CIPP / US Book - Part 2 Flashcards

Question

The TSR requires that, at the beginning of the call, before delivering any sales content, telemarketers disclose:

Answer 1

(1) The identity of the seller (2) That the purpose of the call is to sell goods or services (must be honest >> name all purposes) (3) The nature of those goods or services (4) In the case of a prize promotion, that no purchase or payment is necessary to participate or win, and that a purchase or payment does not increase the chances of winning

Answer 2

- TSR prohibits misrepresentations during the sales call. Telemarketers must provide accurate and complete information about the products and services being offered. - They may not omit any material facts about the products or services

Answer 3

CRAMP CNDM 1. Cost and quantity 2. Refund, repurchase or cancellation policies 3. Affiliations, endorsements, or sponsorships 4. Material restrictions, limitations, or conditions 5. Performance, efficacy, or central characteristics 6. Credit card loss protection 7. Negative option features 8. Debt relief services 9. Material aspects of prize promotions and investment opportunities

Answer 4

TSR requires entities that make telemarketing calls to transmit accurate call identification information so that it can be presented to consumers with caller ID services

Answer 5

Each telemarketer may transmit its own name and phone number, or it may substitute the name of the seller on whose behalf the telemarketer is making the call. The telemarketer may also substitute the seller’s customer-service telephone number for its number, provided that the seller’s number is answered during normal business hours

Answer 6

- Telemarketers are not liable if, for some reason, caller ID information does not reach a consumer, provided that the telemarketer has arranged with its carrier to transmit this information in every call - The FTC guidance states that “telemarketers who can show that they took all available steps to ensure transmission of Caller ID information in every call will not be liable for isolated inadvertent instances when the Caller ID information fails to make it to the consumer’s receiver

Answer 7

- TSR expressly prohibits telemarketers from abandoning an outbound telephone call with either “hang-ups” or “dead air.” - Under the TSR, an outbound telephone call is “abandoned” if a person answers it and the telemarketer does not connect the call to a live sales representative within two seconds of the person’s completed greeting

Answer 8

The use of prerecorded-message telemarketing, where a sales pitch begins with or is made entirely by a prerecorded message, also violates the TSR because the telemarketer is not connecting the call to a live sales representative within 2 seconds of the called person’s completed greeting

Answer 9

For a company to use prerecorded sales messages, it must have the prior express consent (opt-in) of the consumer

Answer 10

According to the FTC guidance, the abandoned call Safe Harbor provides that a telemarketer will not face enforcement action for violating the call abandonment prohibition if the telemarketer: (1) Uses technology that ensures abandonment of no more than 3 percent of all calls answered by a live person, measured per day per calling campaign (2) Allows the telephone to ring for 15 seconds or four rings before disconnecting an unanswered call (3) Plays a recorded message stating the name and telephone number of the seller on whose behalf the call was placed whenever a live sales representative is unavailable within two seconds of a live person answering the call (4) Maintains records documenting adherence to the preceding three requirements

Answer 11

To take advantage of the Safe Harbor, a telemarketer must first ensure that a live representative takes at least 97 percent of the calls answered by consumers

Answer 12

The Safe Harbor also requires the telemarketer to let the phone ring at least four times (or for 15 seconds). This requirement is designed to ensure that consumers have sufficient time to answer a call.

Answer 13

For the small number of calls that are abandoned, the TSR’s Safe Harbor requires the telemarketer to play a recorded greeting, consisting of the company’s name and phone number and a statement that the call was for telemarketing purposes. This recorded message may not contain a sales pitch

Answer 14

Yes, telemarketers must keep records that demonstrate its compliance with the other Safe Harbor provisions The records must demonstrate both that the per-day, per-campaign abandonment rate has not exceeded three percent and that the ring time and recorded message requirements have been met

Answer 15

- Obtain from the customer at least the last four digits of the account number to be charged - Obtain the customer’s express agreement to be charged for the goods or services using the account number for which the customer has provided at least the last four digits - Make and maintain an audio recording of the entire telemarketing transaction

Answer 16

In 2012, the FCC revised its Telephone Consumer Protection Act (TCPA) rules governing prerecorded calls (robocalls) and the use of automatic telephone dialing systems (autodialers) to reconcile its rules with the TSR

Answer 17

- Now, even if a company has an established business relationship with a consumer, it is required to receive “prior express written consent” for all robocalls to residential lines. - Second, the rules include a provision that allows consumers to “opt out of future robocalls during a robocall.”

Answer 18

In addition, the revisions increase harmonization with the FTC’s rules to require “assessment of the call abandonment rate to occur during a single calling campaign over a 30-day period, and if the single calling campaign exceeds a 30-day period, we require that the abandonment rate be calculated each successive 30-day period or portion thereof during which the calling campaign continues

Answer 19

are exempt from the above requirements

Answer 20

- FCC issued an order explicitly stating that text messages sent to wireless devices are subject to the same consumer protections as voice calls under the TCPA. - This means that the TCPA prohibits companies from sending text messages via equipment that sends the messages without human intervention, known as “robotexts”—absent express consent

Answer 21

(1) consent can be revoked by the consumer at any time by any reasonable means, (2) the mere fact that a consumer’s wireless number appears in the contact list of another wireless customer is not sufficient to establish consent and (3) when a caller has consent for a wireless number and the number has been reassigned, the caller is not liable for the first call but will be liable for subsequent calls if the new consumer makes the caller aware of the change

Answer 22

In general, the following records must be maintained for 2 years from the date that the record is produced: - Advertising and promotional materials - Information about prize recipients - Sales records - Employee records - All verifiable authorizations or records of express informed consent or express agreement

Answer 23

Sales records must include: (1) the name and last known address of each customer, (2) the goods or services purchased, (3) the date the goods or services were shipped or provided and (4) the amount the customer paid for the goods or services

Answer 24

(1) the name (and any fictitious name used), (2) the last known home address and telephone number and (3) the job title(s) of each employee. - Additionally, if fictitious names are used by employees, the TSR also requires that each fictitious name be traceable to a specific employee

Answer 25

Violations of the TSR are currently punishable by civil penalties of up to $40,654 per call. The FCC and state attorneys general also actively enforce their counterpart regulations. Additionally, some states have their own versions of telemarketing sales rules that carry additional penalties and may have different requirements

Answer 26

TCPA, enforced by the FCC, prohibits unsolicited commercial fax transmissions

Answer 27

Penalties include a private right of action and statutory damages of up to $500 per fax

Answer 28

In 2005, Congress passed the Junk Fax Prevention Act (JFPA) in part to clarify whether consent was required for commercial faxing

Answer 29

Provides that consent can be inferred from an EBR, and it permits sending of commercial faxes to recipients based on an EBR, as long as the sender offers an opt-out in accordance with the act

Answer 30

Notably, California attempted to eliminate the TCPA’s EBR exception with legislation applicable to unsolicited faxes sent to or from a fax machine located within the state. The law, however, was declared unconstitutional when applied to interstate fax transmissions due to the TCPA’s preemption of interstate regulation

Answer 31

The law covers the transmission of commercial email messages whose primary purpose is advertising or promoting a product or service

Answer 32

The act applies to anyone who advertises products or services by electronic mail directed to or originating from the United States

Answer 33

CAN-SPAM was never intended to eliminate all unsolicited commercial email, but rather to provide a mechanism for legitimate companies to send emails to prospects and respect individual rights to opt-out of unwanted communications

Answer 34

A law that created the rules of the road for how legitimate organizations send emails, including clear identification of the sender and a simple unsubscribe or opt-out

Answer 35

- Requires commercial emails to contain a functioning, clearly and conspicuously displayed return email address that allows the recipient to contact the sender - Requires all commercial emails to include clear and conspicuous notice of the opportunity to opt-out along with a cost-free mechanism for exercising the opt-out, such as by return email or by clicking on an opt-out link - Requires all commercial email to include (1) clear and conspicuous identification that the message is a commercial message (unless the recipient has provided prior affirmative consent to receive the email) and (2) a valid physical postal address of the sender (which can be a post office box) - Requires all commercial email containing sexually oriented material to include a warning label (unless the recipient has provided prior affirmative consent to receive the email)

Answer 36

- Prohibits false or misleading headers - Prohibits deceptive subject lines - Prohibits sending commercial email (following a grace period of 10 business days) to an individual who has asked not to receive future email - Prohibits “aggravated violations” relating to commercial emails such as (1) address-harvesting and dictionary attacks, (2) the automated creation of multiple email accounts and (3) the retransmission of commercial email through unauthorized accounts

