Flash Cards 2

1
Consumer report, Furnishers are obligated to..
correct and update information, provide notice of disputes, notice of account closures, notice of delinquency within 90 days of being given to collectors, notice of identity theft
2
Consumer report, Financial institution, negative info to CRA, must also..
Give notice to the consumer within 30 days; there is a safe harbor if they have reasonable practices for doing so
3
Consumer report, Furnishers to provide a dispute process to consumers, T or F
t
4
Consumer report, Furnishers, dispute, re-investigation to be completed within..
30 days
5
Consumer report, Furnishers must have this in place, policies…
and procedures in place to handle disputes and ensure accuracy and integrity of information provided by CRAs
6
Who regulates the Consumer Report stuff, FACTA stuff
FTC and CFPB
7
Red Flags rule is for what..
Identity theft
8
Investigative consumer report is what
a consumer report that includes information on your character and reputation; done through personal interviews
9
Investigative consumer reports, consumer has to be notified, and within 3 days of the request, T or F
t
10
Investigative consumer reports, users of it must..
must certify to the CRA that disclosures have been made and upon written request by consumer provide them with disclosures
11
Investigative consumer reports, safe harbor..
yes, if they have reasonable procedures in place to comply with the law
12
Investigative consumer reports, CRAs have to what before they start one..
get the required certifications and not violate the equal opportunity laws
13
Investigative consumer report, CRAs, negative info rules..
verify, can’t be included in subsequent reports unless re-verified
14
FCRA rule making outline
Dodd-Frank law transferred rule making to the Consumer Financial Protection Bureau
15
FCRA enforce outline
Enforcement is shared between the Consumer Financial Protection Bureau and the FTC
16
FCRA may also be enforced by whom
Functional regulators
17
FCRA and State Attorneys General have
State attorneys general have investigative and enforcement authority for consumers in their state
18
FCRA identity theft pre-emption
State laws aren’t pre-empted by the FCRA for identity theft IF they are consistent with the FCRA
19
FCRA civil liability
yes, if found to have knowingly and willingly done it, but Furnishers are generally exempt
20
What is FERPA
Family Educational Rights and Privacy Act
21
FERPA is also called what
Buckley amendment
22
FERPA applies to what schools
Any school taking federal education funding
23
FERPA applies to what records
Education records
24
FERPA exceptions
Ancillary, Campus Police, Employment, Health Treatment, Alumni, Application, Peer Reviewed Papers
25
FERPA, access, how many days from the time of the request
Access granted within 45 days
26
FERPA, access exceptions
parent's financial information, letters of recommendation
27
FERPA, access student signs waiver
admission or enrollment at another school, application for employment, honorary recommendation
28
FERPA, inaccurate records to be fixed within..
a reasonable time
29
FERPA, what piece of information is never Directory Information
SSN
30
FERPA, how much time before publishing directory information
a reasonable period of time
31
FERPA, directory info of former students may be disclosed without notice, T or F
t
32
FERPA, directory info, prior opt-out wishes to be honored after student graduates, T or F
t
33
FERPA, def of personal info
Name, names of family members, student or family addresses, SSN, student Id#, dates of birth, any other info that could be linked to a student with reasonable certainty
34
FERPA, how long to maintain records of requests for access
for as long as the educational records themselves are maintained
35
FERPA, notice of rights, how often is the notice sent
At least annually
36
FERPA, who has enforcement authority
DOE, department of education
37
FERPA, funding can be pulled when..
compliance can't be secured by voluntary means
38
FERPA, where to send complaints
Office of the Chief Privacy Officer, within 180 days of the violation
39
As a general rule, a student's school health records are subject to FERPA not HIPAA, T or F
t
40
What is the TSR
Telemarketing Sales Rule, a phone, interstate call, purchase goods
41
The telemarketing industry is regulated by both..
