CIPP/US Flashcards

1
Q

What were the facts of the Lilly Case?

A

An employee accidentally sent an email to ALL users with all personal emails viewable. This was unreasonable handling of PI. No fine, but consent decree.

2
Q

FTC has regulatory authority over:

A

COPPA, FCC, Telemarketing Sales Rule, CAN-SPAM Act, Health and Human Services (HIPAA stuff), and FCRA

3
Q

FCC

A

Federal Communications Commission. - Federal Financial institution regulators

4
Q

HHS

A

Health and Human Services

  • OCR: Office of Civil Rights
  • CMS - Center for Medicare and Medicaid services

promulgated regulations to protect the PRIVACY and SECURITY of health info for HIPAA

5
Q

DOT

A

Department of Transportation

6
Q

FTC enforcement process

A
  1. Claim (press report or consumer complaint)
  2. If minor - mutual resolution FTC/respondent
  3. IF significant or pattern - investigation.
  4. If violation? Admin trial w/civil penalties if found OR consent decree (up to $16,000 per violation but no admit wrong) and fed district ct if violation.
7
Q

3 criteria for unfair trade practices

A
  1. Substantial Injury
  2. w/o offsetting benefits
  3. Consumers could not reasonably avoid.
8
Q

What are the facts of the Gateway case?

A

Unfairness case. Owned “Hooked on Phonics” and promised they would not share PI but could change info at any time. Did not seek consent (but revised policy with a PO box to opt-out) and released age range and gender PI to third parties for marketing. Fined.

9
Q

What are the facts of the BJs case?

A

Unfairness case. They had security flaws in their network access. Caused identity theft.

10
Q

What are the facts of the Google case?

A

Violated their own privacy policy. Consent decree was entered into and they agreed to form a comprehensive privacy program.

11
Q

OECD

A
  1. Organization for Economic Cooperation and Development - focuses on privacy on a global scale
12
Q

APEC

A

Asia Pacific Economic Cooperation.
- cross-border privacy enforcement arrangement is the CPEA (cross-border privacy enforcement arrangement)

  • FTC was first privacy enforcement authority.
13
Q

Steps in developing a privacy program.

A
  1. Discover
  2. Build
  3. Communicate
  4. Evolve
14
Q

Basic Elements of Incident Response (breach)

A

a. Detection - determine if it actually occurred
b. Containment/analysis and investigation- Prevent further activity
d. Notice
e. Review and follow-up/ corrective actions

15
Q

HIPAA

A

Health Insurance Portability and Accountability Act of 1996

  • Does not preempt state laws.
  • Enforced by OCR (Office of Civil Rights)
16
Q

HIPAA Privacy Rules

A

a. Must post privacy policy on website
b. Allow access to only the minimum necessary data to carry out treatment and payment.
c. Keep track of disclosures.
d. Have safeguards in place via security rules (accountability, de-identification, sometimes need notice and consent).

17
Q

HIPAA Security Rule

A

CIA - Confidentiality, Integrity, Availability

- Risk assessments should be done once a year.

18
Q

HITECH

A
  1. Health Info Tech for Economic and Clinical Health
    - Amended HIPAA by expanding to business associates involving the use or disclosure of PHI.

If significant risk of harm - must notify individual within 60 days.

Must notify HHS immediately if it affects 500+ people (and media if the 500 are in the same population).

Penalties up to 1.5 mil.

EHR - electronic health records

19
Q

GINA

A

Genetic Info Nondiscrimination Act of 2008
- Made genetic info another PHI element to prevent discrimination in hiring or insurance premiums.

  • Some exceptions: commercially/publicly available info, inadvertent collection, signed consent for a special program, need to collect info for law enforcement / quality control.
20
Q

FCRA

A
  1. Fair Credit Reporting Act.
    a. Mandates fair and accurate info
    b. Provides users ability to access and correct the info.
    f. Enforced by the FTC, CFPB, and state AGs.
    g. Private right of action with damages in 6 figures. (up to $1k per violation and $2.5k for willful)

Under Dodd-Frank, rule making shifted from here to CFPB.

Users must have a permissible purpose in order to obtain an individual’s credit report. Among these permissible purposes is the determination of a consumer’s eligibility for a license. Library records, purchase transactions and academic records do not represent a permissible purpose.

