CIPP / US Book - Part 2 Flashcards

Question 1

Q

Is there a private right of action available in telemarketing?

Answer

A

The tort of “intrusion on seclusion” imposes liability on “one who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns

Question 2

Q

To succeed in an intrusion on seclusion tort claim, the plaintiff must show that

Answer

A

With regard to a defendant who is a person, the intrusion would be highly offensive to a reasonable person. In contrast with intrusion tort requirements, telemarketing regulations in the United States address milder intrusions, which do not require a showing of “highly offensive” intrusion.

Question 3

Q

Who was the Telephone Consumer Protection Act of 1991 (TCPA) issued by?

Answer

A

The FCC issued regulations under the Telephone Consumer Protection Act of 1991 (TCPA)

Question 4

Q

Telephone Consumer Protection Act of 1991 (TCPA)

Answer

A

Place restrictions on unsolicited advertising by telephone and facsimile, and updated them in 2012 to address robocalls
The FCC has determined that these prohibitions encompass text messages

Question 5

Q

Who was the Telemarketing Sales Rule (TSR) issued by?

Answer

A

The FTC first issued its Telemarketing Sales Rule (TSR) in 1995, implementing the Telemarketing and Consumer Fraud and Abuse Prevention Act

Question 6

Q

How is telemarketing defined under the Telemarketing Sales Rule (TSR)?

Answer

A

A plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call

Question 7

Q

Who enforces the Do Not Call (DNC) Registry?

Answer

A

The FTC, the FCC and state attorneys general enforce the DNC Registry, which now contains over 220 million participating phone numbers—and is still growing

Question 8

Q

Consequences for violating DNC Registry?

Answer

A

Violations of the rule can lead to civil penalties of up to $40,654 per violation. In addition, violators may be subject to nationwide injunctions that prohibit certain conduct and may be required to pay redress to injured consumers

Question 9

Q

How often do sellers and telemarketers have to update their call lists?

Answer

A

every 31 days

Question 10

Q

How is the DNC registry accessed?

Answer

A

The registry is accessed via an automated website at www.telemarketing.donotcall.gov. Only sellers, telemarketers and their service providers may access the registry

Question 11

Q

How is the DNC registry accessed for sellers?

Answer

A

Each seller must establish a profile by providing identifying information about the organization. The seller then receives a unique Subscription Account Number (SAN) upon payment of the appropriate fee

Question 12

Q

How is the DNC registry accessed for telemarketers?

Answer

A

Telemarketers accessing the registry on behalf of seller-clients are required to identify the seller-clients and provide the seller-client’s unique SAN. (Telemarketers access the registry, at no cost, through the use of their seller-client’s unique SANs. Their access is limited to the area codes requested and paid for by the seller-client.)

Question 13

Q

What is considered a violation of the DNC registry?

Answer

A

It is a violation of the TSR to place any call to a consumer (absent an exception) unless the registry is checked. In other words, even a call to a consumer whose phone number is not on the registry is a violation of the TSR if the registry was not checked prior to the call

Question 14

Q

DNC rules do not apply to:

Answer

A

Nonprofits calling on their own behalf
Calls to customers with an existing relationship within the last 18 months
Inbound calls, provided that there is no “upsell” of additional products or services
Most business-to-business calls

Question 15

Q

Existing Business Relationship Exception

Answer

A

Sellers (and telemarketers calling on their behalf) may call a consumer with whom a seller has an established business relationship (EBR), provided the consumer has not asked to be on the seller’s entity-specific DNC list

Question 16

Q

What is required for an existing business relationship exception?

Answer

A

An EBR exists w/ a customer if the consumer has purchased, rented or leased the seller’s goods or services (or completed a financial transaction with the seller) within 18 months preceding a telemarketing call.
- The 18-month period runs from the date of the last payment, transaction or shipment between the consumer and the seller.
An EBR exists with a prospect if the consumer has made an application or inquiry regarding the seller’s goods and services. This EBR runs for 3 months from the date of the person’s inquiry or application

Question 17

Q

TSR: Exception Based on Consent

What are the requirements for consent?

Answer

A

The TSR allows sellers and telemarketers to call consumers who consent to receive such calls. This consent must be in writing, must state the number to which calls may be made and must include the consumer’s signature. (A valid electronic signature is acceptable.)

Question 18

Q

TSR: what is required for a seller or telemarketer to meet the consent requirements?

Answer

A

The seller’s request for consent must be “clear and conspicuous.”
If in writing, the request “cannot be hidden; printed in small, pale, or noncontrasting type; hidden on the back or bottom of the document; or buried in unrelated information where a person would not expect to find such a request.”
If online, the “please call me” button may not be prechecked

Question 19

Q

The Do Not Call Safe Harbor

Answer

A

The TSR has a “DNC Safe Harbor” that sellers and telemarketers can use to reduce the risk of liability
This DNC Safe Harbor provides an important protection for sellers and telemarketers because violations of the TSR can result in civil penalties, as of the writing of this book, of up to $40,654 per call

Question 20

Q

What are the requirements for the Do Not Call Safe Harbor?

Answer

A

Seller or telemarketer has established and implemented written procedures to honor consumers’ requests that they not be called
Seller or telemarketer has trained its personnel, and any entity assisting in its compliance, in these procedures
Seller, telemarketer, or someone else acting on behalf of the seller . . . has maintained and recorded an entity-specific Do Not Call list,
Seller or telemarketer uses, and maintains records documenting, a process to prevent calls to any telephone number on an entity-specific Do Not Call list or the - National Do Not Call Registry. This, provided that the latter process involves using a version of the National Registry from the FTC no more than 31 days before the date any call is made
Seller, telemarketer, or someone else acting on behalf of the seller. . . monitors and enforces compliance with the entity’s written Do Not Call procedures, [then]
The call is a result of error

Question 21

Q

The TSR requires covered organizations to:

Answer

A

R DISC RCDC
- Retain records for at least 24 hours

Display caller ID information
Identify themselves and what they are selling
Screen and scrub names against the national DNC list
Call only between 8 a.m. and 9 p.m.
Respect requests to call back
Comply with special rules for automated dialers
Disclose all material information and terms
Comply with special rules for prizes and promotions

Question 22

Q

TSR and preemption

Answer

A

Neither the TSR nor the FCC rules preempt state law. As the FTC notes, compliance is required both of “telemarketers,” entities that initiate or receive telephone calls to or from consumers, and “sellers,” the entities that provide or arrange to provide the goods and services being offered

Question 23

Q

Entity-Specific Suppression Lists

Answer

A

TSR prohibits any seller (or telemarketer calling on the seller’s behalf) from calling any consumer who has asked not to be called again. Sellers and telemarketers are required to maintain internal suppression lists to respect these DNC requests
TSR does provide some latitude for companies that have distinct corporate divisions. In general, such divisions are considered separate sellers under the rule

Question 24

Q

The FTC specifies two factors that should be used to determine whether DNC requests should be shared among divisions:

Answer

A

(1) whether there is substantial diversity between the operational structure of the divisions and
(2) whether the goods or services sold by the divisions are substantially different from each other

If a consumer tells one division of a company not to call again, a distinct corporate division of the same company may still make calls to that consumer

Question 25

Q

The TSR requires that, at the beginning of the call, before delivering any sales content, telemarketers disclose:

Answer

A

(1) The identity of the seller
(2) That the purpose of the call is to sell goods or services (must be honest&raquo_space; name all purposes)
(3) The nature of those goods or services
(4) In the case of a prize promotion, that no purchase or payment is necessary to participate or win, and that a purchase or payment does not increase the chances of winning

Question 26

Q

TSR: Misrepresentations and Material Omissions

Answer

A

TSR prohibits misrepresentations during the sales call. Telemarketers must provide accurate and complete information about the products and services being offered.
They may not omit any material facts about the products or services

Question 27

Q

There are ten broad categories of information that must always be disclosed:

Answer

A

CRAMP CNDM

Cost and quantity
Refund, repurchase or cancellation policies
Affiliations, endorsements, or sponsorships
Material restrictions, limitations, or conditions
Performance, efficacy, or central characteristics
Credit card loss protection
Negative option features
Debt relief services
Material aspects of prize promotions and investment opportunities

Question 28

Q

TSR: Transmission of Caller ID Information

Answer

A

TSR requires entities that make telemarketing calls to transmit accurate call identification information so that it can be presented to consumers with caller ID services

Question 29

Q

TSR: Transmission of Caller ID Information - substitution

Answer

A

Each telemarketer may transmit its own name and phone number, or it may substitute the name of the seller on whose behalf the telemarketer is making the call. The telemarketer may also substitute the seller’s customer-service telephone number for its number, provided that the seller’s number is answered during normal business hours

Question 30

Q

TSR: Transmission of Caller ID Information - what if the called ID information does not reach the consumer?

Answer

A

Telemarketers are not liable if, for some reason, caller ID information does not reach a consumer, provided that the telemarketer has arranged with its carrier to transmit this information in every call
The FTC guidance states that “telemarketers who can show that they took all available steps to ensure transmission of Caller ID information in every call will not be liable for isolated inadvertent instances when the Caller ID information fails to make it to the consumer’s receiver

Question 31

Q

TSR: Prohibition on Call Abandonment

Answer

A

TSR expressly prohibits telemarketers from abandoning an outbound telephone call with either “hang-ups” or “dead air.”
Under the TSR, an outbound telephone call is “abandoned” if a person answers it and the telemarketer does not connect the call to a live sales representative within two seconds of the person’s completed greeting

Question 32

Q

TSR: Prerecorded messages

Answer

A

The use of prerecorded-message telemarketing, where a sales pitch begins with or is made entirely by a prerecorded message, also violates the TSR because the telemarketer is not connecting the call to a live sales representative within 2 seconds of the called person’s completed greeting

Question 33

Q

TSR: when are prerecorded messages allowed?