Answer 37

CAN-SPAM is enforced primarily by the FTC and carries penalties of fines of up to $40,654 per violation. - In addition, deceptive commercial email is subject to laws banning false or misleading advertising - FTC has the authority to issue regulations implementing the CAN-SPAM Act and did so in 2008 to clarify a number of statutory definitions

Answer 38

messages whose primary purpose is to: - Facilitate or confirm an agreed-upon commercial transaction - Provide warranty or safety information about a product purchased or used by the recipient - Provide certain information regarding an ongoing commercial relationship - Provide information related to employment or a related benefit plan - Deliver goods or services to which the recipient is entitled under the terms of an agreed-upon transaction

Answer 39

The FTC issued a regulation in 2008 clarifying that the entity identified in the “from” line can generally be considered the single sender as long as there is compliance with the other provisions of CAN-SPAM

Answer 40

(1) the "from" in the subject line (2) a prohibition on having the email recipient pay a fee to opt-out, (2) the definition of “valid physical postal address” and (3) the application of the term person to apply beyond natural persons

Answer 41

FTC and other federal regulators, along with state attorneys general and other state officials

Answer 42

- Yes, Violators for injunctive relief and monetary damages - Unlike some state spam laws that are now preempted, the act does not provide for a right of action for other parties - For those authorized to sue, the act provides for injunctive relief and damages up to $250 per violation, with a maximum award of $2 million

Answer 43

For those authorized to sue, the act provides for injunctive relief and damages up to $250 per violation, with a maximum award of $2 million. The act further provides that a court may increase a damage award up to three times the amount otherwise available in cases of willful or aggravated violations. Certain egregious conduct is punishable by up to five years imprisonment

Answer 44

A federal judge shut down a company called 3FN based on the FTC’s allegations that it had knowingly distributed spam and malware as well as hosted illegal content, such as child pornography

Answer 45

- CAN-SPAM preempts most state laws that restrict email communications - Although state spam laws are not superseded by CAN-SPAM to the extent such laws prohibit false or deceptive activity

Answer 46

- Mobile service commercial messages (MSCMs): “a commercial electronic mail message that is transmitted directly to a wireless device that is utilized by a subscriber of a commercial mobile service.” - The message must have (or utilize) a unique electronic address that includes “a reference to an Internet domain.”

Answer 47

The FCC rule defers to the FTC rules and interpretation regarding the definitions of “commercial” and “transactional” (with respect to the mail messages) as well as the mechanisms for determining the “primary purpose” of messages. Accordingly, the FCC rule must be analyzed in the context of the FTC regulatory framework for the CAN-SPAM Act

Answer 48

The CAN-SPAM Act prohibits senders from sending any MSCMs without the subscriber’s “express prior authorization"

Answer 49

1. Express prior authorization must be “express" >> consumer has taken an affirmative action to give “the entity that is being authorized to send the MSCMs. - FCC rule prohibits any sender from sending MSCMs on behalf of other third parties, including affiliates and marketing partners 2. Authorization may be obtained in any format, oral or written, including electronic - FCC requires that each sender of MSCMs must document authorization and be able to demonstrate that a valid authorization (meeting all the other requirements) existed prior to sending the commercial message. - The burden of proof rests w/ the sender 3. With regard to revocations, senders must enable consumers to revoke authorizations using the same means the consumers used to grant authorizations. (Ex./ if a consumer authorizes MSCMs electronically, the company must permit the consumer to revoke the authorization electronically.) 4. MSCMs themselves must include functioning return email addresses or another Internet-based mechanism that is clearly and conspicuously displayed for the purpose of receiving opt-out requests. - Consumers must not be required to view or hear any further commercial content during the opt-out process (other than institutional identification). 5. The FCC rule maintains the CAN-SPAM–mandated 10-business-day grace period following a revoked authorization, after which messages cannot be sent.

Answer 50

To help senders of commercial messages determine whether those messages might be MSCMs (rather than regular commercial email), the FCC has created a registry of wireless domain names (available on the FCC website). It is updated on a periodic basis, as new domains are added

Answer 51

Senders are responsible for obtaining this list and ensuring that the appropriate authorizations exist before sending commercial messages to addresses within the domains

Answer 52

According to the FCC guidance, messages that are not sent to an address for a wireless device, but are only forwarded to a wireless device, are not subject to FCC rules on MSCMs

Answer 53

The providers are also responsible for updating information on the domain name list to the FCC within 30 days before issuing any new or modified domain names.

Answer 54

The statute imposed new restrictions on the access, use and disclosure of customer proprietary network information (CPNI)

Answer 55

Section 222 of the act governs the privacy of customer information provided to and obtained by telecommunications carriers. Prior to the act, carriers were permitted to sell customer data to third-party marketers without consumer consent

Answer 56

CPNI is information collected by telecommunications carriers related to their subscribers. This includes subscription information, services used, and network and billing information as well as phone features and capabilities. It also includes call log data such as time, date, destination and duration of calls. Certain PI such as name, telephone number and address is not considered CPNI

Answer 57

Telecommunications carriers and voice-over-Internet protocol (VoIP) providers that are interconnected with telephone service

Answer 58

- The Act imposes requirements on carriers to limit access, use and disclosure of CPNI. Specifically, carriers can use and disclose CPNI only with customer approval or “as required by law.” - However, carriers do not need approval to use, disclose or provide marketing offerings among service categories that customers already subscribe to - Carriers can also use CPNI for billing and collections, fraud prevention, customer service and emergency services

Answer 59

The Tenth Circuit found that the opt-in requirement violated the First Amendment speech rights of the carriers. Thus, the standard shifted to an opt-out system for carriers’ own use of CPNI

Answer 60

The 2007 CPNI order requires customers to expressly consent, or opt in, before carriers can share their CPNI with joint venture partners and independent contractors for marketing purposes

Answer 61

1st. Carriers must notify law enforcement when CPNI is disclosed in a security breach within seven business days of that breach 2nd. Customers must provide a password before they can access their CPNI via telephone or online account services

Answer 62

The Cable Communications Policy of 1984 regulates the notice a cable television provider must furnish to customers, the ability of cable providers to collect PI, the ability of cable providers to disseminate PI and the retention and destruction of PI by cable television providers

Answer 63

The Act provides a private right of action for violations of the aforementioned provisions, and allows for actual or statutory damages, punitive damages and reasonable attorney’s fees and court costs

Answer 64

The act does not regulate the provision of broadband Internet services via cable because the act defines a “cable service” as “one-way transmission to subscribers of . . . video programming or . . . other programming service, and . . . subscriber interaction, if any, which is required for the selection or use of such video programming or other programming service

Answer 65

give subscribers a privacy notice that “clearly and conspicuously” informs subscribers of: (1) the nature of the PI collected, (2) how such information will be used, (3) the retention period of such information and (4) the manner by which a subscriber can access and correct such information

Answer 66

The “written or electronic consent” of the subscriber, unless the disclosure is subject to a specified exception

Answer 67

Disclosures may be made: (1) to the extent necessary to render services or conduct other legitimate business activities, (2) subject to a court order with notice to the subscriber or (3) if the disclosure is limited to names and addresses and the subscriber is given an option to opt-out

Answer 68

The act applies to “video tape service providers,” who are defined as anyone “engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” as well as individuals who receive PI in the ordinary course of a videotape service provider’s business or for marketing purposes

Answer 69

The act applies to “video tape service providers,” who are defined as anyone “engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” as well as individuals who receive PI in the ordinary course of a videotape service provider’s business or for marketing purposes

Answer 70

Videotape service providers are prohibited from disclosing customer PI unless an enumerated exception applies

Answer 71

(1) is made to the consumer themselves; (2) is made subject to the contemporaneous written consent of the consumer; (3) is made to law enforcement pursuant to a warrant, subpoena or other court order; (4) includes only the names and addresses of consumers; (5) includes only names, addresses and subject matter descriptions and the disclosure is used only for the marketing of goods or services to the consumers; (6) is for order fulfillment, request processing, transfer of ownership or debt collection; or (7) is pursuant to a court order in a civil proceeding and the consumer is granted a right to object

Answer 72

The act requires that PI be destroyed “as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to such information"

Answer 73

- It affords a private right of action for violations and allows for actual or statutory damages, punitive damages, and reasonable attorney’s fees and court costs. - Statutory damages are set at $2,500. - Cases against Blockbuster, Netflix, and Redbox, suggest that the private right of action extends only to disclosure-related violations and not violations based merely on improper retention