21
Q

FACTA

A

The Fair and Accurate Credit Transaction Act. (not preempted)

i. Can’t show credit numbers on receipts!
ii. You get one free credit report a year!
iii. In the past it sold a lot of info for marketing purposes.

This controls CRAs (credit reporting agencies like Experian).

22
Q

FACTA red flags rule

A

a. Aimed at combating ID theft. Mandates rules to combat this. Requires financial entities to implement written ID protection programs that explain the red flags that indicate ID theft.

23
Q

GLBA (general and privacy rules)

A

Gramm-Leach-Bliley Act: Born from the Financial Services Modernization Act of 1999. (Not preempted)

GLBA Privacy Rules: Financial Institutions must:
1. Store info securely and provide notice of policies re: sharing of personal fin info.
Prepare and provide clear and conspicuous privacy notice in 9 categories (must be provided when relationship is established then annually.)
2. Provide right to opt-out of 3rd party sharing (process w/i 30 days) (Exceptions: Joint marketing and processing.)
3. Don’t disclose to third party, except consumer reporting agency
4. Comply with regulatory gov standards
5. Privacy policy that is clear, conspicuous, and accurate. Include what info is collected, how it is protected, and opt out info.

Has nothing to do with Dept. of Commerce

No private right of action

Financial institutions are prohibited from disclosing consumer account numbers to nonaffiliated companies even if the consumer has not opted out of sharing information, but other information can be shared without obtaining an opt in.

24
Q

Dodd-Frank Wall Street Reform and Consumer Protection Act

A

Response to 2008 financial crisis.

Can enforce against abusive acts or practices –

i. if they materially interfere with a consumer's ability to understand a product or service, or
ii. take advantage of an inability to understand the risk, or
iii. an inability to protect interests, or
iv. reasonable reliance on a covered person to act in the consumer's interests.

25
Q

CFPB

A

Consumer Financial Protection Bureau. -

Part of the Federal Reserve. Rule-making authority for the FCRA, GLBA, and Fair Debt Collection Practices Act.

Created by the Dodd-Frank…Act.

26
Q

BSA

A
  1. Bank Secrecy Act.

Contains regulations relating to currency transactions, transportation of monetary instruments and the purchase of currency-like instruments.

A SAR is filed if it is suspected this is violated.

27
Q

Anti-Money Laundering Laws

A
  1. BSA
  2. Currency and foreign transaction report (1970)
  3. US Patriot Act
28
Q

The International Money Laundering Abatement and Anti-Terrorism Financing Act.

A
  1. Part of the Patriot Act.

Expanded the reach of the BSA and made changes to anti-money-laundering laws.

29
Q

SAR

A

Suspicious Activity Report.

30
Q

When does a financial institution have to file a SAR?

A

i. Suspects an insider is committing or aiding in a crime
ii. When entity detects possible crime of $5,000 or more and substantial basis to ID suspect.
iii. When entity detects possible crime of $25,000 or more even without basis to ID suspect.
iv. When entity suspects currency transactions of $5,000+ that involve potential money laundering or violation of acts.

31
Q

FERPA (aka Buckley Amendment)

A
  1. Family Educational Rights and Privacy Act.
    i. No private right of action (doesn’t cover private schools)
    ii. Employee and alumni records are NOT educational records.
    iii. Education records may be disclosed when (just need one)…
      1. Not PI
      2. Directory info that has not been blocked.
      3. Student provided consent
      4. Student makes the disclosure.
      5. A statutory exception applies.

Provides for major aspects of FIPPS (fair info practice principles) including notice, consent, access, and correction, security, and accountability.

If a student requests their records, the institution must provide access to those records within 45 days.

32
Q

PPRA

A
  1. Protection of Pupil Rights Amendment (FERPA amended)
    - Includes private family info as PI and gave rights to parents of minors with regard to collection of sensitive information.
33
Q

NCLB

A
  1. No Child Left Behind Act

Broadened PPRA to limit the collection and disclosure of student survey info. Added collection, access, notice, and opt-out rights for parents re: child info.

34
Q

Intrusion on seclusion

A

Tort right of action (can use for telemarketing). Must prove the intrusion is highly offensive to a reasonable person. One exception is unwanted and deceptive marketing.

35
Q

TSR

A

Telemarketing Sales Rule. Implemented in 1995 and most recently amended in 2010.

Requires telemarketers to keep records of anything related to telemarketing for 2 years.

