CIPP / US outline Flashcards
Where, how, and for what length of time is the data stored?
Limited retention reduces the risk from data breach - no breach will occur once the data is removed from the system
How sensitive is the information?
- Confidential, proprietary - property of the organization
- Sensitive, restricted - available to select few
- Public - generally available
Should the information be encrypted?
Generally, no notice is required if the lost PI is sufficiently encrypted or protected by some other effective technical protection
Will the info be transferred to or from other countries, and if so, how will it be transferred?
Organization should familiarize itself with the privacy requirements of both origination and destination countries for transborder data
Who determines the rules that apply to the information?
1) Controller - entity who determines the purposes and means of the processing of personal data
2) Processor - entity that processes personal data on behalf of the controller
3) Business - think HIPAA
How is the info processed, and how will these processes be maintained?
- Steps should be taken to train staff members involved in the processes, and the computers on which the info will be processed should be secured appropriately to minimize the risk of data leak or breach
- Physical transfer of data also should be secured
Is the use of such data dependent upon other systems?
- If the use of personal data depends on the working condition of other systems >> the condition of those systems must also be evaluated and updated if necessary
- An outdated system may call for developing a new method or program for using relevant data
Classes or categories of privacy
1) Information privacy – established rules that govern the collection and handling of personal information
2) Bodily privacy – a person’s physical being and any invasion thereof, e.g., genetic testing, drug testing or body cavity searches
3) Territorial privacy – placing limits on the ability to intrude into another individual’s environment. Environment is not limited to the home; it may be defined as the workplace or public space. Invasion into an individual’s territorial privacy typically takes the form of monitoring such as video surveillance
4) Communications privacy – protection of the means of correspondence, including postal mail, telephone conversations, email, and other forms of communicative behavior and apparatus
Consent decree
• A judgement entered by consent of the parties
• Typically, the defendant (D) agrees to stop alleged illegal activity and pay a fine, w/o admitting guilt or wrongdoing
• This legal document is approved by a judge and formalizes an agreement reached between a U.S. federal or state agency and adverse party
• Consent decrees are posted publicly on the FTC’s website, and the details of these decrees provide guidance about what practices the FTC considers inappropriate
Protected health information (PHI)
Any individually identifiable health info that is: transmitted or maintained in any form or medium; held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of health care or payment for health care to that individual
Electronic protected health info (ePHI)
Any PHI that is transmitted or maintained in electronic media
Business associate
Any person or organization, other than a member of a covered entity’s workforce, that performs services or activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI
Under the Fair Credit Reporting Act, employee investigations are not treated as consumer reports as long as
1) The employer or its agents comply w/ the procedure set forth in the act
2) No credit info is used
3) A summary describing the nature and scope of the inquiry is provided to the employee if an adverse action is taken based on the investigation
Under the Fair Credit Reporting Act, medical information
• Limits the use of medical info obtained from CRAs, other than payment info that appears in a coded form and does not identify the medical provider
• If the report is to be used for employment purposes – or in connection with a credit transaction, except as provided in regulations issued by the banking and credit union regulators – the consumer must provide specific written consent and the medical info must be relevant
Red Flag Rule
• Required agencies that regulate financial entities to develop a set of rules to mandate the detection, prevention and mitigation of identity theft
• Eliminates entities that extend credit only “for expenses incidental to a service”
• Authorizes regulations that apply the rule to businesses whose accounts should be “subject to a reasonably foreseeable risk of identity theft”
Gramm-Leach-Bliley Act (GLBA)
• Eliminated legal barriers to affiliations among banks, securities firms, insurance companies and other financial service companies
• Re-organized financial services regulation in the United States and applies broadly to any company that is “significantly engaged” in financial activities in the U.S.
• Addresses the handling of non-public personal information, defined broadly to include a consumer’s name and address, and consumers’ interactions with banks, insurers and other financial institutions.
• Requires financial institutions to securely store personal financial information, and to:
(1) give notice of their policies regarding the sharing of personal financial information, and
(2) give consumers the ability to opt-out of some sharing of personal financial information.