Answer

A

For a company to use prerecorded sales messages, it must have the prior express consent (opt-in) of the consumer

Question 34

Q

TSR: Abandonment Safe Harbor

Answer

A

According to the FTC guidance, the abandoned call Safe Harbor provides that a telemarketer will not face enforcement action for violating the call abandonment prohibition if the telemarketer:

(1) Uses technology that ensures abandonment of no more than 3 percent of all calls answered by a live person, measured per day per calling campaign
(2) Allows the telephone to ring for 15 seconds or four rings before disconnecting an unanswered call
(3) Plays a recorded message stating the name and telephone number of the seller on whose behalf the call was placed whenever a live sales representative is unavailable within two seconds of a live person answering the call
(4) Maintains records documenting adherence to the preceding three requirements

Question 35

Q

TSR: To take advantage of the Safe Harbor, a telemarketer must first ensure that a live representative takes ______

Answer

A

To take advantage of the Safe Harbor, a telemarketer must first ensure that a live representative takes at least 97 percent of the calls answered by consumers

Question 36

Q

TSR: Under the safe harbor rule, how long must a telemarketer let the phone ring?

Answer

A

The Safe Harbor also requires the telemarketer to let the phone ring at least four times (or for 15 seconds). This requirement is designed to ensure that consumers have sufficient time to answer a call.

Question 37

Q

For the small number of calls that are abandoned, the TSR’s Safe Harbor requires the telemarketer to play a ________, consisting of the company’s name and phone number and a statement that the call was for telemarketing purposes. This recorded message may not contain ______

Answer

A

For the small number of calls that are abandoned, the TSR’s Safe Harbor requires the telemarketer to play a recorded greeting, consisting of the company’s name and phone number and a statement that the call was for telemarketing purposes. This recorded message may not contain a sales pitch

Question 38

Q

TSR: Under the safe harbor rule, must telemarketers keep the recordings of calls?

Answer

A

Yes, telemarketers must keep records that demonstrate its compliance with the other Safe Harbor provisions

The records must demonstrate both that the per-day, per-campaign abandonment rate has not exceeded three percent and that the ring time and recorded message requirements have been met

Question 39

Q

TSR: If preacquired account information is used in connection with a free-to-pay conversion offer, the telemarketer must:

Answer

A

Obtain from the customer at least the last four digits of the account number to be charged
Obtain the customer’s express agreement to be charged for the goods or services using the account number for which the customer has provided at least the last four digits
Make and maintain an audio recording of the entire telemarketing transaction

Question 40

Q

In 2012, the FCC revised its Telephone Consumer Protection Act (TCPA) rules governing prerecorded calls (robocalls) and the use of automatic telephone dialing systems (autodialers) to reconcile its rules with the ______

Answer

A

In 2012, the FCC revised its Telephone Consumer Protection Act (TCPA) rules governing prerecorded calls (robocalls) and the use of automatic telephone dialing systems (autodialers) to reconcile its rules with the TSR

Question 41

Q

Business relationship exemption with respect to robocalls - can it end?

Answer

A

Now, even if a company has an established business relationship with a consumer, it is required to receive “prior express written consent” for all robocalls to residential lines.
Second, the rules include a provision that allows consumers to “opt out of future robocalls during a robocall.”

Question 42

Q

The call abandonment rate for robocalls requirements

Answer

A

In addition, the revisions increase harmonization with the FTC’s rules to require “assessment of the call abandonment rate to occur during a single calling campaign over a 30-day period, and if the single calling campaign exceeds a 30-day period, we require that the abandonment rate be calculated each successive 30-day period or portion thereof during which the calling campaign continues

Question 43

Q

Robocalls to residential lines made by healthcare-related entities governed by HIPAA

Answer

A

are exempt from the above requirements

Question 44

Q

Robocalls vs. robotexts sent

Answer

A

FCC issued an order explicitly stating that text messages sent to wireless devices are subject to the same consumer protections as voice calls under the TCPA.
This means that the TCPA prohibits companies from sending text messages via equipment that sends the messages without human intervention, known as “robotexts”—absent express consent

Question 45

Q

FCC’s guidance on robotexts include:

Answer

A

(1) consent can be revoked by the consumer at any time by any reasonable means,
(2) the mere fact that a consumer’s wireless number appears in the contact list of another wireless customer is not sufficient to establish consent and
(3) when a caller has consent for a wireless number and the number has been reassigned, the caller is not liable for the first call but will be liable for subsequent calls if the new consumer makes the caller aware of the change

Question 46

Q

TSR: record-keeping requirements

Answer

A

In general, the following records must be maintained for 2 years from the date that the record is produced:

Advertising and promotional materials
Information about prize recipients
Sales records
Employee records
All verifiable authorizations or records of express informed consent or express agreement

Question 47

Q

TSR: record-keeping requirements for sales records

Answer

A

Sales records must include:

(1) the name and last known address of each customer,
(2) the goods or services purchased,
(3) the date the goods or services were shipped or provided and
(4) the amount the customer paid for the goods or services

Question 48

Q

TSR: record-keeping requirements for all former and current employees involved in telephone sales

Answer

A

(1) the name (and any fictitious name used),
(2) the last known home address and telephone number and
(3) the job title(s) of each employee.

Additionally, if fictitious names are used by employees, the TSR also requires that each fictitious name be traceable to a specific employee

Question 49

Q

Consequences for violations of the TSR

Answer

A

Violations of the TSR are currently punishable by civil penalties of up to $40,654 per call. The FCC and state attorneys general also actively enforce their counterpart regulations. Additionally, some states have their own versions of telemarketing sales rules that carry additional penalties and may have different requirements

Question 50

Q

Fax marketing

Who was it enforced by?
What does it require?

Answer

A

TCPA, enforced by the FCC, prohibits unsolicited commercial fax transmissions

Question 51

Q

Consequences for violating fax marketing rules?

Answer

A

Penalties include a private right of action and statutory damages of up to $500 per fax

Question 52

Q

Origin of Junk Fax Prevention Act (JFPA)

Answer

A

In 2005, Congress passed the Junk Fax Prevention Act (JFPA) in part to clarify whether consent was required for commercial faxing

Question 53

Q

Junk Fax Prevention Act (JFPA)

Answer

A

Provides that consent can be inferred from an EBR, and it permits sending of commercial faxes to recipients based on an EBR, as long as the sender offers an opt-out in accordance with the act

Question 54

Q

Some states have enacted their own laws regulating unsolicited commercial fax transmissions, such as

Answer

A

Notably, California attempted to eliminate the TCPA’s EBR exception with legislation applicable to unsolicited faxes sent to or from a fax machine located within the state. The law, however, was declared unconstitutional when applied to interstate fax transmissions due to the TCPA’s preemption of interstate regulation

Question 55

Q

What does the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act cover?

Answer

A

The law covers the transmission of commercial email messages whose primary purpose is advertising or promoting a product or service

Question 56

Q

Who does the CAN-SPAM Act apply to?

Answer

A

The act applies to anyone who advertises products or services by electronic mail directed to or originating from the United States

Question 57

Q

Why was the CAN-SPAM Act created?

Answer

A

CAN-SPAM was never intended to eliminate all unsolicited commercial email, but rather to provide a mechanism for legitimate companies to send emails to prospects and respect individual rights to opt-out of unwanted communications

Question 58

Q

Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act

Answer

A

A law that created the rules of the road for how legitimate organizations send emails, including clear identification of the sender and a simple unsubscribe or opt-out

Question 59

Q

CAN-SPAM Act requires

Answer

A

Requires commercial emails to contain a functioning, clearly and conspicuously displayed return email address that allows the recipient to contact the sender
Requires all commercial emails to include clear and conspicuous notice of the opportunity to opt-out along with a cost-free mechanism for exercising the opt-out, such as by return email or by clicking on an opt-out link
Requires all commercial email to include (1) clear and conspicuous identification that the message is a commercial message (unless the recipient has provided prior affirmative consent to receive the email) and (2) a valid physical postal address of the sender (which can be a post office box)
Requires all commercial email containing sexually oriented material to include a warning label (unless the recipient has provided prior affirmative consent to receive the email)

Question 60

Q

CAN-SPAM Act prohibits

Answer

A

Prohibits false or misleading headers
Prohibits deceptive subject lines
Prohibits sending commercial email (following a grace period of 10 business days) to an individual who has asked not to receive future email
Prohibits “aggravated violations” relating to commercial emails such as (1) address-harvesting and dictionary attacks, (2) the automated creation of multiple email accounts and (3) the retransmission of commercial email through unauthorized accounts

Question 61

Q

Consequences for violating the CAN-SPAM Act?

Answer

A

CAN-SPAM is enforced primarily by the FTC and carries penalties of fines of up to $40,654 per violation.

In addition, deceptive commercial email is subject to laws banning false or misleading advertising
FTC has the authority to issue regulations implementing the CAN-SPAM Act and did so in 2008 to clarify a number of statutory definitions

Question 62

Q

CAN-SPAM distinguishes commercial email messages from “transactional or relationship messages,” which are

Answer

A

messages whose primary purpose is to:

Facilitate or confirm an agreed-upon commercial transaction
Provide warranty or safety information about a product purchased or used by the recipient
Provide certain information regarding an ongoing commercial relationship
Provide information related to employment or a related benefit plan
Deliver goods or services to which the recipient is entitled under the terms of an agreed-upon transaction

Question 63

Q

How did the CAN-SPAM Act change the “from” in the subject line?

Answer

A

The FTC issued a regulation in 2008 clarifying that the entity identified in the “from” line can generally be considered the single sender as long as there is compliance with the other provisions of CAN-SPAM

Question 64

Q

CAN -SPAM was amended in 2008 providing more clarity - what did it clarify?

