Enforcement Of US Privacy And Security Laws Flashcards

1
Q

Civil litigation

A

Occurs in the courts
Plaintiff sues the defendant
Plaintiff usually seeks money or an injunction (mandating the defendant to stop engaging in certain behaviors)

2
Q

What are important categories of civil litigation?

A

Contracts - suing someone for breach of contract

Torts - suing someone for invasion of privacy

3
Q

Criminal litigation

A

Lawsuits brought by the government for violations of criminal laws
Can lead to imprisonment or fines

4
Q

Criminal litigation is prosecuted by whom at the federal and state levels?

A

Federal - department of justice

State - attorney general or district attorneys

5
Q

What is the FTC enforcement process and consent decrees?

A

When the respondent of an FTC privacy enforcement action does not admit fault but promises to change its practices and avoids further litigation on the issue

6
Q

Deceptive trade practices

A

Must involve a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances

Examples - false promises, misrepresentations, failure to comply with representations made to consumers

7
Q

Unfair trade practices

A

Failing to implement adequate protection measures for sensitive personal information or providing inadequate disclosures to consumers

Unfair claims can exist even when the company has not made any deceptive statements
The injury must:
- be substantial
- lack offsetting benefits
- not be easily avoidable by consumers
8
Q

What is the GPEN?

A

Global Privacy Enforcement Network
Promotes cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world

9
Q

How can self-regulatory enforcement occur?

A

Can occur through 3 separation-of-powers components

Some self-regulatory systems engage in all 3 roles without the enforcement of a government agency (PCI)

Section 5 of the FTC Act can bring enforcement actions and adjudication

10
Q

Administrative enforcement actions

A

Actions carried out pursuant to the statutes (COPPA, TSR) that create and empower an agency (FTC and FCC)

11
Q

When may a person sue based on a violation of law?

A

When a law creates a private right of action

Example: Fair Credit Reporting Act (FCRA) allows individuals to sue a company if their consumer reports have been used inappropriately

12
Q

What acts give the FTC power to govern privacy issues?

A

FTC Act section 5
Fair Credit Reporting Act (FCRA)
Children’s Online Privacy Protection Act (COPPA)
Controlling assault of non-solicited pornography and marketing (CAN-SPAM)
Telemarketing Sales Rule

13
Q

Administrative Procedure Act

A

In the federal government the basic rules for agency enforcement actions occur under this act.

Sets forth basic rules for adjudication within an agency, where court-like hearings may take place before an administrative law judge

14
Q

What incentives do a company and the FTC have to negotiate a consent decree rather than proceed with full adjudication?

A

Company avoids a long trial, avoids having the details of its business practices exposed to the public and negative publicity

FTC - achieves a consent decree that incorporates good privacy and security, avoids the expense and delay of a trial, gains an enforcement advantage because monetary fines are easier to access in court if a company violates a consent decree than if one is not in place

15
Q

What are the consumer privacy bill of rights under the White House report by Obama?

A
Individual control 
Transparency
Respect for context 
Security 
Access and accuracy 
Focused collection
Accountability
16
Q

What is in the FTC privacy report?

A

Privacy by design
Simplified consumer choice
Transparency

17
Q

What are the FTC's 5 areas of priority?

A
Do not track mechanism 
Mobile
Data brokers
Large platform providers 
Promotion of enforceable self-regulatory codes
18
Q

What is section 5 of the FTC act?

A

Single most important piece of US privacy law

Says “unfair or deceptive acts or practices in or affecting commerce are hereby declared unlawful”

19
Q

What laws do states have against privacy?

A

Unfair and deceptive acts and practices or UDAP statutes.

Some of these statutes allow enforcement against unconscionable practices, a term for a range of harsh seller practices

20
Q

Who can enforce UDAP laws?

A

State attorney general

21
Q

What are examples of self-regulation?

A

PCI DSS - payment card institute data security standard
3rd party privacy seal and certification programs (TrustArc and Better Business Bureau)
Digital Advertising Alliance (DAA)

22
Q

What roles under self-regulation does PCI DSS engage in?

A

All 3; does not involve a government agency

Legislation - rules were drafted by the PCI DSS council
Enforcement - require a 3rd party to conduct assessments
Adjudication - there are penalties

23
Q

What is the FTC act?