36
Q

TCPA

A

1991 (amd. 2012) Telephone Consumer Protection Act. - FTC enforced.

Prohibits automatic telephone dialing systems from making calls to any cell phone or other service “for which the called party is charged for the call.”

Unauthorized faxes not allowed. Must have consent or valid business relationship.

i. Telemarketing – Uses one or more telephones and involves 1 or more interstate calls.
ii. Must maintain DNC lists (*must call between 8a-9p) or pay up to $16,000 per violation.
iii. Exceptions – Nonprofits and existing business relationships (EBRs) and consumer opt-in.

37
Q

DNC Safe Harbor

A

Do Not Call safe harbor. Seller must comply with rules (see below) and …

i. Provide training to staff
ii. ID how to get DNC and ensure compliance
iii. Must have documentation
iv. People responsible and accountable
v. Must have program to monitor/enforce policies.

38
Q

DNC rules

A
  1. Between 8am - 9pm
  2. Avoid people on DNC list.
  3. Must display accurate id info
  4. Must immediately ID themselves and what they’re selling.
  5. Disclose all material info and terms
  6. Comply with prize and promo terms
  7. Respect call-back and end-call requests.
  8. Retain records for 24 hours.
  9. Prior express consent for robocalls.

No preemption – so state laws can be stricter.

No disclosures required if no intent to sell goods or services.

39
Q

CAN-SPAM

A

a. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003.
  i. Must clearly ID sender.
  ii. Must provide opt-out/unsubscribe
  iii. Rules for MSCMs – mobile service commercial messages.
    1. Have unique electronic address
    2. Wireless domain name list is maintained – and the rules only apply to these.
    3. Must have express prior positive authorization

40
Q

Telecommunications Act

A
  1. CPNI is PI
    a. Can use for billing, collections, fraud prevention, customer service, and emergency services. Otherwise they can only use with opt-in, express consent, or as required by law.
    b. Now people need passwords to access phone activities and CPNI.
41
Q

CPNI

A

Consumer Proprietary Network Info.

Info collected by telecommunications carriers related to their subscribers.

Carriers must get express consent to share with 3rd parties but can share if there is a joint venture or independent contractors, unless the subscriber opts out within 30 days of being notified.

42
Q

Cable Television Privacy Act

A
  1. Protects the personal information of customers of cable service providers. Incorporates OECD guidelines.
43
Q

VPPA

A
  1. Video Privacy Protection Act - Regulates use and disclosure of PI collected by cable providers.
44
Q

Situations where an organization must disclose to the gov.

A

a. FDA requires reporting of serious adverse events or product problems under the Food, Drug and Cosmetic Act.
b. Dept. of Labor, Health and Safety requires compilation and reporting of workplace injuries and illnesses.
c. Wiretaps – super strict and needs PC
d. HIPAA and COPPA – forbid 3rd party disclosure without opt-in.
e. GLBA – forbids 3rd party disclosure unless the consumer did not opt out.

45
Q

4th Amdt. general concept.

A

“right to be secure…against unreasonable searches and seizures…without probable cause.”

46
Q

ECPA

A
  1. Electronic Communications Privacy Act. Does not preempt state law.

“Trap and trace” devices and pen registers OK if part of an ongoing investigation.

Extends ban on interception to e-communications. (with Title 3 laws)

There IS private right of action

47
Q

Telephone Wiretap Law –>

Olmstead, Katz and Jones holdings

A

Olmstead – Holding: Don’t need a warrant.
Katz – Holding: Need a warrant for wiretap
Jones – Holding: it was a trespass to track a car

48
Q

SCA

A
  1. Stored Communications Act generally prohibits collection or blocking while in storage w/o warrant.

Creates prohibition of acquisition or blocking of e-communications.

Exception: conduct authorized by entity when providing a service. Also, if use of that service intended for this purpose.

49
Q

RFPA

A
  1. Right to Financial Privacy Act.

No govt access unless reasonably described and meets one of the following:

  1. Customer authorizes
  2. Appropriate subpoena or summons
  3. Warrant
  4. Judicial subpoena
  5. Formal written request from gov authority.
50
Q

PPA

A
  1. Privacy Protection Act. (exception to RFPA). Protects the Media in the course of criminal investigation.