FTC and FCC
42
TSR, seller definition
provides or arranges for others to provide services
43
TSR, telemarketer
initiates or receives telephone calls
44
TSR exception
A non-profit making calls on its own behalf isn't subject to the TSR
45
Telephone solicitation exception
someone gave express consent, established business relationship, non profit
46
Who must access the Do Not Call list
both sellers and marketers
47
Call lists must be updated every x days
31 days
48
TSR, what practice is prohibited
abusive
49
Do Not Call list exceptions
Express consent, Established business relationship
50
Established business relationship def
transaction within 18 months, consumer inquiry or submitted an application within 3 months
51
Who may access the Do Not Call registry
Sellers, Telemarketers, Service Providers, Law Enforcement
52
TSR does have a safe harbor if..
procedures, trained, own DNC list, downloaded DNC list within 31 days, compliance checks, call made in error
53
Enforcement of the TSR is done by..
FTC at federal level, both private litigants and state attorney general at state level but must notify FTC
54
What is the TCPA
Telephone Consumer Protection Act
55
TSR, when to call
Between 8am - 9pm, unless they have permission/consent to do otherwise
56
Prompt disclosure
must be made at the beginning of the call: identity of the seller, purpose of the call, nature of the goods or services, no purchase necessary if a prize is involved
57
Prompt disclosure upsell
If upsell happens after the initial transaction, the upsell is considered a new call so all the disclosures have to be said again
58
Deceptive telemarketing practice if..
accept payment without disclosing the terms
59
Material terms can be communicated how..
orally or in writing, must be clear and conspicuous
60
For charitable donations, telemarketers may not misrepresent
nature, purpose, mission, tax deductibility, contribution, %, prize, affiliations, endorsements
61
When accepting payment for a charitable donation other than credit or debit card, you must get ..
express verifiable authorization, written or oral, signature, voided check
62
Abandoned call..
live person within 2 seconds
63
Call abandon safe harbor
< 3% of calls abandoned, ring 4 times or 15 seconds, pre-recorded message, maintain records of compliance
64
TSR prohibits pre-recorded messages called robo calls, T or F
TRUE , unless there is express written consent
65
TSR consent applicability
it's to a specific seller, does not extend to affiliates or marketing partners
66
Robo calls with express written consent rules
ring 4 times or 15 seconds, recorded message within 2 seconds, opt out mechanism, terminate call once invoked, answering machine or vmail service
67
Robo call exception
made by a covered entity or business associate under HIPAA privacy rule
68
Robo texts are also prohibited, T or F
t
69
TSR, billing information, consent
Billing information can't be sent without express informed consent
70
TSR, free to pay rules
Telemarketer to get at least 4 digits of the account number to be charged
71
TSR fraudulent practices
unencrypted account numbers; payment for repair services unless time has already expired and seller proves results were achieved; payment for asset recovery less than 7 days...; advance fee loans; payment for debt relief
72
TSR, caller Id
must include accurate caller ID
73
TSR, deceptive practice, credit card transaction
record a credit card not linked to a sale
74
TSR record keeping requirements
keep for a period of 2 years after produced / created
75
TSR record keeping, how many copies
just one, either by seller or telemarketer
76
TCPA is enforced by
FCC at federal level, private litigants and the states attorney general at state level but must notify FCC
77
State laws are not preempted by TCPA, T or F
True, they are not
78
State laws are not preempted by TSR, T or F
True, they are not
79
The right to financial privacy act doesn't apply to ...
Corporations or Partnerships larger than 5 people
80
The right to financial privacy act is supposed to ..
restrict government access to personal financial information
81
Right to financial privacy disclosure rules
consent, subpoena, warrant, formal request from a federal agency
82
Right to financial privacy act, consent rules
not in excess of 3 months, authorization can be revoked prior to disclosure, to a specific document, identify the government authority, purpose for disclosure, customer's rights
83
Right to financial privacy act, subpoena rules
quash in 10 days, 14 if mailing, government must have reason to believe the information is relevant to a legitimate law enforcement inquiry, customer gets a copy
84
Right to financial privacy act, warrant rules,
mail a copy of the search warrant to the customer within 90 days, court may delay the notification for 180 days
85
Right to financial privacy act, formal written request rules
is an option when no summons or subpoena is available
86
Right to financial privacy act, exemptions that apply to financial institutions
the exceptions are called suspicious activity reports (SARs)
87
Right to financial privacy act, exemptions in addition to SARs
A bank can give up your records to perfect a security interest, for bankruptcy, collect a debt, or for a government loan or benefit
88
The right to financial privacy act was amended by the US Patriot Act
89
Right to financial privacy act, US Patriot Act, private cause of action heard in what court..
