CIPP / US Book Flashcards

Question

Data processor

Answer 1

An individual or organization, often a third-party outsourcing service, that processes data on behalf of the data controller. Under the Health Insurance Portability and Accountability Act (HIPAA) medical privacy rule, these data processors are called “business associates.”

Answer 2

1. Remedy past injustices 2. Ensure consistency with European privacy laws 3. Promote electronic commerce

Answer 3

Emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. Co-regulation can exist under both comprehensive and sectoral models Ex./ Children’s Online Privacy Protection Act in the United States

Answer 4

- Emphasizes creation of codes of practice for the protection of personal info by a company, industry or independent body - In contrast to the co-regulatory model, there may be no generally applicable data protection law that creates a legal framework for the self-regulatory code Examples: Payment Card Industry Data Security Standard (PCI-DSS), seal programs

Answer 5

CAN-SPAM provides the FTC and the FCC with the authority to issue regulations that set forth exactly how the opt-out mechanism must be offered and managed

Answer 6

Requires the senders of commercial email messages to offer an “opt-out” option to recipients of these messages

Answer 7

Notices have two purposes: (1) consumer education and (2) corporate accountability

Answer 8

“May we share your information?” Failure to answer would result in the information not being shared

Answer 9

If a company states “unless you tell us not to, we may share your information,” the person has the ability to opt out of the sharing by saying no. Failure to answer would result in the information being shared

Answer 10

The FTC has general authority to enforce against unfair and deceptive trade practices, notably including the power to bring “deception” enforcement actions where a company has broken a privacy promise. In certain areas, such as marketing communications and children’s privacy, the FTC has specific regulatory authority

Answer 11

Federal banking regulatory agencies (such as the Consumer Financial Protection Bureau, Federal Reserve, and Office of the Comptroller of the Currency), the FCC, the U.S. Department of Transportation, and the U.S. Department of Health and Human Services, through its Office of Civil Rights

Answer 12

- Network Advertising Initiative - The Direct Marketing Association - The Children’s Advertising Review Unit

Answer 13

1. Who is covered by this law? 2. What types of information (and what uses of information) are covered? 3. What exactly is required or prohibited? 4. Who enforces the law? 5. What happens if I don't comply? 6. Why does this law exist?

Answer 14

- Entities that do business in California and that own or license computerized data, including personal info. It applies to natural persons, legal persons and gov't agencies. - Companies in MN or NY don't count (altho they may wish to be careful about what counts as “doing business”), even if they conduct business in CA, it doesn't count if they don’t have computerized data

Answer 15

Regulates the computerized personal information of CA. “Personal information” is an individual’s name in combination with any one or more of the following: (1) Social Security number; (2) California identification card number; (3) driver’s license number; or (4) financial account, credit, or debit card number in combination with security code, access code or password information required to permit access to an individual’s financial account, when either the name or the data elements are NOT ENCRYPTED

Answer 16

- Requires all persons to disclose any breach of system security to any resident of California whose unencrypted personal info was or is reasonably believed to have been acquired by an unauthorized person - A breach of the security of the system means unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal info maintained by the person - Disclosure must be made in as expedient a manner as possible. Exceptions: good faith acquisition of personal information by an employee or agent of the business, provided the personal information is not used or subject to further unauthorized disclosure

Answer 17

The California attorney general enforces the law, and there is a private right of action

Answer 18

The California attorney general or any citizen can file a civil lawsuit against a noncompliant party seeking damages and forcing compliance

Answer 19

SB 1386 was enacted because security breaches of computerized databases are feared to cause identity theft—and individuals should be notified about these breaches so they can take steps to protect themselves. Anyone with a security breach that puts people at real risk of identity theft should consider notifying them even if they are not subject to this law

Answer 20

Are carried out pursuant to the statutes that create and empower an agency, such as the FTC and the FCC

Answer 21

- The FTC was founded in 1914 to enforce antitrust laws, and its general consumer protection mission was established by a statutory change in 1938. - The FTC navigates both roles today, and privacy and computer security issues have become an important part of its work. - The FTC is an independent agency instead of falling under the direct control of the president

Answer 22

Has been increasingly active over time on privacy, especially by negotiating internationally on privacy issues with other countries and in multinational groups such as the United Nations or the Organization for Economic Co-operation and Development (OECD)

Answer 23

Plays a leading role in federal privacy policy development and administers the Privacy Shield Framework between the United States and the EU

Answer 24

- The agency responsible for transportation companies under its jurisdiction and for enforcing violations of the Privacy Shield Framework between the U.S. and the EU for some transportation companies. - Within DOT, the Federal Aviation Administration (FAA) has recently played an increasing role for drones. - The National Highway Traffic Safety Administration (NHTSA), also within DOT, addresses privacy and security issues for connected cars

Answer 25

The lead agency for interpreting the Privacy Act of 1974, which applies to federal agencies and private-sector contractors to those agencies. The OMB also issues guidance to agencies and contractors on privacy and information security issues, such as data breach disclosure and privacy impact assessments

Answer 26

Faces numerous privacy issues, such as the E-Verify program for new employees, rules for air traveler records (Transportation Security Administration), as well as immigration and other border issues (Immigration and Customs Enforcement)

Answer 27

- Any such regulation must comply with the complex and lengthy procedures under the Magnuson-Moss Warranty Federal Trade Commission Improvement Act of 1975. - As of the date of writing, the FTC had not put forth any privacy or information security regulation under its Magnuson-Moss authority

Answer 28

The FTC has broad investigatory authority, including the authority to subpoena witnesses, demand civil investigation and require businesses to submit written reports under oath aka Step 1 of FTC action

Answer 29

The commission may initiate an enforcement action if it has reason to believe a law is being or has been violated

Answer 30

An administrative trial can proceed before an ALJ. If a violation is found, the ALJ can enjoin the company from continuing the practices that caused the violation

Answer 31

The decision of the ALJ can be appealed to the five commissioners. That decision, in turn, can be appealed to federal district court

Answer 32

Company: avoids a prolonged trial, negative ongoing publicity, avoids having the details of its business practices exposed to the public FTC: (1) achieves a consent decree that incorporates good privacy and security practices, (2) avoids the expense and delay of a trial and (3) gains an enforcement advantage because monetary fines are much easier to assess in federal court if a company violates a consent decree than if no decree is in place

Answer 33

Under the FTC’s “Sunset Policy,” administrative orders such as consent decrees are imposed for up to 20 years

Answer 34

Its Bureau of Consumer Protection negotiated such decrees for other consumer protection issues such as false advertising or unfair debt collection practices under Section 5 of the FTC Act

Answer 35

- GeoCities operated a website that provided an online community through which users could maintain personal home pages. Users were required to fill out an online form that requested certain personal info, w/ which Geocities created an extensive info database. - Geocities promised on its website that the collected info would not be sold or distributed w/o user consent - FTC alleged GeoCities misrepresented how it would use info collected from its users by reselling the info to 3rd parties, which violated its privacy notice - GeoCities settled the action and the FTC issued a consent order >> required GeoCities to post and adhere to a conspicuous online privacy notice that disclosed to users how it would collect and use personal info

Answer 36

- Eli Lilly and Company (pharmaceutical manufacturer) maintained a website where users could provide personal info for messages and updates reminding them to take their medication - The website included a privacy notice that made promises about the security and privacy of the info provided - Eli Lilly decided to end the program >> sent subscribers an email announcement >> accidentally revealed the email addresses of all subscribers - FTC and Eli Lilly reached a settlement >> required Eli Lilly to adhere to representations about how it collects, uses, and protects user info - It required, for the first time in an online privacy and security case, that Eli Lilly develop and maintain an information privacy and security program

Answer 37

For a practice to be deceptive, it must involve a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances

Answer 38

- False promises - Misrepresentations - Failures to comply with representations made to consumers, such as statements in privacy policies and Safe Harbor or Privacy Shield certifications

Answer 39

- Nomi provided a service to brick-and-mortar businesses whereby Nomi placed sensors in these retail businesses to detect the MAC addresses of mobile devices that are searching for Wi-Fi service - Nomi used the info that it collected to provide analytics reports to its business clients about their customers’ retail traffic patterns - According to the FTC, Nomi misled consumers about the ability to opt out of their service and failed to inform these consumers about the location of stores where the tracking was taking place. - The consent order that Nomi entered into w/ the FTC restricted the company from continuing to engage in these business practices for 20 years

Answer 40

- Snapchat promised its customers that its app provided a private, short-lived messaging service - The consumer set a timer for the snap to be viewed, and after that time expired the snap disappeared “forever.” - Snapchat’s app included a feature to “Find Friends” that appeared to the user as the only means to choose to provide info to the company about individuals the user knew. - According to the FTC, Snapchat was aware of numerous methods that could be employed to save chats indefinitely, and it was actually collecting the names and phone numbers of all contacts in the user’s mobile device address book >> Snapchat failed to adequately secure the Find Friends feature. - Because of the lax security measures, hackers managed to compile a database of millions of user names and phone numbers and subjected these individuals to spam, phishing, and other unsolicited communications. - Snapchat entered into a consent order w/ the FTC in 2014 agreeing that it would not engage in these business practices for the next 20 yrs

Answer 41

- TRUSTe, Inc. (now doing business as TrustArc) is a business that provides certifications to companies regarding privacy issues. - The business has provided a seal to companies that have privacy practices in compliance with standards such as COPPA and the U.S.-EU Safe Harbor Framework. - According to the FTC, TRUSTe failed to conduct annual recertifications in more than 1,000 instances from 2006 to Jan 2013, despite claiming to conduct recertifications every year on its website - In the settlement agreement w/ FTC, TRUSTe was required to maintain comprehensive records for 10 yrs related to its certifications and to pay a $200,000 civil penalty

Answer 42

Unfair claims can exist even where the company has not made any deceptive statements if the injury is substantial, lacks offsetting benefits, and cannot be easily avoided by consumers

Answer 43

The FTC has sanctioned companies for unfair practices when they failed to implement adequate protection measures for sensitive personal information or when they provided inadequate disclosures to consumers. In 2015, the federal appellate court determined that the company does not act appropriately “when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits for their business. (“FTC v. Wyndham Worldwide Corp.).