A

Act that empowers the FTC

24
Q

What do the COPPA and CAN-SPAM laws provide the FTC?

A

The authority to issue regulations to implement the laws

Specific regulatory authority

25
Q

What are recent focus areas for the FTC which may lead to future enforcement action?

A

Smart TVs - ability to track consumer viewing habits
Drones
Ransomware

26
Q

What is big data?

A

A term used to describe the nearly ubiquitous collection of data about individuals from multitudinous sources coupled with low costs to store such data and the new mining techniques used to draw connections and make predictions based on this collected information

Fuel that runs algorithms and analytics which will enable AI systems connected to the cloud

27
Q

IoT

A

Internet of things
Devices that can connect to the internet and each other without the need for human interaction
Big data is gathered by these devices, which started as desktops, then moved to laptops and smartphones, and now include wearable technology, connected cars, smart homes and smart cities
Devices interact with software likely in the cloud and run autonomously
When coupled with data analysis devices may take proactive steps, make decisions or suggest next steps

28
Q

What themes are important in applying privacy protections to big data?

A

Data minimization
De-identification
- pseudonymous: information from which the direct identifiers have been eliminated, indirect identifiers remain intact
- de-identified: direct and known indirect identifiers have been removed
- anonymous: direct and indirect identifiers have been removed or technically manipulated to prevent re-identification

29
Q

Data brokers

A

Collecting consumer data from numerous sources, usually without consumers' knowledge or consent, storing billions of data elements on nearly every US consumer, analyzing data about consumers to draw inferences about them, and combining online and offline data to market to consumers online

30
Q

Concerns around privacy and security on IoTs stem from what?

A

Limited user interfaces in the products
Lack of industry experience with privacy and cyber security
Lack of incentives in the industries to deploy updates after products are purchased
Limitations of the devices themselves such as lack of effective hardware security measures

31
Q

Concerns around Wearables

A

Most of the information collected is not protected by HIPAA because HIPAA only applies to the activities of covered entities

The Future of Privacy Forum issued a set of best practices for the privacy of consumer wearables

32
Q

Concerns with connected cars

A

Systems and subsystems will have digital information sent to the internet. Some of these systems may operate the vehicle or keep the user's electronics operating. These configurations place sensitive information at risk of unauthorized access or hacking

Several organizations like the FCC and FTC are considering regulating connected cars

33
Q

Concerns with smart homes

A

There are massive amounts of data collected, much of the data is reported back to companies over the internet, systems can be hacked or hijacked, often data streams are not encrypted

34
Q

Concerns around smart cities

A

Software vulnerabilities, data security breaches and potential invasion of privacy
Privacy threats include real-time surveillance capabilities, invasion of physical private space, identification of habits, collection of aggregated details about personal life

35
Q

What federal laws preempt state laws?

A

COPPA
CAN-SPAM
FCRA
FACTA

36
Q

Who does section 5 of the FTC act apply and not apply to?

A

Applies to businesses in commerce

Does not apply to:

  • nonprofit orgs
  • banks and other federally regulated financial institutions and common carriers such as the transportation and communications industries

37
Q

What does section 5 of the FTC act apply to?

A

Applies to unfair and deceptive practices in commerce and does not apply to nonprofit orgs

The commission's powers also do not extend to certain industries including banks, other federally regulated financial institutions and common carriers such as transportation and communications industries

38
Q

Privacy torts

A

Intrusion upon seclusion
Appropriation of name or likeness
Publicity given to private life
Publicity placing a person in false light

39
Q

FTC enforcement process

A

FTC receives complaint
Issues investigation and complaint
Administrative trial begins before the ALJ
If a violation has been found the ALJ can force the company to stop the activity
Decision of the ALJ can be appealed to the 5 commissioners and then to federal district court

An order by the commission becomes final 60 days after it is served on the company. If the ruling is ignored the FTC can seek civil penalties or money

Each day the violator fails to comply with the order is considered a separate offense

Additional penalties can be made if a company does not respond to a complaint or order

40
Q

What is legislation, enforcement and adjudication?

A

L - who should define appropriate rules for protecting privacy
E - who should initiate enforcement actions
A - who should decide whether a company has violated the privacy rules and with what penalties