CIPP/US Flashcards
What were the facts of the Lilly Case?
An Eli Lilly employee sent a single email to all Prozac.com subscribers with every recipient's address visible in the "To" field, exposing who was receiving medication reminders. The FTC treated this as a deceptive practice: Lilly's privacy policy promised to protect confidentiality, but it had no adequate safeguards, training, or review in place. No fine, but a consent decree requiring an information security program.
FTC has enforcement authority over:
Section 5 of the FTC Act (unfair or deceptive acts or practices), COPPA, the Telemarketing Sales Rule, CAN-SPAM, FCRA (shared with the CFPB and state AGs), and the FTC Health Breach Notification Rule for personal health record vendors not covered by HIPAA. Note the limits: HIPAA itself is enforced by HHS (OCR), and the TCPA is enforced by the FCC, not the FTC.
FCC
Federal Communications Commission. Enforces the TCPA and the CPNI rules under the Telecommunications Act.
Federal financial institution regulators
The banking regulators (OCC, Federal Reserve, FDIC, NCUA) share GLBA enforcement with the FTC and CFPB for the institutions they supervise.
HHS
Health and Human Services
- OCR: Office for Civil Rights (enforces the HIPAA Privacy and Security Rules)
- CMS: Centers for Medicare & Medicaid Services
HHS promulgated the regulations that protect the PRIVACY and SECURITY of health information under HIPAA.
DOT
Department of Transportation
FTC enforcement process
- Claim (press report or consumer complaint)
- If minor: informal resolution between the FTC and the respondent.
- If significant, or part of a pattern: formal investigation.
- If a violation is found: either an administrative trial (with an order and possible civil penalties) or a consent decree, in which the respondent agrees to injunctive relief without admitting wrongdoing. Violating an order carries civil penalties (then $16,000 per violation, adjusted annually for inflation since), sought in federal district court.
3 criteria for unfair trade practices
- Substantial injury to consumers
- Not outweighed by countervailing benefits to consumers or competition
- Not reasonably avoidable by consumers
What are the facts of the Gateway case?
Gateway Learning (owner of "Hooked on Phonics") promised not to share PI, then changed its privacy policy to allow sharing and applied the change retroactively to data already collected, without seeking consent (the revised policy only offered a P.O. box for opting out). It rented name, address, age range and gender information to third parties for marketing. The FTC alleged both deception (breaking the original promise) and unfairness (retroactive application); the consent order required disgorgement of the rental revenue and barred retroactive policy changes without opt-in consent.
What are the facts of the BJs case?
Unfairness case. BJ's Wholesale failed to use reasonable security for customer card data on its network (unencrypted storage, weak access controls, no logging), and the data was used for fraudulent charges. The case established that inadequate security can itself be an unfair practice, even without a deceptive promise.
What are the facts of the Google case?
Deception case (Google Buzz, 2011). Google used Gmail data to populate a social network in ways that contradicted its own privacy policy. A consent decree required a comprehensive privacy program with independent privacy assessments every two years for 20 years.
OECD
- Organisation for Economic Co-operation and Development. Its 1980 Privacy Guidelines (updated 2013) are the most widely cited statement of the fair information practice principles and address privacy on a global scale.
APEC
Asia Pacific Economic Cooperation.
- Its cross-border enforcement mechanism is the CPEA (Cross-border Privacy Enforcement Arrangement); the companion certification scheme is the CBPR (Cross-Border Privacy Rules) system.
- The FTC was the first privacy enforcement authority to join the CPEA.
Steps in developing a privacy program.
- Discover
- Build
- Communicate
- Evolve
Basic Elements of Incident Response (breach)
a. Detection: determine whether an incident actually occurred.
b. Containment, analysis and investigation: stop further activity and establish scope and cause.
c. Notification: inform affected individuals, regulators and others as the applicable law requires.
d. Review and follow-up: corrective actions and lessons learned.
HIPAA
Health Insurance Portability and Accountability Act of 1996
- Sets a floor: preempts contrary state law, but not state laws that are more stringent.
- Enforced by OCR (Office for Civil Rights) within HHS.
HIPAA Privacy Rules
a. Must give individuals a Notice of Privacy Practices (and post it on the covered entity's website, if it has one).
b. Use or disclose only the minimum necessary PHI. The minimum necessary standard does not apply to disclosures to a provider for treatment, to the individual, or under the individual's authorization.
c. Keep an accounting of disclosures so individuals can request it.
d. Maintain safeguards for PHI (accountability, de-identification, and notice and consent or authorization where required); the technical detail lives in the Security Rule.