Federal court
90
Katz v. United States
warrant for a wire tap
91
Plamondon (Keith case)
4th amendment warrant requirements intersected with national security
92
Article II of the Constitution, President has ...
Plenary power over foreign affairs
93
Domestic surveillance is subject to what..
4th amendment warrant requirements, only applies to US citizens
94
What is FISA
Foreign intelligence surveillance act, engage in surveillance for national security
95
FISA revised by US Patriot Act
to fight terrorism, demanded more detailed reporting, more transparency
96
Edward Snowden released documents led to what..
US Freedom Act which ended bulk record collecting
97
FISC is what
Foreign intelligence surveillance court
98
FISC is composed of what
11 judges appointed by the chief justice, judges serve for 7 years
99
FISC friend of the court
amicus curiae, US Freedom Act
100
Attorney General to review every application for what
a FISA order before it is submitted to the FISC
101
FISA order needs what to be issued
probable cause, foreign power or agent of a foreign power
102
FISA application process
minimization procedures, significant purpose
103
FISA order also permit..
pen registers, trap and trace
104
FISA application denials can be appealed to ..
court of review, if that is denied then the supreme court
105
Color of law is what..
appearance of lawful power when you don't have it, it's a criminal offense
106
US Patriot Act, any tangible thing
anything that would advance the investigation into foreign intelligence
107
Any tangible thing, recipients of the order..
are prohibited to disclose they have the order
108
Any tangible thing,
people complying are immune from liability
109
US Patriot Act, intercept computer communications if..
owner gives consent, official investigation, content relevant to investigation, interception doesn't get comms other than those transmitted
110
Foreign intelligence info of persons outside the US..
Can be done, 1 year, Attorney General and Dir of National Intelligence must authorize it
111
Foreign intelligence info of persons outside the US, once approved..
FISC to review and approve, has to meet minimization and targeting rules
112
Upstream surveillance is what
information from internet backbone, the physical infrastructure
113
PRISM or Downstream surveillance is what
information from internet companies
114
After the fact surveillance disclosures aren't permitted, T or F
t
115
Amicus curiae from the US Patriot Act was permitted to what..
increase transparency
116
Surveillance reporting...
Congress mandated a bunch of reporting around the number of FISA orders and NSLs; this was added as a requirement to the US Freedom Act
117
Civil proceedings rules are called..
Federal Rules of Civil Procedure (FRCP)
118
Discovery devices
Requests for production, Depositions, Interrogatories, Requests for admission, Subpoena
119
Subpoena must have
the court, title, person, rules to challenge
120
All discovery devices must be personally served, T or F
T
121
What is privilege
Not to disclose information
122
Discovery rule changes.. why
for electronic information
123
New discovery rules now include what
emails, databases, server logs, text messages, voicemails, thumb drives, etc.
124
Sedona conference
best practices for e-discovery, data management, data retention, information governance
125
Aerospaciale, comity analysis
importance, specificity, originated in the U.S., alternative means, non compliance undermine U.S. interests
126
Filing suit in a U.S. court means..
subject yourself to U.S. rules
127
Sedona conference, act in good faith
get out of jail free card
128
Lewy v. Remington Arms
Sedona conference, good example of good faith
129
Sedona conf, business judgement rule
corp decisions are made in the best interests of the corporation
130
Attorney's eyes only
prevent private information from being disclosed
131
What is a protective order
prevents information disclosure
132
Rule 26 of Federal Rules of Civil Procedure (FRCP)
permits a protective order, annoyance, embarrassment, etc.
133
Rule 5.2 of Federal Rules of Civil Procedure (FRCP)
Redaction of specific information
134
At will
relationship between employee and employer
135
At will, can be modified with
a contract
136
Contract between the employer and the labor union
collective bargaining agreement
137
Government employers have to worry about
constitutional provisions in the workplace
138
SEC law, disclose salaries of..
certain C-level executives, public companies
139
Consumer reports and the workplace...
