CIPP / US Glossary Flashcards

Question 1

Q

Accountability

Answer

A

The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules

Question 2

Q

Adequate Level of Protection

Answer

A

Elements:

(a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred;
(b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules;
(c) the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data

Question 3

Q

Adverse Action

Answer

A

Under the Fair Credit Reporting Act, the term “adverse action” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action

Question 4

Q

American Institute of Certified Public Accountants

Answer

A

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program

Question 5

Q

Americans with Disabilities Act

Answer

A

A U.S. law that bars discrimination against qualified individuals with disabilities

Question 6

Q

Anti-discrimination Laws

Answer

A

Anti-discrimination laws are indications of special classes of personal data. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise

Question 7

Q

APEC Privacy Principles

Answer

A

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs

Question 8

Q

Background Screening/Checks

Answer

A

Organizations may want to verify an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers. Background checks range from checking a person’s educational background to checking on past criminal activity. Employee consent requirements for such check vary by member state and may be negotiated with local works councils

Question 9

Q

Bank Secrecy Act

Answer

A

A U.S. federal law that requires U.S. financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities

Question 10

Q

Behavioral Advertising

Answer

A

Advertising that is targeted at individuals based on the observation of their behaviour over time.
• Most often done via automated processing of personal data, or profiling, GDPR requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing
• If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information

Question 11

Q

Binding Corporate Rules

Answer

A

Binding Corporate Rules (BCRs) are an appropriate safeguard allowed by GDPR to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. BCRs compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and are approved by a member state data protection authority. To date, relatively few organizations have had BCRs approved

Question 12

Q

Binding Safe Processor Rules

Answer

A

Previously, the EU distinguished between Binding Corporate Rules for controllers and Binding Safe Processor Rules for processors. With the General Data Protection Regulation, there is now no distinction made between the two in this context and Binding Corporate Rules are appropriate for both

Question 13

Q

Breach Disclosure

Answer

A

The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure

Question 14

Q

Bring Your Own Device

Answer

A

Use of employees’ own personal computing devices for work purposes

Question 15

Q

California Investigative Consumer Reporting Agencies Act

Answer

A

A California state law that requires employers to notify applicants and employees of their intention to obtain and use a consumer report

Question 16

Q

Case Law

Answer

A

Principles of law that have been established by judges in past decisions. When similar issues arise again, judges look to the past decisions as precedents and decide the new case in a manner that is consistent with past decisions

Question 17

Q

CCTV

Answer

A

Originally an acronym for “closed circuit television,” CCTV has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and was truly only accessible on premise. Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns

Question 18

Q

Children’s Online Privacy Protection Act (COPPA) of 1998

Answer

A

U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13.

COPPA requires these website operators to: (1) post a privacy notice on the homepage of the website;

(2) provide notice about collection practices to parents;
(3) obtain verifiable parental consent before collecting personal information from children;
(4) give parents a choice as to whether their child’s personal information will be disclosed to third parties;
(5) provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information,
(6) and maintain the confidentiality, security and integrity of personal information collected from children.

Question 19

Q

Choice

Answer

A

In the context of consent, choice refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not. If there is no true choice it is unlikely the consent will be deemed valid under the General Data Protection Regulation

Question 20

Q

Cloud Computing

Answer

A

The provision of information technology services over the Internet. These services may be provided by a company for its internal users in a “private cloud” or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems). Cloud computing has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models

Question 21

Q

Collection Limitation

Answer

A

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject

Question 22

Q

Commercial Activity

Answer

A

Under Canada’s PIPEDA, “commercial activity” means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition

Question 23

Q

Commercial Electronic Message

Answer

A

Any form of electronic messaging, including e-mail, SMS text messages and messages sent via social networking about which it would be reasonable to conclude its purpose is to encourage participation in a commercial activity. Examples include electronic messages that offer to purchase, sell, barter or lease products, goods, services, land or an interest or right in land; offers to provide a business, investment or gaming opportunity; advertises or promotes anything previously mentioned.

Question 24

Q

Common Law

Answer

A

Unwritten legal principles that have developed over time based on social customs and expectations.

Question 25

Q

Communications Privacy

Answer

A

One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus

Question 26

Q

Comprehensive Laws

Answer

A

Laws that govern the collection, use and dissemination of personal information in the public and private sectors

Question 27

Q

Computer Forensics

Answer

A

The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit

Question 28

Q

Confidentiality

Answer

A

Data is “confidential” if it is protected against unauthorised or unlawful processing. The General Data Protection Regulation requires that an organization be able to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Question 29

Q

Confirmed Opt-In

Answer

A

An email approach where email marketers send a confirmation email requiring a response from the subscriber before the subscriber receives the actual marketing e-mail

Question 30

Q

Consent

Answer

A

One of the fair information practices. Individuals must be able to prevent the collection of their personal data unless the disclosure is required by law. If an individual has a choice about the use or disclosure of his or her information, consent is the individual’s way of giving permission for the use or disclosure.

