CIPP / US outline Flashcards

You may prefer our related Brainscape-certified flashcards:
1
Q

Where, how, and for what length of time is the data stored?

A

Limited retention reduces the risk from data breach - no breach will occur once the data is removed from the system

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

<p>How sensitive is the information?</p>

A

<p>- Confidential, proprietary - property of the organization

- Sensitive, restricted - available to select few
- Public - generally available</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

<p>Should the information be encrypted?</p>

A

<p>Generally, no notice is required if the lost PI is sufficiently encrypted or protected by some other effective technical protection</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

<p>Will the info be transfered to or from other countries, and if so, how will it be transferred?</p>

A

<p>Organization should familiarize itself with the privacy requirements of both origination and destination countries for transborder data</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

<p>Who determines the rules that apply to the information?</p>

A

<p>1) Controller - entity who determines the purposes and means of the processing of personal data

2) Processor - entity that processes personal data on behalf of the controller
3) Business - think HIPAA</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

<p>How is the info processed, and how will these processes be maintained?</p>

A

<p>- Steps should be taken to train staff members involved in the processes and computers on which the info will be processed should be secured appropriately to minimize the risk of data leak or breach
- Physical transfer of data also should be secured</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

<p>Is the use of such data dependent upon other systems?</p>

A

<p>- If the use of personal data depends on the working condition of other systems >> the condition of those systems must also be evaluated and updated if necessary
- an outdated system may call for developing a new method or program for using relevant data</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

<p>Classes or categories of privacy</p>

A

<p>1) Information privacy – established rules that govern the collection and handling of personal information

2) Bodily privacy – a person’s physical being and any invasion thereof, ex./ genetic testing, drug testing or body cavity searches
3) Territorial privacy – placing limits on the ability to intrude into another individual’s environment. Environment is not limited to the home; it may be defined as the workplace or public space. Invasion into an individual’s territorial privacy typically takes the form of monitoring such as video surveillance
4) Communications privacy – protection of the means of correspondence, including postal mail, telephone conversations, email, and other forms of communicative behavior and apparatus</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

<p>Consent decree</p>

A

<p>• A judgement entered by consent of the parties
• Typically, the (D) agrees to stop alleged illegal activity and pay a fine, w/o admitting guilt or wrongdoing
• This legal document is approved by a judge and formalizes an agreement reached between a U.S. federal or state agency and adverse party
• Consent decrees are posted publicly on the FTC’s website, and the details of these decrees provide guidance about what practices the FTC considers inappropriate</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

<p>Protected health information (PHI)</p>

A

<p>Any individually identifiable health info that is: transmitted or maintained in any form or medium; held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; created or received by a covered entity or an employer; and relates to a past, present or future physical mental condition, provision of health care or payment for health care to that individual</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

<p>Electronic protected health info (ePHI)</p>

A

<p>Any PHI that is transmitted or maintained in electronic media</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

<p>Business associate</p>

A

<p>Any person or organization, other than a member of a covered entity’s workforce, that performs services and; activities for, or on behalf of, covered entity, if such services or activities involve the use or disclosure of PHI</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

<p>Under the Fair Credit Reporting Act, employee investigations are not treated as consumer reports as long as</p>

A

<p>1) The employer or its agents complies w/ the procedure set forth in the act

2) No credit info is used
3) Summary describing nature and scope of the inquiry is provided to the employee if an adverse action is taken based on the investigation</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

<p>Under the Fair Credit Reporting Act, medical information</p>

A

<p>• Limits the use of medical info obtained from CRAs, other than payment info that appears in a coded form and does not identify the medical provider
• If the report is to be used for employment purposes – or in connection with a credit transaction, expect as provided in regulations issued by the banking and credit union regulators – the consumer must provide specific written consent and the medical info must be relevant</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

<p>Red Flag Rule</p>

A

<p>• Required agencies that regulate financial entities to develop a set of rules to mandate the detection, prevention and mitigation of identity theft
• Eliminates entities that extend credit only “for expenses incidental to a service”
• Authorizes regulations that apply the rule to businesses whose account should be “subject to a reasonably foreseeable risk of identity theft”</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

<p>Gramm-Leach-Bliley Act (GLBA)</p>

A

• Eliminated legal barriers to affiliations among banks, securities firms, insurance companies and other financial service companies
• Re-organized financial services regulation in the United States and applies broadly to any company that is “significantly engaged” in financial activities in the U.S.
• Addresses the handling of non-public personal information, defined broadly to include a consumer’s name and address, and consumers’ interactions with banks, insurers and other financial institutions.
• Requires financial institutions to securely store personal financial information:
(1) give notice of their policies regarding the sharing of personal financial information, and
(2) give consumers the ability to opt-out of some sharing of personal financial information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