Answer 44

Wyndham Worldwide Corporation, a hotel company that suffered three hacks to its systems from 2008 to 2009 >> FTC investigated Wyndham for unfair and deceptive trade practices >> FTC asserted that Wyndham: - Stored credit card info in unencrypted text - Permitted passwords for property management systems to be easily guessable - Failed to use firewalls between individual hotels, corporate systems and the Internet - Allowed out-of-date operating systems to run on property management systems and failed to update these computers w/ timely security updates - Failed to adequately control computer access by 3rd-party vendors - Did not have unauthorized access detection measures in place - Failed to add security measures after they suffered known breaches FTC sought to sanction >> Wyndham initially chose not to settle the case. In 2012, the FTC filed suit against the company in U.S. District Court. Wyndham challenged the FTC’s authority to require the company to meet more than the minimum standards set forth in the FTC Act, Sec 5 >> Dist Ct ruled for the FTC >> 3d Cir. Ct affirmed for the FTC, the FTC’s longstanding authority to regulate “unfair methods of competition in or affecting commerce” under the FTC Act Sec 5 extended to regulation of cyberspace practices that are harmful to consumers

Answer 45

- LabMD was significantly hacked on two separate occasions in 2009 and 2012. - According to the FTC’s complaint, sensitive patient info for thousands of LabMD customers was taken in the 1st hack and placed on a peer-to-peer file-sharing network. Info included names, Social Security numbers, birth dates, health insurance provider info, and standardized medical treatment codes - LabMD was hacked a 2nd time >> at least 500 customer names and Social Security numbers being found in the possession of identity thieves - FTC brought an enforcement action under FTC Act, Sec 5 claiming that LabMD engaged in unfair trade practices by failing to take appropriate measures to prevent unauthorized disclosure of sensitive data on its network - Rather than enter into a consent order w/ FTC, LabMD chose to proceed w/ an administrative hearing before an ALJ

Answer 46

- LifeLock case illustrates the ongoing consequences for a company operating under an FTC consent decree - In 2006, LifeLock began an advertising campaign claiming that it could prevent all identity theft in exchange for consumers paying a monthly fee for its services. - Prominent in the LifeLock ads was the Social Security number of the company’s CEO. - In 2010 FTC enforcement action against the company, asserting LifeLock’s business practice was deceptive because its approach to protecting customers against identity theft addressed only certain forms of identity theft. - FTC alleged that LifeLock failed to encrypt its customers’ data or to properly restrict access to data held by the company, putting the data it held at risk

Answer 47

- DesignerWare case illustrated FTC unfairness concerns that go beyond data breach - DesignerWare licensed software to rent-to-own companies to help them track and recover rented computers >> the software could log keystrokes, capture screenshots, and take photographs using a computer’s webcam - Data gathered by DesignerWare and provided to rent-to-own stores revealed sensitive info about computer users: user names and passwords; Social Security numbers; medical and financial records; and webcam pictures of children, partially undressed individuals, and intimate activities. - DesignerWare used geolocation tracking software w/o obtaining permission of the computer users and presented a fake software program registration screen on the users’ computer that tricked individuals into providing their personal contact info. - FTC alleged that DesignerWare and 7 rent-to-own companies involved engaged in unfair practices of surreptitiously collecting webcam photos and consumer info and inappropriately using geolocation info, and the deceptive practice of using fake software registration >> consent order entered into w/ FTC, the companies agreed not to engage in these practices for 20 yrs

Answer 48

IRS TAFA 1. Individual control 2. Respect for context 3. Security 4. Transparency 5. Access and accuracy 6. Focused collection 7. Accountability

Answer 49

1. Privacy by design 2. Simplified consumer choice 3. Transparency

Answer 50

1. Do not track mechanism 2. Mobile 3. Data brokers 4. large platforms providers 5. Promotion of enforceable self-regulatory codes

Answer 51

- ASUS failed to address security issues with routers, and hackers exploited these security flaws to gain unauthorized access to the storage units of 12,900 customers. - TRENDnet failed to secure live video feeds from 700 customers, allowing hackers to post links to these live video feeds.

Answer 52

Yes. Plaintiffs can sue under the privacy torts, which traditionally have been categorized as intrusion upon seclusion, appropriation of name or likeness, publicity given to private life, and publicity placing a person in false light

Answer 53

Failure to comply can lead exclusion from Visa, MasterCard or other major payment card systems, as well as penalties of $5,000 to $100,000 per month

Answer 54

Third-party privacy seal and certification programs play an important role in providing assurances that companies are complying with self-regulatory programs

Answer 55

A coalition of media and advertising organizations. The DAA helped develop an icon program, intended to inform consumers about how they can exercise choice with respect to online behavioral advertising. The AdChoices system allows users to click on an icon near an ad or to visit the AdChoices website and choose to what extent the user will view behavioral ads from participating advertisers

Answer 56

- Discuss the practical aspects of privacy law enforcement cooperation - Share best practices in addressing cross-border challenges - Work to develop shared enforcement priorities - Support joint enforcement initiatives and awareness campaigns

Answer 57

In response to the recommendation, the FTC, along with enforcement authorities from around the world, established the Global Privacy Enforcement Network (GPEN) in 2010

Answer 58

GPEN aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world

Answer 59

Aims to establish a framework for participating members to share information and evidence in cross-border investigations and enforcement actions in the Asia-Pacific region

Answer 60

1. legal risks 2. reputational risks 3. operational risks 4. investment risks

Answer 61

1. Discover - Issue identification and self-assessment - Determination of best practices 2. Build - Procedure development and verification - Full implementation 3. Communicate - Documentation - Education 4. Evolve - Affirmation and monitoring - Adaptation

Answer 62

This inventory should include both customer and employee data records. It should document data location and flow as well as evaluate how, when and with whom the organization shares such information—and the means for data transfer used. This sort of inventory is legally required for some institutions, such as those covered by the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. The benefits of the inventory apply more generally, because it identifies risks that could affect reputation or legal compliance

Answer 63

- Defines the clearance of individuals who can access or handle that data, as well as the baseline level of protection appropriate for that data. - Most orgs handle different types of PI, such as personnel and customer records, as well as other info the orgs treats as sensitive, such as trade secrets and business plans - In the U.S., classification is often important for compliance purposes because of sector-specific privacy and security laws

Answer 64

An organization chart can be useful to help map and document the systems, applications and processes for handling data. Documenting data flows helps identify areas for compliance attention

Answer 65

Some helpful questions for privacy professionals when doing due diligence and for an organization to consider as it addresses privacy risks: LSEWHU - Where, how and for what length of time is the data stored? - How sensitive is the info? - Should the info be encrypted? - Will the info be transferred to or from other countries, and if so, how will it be transferred? - Who determines the rules that apply to the info? - How is the information to be processed, and how will these processes be maintained? - Is the use of such data dependent upon other systems?

Answer 66

One policy will work if an organization has a consistent set of values and practices for all its operations. Multiple policies may make sense for a company that has well-defined divisions of lines of business, especially if each division uses customer data in very different ways, does not typically share PI with other divisions, and is perceived in the marketplace as a different business

Answer 67

If the policy is not strict enough, then consumers, regulators, and the press may criticize the company for its failure to protect privacy.

Answer 68

If a policy is too strict, then open-ended statements or overly ambitious security promises can result in legal penalties or reputational problems if the organization cannot satisfy its promises

Answer 69

If a privacy policy is revised, the organization should announce the change first to employees, then to both current and former customers through its privacy notice. The FTC stated that a “material” change “at a minimum includes sharing consumer information with third parties after committing at the time of collection not to share the data.

Answer 70

1. Make the notice accessible online 2. Make the notice accessible in places of business - Clearly post the organization’s privacy notice at the location of business in areas of high customer traffic and in legible form - Organization staff also should have ready access to copies of the up-to-date company privacy policy in case a customer wishes to obtain a copy for review. 3. Provide updates and revisions 4. Ensure that the appropriate personnel are knowledgeable about the policy

Answer 71

COPPA, HIPAA, FCRA

Answer 72

The 2010 preliminary FTC staff report, “Protecting Consumer Privacy in an Era of Rapid Change,” called these situations “commonly accepted practices.” In such situations, an organization has been given implied authority to share PI

Answer 73

This privacy notice creates an enforceable promise. If an individual sells the information for individuals who have opted out, the FTC or state enforcers may bring suit under the unfair and deceptive trade practices laws

Answer 74

The Video Privacy Protection Act requires an opt-out before covered movie and other rental data is provided to a third party

Answer 75

The CAN-SPAM Act requires email marketers to provide an opt-out

Answer 76

GLBA requires an opt-out before transferring the PI of a customer of a financial institution to an unaffiliated third party for the latter’s own use

Answer 77

Opt-outs are required for companies that subscribe to any of a number of self-regulatory systems. Ex./ the Data and Marketing Association has long operated an opt-out system for consumers who do not wish to receive commercial mail sent to their homes, the Network Advertising Initiative, TrustArc, and the Digital Advertising Alliance operate opt-out systems in connection with online advertising

Answer 78

1. The scope of an opt-out can vary 2. The mechanism for providing an opt-out or another user preferences can also vary 3. Linking a user’s interactions through multiple channels, including in person, by phone, by email or by web, can be a management challenge when customers interact with an organization 4. The time period for implementing user preferences is sometimes provided by law 5. Third-party vendors often process PI on behalf of the company that has the customer relationship

Answer 79

Individuals have the right to access their credit reports under FCRA and rectify incorrect data

Answer 80

Patients can access their medical records under HIPAA, with records that the patient believes are incorrect noted as such in the patient files

Answer 81

1. Confidentiality provision 2. No further use of shared information 3. Use of subcontractors 4. Requirement to notify and to disclose breach 5. Information security provisions

Answer 82

1. Reputation 2. Financial condition and insurance 3. Information security controls 4. Point of transfer 5. Disposal of information 6. Employee training and awareness 7. Vendor incident response 8. Audit rights

Answer 83

(1) notification of security breaches, (2) new requirements for processors (contractors who act on behalf of data controllers), (3) designation of data protection officers, (4) accountability obligations, (5) rules for international transfers and (6) sanctions of up to 4 percent of worldwide revenues

Answer 84

European Court of Justice struck down the Safe Harbor program in significant part based on U.S. government surveillance concerns raised by the 2013 Snowden disclosures

Answer 85

(1) The Privacy Shield Framework, (2) Standard Contract Clauses (SCCs) and (3) Binding Corporate Rules (BCRs)

Answer 86

(1) commitments by U.S. companies, (2) detailed explanations of U.S. laws, and (3) commitments by U.S. authorities. U.S. companies wishing to import personal data from the EU under the Privacy Shield accept obligations on how that data can be used, and those commitments are legally binding and enforceable.

Answer 87

Are an additional basis for transferring data, providing that a multinational company can transfer data between countries after certification of its practices by an EU privacy supervisory agency

Answer 88

- The legality of SCCs has been challenged in the EU, again based largely on the fact that the U.S. government can conduct national security surveillance on data that enters the country. - At the time of this writing, the case has been referred to the EU’s highest court, the European Court of Justice, to determine whether SCCs may be used to transfer data to the United States

Answer 89

ARPAnet, a military computer network developed in the early 1960s by the U.S. Advanced Research Projects Agency (ARPA)

Answer 90

1. Hypertext transfer protocol (HTTP) | 2. Hypertext markup language (HTML)

Answer 91

An application protocol that manages data communications over the Internet, defines how messages are formatted and transmitted over a TCP/IP network (defined below) for websites. Further, it defines what actions web servers and web browsers take in response to various commands.

