CIPP / US outline Flashcards

1
Q

Where, how, and for what length of time is the data stored?

A

Limited retention reduces the risk from data breach - no breach will occur once the data is removed from the system

2
Q

How sensitive is the information?

A

- Confidential, proprietary - property of the organization
- Sensitive, restricted - available to a select few
- Public - generally available

3
Q

Should the information be encrypted?

A

Generally, no notice is required if the lost PI is sufficiently encrypted or protected by some other effective technical protection

4
Q

Will the info be transferred to or from other countries, and if so, how will it be transferred?

A

The organization should familiarize itself with the privacy requirements of both the origination and destination countries for transborder data

5
Q

Who determines the rules that apply to the information?

A

1) Controller - entity who determines the purposes and means of the processing of personal data
2) Processor - entity that processes personal data on behalf of the controller
3) Business - think HIPAA

6
Q

How is the info processed, and how will these processes be maintained?

A

- Steps should be taken to train the staff members involved in the processes, and the computers on which the info will be processed should be secured appropriately to minimize the risk of a data leak or breach
- Physical transfer of data should also be secured

7
Q

Is the use of such data dependent upon other systems?

A

- If the use of personal data depends on the working condition of other systems, the condition of those systems must also be evaluated and updated if necessary
- An outdated system may call for developing a new method or program for using the relevant data

8
Q

Classes or categories of privacy

A

1) Information privacy – established rules that govern the collection and handling of personal information
2) Bodily privacy – a person’s physical being and any invasion thereof, e.g. genetic testing, drug testing or body cavity searches
3) Territorial privacy – placing limits on the ability to intrude into another individual’s environment. Environment is not limited to the home; it may be defined as the workplace or public space. Invasion into an individual’s territorial privacy typically takes the form of monitoring such as video surveillance
4) Communications privacy – protection of the means of correspondence, including postal mail, telephone conversations, email, and other forms of communicative behavior and apparatus

9
Q

Consent decree

A

• A judgement entered by consent of the parties
• Typically, the (D) agrees to stop the alleged illegal activity and pay a fine, w/o admitting guilt or wrongdoing
• This legal document is approved by a judge and formalizes an agreement reached between a U.S. federal or state agency and an adverse party
• Consent decrees are posted publicly on the FTC’s website, and the details of these decrees provide guidance about what practices the FTC considers inappropriate

10
Q

Protected health information (PHI)

A

Any individually identifiable health info that is: transmitted or maintained in any form or medium; held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of health care, or payment for health care to that individual

11
Q

Electronic protected health info (ePHI)

A

Any PHI that is transmitted or maintained in electronic media

12
Q

Business associate

A

Any person or organization, other than a member of a covered entity’s workforce, that performs services or activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI

13
Q

Under the Fair Credit Reporting Act, employee investigations are not treated as consumer reports as long as

A

1) The employer or its agents comply w/ the procedure set forth in the act
2) No credit info is used
3) A summary describing the nature and scope of the inquiry is provided to the employee if an adverse action is taken based on the investigation

14
Q

Under the Fair Credit Reporting Act, medical information

A

• Limits the use of medical info obtained from CRAs, other than payment info that appears in a coded form and does not identify the medical provider
• If the report is to be used for employment purposes – or in connection with a credit transaction, except as provided in regulations issued by the banking and credit union regulators – the consumer must provide specific written consent and the medical info must be relevant

15
Q

Red Flag Rule

A

• Required agencies that regulate financial entities to develop a set of rules to mandate the detection, prevention and mitigation of identity theft
• Eliminates entities that extend credit only “for expenses incidental to a service”
• Authorizes regulations that apply the rule to businesses whose accounts should be “subject to a reasonably foreseeable risk of identity theft”

16
Q

Gramm-Leach-Bliley Act (GLBA)

A

• Eliminated legal barriers to affiliations among banks, securities firms, insurance companies and other financial service companies
• Re-organized financial services regulation in the United States and applies broadly to any company that is “significantly engaged” in financial activities in the U.S.
• Addresses the handling of non-public personal information, defined broadly to include a consumer’s name and address, and consumers’ interactions with banks, insurers and other financial institutions.
• Requires financial institutions to securely store personal financial information:
(1) give notice of their policies regarding the sharing of personal financial information, and
(2) give consumers the ability to opt-out of some sharing of personal financial information.