<p>U.S. Bancorp / MemberWorks</p>

A

<p>• Focused popular and regulatory attention on the prevalence of data-sharing relationships between banks and 3rd party marketers
• The suit resulted in a $3 million settlement for allegations that the bank had sent detailed customer information to the telemarketing firm, including account numbers and related information that enabled the marketer to directly withdraw funds from the customer account</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

<p>GLBA Privacy Rule</p>

A

<p>• Financial institution must provide initial and annual privacy notices to consumers on 9 categories of info and must process opt-outs within 30 days
•Privacy notice itself must be a clear, conspicuous and accurate statement of the company’s privacy practices and must include: (1) Info the financial institution collects about its consumers and customers
(2) With whom it shares the info
(3) How it protects or safeguards the info
(4) An explanation of how a consumer may opt-out if having his info shared</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

<p>GLBA Safeguards Rule</p>

A

• Requires financial institutions to develop and implement a comprehensive “information security program” (a program that contains administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information)
• The administrative, technical and physical safeguards must be reasonably designed to:
(1) ensure the security and confidentiality of customer info,
(2) protect any anticipated threats or hazards to the security or integrity of info,
(3) protect against unauthorized access to or use of the info that could result in substantial harm or inconvenience to any customer

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

<p>No Child Left Behind Act of 2001</p>

A

<p>• Limits the collection and disclosure of student information
• Protection of Pupil Rights Amendment (PPRA) now requires schools to:
(1) enact policies re: collection, disclosure or use of personal info about students for commercial purposes
(2) Allows parents to access and inspect surveys and other commercial instruments before they are administered to students
(3) Provide advance notice to parents about the approx. date when these activities are scheduled
(4) Provide parents the right to opt-out of surveys or other sharing info for commercial purposes</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

The Wireless Domain Registry

A
  • To help senders of commercial messages determine whether those messages might be MSCMs (rather than regular commercial email)
  • Senders are responsible for obtaining this list and ensuring that the appropriate authorizations exist before sending commercial messages to address within the domains
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

<p>Wiretap Act and the Electronic Communications Privacy Act (ECPA)</p>

A

<p>Generally strict in prohibiting the interception of wire communications, such as telephone calls or sound recordings from video cameras; oral communications, such as hidden bugs or microphones; and electronic communications, such as emails</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

<p>Olmstead v. U.S.</p>

A

<p>Court held that no warrant was required for wiretaps conducted on telephone company wires outside of the suspect’s building</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

<p>Katz v. U.S.</p>

A

<p>• What a person knowingly exposes to the public, even in his own home or office is not subject to 4th amend protection
• But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

<p>Foreign Intelligence Surveillance Act (FISA) of 1978</p>

A

<p>• Telephone companies and other communications providers can face especially complex rules about when and in what way they are permitted or required to provide into to the gov’t
• Establishes standards and procedures for electronic surveillance that collects “foreign intelligence” within the U.S. FISA orders can issue when foreign intelligence gathering is a “significant purpose” of the investigation
• Orders issue from a special court of fed district court judges, the Foreign Intelligence Surveillance Court (FISC)
• Authorizes pen register and trap and trace orders and orders for video surveillance</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Gatway Case

A

Privacy policy stated Gateway would not sell, rent, or loan PI without explicit consent. If the practice changed Gateway, the policy stated they would provide customers an opportunity to opt-out. Gateway started renting PI to third parties without providing the opt-out

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

BJ’s Wholesale Club Case

A

BJ failed to encrypt PI and secure its wireless networks to prevent unauthorized access. Hundreds of customer’s identities were stolen. Established that failing to implement basic security controls to protect PI is an unfair trade practice

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

What were the facts of the Lilly Case?

A

An employee accidentally sent an email to ALL users with all personal emails viewable. This was unreasonable handling of PI. No fine, but consent decree.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

FTC has regulatory authority over.

A

COPPA, FCC, Telemarketing sales rule, can spam act, health and human services (HIPAA stuff), and FCRA

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

FCC

A

Federal Communications Commission. - Federal Financial institution regulators

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

HHS

A

Health and Human Services

  • OCR: Office of Civil Rights
  • CMS - Center for Medicare and Medicaid services

promulgated regulations to protect the PRIVACY and SECURITY of health info for HIPAA

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

DOT

A

Department of Transportation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

FTC enforcement process

A
  1. Claim (press report or consumer complaint)
  2. If minor - mutual resolution FTC/respondant
  3. IF significant or pattern - investigation.
  4. If violation? Admin trial w/civil penalties if found OR consent decree (up to $16,000 per violation but no admit wrong) and fed district ct if violation.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

3 criteria for unfair trade practices

A
  1. Substantial Injury
  2. w/o offsetting benefits
  3. Consumers could not reasonably avoid.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

What are the facts of the Gateway case?

