about automated processing, risks of transfers outside of EU Data protection authorities (DPAs) - enforcing at national level, provide guidance, investigate/enforce, on in each EU state (except germany?) Data protection officer (DPO) - primary point of contact won data issues within biz based in EU Qualifications - expertise in data proteciton law relevant to processing of company, no conflict of interest (no duties related to processing PD that conflict w/ monitoring duties) Appointment - depends whether subjects in EU, data in/from EU, large-scale monitoring, large-scale processing of sensitive PD No EU physical presence - must appoint EU representative Key principles - (1) lawfulness/fairness/transparency (legal basis, subjects aware, privacy police concise/accessible/plain language), (2) purposeful limitation (lifecycle, determine what/why before collect, no processing incompatible w/ original purpose unless public interest, scientific/historical/stats), (3) minimization (limited to necessary, deletion or anonymization after no longer necessary, minimum retention period), (4) accuracy (UP accurate/up to date), (5) storage limitation (retention necessary for purposes), (6) integrity and confidentiality (level of security appropriate to risk, state of art, costs/risks/severity), (7) accountability (controller repsonsible, demonstrate compliance, document breaches, maintain record of processing, DPIA) Rights of subject - (1) be informed (notice, info and handling of PD, source of PD from others, nature, circumstances, scope, context), (2) access (confirmation of processing, copy, other info in notice, what/why/how), (3) rectification (correct, complete, supplementary statement), (4) erasure/forgotten (certain circumstances - no longer necessary, withdraw consent, object to processing & no overriding legit grounds, unlawful processing, legal duty; includes backups unless exempt; reasonable measures to to inform other controllers/processors), (5) restrict processing (limit way PD processed, systems, unavailability, removing, communicate), (6) portability (structured, common, machine readable CSV/excel), (7) object (stop processing, reasons if object, refusal to act if legal grounds/necessary), (8) not subject to automated decision making (general prohibition on decision making/profiling w/ legal/significant effect - e.g. control, entitlement, denial of social benefit or citizenship) Privacy notices - layered approach (short overview w/ links), just-in-time notice (about to be collected), privacy dashboards (preferences in centralized area) Breach notifications - report to DPA within 72 hrs once 'aware' (reasonable degree of certainty), processors notify controllers w/o undue delay, notify subject if high risk to rights/freedoms (clear/plain language, DPO, likely consequences, measures taken to mitigate) Exceptions - risk of harm is low (encrypted), steps taken to protect subject from harm, notice imposes disproportionate efforts (still document) 'Breach' = breach of security leading to accidental/unlawful destruciton, loss, alteration, unauthorized disclosure, access to PD

Answer 85

European economic area (EEA - EU, norway, liechtenstein, iceland) - NO transfers of PD to non-EEAA prohibited unless: adequacy decision, appropriate safeguards (SCCs), consent/exception EU to USA - in flux... SCCs - comply w/ EU law, submit to DPA Binding corporate rules (BCRs) - after certification of practices by DPA Schrems 1 - CJEU struck down EU-US safe harbor Schrems 2 - CJEU struct down EU-US privacy shield 2023 EU-US Data Privacy Framework (Biden EO) - US ensure surveillance w/ necessity/proportionality, independent data protection review court for EU citizens if PD collected by US intelligence wrongly, EU/memebrs are qualifying states APEC declaration - trade w/ privacy assurances, rules 202 international certification - (US, canada, japan, korea, philippines, singapore, china taipei)