Answer 74

The VPPA does not preempt more protective state laws, which may give rise to stricter penalties

Answer 75

Allowed for one-time consumer consent that was valid for up to two years, replacing the contemporaneity requirement

Answer 76

- Digital Advertising Alliance (DAA) Self-Regulatory Principles for Online Behavioral Advertising and - The Network Advertising Initiative (NAI) Code of Conduct

Answer 77

A nonprofit organization that collaborates with businesses, public policy groups and public officials to establish and enforce “responsible privacy practices across industry for relevant digital advertising, providing consumers with enhanced transparency and control

Answer 78

- A nonprofit self-regulatory association comprised exclusively of third-party digital advertising companies. - The NAI Code of Conduct is a list of self-regulatory principles that all NAI members agree to uphold. - The Code requires notice and choice with respect to interest-based advertising, limits on the types of data that member companies can use for advertising purposes, and a number of substantive restrictions on member companies’ collection, use, and transfer of data used for online behavioral advertising

Answer 79

An important effect of the reclassification is that broadband Internet providers also became subject to other requirements of the Telecommunications Act of 1996, notably including the CPNI privacy requirements in Section 222

Answer 80

(1) required customer opt-in for uses of sensitive personal information, (2) allowed the use of customer opt-out for uses not involving sensitive personal information and (3) permitted inferred customer consent for providing the underlying services and related uses

Answer 81

- Amended by Assembly Bill 370; these amendments, which required privacy policies to include information on how the operator responds to Do Not Track signals or similar mechanisms. - The law also requires privacy policies to state whether third parties can collect PII about the site’s users

Answer 82

- The categories of PII collected through the site - The categories of third-party entities with whom the operator may share PII or other content - How the operator responds to web browsers’ Do Not Track signals or other mechanisms that provide consumers the ability to choose regarding collection of PII about an individual consumer’s online activities overs time and across third-party websites - Whether other parties may collect PII about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website

Answer 83

- The U.S. Const. has signiﬁcant workplace privacy provisions that apply to the federal and state governments, but it does not affect private-sector employment - The 4th Amendment prohibits unreasonable searches and seizures by state actors Courts have interpreted this amendment to place limits on the ability of government employers to search employees’ private spaces, such as lockers and desks. - Some states, including California, have extended their constitutional rights to privacy to private-sector employees

Answer 84

The most important contracts concerning employee privacy are collective bargaining agreements

Answer 85

- intrusion on seclusion - publicity given to private life - defamation

Answer 86

One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person

Answer 87

One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person and (b) is not of legitimate concern to the public

Answer 88

So to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.

Answer 89

1. HIPAA contains privacy and security rules that regulate “protected health information” for health insurers, including self-funded health plans. 2. COBRA requires qualiﬁed health plans to provide continuous coverage after termination to certain beneﬁciaries. 3. The Employee Retirement Income Security Act (ERISA) ensures that employee beneﬁts programs are created fairly and administered properly 4. The Family and Medical Leave Act (FMLA) entitles certain employees to unpaid leave in the event of birth or illness of self or a family member

Answer 90

1. Fair Credit Reporting Act (FCRA) regulates the use of “consumer reports” obtained from consumer reporting agencies (CRAs) in reference checking and background checks of employees 2. Fair Labor Standards Act (FLSA) establishes the minimum wage and sets standards for fair pay 3. Occupational Safety and Health Act (OSHA) regulates workplace safety 4. Whistleblower Protection Act protects federal employees and applicants for employment who claim to have been subjected to personnel actions because of whistleblowing activities 5. National Labor Relations Act (NLRA) sets standards for collective bargaining, which also applies in social media communications 6. Immigration Reform and Control Act (IRCA) requires employment eligibility veriﬁcation 7. Securities Exchange Act of 1934 requires disclosures about payment and other information about senior executives of publicly traded companies, as well as registration requirements for market participants such as broker-dealers and transfer agents

Answer 91

1. The Employee Polygraph Protection Act of 1988, which limits employer use of lie detectors 2. Electronic surveillance laws, including the Wiretap Act, the Electronic Communications Privacy Act and the Stored Communications Act (SCA)

Answer 92

- U.S. Department of Labor - The Equal Employment Opportunity Commission (EEOC) - Federal Trade Commission (FTC) - The Consumer Financial Protection Bureau (CFPB) - The National Labor Relations Board (NLRB)

Answer 93

- Oversees the welfare of job seekers, wage earners, and retirees of the US by improving their working conditions, advancing their opportunities for proﬁtable employment, protecting their retirement and health care beneﬁts, helping employers ﬁnd workers, strengthening free collective bargaining, and tracking changes in employment, prices, and other national economic measurements - To achieve this mission, the department administers a variety of federal laws, FLSA, OSHA and ERISA

Answer 94

- Works to prevent discrimination in the workplace - The EEOC oversees many laws, including Title VII of the Civil Rights Act, the Age Discrimination in Employment Act of 1967 (ADEA) and Titles I and V of the Americans with Disabilities Act of 1990 (ADA)

Answer 95

Both the FTC and the CFPB regulate unfair and deceptive practices and enforce a variety of laws, including the FCRA, which limits employers’ ability to receive an employee’s or applicant’s credit report, driving records, criminal records and other consumer reports obtained from a CRA

Answer 96

Administers the National Labor Relations Act. The board conducts elections to determine if employees want union representation and investigates and remedies unfair labor practices by employers and unions

Answer 97

Before employment, employers should consider rules and best practices about background screening, including rules for accessing employee information under the FCRA

Answer 98

During employment, major topics include polygraphs and psychological testing; substance testing; employee monitoring, including of phone calls and emails; and emerging issues such as social network monitoring and “bring your own device (BYOD)"

Answer 99

After employment, the main issues are terminating access to physical and informational assets, and proper human resources practices post-employment

Answer 100

True. Employment laws in the United States often provide employers with more discretion than laws in the EU and other countries in the handling of personal information

Answer 101

- The terrorist attacks of September 11, 2001, resulted in heightened attention to security issues and support for more stringent identity-veriﬁcation requirements - Greater attention to child abuse and abductions has led to laws in almost every state requiring criminal background checks for people who work with children - Business governance scandals, such as those at Enron and WorldCom, spurred passage of the Sarbanes-Oxley Act in 2002, which has increased the incentives for corporate leaders to scrutinize practices in the areas they manage - The rapid increase of information about candidates from online search and social media sites has made background checks easier

Answer 102

- Typically, anyone who works with the elderly, children or the disabled must now undergo background screening. - The federal National Child Protection Act authorizes state ofﬁcials to access the Federal Bureau of Investigation’s National Crime Information Center database for some positions that involve contact with children. - Many state and federal gov't jobs require rigorous background checks to obtain a security clearance

Answer 103

denying employment based on criminal convictions, to ensure that their requirements are job related and consistent with business necessity

Answer 104

1. Title VII of the Civil Rights Act of 1964 bars discrimination in employment due to race, color, religion, sex and national origin. 2. The Equal Pay Act of 1963 bars wage disparity based on sex. 3. The Age Discrimination Act bars discrimination against individuals over 40 4. The Pregnancy Discrimination Act bars discrimination due to pregnancy, childbirth and related medical conditions 5. ADA bars discrimination against qualiﬁed individuals with disabilities 6. GINA 7. The Bankruptcy Act provision 11 U.S.C. § 525(b) prohibits employment discrimination against persons who have ﬁled for bankruptcy. There is some ambiguity, however, as to whether the statute applies to discrimination prior to the extension of an offer of employment, and courts have read the statute both ways

Answer 105

. . .about current or intended pregnancy under the Pregnancy Discrimination Act, about age under the Age Discrimination Act, or about disability under the Americans with Disabilities Act (ADA)

Answer 106

For instance, the company faces a greater risk of pregnancy or sex discrimination claims if women—but not men—are asked about how long they expect to stay on the job

Answer 107

- Created important restrictions on medical screening of candidates before employment. - The law forbids employers with 15 or more employees from discriminating against a “qualiﬁed individual with a disability because of the disability of such individual,” and speciﬁcally covers “medical examinations and inquiries” as grounds for discrimination

Answer 108

(1) all entering employees are subjected to such an examination regardless of disability, (2) conﬁdentiality rules are followed for the results of the examination and (3) the results are used only in accordance with the statutory prohibitions against discrimination on the basis of disability

Answer 109

ADA requires an employer to provide reasonable accommodation to qualiﬁed individuals who are employees or applicants for employment, unless to do so would cause undue hardship