Consent may be affirmative; i.e., opt-in; or implied; i.e., the individual didn’t opt-out.

(1) Affirmative/Explicit Consent: A requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties.
(2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

Question 31

Q

Consent Decree

Answer

A

A judgment entered by consent of the parties. Typically, the defendant agrees to stop alleged illegal activity and pay a fine, without admitting guilt or wrongdoing. This legal document is approved by a judge and formalizes an agreement reached between a U.S. federal or state agency and an adverse party

Question 32

Q

Consumer Financial Protection Bureau

Answer

A

Created by the Dodd-Frank Act, the consumer financial protection bureau is intended to consolidate the oversight of the financial industry. It is an independent bureau within the Federal Reserve and when it was created CFPB took rule-making authority over FCRA and GLBA regulations from the FTC and Financial Industry Regulators. Its enforcement powers include authority to take action against “abusive acts and practices” as specified by the Dodd-Frank Act

Question 33

Q

Consumer Reporting Agency

Answer

A

Any person or entity that complies or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.

Question 34

Q

Cookie

Answer

A

A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already. Cookies may be referred to as “first-party” (if they are placed by the website that is visited) or “third-party” (if they are placed by a party other than the visited website)

Question 35

Q

Credit Freeze

Answer

A

A consumer-initiated security measure which locks an individual’s data at consumer reporting agencies. Is used to prevent identity theft, as it disallows both reporting of data and issuance of new credit

Question 36

Q

Credit Reporting Agency

Answer

A

Under the Fair Credit Reporting Act, any organization that regularly engages in assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties for a fee

Question 37

Q

Customer Access

Answer

A

A customer’s ability to access the personal information collected on them as well as review, correct or delete any incorrect information

Question 38

Q

Customer Information

Answer

A

In contrast to employee information, customer information includes data relating to the clients of private-sector organizations, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services

Question 39

Q

Data Breach

Answer

A

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure

Question 40

Q

Data Classification

Answer

A

A scheme that provides the basis for managing access to, and protection of, data assets

Question 41

Q

Data Controller

Answer

A

The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law

Question 42

Q

Data Elements

Answer

A

A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, a numerical identifier, or location coordinates. In the context of data protection, it is important to understand that data elements in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data

Question 43

Q

Data Matching

Answer

A

An activity that involves comparing personal data obtained from a variety of sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains

Question 44

Q

Data Processing

Answer

A

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Question 45

Q

Data Processor

Answer

A

A natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing

Question 46

Q

Data Quality

Answer

A

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

The quality of data is judged by 4 criteria:
(1) Is it accurate?
(2) Does it meet the business needs?
(3) Is it complete?
(4) Is it recent?
» Data is of an appropriate quality if these criteria are satisfied for a particular application

Question 47

Q

Data Recipient

Answer

A

A natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not.

Exception: Public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients.
• The processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing

Question 48

Q

Data Subject

Answer

A

An identified or identifiable natural person

Question 49

Q

Deceptive Trade Practices

Answer

A

In the context of U.S. federal law, a term associated with corporate entities who mislead or misrepresent products or services to consumers and customers. These practices are regulated in the U.S. by the Federal Trade Commission at the federal level and typically by an attorney general or office of consumer protection at the state level. Law typically provides for both enforcement by the government to stop the practice and individual actions for damages brought by consumers who are hurt by the practices

Question 50

Q

Defamation

Answer

A

Common law tort focuses on a false or defamatory statement, defined as a communication tending “so to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.”

Question 51

Q

Digital Fingerprinting

Answer

A

The use of log files to identify a website visitor. It is often used for security and system maintenance purposes. Log files generally include: the IP address of the visitor; a time stamp; the URL of the requested page or file; a referrer URL, and the visitor’s web browser, operating system and font preferences. In some cases, combining this information can be used to “fingerprint” a device

Question 52

Q

Digital Signature

Answer

A

A means for ensuring the authenticity of an electronic document, such as an e-mail, text file, spreadsheet or image file. If anything is changed in the electronic document after the digital signature is attached, the signature is rendered invalid

Question 53

Q

Direct Marketing

Answer

A

When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio

Question 54

Q

Do Not Track

Answer

A

A proposed regulatory policy, similar to the existing Do-Not-Call Registry in the United States, which would allow consumers to opt out of web-usage tracking

Question 55

Q

Do-Not-Call Implementation Act of 2003

Answer

A

Grants the authority to the FTC to create the National Do-Not-Call Registry in the United States. The registry is open to all consumers, allowing them to place their phone numbers on a national list which makes it illegal for telemarketers to make unsolicited calls to those numbers, the only exceptions being for political activities and non-profit organizations.