17
Q

U.S. Bancorp / MemberWorks

A

• Focused popular and regulatory attention on the prevalence of data-sharing relationships between banks and 3rd-party marketers
• The suit resulted in a $3 million settlement for allegations that the bank had sent detailed customer information to the telemarketing firm, including account numbers and related information that enabled the marketer to directly withdraw funds from the customer account

18
Q

GLBA Privacy Rule

A

• A financial institution must provide initial and annual privacy notices to consumers on 9 categories of info and must process opt-outs within 30 days
• The privacy notice itself must be a clear, conspicuous and accurate statement of the company’s privacy practices and must include:
(1) Info the financial institution collects about its consumers and customers
(2) With whom it shares the info
(3) How it protects or safeguards the info
(4) An explanation of how a consumer may opt out of having his info shared

19
Q

GLBA Safeguards Rule

A

• Requires financial institutions to develop and implement a comprehensive “information security program” (a program that contains administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information)
• The administrative, technical and physical safeguards must be reasonably designed to:
(1) ensure the security and confidentiality of customer info,
(2) protect against any anticipated threats or hazards to the security or integrity of info,
(3) protect against unauthorized access to or use of the info that could result in substantial harm or inconvenience to any customer

20
Q

No Child Left Behind Act of 2001

A

• Limits the collection and disclosure of student information
• The Protection of Pupil Rights Amendment (PPRA) now requires schools to:
(1) Enact policies re: collection, disclosure or use of personal info about students for commercial purposes
(2) Allow parents to access and inspect surveys and other commercial instruments before they are administered to students
(3) Provide advance notice to parents about the approx. date when these activities are scheduled
(4) Provide parents the right to opt out of surveys or other sharing of info for commercial purposes

21
Q

The Wireless Domain Registry

A
  • To help senders of commercial messages determine whether those messages might be MSCMs (rather than regular commercial email)
  • Senders are responsible for obtaining this list and ensuring that the appropriate authorizations exist before sending commercial messages to address within the domains
22
Q

Wiretap Act and the Electronic Communications Privacy Act (ECPA)

A

Generally strict in prohibiting the interception of wire communications, such as telephone calls or sound recordings from video cameras; oral communications, such as hidden bugs or microphones; and electronic communications, such as emails

23
Q

Olmstead v. U.S.

A

The Court held that no warrant was required for wiretaps conducted on telephone company wires outside of the suspect’s building

24
Q

Katz v. U.S.

A

• What a person knowingly exposes to the public, even in his own home or office, is not subject to 4th Amendment protection
• But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected

25
Q

Foreign Intelligence Surveillance Act (FISA) of 1978

A

• Telephone companies and other communications providers can face especially complex rules about when and in what way they are permitted or required to provide info to the gov’t
• Establishes standards and procedures for electronic surveillance that collects “foreign intelligence” within the U.S. FISA orders can issue when foreign intelligence gathering is a “significant purpose” of the investigation
• Orders issue from a special court of federal district court judges, the Foreign Intelligence Surveillance Court (FISC)
• Authorizes pen register and trap and trace orders and orders for video surveillance

26
Q

Gateway Case

A

Gateway’s privacy policy stated it would not sell, rent, or loan PI without explicit consent. If the practice changed, the policy stated Gateway would provide customers an opportunity to opt out. Gateway started renting PI to third parties without providing the opt-out

27
Q

BJ’s Wholesale Club Case

A

BJ’s failed to encrypt PI and secure its wireless networks to prevent unauthorized access. Hundreds of customers’ identities were stolen. Established that failing to implement basic security controls to protect PI is an unfair trade practice

28
Q

What were the facts of the Lilly Case?

A

An employee accidentally sent an email to ALL users with all personal emails viewable. This was unreasonable handling of PI. No fine, but consent decree.

29
Q

FTC has regulatory authority over

A

COPPA, FCC, Telemarketing Sales Rule, CAN-SPAM Act, Health and Human Services (HIPAA stuff), and FCRA

30
Q

FCC

A

Federal Communications Commission - Federal financial institution regulators

31
Q

HHS

A

Health and Human Services

  • OCR: Office of Civil Rights
  • CMS - Center for Medicare and Medicaid services

promulgated regulations to protect the PRIVACY and SECURITY of health info for HIPAA

32
Q

DOT

A

Department of Transportation

33
Q

FTC enforcement process

A
  1. Claim (press report or consumer complaint)
  2. If minor - mutual resolution between FTC and respondent
  3. If significant or a pattern - investigation
  4. If violation: admin trial w/ civil penalties if found, OR consent decree (up to $16,000 per violation but no admission of wrongdoing), and federal district court if violation
34
Q

3 criteria for unfair trade practices

A
  1. Substantial Injury
  2. w/o offsetting benefits
  3. Consumers could not reasonably avoid.
35
Q

What are the facts of the Gateway case?