Answer

A

(1) the “from” in the subject line
(2) a prohibition on having the email recipient pay a fee to opt-out,
(2) the definition of “valid physical postal address” and
(3) the application of the term person to apply beyond natural persons

Answer 65

A

FTC and other federal regulators, along with state attorneys general and other state officials

Answer 66

A

Yes, Violators for injunctive relief and monetary damages
Unlike some state spam laws that are now preempted, the act does not provide for a right of action for other parties
For those authorized to sue, the act provides for injunctive relief and damages up to $250 per violation, with a maximum award of $2 million

Answer 67

A

For those authorized to sue, the act provides for injunctive relief and damages up to $250 per violation, with a maximum award of $2 million. The act further provides that a court may increase a damage award up to three times the amount otherwise available in cases of willful or aggravated violations. Certain egregious conduct is punishable by up to five years imprisonment

Answer 68

A

A federal judge shut down a company called 3FN based on the FTC’s allegations that it had knowingly distributed spam and malware as well as hosted illegal content, such as child pornography

Answer 69

A

CAN-SPAM preempts most state laws that restrict email communications
Although state spam laws are not superseded by CAN-SPAM to the extent such laws prohibit false or deceptive activity

Answer 70

A

Mobile service commercial messages (MSCMs): “a commercial electronic mail message that is transmitted directly to a wireless device that is utilized by a subscriber of a commercial mobile service.”
The message must have (or utilize) a unique electronic address that includes “a reference to an Internet domain.”

Answer 71

A

The FCC rule defers to the FTC rules and interpretation regarding the definitions of “commercial” and “transactional” (with respect to the mail messages) as well as the mechanisms for determining the “primary purpose” of messages. Accordingly, the FCC rule must be analyzed in the context of the FTC regulatory framework for the CAN-SPAM Act

Answer 72

A

The CAN-SPAM Act prohibits senders from sending any MSCMs without the subscriber’s “express prior authorization”

Answer 73

A

Express prior authorization must be “express”&raquo_space; consumer has taken an affirmative action to give “the entity that is being authorized to send the MSCMs.
- FCC rule prohibits any sender from sending MSCMs on behalf of other third parties, including affiliates and marketing partners
Authorization may be obtained in any format, oral or written, including electronic
- FCC requires that each sender of MSCMs must document authorization and be able to demonstrate that a valid authorization (meeting all the other requirements) existed prior to sending the commercial message.
- The burden of proof rests w/ the sender
With regard to revocations, senders must enable consumers to revoke authorizations using the same means the consumers used to grant authorizations. (Ex./ if a consumer authorizes MSCMs electronically, the company must permit the consumer to revoke the authorization electronically.)
MSCMs themselves must include functioning return email addresses or another Internet-based mechanism that is clearly and conspicuously displayed for the purpose of receiving opt-out requests.
- Consumers must not be required to view or hear any further commercial content during the opt-out process (other than institutional identification).
The FCC rule maintains the CAN-SPAM–mandated 10-business-day grace period following a revoked authorization, after which messages cannot be sent.

Answer 74

A

To help senders of commercial messages determine whether those messages might be MSCMs (rather than regular commercial email), the FCC has created a registry of wireless domain names (available on the FCC website). It is updated on a periodic basis, as new domains are added

Answer 75

A

Senders are responsible for obtaining this list and ensuring that the appropriate authorizations exist before sending commercial messages to addresses within the domains

Answer 76

A

According to the FCC guidance, messages that are not sent to an address for a wireless device, but are only forwarded to a wireless device, are not subject to FCC rules on MSCMs

Answer 77

A

The providers are also responsible for updating information on the domain name list to the FCC within 30 days before issuing any new or modified domain names.

Answer 78

A

The statute imposed new restrictions on the access, use and disclosure of customer proprietary network information (CPNI)

Answer 79

A

Section 222 of the act governs the privacy of customer information provided to and obtained by telecommunications carriers. Prior to the act, carriers were permitted to sell customer data to third-party marketers without consumer consent

Answer 80

A

CPNI is information collected by telecommunications carriers related to their subscribers. This includes subscription information, services used, and network and billing information as well as phone features and capabilities. It also includes call log data such as time, date, destination and duration of calls. Certain PI such as name, telephone number and address is not considered CPNI

Answer 81

A

Telecommunications carriers and voice-over-Internet protocol (VoIP) providers that are interconnected with telephone service

Answer 82

A

The Act imposes requirements on carriers to limit access, use and disclosure of CPNI. Specifically, carriers can use and disclose CPNI only with customer approval or “as required by law.”
However, carriers do not need approval to use, disclose or provide marketing offerings among service categories that customers already subscribe to
Carriers can also use CPNI for billing and collections, fraud prevention, customer service and emergency services

Answer 83

A

The Tenth Circuit found that the opt-in requirement violated the First Amendment speech rights of the carriers. Thus, the standard shifted to an opt-out system for carriers’ own use of CPNI

Answer 84

A

The 2007 CPNI order requires customers to expressly consent, or opt in, before carriers can share their CPNI with joint venture partners and independent contractors for marketing purposes

Answer 85

A

1st. Carriers must notify law enforcement when CPNI is disclosed in a security breach within seven business days of that breach
2nd. Customers must provide a password before they can access their CPNI via telephone or online account services

Answer 86

A

The Cable Communications Policy of 1984 regulates the notice a cable television provider must furnish to customers, the ability of cable providers to collect PI, the ability of cable providers to disseminate PI and the retention and destruction of PI by cable television providers

Answer 87

A

The Act provides a private right of action for violations of the aforementioned provisions, and allows for actual or statutory damages, punitive damages and reasonable attorney’s fees and court costs

Answer 88

A

The act does not regulate the provision of broadband Internet services via cable because the act defines a “cable service” as “one-way transmission to subscribers of . . . video programming or . . . other programming service, and . . . subscriber interaction, if any, which is required for the selection or use of such video programming or other programming service

Answer 89

A

give subscribers a privacy notice that “clearly and conspicuously” informs subscribers of: (1) the nature of the PI collected, (2) how such information will be used, (3) the retention period of such information and (4) the manner by which a subscriber can access and correct such information

Answer 90

A

The “written or electronic consent” of the subscriber, unless the disclosure is subject to a specified exception

Answer 91

A

Disclosures may be made:

(1) to the extent necessary to render services or conduct other legitimate business activities,
(2) subject to a court order with notice to the subscriber or
(3) if the disclosure is limited to names and addresses and the subscriber is given an option to opt-out

Answer 92

A

The act applies to “video tape service providers,” who are defined as anyone “engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” as well as individuals who receive PI in the ordinary course of a videotape service provider’s business or for marketing purposes

Answer 93

A

The act applies to “video tape service providers,” who are defined as anyone “engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” as well as individuals who receive PI in the ordinary course of a videotape service provider’s business or for marketing purposes

Answer 94

A

Videotape service providers are prohibited from disclosing customer PI unless an enumerated exception applies

Answer 95

A

(1) is made to the consumer themselves;
(2) is made subject to the contemporaneous written consent of the consumer;
(3) is made to law enforcement pursuant to a warrant, subpoena or other court order;
(4) includes only the names and addresses of consumers;
(5) includes only names, addresses and subject matter descriptions and the disclosure is used only for the marketing of goods or services to the consumers;
(6) is for order fulfillment, request processing, transfer of ownership or debt collection; or
(7) is pursuant to a court order in a civil proceeding and the consumer is granted a right to object

Answer 96

A

The act requires that PI be destroyed “as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to such information”

Answer 97

A

It affords a private right of action for violations and allows for actual or statutory damages, punitive damages, and reasonable attorney’s fees and court costs.
Statutory damages are set at $2,500.
Cases against Blockbuster, Netflix, and Redbox, suggest that the private right of action extends only to disclosure-related violations and not violations based merely on improper retention

Answer 98

A

The VPPA does not preempt more protective state laws, which may give rise to stricter penalties

Answer 99

A

Allowed for one-time consumer consent that was valid for up to two years, replacing the contemporaneity requirement

Answer 100

A

Digital Advertising Alliance (DAA) Self-Regulatory Principles for Online Behavioral Advertising and
The Network Advertising Initiative (NAI) Code of Conduct

Answer 101

A

A nonprofit organization that collaborates with businesses, public policy groups and public officials to establish and enforce “responsible privacy practices across industry for relevant digital advertising, providing consumers with enhanced transparency and control

Answer 102

A

A nonprofit self-regulatory association comprised exclusively of third-party digital advertising companies.
The NAI Code of Conduct is a list of self-regulatory principles that all NAI members agree to uphold.
The Code requires notice and choice with respect to interest-based advertising, limits on the types of data that member companies can use for advertising purposes, and a number of substantive restrictions on member companies’ collection, use, and transfer of data used for online behavioral advertising

Answer 103

A

An important effect of the reclassification is that broadband Internet providers also became subject to other requirements of the Telecommunications Act of 1996, notably including the CPNI privacy requirements in Section 222

Answer 104

A

(1) required customer opt-in for uses of sensitive personal information,
(2) allowed the use of customer opt-out for uses not involving sensitive personal information and
(3) permitted inferred customer consent for providing the underlying services and related uses

Answer 105

A

Amended by Assembly Bill 370; these amendments, which required privacy policies to include information on how the operator responds to Do Not Track signals or similar mechanisms.
The law also requires privacy policies to state whether third parties can collect PII about the site’s users

Answer 106

A

The categories of PII collected through the site
The categories of third-party entities with whom the operator may share PII or other content
How the operator responds to web browsers’ Do Not Track signals or other mechanisms that provide consumers the ability to choose regarding collection of PII about an individual consumer’s online activities overs time and across third-party websites
Whether other parties may collect PII about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website

Answer 107

A

The U.S. Const. has signiﬁcant workplace privacy provisions that apply to the federal and state governments, but it does not affect private-sector employment
The 4th Amendment prohibits unreasonable searches and seizures by state actors Courts have interpreted this amendment to place limits on the ability of government employers to search employees’ private spaces, such as lockers and desks.
Some states, including California, have extended their constitutional rights to privacy to private-sector employees

Answer 108

A

The most important contracts concerning employee privacy are collective bargaining agreements

Answer 109

A

intrusion on seclusion
publicity given to private life
defamation

Answer 110

A

One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person

Answer 111

A

One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person and (b) is not of legitimate concern to the public

Answer 112

A

So to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.