Answer 92

- A content-authoring language used to create web pages - The web browser interprets the HTML markup language within a web page to determine how the content on the page should be rendered - Document “tags” can be used to format and lay out a web page’s content and to “hyperlink”—connect dynamically—to other web content - Forms, links, pictures and text may all be added with minimal commands. Headings are also embedded into the text and are used by web servers to process commands and return data with each request

Answer 93

Allows the transfer of data from a browser to a website over an encrypted connection. By early 2016, HTTPS traffic became greater than HTTP traffic

Answer 94

5th and most recent version of the HTML standard - New capabilities and features: the ability to run video, audio, and animation directly from websites w/o the need for a plug-in (a piece of software that runs in the browser and renders media such as audio or video) - It had significant implications for the rapidly expanding mobile ecosystem, as many mobile devices do not support Flash (discussed further below). - Features: increases security, the ability to store information offline, in web applications that can run when not connected to the Internet

Answer 95

Another language that facilitates the transport, creation, retrieval and storage of documents. Like HTML, XML uses tags to describe the contents of a web page or file. HTML describes the content of a web page in terms of how it should be displayed. Unlike HTML, XML describes the content of a web page in terms of the data that is being produced, enabling automatic processing of data in large volumes and necessitating attention to privacy issues

Answer 96

The address of documents and other content that are located on a web server. An example of a URL is “https://iapp.org.” This URL contains: (1) an HTTPS prefix to indicate its use of the protocol; “www” to signify a location on the World Wide Web, (3) a domain name (e.g., “iapp”) and (4) an indicator of the top-level domain (e.g., “com” for a commercial organization, “org” for an organization,“gov” for government,“edu” for an educational institution, or a two-letter country code, such as “uk” for United Kingdom or “jp” for Japan).

Answer 97

Used to connect an end user to other websites, parts of websites, and/or web-enabled services. The URL of another site is embedded in the HTML code of a site so that when a user clicks on the link in the web browser, the end user is transported to the destination website or page

Answer 98

A computer that is connected to the Internet, hosts web content and is configured to share that content. Documents that are viewed on the web are actually located on individual web servers and accessed by a browser

Answer 99

- An intermediary server that provides a gateway to the web - Employee access to the web often goes through a proxy server - A proxy server typically masks what is happening behind the org’s firewall, so that an outside website sees only the IP address and other characteristics of the proxy server, and not detailed info about which part of an organization is communicating with the outside website

Answer 100

Are an important category of proxy server, widely used in the United States for employee web access, but not nearly as widely used by consumers. VPNs encrypt the information from the user to the organization’s proxy server, thus masking from the ISP both the content and web destinations of that user

Answer 101

Occurs when web browsers and proxy servers save a local copy of the downloaded content, reducing the need to download the same content again from the web server. To protect privacy, pages that display personal information should be set to prohibit caching

Answer 102

Sometimes automatically created when a visitor requests a web page. Ex./ of the information automatically logged include the IP address of the visitor, the date and time of the web page request, the URL of the requested file, the URL visited immediately prior to the web page request, and the visitor’s web browser type and computer operating system

Answer 103

Specifies the format of data packet that travels over the Internet and also provides the appropriate addressing protocol. An IP address is a unique number assigned to each connected device—it is similar to a phone number because the IP address shows where data should be sent from the website

Answer 104

Often assigns a new IP address on a session-by-session basis. When the IP address used by an individual thus shifts with each session, this approach is referred to as a “dynamic” IP address. Conversely, “static” IP addresses have become more common in recent years. A static IP address remains the same over time for a particular device. In such cases, a website can use the static IP address as a way to recognize a device that returns to the site

Answer 105

Enables two devices to establish a stream-oriented reliable data connection. A combination of TCP and IP is used to send data over the Internet. Data is sent in the form of packets, which contain message content and a header that specifies the destination of the packet.

Answer 106

- A protocol that ensures privacy between a user and a web server. - When a server and client communicate, TLS secures the connection to ensure that no 3rd party can eavesdrop on or corrupt the message - TLS is a successor to secure sockets layer (SSL)

Answer 107

A scripting language used to produce a more interactive and dynamic website. Javascript has vulnerabilities and problems interacting with some programs and systems. A common malicious practice is cross-site scripting (XSS). Simple additions to coding such as an infinite loop can overwhelm the memory and impose a denial of service attack. Information security professionals should examine the risks that can arise from the use of Javascript

Answer 108

The language used to describe the presentation of web pages. This includes colors, layout and font. This language allows for adaptation of the web page to different types of devices. CSS and HTML are independent of each other

Answer 109

A bandwidth-friendly interactive animation and video technology that has been widely used to enliven web pages and advertisements. Compatibility and security problems, however, have led to a decrease in use. Some security experts now discourage users from installing Flash. As HTML5 becomes more widely adopted, and as the mobile computing environment grows, use of external plug-ins such as Flash may diminish. As of the writing of this book, Flash is used in less than 10 percent of websites

Answer 110

Emails or other communications that are designed to trick a user into believing that he or she should provide a password, account number or other information. The user then typically provides that information to a website controlled by the attacker. Ex./ These emails or websites appear to originate from legitimate organizations—such as recognized banks or retailers—and may include seemingly legitimate trademarks, colors, logos or other corporate signatures

Answer 111

A phishing attack that is tailored to the individual user, for example, when an email appears to be from the user’s boss instructing the user to provide information Ex./ the message may appear to come from the recipient’s coworker, or from someone who has recently been in a meeting with the recipient.

Answer 112

A general term for how attackers can try to persuade a user to provide information or create some other sort of security vulnerability. The social engineer is intent on gaining access to private information and targets an individual or group within an organization that may have such access. Techniques include using an assumed identity in communications, eavesdropping on private conversations or calls, or impersonating an employee or hired worker

Answer 113

- Structured query language (SQL) injection, cookie poisoning or use of malware. In these attacks, the attacker exploits a technical vulnerability or inserts malicious code. - One technical but common threat to online privacy is XSS. XSS is code injected by malicious web users into web pages viewed by other users. Often, the unauthorized content resulting from XSS appears on a web page and looks official, so the users are tricked into thinking the site is legitimate and uncorrupted. XSS is the basis for many convincing phishing attacks and browser exploits.

Answer 114

security practitioners

Answer 115

hackers and exploit artists

Answer 116

An organization should have a comprehensive defense plan and a procedure in place to effectively address information security threats

Answer 117

- A standard method for encrypting the transmission of personally identifiable info over the web—including the verification of end user info required for website access - Replaced SSL, which is no longer considered secure - TLS is widely used for handling transmission of sensitive online data such as passwords or bank account numbers between web computers

Answer 118

- Login/password/PINs - Software - Wireless networks (Wi-Fi) - File sharing

Answer 119

Unsolicited commercial email

Answer 120

- Requires a commercial email to have a clear and conspicuous way for the user to unsubscribe from future emails. - Since the enactment of CAN-SPAM in 2003, commercial companies are required to provide an easy way for users to prevent future emails from that company. - Enforcement actions under CAN-SPAM have resulted in high fines and even jail sentences, pushing spammers to countries outside the US

Answer 121

A specialized type of spear phishing that is targeted at C-suite executives, celebrities, and politicians. The aim is the same as spear phishing—to use an email or website to obtain personal and/or sensitive information from the victim

Answer 122

- Used to describe malicious software that is designed to disrupt or damage a computer, a network or an electronic device, and provide an attacker unauthorized control over a remote computer - As mobile devices become increasingly popular, mobile malware has also become more prevalent - Ex./ viruses, worms, spyware, and ransomware.

Answer 123

Software that is downloaded covertly, without the understanding or consent of the end user. Spyware is used to fraudulently collect and use sensitive personal information such as bank account credentials and credit card numbers. Some spyware, for instance, can report each keystroke by a user back to the entity that controls the spyware

Answer 124

A type of malware with which the malicious actor either (1) locks a user’s operating system, restricting the user’s access to their data and/or device, or (2) encrypts the data so that the user is prevented from accessing his or her files. As the name implies, the victim is then told to pay a ransom to regain access. For victims who choose to pay the ransom, access may or may not be returned.

Answer 125

To protect children’s use of the Internet—particularly websites and services targeted toward children

Answer 126

Requires website operators to provide clear and conspicuous notice of the data collection methods employed by the website, including functioning hyperlinks to the website privacy policy on every web page where personal information is collected. It also requires consent by parents prior to collection of personal information for children under the age of 13.

Answer 127

- Individuals under the age of 18 have the right to request removal of information posted online - Statute prohibits online advertising to minors related to products that these consumers are not legally permitted to buy and also restricts certain online advertising practices based on the minors’ personal info

Answer 128

Contains similar categories of restrictions related to advertising to minors (as California’s Privacy Rights for California Minors in the Digital World)

Answer 129

- Effective date - Scope of notice - Types of personal info collected (both actively and passively) - Info uses and disclosures - Choices available to the end user - Methods for accessing, correcting or modifying personal info or preferences - Methods for contacting the organization or registering a dispute - Processes for how any policy changes will be communicated to the public

Answer 130

- Say what the organization does and do what is stated - Tailor disclosures to the actual business operations model - Do not treat privacy statements as disclaimers - Revisit the privacy statement frequently to ensure it reflects current business and data collection practices - Communicate these privacy practices to the entire company

Answer 131

Trustmarks are images or logos that are displayed on websites to indicate that a business is a member of a professional organization or to show that it has passed security and privacy tests. They are designed to give customers confidence that they can safely engage in e-commerce transactions. TrustArc, Norton and the Better Business Bureau are examples of trustmarks

Answer 132

Are a response to problems with a single long notice. The basic idea is to offer “layers” that provide the key points on top in a short notice, but give users the option to read a detailed notice or click through to greater detail on particular parts of the notice

Answer 133

The top layer. Often using a standard format, it summarizes the notice scope as well as basic points about the organization’s practices for personal information collection, choice, use and disclosure. Details for contacting the organization on information privacy matters are also included along with links to the full notice.

Answer 134

The bottom layer. Often referenced from the short notice via a hyperlink, it is a comprehensive information disclosure that articulates the organization’s privacy notice in its entirety. The full notice is thus available for end users who are interested. The full notice also guides an organization’s employees on permitted data practices and can be used for accountability by enforcement agencies or the general public

Answer 135

Privacy by design (or even privacy by default), transparency, and simplification of consumer choices

Answer 136

Such access and opportunity for correction should be provided except where: (i) the burden or expense of doing so would be unreasonable or disproportionate to the risks to the individual’s privacy in the case in question; (ii) the information should not be disclosed due to legal or security reasons or to protect confidential commercial information; or (iii) the information privacy of persons other than the individual would be violated.

Answer 137

A portion of a web page that contains blank fields, text boxes, check boxes or other input areas that end users complete by providing data (which may or may not include personal information)

Answer 138

- Used to capture specific pieces of info such as name, city, credit card number or search terms - A label requesting a clear-cut entry is typically present - An important privacy consideration is that limitations should be placed on one-line text boxes to ensure they are used only as intended (e.g., a maximum of 14 characters for a first name) - Failure to set such limits can result in security vulnerabilities

Answer 139

Used to capture a sentence or more of text. These are frequently used when an unspecified answer is desired. For instance, a common use is a request for support. Scrolling text boxes should be used with caution since little control exists over what information a user submits

Answer 140

Used to collect answers to structured questions. Check boxes allow multiple answers to be selected out of a list of items, while radio buttons limit the user to one answer. Both options are more secure than fields that require the user to type text—the input is limited to the given options, and the content of the answer is not communicated over the web

Answer 141

Occurs when the end user deliberately provides information to the website through the use of one of the input mechanisms described above

Answer 142

Occurs when information is gathered automatically— often without the end user’s knowledge—as the user navigates from page to page on a website

Answer 143

The boundaries between websites are becoming blurred through the emergence of syndicated content, web services, co-branded online ventures, widgets, and online advertising networks

Answer 144

- Not actually created by the host site, but rather is developed by and/or purchased or licensed from outside sources such as news organizations - One concern with such content is that it might contain malicious code that is then unwittingly incorporated into the organization’s own website source code. - Ex./ XSS allows attackers to inject scripts into web pages for malicious purposes, taking advantage of the trust users have for a given site

Answer 145

- Facilitate direct communication between computers - They make it possible for organizations to interconnect with their suppliers online, or for users to get content from a site that has contracted with the site the user has selected to visit.