A

Unfairness case. Owned “Hooked on Phonics” and promised they would not share PI but could change the policy at any time. Did not seek consent (but revised the policy with a PO box to opt out) and released age range and gender PI to third parties for marketing. Fined

36
Q

What are the facts of the BJs case?

A

Unfairness case. They had security flaws in their network access. Caused identity theft.

37
Q

What are the facts of the Google case?

A

Violated their own privacy policy. Consent decree was entered into and they agreed to form a comprehensive privacy program.

38
Q

OECD

A
  1. Organization for Economic Cooperation and Development - focuses on privacy on a global scale
39
Q

APEC

A

Asia Pacific Economic Cooperation.
- Its cross-border privacy enforcement arrangement is the CPEA (Cross-border Privacy Enforcement Arrangement)

  • FTC was the first privacy enforcement authority.
40
Q

Steps in developing a privacy program.

A
  1. Discover
  2. Build
  3. Communicate
  4. Evolve
41
Q

Basic Elements of Incident Response (breach)

A

a. Detection - determine if it actually occurred
b. Containment/analysis and investigation - prevent further activity
c. Notice
d. Review and follow-up / corrective actions

42
Q

HIPAA

A

Health Insurance Portability and Accountability Act of 1996

  • Does not preempt state laws.
  • Enforced by OCR (Office of Civil Rights)
43
Q

HIPAA Privacy Rules

A

a. Must post privacy policy on website
b. Allow access to only the minimum necessary data to carry out treatment and payment.
c. Keep track of disclosures.
d. Have safeguards in place via security rules (accountability, de-identification, sometimes need notice and consent).

44
Q

HIPAA Security Rule

A

CIA - Confidentiality, Integrity, Availability

- Risk assessments should be done once a year.

45
Q

HITECH

A
  1. Health Info Tech for Economic and Clinical Health
    - Amended HIPAA by expanding to business associates involving the use or disclosure of PHI.

If significant risk of harm - must notify the individual within 60 days.

Must notify HHS immediately if it affects 500+ people (and the media if the 500 are in the same population).

Penalties up to $1.5 million.

EHR - electronic health records

46
Q

GINA

A

Genetic Info Nondiscrimination Act of 2008
- Made genetic info another PHI element to prevent discrimination in hiring or insurance premiums.

  • Some exceptions: if the info is commercially/publicly available, it was inadvertent, signed consent for a special program, or need to collect info for law enforcement / quality control.
47
Q

FCRA

A
  1. Fair Credit Reporting Act.
    a. Mandates fair and accurate info
    b. Provides users the ability to access and correct the info.
    c. Enforced by the FTC, CFPB, and state AGs.
    d. Private right of action with damages in 6 figures (up to 1k per violation and 2.5k for willful).

Under Dodd-Frank, rule making shifted from here to CFPB.

Users must have a permissible purpose in order to obtain an individual’s credit report. Among these permissible purposes is the determination of a consumer’s eligibility for a license. Library records, purchase transactions and academic records do not represent a permissible purpose.

48
Q

FACTA

A

The Fair and Accurate Credit Transaction Act. (not preempted)

i. Can’t show credit numbers on receipts!
ii. You get one free credit report a year!
iii. In the past it sold a lot of info for marketing purposes.

This controls CRAs (credit reporting agencies like Experian)

49
Q

FACTA red flags rule

A

a. Aimed at combating ID theft. Mandates rules to combat this. Requires financial entities to implement written ID protection programs that explain the red flags that indicate ID theft.

50
Q

GLBA (general and privacy rules)

A

Gramm-Leach-Bliley Act: Born from the Financial Services Modernization Act of 1999. (Not preempted)

GLBA Privacy Rules: Financial institutions must:
1. Store info securely and provide notice of policies re: sharing of personal financial info. Prepare and provide a clear and conspicuous privacy notice in 9 categories (must be provided when the relationship is established, then annually).
2. Provide the right to opt out of 3rd-party sharing (process w/i 30 days). (Exceptions: joint marketing and processing.)
3. Don’t disclose to third parties, except consumer reporting agencies
4. Comply with regulatory gov standards
5. Privacy policy that is clear, conspicuous, and accurate. Include what info is collected, how it is protected, and opt-out info.

Has nothing to do with Dept. of Commerce

No private right of action

Financial institutions are prohibited from disclosing consumer account numbers to nonaffiliated companies even if the consumer has not opted out of sharing information, but other information can be shared without obtaining an opt in.

51
Q

Dodd-Frank Wall Street Reform and Consumer Protection Act

A

Response to 2008 financial crisis.

Can enforce against abusive acts or practices –

i. if they materially interfere with consumers’ ability to understand a product or service, or
ii. take advantage of an inability to understand the risk, or
iii. an inability to protect interests, or
iv. reasonable reliance on a covered person to act in the consumer’s interests.