Answer 110

ADA does not cover the use of drugs or alcohol, although it does cover questions about recovered drug addicts and alcoholics

Answer 111

Most importantly, the ADAAA legislatively overturned two U.S. Supreme Court cases under which ADA claims were frequently rejected: Sutton v. United Air Lines and Toyota v. Williams

Answer 112

In Sutton, the court held that pilots with severe myopia—but correctable with glasses—did not have a disability under the ADA because a “‘disability’ exists only where an impairment ‘substantially limits’ a major life activity, not where it ‘might,’ ‘could,’ or ‘would’ be substantially limiting if mitigating measures were not taken"

Answer 113

Toyota further limited the scope of the ADA, rejecting a claim that carpal tunnel syndrome limited a worker’s ability to work with power tools, holding that “an individual must have an impairment that prevents or severely restricts the individual from doing activities that are of central importance to most people’s daily lives. The impairment’s impact must also be permanent or long-term”

Answer 114

a “permissible purpose” exists

Answer 115

(1) preemployment screening for the purpose of evaluating the candidate for employment and (2) determining if an existing employee qualiﬁes for promotion, reassignment or retention

Answer 116

The FCRA also permits employers to obtain an “investigative consumer report” on the applicant if a permissible purpose exists

Answer 117

1. Provide written notice to the applicant that it is obtaining a consumer report for employment purposes and indicate if an investigative consumer report will be obtained 2. Obtain written consent from the applicant Obtain data only from a qualiﬁed consumer reporting agency, an entity that has taken steps to assure the accuracy and currency of the data 3. Certify to the CRA agency that the employer has a permissible purpose and has obtained consent from the employee 4. Before taking an adverse action, such as denial of employment, provide a pre-adverse-action notice to the applicant with a copy of the consumer report, in order to give the applicant an opportunity to dispute the report 5. After taking adverse action, provide an adverse action notice

Answer 118

If employers do not comply with these requirements, they may face civil and criminal penalties, including a private right of action

Answer 119

- The amendments preempted a wide range of state laws on credit reporting, identity theft and other areas within the FCRA. - FACTA, however, speciﬁcally left some existing state laws in effect, notably the California Investigative Consumer Reporting Agencies Act (ICRAA)

Answer 120

1. Employers must notify applicants and employees of their intention to obtain and use a consumer report. 2. Once disclosure is made, the employer must obtain the applicant or employee’s written authorization prior to requesting the report. 3. On the notice and authorization form, employers must enable applicants and employees to check a box to receive a copy of their consumer report any time a background check is conducted. 4. If employers wish to take adverse employment action, they must provide the employee with a copy of the report, regardless of whether the employee waived the right to receive a copy. This exception does not apply to employees suspected of wrongdoing or misconduct

Answer 121

- The fact that a report may be obtained - The permissible purpose of the report - The fact that the disclosure may include information on the consumer’s character, general reputation, personal characteristics and mode of living - The name, address and telephone number of the investigative consumer reporting agency

Answer 122

FRCA: - Allows employers to use the original written consent to get updates to the employee’s credit report as needed - Requires that an employer get written consent only if the employer obtains data from a consumer reporting agency - If the employer does the background check itself (for instance, by directly accessing public records from the gov't records keeper and calling references), it does not need to obtain written consent under the FCRA ICRAA: - Employer must obtain written consent every time a background check is requested under the ICRAA. - Requires employers to give the employee or applicant any public records resulting from an in-house background check unless the employee waives that right

Answer 123

The FCRA does not preempt states from creating stronger legislation in the area of employment credit history checks, such as the California ICRAA just discussed. Nine other states—Connecticut, Delaware, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont and Washington—currently limit the use of credit information in employment

Answer 124

Under the act and its regulations, issued by the Department of Labor, employers are prohibited from using “lie detectors” on incumbent workers or to screen applicants

Answer 125

- A lie detector is deﬁned to include polygraphs, voice stress analyzers, psychological stress evaluators, or any similar device used for the purpose of rendering a diagnostic opinion regarding an individual’s honesty - The act prohibits employers from requiring or requesting that a prospective or current employee take a lie detector test

Answer 126

- Government employees, employees in certain security services, those engaged in the manufacture of controlled substances, certain defense contractors and those in certain national security functions. - Tests are also allowed in connection with “an ongoing investigation involving economic loss or injury to the employer’s business,” such as theft, embezzlement or industrial espionage. Even for such investigations, there must be reasonable suspicion to test an employee, and other protections for the employee apply

Answer 127

EPPA requires employers to post the act’s essential provisions in a conspicuous location so that employees are aware of its existence

Answer 128

If the act is violated, employers may be subject to a ﬁne from the Department of Labor, as well as to private lawsuits

Answer 129

State laws are not preempted, and a large number of states have enacted laws further restricting the use of lie detectors in private employment

Answer 130

- EPPA and the ADA together place signiﬁcant national limits on psychological testing in the workplace - Employers must comply with the rules limiting lie detectors as well as the ADA prohibitions on the use of medical tests, including those designed to test an impairment of mental health - Employers continue to use psychological tests measuring personality traits such as honesty, preferences and habits in hiring and employment, although one expert reports that such tests may be concentrated in speciﬁc positions such as management and sales

Answer 131

Federal law also creates regulation for drug testing for employees in the aviation, railroading and trucking industries

Answer 132

- Preemployment—generally allowed if not designed to identify legal use of drugs or addiction to illegal drugs - Reasonable suspicion—generally allowed as a condition of continued employment if there is “reasonable suspicion” of drug or alcohol use based on speciﬁc facts as well as rational inferences from those facts (e.g., appearance, behavior, speech, odors) - Routine testing—generally allowed if the employees are notified at the time of hire, unless state or local law prohibits it - Post-accident testing—generally allowed to test as a condition of continued employment if there is “reasonable suspicion” that the employee involved in the accident was under the inﬂuence of drugs or alcohol - Random testing—sometimes required by law, prohibited in certain jurisdictions, but acceptable where used on existing employees in speciﬁc, narrowly deﬁned jobs, such as those in highly regulated industries where the employee has a severely diminished expectation of privacy or where testing is critical to public safety or national security

Answer 133

was amended in 2009 to protect a person who is 100 pounds overweight from discrimination based on a disability

Answer 134

No federal law protects smokers from discrimination

Answer 135

- Follow workplace safety and other laws that require or encourage monitoring - Protect physical security (such as video cameras near entrances) and cybersecurity (such as activity on computer systems) - Protect trade secrets - Limit liability for unlicensed transmission of copyrighted material and other conﬁdential company information - Improve work quality, such as by monitoring service calls with customers - Try to keep employees on task rather than spending time on personal business, such as surﬁng the web

Answer 136

OSHA requires employers to provide a safe workplace that complies with occupational health and safety standards. These standards require employees to perform tasks in a safe manner, to avoid injury. Thus, ensuring compliance with OSHA is one legal reason to monitor employees

Answer 137

- Cameras and video recordings that do not have sound recordings are outside the scope of the federal wiretap and stored-record statutes - Many U.S. employers use closed-circuit television (CCTV) or other video surveillance in the workplace

Answer 138

- California is like other states in forbidding video recording in areas such as restrooms, locker rooms and places where employees change clothes - Michigan’s statute is broader, forbidding installation of a device for observing or photographing a “private place” as deﬁned by the statute - Even in the absence of a statute, employees may be able to bring a common-law tort claim for invasion of privacy, especially where a jury would ﬁnd the use of the camera to be offensive

Answer 139

- Generally strict in prohibiting the interception of wire communications, such as telephone calls or sound recordings from video cameras; oral communications, such as hidden bugs or microphones; and electronic communications, such as emails

Answer 140

1. If a person is a party to a call or where one of the parties has given consent 2. The interception is done in the ordinary course of business

Answer 141

An employer who provides communication services, such as a company telephone, or email service, has the ability to intercept provided the interception occurs in the normal course of the user’s business

Answer 142

- The SCA creates a general prohibition against the unauthorized acquisition, alteration or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided

Answer 143

Violations for interceptions can lead to criminal penalties or a civil lawsuit

Answer 144

1. by the person or entity providing a wire or electronic communications service,” (often the employer) 2. by a user of that service with respect to a communication of or intended for that user

Answer 145

ECPA does not generally preempt stricter state privacy protections, and some state laws may protect e-mail communications

Answer 146

- U.S. federal law generally prohibits interference with mail delivery. Mail is considered “delivered,” however, when it reaches a business - As a result, the opening of business letters and packages by a representative of the business does not violate that statute, even if that representative is not the intended recipient