Answer 146

Online partnerships between two or more content or service providers. Sharing of information between the partners is often allowed on co-branded sites as long as it is disclosed in the privacy notice

Answer 147

Applications that can be installed on a web page, blog, social profile or other HTML page. Typically they are executed by the third party, although they appear on the page itself. The application can be executed by the owner of the page to deliver new website features or increased functionality. Widgets are frequently used as tools or content to make the site more dynamic

Answer 148

Connect online advertisers with web publishers that host advertisements on their sites. The networks enable media buyers to coordinate ad campaigns across sites. Through these targeted campaigns, advertisers can reach broad or focused audiences. Ad networks themselves vary in focus and size.

Answer 149

Comes from EU law, where processors act on behalf of, and are subject to, the direction of the controller

Answer 150

Used for hospitals and other entities covered by HIPAA

Answer 151

Used for banks and other financial institutions regulated under The Gramm-Leach-Bliley Act (GLBA)

Answer 152

Where other third parties receive data to do their own marketing, or further their other purposes, they become controllers as well. Ex./ a third party may receive data to conduct a sweepstakes or target marketing to the individuals - In many jurisdictions, including the EU, the original controller remains responsible for proper handling by third parties who receive personal information through onward transfer - In the US, the FTC considers onward transfer to be the responsibility of the host website—not the third party—and has issued guidance and brought enforcement actions toward this end - Onward transfer of EU data by U.S. companies is addressed as part of the Privacy Shield

Answer 153

when such transfers occur that (a) their personal information will be in the custody of a third party engaged by the host site and (b) they have the ability to make a choice, typically by opting out, if they desire to prevent the onward transfer

Answer 154

Composed of desktop/laptop advertising and mobile advertising. An increasingly large portion of the total digital advertising ecosystem is made up of mobile advertising, and this proportion is projected to continue to grow in the near future.

Answer 155

Advertising messages that appear to the end user in a separate browser window in response to browsing behavior or viewing of a site

Answer 156

Software that is installed on a user’s computer, often bundled with freeware (free software), such as online games. It monitors the end user’s online behavior so that additional advertising can be targeted to that person based on his or her specific interests and behaviors. Unless there is clear consent by users to this monitoring, however, such adware may be considered spyware by privacy enforcement agencies

Answer 157

- Term in programming languages for a piece of information shared between cooperating pieces of software - Cookies are widely used on the Internet to enable someone other than the user to link a computing device to previous web actions by the same device - The standard cookie, or HTML, cookie is a small text file that a web server places on the hard drive of a user’s computer - Cookies enable a range of functions, including authentication of web visitors, personalization of content and delivery of targeted advertising

Answer 158

Has taken the position that information stored in cookies is generally personal data, so that individual consent is needed before the cookie can be placed on a user’s hard drive

Answer 159

Stored only while the user is connected to the particular web server—the cookie is deleted when the user closes the web browser

Answer 160

Set to expire at some point in the future, from a few minutes to days or even years from initial delivery. Until expiration, the organization that set the cookie can recognize that it is the same cookie on the same device, and thus often the same user, that earlier visited the website

Answer 161

Set and read by the web server hosting the website the user is visiting. For instance, an online retailer or government agency can set a first-party cookie on the hard drive of a user who chooses to visit the retailer’s or agency’s site

Answer 162

- Set and read by or on behalf of a party other than the web server that is providing a service. (The second party is understood to be the user who is surfing the web.) - Online advertising networks set third-party cookies, as do companies that provide analytics of web usage across sites. - Some websites enable widgets or other software that appears on the first party’s website but interacts with a third party, which may set a third-party cookie

Answer 163

Are stored and accessed by Adobe Flash, a browser plug-in historically used by many Internet sites. While online, an individual’s Internet browser collects and stores information from sites visited in the form of cache, or cookies.

Answer 164

- Aka a web bug, pixel tag or clear GIF - A web beacon is a clear, one-pixel-by-one-pixel graphic image that is delivered through a web browser or HTML-compliant email client application to an end user’s computer—usually as part of a web page request or in an HTML email message, respectively - The web beacon operates as a tag that records an end user’s visit to a particular web page

Answer 165

Can identify a device based on information revealed to the website by the user. When a web page is requested, there is no automatic identification of who is seeking to download the content. The web server, though, typically receives certain information connected to the request, and maintains logs, which are used for security and system maintenance purposes.

Answer 166

- The use of personal information in connection with search engines is important because of the central role search engines perform in determining how people access information on the Internet. - When using cookies or other tracking techniques, the issues concerning search engines are generally similar to those for cookies

Answer 167

The use of cookies - Cookies are used to track the activities of devices as they visit particular web pages, allowing advertisers to build profiles of a device’s online activities; these profiles can then be used to create targeted advertising tailored to the user of that device

Answer 168

(1) App-based usage and (2) mobile browser settings. - In a mobile operating system, each individual application is run in a separate, secure sandbox - Whereas a mobile browser can use cookies to identify a user across different websites and visits, each mobile app has to create its identifier for a user. This means a single user on three different apps on the same device will appear as three different users

Answer 169

Importantly, mobile device tracking is valuable because mobile devices are rarely shared among users. Unlike a traditional desktop or laptop, which may be shared among the various members of a family, mobile devices are rarely shared in the United States. Therefore, once the device is identified, by default, so is the device’s user

Answer 170

A tool an advertising tracking company deploys for combining information about each of a user’s devices to track as close to 100 percent of that individual’s history of Internet activity as possible.

Answer 171

deterministic tracking, because the identical login provides a basis for determining that it is the same user

Answer 172

The protection of information for the purpose of preventing loss, unauthorized access or misuse

Answer 173

1. Confidentiality—access to data is limited to authorized parties 2. Integrity—assurance that the data is authentic and complete 3. Availability—knowledge that the data is accessible, as needed, by those who are authorized to use it

Answer 174

Are mechanisms put in place to prevent, detect, or correct a security incident.

Answer 175

1. Physical controls—such as locks, security cameras, and fences 2. Administrative controls—such as incident response procedures and training 3. Technical controls—such as firewalls, antivirus software, and access logs

Answer 176

To “encourage businesses that own or license personal information about Californians to provide reasonable security.” - Specifically, the law requires a business “that owns or licenses personal information about a California resident” to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure."

Answer 177

(1) Social Security number, (2) driver’s license number or California identification card number, (3) financial account number or credit or debit card number “in combination with any required security code, access code or password that would permit access to an individual’s financial account,” (4) medical information, (5) health insurance information, and (6) data collected from automated license plate recognition systems

Answer 178

False. New York

Answer 179

Massachusetts state security law, 201 CMR 17.00, has generally been considered the most prescriptive in the nation.

Answer 180

1. Designate an individual who is responsible for information security 2. Anticipate risks to personal information and take appropriate steps to mitigate such risks 3. Develop security program rules 4. Impose penalties for violations of the program rules 5. Prevent access to personal information by former employees 6. Contractually obligate third-party service providers to maintain similar procedures 7. Restrict physical access to records containing personal information 8. Monitor the effectiveness of the security program 9. Review the program at least once a year and whenever business changes could impact security 10. Document responses to incidents

Answer 181

Permits financial institutions to recover the costs associated with reissuance of credit and debit cards from large processors whose negligence in the handling of credit card data is the proximate cause of the breach.

Answer 182

1. Unintended disclosure—sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail 2. Hacking or malware—electronic entry by an outside party, malware and spyware 3. Payment card fraud—fraud involving debit and credit cards that is not accomplished via hacking; for example, skimming devices at point-of-service terminals 4. Insider—someone with legitimate access, such as an employee or contractor, intentionally breaching information 5. Physical loss—lost, discarded or stolen nonelectronic records such as paper documents; 6. Portable device—e.g., lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape 7. Stationary device—lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility 8. Unknown or other

Answer 183

Step 1: determining whether a breach has actually occurred Step 2: containment and analysis of the incident Step 3: notify affected parties Step 4: organizations should implement effective follow-up methods

Answer 184

- Designate the members who will make up a breach response team - Identify applicable privacy compliance documentation - Share information concerning the breach to understand the extent of the breach - Determine what reporting is required - Assess the risk of harm for individuals potentially affected by the breach - Mitigate the risk of harm for individuals potentially affected by the breach - Notify the individuals potentially affected by the breach

Answer 185

As of 2017, 48 of the 50 states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands have enacted state breach notification laws

Answer 186

An individual’s first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number, (2) driver’s license number or state identification card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account

Answer 187

Idaho, Louisiana and Michigan, which do not include such an exception in their laws

Answer 188

Any person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information.

Answer 189

Georgia law applies only to information brokers. Texas law specifically requires notification to be sent to residents of other states that do not have a similar law requiring notification

Answer 190

Unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information, when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable

Answer 191

There is unauthorized acquisition of the personal information that “compromises the confidentiality, security or integrity” of the information

Answer 192

to notify not only Texas residents but also residents of states lacking a data protection notification law

Answer 193

- A description of the incident in general terms - A description of the type of personal information that was subject to the unauthorized access and acquisition - A description of the general acts of the business to protect the personal information from further unauthorized access - A telephone number for the business that the person may call for further information and assistance, if one exists - Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports - The toll-free numbers and addresses for the major consumer reporting agencies - The toll-free numbers, addresses and website addresses for the FTC Commission and the North Carolina attorney general’s office, along with a statement that the individual can obtain information from these sources about preventing identity theft

Answer 194

States generally provide notification options, but a written notice to the data subject is always required first. Telephonic and electronic messages are typical alternatives, but usually only if the data subject has previously explicitly chosen one of those as the preferred communication method

Answer 195

1. Exception allowed by states is for entities subject to other, more stringent data breach notification laws (e.g. HIPAA, GLBA) 2. Most states allow exceptions for entities that already follow breach notification procedures as part of their own information security policies as long as these are compatible with the requirements of the state law 3. In most states, a safe harbor exists for data that was encrypted, redacted, unreadable or unusable

Answer 196

Process of encoding information so that only the sender and intended recipients can access it. Encryption systems often use a public key, available to the public, and a private key, which allows only the intended recipient to decode the message

Answer 197

The Massachusetts Personal Information Security Regulation states that all parties that “own or license” personal information pertaining to Massachusetts residents must encrypt all personal information stored on laptops or other portable devices, as well as wireless transmissions and transmissions sent over public networks

Answer 198

As with the California data breach law, the level and type of encryption required is not specified Later in 2016, California changed its data breach notification law to require notice that a breach occurred related to: (1) both encrypted data and the encryption key or (2) encrypted data when the business has a reasonable belief that the encryption key or security credentials can be obtained by the hacker

Answer 199

Tennessee the first state in the country to broadly require notification regardless of whether the information was encrypted In 2017, Tennessee again amended its statute. The change clarified that encrypted data receives the protection of the safe harbor, unless the encryption key is also acquired in the breach

Answer 200

Arizona law applies only to paper records.