Originally consumers would have to re-register their numbers with the FTC every 5 years for continued prevention, but the Do-Not-Call Improvement Act of 2007 extended registration indefinitely. Violations can be enforced by the FTC, Federal Communications Commission, and state attorneys general with up to a $16,000 fine per violation

Question 56

Q

Do-Not-Call Improvement Act of 2007

Answer

A

Amending the U.S. Do-Not-Call Implementation Act to remove the re-registration requirement. Originally registration with the National Do-Not-Call Registry ended after 5 years, but with this act the registrations became permanent

Question 57

Q

Dodd-Frank Wall Street Reform and Consumer Protection Act

Answer

A

In 2010 the U.S. Congress passed the Dodd-Frank Act to reorganize and improve financial regulation. Among other reforms it put in place, the Dodd-Frank Act created the Consumer Financial Protection Bureau and granted it rule-making authority over FCRA and GLBA as well as a few other regulations

Question 58

Q

Electronic Communications Privacy Act of 1986

Answer

A

The collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated the Federal Wiretap Act of 1968. ECPA, as amended, protects wire, oral and electronic communications while those communications are being made, are in transit, and when they are stored on computers.

The act applies to e-mail, telephone conversations and data stored electronically. The USA PATRIOT Act and subsequent federal enactments have clarified and updated ECPA in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases

Question 59

Q

Electronic Discovery

Answer

A

Prior to trial, information is typically exchanged between parties and their attorneys. E-discovery requires civil litigants to turn over large volumes of a company’s electronic records in litigation

Question 60

Q

Electronic Health Record

Answer

A

A computer record of an individual’s medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges. EHRs may include a range of data including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats such as age and weight and billing information. Their accessibility and standardization can facilitate large-scale data collection for researchers

Question 61

Q

Electronic Surveillance

Answer

A

Monitoring through electronic means; i.e., video surveillance, intercepting communications, stored communications or location-based services

Question 62

Q

Employee Information

Answer

A

Personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating; (1) an employment relationship, or (2) a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship

Question 63

Q

Employment at Will

Answer

A

An employment contract can be terminated by either the employer or the employee at any time for any reason

Question 64

Q

Equal Employment Opportunity Commission (EEOC)

Answer

A

An independent U.S. federal agency that enforces laws against workplace discrimination. The EEOC investigates discrimination complaints based on an individual’s race, color, national origin, religion, sex, age, perceived intelligence, disability and retaliation for reporting and/or opposing a discriminatory practice. It is empowered to file discrimination suits against employers on behalf of alleged victims and to adjudicate claims of discrimination brought against federal agencies

Answer 65

A

An exemption to the Do Not Call (DNC) registry, a marketer may call an individual on the DNC registry if a prior or existing relationship formed by a voluntary two-way communication between a person or entity and a residential subscriber with or without an exchange of consideration, on the basis of an inquiry, application, purchase or transaction by the residential subscriber regarding products or services offered by such person or entity, which relationship has not been previously terminated by either party

Answer 66

A

The EU Data Protection Directive (95/46/EC) was replaced by the General Data Protection Regulation in 2018. The Directive was adopted in 1995, became effective in 1998 and was the first EU-wide legislation that protected individuals’ privacy and personal data use

Answer 67

A

An agreement between the European and United States, invalidated by the Court of Justice of the European Union in 2015, that allowed for the legal transfer of personal data between the EU and U.S. in the absence of a comprehensive adequacy decision for the United States (see Adequacy). It was replaced by the EU-U.S. Privacy Shield in 2016 (see Privacy Shield)

Answer 68

A

Created in 2016 to replace the invalidated EU-U.S. Safe Harbor agreement, the Privacy Shield is an adequacy agreement that allows for the transfer of personal data from the EU to the United States for companies participating in the program. Only those companies that fall under the jurisdiction of the U.S. Federal Trade Commission may certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions

Answer 69

A

The executive body of the European Union. Its main function is to implement the EU’s decisions and policies, along with other functions. It initiates legislation in the EU, proposing initial drafts that are then undertaken by the Parliament and Council of the European Union. It is also responsible for making adequacy determinations with regard to data transfers to third-party countries