HIPAA Security Rule
Protects the CIA (confidentiality, integrity, availability) of electronic PHI through administrative, physical and technical safeguards.
- Requires a risk analysis and periodic re-evaluation. The rule does not fix an interval; annual review is common practice, not a regulatory requirement.
HITECH
- Health Info Tech for Economic and Clinical Health
- Amended HIPAA by applying its requirements directly to business associates that use or disclose PHI, and added breach notification rules.
Breach notification: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. (The original "significant risk of harm" threshold was replaced by the 2013 Omnibus Rule, which presumes a breach unless a risk assessment shows a low probability that the PHI was compromised.)
If 500 or more individuals are affected, HHS must be notified within the same 60-day window (smaller breaches are logged and reported to HHS annually), and prominent media outlets must be notified if the 500+ individuals reside in the same state or jurisdiction.
Civil penalties are tiered and capped at $1.5 million per year for violations of an identical provision (adjusted for inflation).
EHR - electronic health records
GINA
Genetic Info Nondiscrimination Act of 2008
- Treats genetic information as health information under HIPAA and prohibits its use in hiring, employment decisions, and health insurance underwriting or premium setting.
- Exceptions include information that is commercially or publicly available, inadvertent acquisition, voluntary health or genetic services with signed consent, genetic monitoring required by law, and DNA analysis for law enforcement or quality control purposes.
FCRA
- Fair Credit Reporting Act.
a. Mandates fair and accurate consumer reporting.
b. Gives consumers the ability to access and dispute (correct) the information.
c. Enforced by the FTC, the CFPB, and state AGs.
d. Private right of action: actual damages for negligent violations; statutory damages of $100 to $1,000 per violation plus punitive damages for willful violations. Civil penalties for knowing violations (originally $2,500 per violation, since adjusted for inflation) are sought by the FTC.
Under Dodd-Frank, rulemaking authority shifted from the FTC to the CFPB.
Users must have a permissible purpose to obtain a consumer report. Permissible purposes include credit, insurance, employment (with consent), and determining eligibility for a license or other government benefit. Library records, purchase transactions and academic records are not permissible purposes.
FACTA
The Fair and Accurate Credit Transactions Act of 2003. Amended the FCRA and preempts state law in the areas it regulates (for example truncation and free reports).
i. Truncation: receipts may show no more than the last five digits of the card number and no expiration date.
ii. One free credit report per year from each nationwide consumer reporting agency.
iii. Disposal Rule: consumer report information must be properly destroyed when no longer needed.
Applies to consumer reporting agencies (CRAs, e.g. Experian) and to the businesses that furnish and use their reports.
FACTA red flags rule
a. Aimed at combating identity theft. Requires financial institutions and creditors that hold "covered accounts" to implement a written Identity Theft Prevention Program that identifies the red flags indicating possible identity theft, detects them, responds to them, and is updated periodically.
GLBA (general and privacy rules)
Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999. Sets a floor: stricter state laws are not preempted.
GLBA Privacy Rules: Financial Institutions must:
1. Store information securely (Safeguards Rule) and give notice of policies on sharing nonpublic personal financial information.
Prepare and deliver a clear and conspicuous privacy notice covering nine required categories of content, provided when the customer relationship is established and annually thereafter.
2. Provide the right to opt out of sharing with nonaffiliated third parties, and allow a reasonable time (30 days is treated as reasonable) before sharing. Exceptions: joint marketing agreements and service providers/processing.
3. Do not disclose to nonaffiliated third parties outside the statutory exceptions (consumer reporting agencies among them).
4. Comply with the standards set by the institution's federal regulator.
5. Keep a privacy policy that is clear, conspicuous, and accurate: what information is collected, how it is protected, with whom it is shared, and how to opt out.
Not enforced by the Department of Commerce; enforcement is by the FTC, the CFPB, the federal banking regulators, the SEC and state insurance authorities.
No private right of action.
Financial institutions may never disclose consumer account numbers to nonaffiliated companies for marketing, even if the consumer has not opted out; other information may be shared on an opt-out basis without obtaining opt-in consent.
Dodd-Frank Wall Street Reform and Consumer Protection Act
Response to 2008 financial crisis.