52
Q

CFPB

A

Consumer Financial Protection Bureau.

Part of the Federal Reserve. Rule-making authority for the FCRA, GLBA, and Fair Debt Collection Practices Act.

Created by the Dodd-Frank…Act.

53
Q

BSA

A
  1. Bank Secrecy Act.

Contains regulations relating to currency transactions, transportation of monetary instruments and the purchase of currency-like instruments.

A SAR is filed if it is suspected this is violated.

54
Q

Anti-Money Laundering Laws

A
  1. BSA
  2. Currency and foreign transaction report (1970)
  3. US Patriot Act
55
Q

The International Money Laundering abatement and Anti-Terrorism Financing Act.

A
  1. Part of the Patriot Act.

Expanded the reach of the BSA and made changes to anti-money-laundering laws.

56
Q

SAR

A

Suspicious Activity Report.

57
Q

When does a financial institution have to file a SAR ?

A

i. Suspects an insider is committing or aiding in a crime
ii. When the entity detects a possible crime of $5,000 or more and has a substantial basis to ID a suspect.
iii. When the entity detects a possible crime of $25,000 or more, even without a basis to ID a suspect.
iv. When the entity suspects currency transactions of $5,000+ that involve potential money laundering or violation of the acts.

58
Q

FERPA (aka Buckley Amendment)

A
  1. Family Educational Rights and Privacy Act.
    i. No private right of action (doesn’t cover private schools)
    ii. Employee and alumni records are NOT educational records.
    iii. Education records may be disclosed when (just need one)…
      a. Not PI
      b. Directory info that has not been blocked.
      c. Student provided consent
      d. Student makes the disclosure.
      e. A statutory exception applies.

Provides for major aspects of FIPPs (fair info practice principles) including notice, consent, access and correction, security, and accountability.

If a student requests their records, the institution must provide access to those records within 45 days.

59
Q

PPRA

A
  1. Protection of Pupil Rights Amendment (FERPA amended)
    - Includes private family info as PI and gave rights to parents of minors with regard to the collection of sensitive information.
60
Q

NCLB

A
  1. No Child Left Behind Act

Broadened PPRA to limit the collection and disclosure of student survey info. Added collection, access, notice, and opt-out rights to parents re: child info.

61
Q

Intrusion on seclusion

A

Tort right of action (can use for telemarketing). Must prove the intrusion is highly offensive to a reasonable person. One exception is unwanted and deceptive marketing

62
Q

TSR

A

Telemarketing Sales Rule. Implemented in 1995 and most recently amended in 2010.

Requires telemarketers to keep records of anything related to telemarketing for 2 years.

63
Q

TCPA

A

1991 (amended 2012) Telephone Consumer Protection Act - FTC enforced.

Prohibits automatic telephone dialing systems from making calls to any cell phone or other service “for which the called party is charged for the call.”

Unauthorized faxes not allowed. Must have consent or a valid business relationship.

i. Telemarketing – uses one or more telephones and involves 1 or more interstate calls.
ii. Must maintain DNC lists (*must call between 8a-9p) or pay up to $16,000 per violation.
iii. Exceptions – nonprofits, existing business relationships (EBRs) and consumer opt-in.

64
Q

DNC Safe Harbor

A

Do Not Call safe harbor. Seller must comply with rules (see below) and …

i. Provide training to staff
ii. ID how to get DNC and ensure compliance
iii. Must have documentation
iv. People responsible and accountable
v. Must have program to monitor/enforce policies.

65
Q

DNC rules

A
  1. Between 8am -9pm
  2. Avoid people on DNC list.
  3. Must display accurate id info
  4. Must immediately ID themselves and what they’re selling.
  5. Disclose all material info and terms
  6. Comply with prize and promo terms
  7. Respect call-back and end-call requests.
  8. Retain records for 24 hours.
  9. Prior express consent for robocalls.

No preemption – so state laws can be stricter.

No disclosures required if no intent to sell goods or services.

66
Q

CAN-SPAM

A

a. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003.
  i. Must clearly ID the sender.
  ii. Must provide opt-out/unsubscribe
  iii. Rules for MSCMs – mobile service commercial messages:
    1. Have a unique electronic address
    2. A wireless domain name list is maintained – and the rules only apply to these.
    3. Must have express prior positive authorization

67
Q

Telecommunications Act

A
  1. CPNI is PI
    a. Can use for billing, collections, fraud prevention, customer service, and emergency services. Otherwise they can only use with opt-in, express consent, or as required by law.
    b. Now people need passwords to access phone activities and CPNI.
68
Q

CPNI

A

Consumer Proprietary Network Info.