Exception – if PC that a reporter has committed or is in the process of committing a crime (doesn’t count if in possession or receipt of work product only)

51
Q

Zurcher v. Stanford Daily

A

Searched unpublished photos. SCOTUS decided search warrants were valid to search any property with probable cause that evidence of a crime will be found.

PPA later passed, making those searches unlawful UNLESS PC that a reporter has committed or is in the process of committing a crime (doesn’t count if in possession or receipt of work product only)

52
Q

215 of Patriot Act

A
  1. Can demand production of info from companies for anti-terrorism.
53
Q

NSL

A

National Security Letter - Prior to 2001 this was used narrowly only with FBI order. This was expanded in Patriot Act.

2006 – Can be issued by authorized officials now. Generally can issue w/o any judicial involvement. Recipients can petition, however, if oppressive or unreasonable.

  1. Request may be disclosed to legal counsel and those necessary to comply.
  2. Recipients can also petition a court to modify or end secrecy requirement.
  3. 5+ years in prison and fines up to $250,000 for an individual if improper disclosure.
54
Q

FISA

A
  1. Foreign Intelligence Surveillance Act -
    as amended by US Patriot Act

Standards and procedures for electronic surveillance.

If a Co. receives a FISA order, then the recipient Co. cannot disclose the fact of the order to the target of the investigation.

FISA gave legal authorization of some new surveillance practices

55
Q

PO or QPO

Rule 26(c) of Civ Pro
Rule 49.1 of Crim Pro
Rule 9037 of Bankruptcy Pro

A

Qualified Protective Order- When requesting health info, this order states the acquired health info can only be used for litigation.

Redaction utilized (last 4 digits of sensitive ID #s and PCI, DOB, all minor info (use initials))

56
Q

PI disclosure is prohibited with the following acts

A

COPPA, GLBA, and HIPAA (not the ECPA)

57
Q

COPPA

A

Children’s Online Privacy Protection Act.

Regulates collection and use of info of kids under 13 by commercial website operators.

No private right of action. Enforcement actions include consent decrees ranging from $50k to $3 million.

Exceptions to the notice rule include: if it's collected along with the parent's info to get consent; to respond once if they delete the kid's email right away or send notice to the parent; and for the safety of the kid.

COPPA safe harbor programs -
CARU - the BBB Children’s Advertising Review Unit.
ESRB - Entertainment Software Rating Board
Truste
Privo, Inc
Aristotle Int. Inc.

58
Q

CALEA or “Digital Telephony Bill”

A
  1. Communications Assistance for Law Enforcement Act. -

Requires telecommunications companies to keep different types of data depending on investigative warrants

59
Q

Common Torts actions re: Workplace Privacy

A

i. Intrusion upon seclusion
ii. Publicity given to private life/facts
iii. Defamation or false light (i.e., false drug test or factually incorrect reference)

60
Q

General Workplace Privacy rules to remember

A
  1. This is a matter of K law in US.
  2. Can’t ask for history of workman’s comp.
  3. In Delaware, no Co can monitor or intercept phone convos without notice once a day.
61
Q

Laws that protect employee privacy.

A

HIPAA, COBRA, ERISA, Family and Medical Leave Act.

62
Q

COBRA

A
  1. Consolidated Omnibus Budget Reconciliation Act

Requires qualified health plans to still provide coverage after termination of certain beneficiaries

63
Q

ERISA

A
  1. Employee Retirement Income Security Act.

Ensures emp. benefits programs are created fairly w/ proper admin.

Health plan providers cannot adjust premiums based on genetics.

64
Q

Family and Medical Leave Act

A

Right to time off for birth or illness for self or family.

65
Q

Fed Agencies that enforce employment privacy

A

Dept. of Labor, EEOC, FTC, CFPB, NLRB (NLRA board)

66
Q

Department of Labor

A

Helps people find work and helps with national efforts.

67
Q

EEOC

A

Equal Employment Opportunity Commission

  1. Prevents discrimination
  2. Enforces title 7, anti-age discrimination, 1990 ADA
68
Q

NLRB

A

The National Labor Relations Board

Administers the NLR Act and deals with unfair labor practices.

69
Q

NCPA

A

National Child Protection Act

Allows background checks for work with kids and extra access to info.

70
Q

FCRA standards to meet to conduct background checks

A

i. Written notice and consent
ii. Use of qualified CRA
iii. Certification of a permissible purpose
iv. Must provide report to dispute if they are going to take adverse action (adverse action notice).