Added "abusive" to "unfair or deceptive" (UDAAP). An act or practice is abusive if it:
i. materially interferes with a consumer's ability to understand a term or condition of a product or service, or
ii. takes unreasonable advantage of the consumer's lack of understanding of the material risks, costs or conditions, or
iii. takes unreasonable advantage of the consumer's inability to protect their own interests in selecting or using the product, or
iv. takes unreasonable advantage of the consumer's reasonable reliance on a covered person to act in the consumer's interests.
CFPB
Consumer Financial Protection Bureau. -
An independent bureau housed within the Federal Reserve System. Holds rulemaking authority for the FCRA, the GLBA privacy rule (Regulation P), and the Fair Debt Collection Practices Act.
Created by the Dodd-Frank…Act.
BSA
- Bank Secrecy Act.
Contains recordkeeping and reporting requirements for currency transactions, transportation of monetary instruments, and the purchase of currency-like instruments.
A SAR (Suspicious Activity Report) is filed when a financial institution suspects activity that violates the BSA or another law.
Anti-Money Laundering Laws
- BSA
- Currency and Foreign Transactions Reporting Act of 1970 (the formal name of the BSA)
- USA PATRIOT Act (2001)
The International Money Laundering Abatement and Financial Anti-Terrorism Act
- Title III of the USA PATRIOT Act.
Expanded the reach of the BSA and amended the anti-money-laundering laws (customer identification, due diligence, information sharing).
SAR
Suspicious Activity Report.
When does a financial institution have to file a SAR ?
i. It suspects an insider is committing or aiding a crime (any amount).
ii. It detects a possible crime of $5,000 or more and has a substantial basis to identify a suspect.
iii. It detects a possible crime of $25,000 or more, even without a basis to identify a suspect.
iv. It suspects currency transactions of $5,000 or more involving potential money laundering or a violation of the BSA.
FERPA (aka Buckley Amendment)
- Family Educational Rights and Privacy Act.
i. No private right of action. Applies to schools that receive funds from the U.S. Department of Education, so purely private schools that take none are outside it.
ii. Employment records and alumni records are NOT education records.
iii. Education records may be disclosed when any one of the following applies:
- The information is de-identified (not PI).
- It is directory information the student has not blocked.
- The student (or parent of a minor) has consented.
- The student makes the disclosure.
- A statutory exception applies (for example, school officials with a legitimate educational interest, or a health or safety emergency).
Provides the major elements of the FIPPs (fair information practice principles): notice, consent, access and correction, security, and accountability.
If a student requests their records, the institution must provide access within 45 days.
PPRA
- Protection of Pupil Rights Amendment (amends FERPA).
- Treats private family information as protected and gives parents of minors rights over the collection of sensitive information through surveys (for example political or religious beliefs, sexual behavior, or family income).
NCLB
- No Child Left Behind Act
Broadened PPRA to limit the collection and disclosure of student survey info. Added collection, access, notice, and opt-out rights to parents re: child info.
Intrusion on seclusion
Common-law privacy tort (has been used against telemarketing). The plaintiff must prove an intentional intrusion on their solitude or private affairs that would be highly offensive to a reasonable person; persistent unwanted and deceptive marketing contact is one example courts have accepted.
TSR
Telemarketing Sales Rule. Issued by the FTC in 1995 under the Telemarketing and Consumer Fraud and Abuse Prevention Act; amended to add the Do Not Call Registry (2003), robocall restrictions (2008), and again in 2010.
Requires telemarketers to keep records relating to their telemarketing activities for 24 months (2 years).
TCPA
Telephone Consumer Protection Act of 1991 (FCC rules amended in 2012). Enforced by the FCC, not the FTC; also provides a private right of action ($500 per violation, trebled to $1,500 for willful violations).
Prohibits calls made with automatic telephone dialing systems or prerecorded voices to any cell phone or other service "for which the called party is charged for the call" without prior express consent.
Unsolicited faxes are prohibited. The sender must have consent or an established business relationship.
i. Telemarketing (per the TSR): a plan, program or campaign to induce the purchase of goods or services using one or more telephones and involving more than one interstate call.
ii. Sellers must maintain internal DNC lists and call only between 8 a.m. and 9 p.m. local time. Violations of the FTC's TSR carried civil penalties of up to $16,000 per violation at the time (inflation-adjusted since).
iii. Exceptions: nonprofits, established business relationships (EBRs), and consumer opt-in (prior express written consent).
DNC Safe Harbor
Do Not Call safe harbor. A seller that calls a number on the registry by mistake avoids liability if it complies with the DNC rules and can show that it:
i. Provide training to staff
ii. ID how to get DNC and ensure compliance
iii. Must have documentation
iv. People responsible and accountable
v. Must have program to monitor/enforce policies.