Fair and Accurate Credit Transactions Act (FACTA), how consumer reports are used
140
Background checks are included in what law
Fair Credit Reporting Act (FCRA), regulated by the FTC
141
Depart of Labor (DOL) developed what..
welfare of the wage
142
Department of Labor (DOL) rule making for
Fair Labor Standards Act (FLSA), Employee Retirement Income Security Act (ERISA), Occupational Safety and Health Administration (OSHA)
143
Equal Employment Opportunity Commission (EEOC)
Antidiscrimination laws, Title VII of Civil Rights Act, Americans with Disabilities Act, Age Discrimination in Employment Act
144
Equal Employment Opportunity Commission (EEOC) stats
5 members, no more than 3 of the same political party, appointed by the President for no more than 5 years, separate General Counsel serves 4 years and conducts litigation
145
National Labor Relations Board (NLRB) does what
Right to join unions, negotiates collective bargaining agreements
146
Title VII Civil Rights Act significant revisions
Civil Rights Act of 1991 and Lilly Ledbetter Fair Pay Act
147
Equal Employment Opportunity Commission (EEOC) applies to companies with how many employees
15 or more
148
Title VII Civil Rights Act created what
Equal Employment Opportunity Commission (EEOC)
149
EEOC has broad authority to prohibit what
unlawful employment practices, given to them by Title VII
150
EEOC, how many days to serve a charge
10 days
151
EEOC investigative threshold
reasonable cause
152
EEOC may file a civil action, T or F
T
153
EEOC general public importance, how many judges
3
154
Americans with Disabilities Act (ADA) applies to what companies
15 or more people
155
Civil Rights Act Title I does what
Covered entities can't discriminate based on disability
156
ADA, Toyota v. Williams
carpal tunnel not a disability
157
ADA, Sutton v. United Airlines
Myopia not a disability
158
ADA, medical exams
can be required as a condition of a job offer if, all entering employees are subject to it, medical condition results are kept separate, results only used in accordance with the ADA
159
ADA, medical exams .. another fact
medical exams are permitted if both job related and consistent with business necessity
160
ADA, drug testing is not considered a medical exam, T or F
T
161
Genetic Information Nondiscrimination Act (GINA) is overseen by
HHS
162
GINA is tied to what other laws
Employee Retirement Income Security Act (ERISA), Social Security Act, HIPAA
163
GINA protected under Chapter 21 of Title 42 which is enforced by
EEOC
164
Civil Rights Act Title II and GINA
prohibits discrimination for genetic info, but age and sex are excluded
165
GINA, Employers requesting info, exceptions, they can request if
inadvertent, voluntary wellness program, to comply with Family Medical Leave Act, commercially and publicly available, for law enforcement
166
GINA rules also apply to
employment agencies, labor unions, training programs
167
GINA info has to be kept...
in a separate file and treated as confidential medical information
168
Places with laws about automated employment decision tools
Illinois, Maryland, New York City
169
Automated employment tooling, Illinois
Video Interview Act
170
Automated employment tooling, Maryland
Facial recognition
171
Automated employment tooling, New York City
Bias audit
172
ADA issues, automated employment tooling
reasonable accommodations, screens out people with disabilities
173
ADA guidance, automated employment tooling
transparent, provide notice, essential functions, a company's vendors comply with the same guidance
174
EEOC, iTutor Group, automated employment tooling
excluded females over 55, men over 60
175
National Child Protection Act permits access to the National Crime Information Center... why
Background checks
176
Why do background checks
protects the employer
177
ADA medical testing in Pre Offer stage is
prohibited
178
Far reaching law impacting hiring process
Fair Credit Reporting Act (FCRA) , governs the use of Consumer Reports
179
FCRA left certain state laws in place
California Investigative Consumer Reporting Agencies Act which limits the use of credit information
180
9 states that copied California's ICRAA
Colorado, Connecticut, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont, Washington; and DC, Chicago, NYC, and Philadelphia
181
Methods of pre-employment screening
Personality, Psychological Evals, Polygraph
182
ADA, some psychological testing may be considered a medical eval, T or F
t
183
Employee Polygraph Protection Act (EPPA) does what
Employers prohibited from using lie detector tests unless: government, national defense, business provides security, transport of certain types of goods, companies that make or distribute controlled substances, investigations for economic loss, injury, theft
184
EPPA, keep statements for how long
3 years
185
EPPA, adverse action
brief the employee, give a copy of the results and questions asked, results only disclosed to the person, employer, or the court
186
EPPA, rule making authority