U.S. Bancorp / MemberWorks
• Focused popular and regulatory attention on the prevalence of data-sharing relationships between banks and 3rd party marketers
• The suit resulted in a $3 million settlement for allegations that the bank had sent detailed customer information to the telemarketing firm, including account numbers and related information that enabled the marketer to directly withdraw funds from the customer account
GLBA Privacy Rule
• Financial institution must provide initial and annual privacy notices to consumers on 9 categories of info and must process opt-outs within 30 days
• Privacy notice itself must be a clear, conspicuous and accurate statement of the company’s privacy practices and must include:
(1) Info the financial institution collects about its consumers and customers
(2) With whom it shares the info
(3) How it protects or safeguards the info
(4) An explanation of how a consumer may opt-out of having his info shared
GLBA Safeguards Rule
• Requires financial institutions to develop and implement a comprehensive “information security program” (a program that contains administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information)
• The administrative, technical and physical safeguards must be reasonably designed to:
(1) ensure the security and confidentiality of customer info,
(2) protect against any anticipated threats or hazards to the security or integrity of info,
(3) protect against unauthorized access to or use of the info that could result in substantial harm or inconvenience to any customer
No Child Left Behind Act of 2001
• Limits the collection and disclosure of student information
• Protection of Pupil Rights Amendment (PPRA) now requires schools to:
(1) Enact policies re: collection, disclosure or use of personal info about students for commercial purposes
(2) Allow parents to access and inspect surveys and other commercial instruments before they are administered to students
(3) Provide advance notice to parents about the approx. date when these activities are scheduled
(4) Provide parents the right to opt-out of surveys or other sharing of info for commercial purposes
The Wireless Domain Registry
- To help senders of commercial messages determine whether those messages might be MSCMs (rather than regular commercial email)
- Senders are responsible for obtaining this list and ensuring that the appropriate authorizations exist before sending commercial messages to addresses within the domains
Wiretap Act and the Electronic Communications Privacy Act (ECPA)
Generally strict in prohibiting the interception of wire communications, such as telephone calls or sound recordings from video cameras; oral communications, such as hidden bugs or microphones; and electronic communications, such as emails
Olmstead v. U.S.
Court held that no warrant was required for wiretaps conducted on telephone company wires outside of the suspect’s building
Katz v. U.S.
• What a person knowingly exposes to the public, even in his own home or office, is not subject to 4th amend protection
• But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected
Foreign Intelligence Surveillance Act (FISA) of 1978
• Telephone companies and other communications providers can face especially complex rules about when and in what way they are permitted or required to provide info to the gov’t
• Establishes standards and procedures for electronic surveillance that collects “foreign intelligence” within the U.S. FISA orders can issue when foreign intelligence gathering is a “significant purpose” of the investigation
• Orders issue from a special court of fed district court judges, the Foreign Intelligence Surveillance Court (FISC)
• Authorizes pen register and trap and trace orders and orders for video surveillance
Gateway Case
Privacy policy stated Gateway would not sell, rent, or loan PI without explicit consent. If the practice changed, the policy stated Gateway would provide customers an opportunity to opt-out. Gateway started renting PI to third parties without providing the opt-out
BJ’s Wholesale Club Case
BJ’s failed to encrypt PI and secure its wireless networks to prevent unauthorized access. Hundreds of customers’ identities were stolen. Established that failing to implement basic security controls to protect PI is an unfair trade practice
What were the facts of the Lilly Case?
An employee accidentally sent an email to ALL users with all personal emails viewable. This was unreasonable handling of PI. No fine, but consent decree.
FTC has regulatory authority over:
COPPA, FCC, Telemarketing Sales Rule, CAN-SPAM Act, Health and Human Services (HIPAA stuff), and FCRA
FCC
Federal Communications Commission. - Federal Financial institution regulators
HHS
Health and Human Services
- OCR: Office of Civil Rights
- CMS - Center for Medicare and Medicaid services
promulgated regulations to protect the PRIVACY and SECURITY of health info for HIPAA
DOT
Department of Transportation
FTC enforcement process
- Claim (press report or consumer complaint)
- If minor - mutual resolution FTC/respondent
- If significant or pattern - investigation.
- If violation? Admin trial w/ civil penalties if found OR consent decree (up to $16,000 per violation but no admission of wrongdoing) and fed district ct if violation.
3 criteria for unfair trade practices
- Substantial Injury
- w/o offsetting benefits
- Consumers could not reasonably avoid.
What are the facts of the Gateway case?
unfairness case. Owned “hooked on phonics” and promised they would not share PI but could change info at any time. Did not seek consent (but revised policy with a PO box to opt-out) and released age range and gender PI to third parties for marketing. Fined
What are the facts of the BJs case?
unfairness case. They had security flaws in their network access. Caused identity theft.
What are the facts of the Google case?
Violated their own privacy policy. Consent decree was entered into and they agreed to form a comprehensive privacy program.
OECD
- Organization for Economic Cooperation and Development - focuses on privacy on a global scale
APEC
Asia Pacific Economic Cooperation.