Info collected by telecommunications carriers related to their subscribers.

Carriers must get express consent to share with 3rd parties, but can share with a joint venture or independent contractors unless the subscriber opts out within 30 days of being notified.

69
Q

Cable Television Privacy Act

A
  1. Protects the personal information of customers of cable service providers. Incorporates OECD guidelines.
70
Q

VPPA

A
  1. Video Privacy Protection Act - Regulates use and disclosure of PI collected by cable providers.
71
Q

Situations where an organization must disclose to the gov.

A

a. FDA requires reporting of serious adverse events or product problems under the Food, Drug and Cosmetic Act.
b. Dept. of Labor, Health and Safety requires compilation and reporting of workplace injuries and illnesses.
c. Wiretaps – super strict and needs PC
d. HIPAA and COPPA – forbid 3rd-party disclosure without opt-in.
e. GLBA – forbids 3rd-party disclosure unless the consumer did not opt out.

72
Q

4th Amdt. general concept.

A

“right to be secure…against unreasonable searches and seizures…without probable cause.”

73
Q

ECPA

A
  1. Electronic Communications Privacy Act. Does not preempt state law.

“Trap and trace” devices and pen registers are OK if part of an ongoing investigation.

Extends the ban on interception to e-communications (with Title III laws).

There IS a private right of action

74
Q

Telephone Wiretap Law –>

Olmstead, Katz and Jones holdings

A

Olmstead – Holding: Don’t need a warrant.
Katz – Holding: Need a warrant for a wiretap
Jones – Holding: it was a trespass to track a car

75
Q

SCA

A
  1. Stored Communications Act generally prohibits collection or blocking while in storage w/o a warrant.

Creates a prohibition on acquisition or blocking of e-communications.

Exception: conduct authorized by the entity when providing a service. Also, if use of that service is intended for this purpose.

76
Q

RFPA

A
  1. Right to Financial Privacy Act.

No gov’t access unless reasonably described and meets one of the following:

  1. Customer authorizes
  2. Appropriate subpoena or summons
  3. Warrant
  4. Judicial subpoena
  5. Formal written request from a gov authority.
77
Q

PPA

A
  1. Privacy Protection Act (exception to RFPA). Protects the media in the course of a criminal investigation.

Exception – if PC that a reporter has committed or is in the process of committing a crime (doesn’t count if in possession or receipt of work product only)

78
Q

Zurcher v. Stanford Daily

A

Searched unpublished photos. SCOTUS decided search warrants were valid to search any property with probable cause that evidence of a crime will be found.

PPA was later passed, making those searches unlawful UNLESS PC that a reporter has committed or is in the process of committing a crime (doesn’t count if in possession or receipt of work product only)

79
Q

Section 215 of the Patriot Act

A
  1. Can demand production of info from companies for anti-terrorism purposes.
80
Q

NSL

A

National Security Letter - Prior to 2001 this was used narrowly, only with an FBI order. This was expanded in the Patriot Act.

2006 – Can now be issued by authorized officials. Generally can issue w/o any judicial involvement. Recipients can petition, however, if oppressive or unreasonable.

  1. Request may be disclosed to legal counsel and those necessary to comply.
  2. Recipients can also petition a court to modify or end the secrecy requirement.
  3. 5+ years in prison and fines up to $250,000 for an individual if improper disclosure.
81
Q

FISA

A
  1. Foreign Intelligence Surveillance Act -
    as amended by US Patriot Act

Standards and procedures for electronic surveillance.

If a Co. receives a FISA order, then the recipient Co. cannot disclose the fact of the order to the target of the investigation.

FISA gave legal authorization to some new surveillance practices

82
Q

PO or QPO

Rule 26(c) of Civ Pro
Rule 49.1 of Crim Pro
Rule 9037 of Bankruptcy Pro

A

Qualified Protective Order - When requesting health info, this order states the acquired health info can only be used for litigation.

Redaction utilized (last 4 digits of sensitive ID #s and PCI, DOB, all minor info (use initials))

83
Q

PI disclosure is prohibited with the following acts

A

COPPA, GLBA, and HIPAA (not the ECPA)

84
Q

COPPA

A

Children’s Online Privacy Protection Act.

Regulates the collection and use of info of kids under 13 by commercial website operators.

No private right of action. Enforcement actions include consent decrees ranging from 50k to 3 million.

Exceptions to the notice rule include: if it is collected along with the parent’s info to get consent; to respond once, if they delete the kid’s email right away or send notice to the parent; and for the safety of the kid.