Answer 147

- Mobile phones, GPS devices and some tablet computers provide geolocation data, which enables tracking of the user’s physical location and movements. - This creates a category of personal information that typically did not exist before the prevalence of these mobile devices - Employers interested in monitoring the location of company vehicles equipped with GPS may generally do so without legal hindrance, provided that the monitoring occurs for business purposes during work hours and employees have been informed beforehand

Answer 148

- Individuals today have more information technology options than ever before - Computing devices range from traditional desktop computers and laptops to powerful smartphones, tablet computers and netbooks - Social networks, webmail and applications can be accessed across devices. Marked improvement in device capability and widespread Internet access allow employees to connect to their online networks from almost any location

Answer 149

If the employer is engaged in device monitoring or surveillance, it should disclose that information and obtain employee consent. When monitoring and searching the device, exposure of private employee data should be minimized

Answer 150

- DLP is a strategy used by businesses to ensure that sensitive data is not accessed, misused or lost by unauthorized users - This goal is accomplished by DLP software and tools by monitoring and controlling endpoint activities as well as protecting data as it moves

Answer 151

D3 R3 TP - Data classification - Data governance - Data discovery - Risk assessment - Remediation processes - Regulatory and privacy compliance - Training and awareness - Policies, standards and procedures

Answer 152

- Be careful to avoid liability or loss due to failure to take the allegations seriously. Ignoring a problem may allow it to grow or otherwise become more difﬁcult to resolve later. - Treat the employee with fairness during the investigation to reduce possible employee resentment as well as the risk that later litigation will result in harsher penalties if the employer is seen to have been unfair. - Follow laws and other corporate policies during the investigation. Particular attention should be given to collective bargaining agreements, which often contain provisions concerning investigations of employee misconduct. - Document the alleged misconduct and investigation to minimize risks from subsequent claims by the employee. - Consider the rights of people other than those being investigated, such as fellow employees who could be subject to retaliation or other problems

Answer 153

1. The communication is made to an employer in connection with the investigation of: (1) suspected misconduct related to employment, or (2) compliance with federal, state, or local laws and/or regulations, the rules of a self-regulatory organization, or any preexisting written employment policies 2. The communication is not made for the purpose of investigating a consumer’s creditworthiness, credit standing or credit “capacity and does not include information pertaining to those factors 3. The communication is not provided to any person except: (1) the employer or agent of the employer; (2) a federal or state ofﬁcer, agency, or department, or an ofﬁcer, agency, or department of a unit of general local government; (3) a self-regulating organization with authority over the activities of the employer or employee; (4) as otherwise required by law; or (5) pursuant to 15 U.S.C. § 1681f, which addresses disclosures to government agencies

Answer 154

that the employer disclose a summary of the nature and substance of the communication or report to the employee - This report can be issued after the investigation has been conducted and allows employers to maintain the secrecy of the investigation

Answer 155

- Secure the return of badges, keys, smartcards and other methods of physical access - Disable access for computer accounts - Ensure the return of laptops, smartphones, storage drives and other devices that may store company information - Seek, where possible, to have the employee return or delete any company data that is held by the employee outside of the company’s systems - Remind employees of their obligations not to use company data for other purposes - Clearly marked personal mail, if any, should be forwarded to the former employee, but work-related mail should be reviewed to ensure that proprietary company information is not leaked

Answer 156

to provide references, respond to inquiries about benefits and pensions, address health and safety issues that arise, respond to legal proceedings, and meet legal or regulatory retention requirements for particular types of records

Answer 157

The common law provides what is known as a “qualiﬁed privilege” for employers to report their experience with and impressions of the employee, to help in defense against defamation suits

Answer 158

In the United States, constitutional protections apply speciﬁcally to government employees. Contract and tort remedies can provide protections to employees, but they apply in a relatively narrow set of circumstances

Answer 159

(1) The Electronic Communications Privacy Act, (2) the Right to Financial Privacy Act (applying to financial institutions), and (3) the Privacy Protection Act (applying to reporters and media companies) - Privacy professionals need to be aware of these statutes, as a company can face legal consequences, depending on the context, for turning over either too much or too little information

Answer 160

Telephone companies and other communications providers can face especially complex rules about when and in what way they are permitted or required to provide information to the government

Answer 161

Requires health professionals and drug manufacturers to report serious adverse events, product problems or medication errors suspected to be associated with the use of an FDA-regulated drug, biologic, device or dietary supplement under the Food, Drug and Cosmetic Act

Answer 162

Requires compilation and reporting of information about certain workplace injuries and illnesses

Answer 163

- Permits disclosure of protected health information where disclosure is required by law - Many states require reporting of certain types of injuries and medical conditions, such as abuse, gunshot wounds, immunization records or specific contagious diseases

Answer 164

1. State the court from which it is issued 2. State the title of the action and its civil-action number 3. Command each person to whom it is directed to do the following at a specific time and place: attend and testify; produce designated documents, electronically stored information or tangible things in that person’s possession, custody or control; or permit the inspection of premises 4. Set out the text of the rules describing a person’s right to challenge or modify the subpoena

Answer 165

- Permits (but does not require) companies to disclose PHI when required to do so by another applicable law, such as the state laws that require reporting of medical information - HIPAA also permits covered entities to disclose PHI for reasons including public health, law enforcement and national security

Answer 166

- The owner or operator of a computer system can face penalties under the Electronic Communication Privacy Act for providing access to law enforcement without following legally mandated procedures - Permits, but does not require, the owner or operator of a computer system to provide such access in defined circumstances

Answer 167

1. The owner or operator of the protected computer authorizes the interception of the computer trespasser’s communications on the protected computer 2. The person acting under color of law (in an official capacity) is lawfully engaged in an investigation 3. The person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser’s communications will be relevant to the investigation 4. Such interception does not acquire communications other than those transmitted

Answer 168

HIPAA and the Children’s Online Privacy Protection Rule (COPPA) forbid disclosures of covered information to third parties, unless there is opt-in consent or a different exception applies

Answer 169

The Gramm-Leach-Bliley Act (GLBA) forbids disclosures to third parties if the individual has opted out

Answer 170

- attorney-client priviliege - doctor-patient - priest-penitent - spousal privilege - Where these apply, a doctor, member of the clergy or spouse cannot be compelled to testify about the other party, absent consent or some other exception

Answer 171

The U.S. has a strong tradition of public access to government records

Answer 172

- States that a party may seek a protective order providing that confidential info may not be revealed or must be revealed in “a particular way—such as “attorney’s eyes only”—during litigation - Moving party must demonstrate good cause, and a court will apply a 3-part test in deciding whether to grant the request: (1st) The resisting party must show the information to be confidential (2nd) The requesting party must show that the information is relevant and necessary to the case (3rd) The court must weigh the harm of disclosure against the need for the information

Answer 173

- Prohibits the parties from using or disclosing the protected health info for any purpose other than the litigation or proceeding for which such info was requested - Requires the return to the covered entity or destruction of the protected health info (including copies) at the end of the litigation - If a QPO is in place, a covered entity complies with privacy requirements for disclosure in litigation or administrative proceedings

Answer 174

- Applies to both paper and electronic filings and to both parties and nonparties filing documents - Specifically, attorneys are required to redact documents so that no more than the following information is included in court filings: (1) The last four digits of the Social Security number and taxpayer-identification number (2) The year of the individual’s birth (3) If the individual is a minor, only the minor’s initials (4) The last four digits of the financial account number

Answer 175

- Federal Criminal Rules of Procedure Rule 49.1 | - Federal Rules of Bankruptcy Procedure Rule 9037

Answer 176

- Has become an increasingly large focus of pretrial discovery in U.S. litigation - The discovery of ESI, generally known as e-discovery, has become an important subdiscipline in law and technology - E-discovery implicates both domestic privacy concerns and issues arising in transborder data flows

Answer 177

data retention program - In designing a retention policy, it should be remembered that ESI takes not only obvious forms such as email or word processing documents, but can also manifest itself as databases, web pages, server logs, instant messaging transcripts, voicemail systems, social networking records, thumb drives or even the microSD cards found in smartphones

Answer 178

Sedona Conference

Answer 179

1. Email retention policies should be administered by interdisciplinary teams composed of participants across a diverse array of business units 2. Such teams should continually develop their understanding of the policies and practices in place and identify the gaps between policy and practice 3. Interdisciplinary teams should reach consensus as to policies, while looking to industry standards 4. Technical solutions should meet and parallel the functional requirements of the organization