Secretary of Labor, also has subpoena power for investigations
187
Drug testing, Government employers, which amendment
Fourth
188
Drug testing, private sector, which law
ADA
189
States, drug testing, reasonable suspicion
Iowa, Minnesota, Connecticut
190
Social media privacy
as long as the employee's actions don't negatively impact the employer
191
Employee monitoring written policy
purpose, what's monitored, how, what info is stored, how it is being used, who it is disclosed to
192
Multi national companies may need different monitoring policies, T or F
t
193
Wiretap Act, Electronic Communication Privacy Act (ECPA) enforce what
employee monitoring
194
One party consent
Wiretap Act, one party has to agree to being recorded
195
Two party consent
Wiretap Act, both parties on the call have to agree to being recorded
196
CCTV doesn't record audio so it's not subject to what
Wiretap act
197
State that prohibits CCTV
Michigan
198
Electronic Communication Privacy Act (ECPA) Title II is what act
Stored Communication Act (SCA), email monitoring
199
Email monitoring is illegal unless
The person or entity providing the email service agrees
200
Two states with strict employer communication laws (email, phone, etc)
Delaware, Connecticut
201
When is mail considered delivered
when it reaches the business
202
GPS monitoring guidelines
during business hours, for business purposes, monitoring has been disclosed
203
States with additional GPS monitoring laws
California, Minnesota, Tennessee, Texas
204
BYOD can create what
security vulnerabilities
205
Data loss prevention (DLP) is a strategy for
unauthorized access or misuse of sensitive data
206
Collective bargaining agreements can
modify the obligations an employer has on its workforce
207
National Labor Relations Board (NLRB), Colgate
video surveillance
208
National Labor Relations Board (NLRB), Purple Communications
email monitoring, union organizing
209
Investigating employee misconduct guidelines
take seriously, fairness, follow laws and company policies, documentation
210
Important aspect of employee investigation policies is
ensure a company properly documents employee performance problems
211
Fair Credit Reporting Act (FCRA) and employee misconduct investigations
If the investigation involves a consumer report, FTC provided an opinion in the Vail Letter
212
FTC Vail Letter said what
Third party investigations of employees were subject to the Fair Credit Reporting Act (FCRA) and needed to disclose this to the employee
213
FACTA and Vail Letter
Fair and Accurate Credit Transaction Act (FACTA) amended FCRA, employers don't need to disclose they are conducting an employee investigation
214
FACTA employee investigation disclosure rules
don't need to disclose if investigating employee misconduct, related to compliance with laws or company policies, not investigating credit worthiness, communication only provided to employer or agent, government, regulatory authority, required by law
215
HIPAA excludes what records
employment records held by a covered entity
216
Who enforces the Family Medical Leave Act
Department of Labor
217
HIPAA, employment records, ADA, GINA, FMLA stuff must be kept
All kept away from each other in separate files
218
State with a law to provide a reference after termination
Kansas
219
After termination
Restrict access, keep employee records, maintain good will
220
Jurisdictional nexus
Activities of the business or person and the intersect with the state
221
Tenth amendment and state law
Tenth amendment gives states the right to pass laws
222
What do federal regulations streamline
nationwide baseline compliance
223
State unfair and deceptive acts and practices (UDAP) and AG's
UDAP gives state attorneys general authority to bring enforcement actions
224
Federal law can limit state law through..
preemption and limiting where federal claims may be filed
225
Federal courts hear cases about what
the constitution or federal law
226
State courts hear cases about what
states have a general jurisdiction
227
Removal jurisdiction
moving a case from state court to have it heard in federal court
228
States with laws like TCPA, TSR, CAN-SPAM
Alabama, plus all states got together to enact 8 anti-robocall principles
229
California Online Privacy Protection Act (CalOPPA) requires ..
website operators to conspicuously post their privacy policy on websites and mobile apps; also Do Not Track policy
230
States allow a free credit report more frequently
Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, Vermont
231
States with laws about how credit scores are utilized
California, Colorado
232
California Financial Information Privacy Act did what
Called California SB-1, consumers to opt-in in writing, entitled to opt out
233
One entity with jurisdiction over many financial institutions
NYDFS, new york dept of financial services
234
NYDFS has strict cybersecurity requirements..
most strict of all states, far beyond GLBA
235
FTC upgraded the GLBA safeguards to match what..