COPPA safe harbor programs:
CARU - the BBB Children’s Advertising Review Unit.
ESRB - Entertainment Software Rating Board
TRUSTe
Privo, Inc.
Aristotle Int. Inc.

85
Q

CALEA or “Digital Telephony Bill”

A
  1. Communication Assistance to Law Enforcement Act.

Requires telecommunications companies to keep different types of data depending on investigative warrants

86
Q

Common Torts actions re: Workplace Privacy

A

i. Intrusion upon seclusion
ii. Publicity given to private life/facts
iii. Defamation or false light (i.e. false drug test or factually incorrect reference)

87
Q

General Workplace Privacy rules to remember

A
  1. This is a matter of K law in the US.
  2. Can’t ask for a history of workman’s comp.
  3. In Delaware, no Co. can monitor or intercept phone convos without notice once a day.
88
Q

Laws that protect employee privacy.

A

HIPAA, COBRA, ERISA, Family and Medical Leave Act.

89
Q

COBRA

A
  1. Consolidated Omnibus Budget Reconciliation Act

Requires qualified health plans to continue providing coverage to certain beneficiaries after termination

90
Q

ERISA

A
  1. Employee Retirement Income Security Act.

Ensures emp. benefits programs are created fairly w/ proper admin.

Health plan providers cannot adjust premiums based on genetics

91
Q

Family and Medical Leave Act

A

Right to time off for birth or illness for self or family.

92
Q

Fed Agencies that enforce employment privacy

A

Dept. of Labor, EEOC, FTC, CFPB, NLRB (NLRA board)

93
Q

Department of Labor

A

Helps people find work, and helps with national efforts

94
Q

EEOC

A

Equal Employment Opportunity Commission

  1. Prevents discrimination
  2. Enforces Title VII, anti-age discrimination, and the 1990 ADA
95
Q

NLRB

A

The National Labor Relations Board

Administers the NLR Act and deals with unfair labor practices

96
Q

NCPA

A

National Child Protection Act

Allows background checks for those who work with kids, and extra access to info.

97
Q

FCRA standards to meet to conduct background checks

A

i. Written notice and consent
ii. Use of qualified CRA
iii. Certification of a permissible purpose
iv. Must provide report to dispute if they are going to take adverse action (adverse action notice).

98
Q

ICRAA

A

Investigative Consumer Reporting Agencies Act (state law) - not preempted

i. Must provide a written disclosure before a report is obtained. It must say basically everything about the purpose of the report and all the personal info they’re getting, plus the website and phone numbers where the employee can find more info on privacy practices.
ii. Consent requirements – FCRA does not preempt states from conducting credit checks, and only some states limit credit history for employment (sometimes depends on the job being hired for).

99
Q

Monitoring state laws to remember

A

In CA, no cameras in places where people change clothes. MI – no cameras in private places.

Should limit monitoring to “non-private” areas of the workplace to avoid suits. Even in the absence of statutes, common-law tort claims can be brought.

100
Q

EPPA

A
  1. Employee Polygraph Protection Act.

Psych screening tests, stress tests, or lie detector tests are not allowed.

Exceptions: gov. employees, controlled substances professions, national security jobs, ongoing investigation, some contractors.

101
Q

Hiring and Drug use

A

Alcoholism must be disclosed (even though it is a disability) if necessary for the job

Not allowed to discriminate on past drug use unless it is clear from policy it’s needed for the job. Exceptions: transportation settings.

Allowed to ID illegal drug use if the employer has a reasonable suspicion from behavior, looks, and odors. Employees must be notified at time of hire. (ADA excludes current illegal drug use from its protections.)

102
Q

An employer may ask if employee needs reasonable accommodations at what time?

A

After an offer of employment.

103
Q

CA Assembly Bill 1950

A

2004: CA companies must have reasonable data security and must have reasonable security controls for PI and contractually obligate vendors and sub-contractors to have the same standards.

104
Q

MA 201 CMR 17 - 2010

A

Detailed minimum standards and technical requirements for maintaining records and data – must review at least once a year or if business changes.

105
Q

WA HB 1149 - 2010

A

a. Incorporates PCI DSS standards. Lets banks recover the cost of reissuing debit cards from a large processor who handled them negligently. Processor should then encrypt and notify within 1 year.
i. Example of trying to incorporate PCI standards. MI and NV enacted similar laws earlier.
ii. CA prevents use of SSNs

106
Q

Privacy Rights clearinghouse

A

Database of data breach incidents since 2005

107
Q

States that have Data breach notification laws

A

Every state as of Jun 2012 besides New Mexico, South Dakota, Alabama, and Kentucky.