Answer 70

A

Expanded the Fair Credit Reporting Act (focuses on consumer access and identity theft prevention)
Mandates that credit reporting agencies allow consumers to obtain a free credit report once every 12 months
Allows consumers to request alerts when a creditor suspects identity theft and gave the FTC authority to promulgate rules to prevent identity theft&raquo_space; FTC used the authority to create the Red Flags Rule
Stricter state laws are preempted in most areas although states retain some powers are preempted in most areas, although states retain some powers to enact laws addressing identity theft
Required truncation of credit and debit card numbers, so that receipts do not reveal the full credit or debit card number

Answer 71

A

• Enacted to regulate the consumer reporting industry and provide privacy rights in consumer reports
• Mandates accurate and relevant data collection, provides consumers w/ ability to access and correct their info, and limits the use if consumer reports to defined permissible purposes
• Regulates “consumer reporting agency” that furnishes a “consumer report,” which is used primarily for assisting in establishing consumer’s eligibility for credit
• Users must:
(1) 3rd party data for substantive decision making must be appropriately accurate, current, and complete
(2) Consumers must receive notice when 3rd party data is used to make adverse decisions about them
(3) Consumer reports may be used only for permissible purposes
(4) Consumers must have access to their consumer reports and an opportunity to dispute them or correct any errors

Answer 72

A

The United States agency that regulates interstate communications through radio, wire, telecommunications, satellite and cable. The Federal Communications Commission has authority that overlaps with the Federal Trade Commission in some areas of privacy law including enforcement and further regulation under the Telephone Consumer Protection Act

Answer 73

A

The United States’ primary consumer protection agency
Collects complaints about companies, business practices and identity theft under the FTC Act and other laws that they enforce or administer
The FTC brings actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices

Answer 74

A

A corporation that acts as a regulator for brokerage firms and exchange markets
Its primary charge is to make sure that security exchange markets, such as the New York Stock Exchange, operate fairly and honestly and to protect investors
Although it is a non-governmental regulator, ultimately it is subject to the regulations of the Securities and Exchange Commission along with the rest of the security exchange industry

Answer 75

A

After the savings and loans crisis of the 1980s, the U.S Congress passed FIRREA to enable financial regulators to levy penalties up to $5,000,000 for failure to comply with regulations. These penalties can be levied if a Financial institution fails to comply with the information privacy requirements contained in GLBA

Answer 76

A

A U.S. federal law that ensures citizen access to federal government agency records. FOIA only applies to federal executive branch documents. It does not apply to legislative or judicial records. FOIA requests will be fulfilled unless they are subject to nine specific exemptions. Most states have some state-level equivalent of FOIA. The federal and most state FOIA statutes include a specific exemption for personal information so that sensitive data (such as Social Security numbers) are not disclosed

Answer 77

A

The GET and POST HTML method attributes specify how form data is sent to a web page. The GET method appends the form data to the URL in name/value pairs allowing passwords and other sensitive information collected in a form to be visible in the browser’s address bar, and is thus less secure than the POST method

Answer 78

A

Organized following an OECD recommendation for cooperation among member countries on enforcement of privacy laws
GPEN is collection of data protection authorities dedicated to discussing aspects of privacy law enforcement cooperation, the sharing of best practices, development of shared enforcement priorities, and the support of joint enforcement initiatives and awareness campaigns
As of 2018, GPEN counted 50 member countries

Answer 79

A

Aka Financial Services Modernization Act of 1999
Re-organized financial services regulation in the United States and applies broadly to any company that is “significantly engaged” in financial activities in the U.S.
In its privacy provisions, GLBA addresses the handling of non-public personal information, defined broadly to include a consumer’s name and address, and consumers’ interactions with banks, insurers and other financial institutions
Requires financial institutions to securely store personal financial information; give notice of their policies regarding the sharing of personal financial information, and give consumers the ability to opt-out of some sharing of personal financial information

Answer 80

A

A rule in the United States, promulgated under HITECH, requiring vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached

Answer 81

A

Enacted as part of the American Recovery and Reinvestment Act of 2009, the HITECH Act, among other objectives, further addresses privacy and security issues involving PHI as defined by HIPAA. The HITECH privacy provisions include the introduction of categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties. Its most noteworthy elements elaborate upon breach notifications resulting from the use or disclosure of information that compromises its security or privacy

Answer 82

A

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations

Answer 83

A

The information life cycle recognizes that data has different value, and requires approaches, as it moves through an organization from collection to deletion. The stages are generally considered to be: Collection, processing, use, disclosure, retention, and destruction

Answer 84

A

One of the four classes of privacy, along with territorial privacy, bodily privacy, and communications privacy. The claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others

Answer 85

A

The protection of information for the purposes of preventing loss, unauthorized access and/or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve confidentiality, integrity and availability of information

Answer 86

A

Creates the Existing Business Relationship exception to the U.S. Telephone Consumer Protection Act’s ban of fax-based marketing without consent but contains a requirement that all marketing faxes be accompanied by instructions on how to opt-out of further unsolicited communications

Answer 87

A

The authority of a court to hear a particular case. Courts must have jurisdiction over both the parties to the dispute (personal jurisdiction) and the type of dispute (subject matter jurisdiction). The term is also used to denote the geographical area or subject-matter to which such authority applies

Answer 88

A

Services that utilize information about location to deliver, in various contexts, a wide array of applications and services, including social networking, gaming and entertainment. Such services typically rely upon GPS, RFID, Wi-Fi, or similar technologies in which geolocation is used to identify the real-world geographic location of an object, such as a mobile device or an internet-connected computer terminal

Answer 89

A

Information or records obtained, with the consent of the individual to whom it relates, from licensed physicians or medical practitioners, hospitals, clinics or other medical or medically related facilities

Answer 90

A

Under HIPAA, the standard that the level of information that may be disclosed by healthcare providers to third parties is the minimum amount necessary to accomplish the intended purpose

Answer 91

A

An authentication process that requires more than one verification method (see Authentication), such as a password and biometric identifier, or log-in credentials and a code sent to an email address or phone number supplied by a data subject

Answer 92

A

Allows U.S. consumers to place their phone number on a national list, preventing calls from unsolicited telemarketers. This registration is now permanent and can be enforced by the Federal Trade Commission, Federal Communication Commission and state attorneys general with up to a $16,000 fine (book says $40,654 per violation). Cell phones are protected from any unsolicited automatic-dialed calls through other FCC regulations

Answer 93

A

A U.S. federal agency that administers the National Labor Relations Act. The board conducts elections to determine if employees want union representation and investigates and remedies unfair labor practices by employers and unions

Answer 94

A

A category of subpoena. The USA PATRIOT Act expanded the use of national security letters. Separate and sometimes differing statutory provisions now govern access, without a court order, to communication providers, financial institutions, consumer credit agencies, and travel agencies

Answer 95

A

An organization will be liable for damages if it breaches a legal duty to protect personal information and an individual is harmed by that breach

Answer 96

A

Defined by GLBA as personally identifiable financial information:
• Provided by a consumer to a financial institution,
• Resulting from a transaction or service performed for the consumer,
• Otherwise obtained by the financial institution.

Excludes:

(i) publicly available information
(ii) any consumer list that is derived without using personally identifiable financial information

Answer 97

A

First released in 1980, and then updated in 2013, these guidelines represent perhaps the most widely accepted and circulated set of internationally agreed upon privacy principles along with guidance for countries as they develop regulations surrounding cross-border data flows and law-enforcement access to personal data.

The principles, widely emulated in national privacy laws, include Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability (see entries for each principle under their own listing elsewhere in the glossary)

Answer 98

A

Used to distinguish from sectorial laws (see Sectorial Laws), to mean laws that cover a broad spectrum of organizations or natural persons, rather than simply a certain market sector or population

Answer 99

A

Websites or online advertising services that engage in the tracking or analysis of search terms, browser or user profiles, preferences, demographics, online activity, offline activity, location data, etc., and offer advertising based on that tracking

Answer 100

A

One of two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties

Answer 101

A

One of two central concepts of choice. It means an individual’s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, their information will be shared with third parties

Answer 102

A

An international organization that promotes policies designed to achieve the highest sustainable economic growth, employment and a rising standard of living in both member and non-member countries, while contributing to the world economy

Answer 103

A

Contracting business processes, which may include the processing of personal information, to a third party

Answer 104

A

A self-regulatory system that provides an enforceable security standard for payment card data. The rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit card companies. Except for small companies, compliance with the standard requires hiring a third party to conduct security assessments and detect violations. Failure to comply can lead to exclusion from Visa, MasterCard or other major payment card systems, as well as penalties

Answer 105

A

Technologies and processes that are designed to secure an entire network environment by preventing penetration from the outside

Answer 106

A

The predominant term for Personal Information in the European Union, defined broadly in the General Data Protection Regulation as any information relating to an identified or identifiable natural person

Answer 107

A

A synonym for “personal data.” It is a term with particular meaning under the California Consumer Privacy Act, which defines it as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer

Answer 108

A

A device used for the purpose of rendering a diagnostic opinion regarding an individual’s honesty

Answer 109

A

Prohibits employers from requiring or requesting that a prospective or current employee take a lie detector test
Lie detector – polygraphs, voice stress, analyzers, psychology stress evaluators, or any similar device used for the purpose of rendering a diagnostic opinion re: an individual’s honesty
Exceptions: tests are allowed in connection w/ an ongoing investigation (w/ reasonable suspicion) re: economic loss or injury to the employer’s business (e.g. theft, embezzlement, or industrial espionage)

Answer 110

A

The GET and POST HTML method attributes specify how form data is sent to a web page. The POST method is more secure than GET as the GET method appends the form data to the URL allowing passwords and other sensitive information collected in a form to be visible in the browser’s address bar

Answer 111

A

A superior government’s ability to have its law(s) supersede those of an inferior government. For example, the U.S. federal government has mandated that no state government can regulate consumer credit reporting

Answer 112

A

An assessment of an organization’s compliance with its privacy policies and procedures, applicable laws, regulations, service-level agreements, standards adopted by the entity and other contracts. The assessment or audit measures how closely the organization’s practices align with its legal obligations and stated practices and may rely on subjective information such as employee interviews/questionnaires and complaints received, or objective standards, such as information system logs or training and awareness attendance and test scores. Audits and assessments may be conducted internally by an audit function or by external third parties

Answer 113

A

Generally regarded as a synonym for Data Protection by Design (see Data Protection by Design). However, Privacy by Design as a specific term was first outlined in a framework in the mid-1990s by then-Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, with seven foundational principles

Answer 114

A

A statement made to a data subject that describes how an organization collects, uses, retains and discloses personal information. A privacy notice may be referred to as a privacy statement, a fair processing statement or, sometimes, a privacy policy. Numerous global privacy and data protection laws require privacy notices

Answer 115

A

A general term in many organizations for the head of privacy compliance and operations. In the United States federal government, however, it is a more specific term for the official responsible for the coordination and implementation of all privacy and confidentiality efforts within a department or component. This official may be statutorily mandated as a political appointment, as in the Department of Homeland Security, or a career professional

Answer 116

A

An internal statement that governs an organization or entity’s handling of personal information. It is directed at those members of the organization who might handle or make decisions regarding the personal information, instructing them on the collection, use, storage and destruction of the data, as well as any specific rights the data subjects may have. May also be referred to as a data protection policy

Answer 117

A

Establishes U.S. national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically.
Requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
Gives patients’ rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections

Answer 118

A

Unless otherwise restricted by law, any individual that is harmed by a violation of the law can file a lawsuit against the violator

Answer 119

A

Any individually identifiable health information transmitted or maintained in any form or medium that is held by an entity covered by the Health Insurance Portability and Accountability Act or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of healthcare or payment for healthcare to that individual

Answer 120

A

With a protective order, a judge determines what information should not be made public and what conditions apply to who may access the protected information

Answer 121

A

Information collected and maintained by a government entity and available to the general public

Answer 122

A

A U.S. common law tort that states: “One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person and (b) is not of legitimate concern to the public.”

Answer 123

A

Requires that the parties are prohibited from using or disclosing protected health information for any purpose other than the litigation and that the PHI will be returned or destroyed at the end of the litigation

Answer 124

A

Technologies that use radio waves to identify people or objects carrying encoded microchips

Answer 125

A

Substance testing sometimes required by law, prohibited in certain jurisdictions, but acceptable where used on existing employees in specific, narrowly defined jobs, such as those in highly regulated industries where the employee has a severely diminished expectation of privacy or where testing is critical to public safety or national security

Answer 126

A

The action of reattaching identifying characteristics to pseudonymized or de-identified data (see De-identification and Pseudonymization) . Often invoked as a “risk of re-identification” or “re-identification risk,” which refers to nullifying the de-identification actions previously applied to data (see De-identification)

Answer 127

A

A determining factor in substance testing where testing is allowed as a condition of continued employment if there is “reasonable suspicion” of drug or alcohol use based on specific facts as well as rational inferences from those facts; i.e., appearance, behavior, speech, odors

Answer 128

A

An individual’s right to have personal data about them corrected or amended by a business or other organization if it is inaccurate.

Answer 129

A

A regulation created by the FTC under the authority of the Fair and Accurate Credit Transactions Act of 2003. This regulation requires financial institutions and creditors to implement measures to detect and prevent identity theft. The original FTC rule was circumscribed by the Red Flag Program Clarification Act of 2010, which limited the definition of “creditors” to exclude any creditor “that advances funds on the behalf of a person for expenses incidental to a service.” The act in effect allowed lawyers, some doctors and other service type companies to avoid implementing Red Flag credit measures

Answer 130

A

The practice of identifying and removing or blocking information from documents being produced pursuant to a discovery request or as evidence in a court proceeding. Specifically, attorneys are required to redact documents so that no more than the following information is included in court filings: (1) The last four digits of the Social Security number and taxpayer-identification number; (2) the year of the individual’s birth; (3) if the individual is a minor, only the minor’s initials, and (4) the last four digits of the financial account number

Answer 131

A

Within the information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose

Answer 132

A

An individual’s right to request and receive their personal data from a business or other organization

Answer 133

A

A US law, passed in 2002, regulating the transparency of publicly held companies. In particular, public companies must establish a way for the company to confidentially receive and deal with complaints about actual or potential fraud from misappropriation of assets and/or material misstatements in financial reporting from so-called “whistle-blowers.”

Answer 134

A

Programs that require participants to abide by codes of information practices and submit to monitoring to ensure compliance. In return, companies that abide by the terms of the seal program are allowed to display the programs seal on their website

Answer 135

A

A cryptographic key used with a secret key cryptographic algorithm, uniquely associated with one or more entities and which shall not be made public. The use of the term “secret” in this context does not imply a classification level, rather the term implies the need to protect the key from disclosure or substitution

Answer 136

A

An important source of standards and best practices for managing electronic discovery compliance through data retention policies. Regarding email retention, the Sedona Conference offers four key guidelines:

(1) Email retention policies should be administered by interdisciplinary teams composed of participants across a diverse array of business units;
(2) such teams should continually develop their understanding of the policies and practices in place and identify the gaps between policy and practice;
(3) interdisciplinary teams should reach consensus as to policies while looking to industry standards;
(4) technical solutions should meet and parallel the functional requirements of the organization.

Answer 137

A

Refers to stakeholder-based models for ensuring privacy. The term “self-regulation” can refer to any or all of three pieces: legislation, enforcement and adjudication.
• Legislation - who defines privacy rules? For self-regulation, this typically occurs through the privacy policy of a company or other entity, or by an industry association.
• Enforcement - who should initiate an enforcement action? Actions may be brought by data protection authorities, other government agencies, industry code enforcement, or in some cases, the affected individuals.
• Adjudication - who should decide whether an organization has violated a privacy rule. The decision-maker can be an industry association, a government agency or a judicial officer

Answer 138

A

A case recognized as establishing the “knock-and-announce rule,” an important concept relating to privacy in one’s home and Fourth Amendment search and seizure jurisprudence in the U.S.

Answer 139

A

An energy system that manages electricity consumption through continuous monitoring, remote computerization and automation. The traditional electric transmission system required physically sending workers into the field to periodically read customer meters and find where problems existed in the grid. Smart grid operators; however, can remotely monitor and control the use of electricity to each home or business

what eversource and national grid do once a month

Answer 140

A

Unsolicited commercial e-mail

Answer 141

A

• Prohibits false or misleading headers, deceptive subject lines, sending commercial email following a grace period of 10 business days who has not asked to receive future email
• Commercial emails must include clear
and conspicuous (1) notice of the opportunity to opt out along w/ a cost-free mechanism for exercising the opt-out, (2) identification that the message is a commercial message (unless recipient has provided prior affirmative consent to receive email), (3) a valid physical postal address of the sender, (4) a functioning, clearly and conspicuously displayed return email address that allows the recipient to contact sender
• Prohibits “aggravated violations” relating to commercial emails such as (1) address-harvesting and dictionary attacks, (2) automated creation of multiple email accounts and (3) the retransmission of commercial email through unauthorized accounts
• Commercial email containing sexually oriented material must include a warning label (unless the recipient has provided prior affirmative consent to receive the email)

Answer 142

A

As defined in Article 9 of the General Data Protection Regulation, personal information that reveals, for example, racial origin, political opinions or religious or other beliefs, as well as personal data that concerns health or sexual life or criminal convictions is considered to be in a special category and cannot be processed except under specific circumstances

Answer 143

A

The Stored Communications Act was enacted as part of Electronic Communications Privacy Act in 1986 in the United States. It generally prohibits the unauthorized acquisition, alteration or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided

Answer 144

A

A written court order issued in an administrative, civil or criminal action that requires the person named in the subpoena to appear in court in order to testify under oath on a particular matter which is the subject of an investigation, proceeding or lawsuit. A subpoena may also require the production of a paper, document or other object relevant to an investigation, proceeding or lawsuit that discloses personal information

Answer 145

A

A screening to identify drug use. Substance testing can be used in a variety of settings such as preemployment, reasonable suspicion, routine testing, post-accident testing or randomly