71
Q

ICRAA

A

Investigative Credit Reporting Agencies Act (state law) - not preempted

i. Must give written disclosure before a report is obtained. Must say basically everything about the purpose of the report and all the personal info they’re getting, plus the website and numbers where the employee can find more info on privacy practices.
ii. Consent requirements – FCRA does not preempt states from conducting credit checks and only some states limit credit history for employment (sometimes depends on the job being hired for).

72
Q

Monitoring state laws to remember

A

In CA, no cameras in places where people change clothes. MI – no cameras in private places.

Should limit to “non-private” areas of the workplace to avoid suits. Even in the absence of statutes, common-law tort claims can be brought.

73
Q

EPPA

A
  1. Employee Polygraph Protection Act.

Psych screening tests, stress tests or lie detector tests are not allowed.

Exceptions: gov. employees, controlled substances professions, national security jobs, ongoing investigation, some contractors.

74
Q

Hiring and Drug use

A

Alcoholism must be disclosed (even though it is a disability) if necessary for the job

Not allowed to discriminate on past drug use unless it is clear from policy it's needed for the job. Exceptions: transportation settings.

Allowed to ID illegal drugs if employer has a reasonable suspicion from behavior, looks, and odors. Employees must be notified at time of hire. (ADA excludes current illegal drug use from their protections)

75
Q

An employer may ask if employee needs reasonable accommodations at what time?

A

After an offer of employment.

76
Q

CA Assembly Bill – 1950

A

2004: CA companies must have reasonable data security and must have reasonable security controls for PI and contractually obligate vendors and sub-contractors to have the same standards.

77
Q

MA 201 CMR 17 - 2010

A

Detailed min standards and tech requirements for maintaining records and data. – must review at least once a year or if business changes.

78
Q

WA HB 1149 - 2010

A

a. Incorporates PCI DSS standards. Lets banks recover the cost of reissuing debit cards from a large processor who handled them negligently. Processor then should encrypt and notify w/i 1 year.
  i. Example of trying to incorporate PCI standards. MI and NV enacted similar laws earlier.
  ii. CA prevents use of SSNs

79
Q

Privacy Rights clearinghouse

A

Database of data breach incidents since 2005.

80
Q

States that have Data breach notification laws

A

Every state as of Jun 2012 besides New Mexico, South Dakota, Alabama, and Kentucky.

81
Q

Definitions of PI across states

A
  1. CT: first and last name (or initials) in combination with SSN, license, ID #, PCI, access codes/passwords.
  2. NV excludes last 4 of SSN as PI
  3. AK, CA, MS, TX, and VG include med and healthcare info
  4. OR, NE, NC, and WI include unique biometric data
  5. WI includes DNA profile
  6. ND includes mom's maiden name
  7. CA - name plus (1 of the following) SSN, ID #, license, or PCI. OR card # with another code. (there is private right of action).
82
Q

Definitions of “data breach” across states

A
  1. CT - unauthorized access to or acquisition of electronic files containing PI when it is not secured by encryption or another anonymization of the info.
  2. FL – “material compromise”
  3. KS, SC – cause (or likely to cause) ID theft or material harm

CA - excludes encrypted data

Some states have a private right of action; others reserve enforcement to the AG.

83
Q

Whom to and when to notify across states.

A

TX – must notify residents and notify AG and reporting agencies (CRAs).

Idaho - gotta notify AG w/i 24 hours of detection

CA - gotta notify AG ASAP if >500 residents affected.

Puerto Rico – notification w/i 10 days of detection and the entity will make info public w/i 24 hours

MA – report to AG; prohibits reporting the number of affected individuals in a data breach notification.

LO - tell AG w/i 10 days

14 states gotta tell AG

84
Q

What to include in notification (NC ex.)

A
  1. Description of incident
  2. Description of type of info
  3. Description of what business has done to prevent further access
  4. Who they can call for further info
  5. A warning for them to stay vigilant
  6. Toll-free numbers for reporting agencies
  7. Toll-free numbers for FTC and NC AG telling them those sources have more info on ID theft.
85
Q

Destruction Laws by state

A

a. As of July 2012, 26 states have data destruction laws, often incorporated in breach notification laws. They vary in:
  i. Applicability
  ii. Requirements
  iii. Exemptions
  iv. Covered media
  v. Penalties

i. AZ – this law only applies to paper records
ii. Alaska – right to private action
iii. CA – “unreadable or undecipherable through any means”
iv. IL, UT – gov entities only
v. NY – for profit business only
vi. MA – steep penalties (not more than $100/data subject not to exceed $50,000 for each instance).