Answer 113

A

HIPAA contains privacy and security rules that regulate “protected health information” for health insurers, including self-funded health plans.
COBRA requires qualiﬁed health plans to provide continuous coverage after termination to certain beneﬁciaries.
The Employee Retirement Income Security Act (ERISA) ensures that employee beneﬁts programs are created fairly and administered properly
The Family and Medical Leave Act (FMLA) entitles certain employees to unpaid leave in the event of birth or illness of self or a family member

Answer 114

A

Fair Credit Reporting Act (FCRA) regulates the use of “consumer reports” obtained from consumer reporting agencies (CRAs) in reference checking and background checks of employees
Fair Labor Standards Act (FLSA) establishes the minimum wage and sets standards for fair pay
Occupational Safety and Health Act (OSHA) regulates workplace safety
Whistleblower Protection Act protects federal employees and applicants for employment who claim to have been subjected to personnel actions because of whistleblowing activities
National Labor Relations Act (NLRA) sets standards for collective bargaining, which also applies in social media communications
Immigration Reform and Control Act (IRCA) requires employment eligibility veriﬁcation
Securities Exchange Act of 1934 requires disclosures about payment and other information about senior executives of publicly traded companies, as well as registration requirements for market participants such as broker-dealers and transfer agents

Answer 115

A

The Employee Polygraph Protection Act of 1988, which limits employer use of lie detectors
Electronic surveillance laws, including the Wiretap Act, the Electronic Communications Privacy Act and the Stored Communications Act (SCA)

Answer 116

A

U.S. Department of Labor
The Equal Employment Opportunity Commission (EEOC)
Federal Trade Commission (FTC)
The Consumer Financial Protection Bureau (CFPB)
The National Labor Relations Board (NLRB)

Answer 117

A

Oversees the welfare of job seekers, wage earners, and retirees of the US by improving their working conditions, advancing their opportunities for proﬁtable employment, protecting their retirement and health care beneﬁts, helping employers ﬁnd workers, strengthening free collective bargaining, and tracking changes in employment, prices, and other national economic measurements
To achieve this mission, the department administers a variety of federal laws, FLSA, OSHA and ERISA

Answer 118

A

Works to prevent discrimination in the workplace
The EEOC oversees many laws, including Title VII of the Civil Rights Act, the Age Discrimination in Employment Act of 1967 (ADEA) and Titles I and V of the Americans with Disabilities Act of 1990 (ADA)

Answer 119

A

Both the FTC and the CFPB regulate unfair and deceptive practices and enforce a variety of laws, including the FCRA, which limits employers’ ability to receive an employee’s or applicant’s credit report, driving records, criminal records and other consumer reports obtained from a CRA

Answer 120

A

Administers the National Labor Relations Act. The board conducts elections to determine if employees want union representation and investigates and remedies unfair labor practices by employers and unions

Answer 121

A

Before employment, employers should consider rules and best practices about background screening, including rules for accessing employee information under the FCRA

Answer 122

A

During employment, major topics include polygraphs and psychological testing; substance testing; employee monitoring, including of phone calls and emails; and emerging issues such as social network monitoring and “bring your own device (BYOD)”

Answer 123

A

After employment, the main issues are terminating access to physical and informational assets, and proper human resources practices post-employment

Answer 124

A

True. Employment laws in the United States often provide employers with more discretion than laws in the EU and other countries in the handling of personal information

Answer 125

A

The terrorist attacks of September 11, 2001, resulted in heightened attention to security issues and support for more stringent identity-veriﬁcation requirements
Greater attention to child abuse and abductions has led to laws in almost every state requiring criminal background checks for people who work with children
Business governance scandals, such as those at Enron and WorldCom, spurred passage of the Sarbanes-Oxley Act in 2002, which has increased the incentives for corporate leaders to scrutinize practices in the areas they manage
The rapid increase of information about candidates from online search and social media sites has made background checks easier

Answer 126

A

Typically, anyone who works with the elderly, children or the disabled must now undergo background screening.
The federal National Child Protection Act authorizes state ofﬁcials to access the Federal Bureau of Investigation’s National Crime Information Center database for some positions that involve contact with children.
Many state and federal gov’t jobs require rigorous background checks to obtain a security clearance

Answer 127

A

denying employment based on criminal convictions, to ensure that their requirements are job related and consistent with business necessity

Answer 128

A

Title VII of the Civil Rights Act of 1964 bars discrimination in employment due to race, color, religion, sex and national origin.
The Equal Pay Act of 1963 bars wage disparity based on sex.
The Age Discrimination Act bars discrimination against individuals over 40
The Pregnancy Discrimination Act bars discrimination due to pregnancy, childbirth and related medical conditions
ADA bars discrimination against qualiﬁed individuals with disabilities
GINA
The Bankruptcy Act provision 11 U.S.C. § 525(b) prohibits employment discrimination against persons who have ﬁled for bankruptcy. There is some ambiguity, however, as to whether the statute applies to discrimination prior to the extension of an offer of employment, and courts have read the statute both ways

Answer 129

A

. . .about current or intended pregnancy under the Pregnancy Discrimination Act, about age under the Age Discrimination Act, or about disability under the Americans with Disabilities Act (ADA)

Answer 130

A

For instance, the company faces a greater risk of pregnancy or sex discrimination claims if women—but not men—are asked about how long they expect to stay on the job

Answer 131

A

Created important restrictions on medical screening of candidates before employment.
The law forbids employers with 15 or more employees from discriminating against a “qualiﬁed individual with a disability because of the disability of such individual,” and speciﬁcally covers “medical examinations and inquiries” as grounds for discrimination

Answer 132

A

(1) all entering employees are subjected to such an examination regardless of disability,
(2) conﬁdentiality rules are followed for the results of the examination and
(3) the results are used only in accordance with the statutory prohibitions against discrimination on the basis of disability

Answer 133

A

ADA requires an employer to provide reasonable accommodation to qualiﬁed individuals who are employees or applicants for employment, unless to do so would cause undue hardship

Answer 134

A

ADA does not cover the use of drugs or alcohol, although it does cover questions about recovered drug addicts and alcoholics

Answer 135

A

Most importantly, the ADAAA legislatively overturned two U.S. Supreme Court cases under which ADA claims were frequently rejected: Sutton v. United Air Lines and Toyota v. Williams

Answer 136

A

In Sutton, the court held that pilots with severe myopia—but correctable with glasses—did not have a disability under the ADA because a “‘disability’ exists only where an impairment ‘substantially limits’ a major life activity, not where it ‘might,’ ‘could,’ or ‘would’ be substantially limiting if mitigating measures were not taken”

Answer 137

A

Toyota further limited the scope of the ADA, rejecting a claim that carpal tunnel syndrome limited a worker’s ability to work with power tools, holding that “an individual must have an impairment that prevents or severely restricts the individual from doing activities that are of central importance to most people’s daily lives. The impairment’s impact must also be permanent or long-term”

Answer 138

A

a “permissible purpose” exists

Answer 139

A

(1) preemployment screening for the purpose of evaluating the candidate for employment and
(2) determining if an existing employee qualiﬁes for promotion, reassignment or retention

Answer 140

A

The FCRA also permits employers to obtain an “investigative consumer report” on the applicant if a permissible purpose exists

Answer 141

A

Provide written notice to the applicant that it is obtaining a consumer report for employment purposes and indicate if an investigative consumer report will be obtained
Obtain written consent from the applicant
Obtain data only from a qualiﬁed consumer reporting agency, an entity that has taken steps to assure the accuracy and currency of the data
Certify to the CRA agency that the employer has a permissible purpose and has obtained consent from the employee
Before taking an adverse action, such as denial of employment, provide a pre-adverse-action notice to the applicant with a copy of the consumer report, in order to give the applicant an opportunity to dispute the report
After taking adverse action, provide an adverse action notice

Answer 142

A

If employers do not comply with these requirements, they may face civil and criminal penalties, including a private right of action

Answer 143

A

The amendments preempted a wide range of state laws on credit reporting, identity theft and other areas within the FCRA.
FACTA, however, speciﬁcally left some existing state laws in effect, notably the California Investigative Consumer Reporting Agencies Act (ICRAA)

Answer 144

A

Employers must notify applicants and employees of their intention to obtain and use a consumer report.
Once disclosure is made, the employer must obtain the applicant or employee’s written authorization prior to requesting the report.
On the notice and authorization form, employers must enable applicants and employees to check a box to receive a copy of their consumer report any time a background check is conducted.
If employers wish to take adverse employment action, they must provide the employee with a copy of the report, regardless of whether the employee waived the right to receive a copy. This exception does not apply to employees suspected of wrongdoing or misconduct

Answer 145

A

The fact that a report may be obtained
The permissible purpose of the report
The fact that the disclosure may include information on the consumer’s character, general reputation, personal characteristics and mode of living
The name, address and telephone number of the investigative consumer reporting agency

Answer 146

A

FRCA:

Allows employers to use the original written consent to get updates to the employee’s credit report as needed
Requires that an employer get written consent only if the employer obtains data from a consumer reporting agency
If the employer does the background check itself (for instance, by directly accessing public records from the gov’t records keeper and calling references), it does not need to obtain written consent under the FCRA

ICRAA:

Employer must obtain written consent every time a background check is requested under the ICRAA.
Requires employers to give the employee or applicant any public records resulting from an in-house background check unless the employee waives that right

Answer 147

A

The FCRA does not preempt states from creating stronger legislation in the area of employment credit history checks, such as the California ICRAA just discussed. Nine other states—Connecticut, Delaware, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont and Washington—currently limit the use of credit information in employment