Answer 201

Requires “shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable

Answer 202

California requires destruction such that records are “unreadable or undecipherable through any means” (emphasis added)

Answer 203

Illinois and Utah apply only to government entities

Answer 204

Massachusetts stipulates steep penalties of “not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal

Answer 205

Consumer reports

Answer 206

1. medical information is related to the inner workings of one’s body or mind. One’s individual sense of self may be violated if others have unfettered access to this information. 2. most doctors believe that patients will be more open about their medical conditions if they have assurance that embarrassing medical facts will not be revealed. 3. medical privacy protections can protect employees from the risk of unequal treatment by employers.

Answer 207

- Scope: covers the disclosure and use of “patient identifying” information by treatment programs for alcohol and substance abuse - Applicability: the law applies to any program that receives federal funding - Disclosure: the program must obtain written patient consent before disclosing information subject to the Rule - Redisclosure: redisclosing information obtained from a program is prohibited when that information would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment - Security of records: an entity lawfully holding patient-identifying information must have formal policies and procedures in place to protect the security

Answer 208

- Medical emergencies - Scientific research - Audits and evaluations - Communications with a qualified service organization (QSO) related to information needed by the organization to provide services to the program - Crimes on program premises or against program personnel - Child abuse reporting - Court order

Answer 209

The first violation results in a fine of not more than $500. Each subsequent offense is fined not more than $5,000. These violations are reported to the U.S. Attorney’s Office

Answer 210

To improve efficiency, HIPAA required entities receiving federal healthcare payments such as Medicare and Medicaid to shift reimbursement requests to electronic formats

Answer 211

Defined as any individually identifiable health information that: is transmitted or maintained in any form or medium; is held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of health care or payment for health care to that individual

Answer 212

Any PHI that is transmitted or maintained in electronic media (such as computer hard drives, magnetic tapes or disks, or digital memory cards, all of which are considered electronic storage media). Paper records, paper-to-paper fax transmissions, and voice communications (e.g., telephone) are not considered transmissions via electronic media