86
Q

TX whom to notify provision

A

must know for some reason….

87
Q

Reliable methods to verify parental consent via COPPA

A
  1. provide a form for the parent to print, fill out, sign, and mail or fax back to you (the “print-and-send” method);
  2. require the parent to use a credit card in connection with a transaction (which could consist of a membership or subscription fee, a purchase, or a charge to cover the cost of processing the credit card).
  3. maintain a toll-free telephone number staffed by trained personnel for parents to call in their consent; or
  4. obtain consent through an email from the parent, if that email contains a digital signature, or other digital certificate that uses public key technology obtained through one of the above methods.
88
Q

Appropriate reasons for disclosing empl. PI

A

Determining legal standing or citizen status, retirement planning and group insurance underwriting.

(NOT test marketing new products)

89
Q

What's generally required in a breach notification letter

A
  1. A brief description of the incident,
  2. The type of information involved, and
  3. A toll-free number for answers to questions.
90
Q

What is a consent decree?

A

A judgment entered by consent of the parties whereby the defendant agrees to stop illegal activity without admitting guilt or wrongdoing.

91
Q

FTC

A

1914 (antitrust) then 1938 (for consumer protection) Federal Trade Commission.

Generally protects against deceptive and unfair practices via Title 5.

92
Q

Dept of Commerce

A

Plays a leading role in Fed privacy development and administers the Safe Harbor agreement (now Privacy Shield).

93
Q

Magnuson-Moss Warranty FTC improvement act

A

1975 - businesses must comply with this to avoid being found to engage in deceptive or unfair practices by the FTC.

94
Q

What happened in the GeoCities, Inc. case?

A

GeoCities was found to misrepresent how they used user info, and they collected and maintained children’s PI w/o consent. Consent order required them to post an accurate and conspicuous privacy notice and get parental consent for children.

95
Q

What happened in the Microsoft Corp matter?

A

FTC found the “high-level” online security claims were misleading because this security process was in the control of 3rd party vendors. They also collected and shared more info than claimed in the privacy notice.

96
Q

What happened in the FB case?

A

Deceptive case. FB repeatedly changed services so previously private info was made public. Settlement required FB to provide users with clear notice and obtain consent before making these changes.

97
Q

What was Obama’s big privacy report?

A

2012 - Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation. Ushered in the “notice and consent approach.” The rights that were stressed to apply were:

  1. Individual control
  2. Transparency
  3. Respect for context
  4. Security
  5. Access and Accuracy
  6. Focused collection
  7. Accountability
98
Q

FTC report written around the same time as the 2012 Obama report.

A

Emphasizes three areas:
1. Privacy by Design - incorporate privacy at all stages of business.
2. Simplified Consumer Choice.
3. Transparency

Also:

Do Not Track
Mobile
Data brokers
Large platform providers
Promoting enforceable self-regulatory codes.
99
Q

UDAP statutes

A

Unfair and Deceptive Acts and Practices statutes (from Section 5 of the FTC act)

Whether there is a private right of action depends on the state.

100
Q

PCI DSS

A

Payment Card Institute Data Security Standard (PCI DSS)

101
Q

GPEN

A
  1. Global Privacy Enforcement Network - aims to promote cross-border sharing and investigation / enforcement.

Response to the OECD recommendation on cross-border co-operation in the enforcement of laws protecting privacy.

102
Q

4 requirements for users of consumer reports (under FCRA)

A
  1. Must be appropriately accurate, current, and complete.
  2. Consumers receive notice if used to make adverse decisions. (within 60 days)
  3. Reports only used for permissible purposes.
  4. Must have access to reports and ability to correct
103
Q

FACTA disposal rule

A

Must dispose of consumer info in reports to prevent unauthorized access or misuse of data.

104
Q

FIRREA

A

Financial Institutions Reform, Recovery, and Enforcement Act.

Failing to comply with GLBA may be subject to penalties under this. Ranges from $5.5k to $27.5k if reckless. Up to $1.1 mil if “knowing” violation.

105
Q

What agency implemented the model short privacy notice in 2009?