Answer 148

A

Under the act and its regulations, issued by the Department of Labor, employers are prohibited from using “lie detectors” on incumbent workers or to screen applicants

Answer 149

A

A lie detector is deﬁned to include polygraphs, voice stress analyzers, psychological stress evaluators, or any similar device used for the purpose of rendering a diagnostic opinion regarding an individual’s honesty
The act prohibits employers from requiring or requesting that a prospective or current employee take a lie detector test

Answer 150

A

Government employees, employees in certain security services, those engaged in the manufacture of controlled substances, certain defense contractors and those in certain national security functions.
Tests are also allowed in connection with “an ongoing investigation involving economic loss or injury to the employer’s business,” such as theft, embezzlement or industrial espionage. Even for such investigations, there must be reasonable suspicion to test an employee, and other protections for the employee apply

Answer 151

A

EPPA requires employers to post the act’s essential provisions in a conspicuous location so that employees are aware of its existence

Answer 152

A

If the act is violated, employers may be subject to a ﬁne from the Department of Labor, as well as to private lawsuits

Answer 153

A

State laws are not preempted, and a large number of states have enacted laws further restricting the use of lie detectors in private employment

Answer 154

A

EPPA and the ADA together place signiﬁcant national limits on psychological testing in the workplace
Employers must comply with the rules limiting lie detectors as well as the ADA prohibitions on the use of medical tests, including those designed to test an impairment of mental health
Employers continue to use psychological tests measuring personality traits such as honesty, preferences and habits in hiring and employment, although one expert reports that such tests may be concentrated in speciﬁc positions such as management and sales

Answer 155

A

Federal law also creates regulation for drug testing for employees in the aviation, railroading and trucking industries

Answer 156

A

Preemployment—generally allowed if not designed to identify legal use of drugs or addiction to illegal drugs
Reasonable suspicion—generally allowed as a condition of continued employment if there is “reasonable suspicion” of drug or alcohol use based on speciﬁc facts as well as rational inferences from those facts (e.g., appearance, behavior, speech, odors)
Routine testing—generally allowed if the employees are notified at the time of hire, unless state or local law prohibits it
Post-accident testing—generally allowed to test as a condition of continued employment if there is “reasonable suspicion” that the employee involved in the accident was under the inﬂuence of drugs or alcohol
Random testing—sometimes required by law, prohibited in certain jurisdictions, but acceptable where used on existing employees in speciﬁc, narrowly deﬁned jobs, such as those in highly regulated industries where the employee has a severely diminished expectation of privacy or where testing is critical to public safety or national security

Answer 157

A

was amended in 2009 to protect a person who is 100 pounds overweight from discrimination based on a disability

Answer 158

A

No federal law protects smokers from discrimination

Answer 159

A

Follow workplace safety and other laws that require or encourage monitoring
Protect physical security (such as video cameras near entrances) and cybersecurity (such as activity on computer systems)
Protect trade secrets
Limit liability for unlicensed transmission of copyrighted material and other conﬁdential company information
Improve work quality, such as by monitoring service calls with customers
Try to keep employees on task rather than spending time on personal business, such as surﬁng the web

Answer 160

A

OSHA requires employers to provide a safe workplace that complies with occupational health and safety standards. These standards require employees to perform tasks in a safe manner, to avoid injury. Thus, ensuring compliance with OSHA is one legal reason to monitor employees

Answer 161

A

Cameras and video recordings that do not have sound recordings are outside the scope of the federal wiretap and stored-record statutes
Many U.S. employers use closed-circuit television (CCTV) or other video surveillance in the workplace

Answer 162

A

California is like other states in forbidding video recording in areas such as restrooms, locker rooms and places where employees change clothes
Michigan’s statute is broader, forbidding installation of a device for observing or photographing a “private place” as deﬁned by the statute
Even in the absence of a statute, employees may be able to bring a common-law tort claim for invasion of privacy, especially where a jury would ﬁnd the use of the camera to be offensive

Answer 163

A

Generally strict in prohibiting the interception of wire communications, such as telephone calls or sound recordings from video cameras; oral communications, such as hidden bugs or microphones; and electronic communications, such as emails

Answer 164

A

If a person is a party to a call or where one of the parties has given consent
The interception is done in the ordinary course of business

Answer 165

A

An employer who provides communication services, such as a company telephone, or email service, has the ability to intercept provided the interception occurs in the normal course of the user’s business

Answer 166

A

The SCA creates a general prohibition against the unauthorized acquisition, alteration or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided

Answer 167

A

Violations for interceptions can lead to criminal penalties or a civil lawsuit

Answer 168

A

by the person or entity providing a wire or electronic communications service,” (often the employer)
by a user of that service with respect to a communication of or intended for that user

Answer 169

A

ECPA does not generally preempt stricter state privacy protections, and some state laws may protect e-mail communications

Answer 170

A

U.S. federal law generally prohibits interference with mail delivery. Mail is considered “delivered,” however, when it reaches a business
As a result, the opening of business letters and packages by a representative of the business does not violate that statute, even if that representative is not the intended recipient

Answer 171

A

Mobile phones, GPS devices and some tablet computers provide geolocation data, which enables tracking of the user’s physical location and movements.
This creates a category of personal information that typically did not exist before the prevalence of these mobile devices
Employers interested in monitoring the location of company vehicles equipped with GPS may generally do so without legal hindrance, provided that the monitoring occurs for business purposes during work hours and employees have been informed beforehand

Answer 172

A

Individuals today have more information technology options than ever before
Computing devices range from traditional desktop computers and laptops to powerful smartphones, tablet computers and netbooks
Social networks, webmail and applications can be accessed across devices. Marked improvement in device capability and widespread Internet access allow employees to connect to their online networks from almost any location

Answer 173

A

If the employer is engaged in device monitoring or surveillance, it should disclose that information and obtain employee consent. When monitoring and searching the device, exposure of private employee data should be minimized

Answer 174

A

DLP is a strategy used by businesses to ensure that sensitive data is not accessed, misused or lost by unauthorized users
This goal is accomplished by DLP software and tools by monitoring and controlling endpoint activities as well as protecting data as it moves

Answer 175

A

D3 R3 TP

Data classification
Data governance
Data discovery
Risk assessment
Remediation processes
Regulatory and privacy compliance
Training and awareness
Policies, standards and procedures

Answer 176

A

Be careful to avoid liability or loss due to failure to take the allegations seriously. Ignoring a problem may allow it to grow or otherwise become more difﬁcult to resolve later.
Treat the employee with fairness during the investigation to reduce possible employee resentment as well as the risk that later litigation will result in harsher penalties if the employer is seen to have been unfair.
Follow laws and other corporate policies during the investigation. Particular attention should be given to collective bargaining agreements, which often contain provisions concerning investigations of employee misconduct.
Document the alleged misconduct and investigation to minimize risks from subsequent claims by the employee.
Consider the rights of people other than those being investigated, such as fellow employees who could be subject to retaliation or other problems

Answer 177

A

The communication is made to an employer in connection with the investigation of: (1) suspected misconduct related to employment, or (2) compliance with federal, state, or local laws and/or regulations, the rules of a self-regulatory organization, or any preexisting written employment policies
The communication is not made for the purpose of investigating a consumer’s creditworthiness, credit standing or credit “capacity and does not include information pertaining to those factors
The communication is not provided to any person except: (1) the employer or agent of the employer; (2) a federal or state ofﬁcer, agency, or department, or an ofﬁcer, agency, or department of a unit of general local government; (3) a self-regulating organization with authority over the activities of the employer or employee; (4) as otherwise required by law; or (5) pursuant to 15 U.S.C. § 1681f, which addresses disclosures to government agencies

Answer 178

A

that the employer disclose a summary of the nature and substance of the communication or report to the employee
- This report can be issued after the investigation has been conducted and allows employers to maintain the secrecy of the investigation

Answer 179

A

Secure the return of badges, keys, smartcards and other methods of physical access
Disable access for computer accounts
Ensure the return of laptops, smartphones, storage drives and other devices that may store company information
Seek, where possible, to have the employee return or delete any company data that is held by the employee outside of the company’s systems
Remind employees of their obligations not to use company data for other purposes
Clearly marked personal mail, if any, should be forwarded to the former employee, but work-related mail should be reviewed to ensure that proprietary company information is not leaked

Answer 180

A

to provide references, respond to inquiries about benefits and pensions, address health and safety issues that arise, respond to legal proceedings, and meet legal or regulatory retention requirements for particular types of records

Answer 181

A

The common law provides what is known as a “qualiﬁed privilege” for employers to report their experience with and impressions of the employee, to help in defense against defamation suits

Answer 182

A

In the United States, constitutional protections apply speciﬁcally to government employees. Contract and tort remedies can provide protections to employees, but they apply in a relatively narrow set of circumstances

Answer 183

A

(1) The Electronic Communications Privacy Act, (2) the Right to Financial Privacy Act (applying to financial institutions), and (3) the Privacy Protection Act (applying to reporters and media companies)
- Privacy professionals need to be aware of these statutes, as a company can face legal consequences, depending on the context, for turning over either too much or too little information

Answer 184

A

Telephone companies and other communications providers can face especially complex rules about when and in what way they are permitted or required to provide information to the government

Answer 185

A

Requires health professionals and drug manufacturers to report serious adverse events, product problems or medication errors suspected to be associated with the use of an FDA-regulated drug, biologic, device or dietary supplement under the Food, Drug and Cosmetic Act

Answer 186

A

Requires compilation and reporting of information about certain workplace injuries and illnesses

Answer 187

A

Permits disclosure of protected health information where disclosure is required by law
Many states require reporting of certain types of injuries and medical conditions, such as abuse, gunshot wounds, immunization records or specific contagious diseases

Answer 188

A

State the court from which it is issued
State the title of the action and its civil-action number
Command each person to whom it is directed to do the following at a specific time and place: attend and testify; produce designated documents, electronically stored information or tangible things in that person’s possession, custody or control; or permit the inspection of premises
Set out the text of the rules describing a person’s right to challenge or modify the subpoena