A

unfairness case. Owned “hooked on phonics” and promised they would not share PI but could change info at any time. Did not seek consent (but revised policy with a PO box to opt-out) and released age range and gender PI to third parties for marketing. Fined

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

What are the facts of the BJs case?

A

unfairness case. They had security flaws in their network access. Caused identity theft.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

What are the facts of the Google case?

A

Violated their own privacy policy. Consent decree was entered into and they agreed to form a comprehensive privacy program.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

OECD

A
  1. Organization for Economic Cooperation and Development - focuses on privacy on a global scale
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

APEC

A

Asia Pacific Economic Cooperation.
- cross-border privacy enforcement arrangement is the CPEA (cross-border privacy enforcement arrangement)

  • FTC was first privacy enforcement authority.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

Steps in developing a privacy program.

A
  1. Discover
  2. Build
  3. Communicate
  4. Evolve
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

Basic Elements of Incident Response (breach)

A

a. Detection - determine if it actually occurred
b. Containment/analysis and investigation- Prevent further activity
d. Notice
e. Review and follow-up/ corrective actions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

HIPAA

A

Health Insurance Portability and Accountability Act of 1996

  • Does not preeempt state laws.
  • enforced by OCR (office of civil rights)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

HIPAA Privacy Rules

A

a. Must post privacy policy on website
b. Allow access to only the minimum necessary data to carry out treatment and payment.
c. Keep track of disclosures.
d. Have safeguards in place via security rules (accountability, de-identification, sometimes need notice and consent.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
44
Q

HIPAA Security Rule

A

CIA - Confidentiality, Integrity, Availability

- risk assessments should be done once a year.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
45
Q

HITECH

A
  1. Health Info Tech for Economic and Clinical Health
    - Amended HIPAA by expanding to business associates involving the use or disclosure of PHI.

If significant risk of harm - must notify individual within 60 days.

Must notify HHS immediately if affects 500+ people. (and media if the 500 are in the same population.

Penalties up to 1.5 mil.

EHR - electronic health records

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
46
Q

GINA

A

Genetic Info Nondiscrimination Act of 2008
- made genetic info another PHI element to prevent hiring or insurance premiums discrimination.

  • some exceptions if commercially/publicly available info, it was inadvertent, signed consent for special program, need to collect info for law enforcement /quality control.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
47
Q

FCRA

A
  1. Fair Credit Reporting Act.
    a. Mandates fair and accurate info
    b. Provides users ability to access and correct the info.
    f. Enforced by the FTC, CFPB, and state AGs.
    g. Private right of action with damages in 6 figures. (up to 1k per violations and 2.5 k for willful)

Under Dodd-Frank, rule making shifted from here to CFPB.

Users must have a permissible purpose in order to obtain an individual’s credit report. Among these permissible purposes is the determination of a consumer’s eligibility for a license. Library records, purchase transactions and academic records do not represent a permissible purpose.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
48
Q

FACTA

A

The Fair and Accurate Credit Transaction Act. (not preempted)

i. Can’t show credit numbers on receipts!
ii. You get one free credit report a year!
iii. In the past it sold a lot of info for marketing purposes.

This controls CRA (credit reporting agencies like experian)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
49
Q

FACTA red flags rule

A

a. aimed at combatting ID theft. Mandates rules to combat this. Requires financial entities to implement written ID protection programs that explain the red flags that indicate ID theft.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
50
Q

GLBA (general and privacy rules)

A

Gramm-Leach-Bliley Act: Born from the financial services modernization act of 1999. (Not preempted)

GLBA Privacy Rules: Financial Institutions must:
1. Store info securely and provide notice of policies re: sharing of personal fin info.
Prepare and provide clear and conspicuous privacy notice in 9 categories (must be provided when relationship is established then annually.)
2. Provide right to opt-out of 3rd party sharing (process w/i 30 days) (Exceptions: Joint marketing and processing.)
3. Don’t disclose to third party exception consumer reporting agency
4. Comply with regulatory gov standards
5. Privacy policy that is clear, conspicuous, and accurate. Include what info is collected, how it is protected, and opt out info.

Has nothing to do with Dept. of Commerce

No private right of action

Financial institutions are prohibited from disclosing consumer account numbers to nonaffiliated companies even if the consumer has not opted out of sharing information, but other information can be shared without obtaining an opt in.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
51
Q

Dodd-Frank Wall Street Reform and Consumer Protection Act

A

Response to 2008 financial crisis.