Answer 180

(1) a retention policy should be reasonable considering the facts of the situation, (2) courts may consider similar complaints against the organization and (3) courts may evaluate whether the organization instituted the policy in bad faith

Answer 181

HIPAA Privacy Regulation specifically addresses when protected health information may be disclosed during discovery (1st) A covered entity may disclose PHI if the subject of those records authorizes their release. (2nd) Absent a release, a covered entity may release PHI subject to a court order (3rd) A covered entity may disclose PHI subject to a discovery request if satisfactory assurances are provided

Answer 182

- A financial institution may disclose otherwise protected information “to comply with federal, state, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by federal, state, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.” - Federal courts have been willing to read this clause to encompass civil discovery requests, although protective orders should still be obtained by those disclosing the information

Answer 183

- Complying with U.S. discovery rules that expressly recognize the importance of broad preservation, collection and production. The rules therefore generally require the disclosure of all info relevant to the claims or defenses in a case that are in a party’s possession, custody or control—and this extends to info globally - Parties may also face compliance obligations under foreign laws that place an emphasis of the protection of personal data and recognize privacy as a fundamental right. Ex./ EU's General Data Protection Regulation (GDPR) makes e-discovery with European nations subject to even more restrictions

Answer 184

Under the treaty, the party seeking to displace the Federal Rules of Civil Procedure bears the burden of demonstrating that it is more appropriate to use the Hague Convention and must establish that the foreign law prohibits the discovery sought

Answer 185

- Outlines the factors that an American court may use to reconcile the conflict - These factors include: (1) The importance of the documents or data to the litigation at hand (2) The specificity of the request (3) Whether the information originated in the United States (4) The availability of alternative means of securing the information (5) The extent to which the important interests of the U.S. and the foreign state would be undermined by an adverse ruling

Answer 186

- For example, when victims of a terrorist attack sued a British bank for aiding and abetting a terrorist organization, British bank secrecy laws did not preempt the discovery request because the information was central to the case and the disclosure would advance both American and British interests in combatting terrorism. - Courts have also been willing to look to additional factors, such as the good faith of the party resisting compliance, in applying such a test

Answer 187

The Article 29 Working Party, which produced a working paper that explored the relationship between the Data Protection Directive and pretrial discovery in transborder lawsuits

Answer 188

encrypted, and the key transferred by a secure second method of transport.

Answer 189

it should be transported in a manner that preserves an audit trail

Answer 190

secure file transfer protocol (SFTP)

Answer 191

The gov't must show “probable cause” that a crime has been, is or is likely to be committed. Search warrants must be supported by specific testimony, often provided by a police officer. A neutral magistrate (judge) approves the search warrant. They cannot be general warrants, but instead must describe the place to be searched with particularity

Answer 192

A majority of the Supreme Court held that no warrant was required for wiretaps conducted on telephone company wires outside of the suspect’s building

Answer 193

What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected

Answer 194

“reasonable expectation of privacy” test

Answer 195

- The Supreme Court signaled important changes to the “in public” and third-party exceptions - Holding: unanimously that a warrant was needed when the police placed a Global Positioning System (GPS) device on a car and tracked its location for over a month. - The majority decision emphasized that the police had trespassed onto the car when they physically attached the GPS device - 4/9 justices, however, would have held that a search occurred even without the physical attachment, and even for movements that took place entirely in public

Answer 196

- Supreme Court unanimously held that the contents of a cell phone cannot be searched unless law enforcement officers first obtain a search warrant - The justices ruled that the data on a cell phone was quantitatively (the amount of data) and qualitatively (the kind of data) different than the contents that would normally be found in a physical container, which was the analogy the government had proposed to the court - As to the quantity of data, the Court noted the immense storage capacity of cell phones as well as the ability to link to remote storage - With regard to the quality of data, the Court opined that Internet searches can reveal a person’s interests, and location information can pinpoint an individual’s movement over time

Answer 197

- Was passed after the Supreme Court held that the Fourth Amendment did not apply to checking accounts

Answer 198

- Was passed after the Court held that it did not apply to telephone numbers called

Answer 199

opt-in consent from the patient. - Unauthorized disclosures can lead to enforcement by HHS - Section 512(f), however, goes into considerable detail about precisely when disclosure to law enforcement is permitted

Answer 200

1. The information sought is relevant and material to a legitimate law enforcement inquiry 2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought 3. De-identified information could not reasonably be used

Answer 201

(1) telephone monitoring and other tracking of oral communications; (2) privacy of electronic communications and (3) video surveillance, for which there is little applicable law

Answer 202

ECPA extended the ban on interception to “electronic communications,” which essentially are communications, including emails, that are not wire or oral communications

Answer 203

SCA was enacted as part of ECPA in 1986

Answer 204

creates a general prohibition against the unauthorized acquisition, alteration or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided

Answer 205

Violations can lead to criminal penalties or a civil lawsuit, so an expert in the SCA should generally be consulted before turning over such records in a law enforcement investigation. For monitoring within a company, the exceptions are simpler than for interceptions

Answer 206

- The SCA has an exception for conduct authorized “by the person or entity providing a wire or electronic communications service,” which will often be the company. - It also has an exception for conduct authorized “by a user of that service with respect to a communication of or intended for that use." - In general, legal limits on interceptions are stricter than for access to stored records

Answer 207

- ECPA does not preempt stricter state privacy protections, and that state laws may protect email communications - Ex./ Delaware law prohibits employers from “monitor[ing] or otherwise intercept[ing] any telephone conversation or transmission, electronic mail or transmission, or Internet access or usage” without prior written notice and daily electronic notice. - Connecticut law requires that “each employer who engages in any type of electronic monitoring shall give prior written notice to all employees who may be affected, informing them of the types of monitoring which may occur”

Answer 208

Expanded the definitions beyond telephone numbers to include “dialing, routing, addressing, or signaling information” transmitted to or from a device or process

Answer 209

Set new rules for national security investigations, prohibiting the use of pen register and trap and trace orders for bulk collection and restricting their use to circumstances where there were specific selectors such as an email address or telephone number

Answer 210

Sometimes referred to as the Digital Telephony Bill) lays out the duties of defined actors in the telecommunications industry to cooperate in the interception of communications for law enforcement and other needs relating to the security and safety of the public. It notably requires telecommunications carriers to design their products and services to ensure that they can carry out a lawful order to provide government access to communications

Answer 211

CALEA applies to “telecommunications carriers,” but not to other “information services.” As enacted, therefore, the law was interpreted not to apply to Internet services

Answer 212

The statute permits the federal government to share unclassified technical data with companies about how networks have been attacked and how successful defenses against such attacks have been carried out

Answer 213

- Authorization for a company to share or receive “cyber threat indicators” or “defensive measures.” - Requirement for company to remove personal info before sharing - Sharing info with federal gov't does not waive privileges - Shared info exempt from federal and state FOIA laws - Prohibition on gov't using shared info to regulate or take enforcement actions against lawful activities - Authorization for company’s monitoring and operating defensive measures - Protection from liability for monitoring activities

Answer 214

- For sharing to qualify for protections under CISA, the company’s actions must be done in accordance with certain requirements. - Ex./ a company intending to share a “cyber threat indicator” must first remove, or implement a “technical capacity” configured to remove, any information that is not directly related to a threat and that the company is aware at the time relates to a specific individual

Answer 215

Sharing information with the federal government does not waive privileges, such as attorney-client privilege. Importantly, there is no similar provision for sharing with state and local governments or other companies

Answer 216

Information shared pursuant to CISA is exempt from disclosure under FOIA, as well as under any state or local provisions “requiring disclosure of information or records

Answer 217

Information shared under CISA “shall not be used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any non-Federal entity or any activities taken by a non-Federal entity pursuant to mandatory standards, including activities related to monitoring, operating defensive measures, or sharing cyber threat indicators.” The information may be used, however, to develop or implement new cybersecurity regulations

Answer 218

According to the act, a company is authorized to “monitor” and “operate defensive measures” on its own information system—or, with written authorization, another party’s system— for cybersecurity purposes

Answer 219

Under CISA, the company is protected from liability for its monitoring activities. Note, however, that there is no corresponding liability protection for operating defensive measures

Answer 220

- Applies to disclosures by a variety of financial institutions, including banks, credit card companies and consumer finance companies - Applies only to requests from federal agencies, although over a dozen states have similar requirements - Applies to the financial records of individuals and partnerships of fewer than five people

Answer 221

RFPA states that “no Government authority may have access to or obtain copies of, or the info contained in the financial records of any customer from a financial institution unless the financial records are reasonably described” and meet at least 1 of these conditions: (1) The customer authorizes access (2) There is an appropriate administrative subpoena or summons (3) There is a qualified search warrant (4) There is an appropriate judicial subpoena (5) There is an appropriate formal written request from an authorized government authority

Answer 222

Provides an extra layer of protection for members of the media and media organizations from government searches or seizures in the course of a criminal investigation

Answer 223

- PPA was passed in the wake of the 1978 Supreme Court case of Zurcher v. Stanford Daily - PPA was drafted to respond to police physical searches of traditional newspaper facilities

Answer 224

- Police used a search warrant to look through a newspaper’s unpublished photographs of a demonstration - Lower courts found the search unlawful, saying that the government should have used less invasive methods than a full search of the newspaper’s premises - The Supreme Court, however, found that valid search warrants “may be used to search any property” where there is probable cause to believe that evidence of a crime will be found

Answer 225

To search or seize media work products or documentary materials “reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast or other similar form of public communication.” In practice, rather than physically searching a newsroom, “the PPA effectively forces law enforcement to use subpoenas or voluntary cooperation to obtain evidence from those engaged in First Amendment activities.”