Answer 213

``` Healthcare providers (e.g., a doctors’ offices, hospitals) that conduct certain transactions in electronic form Health plans (e.g., health insurers) Healthcare clearinghouses (e.g., third-party organizations that host, handle or process medical information) ```

Answer 214

It applies to these covered entities, but not to other healthcare providers and services. For instance, some doctors accept only cash or credit cards and do not bill for insurance. They are not covered by HIPAA. More broadly, individuals reveal medical information in a wide variety of settings, ranging from conversations with friends and colleagues, to purchasing books about healthcare, to surfing on healthcare websites and even posting medical information online. These sorts of healthcare information are outside the scope of HIPAA

Answer 215

Business associates were not subject to HIPAA but became subject to privacy and security protections under the written contracts they signed with covered entities. Under HITECH, however, HIPAA privacy and security rules are codified and apply directly to business associates

Answer 216

Any person or organization, other than a member of a covered entity’s workforce, that performs services and activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI

Answer 217

Enter into a business associate agreement (a contract) with that other entity. This contract would include provisions that passed the privacy and security standard down to the contracting entity

Answer 218

reasonable, appropriate safeguards to protect PHI (in addition to signing a business associate agreement). As such, covered entities and business associates should implement security practices that, on the whole, comply with the Security Rule.

Answer 219

In August 2000, HHS promulgated the regulations on standard electronic formats for healthcare transactions, known as the “Transactions Rule.” This was followed in December 2000 by rules to protect the privacy of personal health information, known as the “Privacy Rule"

Answer 220

HIPAA provides perhaps the most detailed implementation of the Fair Information Privacy Practices, including requirements concerning privacy notices, authorizations for use and disclosure of PHI, limits on use and disclosure to the minimum necessary, individual access and accounting rights, security safeguards, and accountability through administrative requirements and enforcement

Answer 221

The Privacy Rule generally requires a covered entity to provide a detailed privacy notice at the date of first service delivery

Answer 222

- A privacy notice does not have to be provided when (1) the healthcare provider has an “indirect treatment relationship” with the patient OR (2) in the case of medical emergencies - The rule is quite specific about elements that must be included in the notice, including detailed statements about individuals’ rights with respect to their PHI

Answer 223

Consistent with the statutory goal of improving efficiency in the healthcare system, HIPAA itself authorizes the use and disclosure of PHI for essential healthcare purposes: treatment, payment and operations (collectively, TPO), as well as for certain other established compliance purposes. Other uses or disclosures of PHI require the individual’s opt-in authorization

Answer 224

The Privacy Rule requires that covered entities implement administrative, physical and technical safeguards to protect the confidentiality and integrity of all PHI

Answer 225

The HIPAA Security Rule requires both covered entities AND business associates to implement administrative, physical and technical safeguards only for ePHI. Like the Privacy Rule, the HIPAA Security Rule aims to prevent unauthorized use or disclosure of PHI. However, the Security Rule also aims to maintain the integrity and availability of ePHI. Accordingly, the Security Rule addresses data backup and disaster recovery, among other related issues

Answer 226

The primary enforcer for the Privacy Rule in HHS is the Office of Civil Rights (OCR), which processes individual complaints and can assess civil monetary penalties of up to approximately 1.6 million per year per type of violation, as of the writing of this book

Answer 227

WellPoint agreed to pay a civil penalty of $1.7 million in 2013 to settle allegations that it violated HIPAA when it did not adequately implement policies and procedures to protect the ePHI of 612,402 customers

Answer 228

In 2016, Feinstein Institute for Medical Research agreed to pay $3.9 million to settle claims that it violated the Family Educational Rights and Privacy Act (FERPA) when the ePHI of 13,000 patients and research participants was stolen in a laptop taken from an employee's vehicle

Answer 229

- The U.S. Department of Justice (DOJ) has criminal enforcement authority, with prison sentences of up to 10 years. - For the many companies within its jurisdiction, the FTC can bring enforcement actions for unfair and deceptive practices, even for entities covered by HIPAA - State attorneys general can also bring enforcement for unfair and deceptive practices, or pursuant to any applicable state medical privacy law

Answer 230

The rule does not require authorizations for (1) the major categories of treatment, payment and healthcare operations; (2) de-identified information; and (3) medical research

Answer 231

The Privacy Rule provides two methods for de-identifying data: (1) remove all of at least 17 data elements listed in the rule, such as name, phone number and address; or (2) have an expert certify that the risk of re-identifying the individuals is very small

Answer 232

- The Privacy Rule has detailed provisions for how PHI is used for medical research purposes - Research can occur with the consent of the individual, or without consent if an authorized entity such as an institutional review board approves the research as consistent with the Privacy Rule and general rules covering research on human subjects. - Research is permitted on de-identified information, and rules are more flexible if only a limited data set is released to researchers

Answer 233

The Privacy Rule contains other exceptions under which PHI may be used without consent. - information used for public health activities; - to report victims of abuse, neglect or domestic violence; - in judicial and administrative proceedings; - for certain law enforcement activities; and - for certain specialized governmental functions

Answer 234

- Establishes minimum security requirements for PHI that a covered entity receives, creates, maintains or transmits in electronic form - Designed to require covered entities to implement “reasonable” security measures in a technology-neutral manner - Goal: all covered entities to implement “policies and procedures to prevent, detect, contain, and correct security violations.

Answer 235

The Security Rule is comprised of “standards” and “implementation specifications,” which encompass administrative, technical and physical safeguards. Some of the implementation specifications are required, while others are considered “addressable"

Answer 236

1. Ensure the confidentiality, integrity and availability of all ePHI the covered entity creates, receives, maintains or transmits 2. Protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI 3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule 4. Ensure compliance with the Security Rule by its workforce

Answer 237

- The size, complexity and capabilities of the covered entity - The covered entity’s technical infrastructure, hardware and software security capabilities - The costs of security measures - The probability and criticality of potential risks to electronic protected health information

Answer 238

It is important to remember that HIPAA does not preempt state laws that provide more protection than the federal law

Answer 239

(1) additional patient rights, (2) added uses or disclosures for PHI, and (3) shortened deadlines for action

Answer 240

HITECH was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and meaningful use of health information technology

Answer 241

In the event of unauthorized acquisition, access, use or disclosure of information, a breach is presumed to have occurred, unless the covered entity demonstrates through a risk assessment that there is a low probability that the security or privacy of the information has been compromised

Answer 242

- HHS has issued a final rule pursuant to HITECH that allows for penalties of up to $1.5 million for the most willful violations and extends criminal liability to individuals who misuse PHI. - The enforcement rules provide for penalties even if the covered entity did not know of the violation

Answer 243

All disclosures by a covered entity should attempt to comply with the definition of a limited data set, and if this is not feasible, data disclosed must be the minimum amount necessary. The term limited data set refers to protected health information that includes direct identifiers of the individual.

Answer 244

The $19 billion in funding in HITECH created important incentives for health providers to use Electronic Health Records (EHRs) more extensively. Providers who make “meaningful use” of EHRs can qualify for these funds.

Answer 245

Prohibits health insurance companies from discriminating on the basis of genetic predispositions in the absence of manifest symptoms or from requesting that applicants receive genetic testing, and prohibits employers from using genetic information in making employment decisions

Answer 246

GINA amended a variety of existing pieces of legislation including, among others, the Employee Retirement Income Security Act (ERISA), the Social Security Act and the Civil Rights Act

Answer 247

adjusting premiums or other contribution schemes on the basis of genetic information, absent a manifestation of a disease or disorder

Answer 248

requesting or requiring genetic testing in connection with the offering of group health plans, although an exception is carved out for requests for voluntary testing in connection with research

Answer 249

Apply to participants in the individual health insurance market to prohibit adjustments to premiums or other contribution schemes on the basis of genetic information absent the manifestation of disease or disorder.

Answer 250

GINA also directs the secretary of HHS to revise HIPAA regulations such that genetic information is considered health information, and the disclosure of such information may not be disclosed by covered entities, pursuant to HIPAA

Answer 251

Aside from health care insurance, GINA also takes aim at the possibility of employment discrimination based on genetic information in the absence of the manifestation of a disease or disorder

Answer 252

Along with expressly prohibiting discrimination on the basis of genetic information, these portions of GINA prohibit employers from requiring, requesting or purchasing such genetic information about employees or family members unless an express exception applies

Answer 253

(1) such a request is inadvertent, (2) the request is part of an employer-offered wellness program that the employee voluntarily participates in with written authorization, (3) the request is made to comply with the Family and Medical Leave Act of 1993, (4) an employer purchases commercially and publicly available materials that include the information, (5) the information is used for legally required genetic monitoring for toxin exposure in the workplace if the employee voluntarily participates with written authorization or (6) the employer conducts DNA analysis for law enforcement purposes and requests the information for quality-control purposes (i.e., to identify contamination)

Answer 254

GINA itself does not provide for a private right of action, but—depending on the violation—private rights of action may be available under the federal laws that it revises, as well as under similar state laws

Answer 255

The purpose of the 21st Century Cures Act (“Cures Act”) is to expedite the research process for new medical devices and prescription drugs, quicken the process for drug approval, and reform mental health treatment

Answer 256

The Cures Act has numerous privacy-related provisions, and seeks a balance between the protection of personal data and the public interest in the appropriate utilization of this information

Answer 257

- Certain individual biomedical research information exempted from disclosure under Freedom of Information Act - Researchers permitted to remotely view PHI - Information blocking prohibited but HIPAA’s protection of PHI remains - “Certificates of confidentiality” for research” - “Compassionate” sharing of mental health or substance abuse information with family or caregivers”

Answer 258

The Fair Credit Reporting Act (FCRA) was enacted in 1970 to regulate the consumer reporting industry and provide privacy rights in consumer reports. The origins of the FCRA can be traced to the rise of consumer credit in the United States. In the post-World War II era, merchants began to share more in-depth customer data in order to facilitate lending to households. By the 1960s, consumer credit was critical, but increasingly, individuals were being harmed by inaccurate information that they could neither see nor correct. In response, Congress passed the FCRA, the first federal law to regulate the use of personal information by private businesses

Answer 259

The FCRA regulates any “consumer reporting agency” (CRA) that furnishes a “consumer report,” which is used primarily for assisting in establishing consumer’s eligibility for credit

Answer 260

A CRA is any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee

Answer 261

Three well-known examples of CRAs are Experian, Equifax and TransUnion, which are leading providers of credit information and credit scores

Answer 262

- Creditworthiness - Credit standing - Credit capacity - Character - General reputation - Personal characteristics - Mode of living

Answer 263

1. Third-party data for substantive decision making must be appropriately accurate, current and complete 2. Consumers must receive notice when third-party data is used to make adverse decisions about them 3. Consumer reports may be used only for permissible purposes 4. Consumers must have access to their consumer reports and an opportunity to dispute them or correct any errors

Answer 264

(1) dispute resolution, (2) private litigation, and (3) government actions. The dispute resolution infrastructure permits the consumer to fill a request with the CRA to dispute the accuracy of information, and then requires the CRA to investigate the consumer’s complaint

Answer 265

Noncompliance with the FCRA can lead to civil and criminal penalties. In addition to actual damages, as of the writing of this book, violators are subject to statutory damages of at least $1,000 per violation, and at least $3,756 for willful violations

Answer 266

FTC, the CFPB, and state attorneys general

Answer 267

The state attorneys general are required to give notice to the FTC prior to filing suit and the FTC retains the authority to intervene in the cases brought by the state attorneys general

Answer 268

- In 2014 TeleCheck Services (large check authorization service company) and TRS Recovery Services (associated debt-collection company) agreed to pay $3.5 million to settle FTC charges for FCRA violations. - FTC alleged that TeleCheck, a CRA, did not comply w/ dispute procedures for consumers whose checks were denied based on info provided by the business - TRS, a company that handles consumer debt taken on by TeleCheck, was alleged to have violated requirements of the FTC’s Furnisher Rule, which requires entities furnishing info to CRAs to ensure the accuracy and integrity of the info provided. - The settlement was part of a broader initiative by the FTC to target the practices of data brokers that sell info to companies making decisions about consumers

Answer 269

- An example of CFPB enforcement - The CFPB alleged that Clarity failed to properly investigate consumers who attempted to dispute info on their credit reports and obtained credit reports w/o a permissible purpose - As a result, Clarity Services agreed to pay an $8 million civil penalty

Answer 270

1. Users must have a “permissible purpose" 2. Users must provide certifications 3. Users must notify consumers when adverse actions are taken

Answer 271

1. As ordered by a court or a federal grand jury subpoena 2. As instructed by the consumer in writing 3. For the extension of credit as a result of an application from a consumer, or the review or collection of a consumer’s account 4. For employment purposes, including hiring and promotion decisions, where the consumer has given written permission 5. For the underwriting of insurance as a result of an application from a consumer 6. When there is a legitimate business need, in connection with a business transaction that is initiated by the consumer 7. To review a consumer’s account to determine whether the consumer continues to meet the terms of the account 8. To determine a consumer’s eligibility for a license or other benefit granted by a governmental “instrumentality required by law to consider an applicant’s financial responsibility or status 9. For use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation 10. For use by state and local officials in connection with the determination of child support payments, or modifications and enforcement thereof 11. In addition, creditors and insurers may obtain certain consumer report information for the purpose of making “prescreened” unsolicited offers of credit or insurance”

Answer 272

Section 604(f) of the FCRA prohibits any person from obtaining a consumer report from a CRA unless the person has certified to the CRA the permissible purpose(s) for which the report is being obtained and certifies that the report will not be used for any other purpose.

Answer 273

The term adverse action is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer

Answer 274

- Adverse actions based on information obtained from a CRA - Adverse actions based on information obtained from third parties that are not consumer reporting agencies - Adverse actions based on information obtained from affiliates

Answer 275

The FCRA requires disclosure by all persons who use credit scores in making or arranging loans secured by residential real property

Answer 276

1. Make a clear and conspicuous written notification to the consumer before the report is obtained, in a document that consists solely of the disclosure that a consumer report may be obtained by the employer. 2. Obtain prior written consumer authorization in order to obtain a consumer report. Authorization to access reports during the term of employment may be obtained at the time of employment. 3. Certify to the CRA that the above steps have been followed, that the information being obtained will not be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer’s rights will be provided to the consumer. 4. Before taking an adverse action, provide a copy of the report to the consumer as well as the summary of the consumer’s rights. (The user should receive this summary from the CRA.) An adverse action notice should be sent after the adverse action is taken