Can enforce against abusive acts or practices –

i. if they materially interfere with consumers ability to understand a product or service, or
ii. takes advantage of inability to understand the risk, or
iii. inability to protect interests, or
iv. reasonable reliability on a covered person to act in the consumers interests.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
52
Q

CFPB

A

Consumer Financial Protection Bureau. -

part of the federal reserve. Rule making authority for the FCRA, GLBA, and Fair Debt Collection Practices Act.

Created by the Dodd-Frank…Act.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
53
Q

BSA

A
  1. Bank Secrecy Act.

contains regulations relating to currency transactions, transportation of monetary instruments and the purchase of currency-like instruments.

SAR is filed if it is suspected this is violated.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
54
Q

Anti-Money Laundering Laws

A
  1. BSA
  2. Currency and foreign transaction report (1970)
  3. US Patriot Act
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
55
Q

The International Money Laundering abatement and Anti-Terrorism Financing Act.

A
  1. Part of the Patriot Act.

expanded reach of BSA and made changes to anti-money-laundering laws.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
56
Q

SAR

A

Suspicious Activities report.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
57
Q

When does a financial institution have to file a SAR ?

A

i. Suspects an insider is committing or aiding in a crime
ii. When entity detects possible crime of $5,000 or more and substantial basis to ID suspect.
iii. When entity detects possible crime of $25,000 or more even without basis to ID suspect.
iv. When entity suspects currency transactions $5000 + that involve potential money laundering or violation of acts.

58
Q

FERPA (aka Buckley Amendment)

A
  1. Family Educational Rights and Privacy Act.
    i. No private right of action (doesn’t cover private schools)
    ii. Employee and alumni records are NOT educational record.
    iii. Education records may be disclosed when (just need one)…
  2. Not PI
  3. Directory info that has not been blocked.
  4. Student provided consent
  5. Student makes the disclosure.
  6. A statutory exception applies.

Provides for major aspects of FIPPS (fair info practice principles) including notice, consent, access, and correction, security, and accountability.

If student requests their records - institute must provide access to those records within 45 days.

59
Q

PPRA

A
  1. Protection of Pupil Rights Amendment (FERPA amended)
    - includes private family info as PI and gave rights to parents of minors with regard to collection of sensitive information.
60
Q

NCLB

A
  1. No Child Left Behind Act

Broadened PPRA to limit the collection and disclosure of student survey info. Added collection, access, notice, and opt-out rights to parents re: child info.

61
Q

Intrusion on seclusion

A

Tort right of action (can use for telemarketing). Must prove the intrusion is highly offensive to a reasonable person. One exception is unwanted and deceptive marketing

62
Q

TSR

A

Telemarketing Sales Rule. implemented 1995 and most recently amended 2010.

requires telemarketers to keep records of anything related to telemarketing for 2 years.

63
Q

TCPA

A

1991 (amd. 2012) Telephone Consumer Protection Act. - FTC enforced.

Prohibits automatic telephone dialing systems from making calls to any call phonr or other service “for which the called party is charged for the call.”

unauthorized faxes not allowed. Must have consent or valid business relationship.

i. Telemarketing – Uses one or more telephones and involving 1 or more interstate call.
ii. Must maintain DNC lists (*must call between 8a-9p) or pay up to $16,000 per violation.
iii. Exceptions – Nonprofits and existing business relationships (EBRS) and consumer opt-in.

64
Q

DNC Safe Harbor

A

Do Not Call safe harbor. Seller must comply with rules (see below) and …

i. Provide training to staff
ii. ID how to get DNC and ensure compliance
iii. Must have documentation
iv. People responsible and accountable
v. Must have program to monitor/enforce policies.

65
Q

DNC rules

A
  1. Between 8am -9pm
  2. Avoid people on DNC list.
  3. Must display accurate id info
  4. Must immediately ID themselves and what they’re selling.
  5. Disclose all material info and terms
  6. Comply with prize and promo terms
  7. Respect call-back and end-call requests.
  8. Retain records for 24 hours.
  9. Prior express consent for robocalls.

No preemption – so state laws can be stricter.

No disclosures required if no intent to sell goods or services.

66
Q

CAN-SPAM

A

a. Controlling the assault of non-solicited pornography and marketing act of 2003.
i. Must clearly ID sender.
ii. Must provide opt out-unsubscribe
iii. Rules for MSCMs – mobile service commercial messages.
1. Have unique electronic address
2. Wireless domain name list is maintained – and the rules only apply to these.
3. Must have express prior positive authorization

67
Q

Telecommunications Act

A
  1. CPNI is PI
    a. Can use for billing, collections, fraud prevention, customer service, and emergency services. Otherwise they can only use with opt-in, express consent, or as required by law.
    b. Now people need passwords to access phone activities and CPNI.
68
Q

CPNI

A

Consumer Proprietary Network Info.