A

The Financial Services Regulatory Relief Act of 2006

106
Q

GLBA Safeguards Rule

A

Must have 3 levels of security:

  1. Admin security
  2. Tech security
  3. Physical security
107
Q

What are NOT considered “educational records” under FERPA?

A
1. Campus police records
2. Employment records
3. Treatment records
4. Applicant records
5. Alumni records
6. Grades on peer-graded papers
108
Q

DNC rules do not apply to …

A
  1. Nonprofits calling on their own behalf
  2. Calls to customers with an existing relationship within the last 18 months.
  3. Inbound calls, provided there is no “upselling”
  4. Most business-to-business calls.
109
Q

Abandonment Safe Harbor

A

Telemarketer must:

  1. Use tech to ensure no more than 3% of calls are abandoned. 97% must reach a live rep.
  2. Allow the phone to ring 15 seconds or 4 rings before disconnecting unanswered calls.
  3. Within 2 seconds of answering, a recorded message says the name and phone # of the seller when a live sales rep is unavailable.
110
Q

JFPA

A

2005, Junk Fax Prevention Act. - consent can be inferred from an existing business relationship (EBR)

111
Q

CAN SPAM

A
  1. Controlling the Assault of Non-Solicited Pornography and Marketing Act.

Rules of the road for how legit organizations send emails, including ID of the sender and a simple unsubscribe or opt-out. Up to $16,000 per violation. Preempts most state laws.

No private right of action but provides for injunctive relief and damages up to $250 per violation with a max of $2 million in award. Egregious violations = 5 years prison.

PROHIBITS:

  1. False/misleading headers
  2. Deceptive subject lines
  3. Commercial email (following a grace period of 10 business days) to someone who opted out of future email.
  4. Aggravated violations
  5. All sexually oriented material must come with a warning label (unless consent)

REQUIRES

  1. Functioning, clearly and conspicuously displayed return e-mail address.
  2. Clear and conspicuous notice of opportunity to opt out for free.
  3. Commercial emails must include 1) clear and conspicuous ID of the message (unless consent already given) and 2) valid postal address or PO box of sender
112
Q

CA Online Privacy Protection Act

A
  1. First state law to require owners and operators of websites and online services to conspicuously post a privacy notice on their website. (pg 112 for reqs of what the privacy notice requires).

If non-compliant, they have 30 days to post an appropriate privacy notice.

No specific enforcement provisions - but may be enforced through fraudulent business practices laws.

113
Q

Disclosure to the gov forbidden by law.

A

HIPAA and COPPA forbid disclosures of covered info to 3rd parties unless opt-in. GLBA forbids disclosures unless opt-out.

114
Q

ESI

A

Electronically stored info.

Is a sub-discipline of e-discovery which implicates domestic and trans-border data flows.

115
Q

Aerospace v. Iowa

A

Set out factors for knowing if a trans-border transfer of data is appropriate.

  1. The importance of the documents or data to the litigation at hand.
  2. The specificity of the request
  3. Whether the info originated in the U.S.
  4. The availability of alt means of securing the info.
  5. (most important) The extent to which the important interests of the US and the foreign state would be undermined by an adverse ruling.
116
Q

Federal Laws Protecting Employee Privacy

A

Civil Rights Act of 1964

Pregnancy Discrimination Act

ADA of 1991

Age Discrimination Act

Equal Pay Act of 1963

GINA of 2008

117
Q

Laws regulating employee benefits management

A

HIPAA, COBRA, ERISA, FMLA

118
Q

FMLA

A

Family and Medical Leave Act - entitles certain employees to leave in the event of birth or illness of self or family.

119
Q

Fed laws that help with employee privacy regarding data collection and record keeping

A

FCRA
FLSA - Fair Labor Standards Act
OSHA - Occupational Safety and Health Act
Whistleblower Protection Act
NLRA - National Labor Relations Act
ICRA - Immigration Reform and Control Act
Securities and Exchange Act

120
Q

Canada’s 1990s “privacy by design” framework

A

(1) Proactive not Reactive; Preventative not Remedial; (2) Privacy as the Default Setting; (3) Privacy Embedded into Design, (4) Full Functionality — Positive-Sum, not Zero-Sum; (5) End-to-End Security — Full Lifecycle Protection; (6)Visibility and Transparency — Keep it Open; and (7) Respect for User Privacy — Keep it User-Centric.