CIPP-US Glossary Flashcards

1
Q

This term describes an entry in an ACL that grants or denies a named user or group specific rights on a particular object; its deny form is what prevents unauthorized persons from accessing the object.

A

Access Control Entry (ACE)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
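
The evaluation rule behind the card, as an added example (not code from the glossary or from any particular operating system): a small evaluator with Windows-style DACL semantics, where ACEs are walked in order, an explicit deny that overlaps the request ends the check, allows accumulate, and whatever is left ungranted is implicitly denied. The right bits, principal names and sample ACLs are constructed for the demo.

```python
"""Toy ACL evaluator (added example; not code from the glossary page).

Models the access-check semantics of a Windows-style discretionary ACL: ACEs are
walked in order, the first explicit deny that overlaps the requested rights ends the
check, allow entries accumulate, and anything not granted by the end of the list is
implicitly denied. Right bits, principal names and the sample ACLs are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Right bits (assumption for the demo; real systems use their own access masks).
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8


@dataclass(frozen=True)
class ACE:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group the entry applies to
    rights: int    # bitmask of rights the entry grants or denies


@dataclass
class Subject:
    user: str
    groups: frozenset = field(default_factory=frozenset)

    def matches(self, trustee: str) -> bool:
        return trustee == self.user or trustee in self.groups


def check_access(acl: list[ACE], subject: Subject, requested: int) -> tuple[bool, str]:
    """Return (granted, reason) for `requested` rights against an ordered ACL."""
    if requested == 0:
        return False, "empty request"
    granted = 0
    for i, ace in enumerate(acl):
        if not subject.matches(ace.trustee):
            continue                                   # ACE is for someone else
        if ace.kind == "deny" and ace.rights & requested:
            return False, f"explicit deny by ACE {i} ({ace.trustee})"
        if ace.kind == "allow":
            granted |= ace.rights & requested          # allows accumulate
            if granted == requested:
                return True, f"all requested rights granted by ACE {i} or earlier"
    return False, "implicit deny: no ACE grants the full request"


def is_canonical(acl: list[ACE]) -> bool:
    """True if every explicit deny precedes every allow. In non-canonical order an
    allow reached first can grant rights that a later deny was meant to withhold."""
    seen_allow = False
    for ace in acl:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


def demo() -> dict:
    alice = Subject("alice", frozenset({"staff"}))
    bob = Subject("bob", frozenset({"staff", "contractors"}))   # contractor on the staff list
    canonical = [
        ACE("deny", "contractors", WRITE | DELETE),   # denies first
        ACE("allow", "staff", READ | WRITE),
        ACE("allow", "alice", EXECUTE),
    ]
    misordered = [                                    # same entries, allow listed first
        ACE("allow", "staff", READ | WRITE),
        ACE("deny", "contractors", WRITE | DELETE),
    ]
    return {
        "alice_read_write": check_access(canonical, alice, READ | WRITE)[0],   # True
        "alice_delete": check_access(canonical, alice, DELETE)[0],             # False, implicit deny
        "bob_read": check_access(canonical, bob, READ)[0],                     # True
        "bob_write": check_access(canonical, bob, WRITE)[0],                   # False, explicit deny
        "bob_write_misordered": check_access(misordered, bob, WRITE)[0],       # True: deny never reached
        "misordered_is_canonical": is_canonical(misordered),                   # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `misordered` list is the case worth remembering: the same two entries in the wrong order let the contractor write, because the allow is reached before the deny. That is why tooling that edits ACLs reorders them into canonical form, and why an audit of an ACL should check ordering, not just the presence of a deny entry.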
2
Q

Traditionally, this has been a FIPP: that due diligence and reasonable steps will be undertaken to ensure that personal information is protected and handled consistently with relevant law and other fair use principles.

A

Accountability

3
Q

A transfer of personal data from the EU to a third country or an international organization may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question, ensures an ___________ _____________ of ______________, which involves taking into account elements including the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred.

A

Adequate Level of Protection

4
Q

A transfer of personal data from the EU to a third country or an international organization may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question, ensures an ___________ _____________ of ______________, which involves taking into account elements including the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules.

A

Adequate Level of Protection

5
Q

A transfer of personal data from the EU to a third country or an international organization may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question, ensures an ___________ _____________ of ______________, which involves taking into account elements including the international commitments the third country or international organization concerned has entered into in relation to the protection of personal data.

A

Adequate Level of Protection

6
Q

Under the Fair Credit Reporting Act, the term ___________ _____________ is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion.

A

Adverse Action

7
Q

No _________ ___________ occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient with a copy of the credit report leading to the action.

A

Adverse Action

8
Q

______________________________ is a fair information practice principle included in the OECD Guidelines, APEC Privacy Framework, and Madrid Resolution, and includes the due diligence and reasonable steps an organization undertakes to protect an individual’s personal information and handle the information according to relevant laws and fair use principles.

A

Accountability

9
Q

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.

A

American Institute of Certified Public Accountants (AICPA)

10
Q

A U.S. law that bars discrimination against qualified individuals with disabilities.

A

Americans with Disabilities Act

11
Q

________________ includes the organization’s responsibility to maintain accurate data in relation to the purpose for which it is collected and used, as well as its responsibility to respond to record correction requests from data subjects.

A

Accuracy

12
Q

A set of laws that are indications of special classes of personal data. If there exists laws protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise.

A

Anti-Discrimination Laws

13
Q

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) that mirror the OECD FIPPs. Though based on the OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing privacy with business needs.

A

APEC Privacy Principles

14
Q

Organizations may want to verify an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers.

A

Background Screening / Checks

15
Q

The implementation of appropriate technical and organizational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU GDPR and other frameworks, including APEC’s Cross Border Privacy Rules.

A

Accountability

16
Q

These range from checking a person’s educational background to checking on past criminal activity. Employee consent requirements for such checks vary by member state and may be negotiated with local works councils.

A

Background Screening / Checks

17
Q

A U.S. federal law that requires U.S. financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities.

A

Bank Secrecy Act (BSA)

18
Q

Advertising that is targeted at individuals based on the observation of their behavior over time, most often by automated processing of personal data (profiling). The General Data Protection Regulation gives data subjects the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them, and requires that they be informed of the existence of such processing, of the logic involved and of its significance and envisaged consequences.

A

Behavioral Advertising

aka Online Behavioral Advertising (OBA); Behavioral Targeting

19
Q

If cookies are used to store or access information for the purposes of this type of advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.

A

Behavioral Advertising

aka Online Behavioral Advertising (OBA); Behavioral Targeting

20
Q

An appropriate safeguard allowed by the General Data Protection Regulation to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules.

A

Binding Corporate Rules (BCRs)

21
Q

__________ _________ _______ compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and are approved by a member state data protection authority. To date, relatively few organizations have had these approved.

A

Binding Corporate Rules (BCRs)

22
Q

Previously, the EU distinguished between Binding Corporate Rules for controllers and __________ _________ ___________ ________ for processors. With the General Data Protection Regulation, there is now no distinction made between the two in this context and Binding Corporate Rules are appropriate for both.

A

Binding Safe Processor Rules (BSPRs)

23
Q

What does the acronym AICPA stand for?

A

American Institute of Certified Public Accountants

24
Q

The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary widely by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure.

A

Breach Disclosure

25
Q

Use of employees’ own personal computing devices for work purposes.

A

Bring Your Own Device (BYOD)

26
Q

A California state law that requires employers to notify applicants and employees of their intention to obtain and use a consumer report.

A

California Investigative Consumer Reporting Agencies Act (CICRAA)

27
Q

Principles of law that have been established by judges in past decisions. When similar issues arise again, judges look to the past decisions as precedents and decide the new case in a manner that is consistent with past decisions.

A

Case Law

28
Q

The ____________ Privacy Principles is a set of non-binding principles similar to the OECD FIPPs.

A

APEC

29
Q

Originally an acronym for “closed circuit television,” this term has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and were accessible only on premises. Today, most surveillance systems are carried over TCP/IP networks and can be accessed remotely, and the footage much more easily shared, raising new and different privacy concerns.

A

CCTV

30
Q

The acronym APEC stands for _______________ - ______________ _______________ _____________________.

A

Asia-Pacific Economic Cooperation

31
Q

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13.

A

Children’s Online Privacy Protection Act (COPPA) of 1998

32
Q

This federal law requires website operators to post a privacy notice on the homepage of their website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.

A

Children’s Online Privacy Protection Act (COPPA) of 1998

33
Q

In the context of consent, this refers to the idea that consent must be freely given and that data subjects must genuinely have this to decide as to whether to provide personal data or not. If this is not in place, it is unlikely the consent will be deemed valid under the General Data Protection Regulation.

A

Choice

34
Q

The provision of information technology services over the Internet. These services may be provided by a company for its internal users in a “private cloud” or by third-party suppliers. The services can include software, infrastructure (e.g., servers), hosting and platforms (e.g., operating systems). This technology has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models.

A

Cloud Computing

35
Q

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

A

Collection Limitation

36
Q

Any form of electronic messaging, including e-mail, SMS text messages and messages sent via social networking, about which it would be reasonable to conclude that its purpose is to encourage participation in a commercial activity. Examples include electronic messages that offer to purchase, sell, barter or lease products, goods, services, land or an interest or right in land; that offer to provide a business, investment or gaming opportunity; or that advertise or promote any of the foregoing.

A

Commercial Electronic Message

37
Q

Under Canada’s PIPEDA, this refers to any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition.

A

Commercial Activity

38
Q

Legal principles that are not codified in statutes but have developed over time through court decisions, reflecting social customs and expectations.

A

Common Law

39
Q

One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, e-mail and other forms of communicative behavior and apparatus.

A

Communications Privacy

40
Q

Laws that govern the collection, use and dissemination of personal information in the public and private sectors.

A

Comprehensive Laws (aka Omnibus Laws)

41
Q

The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.

A

Computer Forensics

42
Q

Data should be protected against unauthorized or unlawful processing. The General Data Protection Regulation requires that an organization be able to ensure the ongoing __________, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security.

A

Confidentiality

43
Q

The GDPR requires that persons authorized to process the personal data have committed themselves to, or are under an appropriate statutory obligation of, ______________.

A

Confidentiality

44
Q

An email approach where email marketers send a confirmation email requiring a response from the subscriber before the subscriber receives the actual marketing e-mail.

A

Confirmed Opt-In

aka Double Opt-In

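
The confirmation round trip that a confirmed opt-in depends on, as an added example (not code from the glossary or from any mailing-list product): the subscriber's address stays pending until a link carrying an HMAC-bound token comes back intact and before its expiry, which is what stops a third party from subscribing someone else's address or from confirming it on their behalf. The secret key, addresses and clock values are constructed for the demo.

```python
"""Confirmed (double) opt-in token flow (added example; not code from the page).

The list owner records a pending subscription, e-mails a link carrying a token, and
activates the address only when that token comes back unmodified and unexpired. The
token is an HMAC over the address and its expiry, so a recipient cannot forge a
confirmation for someone else's address or stretch the validity window. The key,
addresses and clock values are constructed for the demo."""
from __future__ import annotations
import base64
import binascii
import hashlib
import hmac
from typing import Optional

SECRET = b"demo-only-key; load from a secret store in production"  # assumption


def _tag(email: str, expires: int) -> str:
    msg = f"{email}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(email: str, now: int, ttl: int = 86400) -> str:
    """Token for the confirmation link: base64(email|expiry|hmac)."""
    email = email.strip().lower()
    expires = now + ttl
    raw = f"{email}|{expires}|{_tag(email, expires)}".encode()
    return base64.urlsafe_b64encode(raw).decode()


def confirm(token: str, now: int) -> Optional[str]:
    """Return the confirmed address, or None if the token is malformed, forged or expired."""
    try:
        email, expires_s, tag = base64.urlsafe_b64decode(token.encode()).decode().split("|")
        expires = int(expires_s)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(tag, _tag(email, expires)):   # constant-time compare
        return None
    if now > expires:
        return None
    return email


class MailingList:
    """Pending addresses receive nothing; only confirmed ones get marketing mail."""

    def __init__(self) -> None:
        self.pending: dict[str, str] = {}
        self.confirmed: set[str] = set()

    def subscribe(self, email: str, now: int) -> str:
        token = issue_token(email, now)
        self.pending[email.strip().lower()] = token
        return token          # goes into the confirmation e-mail, never a marketing message

    def handle_click(self, token: str, now: int) -> bool:
        email = confirm(token, now)
        if email is None or email not in self.pending:
            return False
        self.confirmed.add(email)
        del self.pending[email]   # single use: a second click does nothing
        return True


def demo() -> dict:
    t0 = 1_700_000_000
    ml = MailingList()
    tok = ml.subscribe("Alice@Example.com", t0)
    # What a hostile recipient might try: re-point the token at another address.
    raw = base64.urlsafe_b64decode(tok.encode()).decode()
    forged = base64.urlsafe_b64encode(raw.replace("alice@", "mallory@").encode()).decode()
    return {
        "forged_rejected": not ml.handle_click(forged, t0 + 60),
        "confirmed": ml.handle_click(tok, t0 + 60),
        "replay_ignored": not ml.handle_click(tok, t0 + 120),
        "expired_rejected": confirm(issue_token("bob@example.com", t0), t0 + 86401) is None,
        "members": sorted(ml.confirmed),
    }


if __name__ == "__main__":
    print(demo())
```

The token carries the address in the clear on purpose: nothing in it is secret except the MAC, and binding the MAC to both the address and the expiry is what makes the confirmation link worthless for any other address or after the window closes.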
45
Q

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, this is the individual’s way of giving permission for the use or disclosure. It may be affirmative; i.e., opt-in; or implied; i.e., the individual didn’t opt out.

A

Consent

46
Q

A requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties.

A

Affirmative/Explicit Consent

47
Q

Arises where agreement may reasonably be inferred from the action or inaction of the individual.

A

Implicit Consent

aka Implied Consent

48
Q

A judgment entered by consent of the parties. Typically, the defendant agrees to stop alleged illegal activity and pay a fine, without admitting guilt or wrongdoing. This legal document is approved by a judge and formalizes an agreement reached between a U.S. federal or state agency and an adverse party.

A

Consent Decree

49
Q

Created by the Dodd-Frank Act, this entity is intended to consolidate the oversight of the financial industry.

A

Consumer Financial Protection Bureau (CFPB)

50
Q

An independent entity within the Federal Reserve which took rule-making authority over FCRA and GLBA regulations from the FTC and Financial Industry Regulators.

A

Consumer Financial Protection Bureau (CFPB)

51
Q

This entity’s enforcement powers include authority to take action against “abusive acts and practices” as specified by the Dodd-Frank Act.

A

Consumer Financial Protection Bureau (CFPB)

52
Q

Any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.

A

Consumer Reporting Agency

53
Q

A small text file stored on a client machine that may later be retrieved by a web server from the machine.

A

Cookie

54
Q

Allows web servers to keep track of the end user’s browser activities, and connect individual web requests into a session.

A

Cookie

55
Q

May be used to spare users from having to authenticate again for every password-protected page they access during a session, by recording that they have already supplied their username and password successfully.

A

Cookie

56
Q

A small text file stored on a client machine that may be referred to as “first-party” (if it is placed by the website that is visited) or “third-party” (if it is placed by a party other than the visited website).

A

Cookie

57
Q

A type of cookie that may be deleted when a session ends.

A

Session Cookie

58
Q

A type of cookie that remains on the client machine for a long period of time after the session ends. The GDPR lists “cookie identifiers” among the online identifiers that can make a natural person identifiable, so a cookie of this kind can constitute personal data.

A

Persistent Cookie

59
Q

The informal name for Directive 2009/136/EC, which amended the ePrivacy Directive (2002/58/EC) to require that users consent, after being given clear and comprehensive information, before information such as cookies is stored on or accessed from their device. The GDPR itself contains no cookie-specific provisions; it applies to cookie data where that data is personal data.

A

Cookie Directive

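
The distinctions the cookie cards draw (session versus persistent, first-party versus third-party, and a cookie standing in for a login) can be checked mechanically from the Set-Cookie headers a page receives. The following inspector is an added example, not code from the glossary or from any browser: it parses each header, classifies the cookie, and lists the attributes a reviewer expects on a cookie that carries a session token. The headers, host names and fixed clock are constructed; the registrable-domain check is a deliberate simplification noted in the code.

```python
"""Set-Cookie header inspector (added example; not code from the page).

Parses Set-Cookie response headers (RFC 6265 syntax), decides whether each cookie is
a session or persistent cookie, whether it is first- or third-party relative to the
page being visited, and lists the attributes a reviewer expects on a cookie that
carries a session token. The headers, host names and clock are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)   # lower-cased attribute name -> value or True

    def is_persistent(self) -> bool:
        # RFC 6265 5.3: Max-Age or Expires makes a cookie persistent; without either the
        # user agent discards it when the session ends.
        return "max-age" in self.attrs or "expires" in self.attrs

    def lifetime_seconds(self, now: datetime) -> Optional[int]:
        if "max-age" in self.attrs:                  # Max-Age wins over Expires when both exist
            return int(self.attrs["max-age"])
        if "expires" in self.attrs:
            exp = parsedate_to_datetime(self.attrs["expires"])
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            return int((exp - now).total_seconds())
        return None


def parse_set_cookie(header: str) -> Cookie:
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            cookie.attrs[key.strip().lower()] = val.strip() if val else True
    return cookie


def site(host: str) -> str:
    """Crude registrable domain (last two labels). Demo assumption only: real code
    must use the Public Suffix List, or co.uk-style suffixes are classified wrongly."""
    return ".".join(host.lower().split(".")[-2:])


def party(cookie_host: str, page_host: str) -> str:
    return "first-party" if site(cookie_host) == site(page_host) else "third-party"


def review(cookie: Cookie) -> list[str]:
    """Findings a security reviewer raises for a cookie carrying a session identifier."""
    findings = []
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: sent over plaintext HTTP")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: readable by injected script")
    samesite = cookie.attrs.get("samesite")
    if samesite is None or samesite is True or str(samesite).lower() == "none":
        findings.append("SameSite absent or None: sent on cross-site requests")
    return findings


def inspect_cookies(page_host: str, responses: list[tuple[str, str]], now: datetime) -> list[dict]:
    """responses: (host that sent the header, Set-Cookie header value)."""
    out = []
    for host, header in responses:
        c = parse_set_cookie(header)
        out.append({
            "name": c.name,
            "kind": "persistent" if c.is_persistent() else "session",
            "party": party(host, page_host),
            "lifetime": c.lifetime_seconds(now),
            "findings": review(c),
        })
    return out


# Constructed sample: a shop page that also loads an advertising script.
SAMPLE_RESPONSES = [
    ("shop.example.com", "sid=9f1c2e; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example.com", "remember=tok-44; Max-Age=2592000; Path=/"),
    ("ads.tracker-example.net",
     "uid=u-77; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=ads.tracker-example.net; Secure; SameSite=None"),
]
FIXED_NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)


def demo() -> list[dict]:
    return inspect_cookies("shop.example.com", SAMPLE_RESPONSES, FIXED_NOW)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

On the constructed sample the login cookie `sid` is a clean session cookie, `remember` is a first-party persistent cookie that would let anyone on the wire or any injected script lift the token, and `uid` is the kind of long-lived third-party cookie the behavioral advertising and ePrivacy cards are about.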
60
Q

A consumer-initiated security measure that locks the individual’s credit file at the consumer reporting agencies. It is used to prevent identity theft: with the freeze in place the agencies will not release the file to prospective lenders, so new credit cannot be opened in the consumer’s name until the consumer lifts the freeze.

A

Credit Freeze

61
Q

A customer’s ability to access the personal information collected on them as well as review, correct or delete any incorrect information.

A

Customer Access

62
Q

In contrast to employee information, this type of information includes data relating to the clients of private-sector organizations, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services.

A

Customer Information

63
Q

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. This does not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.

A

Data Breach

64
Q

A scheme that provides the basis for managing access to, and protection of, data assets.

A

Data Classification

65
Q

The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the _____________ or the specific criteria for its nomination may be provided for by EU or member state law.

A

Data Controller

66
Q

A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, a numerical identifier, or location coordinates.

A

Data Element

67
Q

In the context of data protection, it is important to understand that ______ _______ in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data.

A

Data Elements

68
Q

An activity that involves comparing personal data obtained from a variety of sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains.

A

Data Matching

69
Q

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

A

Data Processing

70
Q

A natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing.

A

Data Processor

71
Q

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

A

Data Quality

72
Q

This is judged by four criteria: does it meet the business needs? Is it accurate? Is it complete? Is it recent? It is considered appropriate if these criteria are satisfied for a particular application.

A

Data Quality

73
Q

A natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not. Excludes public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law. However, the processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

A

Data Recipient

74
Q

An identified or identifiable natural person.

A

Data Subject

75
Q

In the context of U.S. federal law, a term associated with corporate entities that mislead or misrepresent products or services to consumers and customers. These practices are regulated in the U.S. by the Federal Trade Commission at the federal level and typically by an attorney general or office of consumer protection at the state level. Law typically provides for both enforcement by the government to stop the practice and individual actions for damages brought by consumers who are hurt by the practices.

A

Deceptive Trade Practices

76
Q

Common law tort that focuses on a false or defamatory statement, defined as a communication tending “so to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.”

A

Defamation

77
Q

The use of log files to identify a website visitor. It is often used for security and system maintenance purposes.

A

Digital Fingerprinting

78
Q

Log files that generally include: the IP address of the visitor; a time stamp; the URL of the requested page or file; a referrer URL, and the visitor’s web browser, operating system and font preferences. In some cases, combining this information can be used to identify a device. This more detailed information varies enough among computing devices that two devices are unlikely to be the same.

A

Digital Fingerprint

79
Q

Used as a security technique by financial institutions and others to trigger additional security assurances before allowing users to log on from a new device. Some privacy enforcement agencies, however, have questioned what would constitute sufficient notice and consent for these techniques to be used for targeted advertising.

A

Digital Fingerprinting

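
The three fingerprinting cards together describe one pipeline: take the attributes in the log that stay constant for a device, drop the ones that change between visits, and use the result to recognise a returning device or to flag an unfamiliar one at login. The following is an added example of that pipeline, not code from the glossary or from any vendor's product; the log lines, their field layout and the host names are constructed for the demo.

```python
"""Device fingerprinting over web-server logs (added example; not code from the page).

Builds a fingerprint from the request attributes the cards list that stay constant
for a device (browser, operating system, language and font preferences) and leaves
out those that change between visits (IP address, timestamp, URL, referrer). It then
applies the fingerprint the way the cards describe: recognising a returning device and
flagging a login from a device not seen before. The log lines and their layout are
constructed for the demo; the field order is an assumption, not a standard format."""
import hashlib
import re
from typing import Optional

# Constructed layout: ip timestamp "method path" "referrer" "user-agent" "accept-language" "fonts"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<req>[^"]*)" "(?P<ref>[^"]*)" '
    r'"(?P<ua>[^"]*)" "(?P<lang>[^"]*)" "(?P<fonts>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.7 2024-05-01T08:00:00Z "POST /login" "https://example.test/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0" "en-US,en;q=0.5" "Arial,Calibri,Segoe UI"
203.0.113.7 2024-05-01T08:00:05Z "GET /account" "https://example.test/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0" "en-US,en;q=0.5" "Arial,Calibri,Segoe UI"
198.51.100.22 2024-05-02T19:12:00Z "POST /login" "https://example.test/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0" "en-US,en;q=0.5" "Arial,Calibri,Segoe UI"
198.51.100.22 2024-05-02T19:13:30Z "POST /login" "https://example.test/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15" "fr-FR,fr;q=0.9" "Helvetica,Geneva,Menlo"
"""
# Line 3 is the device from lines 1-2 connecting from a different network; line 4 is
# a second device sharing that network's address (NAT), so IP alone cannot tell them apart.

STABLE_FIELDS = ("ua", "lang", "fonts")   # what goes into the fingerprint


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:                                  # skip lines that do not fit the layout
            records.append(m.groupdict())
    return records


def fingerprint(rec: dict) -> str:
    """Stable identifier for the device: SHA-256 over the stable fields only."""
    material = "\x1f".join(rec[f] for f in STABLE_FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def summarize(records: list) -> dict:
    return {
        "requests": len(records),
        "distinct_ips": len({r["ip"] for r in records}),
        "distinct_devices": len({fingerprint(r) for r in records}),
    }


def new_device_logins(records: list, known: Optional[set] = None) -> list:
    """Timestamps of login attempts from a fingerprint not seen before, i.e. the
    requests where a site would demand a further factor before letting the user in."""
    known = set(known or ())
    flagged = []
    for r in records:
        fp = fingerprint(r)
        if r["req"] == "POST /login" and fp not in known:
            flagged.append(r["ts"])
        known.add(fp)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print("step-up needed at:", new_device_logins(recs))
```

Two addresses, two devices, but they do not line up: the Windows machine appears from both networks and the Mac shares the second network's address. That mismatch is the whole reason fingerprinting exists, and also why the same hash is useful to an advertiser and a concern to a privacy regulator.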
80
Q

A cryptographic value computed over an electronic document, such as an e-mail, text file, spreadsheet or image file, with the signer’s private key; anyone holding the corresponding public key can check it to establish who signed the document and that it has not been altered. If anything in the document is changed after this is attached, it no longer verifies.

A

Digital Signature

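
The property the card states, as an added example (not code from the glossary or from any library): a document is signed with a private key, verified with the public key, and fails verification after a one-character edit to the document or a one-bit edit to the signature. The scheme is written out as textbook RSA over a SHA-256 digest so it runs with nothing beyond the Python standard library; that makes it a teaching toy, and the lead comment says what a real deployment must use instead. Key sizes and the sample document are constructed.

```python
"""Digital signature demo (added example; not code from the page).

Signs a document with a private key and verifies it with the matching public key,
to show the property the card states: the signature verifies only against the exact
bytes that were signed, so any change to the document, or to the signature, makes
verification fail. The scheme is textbook RSA over a SHA-256 digest, written out so it
runs with no third-party library; it is a teaching toy (no PKCS#1 padding, short keys,
non-constant-time arithmetic). Production code must use a vetted library and scheme
such as RSA-PSS, ECDSA or Ed25519. Key sizes and the documents are constructed."""
from __future__ import annotations
import hashlib
import math
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2             # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                             # composite witness found
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full length
        if is_probable_prime(candidate):
            return candidate


def keygen(bits: int = 1024) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)). 1024 bits keeps the demo quick; it is below the size
    acceptable for real use."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(document: bytes) -> int:
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(private_key: tuple[int, int], document: bytes) -> int:
    n, d = private_key
    return pow(_digest_int(document), d, n)          # toy: digest used directly, no padding


def verify(public_key: tuple[int, int], document: bytes, signature: int) -> bool:
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == _digest_int(document)


def demo() -> dict:
    public, private = keygen()
    doc = b"Invoice #1042: pay 1,000.00 EUR to account DE00 1234"
    sig = sign(private, doc)
    return {
        "original_verifies": verify(public, doc, sig),
        "edited_document_fails": not verify(public, doc.replace(b"1,000.00", b"9,000.00"), sig),
        "edited_signature_fails": not verify(public, doc, sig ^ 1),
    }


if __name__ == "__main__":
    print(demo())
```

Verification needs only the public key, which is what lets a recipient who never shared a secret with the sender still attribute the document and detect the edited amount. Note that the signature says nothing about who the public key belongs to; binding a key to an identity is the job of a certificate or other trust mechanism, not of the signature itself.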
81
Q

When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.

A

Direct Marketing

82
Q

A proposed mechanism, similar to the existing Do-Not-Call Registry in the United States, that would allow consumers to opt out of web-usage tracking. In practice it is expressed as an HTTP header sent by the browser, which websites are not generally required to honor.

A

Do Not Track

83
Q

Grants the FTC authority to create the National Do-Not-Call Registry in the United States. The registry is open to all consumers, allowing them to place their phone numbers on a national list that makes it illegal for telemarketers to make unsolicited calls to those numbers; exemptions include political calls, calls from or on behalf of non-profit organizations, and calls to consumers with whom the caller has an established business relationship.

A

Do-Not-Call Implementation Act of 2003

84
Q

Originally consumers would have to re-register their numbers on the DNC Registry every five years for continued protection, but this act extended registration indefinitely. Violations can be enforced by the FTC, the Federal Communications Commission and state attorneys general, with civil penalties of up to $16,000 per violation at the time (the figure is adjusted periodically for inflation).

A

Do-Not-Call Improvement Act of 2007

85
Q

This act amended the U.S. Do-Not-Call Implementation Act of 2003 to remove the re-registration requirement. Originally registration with the National Do-Not-Call Registry ended after five years, but with this act the registrations became permanent.

A

Do-Not-Call Improvement Act of 2007

86
Q

In 2010 the U.S. Congress passed this act to reorganize and improve financial regulation. Among other reforms it put in place, the act created the Consumer Financial Protection Bureau and granted it rule-making authority over FCRA and GLBA as well as a few other regulations.

A

Dodd-Frank Wall Street Reform and Consumer Protection Act

87
Q

This act is the collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated the Federal Wiretap Act of 1968. The amended act protects wire, oral and electronic communications while those communications are being made, are in transit, and when they are stored on computers.

A

Electronic Communications Privacy Act of 1986

88
Q

This act applies to e-mail, telephone conversations and data stored electronically. The USA PATRIOT Act and subsequent federal enactments have clarified and updated the act in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases.

A

Electronic Communications Privacy Act of 1986

89
Q

Prior to trial, information is typically exchanged between parties and their attorneys. This term refers to the requirement for civil litigants to turn over large volumes of a company’s electronic records in litigation.

A

Electronic Discovery

aka eDiscovery

90
Q

A computer record of an individual’s medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges.

A

Electronic Health Record (EHR)

91
Q

This type of computer record may include a range of data including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats such as age and weight and billing information. Their accessibility and standardization can facilitate large-scale data collection for researchers.

A

Electronic Health Record (EHR)

92
Q

Monitoring through electronic means, e.g., video surveillance, interception of communications, access to stored communications or location-based services.

A

Electronic Surveillance

93
Q

Personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating (1) an employment relationship or (2) a volunteer work relationship between the organization and the individual, but not personal information about the individual that is unrelated to that relationship.

A

Employee Information

94
Q

A type of employment contract that can be terminated by either the employer or the employee at any time for any reason.

A

Employment at Will

95
Q

An independent U.S. federal agency that enforces laws against workplace discrimination. This agency investigates discrimination complaints based on an individual’s race, color, national origin, religion, sex, age, disability or genetic information, and retaliation for reporting and/or opposing a discriminatory practice. It is empowered to file discrimination suits against employers on behalf of alleged victims and to adjudicate claims of discrimination brought against federal agencies.

A

Equal Employment Opportunity Commission

96
Q

An exemption to the Do Not Call (DNC) registry: a marketer may call an individual on the registry if there is a prior or existing relationship formed by a voluntary two-way communication between the marketer and a residential subscriber, with or without an exchange of consideration, on the basis of an inquiry, application, purchase or transaction by the subscriber regarding the marketer’s products or services, and that relationship has not been terminated by either party. Under the FTC’s Telemarketing Sales Rule the exemption lasts 18 months after the last purchase or transaction and three months after an inquiry or application.

A

Established Business Relationship (EBR)

97
Q

This directive (95/46/EC) was replaced by the General Data Protection Regulation in 2018. The Directive was adopted in 1995, became effective in 1998 and was the first EU-wide legislation that protected individuals’ privacy and personal data use.

A

EU Data Protection Directive

98
Q

An agreement between the EU and U.S., invalidated by the Court of Justice of the EU in 2015, that allowed for the legal transfer of personal data between the EU and U.S. in the absence of a comprehensive adequacy decision for the U.S. (see Adequacy). It was replaced by the EU-U.S. Privacy Shield in 2016 (see Privacy Shield).

A

EU-U.S. Safe Harbor Agreement

99
Q

Created in 2016 to replace the invalidated EU-U.S. Safe Harbor agreement, this agreement is an adequacy arrangement that allows the transfer of personal data from the EU to the U.S. for companies participating in the program. Only those companies that fall under the jurisdiction of the U.S. FTC (or the Department of Transportation) may certify to the agreement’s principles and participate, which notably excludes most health care, financial services and non-profit institutions. The Court of Justice of the EU invalidated this framework too, in July 2020 (Schrems II); its successor, the EU-U.S. Data Privacy Framework, received an adequacy decision in 2023.

A

EU-U.S. Privacy Shield

100
Q

The executive body of the European Union. Its main function is to implement the EU’s decisions and policies, along with other functions. It initiates legislation in the EU, proposing initial drafts that are then undertaken by the Parliament and Council of the European Union. It is also responsible for making adequacy determinations with regard to data transfers to third-party countries.

A

European Commission

101
Q

An expansion of the Fair Credit Reporting Act which focuses on consumer access and identity theft prevention. The act mandates that credit reporting agencies allow consumers to obtain a free credit report once every twelve months.

A

Fair and Accurate Credit Transactions Act of 2003 (FACTA, FACT Act)

102
Q

This act allows consumers to request alerts when a creditor suspects identity theft. The Federal Trade Commission (FTC) has authority to promulgate rules to prevent identity theft. The FTC used the authority to create the Red Flags Rule.

A

Fair and Accurate Credit Transactions Act of 2003 (FACTA, FACT Act)

103
Q

One of the oldest U.S. federal privacy laws still in force today. It was enacted in 1970 to mandate accurate and relevant data collection, give consumers the ability to access and correct their information, and limit the use of consumer reports to permissible purposes, such as employment and extension of credit or insurance.

A

Fair Credit Reporting Act (FCRA)

104
Q

The U.S. agency that regulates interstate communications through radio, wire, telecommunications, satellite and cable. This agency has authority that overlaps with the Federal Trade Commission in some areas of privacy law including enforcement and further regulation under the Telephone Consumer Protection Act.

A

Federal Communications Commission (FCC)

105
Q

The U.S.’s primary consumer protection agency. It collects complaints about companies, business practices, identity theft and violations of the other laws it enforces or administers. Importantly, it brings actions under Section 5 of the ____ Act, which prohibits unfair or deceptive acts or practices.

A

Federal Trade Commission (FTC)

106
Q

A corporation that acts as a regulator for brokerage firms and exchange markets. Its primary charge is to make sure that securities exchange markets, such as the New York Stock Exchange, operate fairly and honestly and to protect investors. Although it is a non-governmental regulator, it is ultimately subject to the oversight of the Securities and Exchange Commission along with the rest of the securities industry.

A

Financial Industry Regulatory Authority (FINRA)

107
Q

After the savings and loan crisis of the 1980s, the U.S. Congress passed this law to enable financial regulators to levy penalties of up to $5,000,000 for failure to comply with regulations. These penalties can be levied if a financial institution fails to comply with the information privacy requirements contained in GLBA.

A

Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA)

108
Q

A U.S. federal law that ensures citizen access to federal government agency records. It applies only to federal executive branch records, not to legislative or judicial records. Requests made under this law must be fulfilled unless the records fall within one of nine specific exemptions. Most states have a state-level equivalent which, like the federal law, includes an exemption for personal information so that sensitive data (such as Social Security numbers) is not disclosed.

A

Freedom of Information Act (FOIA)

109
Q

One of the two values of an HTML form’s method attribute, which specifies how form data is sent to the server. This method appends the form data to the URL as name/value pairs in the query string, so passwords and other sensitive values collected in a form appear in the browser’s address bar, history and bookmarks, leak to other sites through the Referer header, and are written to server access logs. It is therefore less suitable than the POST method for sensitive data.

A

GET Method

110
Q

Organized following an OECD recommendation for cooperation among member countries on enforcement of privacy laws, this network is a collection of data protection authorities dedicated to discussing aspects of privacy law enforcement cooperation, the sharing of best practices, development of shared enforcement priorities, and the support of joint enforcement initiatives and awareness campaigns. As of 2018, this network had a membership of 50 countries.

A

Global Privacy Enforcement Network (GPEN)

111
Q

The commonly used name for The Financial Services Modernization Act of 1999. The act re-organized financial services regulation in the U.S. and applies broadly to any company that is “significantly engaged” in financial activities in the U.S.

A

Gramm-Leach-Bliley Act (GLBA)

112
Q

In this act’s privacy provisions, it addresses the handling of non-public personal information, defined broadly to include a consumer’s name and address, and consumers’ interactions with banks, insurers and other financial institutions.

A

Gramm-Leach-Bliley Act (GLBA)

113
Q

This act requires financial institutions to securely store personal financial information, give notice of their policies regarding the sharing of personal financial information, and give consumers the ability to opt out of some sharing of personal financial information.

A

Gramm-Leach-Bliley Act (GLBA)

114
Q

A rule in the United States, promulgated under HITECH, requiring vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.

A

Health Breach Notification Rule

115
Q

Enacted as part of the American Recovery and Reinvestment Act of 2009, this act, among other objectives, further addresses privacy and security issues involving PHI as defined by HIPAA.

A

Health Information Technology for Economic and Clinical Health Act (HITECH Act)

116
Q

This act’s privacy provisions include the introduction of categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties. Its most noteworthy elements elaborate upon breach notifications resulting from the use or disclosure of information that compromises its security or privacy.

A

Health Information Technology for Economic and Clinical Health Act (HITECH Act)

117
Q

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. This act required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations.

A

Health Insurance Portability and Accountability Act (HIPAA)

118
Q

A cycle that recognizes that data has different value, and requires different approaches, as it moves through an organization from collection to deletion. The stages are generally considered to be: Collection, processing, use, disclosure, retention, and destruction.

A

Information Life Cycle

119
Q

One of the four classes of privacy, along with territorial privacy, bodily privacy, and communications privacy. The claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.

A

Information Privacy

120
Q

The protection of information for the purposes of preventing loss, unauthorized access and/or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve confidentiality, integrity and availability of information.

A

Information Security (IS)

121
Q

Creates the Established Business Relationship (EBR) exception to the U.S. Telephone Consumer Protection Act’s ban on fax-based marketing without consent, but requires that all marketing faxes carry instructions on how to opt out of further unsolicited faxes.

A

Junk Fax Prevention Act of 2005 (JFPA)

122
Q

The authority of a court to hear a particular case. Courts must have this over both the parties to the dispute (personal) and the type of dispute (subject matter). The term is also used to denote the geographical area or subject-matter to which such authority applies.

A

Jurisdiction

123
Q

Services that utilize information about location to deliver, in various contexts, a wide array of applications and services, including social networking, gaming and entertainment. Such services typically rely upon GPS, RFID, Wi-Fi or similar technologies in which geolocation is used to identify the real-world geographic location of an object, such as a mobile device or an internet-connected computer terminal.

A

Location-Based Service

124
Q

Information or records obtained, with the consent of the individual to whom it relates, from licensed physicians or medical practitioners, hospitals, clinics or other medical or medically related facilities.

A

Medical Information

125
Q

Under HIPAA, the standard that the level of information that may be disclosed by healthcare providers to third parties is the minimum amount necessary to accomplish the intended purpose.

A

Minimum Necessary Requirement

126
Q

An authentication process that requires more than one verification method, drawn from different factors: something the user knows (a password), something the user has (a device that receives a one-time code, or a hardware token) and/or something the user is (a biometric identifier). Typical combinations are a password plus a biometric, or log-in credentials plus a code sent to a phone number or email address supplied by the data subject. Two methods from the same factor, such as a password and a security question, do not qualify.

A

Multi-Factor Authentication
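An added example, not part of the glossary, showing the two steps of the "password plus a code sent to your phone" flow the card describes. The `MultiFactorLogin` class and its `outbox` stand-in for an SMS or e-mail gateway are hypothetical names introduced here; the code verifies the second factor with a single-use, expiring code, a bounded number of guesses and constant-time comparison, the three controls a practitioner expects around delivered codes.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300     # a delivered code is valid for five minutes
OTP_MAX_ATTEMPTS = 5      # then the code is discarded and must be re-issued
PBKDF2_ROUNDS = 100_000   # first-factor password hashing cost


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class MultiFactorLogin:
    """Two-step login: factor 1 is a password (something you know), factor 2 a
    one-time code delivered out of band (something you have). Delivery is out
    of scope; codes are appended to `outbox` as a stand-in for an SMS/e-mail
    gateway (hypothetical hook, not a real API)."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so expiry can be tested offline
        self._users = {}          # user -> (salt, pbkdf2 digest)
        self._pending = {}        # user -> PendingCode
        self.outbox = []          # (user, code) pairs that would be sent

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._digest(password, salt))

    def begin_login(self, user, password):
        """Factor 1. On success a fresh code is issued. The caller learns only
        True/False, never why, so unknown users are not distinguishable from
        wrong passwords."""
        record = self._users.get(user)
        if record is None:
            return False
        salt, stored = record
        if not hmac.compare_digest(self._digest(password, salt), stored):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = PendingCode(code=code, issued_at=self._clock())
        self.outbox.append((user, code))
        return True

    def complete_login(self, user, submitted):
        """Factor 2. Returns (ok, reason). A code is single-use, expires after
        OTP_TTL_SECONDS and survives at most OTP_MAX_ATTEMPTS guesses."""
        entry = self._pending.get(user)
        if entry is None:
            return False, "no code pending"
        if entry.used:
            return False, "code already used"
        if self._clock() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[user]
            return False, "code expired"
        entry.attempts += 1
        if entry.attempts > OTP_MAX_ATTEMPTS:
            del self._pending[user]
            return False, "too many attempts"
        if not hmac.compare_digest(entry.code.encode(), str(submitted).encode()):
            return False, "wrong code"
        entry.used = True
        return True, "ok"


if __name__ == "__main__":
    mfa = MultiFactorLogin()
    mfa.register("alice", "correct horse battery")
    print("factor 1:", mfa.begin_login("alice", "correct horse battery"))
    _, code = mfa.outbox[-1]          # in production this reaches the phone, not the server log
    print("factor 2:", mfa.complete_login("alice", code))
    print("replay:", mfa.complete_login("alice", code))
```

The attempt counter is the part most often missing in home-grown implementations: a six-digit code with no guess limit falls to roughly a million tries, which an unthrottled API serves in minutes.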

127
Q

Allows U.S. consumers to place their phone number on a national list, preventing calls from unsolicited telemarketers. Registration is now permanent and can be enforced by the FTC, FCC and state attorneys general, with civil penalties of up to $16,000 per violation at the time of writing (a figure the FTC adjusts periodically for inflation). Cell phones are protected from unsolicited autodialed calls through other FCC regulations.

A

National Do-Not-Call Registry (U.S.)

128
Q

A U.S. federal agency that administers the National Labor Relations Act. The board conducts elections to determine if employees want union representation and investigates and remedies unfair labor practices by employers and unions.

A

National Labor Relations Board (NLRB)

129
Q

A category of subpoena. The USA PATRIOT Act expanded the use of them. Separate and sometimes differing statutory provisions now govern access, without a court order, to communication providers, financial institutions, consumer credit agencies and travel agencies.

A

National Security Letter (NSL)

130
Q

A condition under which an organization will be liable for damages if it breaches a legal duty to protect personal information and an individual is harmed by that breach.

A

Negligence

131
Q

This is defined by GLBA as personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution. Excluded from the definition are (i) publicly available information and (ii) any consumer list that is derived without using personally identifiable financial information.

A

Non-Public Personal Information (NPI)

132
Q

First released in 1980, and then updated in 2013, these guidelines represent perhaps the most widely accepted and circulated set of internationally agreed upon privacy principles along with guidance for countries as they develop regulations surrounding cross-border data flows and law-enforcement access to personal data.

A

OECD Guidelines

133
Q

These principles, widely emulated in national privacy laws, include Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability.

A

OECD Guidelines

134
Q

Used, in contrast to sectoral laws, to mean laws that cover a broad spectrum of organizations or natural persons rather than a single market sector or population.

A

Omnibus Laws

135
Q

Websites or online advertising services that engage in the tracking or analysis of search terms, browser or user profiles, preferences, demographics, online activity, offline activity, location data, etc., and offer advertising based on that tracking.

A

Online Behavioral Advertising

136
Q

One of two central concepts of choice. It means an individual makes an active, affirmative indication of choice, e.g., checking a box to signal a desire to share his or her information with third parties.

A

Opt-In

137
Q

One of two central concepts of choice. It means an individual’s lack of action implies that a choice has been made, e.g., unless the individual checks or unchecks a box, their information will be shared with third parties.

A

Opt-Out

138
Q

An international organization that promotes policies designed to achieve the highest sustainable economic growth, employment and a rising standard of living in both member and non-member countries, while contributing to the world economy.

A

Organization for Economic Cooperation and Development (OECD)

139
Q

Contracting business processes, which may include the processing of personal information, to a third party.

A

Outsourcing

140
Q

A self-regulatory system that provides an enforceable security standard for payment card data.

A

PCI Data Security Standard (PCI-DSS)

141
Q

These rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit card companies. Except for small companies, compliance with the standard requires hiring a third party to conduct security assessments and detect violations. Failure to comply can lead to exclusion from Visa, MasterCard or other major payment card systems, as well as penalties.

A

PCI Data Security Standard (PCI-DSS)

142
Q

Technologies and processes that are designed to secure an entire network environment by preventing penetration from the outside.

A

Perimeter Controls

143
Q

The predominant term for Personal Information in the European Union, defined broadly in the GDPR as any information relating to an identified or identifiable natural person.

A

Personal Data

144
Q

A synonym for “personal data.” It is a term with particular meaning under the CCPA, which defines it as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.

A

Personal Information (PI)

145
Q

A device used for the purpose of rendering a diagnostic opinion regarding an individual’s honesty.

A

Polygraph

aka Lie Detector

146
Q

The other value of an HTML form’s method attribute, which specifies how form data is sent to the server. This method carries the form data in the request body rather than appending it to the URL, so passwords and other sensitive values collected in a form do not appear in the browser’s address bar or history, the Referer header or server access logs. It is not encryption: without TLS the body crosses the network in the clear just as a GET query string does.

A

POST Method
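An added example, not part of the glossary, covering both the GET Method and POST Method cards: it builds the same login form submission both ways and shows where the password ends up. The form fields, the action URL and the access-log line are constructed here for illustration; the `build_request` and `access_log_line` helpers are hypothetical names, not browser or server APIs.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample login form submission; not real credentials.
ACTION_URL = "https://login.example.test/session"
FORM_FIELDS = {"username": "alice", "password": "hunter2"}
SECRET_FIELDS = ("password",)


def build_request(method, action, fields):
    """Return (url, headers, body) as a browser would send the form.

    GET  : fields are URL-encoded into the query string of the request URL.
    POST : fields are URL-encoded into the entity body; the URL is untouched.
    """
    encoded = urlencode(fields)
    if method.upper() == "GET":
        return f"{action}?{encoded}", {}, ""
    if method.upper() == "POST":
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "Content-Length": str(len(encoded)),
        }
        return action, headers, encoded
    raise ValueError(f"unsupported form method: {method}")


def access_log_line(method, url, client="203.0.113.7"):
    """Approximate a web server's Common Log Format entry for the request.

    Access logs record the request target (path plus query string) but never
    the request body, which is why GET form data lands on disk and POST form
    data does not. The timestamp is a constructed constant.
    """
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return (f'{client} - - [10/Oct/2023:13:55:36 +0000] '
            f'"{method.upper()} {target} HTTP/1.1" 200 512')


def secrets_exposed_in_url(method, action=ACTION_URL, fields=FORM_FIELDS,
                           secret_fields=SECRET_FIELDS):
    """Names of sensitive fields that the given method places in the URL."""
    url, _, _ = build_request(method, action, fields)
    query = parse_qs(urlsplit(url).query)
    return sorted(name for name in secret_fields if name in query)


def secrets_exposed_in_log(method, action=ACTION_URL, fields=FORM_FIELDS,
                           secret_fields=SECRET_FIELDS):
    """Sensitive values that would be written to the server access log."""
    url, _, _ = build_request(method, action, fields)
    line = access_log_line(method, url)
    return sorted(fields[name] for name in secret_fields if fields[name] in line)


if __name__ == "__main__":
    for method in ("GET", "POST"):
        url, headers, body = build_request(method, ACTION_URL, FORM_FIELDS)
        print(f"{method}: url={url} body={body!r}")
        print("  log:", access_log_line(method, url))
```

Run it and the GET log line carries `password=hunter2` while the POST line shows only `/session`; the body in both cases is the same plaintext bytes, so the method choice limits where the secret is copied, not whether it is encrypted in transit.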

147
Q

A superior government’s ability to have its law(s) supersede those of an inferior government. For example, the U.S. federal Fair Credit Reporting Act preempts state regulation of many aspects of consumer credit reporting.

A

Preemption

148
Q

An assessment of an organization’s compliance with its privacy policies and procedures, applicable laws, regulations, service-level agreements, standards adopted by the entity and other contracts.

A

Privacy Assessment

149
Q

This type of assessment or audit measures how closely the organization’s privacy practices align with its legal obligations and stated practices and may rely on subjective information such as employee interviews/questionnaires and complaints received, or objective standards, such as information system logs or training and awareness attendance and test scores.

A

Privacy Assessment

150
Q

These types of assessments may be conducted internally by an audit function or by external third parties. It is also common in some jurisdictions for the privacy/data protection officer to conduct them. The results of the assessment or audit are documented for management sign-off, and analyzed to develop recommendations for improvement and a remediation plan.

A

Privacy Assessment

151
Q

Resolution of privacy issues and vulnerabilities noted in this type of assessment is monitored to ensure appropriate corrective action is taken on a timely basis. While assessments and audits may be conducted on a regular or scheduled basis, they may also arise ad hoc as the result of a privacy or security event or due to a request from an enforcement authority.

A

Privacy Assessment

152
Q

Generally regarded as a synonym for Data Protection by Design. However, this term was first outlined in a framework in the mid-1990s by then-Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, with seven foundational principles.

A

Privacy by Design (PbD)

153
Q

A statement made to a data subject that describes how an organization collects, uses, retains and discloses personal information. This may be referred to as a privacy statement, a fair processing statement or, sometimes, a privacy policy. Numerous global privacy and data protection laws require these.

A

Privacy Notice

154
Q

A general term in many organizations for the head of privacy compliance and operations. In the U.S. federal government, however, it is a more specific term for the official responsible for the coordination and implementation of all privacy and confidentiality efforts within a department or component. This official may be statutorily mandated as a political appointment, as in the Department of Homeland Security, or a career professional.

A

Privacy Officer

155
Q

An internal statement that governs an organization or entity’s handling of personal information. It is directed at those members of the organization who might handle or make decisions regarding the personal information, instructing them on the collection, use, storage and destruction of the data, as well as any specific rights the data subjects may have. May also be referred to as a data protection policy.

A

Privacy Policy

aka Data Protection Policy

156
Q

Under HIPAA, this rule establishes U.S. national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically.

A

Privacy Rule

157
Q

Under HIPAA, this rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.

A

Privacy Rule

158
Q

Unless otherwise restricted by law, this term describes the action that can be taken by any individual that is harmed by a violation of the law by filing a lawsuit against the violator.

A

Private Right of Action

159
Q

Any individually identifiable health information transmitted or maintained in any form or medium that is held by an entity covered by HIPAA or its business associate; that identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of healthcare or payment for healthcare to that individual.

A

Protected Health Information (PHI)

160
Q

A type of order in which a judge determines what information should not be made public and what conditions apply to who may access the protected information.

A

Protective Order

161
Q

Information collected and maintained by a government entity and available to the general public.

A

Public Records

162
Q

A U.S. common law tort that states: “One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person and (b) is not of legitimate concern to the public.” (Restatement (Second) of Torts § 652D)

A

Publicity Given to Private Life

163
Q

Requires that the parties are prohibited from using or disclosing protected health information for any purpose other than the litigation and that the PHI will be returned or destroyed at the end of the litigation.

A

Qualified Protective Order (QPO)

164
Q

Technologies that use radio waves to identify people or objects carrying encoded microchips.

A

Radio-Frequency Identification (RFID)

165
Q

This type of testing is sometimes required by law, prohibited in certain jurisdictions, but acceptable where used on existing employees in specific, narrowly defined jobs, such as those in highly regulated industries where the employee has a severely diminished expectation of privacy or where testing is critical to public safety or national security.

A

Random Testing

aka Substance Testing

166
Q

The action of reattaching identifying characteristics to pseudonymized or de-identified data. Often invoked as a “risk of ___________” or “_____________ risk,” which refers to nullifying the de-identification actions previously applied to data.

A

Re-identification
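An added example, not part of the glossary, of the linkage attack behind "re-identification risk": a de-identified medical extract is joined to a public dataset on the quasi-identifiers ZIP code, date of birth and sex. Both tables are constructed here with invented people; the `reidentify`, `k_anonymity` and `generalize` helpers are hypothetical names for illustration. It goes one step beyond the card by also measuring k-anonymity before and after generalizing the quasi-identifiers.

```python
from collections import defaultdict

# Constructed sample tables; the people and diagnoses are invented.
# A "de-identified" medical extract: names removed, quasi-identifiers intact.
DEIDENTIFIED_RECORDS = [
    {"zip": "02138", "dob": "1960-07-15", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02140", "dob": "1960-09-01", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1975-03-02", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1975-03-02", "sex": "F", "diagnosis": "migraine"},
]
# A public dataset carrying names alongside the same quasi-identifiers
# (a voter roll is the classic source).
PUBLIC_RECORDS = [
    {"name": "A. Doe", "zip": "02138", "dob": "1960-07-15", "sex": "F"},
    {"name": "B. Roe", "zip": "02140", "dob": "1960-09-01", "sex": "F"},
    {"name": "C. Poe", "zip": "02139", "dob": "1975-03-02", "sex": "F"},
    {"name": "D. Moe", "zip": "02139", "dob": "1975-03-02", "sex": "F"},
    {"name": "E. Voe", "zip": "02140", "dob": "1988-11-30", "sex": "M"},
]
QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def qi_key(record, fields=QUASI_IDENTIFIERS):
    return tuple(record[f] for f in fields)


def equivalence_classes(records, fields=QUASI_IDENTIFIERS):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for record in records:
        classes[qi_key(record, fields)].append(record)
    return classes


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class. k == 1 means at least one
    record is unique on its quasi-identifiers and therefore linkable."""
    return min(len(rows) for rows in equivalence_classes(records, fields).values())


def reidentify(deidentified, public, fields=QUASI_IDENTIFIERS):
    """Linkage attack: join the two tables on the quasi-identifiers.

    A de-identified record is unambiguously re-identified when its
    quasi-identifier combination occurs exactly once in BOTH tables.
    Returns {name: diagnosis}.
    """
    deid_classes = equivalence_classes(deidentified, fields)
    pub_classes = equivalence_classes(public, fields)
    found = {}
    for key, deid_rows in deid_classes.items():
        pub_rows = pub_classes.get(key, [])
        if len(deid_rows) == 1 and len(pub_rows) == 1:
            found[pub_rows[0]["name"]] = deid_rows[0]["diagnosis"]
    return found


def candidate_attributes(deidentified, public, fields=QUASI_IDENTIFIERS):
    """Weaker but still harmful disclosure: for each named person whose
    quasi-identifiers match a class, the set of diagnoses in that class.
    A one-element set discloses the attribute without a row-level match."""
    deid_classes = equivalence_classes(deidentified, fields)
    return {
        row["name"]: sorted({r["diagnosis"] for r in deid_classes[qi_key(row, fields)]})
        for row in public
        if qi_key(row, fields) in deid_classes
    }


def generalize(record):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    coarse = dict(record)
    coarse["zip"] = record["zip"][:3]
    coarse["dob"] = record["dob"][:4]
    return coarse


if __name__ == "__main__":
    print("k =", k_anonymity(DEIDENTIFIED_RECORDS),
          "re-identified:", reidentify(DEIDENTIFIED_RECORDS, PUBLIC_RECORDS))
    gen_deid = [generalize(r) for r in DEIDENTIFIED_RECORDS]
    gen_pub = [generalize(r) for r in PUBLIC_RECORDS]
    print("after generalization k =", k_anonymity(gen_deid),
          "re-identified:", reidentify(gen_deid, gen_pub))
    print("candidate diagnoses:", candidate_attributes(gen_deid, gen_pub))
```

With the exact quasi-identifiers the extract is 1-anonymous and two people are named outright. After generalization every class has two members and the row-level join fails, but `candidate_attributes` still narrows each person to two diagnoses; a class whose members all share one diagnosis would leak it regardless of k, which is why k-anonymity is a floor, not a guarantee.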

167
Q

A determining factor in substance testing where testing is allowed as a condition of continued employment if there is “___________ ___________” of drug or alcohol use based on specific facts as well as rational inferences from those facts; i.e., appearance, behavior, speech, odors.

A

Reasonable Suspicion

168
Q

An individual’s right to have personal data about them corrected or amended by a business or other organization if it is inaccurate.

A

Rectification

169
Q

A regulation created by the FTC under the authority of the FACTA of 2003. This regulation requires financial institutions and creditors to implement measures to detect and prevent identity theft. The original FTC rule was circumscribed by the Red Flag Program Clarification Act of 2010, which limited the definition of “creditors” to exclude any creditor “that advances funds on the behalf of a person for expenses incidental to a service.” The act in effect allowed lawyers, some doctors and other service type companies to avoid implementing Red Flag credit measures.

A

Red Flags Rule

170
Q

The practice of identifying and removing or blocking information from documents being produced pursuant to a discovery request or as evidence in a court proceeding.

A

Redaction

171
Q

Under Federal Rule of Civil Procedure 5.2 (and the parallel criminal, bankruptcy and appellate rules), attorneys must perform this process on court filings so that no more than the following is included: (1) the last four digits of a Social Security number or taxpayer-identification number; (2) the year of an individual’s birth; (3) if the individual is a minor, only the minor’s initials; and (4) the last four digits of a financial account number.

A

Redaction
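An added example, not part of the glossary, that applies the four court-filing redaction limits from the card to a constructed paragraph of filing text: Social Security and taxpayer numbers to their last four digits, dates of birth to the year, a named minor to initials, account numbers to their last four digits. The sample filing, the regular expressions and the `redact_filing` and `verify_redacted` helpers are all introduced here for illustration.

```python
import re

# Constructed sample filing text; every name and number is invented.
SAMPLE_FILING = (
    "Plaintiff John Q. Public (SSN 123-45-6789, DOB 05/14/1982) and his "
    "daughter Jane Q. Public, a minor, DOB 03/02/2015, seek recovery of "
    "funds from Account No. 4111222233334444 at First Example Bank. "
    "Taxpayer ID 98-7654321 was used on the filing."
)

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")              # 123-45-6789
EIN_RE = re.compile(r"\b(\d{2})-(\d{7})\b")                      # 98-7654321
DOB_RE = re.compile(r"(?i)\b(DOB|date of birth|born)(\W{1,3})(\d{1,2})/(\d{1,2})/(\d{4})\b")
ACCT_RE = re.compile(r"(?i)\b(acct\.?|account)(\s*(?:no\.?|number|#|:)?\s*)(\d{8,19})\b")
LONG_DIGITS_RE = re.compile(r"\b\d{8,19}\b")


def mask_keep_last4(digits):
    return "X" * (len(digits) - 4) + digits[-4:]


def redact_ssn(text):
    return SSN_RE.sub(lambda m: "XXX-XX-" + m.group(3), text)


def redact_tin(text):
    return EIN_RE.sub(lambda m: "XX-XXX" + m.group(2)[-4:], text)


def redact_dob(text):
    # keep the label and the year only
    return DOB_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(5)}", text)


def redact_account(text):
    return ACCT_RE.sub(lambda m: m.group(1) + m.group(2) + mask_keep_last4(m.group(3)), text)


def initials(name):
    parts = [p for p in re.split(r"\s+", name.strip()) if p]
    return "".join(p[0].upper() + "." for p in parts)


def redact_minor_names(text, minors):
    # Minors cannot be detected from text alone; the filer supplies the names.
    for name in minors:
        text = re.sub(re.escape(name), initials(name), text)
    return text


def redact_filing(text, minors=()):
    for step in (redact_ssn, redact_tin, redact_dob, redact_account):
        text = step(text)
    return redact_minor_names(text, minors)


def verify_redacted(text):
    """Post-redaction check: any full SSN, TIN or long digit run left behind."""
    leftovers = []
    for pattern in (SSN_RE, EIN_RE, LONG_DIGITS_RE):
        leftovers.extend(m.group(0) for m in pattern.finditer(text))
    return leftovers


if __name__ == "__main__":
    redacted = redact_filing(SAMPLE_FILING, minors=("Jane Q. Public",))
    print(redacted)
    print("unredacted identifiers remaining:", verify_redacted(redacted))
```

Two caveats a filer should keep in mind: pattern matching only finds what the patterns describe (a date of birth written as "May 14, 1982" is not caught here), so `verify_redacted` is a check on known formats rather than proof of completeness; and redacting an extracted text layer is not the same as redacting the PDF, where the original content must be removed rather than covered by a black box.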

172
Q

Within the information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose.

A

Retention

173
Q

An individual’s right to request and receive their personal data from a business or other organization.

A

Right of Access

174
Q

A U.S. law, passed in 2002, regulating the transparency of publicly held companies. In particular, public companies must establish a way for the company to confidentially receive and deal with complaints about actual or potential fraud from misappropriation of assets and/or material misstatements in financial reporting from so-called “whistle-blowers.”

A

Sarbanes-Oxley Act (SOX)

175
Q

Programs that require participants to abide by codes of information practices and submit to monitoring to ensure compliance. In return, companies that abide by the terms of this type of program are allowed to display the program’s seal on their website.

A

Seal Program

176
Q

A cryptographic key used with a cryptographic algorithm, uniquely associated with one or more entities and which is not made public. This term is not used to indicate the level of classification for the information, but rather implies the need to protect the mechanism from disclosure or substitution.

A

Secret Key

see Federal Information Processing Standards Publication 140-1, Security Requirements for Cryptographic Modules

177
Q

An important source of standards and best practices for managing electronic discovery compliance through data retention policies, implemented through a cross-functional team.

A

Sedona Conference

178
Q

This source of standards offers four key guidelines for email retention:

  1. Email retention policies should be administered by interdisciplinary teams composed of participants across a diverse array of business units;
  2. The teams should continually develop their understanding of the policies and practices in place and identify the gaps between policy and practice;
  3. Interdisciplinary teams should reach consensus as to policies while looking to industry standards;
  4. Technical solutions should meet and parallel the functional requirements of the organization.
A

Sedona Conference

179
Q

This refers to stakeholder-based models for ensuring privacy. It can refer to any or all of three pieces: legislation, enforcement and adjudication.

A

Self-Regulation Model

180
Q

In this type of model, legislation refers to question of who defines privacy rules. This typically occurs through the privacy policy of a company or other entity, or by an industry association.

A

Self-Regulation Model

181
Q

In this type of model, enforcement refers to the question of who should initiate enforcement action. Actions may be brought by data protection authorities, other government agencies, industry code enforcement or, in some cases, the affected individuals.

A

Self-Regulation Model

182
Q

In this type of model, adjudication refers to the question of who should decide whether an organization has violated a privacy rule. The decision maker can be an industry association, a government agency or a judicial officer.

A

Self-Regulation Model

183
Q

The term “________-________” covers a broad range of institutional arrangements. For a clear understanding of data privacy responsibilities, privacy professionals should consider who defines the requirements, which organization brings enforcement action and who actually makes the judicial decisions.

A

Self-Regulation

184
Q

A case recognized as establishing the “knock-and-announce rule,” an important concept relating to privacy in one’s home and Fourth Amendment search and seizure jurisprudence in the U.S.

A

Semayne’s Case

185
Q

Unsolicited commercial e-mail.

A

SPAM

186
Q

Under Article 9 of the GDPR, personal data that reveals, for example, racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data used for unique identification and data concerning health, sex life or sexual orientation, cannot be processed except under specific circumstances. (Data relating to criminal convictions and offences is governed separately, by Article 10.)

A

Special Categories of Data

187
Q

The model contractual clauses approved by the European Commission under the EU Data Protection Directive (and carried forward under the GDPR) as a mechanism for lawful transfers of personal data to third countries are known as __________ _____________ ____________.

A

Standard Model Clauses

188
Q

This act was enacted as part of Electronic Communications Privacy Act in 1986 in the U.S. It generally prohibits the unauthorized acquisition, alteration or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided.

A

Stored Communications Act (SCA)

189
Q

A written court order issued in an administrative, civil or criminal action that requires the person named in the order to appear in court to testify under oath on a particular matter which is the subject of an investigation, proceeding or lawsuit.

A

Subpoena

190
Q

A written court order that may require the production of a paper, document or other object relevant to an investigation, proceeding or lawsuit that discloses personal information.

A

Subpoena

191
Q

A screening to identify drug use, which can be used in a variety of settings such as preemployment, reasonable suspicion, routine testing, post-accident testing or randomly.

A

Substance Testing

192
Q

Most legislation recognizes that data breach notifications involving thousands of impacted data subjects could place an undue financial burden on the organization and therefore often allow this type of notification method.

A

Substitute Notice

193
Q

A type of notice, which in the state of Connecticut “shall consist of the following: (A) Electronic mail notice when the person, business or agency has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the website of the person, business or agency if the person maintains one, and (C) notification to major state-wide media, including newspapers, radio and television.”

A

Substitute Notice

194
Q

The first enactment of laws limiting unsolicited and automated telemarketing for both telephone and fax communications. Most notably, the act creates a private right of action for those receiving unsolicited faxes, carrying a $500 fine per violation and any damages sustained because of the fax.

A

Telephone Consumer Protection Act of 1991 (TCPA)

195
Q

This act gives rule-making authority to the Federal Communications Commission, allowing it to make further regulations in the area of automated telemarketing for both telephone and fax communications. Among other provisions, the act prevents faxing without consent from the recipient (this requirement was amended by the Junk Fax Prevention Act of 2005 to not include customers with an existing business relationship) and requires companies to create and honor internal do-not-call registries (in 2003 the National Registry was created by the Federal Trade Commission).

A

Telephone Consumer Protection Act of 1991 (TCPA)

196
Q

One of the four classes of privacy, along with information privacy, bodily privacy and communications privacy. It is concerned with placing limitations on the ability of one to intrude into another individual’s environment. Environment is not limited to the home; it may be defined as the workplace or public space and environmental considerations can be extended to an international level. Invasion into this type of an individual’s privacy typically comes in the form of video surveillance, ID checks and use of similar technology and procedures.

A

Territorial Privacy

197
Q

The movement of personal data from one organization to another.

A

Transfer

198
Q

This term relates to taking appropriate measures to provide any information relating to processing to the data subject in a concise, intelligible and easily accessible form, using clear and plain language.

A

Transparency

199
Q

A U.S. federal agency that oversees “the welfare of the job seekers, wage earners and retirees of the U.S. by improving their working conditions, advancing their opportunities for profitable employment, protecting their retirement and healthcare benefits, helping employers find workers, strengthening free collective bargaining and tracking changes in employment, prices and other national economic measurements.” To achieve this mission, the department administers a variety of federal laws including, but not limited to, the Fair Labor Standards Act (FLSA), the Occupational Safety and Health Act (OSHA) and the Employee Retirement Income Security Act (ERISA).

A

U.S. Department of Labor (DOL)

200
Q

Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid.

A

Unfair Trade Practices

201
Q

A code of fair information practices that contains five principles:

  1. There must be no personal data record keeping systems whose very existence is secret.
  2. There must be a way for an individual to find out what information about him (or her) is in a record and how it is used.
  3. There must be a way for an individual to prevent information about him (or her) that was obtained for one purpose from being used or made available for other purposes without his (or her) consent.
  4. There must be a way for an individual to correct or amend a record of identifiable information about him (or her).
  5. Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

A

U.S. Department of Health, Education and Welfare Fair Information Practice Principles (1973)

aka HEW Principles; HEW Report

202
Q

A broad-ranging act designed to counter terrorism that expanded U.S. law enforcement authority over surveillance and the capture of communications and records.

A

USA PATRIOT Act
aka ‘The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001’

203
Q

A telecommunications industry term for non-core services; i.e., services beyond voice calls and fax transmissions. More broadly, the term is used in the service sector to refer to services that are available at little or no cost and that promote the provider's primary business.

A

Value-Added Services

204
Q

For mobile phones, technologies like SMS, MMS and GPRS.

A

Value-Added Services

205
Q

Premium-charged mobile phone content, which is supplied either in-house by the mobile network operator itself or by a third-party service provider (also known as a content provider), such as Headline News or Reuters.

A

Value-Added Services

related to: Mobile Value-Added Services (MVAS); Value-Added Service Provider (VASP); and Content Provider (CP)

206
Q

These types of technologies typically connect to the operator using protocols like short message peer-to-peer protocol (SMPP), connecting either directly to the short message service center (SMSC) or, increasingly, to a messaging gateway that gives the operator better control of the content.

A

Value-Added Service Providers

207
Q

Recordings that do not have sound.

A

Video Surveillance

208
Q

A technology that allows telephone calls to be made over a LAN or the Internet itself. Skype is a well-known example. This technology poses the same risk as network-connected PBX systems but also poses the additional risk of data interception when such data travel over an unsecured connection. Its functionality should be encrypted where possible and equipment monitored with intrusion-detection systems.

A

Voice Over Internet Protocol (VoIP)

209
Q

Created by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It is a self-regulating seal program which licenses qualifying certified public accountants.

A

WebTrust

210
Q

If an illegal or improper activity is taking place within an organization, the process of employees first observing it and reporting it to individuals with more authority or an agency outside of the organization. In setting up procedures to make it possible for an employee to report such activity, per laws in a variety of jurisdictions that protect the rights of the employees, an organization will want to be sure that appropriate privacy safeguards are put in place.

A

Whistleblowing

211
Q

The most widely used form of targeted advertising on the internet. The content of the ad relies on the content of the webpage or the query entered by a user.

A

Contextual Advertising

212
Q

A trend in the adoption of information technology where the technology emerges first in the consumer market before spreading to business and government organizations. The adoption of technology within organizations is driven by employees using consumer devices at home and then introducing them into the workplace.

A

Consumerization of Information Technology (COIT)

213
Q

A Canadian act with two goals: (1) to instill trust in electronic commerce and private sector transactions for citizens, and (2) to establish a level playing field where the same marketplace rules apply to all businesses.

A

Personal Information Protection and Electronic Documents Act (PIPEDA)