Answer 189

A

Permits (but does not require) companies to disclose PHI when required to do so by another applicable law, such as the state laws that require reporting of medical information
HIPAA also permits covered entities to disclose PHI for reasons including public health, law enforcement and national security

Answer 190

A

The owner or operator of a computer system can face penalties under the Electronic Communication Privacy Act for providing access to law enforcement without following legally mandated procedures
Permits, but does not require, the owner or operator of a computer system to provide such access in defined circumstances

Answer 191

A

The owner or operator of the protected computer authorizes the interception of the computer trespasser’s communications on the protected computer
The person acting under color of law (in an official capacity) is lawfully engaged in an investigation
The person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser’s communications will be relevant to the investigation
Such interception does not acquire communications other than those transmitted

Answer 192

A

HIPAA and the Children’s Online Privacy Protection Rule (COPPA) forbid disclosures of covered information to third parties, unless there is opt-in consent or a different exception applies

Answer 193

A

The Gramm-Leach-Bliley Act (GLBA) forbids disclosures to third parties if the individual has opted out

Answer 194

A

attorney-client priviliege
doctor-patient
priest-penitent
spousal privilege
Where these apply, a doctor, member of the clergy or spouse cannot be compelled to testify about the other party, absent consent or some other exception

Answer 195

A

The U.S. has a strong tradition of public access to government records

Answer 196

A

States that a party may seek a protective order providing that confidential info may not be revealed or must be revealed in “a particular way—such as “attorney’s eyes only”—during litigation
Moving party must demonstrate good cause, and a court will apply a 3-part test in deciding whether to grant the request:
(1st) The resisting party must show the information to be confidential
(2nd) The requesting party must show that the information is relevant and necessary to the case
(3rd) The court must weigh the harm of disclosure against the need for the information

Answer 197

A

Prohibits the parties from using or disclosing the protected health info for any purpose other than the litigation or proceeding for which such info was requested
Requires the return to the covered entity or destruction of the protected health info (including copies) at the end of the litigation
If a QPO is in place, a covered entity complies with privacy requirements for disclosure in litigation or administrative proceedings

Answer 198

A

Applies to both paper and electronic filings and to both parties and nonparties filing documents
Specifically, attorneys are required to redact documents so that no more than the following information is included in court filings:
(1) The last four digits of the Social Security number and taxpayer-identification number
(2) The year of the individual’s birth
(3) If the individual is a minor, only the minor’s initials
(4) The last four digits of the financial account number

Answer 199

A

Federal Criminal Rules of Procedure Rule 49.1

- Federal Rules of Bankruptcy Procedure Rule 9037

Answer 200

A

Has become an increasingly large focus of pretrial discovery in U.S. litigation
The discovery of ESI, generally known as e-discovery, has become an important subdiscipline in law and technology
E-discovery implicates both domestic privacy concerns and issues arising in transborder data flows

Answer 201

A

data retention program
- In designing a retention policy, it should be remembered that ESI takes not only obvious forms such as email or word processing documents, but can also manifest itself as databases, web pages, server logs, instant messaging transcripts, voicemail systems, social networking records, thumb drives or even the microSD cards found in smartphones

Answer 202

A

Sedona Conference

Answer 203

A

Email retention policies should be administered by interdisciplinary teams composed of participants across a diverse array of business units
Such teams should continually develop their understanding of the policies and practices in place and identify the gaps between policy and practice
Interdisciplinary teams should reach consensus as to policies, while looking to industry standards
Technical solutions should meet and parallel the functional requirements of the organization

Answer 204

A

(1) a retention policy should be reasonable considering the facts of the situation,
(2) courts may consider similar complaints against the organization and
(3) courts may evaluate whether the organization instituted the policy in bad faith

Answer 205

A

HIPAA Privacy Regulation specifically addresses when protected health information may be disclosed during discovery

(1st) A covered entity may disclose PHI if the subject of those records authorizes their release.
(2nd) Absent a release, a covered entity may release PHI subject to a court order
(3rd) A covered entity may disclose PHI subject to a discovery request if satisfactory assurances are provided

Answer 206

A

A financial institution may disclose otherwise protected information “to comply with federal, state, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by federal, state, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.”
Federal courts have been willing to read this clause to encompass civil discovery requests, although protective orders should still be obtained by those disclosing the information

Answer 207

A

Complying with U.S. discovery rules that expressly recognize the importance of broad preservation, collection and production. The rules therefore generally require the disclosure of all info relevant to the claims or defenses in a case that are in a party’s possession, custody or control—and this extends to info globally
Parties may also face compliance obligations under foreign laws that place an emphasis of the protection of personal data and recognize privacy as a fundamental right. Ex./ EU’s General Data Protection Regulation (GDPR) makes e-discovery with European nations subject to even more restrictions

Answer 208

A

Under the treaty, the party seeking to displace the Federal Rules of Civil Procedure bears the burden of demonstrating that it is more appropriate to use the Hague Convention and must establish that the foreign law prohibits the discovery sought

Answer 209

A

Outlines the factors that an American court may use to reconcile the conflict
These factors include:
(1) The importance of the documents or data to the litigation at hand
(2) The specificity of the request
(3) Whether the information originated in the United States
(4) The availability of alternative means of securing the information
(5) The extent to which the important interests of the U.S. and the foreign state would be undermined by an adverse ruling

Answer 210

A

For example, when victims of a terrorist attack sued a British bank for aiding and abetting a terrorist organization, British bank secrecy laws did not preempt the discovery request because the information was central to the case and the disclosure would advance both American and British interests in combatting terrorism.
Courts have also been willing to look to additional factors, such as the good faith of the party resisting compliance, in applying such a test

Answer 211

A

The Article 29 Working Party, which produced a working paper that explored the relationship between the Data Protection Directive and pretrial discovery in transborder lawsuits

Answer 212

A

encrypted, and the key transferred by a secure second method of transport.

Answer 213

A

it should be transported in a manner that preserves an audit trail

Answer 214

A

secure file transfer protocol (SFTP)

Answer 215

A

The gov’t must show “probable cause” that a crime has been, is or is likely to be committed. Search warrants must be supported by specific testimony, often provided by a police officer. A neutral magistrate (judge) approves the search warrant. They cannot be general warrants, but instead must describe the place to be searched with particularity

Answer 216

A

A majority of the Supreme Court held that no warrant was required for wiretaps conducted on telephone company wires outside of the suspect’s building

Answer 217

A

What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected

Answer 218

A

“reasonable expectation of privacy” test

Answer 219

A

The Supreme Court signaled important changes to the “in public” and third-party exceptions
Holding: unanimously that a warrant was needed when the police placed a Global Positioning System (GPS) device on a car and tracked its location for over a month.
The majority decision emphasized that the police had trespassed onto the car when they physically attached the GPS device
4/9 justices, however, would have held that a search occurred even without the physical attachment, and even for movements that took place entirely in public

Answer 220

A

Supreme Court unanimously held that the contents of a cell phone cannot be searched unless law enforcement officers first obtain a search warrant
The justices ruled that the data on a cell phone was quantitatively (the amount of data) and qualitatively (the kind of data) different than the contents that would normally be found in a physical container, which was the analogy the government had proposed to the court
As to the quantity of data, the Court noted the immense storage capacity of cell phones as well as the ability to link to remote storage
With regard to the quality of data, the Court opined that Internet searches can reveal a person’s interests, and location information can pinpoint an individual’s movement over time

Answer 221

A

Was passed after the Supreme Court held that the Fourth Amendment did not apply to checking accounts

Answer 222

A

Was passed after the Court held that it did not apply to telephone numbers called

Answer 223

A

opt-in consent from the patient.

Unauthorized disclosures can lead to enforcement by HHS
Section 512(f), however, goes into considerable detail about precisely when disclosure to law enforcement is permitted

Answer 224

A

The information sought is relevant and material to a legitimate law enforcement inquiry
The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought
De-identified information could not reasonably be used

Answer 225

A

(1) telephone monitoring and other tracking of oral communications;
(2) privacy of electronic communications and
(3) video surveillance, for which there is little applicable law

Answer 226

A

ECPA extended the ban on interception to “electronic communications,” which essentially are communications, including emails, that are not wire or oral communications

Answer 227

A

SCA was enacted as part of ECPA in 1986

Answer 228

A

creates a general prohibition against the unauthorized acquisition, alteration or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided

Answer 229

A

Violations can lead to criminal penalties or a civil lawsuit, so an expert in the SCA should generally be consulted before turning over such records in a law enforcement investigation. For monitoring within a company, the exceptions are simpler than for interceptions

Answer 230

A

The SCA has an exception for conduct authorized “by the person or entity providing a wire or electronic communications service,” which will often be the company.
It also has an exception for conduct authorized “by a user of that service with respect to a communication of or intended for that use.”
In general, legal limits on interceptions are stricter than for access to stored records

Answer 231

A

ECPA does not preempt stricter state privacy protections, and that state laws may protect email communications
Ex./ Delaware law prohibits employers from “monitor[ing] or otherwise intercept[ing] any telephone conversation or transmission, electronic mail or transmission, or Internet access or usage” without prior written notice and daily electronic notice.
Connecticut law requires that “each employer who engages in any type of electronic monitoring shall give prior written notice to all employees who may be affected, informing them of the types of monitoring which may occur”

Answer 232

A

Expanded the definitions beyond telephone numbers to include “dialing, routing, addressing, or signaling information” transmitted to or from a device or process

Answer 233

A

Set new rules for national security investigations, prohibiting the use of pen register and trap and trace orders for bulk collection and restricting their use to circumstances where there were specific selectors such as an email address or telephone number

Answer 234

A

Sometimes referred to as the Digital Telephony Bill) lays out the duties of defined actors in the telecommunications industry to cooperate in the interception of communications for law enforcement and other needs relating to the security and safety of the public. It notably requires telecommunications carriers to design their products and services to ensure that they can carry out a lawful order to provide government access to communications

Answer 235

A

CALEA applies to “telecommunications carriers,” but not to other “information services.” As enacted, therefore, the law was interpreted not to apply to Internet services

Answer 236

A

The statute permits the federal government to share unclassified technical data with companies about how networks have been attacked and how successful defenses against such attacks have been carried out

Answer 237

A

Authorization for a company to share or receive “cyber threat indicators” or “defensive measures.”
Requirement for company to remove personal info before sharing
Sharing info with federal gov’t does not waive privileges
Shared info exempt from federal and state FOIA laws
Prohibition on gov’t using shared info to regulate or take enforcement actions against lawful activities
Authorization for company’s monitoring and operating defensive measures
Protection from liability for monitoring activities

Answer 238

A

For sharing to qualify for protections under CISA, the company’s actions must be done in accordance with certain requirements.
Ex./ a company intending to share a “cyber threat indicator” must first remove, or implement a “technical capacity” configured to remove, any information that is not directly related to a threat and that the company is aware at the time relates to a specific individual

Answer 239

A

Sharing information with the federal government does not waive privileges, such as attorney-client privilege. Importantly, there is no similar provision for sharing with state and local governments or other companies

Answer 240

A

Information shared pursuant to CISA is exempt from disclosure under FOIA, as well as under any state or local provisions “requiring disclosure of information or records

Answer 241

A

Information shared under CISA “shall not be used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any non-Federal entity or any activities taken by a non-Federal entity pursuant to mandatory standards, including activities related to monitoring, operating defensive measures, or sharing cyber threat indicators.” The information may be used, however, to develop or implement new cybersecurity regulations

Answer 242

A

According to the act, a company is authorized to “monitor” and “operate defensive measures” on its own information system—or, with written authorization, another party’s system— for cybersecurity purposes

Answer 243

A

Under CISA, the company is protected from liability for its monitoring activities. Note, however, that there is no corresponding liability protection for operating defensive measures

Answer 244

A

Applies to disclosures by a variety of financial institutions, including banks, credit card companies and consumer finance companies
Applies only to requests from federal agencies, although over a dozen states have similar requirements
Applies to the financial records of individuals and partnerships of fewer than five people

Answer 245

A

RFPA states that “no Government authority may have access to or obtain copies of, or the info contained in the financial records of any customer from a financial institution unless the financial records are reasonably described” and meet at least 1 of these conditions:

(1) The customer authorizes access
(2) There is an appropriate administrative subpoena or summons
(3) There is a qualified search warrant
(4) There is an appropriate judicial subpoena
(5) There is an appropriate formal written request from an authorized government authority

Answer 246

A

Provides an extra layer of protection for members of the media and media organizations from government searches or seizures in the course of a criminal investigation

Answer 247

A

PPA was passed in the wake of the 1978 Supreme Court case of Zurcher v. Stanford Daily
PPA was drafted to respond to police physical searches of traditional newspaper facilities

Answer 248

A

Police used a search warrant to look through a newspaper’s unpublished photographs of a demonstration
Lower courts found the search unlawful, saying that the government should have used less invasive methods than a full search of the newspaper’s premises
The Supreme Court, however, found that valid search warrants “may be used to search any property” where there is probable cause to believe that evidence of a crime will be found

Answer 249

A

To search or seize media work products or documentary materials “reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast or other similar form of public communication.” In practice, rather than physically searching a newsroom, “the PPA effectively forces law enforcement to use subpoenas or voluntary cooperation to obtain evidence from those engaged in First Amendment activities.”

Answer 250

A

PPA applies to government officers or employees at all levels of government. It applies only to criminal investigations, not to civil litigation. Several states provide additional protections

Answer 251

A

Violation can lead to penalties of a minimum of $1,000, actual damages and attorney’s fees

Answer 252

A

(1) If there is probable cause to believe that a reporter has committed or is in the process of committing a crime
- This PPA exception does not apply if the member of the media’s only crime is possession, receipt or “communication of the work product itself
(2) Other exceptions exist, such as to prevent death or serious injury or where there is reason to believe documents will be destroyed or concealed if the materials were requested through a subpoena

Answer 253

A

Federal appellate court in New York ruled that the SCA did not require the company to provide electronic evidence that was stored outside of the US, meaning the warrant was not valid for the contents of an email account that Microsoft stored overseas

Answer 254

A

This interpretation, that a warrant could not compel production of electronic evidence held by a U.S. company outside the U.S., surprised some commentators
Until the Microsoft Ireland case (so called because the evidence at issue was housed by Microsoft in Ireland), leading email and social network services have been based in the U.S., so the U.S. government could gain evidence in law enforcement investigations by ordering production through the U.S. corporate headquarters

Answer 255

A

The court specifically left undecided the extent of the president’s power to conduct wiretaps without warrants “with respect to the activities of foreign powers, within or without this country.

Answer 256

A

The original FISA statute was passed during the Cold War, when a major target of national security efforts was to track the activities of agents of the Soviet Union and its allied foreign nation states
- Ex./ foreign intelligence wiretaps could be used in connection with communications of the Soviet Embassy or people who worked there

Answer 257

A

This statute gave legal authorization to some of the new surveillance practices, especially where one party to the communication is reasonably believed to be outside of the United States
Granted immunity to the telephone companies, so they would not be liable for the records they had provided to the government in the wake of 9/11
The new rules also required more reporting from the government to Congress, and put limits on some of the secrecy about NSLs and other government requests for records in the national security realm

Answer 258

A

USA FREEDOM Act in 2015, which among multiple provisions ended bulk collection under the Section 215 program, and the Judicial Redress Act of 2016, which extends U.S. Privacy Act protections to certain non-U.S. persons

Answer 259

A

The FBI sought the assistance of Apple to gain access to the encrypted phone of one of the assailants in the San Bernardino shooting.
The FBI obtained a court order requiring Apple to assist the government by creating a custom operating system that would disable key security features on the iPhone.
Apple filed a motion with the court asking it to reconsider its decision, expressing the company’s concern that complying with the order would result in building a backdoor into the encryption for all iPhones of that particular model phone
On one side, law enforcement sought info in a mass shooting, and they secured a warrant before proceeding. - On the other side, a preeminent technology company warned that its compliance with the order could weaken the technology that protects privacy around the world

Answer 260

A

The specific court case involving Apple ended when the FBI announced that it had gained access to the encrypted phone without the assistance of the company, but the debate about the government accessing encrypted data led to hearings and proposed legislation in Congress

Answer 261

A

Establishes standards and procedures for electronic surveillance that collects “foreign intelligence” within the United States FISA orders can issue when foreign intelligence gathering is “a significant purpose” of the investigation

Answer 262

A

For law enforcement cases, court orders issue based on probable cause of a crime; FISA orders instead issue on probable cause that the party to be monitored is a “foreign power” or an “agent of a foreign power.” FISA orders issue from a special court of federal district court judges, the Foreign Intelligence Surveillance Court (FISC)

Answer 263

A

FISA authorizes pen register and trap and trace orders (for phone numbers, email addresses, and other addressing and routing information) and orders for video surveillance

Answer 264

A

False. There is generally no disclosure after the fact to the target of a FISA wiretap as there is for law enforcement wiretaps

Answer 265

A

Provides that a federal court order can require the production of “any tangible thing” for defined foreign intelligence and antiterrorism investigations
Recipients of such an order receive notice that they were forbidden from disclosing the existence or contents of the order

Answer 266

A

Disclosure is permitted, however, to the persons necessary to comply with the order (such as employees who gather the records) and to an attorney for purposes of receiving legal advice
Production of the records in good faith provides immunity for such production

Answer 267

A

The USA FREEDOM Act ended bulk collection conducted under Section 215
Going forward, requests by government officials must be based upon specific selectors, such as a telephone number

Answer 268

A

Applies to collection of electronic communications that take place within the United States and only authorizes access to the communications of targeted individuals for listed foreign intelligence purposes

Answer 269

A

The basic structure of Section 702 is that the FISC must annually approve certifications by the director of national intelligence and the attorney general setting the terms for Section 702 surveillance

Answer 270

A

The government must have a foreign intelligence purpose to conduct the collection and a reasonable belief that the person is a non-U.S. citizen located outside of the United States

Answer 271

A

PRISM and Upstream

Answer 272

A

The PRISM program became famous when it was publicly named in one of the first stories based on the Snowden documents.
The operation of PRISM resembles data requests made in other settings to service providers
In PRISM collection, acting under a Section 702 court order, the government sends a judicially approved and judicially supervised directive requiring collection of certain “selectors,” such as an email address

Answer 273

A

Upstream targets Internet-based communications as they pass through physical Internet infrastructure located within the Unites States
Upstream is designed to only acquire Internet communications that contain a tasked selector
To do so, Upstream filters Internet transactions that pass through the Internet backbone to eliminate potential domestic transactions; these are then further screened to capture only transactions containing a tasked selector

Answer 274

A

An NSL is a category of subpoena that, prior to the PATRIOT Act in 2001, was used narrowly, only for certain financial and communication records of an agent of a foreign power, and only with approval of FBI headquarters

Answer 275

A

The PATRIOT Act expanded use of NSLs

Answer 276

A

NSLs can be issued by authorized officials, often the special agent in charge of an FBI field office.
The precise language in the statutes varies, but NSLs generally can seek records relevant to protect against international terrorism or clandestine intelligence activities.
NSLs can be issued without any judicial involvement

Answer 277

A

Recipients were allowed to disclose the request to those necessary to comply with the request and to an attorney for legal assistance
Recipients could also petition a court to modify or end the secrecy requirement
Breach of the confidentiality requirements, however, was treated as a serious offense, punishable by up to five years’ imprisonment and fines of up to $250,000 for an individual

Answer 278

A

an investigation closes, or no more than three years after the opening of a full investigation