108
Q

Definitions of PI across states

A
  1. CT: first and last name (or initials) in combination with SSN, license, ID #, PCI, access codes/passwords.
  2. NV excludes last 4 of SSN as PI
  3. AK, CA, MS, TX, and VG include medical and healthcare info
  4. OR, NE, NC, and Wisconsin include unique biometric data
  5. WI includes DNA profile
  6. ND includes mom’s maiden name
  7. CA - name plus (1 of the following) SSN, ID #, license, or PCI, OR card # with another code. (There is a private right of action.)
109
Q

Definitions of “data breach” across states

A
  1. CT - unauthorized access to or acquisition of electronic files containing PI when it is not secured by encryption or another anonymization of the info.
  2. FL – “material compromise”
  3. KS, SC – cause (or likely to cause) ID theft or material harm

CA - excludes encrypted data

Some states have a private right of action; others reserve enforcement to the AG.

110
Q

Whom to and when to notify across states.

A

TX – must notify residents and notify the AG and consumer reporting agencies (CRAs).

Idaho - must notify AG within 24 hours of detection

CA - must notify AG ASAP if >500 residents affected.

Puerto Rico – notification within 10 days of detection, and the entity will make the info public within 24 hours

MA – report to AG; prohibits reporting the number of affected individuals in a data breach notification.

LO - tell AG within 10 days

14 states must tell the AG

111
Q

What to include in notification (NC ex.)

A
  1. Description of incident
  2. Description of type of info
  3. Description of what business has done to prevent further access
  4. Who they can call for further info
  5. A warning for them to stay vigilant
  6. Toll-free numbers for reporting agencies
  7. Toll-free numbers for FTC and NC AG telling them those sources have more info on ID theft.
112
Q

Destruction Laws by state

A

a. As of July 2012, 26 states have data destruction laws, often incorporated in breach notification laws.
i. Applicability
ii. Requirements
iii. Exemptions
iv. Covered media
v. Penalties

i. AZ – this law only applies to paper records
ii. Alaska – right to private action
iii. CA – “unreadable or undecipherable through any means”
iv. IL, UT – government entities only
v. NY – for profit business only
vi. MA – steep penalties (not more than $100/data subject not to exceed $50,000 for each instance).

113
Q

TX whom to notify provision

A

must know for some reason….

114
Q

Reliable methods to verify parental consent via COPPA

A
  1. provide a form for the parent to print, fill out, sign, and mail or fax back to you (the “print-and-send” method);
  2. require the parent to use a credit card in connection with a transaction (which could consist of a membership or subscription fee, a purchase, or a charge to cover the cost of processing the credit card).
  3. maintain a toll-free telephone number staffed by trained personnel for parents to call in their consent; or
  4. obtain consent through an email from the parent, if that email contains a digital signature, or other digital certificate that uses public key technology obtained through one of the above methods.
115
Q

Appropriate reasons for disclosing empl. PI

A

Determining legal standing or citizen status, retirement planning and group insurance underwriting.

(NOT test marketing new products)

116
Q

Whats generally required in a breach notification letter

A
  1. A brief description of the incident,
  2. The type of information involved, and
  3. A toll-free number for answers to questions.
117
Q

What is a consent decree?

A

A judgment entered by consent of the parties whereby the defendant agrees to stop the illegal activity without admitting guilt or wrongdoing.

118
Q

FTC

A

Federal Trade Commission: 1914 (antitrust), then 1938 (consumer protection).

Generally protects against deceptive and unfair practices via Section 5.

119
Q

Dept of Commerce

A

Plays a leading role in Fed privacy development and administers the Safe Harbor agreement (now Privacy Shield).

120
Q

Magnuson-Moss Warranty FTC improvement act

A

1975 - businesses must comply with this to avoid being found to engage in deceptive or unfair practices by the FTC.

121
Q

UDAP statutes

A

Unfair and Deceptive Acts and Practices statutes (from Section 5 of the FTC act)

Whether there is a private right of action depends on the state.

122
Q

PCI DSS

A

Payment Card Industry Data Security Standard (PCI DSS)

123
Q

GPEN

A
  1. Global Privacy Enforcement Network - aims to promote cross-border sharing and investigation / enforcement.

Response to the OECD recommendation on cross-border co-operation in the enforcement of laws protecting privacy.

124
Q

4 requirements for users of consumer reports (under FCRA)

A
  1. Must be appropriately accurate, current, and complete.
  2. Consumers receive notice if used to make adverse decisions. (within 60 days)
  3. Reports only used for permissible purposes.
  4. Must have access to reports and ability to correct
125
Q

FACTA disposal rule

A

Must dispose of consumer info in reports to prevent unauthorized access to or misuse of the data.

126
Q

FIRREA

A

Financial Institutions Reform, Recovery, and Enforcement Act.

Failing to comply with GLBA may subject an institution to penalties under this. Ranges from 5.5k to 27.5k if reckless. Up to 1.1 mil if “knowing” violation.

127
Q

What agency implemented the model short privacy notice in 2009?

A

the Financial Services Regulatory Relief Act of 2006

128
Q

GLBA Safeguards Rule

A

Must have 3 levels of security

  1. Admin security
  2. Tech security
  3. Physical security
129
Q

What are NOT considered “educational records” under FERPA?

A
  1. Campus police records
  2. Employment records
  3. Treatment records
  4. Applicant records
  5. Alumni records
  6. Grades on peer-graded papers
130
Q

DNC rules do not apply to …

A
  1. Nonprofits calling on their own behalf
  2. Calls to customers with an existing relationship within the last 18 months.
  3. Inbound calls, provided there is no “upselling”
  4. Most business-to-business calls.
131
Q

Abandonment Safe Harbor

A

Telemarketer must:

  1. Use tech to ensure no more than 3% of calls are abandoned. 97% must be a live rep.
  2. Allow the phone to ring 15 seconds or 4 rings before disconnecting unanswered calls.
  3. Within 2 seconds of answering, a recorded message says the name and phone number of the seller when a live sales rep is unavailable.
132
Q

JFPA

A

2005, Junk Fax Prevention Act. - consent can be inferred from an existing business relationship (EBR)

133
Q

CAN SPAM

A
  1. Controlling the Assault of Non-Solicited Pornography and Marketing Act.

Rules of the road for how legitimate organizations send emails, including identifying the sender and a simple unsubscribe or opt-out. Up to $16,000 per violation. Preempts most state laws.

No private right of action, but provides for injunctive relief and damages up to $250 per violation with a max of 2 million in award. Egregious violations = 5 years prison.

PROHIBITS:

  1. False/misleading headers
  2. Deceptive subject lines
  3. Commercial email (following a grace period of 10 business days) to someone who opted out of future email.
  4. Aggravated violations
  5. All sexually oriented material must come with a warning label (unless consent)

REQUIRES:

  1. Functioning, clearly and conspicuously displayed return e-mail address.
  2. Clear and conspicuous notice of the opportunity to opt out for free.
  3. Commercial emails must include 1) clear and conspicuous ID of the message (unless consent already given) and 2) valid postal address or PO box of sender
134
Q

CA Online Privacy Protection Act

A
  1. First state law to require owners and operators of websites and online services to conspicuously post a privacy notice on their website (pg 112 for reqs of what the privacy notice requires).

If non-compliant, they have 30 days to post an appropriate privacy notice.

No specific enforcement provisions - but may be enforced through fraudulent business practices laws

135
Q

Disclosure to the gov forbidden by law.

A

HIPAA and COPPA forbid disclosures of covered info to 3rd parties unless opt-in. GLBA forbids disclosures unless opt-out.

136
Q

ESI

A

Electronically stored information.

A sub-discipline of e-discovery that implicates domestic and trans-border data flows.

137
Q

Aerospace v. Iowa

A

Set out factors for knowing if a trans-border transfer of data is appropriate.

  1. The importance of the documents or data to the litigation at hand.
  2. The specificity of the request
  3. Whether the info originated in the U.S.
  4. The availability of alternative means of securing the info.
  5. (most important) The extent to which the important interests of the US and the foreign state would be undermined by an adverse ruling.
138
Q

Federal Laws Protecting Employee Privacy

A

Civil Rights Act of 1964

Pregnancy Discrimination Act

ADA of 1991

Age Discrimination Act

Equal Pay Act of 1963

GINA of 2008

139
Q

Laws regulating employee benefits management

A

HIPAA, COBRA, ERISA, FMLA

140
Q

FMLA

A

Family Medical Leave Act - entitles certain employees to leave in the event of birth or illness of self or family.

141
Q

Fed laws that help with employee privacy regarding data collection and record keeping

A

FCRA
FLSA - Fair Labor Standards Act
OSHA - Occupational Safety and Health Act
Whistleblower Protection Act
NLRA - National Labor Relations Act
IRCA - Immigration Reform and Control Act
Securities and Exchange Act

142
Q

Canada’s 1990s “privacy by design” framework

A

  1. Proactive not Reactive; Preventative not Remedial
  2. Privacy as the Default Setting
  3. Privacy Embedded into Design
  4. Full Functionality — Positive-Sum, not Zero-Sum
  5. End-to-End Security — Full Lifecycle Protection
  6. Visibility and Transparency — Keep it Open
  7. Respect for User Privacy — Keep it User-Centric