Answer 146

A

Scope of the rule covers the disclosure & use of “patient identifying” info by treatment programs for alcohol & substance abuse
Applies to any program that receives federal funding
Must obtain written patient consent before disclosing info subject to the rule
Redisclosing info obtained from a program is prohibited when that info would “identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment

Answer 147

A

Medical emergencies
Scientific research
Audits and evaluations
Communications w/ a qualified service related to info needed by the org to provide services to the program
Crimes on program premises or against program personnel
Child abuse reporting
Court order

Answer 148

A

Most legislation recognizes that data breach notifications involving thousands of impacted data subjects could place an undue financial burden on the organization and therefore allow substitute notification methods. In Connecticut, for example, “Substitute notice shall consist of the following: (A) Electronic mail notice when the person, business or agency has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the website of the person, business or agency if the person maintains one, and (C) notification to major state-wide media, including newspapers, radio and television.”

Answer 149

A

The first enactment of laws limiting unsolicited and automated telemarketing for both telephone and fax communications
Creates a private right of action for those receiving unsolicited faxes, carrying a $500 fine per violation and any damages sustained because of the fax.
Gives rule-making authority to the Federal Communications Commission, allowing it to make further regulations in this area
Prevents faxing without consent from the recipient (this requirement was amended by the Junk Fax Prevention Act of 2005 to not include customers with an existing business relationship) and requires companies to create and honor internal do-not-call registries (in 2003 the National Registry was created by the FTC)

Answer 150

A

One of the four classes of privacy, along with information privacy, bodily privacy and communications privacy. It is concerned with placing limitations on the ability of one to intrude into another individual’s environment. Environment is not limited to the home; it may be defined as the workplace or public space and environmental considerations can be extended to an international level. Invasion into an individual’s territorial privacy typically comes in the form of video surveillance, ID checks and use of similar technology and procedures

Answer 151

A

Taking appropriate measures to provide any information relating to processing to the data subject in a concise, intelligible and easily accessible form, using clear and plain language

Answer 152

A

A U.S. federal agency that oversees “the welfare of the job seekers, wage earners and retirees of the United States by improving their working conditions, advancing their opportunities for profitable employment, protecting their retirement and healthcare benefits, helping employers find workers, strengthening free collective bargaining and tracking changes in employment, prices, and other national economic measurements.”
• To achieve this mission, the dept administers a variety of federal laws such as Fair Labor Standards Act (FLSA), Occupational Safety and Health Act (OSHA) and Employee Retirement Income Security Act (ERISA)

Answer 153

A

Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid

Answer 154

A

A code of fair information practices that contains 5 principles:

(1) There must be no personal data record-keeping systems whose very existence is secret
(2) There must be a way for an individual to find out what information about him is in a record and how it is used
(3) There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent
(4) There must be a way for an individual to correct or amend a record of identifiable information about him
(5) Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data

Answer 155

A

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001 is a broad-ranging act designed to counter-terrorism that expanded U.S. law enforcement authority to surveillance and capturing communications and records. Commonly referred to as the Patriot Act

Answer 156

A

A telecommunications industry term for non-core services (i.e., services beyond voice calls and fax transmissions)
More broadly, the term is used in the service sector to refer to services, which are available at little or no cost, and promote their primary business.
For mobile phones, while technologies like SMS, MMS and GPRS are usually considered value-added services, a distinction may also be made between standard (peer-to-peer) content and premium-charged content. These are called mobile value-added services (MVAS), which are often simply referred to as VAS.

Value-added services are supplied either in-house by the mobile network operator themselves or by a third-party value-added service provider (VASP), aka a content provider (CP) such as Headline News or Reuters. VASPs typically connect to the operator using protocols like short message peer-to-peer protocol (SMPP), connecting either directly to the short message service centre (SMSC) or, increasingly, to a messaging gateway that gives the operator better control of the content

Answer 157

A

Recordings that do not have sound

Answer 158

A

A technology that allows telephone calls to be made over a LAN or the Internet itself. Skype is a well-known example. VoIP poses the same risk as network-connected PBX systems but also poses the additional risk of data interception when such data travel over an unsecured connection. VoIP functionality should be encrypted where possible and equipment monitored with intrusion-detection systems

Answer 159

A

Created by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It is a self-regulating seal program which licenses qualifying certified public accountants.

Answer 160

A

If illegal or improper activity is taking place within an organization, employees may first observe it and report it to individuals with more authority or an agency outside of the organization. In setting up procedures to make it possible for an employee to report such activity, per laws in a variety of jurisdictions that protect the rights of these so-called whistleblowers, an organization will want to be sure that appropriate privacy safeguards are put in place

Brainscape's Knowledge GenomeTM

CIPP / US Glossary Flashcards

Brainscape's Knowledge Genome^TM