Info collected by telecommunications carriers related to their subscribers.

carriers must get express consent to share with 3rd parties but can share if there is a joint venture or independent contractors unless opt-out within 30 days of being notified.

69
Q

Cable Television Privacy Act

A
  1. Protects the personal information of customers of cable service providers. Incorporates OECD guidelines.
70
Q

VPPA

A
  1. Video Privacy Protection Act - Regulates use and disclosure of PI collected by cable providers.
71
Q

Situations where an organization must disclose to the gov.

A

a. FDA requires serious adverse events or product problems under Food Drug and Cosmetic act.
b. Dept of Labor, Health and Safety requires compilations and reporting about workplace injuries and illnesses.
c. Wiretaps – super strict and needs PC
d. HIPAA and COPPA – forbid 3rd party disclosure without opt-in.
e. GLBA – – forbid 3rd party disclosure unless did-not opt out.

72
Q

4th Amdt. general concept.

A

“right to be secure…against unreasonable searches and seizures…without probable cause.”

73
Q

ECPA

A
  1. Electronic Communications Privacy Act. Does not preempt state law.

“trap and trace” devices and pen registries ok if a part of an ongoing investigation.

Extends ban on interception in e-communications. (with Title 3 laws)

There IS private right of action

74
Q

Telephone Wiretap Law –>

Olmstead, Kats and Jones holdings

A

Olmestead. Holding: Don’t need a warrant.
Katz – Holding: Need a warrant for wiretap
Jones – Holding: it was a trespass to track a car

75
Q

SCA

A
  1. Stored communications act generally prohibits collection or blocking while in storage w/o warrant.

Creates prohibition of acquisition or blocking of e-communications.

Exception: conduct authorized by entity when providing a service. Also, if use of that service intended for this purpose.

76
Q

RFPA

A
  1. Right to Financial Privacy Act.

No govt access unless reasonably described and meet one of the following

  1. Customer authorize
  2. Appropriate subpoena or summons
  3. Warrant
  4. Judicial subpoena
  5. Formal written request from gov authority.
77
Q

PPA

A
  1. Privacy Protection Act. (exception to RFPA). Protects the Media in the course of criminal investigation.

Exception – if PC that a reporter has committed or is in the process of committing a crime (doesn’t count if in possession or receipt of work product only)

78
Q

Zurcher vs. Stanford Dailey

A

Searched unpublished photos. SCOTUS decided search warrants were valid to search any property with probable cause that evidence of a crime will be found.

PPA later passed that those searchers were unlawful UNLESS PC that a reporter has committed or is in the process of committing a crime (doesn’t count if in possession or receipt of work product only)

79
Q

215 of Patriot Act

A
  1. Can demand production of info from companies for anti-terrorism.
80
Q

NSL

A

National Security Letter - Prior to 2001 this was used narrowly only with FBI order. This was expanded in Patriot Act.

2006 – Can be issued by authorize officials now. Generally can issue w/o any judicial involvement. Recipients can petition – however, if oppressive or unreasonable.
1. Request may be disclosed to legal counsel and those necessary to comply.

  1. Recipients can also petition a court to modify or end secrecy requirement.
  2. 5+ years in prison and fines up to 250,000 for individual If improper disclosure.
81
Q

FISA

A
  1. Foreign Intelligence Surveillance Act -
    as amended by US Patriot Act

Standards and procedures for electronic surveillance.

If Co. receive FISA order, then the recipient Co. cannot disclose the fact of the order to the target of the investigation.

FISA gave legal authorization of some new surveillance practices

82
Q

PO or QPO

Rule 26(c) of Civ Pro
Rule 49.1 of Crim Pro
Rule 9037 of Bankruptcy Pro

A

Qualified Protective Order- When requesting health info, this order states the acquired health info can only be used for litigation.

Redaction utilized (last 4 digits of sensitive ID #s and PCI, DOB, all minor info (use initials))

83
Q

PI disclosure is prohibited with the following acts

A

COPPA, GLBA, and HIPAA (not the ECPA)

84
Q

COPPA

A

Children’s Online Privacy Protection Act.

regulates collection and use of kid’s under 13 info by commercial website operators.

No private right of action. Enforcement actions include consent decrees ranging from 50k to 3 million.