Answer 277

(1) the employer or its agent complies with the procedures set forth in the act, (2) no credit information is used and (3) a summary describing the nature and scope of the inquiry is provided to the employee if an adverse action is taken based on the investigation

Answer 278

character, general reputation, personal characteristics and mode of living, which is obtained through personal interviews by an entity or person that is a CRA

Answer 279

1. The consumer must be informed that an investigative consumer report may be obtained. 2. The disclosure must be in writing and must be mailed or otherwise delivered to the consumer some time before but not later than three days after the date on which the report was first requested. 3. The disclosure must include a statement informing the consumer of his or her right to request additional disclosures of the nature and scope of the investigation, and the summary of consumer rights required by the FCRA. The summary of consumer rights will be provided by the CRA that conducts the investigation. 4. The user must certify to the CRA that the required disclosures have been made and that the user will make the necessary disclosure to the consumer. 5. Upon written request of a consumer made within a reasonable period of time after the required disclosures, the user must make a complete disclosure of the nature and scope of “the investigation. 6. The nature and scope disclosure must be made in a written statement that is mailed or otherwise delivered to the consumer no later than 5 days after the date on which the request was received from the consumer or the report was first requested, whichever is later

Answer 280

FCRA limits the use of medical information obtained from CRAs, other than payment information that appears in a coded form and does not identify the medical provider.

Answer 281

the consumer must provide consent to the user of the report, or the information must be coded

Answer 282

the consumer must provide specific written consent and the medical information must be relevant

Answer 283

necessary to carry out the purpose for which the information was disclosed, or as permitted by statute, regulation or order

Answer 284

Practice where FCRA permits creditors and insurers to obtain limited consumer report information for use in connection with firm unsolicited offers of credit or insurance, under certain circumstances and conditions. This typically involves obtaining from a CRA a list of consumers who meet certain preestablished criteria

Answer 285

(1) before the offer is made, establish the criteria that will be relied upon to make the offer and to grant credit or insurance and (2) maintain such criteria on file for a three-year period beginning on the date on which the offer is made to each consumer

Answer 286

1. Info contained in a consumer’s CRA file was used in connection with the transaction. 2. The consumer received the offer because he or she satisfied the criteria for creditworthiness or insurability used to screen for the offer. 3. Credit or insurance may not be extended if, after the consumer responds, it is determined that the consumer does not meet the criteria used for screening or any applicable criteria bearing on creditworthiness or insurability, or the consumer does not furnish required collateral. 4. The consumer may prohibit the use of info in his or her file in connection with future prescreened offers of credit or insurance by contacting the notification system established by the CRA that provided the report. 5. The statement must include the address and toll-free telephone number of the appropriate notification system.

Answer 287

Under FACTA, stricter state laws are preempted in most areas, although states retain some powers to enact laws addressing identity theft

Answer 288

- Required truncation of credit and debit card numbers, so that receipts do not reveal the full credit or debit card number. - Gave consumers new rights to an explanation of their credit scores. - Gave individuals the right to request a free annual credit report from each of the three national consumer credit agencies—Equifax, Experian and TransUnion. - Along with other identity theft protections, FACTA required regulators to promulgate a Disposal Rule and a Red Flags Rule

Answer 289

Requires any individual or entity that uses a consumer report, or information derived from a consumer report, for a business purpose to dispose of that consumer information in a way that prevents unauthorized access and misuse of the data.

Answer 290

Consumer reports can be electronic or written

Answer 291

The rule applies to both small and large organizations, including consumer reporting agencies, lenders, employers, insurers, landlords, car dealers, attorneys, debt collectors and government agencies

Answer 292

Disposal includes any discarding, abandonment, donation, sale or transfer of information

Answer 293

The standard for disposal requires practices that are “reasonable” to protect against unauthorized access to or use of the consumer data

Answer 294

- Burn, pulverize or shred papers containing consumer report information so that the information cannot be read or reconstructed - Destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed - Conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the rule

Answer 295

Enforcement of the Disposal Rule is by the FTC, the federal banking regulators and the CFPB

Answer 296

Violators may face civil liability as well as federal and state enforcement actions.

Answer 297

The FTC, together with federal banking agencies, authored the Red Flags Rule

Answer 298

Specifically, the rule applies to financial institutions and creditors. “Financial institution” is defined as all banks, savings and loan associations and credit unions. It also includes all other entities that hold a “transaction account” belonging to a consumer

Answer 299

The rule requires certain financial entities to develop and implement written identity theft detection programs that can identify and respond to the “red flags” that signal identity theft

Answer 300

- Was passed in response to concern that the definition of creditor extended to implicate unintended entities, such as attorneys and health providers, simply because they allow customers to pay their bills after the time of service. - The clarification narrows the previously broad definition of creditor, as well as the circumstances under which they are covered by the rule - Eliminates entities that extend credit only “for expenses incidental to a service.

Answer 301

The rule still applies to entities that, regularly and in the course of business: - Obtain or use consumer reports in connection with a credit transaction - Furnish information to consumer reporting agencies in connection with a credit transaction - Advance funds to or on behalf of someone, except for expenses incidental to a service provided by the creditor to that person The new law also authorizes regulations that apply the rule to businesses whose accounts should be “subject to a reasonably foreseeable risk of identity theft."

Answer 302

Title V of the Financial Services Modernization Act of 1999 led to the promulgation of both a Privacy Rule and a Safeguards Rule, aka GLBA

Answer 303

These privacy provisions were spurred by enforcement actions against major banks for controversial data practices. Prior to GLBA’s passage, a number of leading financial institutions were found to have shared detailed customer information, including account numbers and other highly sensitive data, with telemarketing firms. Subsequently, the firms used the account numbers to charge customers for unsolicited services

Answer 304

The Minnesota attorney general’s office brought suit in 1999, as Congress was considering GLBA. The suit resulted in a $3 million settlement for allegations that the bank had sent detailed customer information to the telemarketing firm, including account numbers and related information that enabled the marketer to directly withdraw funds from the customer account. The allegations also stated that the marketing firm was using a “negative option,” where customers were charged automatically for services unless they later sent a specific request not to be billed. The U.S. Bancorp/MemberWorks case focused popular and regulatory attention on the prevalence of data-sharing relationships between banks and third-party marketers

Answer 305

A group of 25 attorneys general brought additional actions against major financial institutions in an attempt to address these practices. Congress responded to these events by including significant privacy and security protections for consumers in GLBA and mandating further rulemaking on privacy and security by the FTC, federal banking regulators and state insurance regulators. Financial institutions were required to substantially comply with GLBA’s requirements in 2001

Answer 306

- Eliminated legal barriers to affiliations among banks, securities firms, insurance companies and other financial services companies - Financial institutions are required to: (1) Store personal financial information in a secure manner (2) Provide notice of their policies regarding the sharing of personal financial information (3) Provide consumers with the choice to opt-out of sharing some personal financial information - requires financial institutions to protect consumers’ nonpublic personal information under privacy rules that were promulgated originally by the FTC and FI regulators

Answer 307

GLBA applies to “financial institutions,” which are defined broadly as any U.S. companies that are “significantly engaged” in financial activities. Financial institutions include entities such as banks, insurance providers, securities firms, payment settlement services, check-cashing services, credit counselors and mortgage lenders, among others.

Answer 308

"nonpublic personal information,” defined as “personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution.” Excluded from the definition are publicly available information and any consumer list that is derived without using personally identifiable financial information

Answer 309

Banking and related financial “institutions that fail to comply with GLBA requirements can be subject to substantial penalties under the Financial Institution Reform, Recovery and Enforcement Act (FIRREA). FIRREA penalties range from up to $5,500 for violations of laws and regulations, to a maximum of $27,500 if violations are unsafe, unsound or reckless, to as much as $1.1 million for “knowing” violations.”

Answer 310

institutions that fail to comply with GLBA requirements can be subject to substantial penalties under the Financial Institution Reform, Recovery and Enforcement Act (FIRREA). FIRREA penalties range from up to $5,500 for violations of laws and regulations, to a maximum of $27,500 if violations are unsafe, unsound or reckless, to as much as $1.1 million for “knowing” violations

Answer 311

Stricter state laws are not preempted under GLBA. The validity of stricter state laws, however, can be subject to challenge because there is limited preemption under FCRA, so courts would need to determine which federal financial privacy statute governs for a particular state law

Answer 312

No. Although there is no private right of action under GLBA, failure to comply with certain notice requirements may be considered a deceptive trade practice by state and federal authorities. Some states also have private rights of action for this type of violation.

Answer 313

GLBA’s privacy protections generally apply to “consumers,” or individuals who obtain financial products or services from a financial institution to be used primarily for personal, family or household purposes. Many of the act’s requirements relate to the subset of consumers who are also “customers”—consumers with whom the organization has an ongoing relationship. Financial services companies that do not have such “consumer customers” are not subject to some of GLBA’s requirements, such as those related to notice.

Answer 314

1. Prepare and provide to customers clear and conspicuous notice of the financial institution’s information-sharing policies and practices. These notices must be provided when a customer relationship is established and annually thereafter. 2. Clearly provide customers the right to opt out of having their nonpublic personal information shared with nonaffiliated third parties (subject to significant exceptions, including for joint marketing and processing of consumer transactions) 3. Refrain from disclosing to any nonaffiliated third-party marketer, other than a consumer reporting agency, an account number or similar form of access code to a consumer’s credit card, deposit or transaction account 4. Comply with regulatory standards established by certain government authorities to protect the security and confidentiality of customer records and information, and protect against security threats and unauthorized access to or certain uses of such records or information

Answer 315

The privacy notice itself must be a clear, conspicuous and accurate statement of the company’s privacy practices and must include the following: - What information the financial institution collects about its consumers and customers - With whom it shares the information - How it protects or safeguards the information - An explanation of how a consumer may opt out of having his or her information shared through a reasonable opt-out process

Answer 316

No. GLBA prohibits financial institutions from disclosing consumer account numbers to nonaffiliated companies for purposes of telemarketing and direct mail marketing (including through email), even if the consumer has not opted out of sharing the information for marketing purposes. Also, a financial institution must ensure that service providers will not use provided consumer data for anything other than the intended purpose

Answer 317

- A financial institution shares information with outside companies that provide essential services like data processing or servicing accounts - The disclosure is legally required - A financial institution shares customer data with outside service providers that market the financial company’s products or services

Answer 318

GLBA requires financial institutions to maintain security controls to protect the confidentiality and integrity of personal consumer information, including both electronic and paper records

Answer 319

Develop and implement a comprehensive “information security program,” which is defined as a program that contains “administrative, technical and physical safeguards” to protect the security, confidentiality and integrity of customer information

Answer 320

Like the GLBA Privacy Rule, the Safeguards Rule distinguishes the concepts of security, confidentiality and integrity, but suggests that all three concepts are integral to a complete understanding of security

Answer 321

includes program definition, management of workforce risks, employee training and vendor oversight

Answer 322

covers computer systems, networks and applications in addition to access controls and encryption

Answer 323

includes facilities, environmental safeguards, business continuity and disaster recovery

Answer 324

(1) ensure the security and confidentiality of customer information, (2) protect against any anticipated threats or hazards to the security or integrity of the information and (3) protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer

Answer 325

1. Designate an employee to coordinate the safeguards 2. Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling those risks 3. Design and implement a safeguard program and regularly monitor and test it 4. Select appropriate service providers and enter into agreements with them to implement safeguards 5. Evaluate and adjust the program in light of relevant circumstances, including changes in business arrangements or operations, or the results of testing and monitoring of safeguards

Answer 326

- Aka California Financial Information Privacy Act, expands the financial privacy protections afforded under GLBA - SB-1 increases the disclosure requirements of financial institutions and grants consumers increased rights with regard to the sharing of information

Answer 327

Violation of SB-1 in cases of negligent noncompliance can be punished with statutory damages of $2,500 per consumer, up to a cap of $500,000 per occurrence. In cases of willful noncompliance, there is no $500,000 damage cap

Answer 328

It has both

Answer 329

Written opt-in consent is required for a financial institution to share personal information with nonaffiliated third parties. Opt-in provisions must be presented on a form titled “Important Privacy Choices for Consumers” and be written in simple English

Answer 330

SB-1 grants consumers the ability to opt out of information sharing between their financial institutions and affiliates not in the same line of business

Answer 331

A financial institution does not, however, need to obtain consumer consent in order to share nonmedical information with its wholly owned subsidiaries engaged in the same line of business—insurance, banking or securities—if they are regulated by the same functional regulator

Answer 332

In response to the financial crisis that became acute in 2008, Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act, which was signed into law in June 2010

Answer 333

Title X of the act created the CFPB as an independent bureau within the Federal Reserve

Answer 334

The CFPB oversees the relationship between consumers and providers of financial products and services

Answer 335

FCRA, GLBA and Fair Debt Collection Practices Act

Answer 336

- The CFPB also can now bring enforcement actions for unfairness and deception - The CFPB has a new power to enforce against “abusive acts and practices"

Answer 337

- Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service or - Takes unreasonable advantage of— (1) A lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service; (2) The inability of the consumer to protect its interests in selecting or using a consumer financial product or service; or (3) The reasonable reliance by the consumer on a covered person to act in the interests of the consumer

Answer 338

Civil penalties vary from $5,526 per day for federal consumer privacy law violations to $27,631 per day for reckless violations and $1,105,241 for knowing violations. Further, state attorneys general are also authorized to bring civil actions in enforcement of the law or regulations

Answer 339