DNC rules
- Call only between 8 a.m. and 9 p.m. (the called party's local time).
- Do not call numbers on the National Do Not Call Registry or the seller's internal DNC list.
- Transmit accurate caller ID information.
- Promptly identify the seller and the purpose of the call (that it is a sales call and what is being sold).
- Disclose all material information and terms.
- Comply with prize and promotion rules.
- Honor call-back and end-call (hang-up) requests.
- Retain records for 24 months.
- Obtain prior express written consent for robocalls (prerecorded messages).
No preemption, so state laws can be stricter.
No sales disclosures are required if the call does not intend to sell goods or services.
CAN-SPAM
a. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003. Enforced by the FTC; preempts most state anti-spam laws.
i. Must clearly identify the sender, use accurate header and subject lines, include a valid physical postal address, and label the message as an advertisement.
ii. Must provide a working opt-out (unsubscribe) mechanism and honor requests within 10 business days.
iii. Rules for MSCMs (mobile service commercial messages):
1. An MSCM is a commercial message sent to a unique electronic address at a wireless carrier.
2. The FCC maintains a list of wireless domain names; the MSCM rules apply only to addresses on those domains.
3. Senders must have the recipient's express prior authorization (opt-in).
Telecommunications Act
- Treats CPNI as protected information (Section 222).
a. Carriers may use CPNI for billing, collections, fraud prevention, customer service, and emergency services. Other uses require opt-in (express consent) or must be required by law.
b. Under the FCC's 2007 rules, customers must authenticate (for example with a password) before carriers release call detail records.
CPNI
Customer Proprietary Network Information.
Information collected by telecommunications carriers about their subscribers: the services used, call destinations, timing and amounts, and billing data.
Carriers must get express (opt-in) consent to share CPNI with unrelated third parties, but may share it with joint venture partners or independent contractors for marketing communications-related services on an opt-out basis, provided the customer was notified and did not opt out within 30 days.
Cable Television Privacy Act
- The Cable Communications Policy Act of 1984. Protects the personal information of cable service subscribers (notice of collection and use, consent for disclosure, access, and destruction when no longer needed), reflecting OECD/FIPPs-style principles.
VPPA
- Video Privacy Protection Act of 1988. Regulates the use and disclosure of PI about the prerecorded videos a consumer rents, buys or streams. It applies to "video tape service providers" (video rental and, as interpreted since, streaming services), not to cable providers, and carries a private right of action with liquidated damages of $2,500 per violation.
Situations where an organization must disclose to the gov.
a. The FDA requires reporting of serious adverse events or product problems under the Food, Drug and Cosmetic Act.
b. The Department of Labor (OSHA) requires records and reports of workplace injuries and illnesses.
c. Wiretaps: strictly limited and require a court order based on probable cause.
Contrast with disclosures to third parties generally:
d. HIPAA and COPPA forbid third-party disclosure without opt-in (authorization or verifiable parental consent).
e. GLBA permits third-party disclosure unless the consumer has opted out.
4th Amdt. general concept.
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause..."
ECPA
- Electronic Communications Privacy Act of 1986. Does not preempt stricter state law.
Three titles: Title I (Wiretap Act) extends the 1968 Title III ban on interception from telephone calls to electronic communications; Title II is the Stored Communications Act; Title III covers pen registers and trap-and-trace devices.
Pen registers and trap-and-trace devices (which record numbers dialed or received, not content) are permitted with a court order certifying that the information is relevant to an ongoing criminal investigation.
There IS a private right of action.
Telephone Wiretap Law –>
Olmstead, Kats and Jones holdings
Olmstead (1928). Holding: a wiretap without physical trespass is not a search, so no warrant is needed.
Katz (1967). Holding: the Fourth Amendment protects people, not places; a warrant is needed for a wiretap where there is a reasonable expectation of privacy. Overruled Olmstead.
Jones (2012). Holding: attaching a GPS tracker to a car is a physical trespass and therefore a search requiring a warrant.
SCA
- Stored Communications Act (ECPA Title II). Prohibits intentionally accessing a facility that provides an electronic communication service without or in excess of authorization to obtain or alter stored communications.
Also limits how providers may voluntarily disclose stored content, and sets the process the government must use to compel it (a warrant for content in electronic storage 180 days or less; a subpoena or court order with notice for older content, as the statute is written).
Exceptions: conduct authorized by the provider of the service, and conduct authorized by the user of the service with respect to communications of or intended for that user.