Exceptions to the notice rule include if its collected along with parents to get consent, to respond once if they delete the kids email right away or sends notice to parent., and for safety of the kid.

COPPA safe harbor programs -
CARU - the BBB Children’s Advertising Review Unit.
ESRB - Entertainment Software Rating Board
Truste
Privo, Inc
Aristotle Int. Inc.

85
Q

CALEA or “Digital Telephony Bill”

A
  1. Communication Assistance to Law Enforcement Act. -

Requires telecommunications companies to keep different types of data depending on investigative warrants

86
Q

Common Torts actions re: Workplace Privacy

A

i. Intrusion upon seclusion
ii. Publicity given to private life/facts
iii. Defamation or false light(ie false drug test or factually incorrect reference)

87
Q

General Workplace Privacy rules to remember

A
  1. This is a matter of K law in US.
  2. Can’t ask for history of workman’s comp.
  3. In Delaware, no Co can monitor or intercept phone convos without notice once a day.
88
Q

Laws that protect employee privacy.

A

HIPAA, COBRA, ERISA, Fam and Med leave Act.

89
Q

COBRA

A
  1. Consolidated Omnibus Budget Reconciliation Act

Requires qualified health plans to still provide coverage after termination of certain beneficiaries

90
Q

ERISA

A
  1. Employee Retirement Income Security Act.

Ensures emp. benefits programs are created fairly w/ proper admin.

health plan providers cannot adjust premiums based on genetics

91
Q

Family and Medical Leave Act

A

Right to time off for birth or illness for self or family.

92
Q

Fed Agencies that enforce employment privacy

A

Dept. of Labor, EEOC, FTC, CFPB, NLRB (NLRA board)

93
Q

Department of Labor

A

Helps find work, and help with national efforts

94
Q

EEOC

A

Equal Employment Opportunity Commission

  1. Prevents discrimination
  2. Enforces title 7, anti-age discrimination, 1990 ADA
95
Q

NLRB

A

The National Labor Relations Board

Administrates NLR Act and deals with unfair labor Practices

96
Q

NCPA

A

National Child Protection Act

Allows background check to work with kids and extra access to info.

97
Q

FCRA standards to meet to conduct background checks

A

i. Written notice and consent
ii. Use of qualified CRA
iii. Certification of a permissible purpose
iv. Must provide report to dispute if they are going to take adverse action (adverse action notice).

98
Q

ICRAA

A

Investigated Credit Reporting Agencies Act (state law) - not preempted

i. Must get written disclosure to get a report before it is obtained. Must say basically everything about the purpose of report and all the personal info they’re getting. And website and numbers where employee can find more info on privacy practices.
ii. Consent requirements – FCRA does not preempt states from conducting credit checks and only some state limit credit history for employment. (sometimes depends on the job being hired for)

99
Q

Monitoring state laws to remember

A

in CA no cameras in places ppl change clothes. MI – no cameras in private place.

should limit to “non-private” areas of the workplace to avoid suits. even absence of statutes can bring common-law tort claims.

100
Q

EPPA

A
  1. Employee Polygraph Protection Act.

psych screening tests, stress tests or lie detector tests are not allowed.

Exceptions: gov. employees, controlled substances professions , national security jobs, ongoing investigation, some contractors.

101
Q

Hiring and Drug use

A

Alcoholism must be disclosed (even though it is a disability) if necessary for the job

Not allowed to discriminate on past drug use unless it is clear from policy its needed for the job. Exceptions: transportation settings.

Allowed to ID illegal drugs if employer has a reasonable suspicion from behavior, looks, and odors. Employees must be notified at time of hire. (ADA excludes current illegal drug use from their protections)

102
Q

An employer may ask if employee needs reasonable accommodations at what time?

A

After an offer of employment.

103
Q

CA Assembly Bill – 1950

A

2004: CA companies must have reasonable data security and must have reasonable security controls for PI and contractually obligate vendors and sub-contractors to have the same standards.

104
Q

MA 201 CMR 17 - 2010

A

Detailed min standards and tech requirements for maintaining records and data. – must review at least once a year or if business changes.

105
Q

WA HB 1149 - 2010

A

a. incorporates PCI DSS standards. lets banks recover the cost of reissuing debit card from large processor who handled them negligently. Processor then should encrypt and notify w/I 1 year.
i. Example of trying to incorporate PCI standards. MI and NV enacted similar laws earlier.
ii. CA prevents use of SSNs

106
Q

Privacy Rights clearinghouse

A

database of data breach incidence since 2005

107
Q

States that have Data breach notification laws

A

Every state as of Jun 2012 besides New Mexico, South Dakota, Alabama, and Kentucky.

108
Q

Definitions of PI across states

A
  1. CT. first and last name (or initials) in convo with SSNs license, ID #. PCI, access codes/passwords.
  2. NV excludes last 4 SSN as PI
  3. AK, CA, MS, TX, an VG include med and healthcare info
  4. OR, NE, NC, and WIscon include unique biometric data
  5. WI includes DNA profile
  6. ND includes moms maiden name
  7. CA - name plus (1 of the following) SSN, ID #, license, or PCI. ORRRR card # with another code. (there is private right of action).
109
Q

Definitions of “data breach” across states

A
  1. CT - unauthorized access to or acquisition of electronic files containing PI when it is not secured by encryption or another anonymization of the info.
  2. FL – “material compromise”
  3. KS, SC – cause (or likely to cause) ID theft or material harm

CA - excludes encrypted data

Some states have private right of action - other reserve enforcement to the AG.

110
Q

Whom to and when to notify across states.

A

TX – must notify residents and notify AG and reporting agencies CRAs.

Idaho - gotta notify AG w/I 24 hours of detections

CA - gotta notify AG ASAP if >500 residents affected.

Puerto Rico – notification w/I 10 days of detection and the entity will make info public w/I 24 hours

MA – report to AG and prohibits reporting the number of affected individuals in a data breach notification.

LO - tell AG w/i 10 days

14 states gotta tell AG

111
Q

What to include in notification (NC ex.)

A
  1. Description of incident
  2. Description of type of info
  3. Description of what business has done to prevent further access
  4. Who they can call for further info
  5. A warning for them to stay vigilant
  6. Toll-free numbers for reportign agencies
  7. Toll-free numbers for FTC and NC AG telling them those sources have more info on ID theft.
112
Q

Destruction Laws by state

A

a. As of July 2012, 26 states have data destruction laws, often incorporated in breach notification laws.
i. Applicability
ii. Requirements
iii. Exemptions
iv. Covered media
v. Penalties

i. AZ – this law only applies to paper records
ii. Alaska – right to private action
iii. CA – “unreadable or undecipherable through any means”
iv. IL, UT – gov entities only
v. NY – for profit business only
vi. MA – steep penalties (not more than $100/data subject not to exceed $50,000 for each instance).

113
Q

TX whom to notify provision

A

must know for some reason….

114
Q

Reliable methods to verify parental consent via COPPA

A
  1. provide a form for the parent to print, fill out, sign, and mail or fax back to you (the “print-and-send” method);
  2. require the parent to use a credit card in connection with a transaction (which could consist of a membership or subscription fee, a purchase, or a charge to cover the cost of processing the credit card).
  3. maintain a toll-free telephone number staffed by trained personnel for parents to call in their consent; or
  4. obtain consent through an email from the parent, if that email contains a digital signature, or other digital certificate that uses public key technology obtained through one of the above methods.
115
Q

Appropriate reasons for disclosing empl. PI

A

Determining legal standing or citizen status, retirement planning and group insurance underwriting.

(NOT test marketing new products)

116
Q

Whats generally required in a breach notification letter

A
  1. A brief description of the incident,
  2. The type of information involved, and
  3. A toll-free number for answers to questions.
117
Q

What is a consent decree?

A

A judgement entered by consent of the parties whereby the defendant agrees to stop illegal activity without admitting guilt or wrongdoing.

118
Q

FTC

A

1914 (antitrust) then 1938 (for consumer protection) Federal Trade Commission.

Generally protects against deceptive and unfair practices. via title 5

119
Q

Dept of Commerce

A

plays leading role in Fed privacy development and administers Safe Harbor agreement. (now privacy shield)

120
Q

Magnuson-Moss Warranty FTC improvement act

A

1975 - businesses must comply with this to avoid being found to engage in deceptive or unfair practices by the FTC.

121
Q

UDAP statutes

A

Unfair and Deceptive Acts and Practices statutes (from Section 5 of the FTC act)

depends on state if private right of action.

122
Q

PCI DSS

A

Payment Card Institute Data Security Standard (PCI DSS)

123
Q

GPEN

A
  1. Global Privacy Enforcement Network - aims to promote cross-border sharing and investigation / enforcement.

response to the OECD recommendation on cross-border co-operationg in the enforcement of laws protecting privacy.

124
Q

4 requirements for users of consumer reports (under FCRA)

A
  1. Must be appropriately accurate, current, and complete.
  2. Consumers receive notice if used to make adverse decisions. (within 60 days)
  3. Reports only used for permissible purposes.
  4. Must have access to reports and ability to correct
125
Q

FACTA disposal rule

A

must dispose of consumer info in reports to prevent unauthorized access or misuse of data.

126
Q

FIRREA

A

Financial Institutions Reform, Recovery, and Enforcement Act.

Failing to comply with GLBA may be subject to penalties under this. Ranges from 5.5k to 27.5k if reckless. Up to 1.1 mil if “knowing” violaton.

127
Q

What agency implemented the model short privacy notice in 2009?

A

the Financial Services Regulatory Relief Act of 2006

128
Q

GLBA Safeguards Rule

A

Must have 3 levels of security

  1. Admin security
  2. Tech security
  3. Physical security
129
Q

What are NOT considered “educational records” under FERPA?

A
1. Campus police records.
Employment Records
2. Treatment Records
3. Applicant Records
4. Alumni records
5. Grades on peer-graded papers.
130
Q

DNC rules do not apply to …

A
  1. Nonprofits calling on their own behalf
  2. Calls to customers with an existing relationship within the last 18 months.
  3. Inbound calls, provided there is no “upselling”
  4. Most business-to-business calls.
131
Q

Abandonment Safe Harbor

A

Telemarketer must:

  1. Use tech to ensure no more than 3% of calls are abandoned. 97% must be a live rep.
  2. Allows the phone to ring 15 seconds or 4 rings before disconnecting unanswered calls.
  3. Within 2 seconds of answering a recorded message says the name, and phone# of seller when a live sales rep is unavailable.
132
Q

JFPA

A

2005, Junk Fax Prevention Act. - consent can be inferred from an existing business relationship (EBR)

133
Q

CAN SPAM

A
  1. Controlling of the Assault of Non-Solicited Pornography and Marketing Act.

Rules of the road for how the legit organizations send emails, including ID the sender and a simple unsubscribe or opt-out. Up to $16,000 per violation. Preempts most state laws.

No private right of action but provides for injunctive relief and damages up to $250 per violation with a max of 2 million in award. egregious violations = 5 years prison.

PROHIBITS:

  1. false/misleading headers
  2. deceptive subject lines
  3. commercial email (following a grace period of 10 business days) to someone who opted out of future email.
  4. Aggravated violations
  5. All sexually oriented material come with a warning label (unless consent)≥

REQUIRES

  1. functioning, clearly and conspicuously displayed return e-mail address.
  2. clear and conspicuous notice of opportunity to opt-out for free.
  3. Commercial emails must include 1) clear and conspicuous ID of the message (unless consent already given) and 2) valid postal address or PO box of sender
134
Q

CA Online Privacy Protection Act

A
  1. first state law to require owners and operators of websites and online services to conspicuously post a privacy notice on their website. (pg 112 for reqs of what the privacy notice requires).

If non-compliant they have 30 days to post an appropriate privacy notice.

no specific enforcement provisions - but may be enforce thorguh fraud business practices

135
Q

Disclosure to the gov forbidden by law.

A

HIPPA and COPPA forbid disclosures of covered info to 3rd parties unless opt-in. GLBA forbids disclosures unless opt-out.

136
Q

ESI

A

electronically stored info.

is a sub-discipline of e-discovery which implicates domestic and trans-border data flows.

137
Q

Aerospace v. Iowa

A

Set out factors for knowing if a trans-border transfer of data is appropriate.

  1. The importance of the documents or data to the litigation at hand.
  2. The specificity of the request
  3. Whether the info originated in the U.S.
  4. The availability of the alt means of security info.
  5. (most important) The extent to which the important interests of the US and the foreign state would be undermined by an adverse ruling.
138
Q

Federal Laws Protecting Employee Privacy

A

Civil Rights Act of 1964

Pregnancy Discrimination Act

ADA of 1991x

Age Discrimination Act

Equal Pay Act of 1963

GINA of 2008

139
Q

Laws regulating employee benefits management

A

HIPPA, COBRA, ERISA, FMLA

140
Q

FMLA

A

Family Medical Leave Act - entitles certain employees to leave in the event of birth or illness of self or family.

141
Q

Fed laws that help with employee privacy regarding data collection and record keeping

A

FCRA,
FLSA - fair labor standards act
OSHA - occupational safety and health act
Whistleblower protection act,
NLRA - national labor relations act
ICRA - Immigration reform and control act
Securities and Exchange Act

142
Q

Canada’s 1990s “privacy by design” framework”

A

(1) Proactive not Reactive; Preventative not Remedial; (2) Privacy as the Default Setting; (3) Privacy Embedded into Design, (4) Full Functionality — Positive-Sum, not Zero-Sum; (5) End-to-End Security — Full Lifecycle Protection; (6)Visibility and Transparency — Keep it Open; and (7) Respect for User Privacy — Keep it User-Centric.