U.S. anti-money-laundering laws stem from the Bank Secrecy Act of 1970, which targeted organized crime groups and others who used large cash transactions. The laws became stricter as part of the USA PATRIOT Act of 2001, with its focus on antiterrorism efforts.

Answer 340

The fundamental goal of anti-money-laundering laws is to “follow the money"

Answer 341

Aka Currency and Foreign Transaction Reporting Act of 1970, authorizes the U.S. treasury secretary to issue regulations that impose extensive record-keeping and reporting requirements on financial institutions

Answer 342

Specifically, financial institutions must keep records and file reports on certain financial transactions, including currency transactions in excess of $10,000, which may be relevant to criminal, tax or regulatory proceedings.

Answer 343

The BSA applies to banks, securities brokers and dealers, money services businesses, telegraph companies, casinos, card clubs, and other entities subject to supervision by any state or federal bank supervisory authority. The scope of covered institutions has expanded over time to address the problem that criminals have an incentive to exploit whatever institutions are not already covered by the anti-money-laundering laws

Answer 344

The BSA generally requires currency transactions of $10,000 or more to be reported to the IRS per the regulations, using a Currency Transaction Report, Form 4789

Answer 345

The BSA regulations cover purchases of bank checks, drafts, cashier’s checks, money orders or traveler’s checks for $3,000 or more in currency

Answer 346

Certain funds transfers are exempted from the regulation, however, including funds transfers governed by the Electronic Funds Transfer Act and those made through an automated clearinghouse, ATM or point-of-sale system

Answer 347

Financial institutions are required to maintain records of all extensions of credit in excess of $10,000, but this does not include credit secured by real property. Not all records must be maintained—only those with a “high degree of usefulness" Records that are maintained must include the borrower’s name and address, credit amount, purpose of credit and date of credit

Answer 348

Records must be maintained for 5 years

Answer 349

A financial institution must keep the depositor’s taxpayer identification number, signature cards, and checks exceeding $100 that are drawn or issued and payable by the bank

Answer 350

With regard to certificates of deposit, the financial institution must obtain the customer name and address, a description of the CD and the date of the transaction

Answer 351

For wire transfers or direct deposits, a financial institution must maintain all deposit slips or credit tickets for transactions exceeding $100

Answer 352

A SAR must be filed with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) in the following circumstances: (1) when a financial institution suspects that an insider is committing (or aiding the commission of) a crime, regardless of dollar amount; (2) when the entity detects a possible crime involving $5,000 or more and has a substantial basis for identifying a suspect; (3) when the entity detects a possible crime involving $25,000 or more (even if it has no substantial basis for identifying a suspect) and (4) when the entity suspects currency transactions aggregating $5,000 or more that involve potential money laundering or a violation of the act.

Answer 353

Civil penalties, including fines up to the greater of $25,000 or the amount of the transaction (up to a $100,000 maximum) as well as penalties for negligence ($500 per violation); additional penalties up to $5,000 per day for failure to comply with regulations; penalties of up to $25,000 per day for failure to comply with the information-sharing requirements of the USA PATRIOT Act; and penalties up to $1 million against financial institutions that fail to comply with due diligence requirements

Answer 354

Criminal penalties include up to a $100,000 fine and/or one-year imprisonment and up to a $10,000 fine and/or five-year imprisonment

Answer 355

As part of the USA PATRIOT Act, the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001 expanded the reach of the BSA and made other significant changes to U.S. anti-money-laundering laws

Answer 356

The act gave the U.S. treasury secretary the ability to promulgate broad rules to implement modified Know Your Customer requirements and to otherwise deter money laundering

Answer 357

For covered financial services companies, the major USA PATRIOT Act compliance issues can be grouped into the following categories: (1) Information-sharing regulations and participation in the cooperative efforts to deter money laundering, as required by Section 314 (2) Know Your Customer rules, including the identification of beneficial owners of accounts—procedures required by Section 326 (3) “Development and implementation of formal money-laundering programs as required by Section 352 (4) Bank Secrecy Act expansions, including new reporting and record-keeping requirements for different industries (such as broker-dealers) and currency transactions

Answer 358

- Seeks to target non-compliance with U.S. tax laws for U.S. taxpayers with foreign accounts - To deter tax evasion and require greater withholding of income to these taxpayers, FATCA requires more detailed “know your customer” documentation for both domestic and foreign financial institutions

Answer 359

- Letting customers know the type of authentication methods the financial institution has in place - Informing customers of the dangers of using public Wi-Fi connections - Empowering customers with information on mobile antivirus and malware detection software - Creating a mobile privacy policy and having it certified by a reputable third party - Fostering trust with customers by enabling them to decide which data to share and allowing them to opt out of mobile ad targeting

Answer 360

- Aka Buckley Amendment | - Provides students with control over disclosure and access to their education records

Answer 361

The statute generally prevents schools from divulging education record information, such as grades and behavior, to parties other than the student, without that student’s consent

Answer 362

FERPA includes major aspects of Fair Information Practice Principles, including: (1) notice, (2) consent, (3) access and correction, (4) security (5) accountability

Answer 363

FERPA applies to all educational institutions that receive federal funding Such funding exists for virtually all public and most private schools, especially at the postsecondary level

Answer 364

- Control the disclosure of their education records to others - Review and seek amendment of their own education records - Receive annual notice of their rights under FERPA - File complaints with the U.S. Department of Education

Answer 365

- FERPA defines it to include all records that are directly related to the student and maintained by the school or by a party on behalf of the school. This extends beyond grades and other academic records to include financial aid records, disciplinary records and others related to the student - FERPA defines “record” as “any information recorded in a way, not including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche.” All electronic records and emails are covered by the term “computer media"

Answer 366

- Campus police records created and maintained by school campus police for law enforcement purposes - Employment records, when the employee is not a student at the university - Treatment records or health records, subject to several requirements - Applicant records of those who are not enrolled in the university - Alumni records created by a school after the individual is no longer a student - Grades on peer-graded papers, before they are collected and recorded by a faculty member or other university representative

Answer 367

- The information is not “personally identifiable” - The information is “directory information” whose release the student has not blocked - Consent has been provided by: (1) the parent, or (2) the student once the rights transfer to the student when he or she reaches the age of 18 or attends only a postsecondary institution - The disclosure is made to (1) the parent or (2) the student himself or herself once the rights transfer to the student when he or she reaches the age of 18 or attends only a postsecondary institution - A statutory exception applies, such as for health or safety purposes

Answer 368

- The student’s name - The name of the student’s parent or other family members - The student or student’s family’s address Personal identifiers such as the Social Security number or student number - Other identifiers, such as date of birth - Other information that, alone or in combination, can be linked to a student and would allow the student to be identified with reasonable certainty - Information requested by a person whom the school reasonably believes knows the identity of the student to which the education record is linked

Answer 369

- "Directory information” is broadly defined by FERPA to include information that would not generally be considered an invasion of privacy or harmful if disclosed - FERPA does not designate specific information types as directory information for every educational institution but rather allows individual educational institutions to create their own definitions based on lists of examples provided in the statute and rules laid down by the Department of Education.

Answer 370

name, date of birth, address, email address, telephone number, field of study, and honors received

Answer 371

. . . . students with an opportunity to opt out, or block the release of their directory information. Students cannot use this opt-out to prevent the release of information that falls under a FERPA exception

Answer 372

The regulations promulgated under FERPA specifically exclude the use of Social Security numbers or student identification numbers as directory information. An educational institution, however, may use student identification numbers as directory information if that number cannot be used to access education records without another factor known only by the authorized user.

Answer 373

Valid student consent to disclosure must be signed (by hand or electronically), dated and written. It must also identify: (1) The record(s) to be disclosed (2) The purpose of disclosure (3) To whom the disclosure is being made

Answer 374

1. Disclosure to school officials who have determined a "legitimate educational interest” in the records 2. Disclosure to educational institutions in which a student seeks or intends to enroll, or is currently enrolled, when the disclosure is for a purpose related to the student’s enrollment or transfer. 3. Disclosure in connection w/ financial aid that the student has received or for which the student will apply, when the purpose of the disclosure is to determine the student’s eligibility for aid or conditions to or amount of financial aid. 4. Disclosure to orgs doing research studies for, or on behalf of, educational institutions for the purpose of developing predictive tests, administering student aid programs or improving school instruction. 5. Disclosure to accrediting organizations to fulfill accrediting duties. 6. Disclosure to the alleged victim of a forcible or nonforcible sex offense. 7. Disclosure of info related to sex offenders and others when the info is provided to the school under federal registration and disclosure requirements. 8. Disclosure to a person or entity that is verified as the party that provided or created that record. 9. Disclosure to law enforcement or otherwise to comply with a judicial order or subpoena. 10. Disclosure to appropriate parties in connection with a “health or safety emergency,” if knowledge of this information is necessary to protect the health or safety of the student or others

Answer 375

- A legitimate educational interest exists if the record is relevant and necessary to the school official’s responsibilities - This group includes school employees and board members as well as 3rd-party vendors (1) to whom the school outsources duties and (2) who are under the direct control of the school regarding use and maintenance of the record. - These 3rd parties are not permitted to disclose record info to any other party without consent, and cannot use the record for any other purpose than for which the disclosure was made

Answer 376

if a student transfers high schools, the second school can disclose a student’s transcript to the original school to verify its authenticity

Answer 377

The threat of harm must be “articulable and significant,” and the school can take the totality of the circumstances into account in making this determination. Information can be disclosed to any individual with the ability to assist in the situation—this includes parents, law enforcement, school officials, spouse or partner and other educational institutions, among others

Answer 378

A school is safe from federal scrutiny of its health and safety emergency determination as long as, based on the information available at the time, there is rational basis for the determination

Answer 379

FERPA provides students with the right to access and review their education records

Answer 380

- Once a student has issued a request, the educational institution must provide access to the records within 45 days of that request. - It also must respond to reasonable requests from students for explanations of the records

Answer 381

As with other disclosures to third parties, the educational institution must use reasonable measures to verify the identity of the student making the record request

Answer 382

- Students can request corrections to their education records if they believe the records to be inaccurate, misleading or in violation of their privacy. - This access is intended to allow students to address incorrect records and is not for other purposes - If the request is granted, the records must be corrected within a reasonable time

Answer 383

The student has a right to request a hearing

Answer 384

- The student must receive prior and reasonable notice of the time, place and date. - It must be held within a reasonable time after the request is made. - It must be conducted by a party without a direct interest in the outcome - The student must be afforded a “full and fair” opportunity to present his or her case, with or without assistance or representation. - The decision must be based on the evidence presented at the hearing, delivered, in writing, within a reasonable amount of time after the hearing, and must contain a summary and explanation for the decision

Answer 385

Congress responded to concerns about the collection and disclosure of student information for commercial purposes by amending FERPA in 1978 with the Protection of Pupil Rights Amendment (PPRA)

Answer 386

PPRA provides certain rights to parents of minors with regard to the collection of sensitive information from students through surveys.

Answer 387

- Political affiliations - Mental and psychological problems potentially embarrassing to the student and his/her family - Sex behavior and attitudes - Illegal, antisocial, self-incriminating and demeaning behavior - Critical appraisals of other individuals with whom respondents have close family relationships - Legally recognized privileged or analogous relationships, such as those of lawyers, physicians and ministers - Religious practices, affiliations or beliefs of the student or student’s parent - Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program)

Answer 388

The No Child Left Behind Act of 2001 broadened the PPRA to limit the collection and disclosure of student survey information

Answer 389

- Enact policies regarding the collection, disclosure or use of personal information about students for commercial purposes - Allow parents to access and inspect surveys and other commercial instruments before they are administered to students - Provide advance notice to parents about the approximate date when these activities are scheduled - Provide parents the right to opt-out of surveys or other sharing of student information for commercial purposes

Answer 390

PPRA requirements apply to all elementary and secondary schools that receive federal funding; the statute, however, does not apply to postsecondary schools

Answer 391

- If the school receives federal funding >> the health records are subject to FERPA—and not HIPAA—where a public elementary or secondary school provides a nurse for student health issues - By contrast, FERPA does not apply to private elementary or secondary schools that do not receive federal funding. Health records maintained by one of these private schools are thus subject to the HIPAA Privacy Rule if the school qualifies as a “covered entity” under the federal law

Answer 392

- A college or university with a healthcare clinic that treats only students is generally subject to the confidentiality requirements of FERPA relating to the student’s health-care records - Both FERPA and the HIPAA Privacy Rule typically apply to the college or university healthcare center that treats both students and nonstudents—such as faculty and staff - FERPA applies to the student health records, and the HIPAA Privacy Rule applies to the nonstudent health records

Answer 393

- In 2014, students in California who used Apps for Education sued Google, accusing the company of scanning millions of emails sent to and received by the students. - The Electronic Privacy Information Center, a nongovernmental organization focused on civil liberties and privacy, asserted that Google’s practice violated FERPA, and advocated for the Department of Education to investigate the company. - Soon after the lawsuit was filed, Google agreed to change its business practices to ensure that the information in the emails could not be used for commercial purposes

Answer 394

includes a dozen specific provisions, including a prohibition on selling student personal information and a ban on using information collected in schools for behavioral targeting of advertisements to students

Answer 395

Violation of the pledge would make a company subject to enforcement as a deceptive trade practice under Section 5 of the Federal Trade Commission Act

Answer 396

At 18, the student is the person in control of rights connected to education records, including grades, rather than the parents. If a student has left high school and is attending only a postsecondary institution, the rights under FERPA are held by the student—regardless of the student’s age

Answer 397

Even after the rights under FERPA have transferred to the student, however, a school may disclose to the parents the educational records of the student, without the student’s consent, in the circumstance where the student is a dependent for tax purposes

Answer 398

The tort of “intrusion on seclusion” imposes liability on “one who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns"