Enforcement Of US Privacy And Security Laws Flashcards
Civil litigation
Occurs in the courts
Plaintiff sues the defendant
Plaintiff usually seeks money or an injunction (mandating that the defendant stop engaging in certain behaviors)
What are important categories of civil litigation?
Contracts - suing someone for breach of contract
Torts - suing someone for invasion of privacy
Criminal litigation
Lawsuits brought by the government for violations of criminal laws
Can lead to imprisonment or fines
Criminal litigation is prosecuted by whom in the federal government and the states?
Federal - Department of Justice
State - attorney general or district attorneys
What is the FTC enforcement process and consent decrees?
A consent decree is reached when the respondent of an FTC privacy enforcement action does not admit fault but promises to change its practices and avoids further litigation on the issue
Deceptive trade practices
Must involve a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances
Examples - false promises, misrepresentations, failure to comply with representations made to consumers
Unfair trade practices
Failing to implement adequate protection measures for sensitive personal information, or providing inadequate disclosures to consumers
Unfair claims can exist even when the company has not made any deceptive statements. The injury must be:
- substantial
- lacking offsetting benefits
- not easily avoidable by consumers
What is the GPEN?
Global privacy enforcement network
Promotes cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world
How can Self regulatory enforcement occur?
Can occur through the 3 separation-of-powers components (legislation, enforcement and adjudication)
Some self regulatory systems engage in all 3 roles without the enforcement of a government agency (PCI)
Under Section 5 of the FTC Act, the FTC can bring enforcement actions and conduct adjudication
Administrative enforcement actions
Actions carried out pursuant to the statutes (COPPA, TSR) that create and empower an agency (FTC and FCC)
When may a person sue based on a violation of law?
When a law creates a private right of action
Example: the Fair Credit Reporting Act (FCRA) allows individuals to sue a company if their consumer reports have been used inappropriately
What acts give the FTC power to govern privacy issues?
FTC Act Section 5
Fair Credit Reporting Act (FCRA)
Children’s Online Privacy Protection Act (COPPA)
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
Telemarketing Sales Rule (TSR)
Administrative Procedure Act
In the federal government, the basic rules for agency enforcement actions are set under this act.
Sets forth basic rules for adjudication within an agency, where court-like hearings may take place before an administrative law judge (ALJ)
What incentives does a company and the FTC have to negotiate a consent decree rather than proceed with full adjudication?
Company avoids a long trial, avoids having the details of its business practices exposed to the public and negative publicity
FTC - achieves a consent decree that incorporates good privacy and security practices, avoids the expense and delay of a trial, and gains an enforcement advantage because monetary fines are easier to obtain in court if a company violates a consent decree than if one is not in place
What are the consumer privacy bill of rights under the White House report by Obama?
- Individual control
- Transparency
- Respect for context
- Security
- Access and accuracy
- Focused collection
- Accountability
What is in the FTC privacy report?
Privacy by design
Simplified consumer choice
Transparency
What are the FTCs 5 areas of priority?
- Do Not Track mechanism
- Mobile
- Data brokers
- Large platform providers
- Promotion of enforceable self-regulatory codes
What is Section 5 of the FTC Act?
The single most important piece of US privacy law
Says “unfair or deceptive acts or practices in or affecting commerce are hereby declared unlawful”
What laws do states have to protect privacy?
Unfair and deceptive acts and practices, or UDAP, statutes.
Some of these statutes allow enforcement against unconscionable practices, a term for a range of harsh seller practices
Who can enforce UDAP laws?
State attorney general
What are examples of self regulation?
PCI DSS - Payment Card Industry Data Security Standard
3rd-party privacy seal and certification programs (TrustArc and the Better Business Bureau)
Digital Advertising Alliance (DAA)
What roles under self regulation does PCI DSS engage in?
All 3; none of them involves a government agency
Legislation - rules were drafted by the PCI DSS council
Enforcement - require a 3rd party to conduct assessments
Adjudication - there are penalties
What is the FTC Act?
The act that empowers the FTC
What do the COPPA and CAN-SPAM laws provide the FTC?
The authority to issue regulations to implement the laws
Specific regulatory authority
What are recent focus areas for the FTC which may lead to future enforcement action?
Smart TVs - ability to track consumer viewing habits
Drones
Ransomware
What is big data?
A term used to describe the nearly ubiquitous collection of data about individuals from multitudinous sources, coupled with the low cost of storing such data and the new mining techniques used to draw connections and make predictions based on this collected information
The fuel that runs the algorithms and analytics that will enable AI systems connected to the cloud
IoT
Internet of things
Devices that can connect to the internet and each other without the need for human interaction
Big data is gathered by these devices, which started as desktops, then moved to laptops and smartphones, and now include wearable technology, connected cars, smart homes and smart cities
Devices interact with software, likely in the cloud, and run autonomously
When coupled with data analysis, devices may take proactive steps, make decisions or suggest next steps
What themes are important in applying privacy protections to big data?
Data minimization
De-identification
- pseudonymous: information from which the direct identifiers have been eliminated, indirect identifiers remain intact
- de-identified: direct and known indirect identifiers have been removed
- anonymous: direct and indirect identifiers have been removed or technically manipulated to prevent re-identification
Data brokers
Collecting consumer data from numerous sources, usually without consumers' knowledge or consent; storing billions of data elements on nearly every US consumer; analyzing data about consumers to draw inferences about them; and combining online and offline data to market to consumers online
Concerns around privacy and security on IoT devices stem from what?
Limited user interfaces in the products
Lack of industry experience with privacy and cyber security
Lack of incentives in the industries to deploy updates after products are purchased
Limitations of the devices themselves such as lack of effective hardware security measures
Concerns around Wearables
Most of the information collected is not protected by HIPAA because HIPAA only applies to the activities of covered entities
The Future of Privacy Forum issued a set of best practices for the privacy of consumer wearables
Concerns with connected cars
Systems and subsystems will have digital information sent to the internet. Some of these systems may operate the vehicle or keep the user's electronics operating. These configurations place sensitive information at risk of unauthorized access or hacking
Several organizations, like the FCC and FTC, are considering regulating connected cars
Concerns with smart homes
Massive amounts of data are collected, much of it is reported back to companies over the internet, systems can be hacked or hijacked, and data streams are often not encrypted
Concerns around smart cities
Software vulnerabilities, data security breaches and potential invasion of privacy
Privacy threats include real-time surveillance capabilities, invasion of physical private space, identification of habits, collection of aggregated details about personal life
What federal laws preempt state laws?
COPPA
CAN-SPAM
FCRA
FACTA
To whom does Section 5 of the FTC Act apply and not apply?
Applies to businesses in commerce
Does not apply to:
- nonprofit orgs
- banks and other federally regulated financial institutions, and common carriers such as the transportation and communications industries
What does Section 5 of the FTC Act apply to?
Applies to unfair and deceptive practices in commerce and does not apply to nonprofit orgs
The commission's powers also do not extend to certain industries, including banks, other federally regulated financial institutions and common carriers such as the transportation and communications industries
Privacy torts
Intrusion upon seclusion
Appropriation of name or likeness
Publicity given to private life
Publicity placing a person in false light
FTC enforcement process
FTC receives complaint
Investigates and issues a complaint
Administrative trial begins before the ALJ
If a violation has been found, the ALJ can order the company to stop the activity
The decision of the ALJ can be appealed to the 5 commissioners and then to federal district court
An order by the commission becomes final 60 days after it is served on the company. If the ruling is ignored, the FTC can seek civil penalties or money
Each day the violator fails to comply with the order is considered a separate offense
Additional penalties can be imposed if a company does not respond to a complaint or order
What is legislation, enforcement and adjudication?
L - who should define appropriate rules for protecting privacy
E - who should initiate enforcement actions
A - who should decide whether a company has violated the privacy rules and with what penalties