Answer 226

PPA applies to government officers or employees at all levels of government. It applies only to criminal investigations, not to civil litigation. Several states provide additional protections

Answer 227

Violation can lead to penalties of a minimum of $1,000, actual damages and attorney’s fees

Answer 228

(1) If there is probable cause to believe that a reporter has committed or is in the process of committing a crime - This PPA exception does not apply if the member of the media’s only crime is possession, receipt or “communication of the work product itself (2) Other exceptions exist, such as to prevent death or serious injury or where there is reason to believe documents will be destroyed or concealed if the materials were requested through a subpoena

Answer 229

Federal appellate court in New York ruled that the SCA did not require the company to provide electronic evidence that was stored outside of the US, meaning the warrant was not valid for the contents of an email account that Microsoft stored overseas

Answer 230

- This interpretation, that a warrant could not compel production of electronic evidence held by a U.S. company outside the U.S., surprised some commentators - Until the Microsoft Ireland case (so called because the evidence at issue was housed by Microsoft in Ireland), leading email and social network services have been based in the U.S., so the U.S. government could gain evidence in law enforcement investigations by ordering production through the U.S. corporate headquarters

Answer 231

The court specifically left undecided the extent of the president’s power to conduct wiretaps without warrants “with respect to the activities of foreign powers, within or without this country.

Answer 232

The original FISA statute was passed during the Cold War, when a major target of national security efforts was to track the activities of agents of the Soviet Union and its allied foreign nation states - Ex./ foreign intelligence wiretaps could be used in connection with communications of the Soviet Embassy or people who worked there

Answer 233

- This statute gave legal authorization to some of the new surveillance practices, especially where one party to the communication is reasonably believed to be outside of the United States - Granted immunity to the telephone companies, so they would not be liable for the records they had provided to the government in the wake of 9/11 - The new rules also required more reporting from the government to Congress, and put limits on some of the secrecy about NSLs and other government requests for records in the national security realm

Answer 234

USA FREEDOM Act in 2015, which among multiple provisions ended bulk collection under the Section 215 program, and the Judicial Redress Act of 2016, which extends U.S. Privacy Act protections to certain non-U.S. persons

Answer 235

- The FBI sought the assistance of Apple to gain access to the encrypted phone of one of the assailants in the San Bernardino shooting. - The FBI obtained a court order requiring Apple to assist the government by creating a custom operating system that would disable key security features on the iPhone. - Apple filed a motion with the court asking it to reconsider its decision, expressing the company’s concern that complying with the order would result in building a backdoor into the encryption for all iPhones of that particular model phone - On one side, law enforcement sought info in a mass shooting, and they secured a warrant before proceeding. - On the other side, a preeminent technology company warned that its compliance with the order could weaken the technology that protects privacy around the world

Answer 236

The specific court case involving Apple ended when the FBI announced that it had gained access to the encrypted phone without the assistance of the company, but the debate about the government accessing encrypted data led to hearings and proposed legislation in Congress

Answer 237

Establishes standards and procedures for electronic surveillance that collects “foreign intelligence” within the United States FISA orders can issue when foreign intelligence gathering is “a significant purpose” of the investigation

Answer 238

For law enforcement cases, court orders issue based on probable cause of a crime; FISA orders instead issue on probable cause that the party to be monitored is a “foreign power” or an “agent of a foreign power.” FISA orders issue from a special court of federal district court judges, the Foreign Intelligence Surveillance Court (FISC)

Answer 239

FISA authorizes pen register and trap and trace orders (for phone numbers, email addresses, and other addressing and routing information) and orders for video surveillance

Answer 240

False. There is generally no disclosure after the fact to the target of a FISA wiretap as there is for law enforcement wiretaps

Answer 241

- Provides that a federal court order can require the production of “any tangible thing” for defined foreign intelligence and antiterrorism investigations - Recipients of such an order receive notice that they were forbidden from disclosing the existence or contents of the order

Answer 242

- Disclosure is permitted, however, to the persons necessary to comply with the order (such as employees who gather the records) and to an attorney for purposes of receiving legal advice - Production of the records in good faith provides immunity for such production

Answer 243

- The USA FREEDOM Act ended bulk collection conducted under Section 215 - Going forward, requests by government officials must be based upon specific selectors, such as a telephone number

Answer 244

Applies to collection of electronic communications that take place within the United States and only authorizes access to the communications of targeted individuals for listed foreign intelligence purposes

Answer 245

The basic structure of Section 702 is that the FISC must annually approve certifications by the director of national intelligence and the attorney general setting the terms for Section 702 surveillance

Answer 246

The government must have a foreign intelligence purpose to conduct the collection and a reasonable belief that the person is a non-U.S. citizen located outside of the United States

Answer 247

PRISM and Upstream

Answer 248

- The PRISM program became famous when it was publicly named in one of the first stories based on the Snowden documents. - The operation of PRISM resembles data requests made in other settings to service providers - In PRISM collection, acting under a Section 702 court order, the government sends a judicially approved and judicially supervised directive requiring collection of certain “selectors,” such as an email address

Answer 249

- Upstream targets Internet-based communications as they pass through physical Internet infrastructure located within the Unites States - Upstream is designed to only acquire Internet communications that contain a tasked selector - To do so, Upstream filters Internet transactions that pass through the Internet backbone to eliminate potential domestic transactions; these are then further screened to capture only transactions containing a tasked selector

Answer 250

An NSL is a category of subpoena that, prior to the PATRIOT Act in 2001, was used narrowly, only for certain financial and communication records of an agent of a foreign power, and only with approval of FBI headquarters

Answer 251

The PATRIOT Act expanded use of NSLs

Answer 252

- NSLs can be issued by authorized officials, often the special agent in charge of an FBI field office. - The precise language in the statutes varies, but NSLs generally can seek records relevant to protect against international terrorism or clandestine intelligence activities. - NSLs can be issued without any judicial involvement

Answer 253

- Recipients were allowed to disclose the request to those necessary to comply with the request and to an attorney for legal assistance - Recipients could also petition a court to modify or end the secrecy requirement - Breach of the confidentiality requirements, however, was treated as a serious offense, punishable by up to five years’ imprisonment and fines of up to $250,000 for an individual

Answer 254

an investigation closes, or no more than three years after the opening of a full investigation

Answer 255

A term used to describe the nearly ubiquitous collection of data about individuals from multitudinous sources, coupled with the low costs to store such data and the new data mining techniques used to draw connections and make predictions based on this collected information

Answer 256

On the positive side, Big Data provides the basis for modern analytics, and the significant insights that can be derived from such data

Answer 257

On the cautionary side, Big Data and modern analytics can be a difficult fit for the fair information privacy practices (FIPPs), sometimes called fair information practices (FIPs), because there may not be clear notice of how data is used, and advanced analytics may not be within the purposes the individual expected when the data was collected

Answer 258

The data analyzed by analytics programs, algorithms, machine learning, and other data mining techniques—the underpinnings of the term Big Data—are often gathered by devices collectively

Answer 259

- In 1965, Moore published a now-iconic article in which he observed that the number of transistors that would fit onto a circuit board doubled each year. - A decade after this publication, the principle, dubbed “Moore’s Law,” was tweaked to say that the number of transistors on a circuit board doubled every 18 to 24 months

Answer 260

Moore’s Law is a useful way to explain the development of two of the technological phenomena emerging at the time of the writing of this book—Big Data and IoT