- Its cross-border privacy enforcement arrangement is the CPEA (Cross-border Privacy Enforcement Arrangement)
- FTC was the first privacy enforcement authority.
Steps in developing a privacy program.
- Discover
- Build
- Communicate
- Evolve
Basic Elements of Incident Response (breach)
a. Detection - determine if it actually occurred
b. Containment/analysis and investigation - prevent further activity
c. Notice
d. Review and follow-up / corrective actions
HIPAA
Health Insurance Portability and Accountability Act of 1996
- Does not preempt state laws.
- Enforced by OCR (Office of Civil Rights)
HIPAA Privacy Rules
a. Must post privacy policy on website
b. Allow access to only the minimum necessary data to carry out treatment and payment.
c. Keep track of disclosures.
d. Have safeguards in place via security rules (accountability, de-identification, sometimes need notice and consent).
HIPAA Security Rule
CIA - Confidentiality, Integrity, Availability
- risk assessments should be done once a year.
HITECH
- Health Info Tech for Economic and Clinical Health
- Amended HIPAA by expanding to business associates involving the use or disclosure of PHI.
If significant risk of harm - must notify individual within 60 days.
Must notify HHS immediately if it affects 500+ people (and media if the 500 are in the same population).
Penalties up to 1.5 mil.
EHR - electronic health records
GINA
Genetic Info Nondiscrimination Act of 2008
- made genetic info another PHI element to prevent hiring or insurance premiums discrimination.
- some exceptions if commercially/publicly available info, it was inadvertent, signed consent for special program, need to collect info for law enforcement /quality control.
FCRA
- Fair Credit Reporting Act.
a. Mandates fair and accurate info
b. Provides users ability to access and correct the info.
c. Enforced by the FTC, CFPB, and state AGs.
d. Private right of action with damages in 6 figures. (up to 1k per violation and 2.5k for willful)
Under Dodd-Frank, rule making shifted from here to CFPB.
Users must have a permissible purpose in order to obtain an individual’s credit report. Among these permissible purposes is the determination of a consumer’s eligibility for a license. Library records, purchase transactions and academic records do not represent a permissible purpose.
FACTA
The Fair and Accurate Credit Transaction Act. (not preempted)
i. Can’t show credit numbers on receipts!
ii. You get one free credit report a year!
iii. In the past it sold a lot of info for marketing purposes.
This controls CRA (credit reporting agencies like experian)
FACTA red flags rule
a. aimed at combatting ID theft. Mandates rules to combat this. Requires financial entities to implement written ID protection programs that explain the red flags that indicate ID theft.
GLBA (general and privacy rules)
Gramm-Leach-Bliley Act: Born from the financial services modernization act of 1999. (Not preempted)
GLBA Privacy Rules: Financial Institutions must:
1. Store info securely and provide notice of policies re: sharing of personal fin info.
Prepare and provide clear and conspicuous privacy notice in 9 categories (must be provided when relationship is established then annually.)
2. Provide right to opt-out of 3rd party sharing (process w/i 30 days) (Exceptions: Joint marketing and processing.)
3. Don’t disclose to third parties, except consumer reporting agencies
4. Comply with regulatory/gov standards
5. Privacy policy that is clear, conspicuous, and accurate. Include what info is collected, how it is protected, and opt out info.
Has nothing to do with Dept. of Commerce
No private right of action
Financial institutions are prohibited from disclosing consumer account numbers to nonaffiliated companies even if the consumer has not opted out of sharing information, but other information can be shared without obtaining an opt in.
Dodd-Frank Wall Street Reform and Consumer Protection Act
Response to 2008 financial crisis.
Can enforce against abusive acts or practices –
i. if they materially interfere with consumers’ ability to understand a product or service, or
ii. take advantage of inability to understand the risk, or
iii. inability to protect interests, or
iv. reasonable reliance on a covered person to act in the consumers’ interests.
CFPB
Consumer Financial Protection Bureau. -
part of the federal reserve. Rule making authority for the FCRA, GLBA, and Fair Debt Collection Practices Act.
Created by the Dodd-Frank…Act.
BSA
- Bank Secrecy Act.
contains regulations relating to currency transactions, transportation of monetary instruments and the purchase of currency-like instruments.
SAR is filed if it is suspected this is violated.
Anti-Money Laundering Laws
- BSA
- Currency and foreign transaction report (1970)
- USA PATRIOT Act
The International Money Laundering Abatement and Anti-Terrorist Financing Act.
- Part of the Patriot Act.
expanded reach of BSA and made changes to anti-money-laundering laws.
SAR
Suspicious Activity Report.