Answer 279

A

A term used to describe the nearly ubiquitous collection of data about individuals from multitudinous sources, coupled with the low costs to store such data and the new data mining techniques used to draw connections and make predictions based on this collected information

Answer 280

A

On the positive side, Big Data provides the basis for modern analytics, and the significant insights that can be derived from such data

Answer 281

A

On the cautionary side, Big Data and modern analytics can be a difficult fit for the fair information privacy practices (FIPPs), sometimes called fair information practices (FIPs), because there may not be clear notice of how data is used, and advanced analytics may not be within the purposes the individual expected when the data was collected

Answer 282

A

The data analyzed by analytics programs, algorithms, machine learning, and other data mining techniques—the underpinnings of the term Big Data—are often gathered by devices collectively

Answer 283

A

In 1965, Moore published a now-iconic article in which he observed that the number of transistors that would fit onto a circuit board doubled each year.
A decade after this publication, the principle, dubbed “Moore’s Law,” was tweaked to say that the number of transistors on a circuit board doubled every 18 to 24 months

Answer 284

A

Moore’s Law is a useful way to explain the development of two of the technological phenomena emerging at the time of the writing of this book—Big Data and IoT

Answer 285

A

(1) Velocity (how fast the data is coming in) - come directly from greater processing capability
(2) Volume (the amount of data coming in) - come directly from greater processing capability
(3) Variety (what different forms of data are being analyzed) - derived from the combination of network environments, draws from disparate sources as well as disparate capabilities that can be turned into more uniform categories of data

Answer 286

A

A robot may not injure a human being or, through inaction, allow a human being to come to harm”
A robot must obey orders given it by human beings except where such orders would conflict with the First Law
A robot must protect its own existence as long as such protection does not conflict with the First or Second Law

Answer 287

A

Robots should always reveal the basis of their decisions

2. Robots must always reveal their identities

Answer 288

A

The ACF software collects a tremendous amount of data, with granular financial information about tens of millions of customers
Data at this scale enables advanced analytics, with potentially great benefits to customers (higher return on investment) and the bank (greater profit per customer)

Answer 289

A

One tip for senior managers in implementing the comprehensive information plan is the “friends and family test”—would the managers feel comfortable if data on themselves and their family and friends were in the database, subject to possible breach? For instance, would managers at the bank feel comfortable with their own family’s data going into the ACF database? If not, that is a reason to take greater precautions

Answer 290

A

into the Data Protection Directive and the General Data Protection Regulation

Answer 291

A

into companies’ privacy policies, and violation of those policies can lead to enforcement under the Federal Trade Commission (FTC) Act or other statutes

Answer 292

A

(1) data minimization, to avoid privacy and security risks of Big Data where possible and
(2) de-identification, to avoid privacy and security risks that arise when previously de-identified data can be re-identified

Answer 293

A

The principle of data minimization is a useful way to summarize why more data is not always better

Answer 294

A

Ex./ The employees doing data analytics often have no need to see the customers’ names and full account numbers—the analytics can proceed just as well without those data fields

Identifiers are not needed for many Big Data applications, so the benefits of analytics can be achieved while reducing the privacy and security risks
Similarly, data should be disposed of when no longer needed by the organization—proper disposal reduces the risk that a security or privacy breach will occur down the road because of paper left in a dumpster or records left on an old hard drive

Answer 295

A

“direct identifiers,” which are data that identify an individual with little or no additional effort. A phone number is an example of a direct identifier, because there are look-up services that provide the name for most phone numbers

Answer 296

A

Pseudonymous data
De-identified data
Anonymous data

Answer 297

A

Information from which the direct identifiers have been eliminated. Indirect identifiers remain intact

Answer 298

A

Direct and known indirect identifiers have been removed

Answer 299

A

Direct and indirect identifiers have been removed or technically manipulated to prevent re-identification

Answer 300

A

This technique reduces the precision of disclosed data to reduce the certainty of individual identification. For example, date of birth is highly identifying (because a small portion of people are born on a particular day of a particular year), but year of birth is less identifying. Similarly, a broader set of years (such as 1971-1980, or 1981-1990) is less identifying than year of birth

Answer 301

A

This technique masks the original values in a data set with the goal of data privacy protection. One way this may be accomplished is to use perturbation—make small changes to the data while maintaining overall averages—to make it more difficult to identify individuals

Answer 302

A

This technique uses a mathematical approach to ensure that the risk to an individual’s privacy is not substantially increased as a result of being part of the database

Answer 303

A

then the FTC or state attorneys general may have a valid claim for a deceptive trade practice

Answer 304

A

Collecting consumer data from numerous sources, usually without consumers’ knowledge or consent; storing billions of data elements on nearly every U.S. consumer; analyzing data about consumers to draw inferences about them; and combining online and offline data to market to consumers online

Answer 305

A

(1) marketing (such as appending data to customer information that a marketing company already has),
(2) risk mitigation (such as information that may reduce the risk of fraud) and
(3) location of individuals (such as identifying an individual from partial information)

Answer 306

A

FTC successfully brought an enforcement action against LeapLab for its “failure to protect data that was sold to a third party.
According to the FTC, LeapLab bought sensitive info, including Social Security numbers and bank account numbers, from payday loan websites and, acting as a data broker, sold the information to businesses that LeapLab knew had no legitimate use for the info&raquo_space; LeapLab’s actions allowed scammers to steal millions of dollars from individuals’ accounts
Court issued an order in 2016 prohibiting LeapLab from continuing these business practices and $5.7 million money judgment against the business and its officers, but suspended the payment of the judgment based on sworn affidavits that the (D)s could not pay the amount

Answer 307

A

Examples of the benefits:

providing healthcare tailored to individual patients,
enhancing educational opportunities by tailoring the experience to the individual student, and
increasing equal access to employment

Examples of risks:

exposing sensitive information;
reinforcing existing disparities; and
creating new justifications for exclusion

Answer 308

A

The Fair Credit Reporting Act
The Equal Credit Opportunity Act
The Federal Trade Commission Act

Answer 309

A

(1) the devices interact with software running elsewhere (often in the cloud) and function autonomously and
(2) when coupled with data analysis, the devices may take proactive steps and make decisions about or suggest next steps for users

Answer 310

A

(1) limited user interfaces in the products;
(2) lack of industry experience with privacy and cybersecurity;
(3) lack of incentives in the industries to deploy updates after products are purchased; and
(4) limitations of the devices themselves, such as lack of effective hardware security measures

Answer 311

A

Electronic devices that are worn on the body and collect data in real time
They range from headwear used by soldiers on the battlefield to wrist devices that check heart beats during exercise

Answer 312

A

Right to forget: users are concerned that tracking data daily will make it difficult for them to get rid of documentation of actions that they would rather forget
Impact of location disclosure: users expressed concern that criminals might gain access to this information to track or stalk them.
Concern that screens will be read: users pointed out that many devices, such as smart watches, have a display that can be read by those who are near the user
Video and audio recording where those involved were unaware
Lack of control of the data
Automatic syncing with social media
Facial recognition

Answer 313

A

Connected cars collect and transmit data about the vehicle, the driver’s driving habits, and the driver’s preferences
Ex. 1 / a vehicle that wirelessly alerts the dealership when tires need to be rotated
Ex. 2/ an app from a car insurance company that records braking habits
Ex. 3/ information may be transmitted from the car to the Internet from multiple sources, such as users’ phones, video systems, cameras, GPS systems, and entertainment centers

Answer 314

A

Smart homes have multiple devices that are connected to the Internet to enhance the home environment experience
These devices are typically user controlled—a task that is often accomplished via a smartphone or another small electronic device

Answer 315

A

Smart thermostats
Smart TVs
Communications systems
Security systems

Answer 316

A

Smart cities is a term that primarily refers to municipalities and other government entities using sensors to monitor functions and improve government services
Ex./ a city could embed wireless sensors into existing lighting fixtures, then analyze this data to allow targeted law enforcement practices, improved parking efficiency and increased environmental monitoring

Answer 317

A

Changing seams: from the seams between legacy and new infrastructure to those between urban and rural systems, these boundaries are moving or disappearing as systems are networked and upgraded.
Inconsistent adoption: factors such as user preferences, resource availability and scale of technological system will lead to inconsistent adoption. These inevitable inconsistencies will introduce security challenges for industry, gov’t and people living w/ the technology.
Increased automation: although automation can reduce certain risks, removal of human interaction from many aspects of cyber-physical infrastructure has the potential to introduce new security challenges, including increasing the number of access points (and the possible attack vectors), cascading failures (where no humans are present to witness developing problems), and unintentional removal of manual overrides

Answer 318

A

(1) IoT devices should follow security and encryption best practices
(2) For devices that can be customized by the users, the company should test the IoT devices in different possible configurations
(3) IoT devices should be designed to facilitate automated, secure software updates
(4) IoT devices should be secured by default by the inclusion of a password
(5) IoT devices should be shipped originally with reasonably up-to-date software
(6) IoT devices should be shipped with a privacy policy that is understandable and easy to find
(7) IoT devices should communicate with restrictive rather than permissive protocols
(8) IoT devices should continue to function if Internet connectivity is disrupted or if cloud back-up fails

Answer 319

A

FTC alleged that TRENDnet failed to encrypt customer log-in credentials and failed to test consumers’ privacy settings
Hackers utilized these security vulnerabilities to post hundreds of live video feeds featuring babies sleeping in cribs and adults engaging in daily activities
The agency’s complaint resulted in an order requiring the company to bring its practices into line with FTC requirements and to establish its compliance by undergoing assessments every 2 years for the next 20 years

Answer 320

A

Implement security by design,
Ensure personnel employ good security,
Engage in good vendor management practices,
Utilize a defense-in-depth approach where security measures are considered at several levels,
Implement reasonable access controls to ensure that access by unauthorized persons to a customer’s device is limited, and
Continue to monitor products throughout the device’s lifecycle, patching vulnerabilities when possible