Answer 261

(1) Velocity (how fast the data is coming in) - come directly from greater processing capability (2) Volume (the amount of data coming in) - come directly from greater processing capability (3) Variety (what different forms of data are being analyzed) - derived from the combination of network environments, draws from disparate sources as well as disparate capabilities that can be turned into more uniform categories of data

Answer 262

1. A robot may not injure a human being or, through inaction, allow a human being to come to harm” 2. A robot must obey orders given it by human beings except where such orders would conflict with the First Law 3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law

Answer 263

1. Robots should always reveal the basis of their decisions | 2. Robots must always reveal their identities

Answer 264

- The ACF software collects a tremendous amount of data, with granular financial information about tens of millions of customers - Data at this scale enables advanced analytics, with potentially great benefits to customers (higher return on investment) and the bank (greater profit per customer)

Answer 265

One tip for senior managers in implementing the comprehensive information plan is the “friends and family test”—would the managers feel comfortable if data on themselves and their family and friends were in the database, subject to possible breach? For instance, would managers at the bank feel comfortable with their own family’s data going into the ACF database? If not, that is a reason to take greater precautions

Answer 266

into the Data Protection Directive and the General Data Protection Regulation

Answer 267

into companies’ privacy policies, and violation of those policies can lead to enforcement under the Federal Trade Commission (FTC) Act or other statutes

Answer 268

(1) data minimization, to avoid privacy and security risks of Big Data where possible and (2) de-identification, to avoid privacy and security risks that arise when previously de-identified data can be re-identified

Answer 269

The principle of data minimization is a useful way to summarize why more data is not always better

Answer 270

Ex./ The employees doing data analytics often have no need to see the customers’ names and full account numbers—the analytics can proceed just as well without those data fields - Identifiers are not needed for many Big Data applications, so the benefits of analytics can be achieved while reducing the privacy and security risks - Similarly, data should be disposed of when no longer needed by the organization—proper disposal reduces the risk that a security or privacy breach will occur down the road because of paper left in a dumpster or records left on an old hard drive

Answer 271

“direct identifiers,” which are data that identify an individual with little or no additional effort. A phone number is an example of a direct identifier, because there are look-up services that provide the name for most phone numbers

Answer 272

- Pseudonymous data - De-identified data - Anonymous data

Answer 273

Information from which the direct identifiers have been eliminated. Indirect identifiers remain intact

Answer 274

Direct and known indirect identifiers have been removed

Answer 275

Direct and indirect identifiers have been removed or technically manipulated to prevent re-identification

Answer 276

This technique reduces the precision of disclosed data to reduce the certainty of individual identification. For example, date of birth is highly identifying (because a small portion of people are born on a particular day of a particular year), but year of birth is less identifying. Similarly, a broader set of years (such as 1971-1980, or 1981-1990) is less identifying than year of birth

Answer 277

This technique masks the original values in a data set with the goal of data privacy protection. One way this may be accomplished is to use perturbation—make small changes to the data while maintaining overall averages—to make it more difficult to identify individuals

Answer 278

This technique uses a mathematical approach to ensure that the risk to an individual’s privacy is not substantially increased as a result of being part of the database

Answer 279

then the FTC or state attorneys general may have a valid claim for a deceptive trade practice

Answer 280

Collecting consumer data from numerous sources, usually without consumers’ knowledge or consent; storing billions of data elements on nearly every U.S. consumer; analyzing data about consumers to draw inferences about them; and combining online and offline data to market to consumers online

Answer 281

(1) marketing (such as appending data to customer information that a marketing company already has), (2) risk mitigation (such as information that may reduce the risk of fraud) and (3) location of individuals (such as identifying an individual from partial information)

Answer 282

- FTC successfully brought an enforcement action against LeapLab for its “failure to protect data that was sold to a third party. - According to the FTC, LeapLab bought sensitive info, including Social Security numbers and bank account numbers, from payday loan websites and, acting as a data broker, sold the information to businesses that LeapLab knew had no legitimate use for the info >> LeapLab’s actions allowed scammers to steal millions of dollars from individuals’ accounts - Court issued an order in 2016 prohibiting LeapLab from continuing these business practices and $5.7 million money judgment against the business and its officers, but suspended the payment of the judgment based on sworn affidavits that the (D)s could not pay the amount

Answer 283

Examples of the benefits: - providing healthcare tailored to individual patients, - enhancing educational opportunities by tailoring the experience to the individual student, and - increasing equal access to employment Examples of risks: - exposing sensitive information; - reinforcing existing disparities; and - creating new justifications for exclusion

Answer 284

- The Fair Credit Reporting Act - The Equal Credit Opportunity Act - The Federal Trade Commission Act

Answer 285

(1) the devices interact with software running elsewhere (often in the cloud) and function autonomously and (2) when coupled with data analysis, the devices may take proactive steps and make decisions about or suggest next steps for users

Answer 286

(1) limited user interfaces in the products; (2) lack of industry experience with privacy and cybersecurity; (3) lack of incentives in the industries to deploy updates after products are purchased; and (4) limitations of the devices themselves, such as lack of effective hardware security measures

Answer 287

- Electronic devices that are worn on the body and collect data in real time - They range from headwear used by soldiers on the battlefield to wrist devices that check heart beats during exercise

Answer 288

- Right to forget: users are concerned that tracking data daily will make it difficult for them to get rid of documentation of actions that they would rather forget - Impact of location disclosure: users expressed concern that criminals might gain access to this information to track or stalk them. - Concern that screens will be read: users pointed out that many devices, such as smart watches, have a display that can be read by those who are near the user - Video and audio recording where those involved were unaware - Lack of control of the data - Automatic syncing with social media - Facial recognition

Answer 289

- Connected cars collect and transmit data about the vehicle, the driver’s driving habits, and the driver’s preferences - Ex. 1 / a vehicle that wirelessly alerts the dealership when tires need to be rotated - Ex. 2/ an app from a car insurance company that records braking habits - Ex. 3/ information may be transmitted from the car to the Internet from multiple sources, such as users’ phones, video systems, cameras, GPS systems, and entertainment centers

Answer 290

- Smart homes have multiple devices that are connected to the Internet to enhance the home environment experience - These devices are typically user controlled—a task that is often accomplished via a smartphone or another small electronic device

Answer 291

- Smart thermostats - Smart TVs - Communications systems - Security systems

Answer 292

- Smart cities is a term that primarily refers to municipalities and other government entities using sensors to monitor functions and improve government services - Ex./ a city could embed wireless sensors into existing lighting fixtures, then analyze this data to allow targeted law enforcement practices, improved parking efficiency and increased environmental monitoring

Answer 293

- Changing seams: from the seams between legacy and new infrastructure to those between urban and rural systems, these boundaries are moving or disappearing as systems are networked and upgraded. - Inconsistent adoption: factors such as user preferences, resource availability and scale of technological system will lead to inconsistent adoption. These inevitable inconsistencies will introduce security challenges for industry, gov't and people living w/ the technology. - Increased automation: although automation can reduce certain risks, removal of human interaction from many aspects of cyber-physical infrastructure has the potential to introduce new security challenges, including increasing the number of access points (and the possible attack vectors), cascading failures (where no humans are present to witness developing problems), and unintentional removal of manual overrides

Answer 294

(1) IoT devices should follow security and encryption best practices (2) For devices that can be customized by the users, the company should test the IoT devices in different possible configurations (3) IoT devices should be designed to facilitate automated, secure software updates (4) IoT devices should be secured by default by the inclusion of a password (5) IoT devices should be shipped originally with reasonably up-to-date software (6) IoT devices should be shipped with a privacy policy that is understandable and easy to find (7) IoT devices should communicate with restrictive rather than permissive protocols (8) IoT devices should continue to function if Internet connectivity is disrupted or if cloud back-up fails

Answer 295

- FTC alleged that TRENDnet failed to encrypt customer log-in credentials and failed to test consumers’ privacy settings - Hackers utilized these security vulnerabilities to post hundreds of live video feeds featuring babies sleeping in cribs and adults engaging in daily activities - The agency’s complaint resulted in an order requiring the company to bring its practices into line with FTC requirements and to establish its compliance by undergoing assessments every 2 years for the next 20 years

Answer 296

- Implement security by design, - Ensure personnel employ good security, - Engage in good vendor management practices, - Utilize a defense-in-depth approach where security measures are considered at several levels, - Implement reasonable access controls to ensure that access by unauthorized persons to a customer’s device is limited, and - Continue to monitor products throughout the device’s lifecycle, patching vulnerabilities when possible