NYDFS, new york dept of financial services cybersecurity requirements
236
There is no federal law that governs data security or imposes universal security standards, T or F
t
237
HIPAA governs what market sector
Healthcare
238
GLBA governs what market sector
Finance
239
FTC can bring enforcement for failure to adopt..
adequate security measures... under section 5 of unfair or deceptive trade
240
FTC enforcement, failure to adopt adequate security, against who
Uber, Lenovo, D-Link
241
NYDFS has become the ..
gold standard for government mandated security practices
242
Massachusetts minimum security standards
one employee to maintain an infosec program, risk mgmt, policies, disciplinary measures, terminated employee no access, vendor mgmt, physical access controls, monitoring, incident mgmt
243
What state codified PCI-DSS into law
Washington, similar to what Minnesota did
244
SSN Confidentiality Act did what
federal law, prohibits SSNs from being visible in the envelope window
245
California SSN law
Prohibit SSN from public display, printed on access cards, requiring it be transmitted over the internet, requiring it to be used to access a website, it being on printed materials mailed to homes, selling it
246
Colorado data destruction law
businesses using documents containing personal information must develop data destruction and disposal policies
247
States require the implementation of minimum security standards, T or F
t
248
North Carolina data destruction law
defines reasonable data destruction measures as, can't be read or reconstructed,
249
Subcontracting data destruction is permitted, T or F
True, think Iron Mountain
250
Vermont started to make data brokers register annually, why
to regulate them, California and Illinois are following suit
251
States that have cookie and online tracking laws
California and Virginia
252
Key definitions for data breach laws
who is covered, the term personal information, the term data breach
253
Data breach definition
When personal information is accessed or acquired without authorization
254
After a breach is determined, what is the next step
determine what notification obligations exist
255
State data breach notification laws require what..
any state resident that is affected be notified
256
If a data processor is breached they must what..
disclose the breach to the owner or licensee of the data
257
Data breach, States also require notification to govt agencies, california..
California Dept of Health Services
258
Data breach, States, also require notification to..
Attorney General, and Credit Reporting Agencies
259
Data breach, notification timing, common phrase..
the most expeditious time possible and without unreasonable delay, 8 states say within 45 days
260
Data breach, notification timing, Puerto Rico
10 days, then 24 hours
261
Data breach, notification standard, which state
North Carolina
262
Data breach, notification template
description, information type, steps to protect info,
263
Can a company draft one breach notice and send it nationwide
No, certain states have certain requirements
264
Is a written breach notice required to inform consumers in every state
No, some states allow for electronic communication if there is prior consent
265
Breach notification exceptions
Where more stringent law applies, an organization follows its own breach notification procedures, when data was encrypted, redacted, or otherwise unusable
266
Data breach notification enforcement, State Attorneys General
Can get involved when an organization fails to comply with the law
267
Data breach private cause of action
is possible under UDAP statutes in some states
268
Which state first adopted data breach notification law
California SB-1386
269
What is the first comprehensive data protection law in the U.S.
California Consumer Privacy Act (CCPA)
270
Which law expands upon the California Consumer Privacy Act (CCPA)
California Privacy Rights Act (CPRA)
271
California's definition of personal information
First name and last name, or first initial and last name, in combination with other stuff
272
California's data breach encryption exception
notification to consumers is necessary only if the data isn't encrypted
273
California's data breach notification timing
most expedient time without unreasonable delay, consistent with the legitimate needs of law enforcement
274
California's data processor notification requirements
are placed on the data controller
275
California's data breach notification content
disclosures in plain language, specificity, and a bunch of stuff
276
Any data breach disclosure complying with federal law will satisfy California requirement
t
277
California allows for both written and electronic data breach notifications
t
278
California data breach notification, if over 500K people
a substitute notice may be used
279
California data security law excludes what data
publically available and encrypted data
280
California data security law, disposal of data
shredding, erasing, make unreadable or undecipherable
281
Scope of California Consumer Privacy Act (CCPA)
>25M in revenue, personal info of 50K people, get 50% of its revenue from selling personal info
282
California Consumer Privacy Act (CCPA), Third Parties
Third parties are prohibited from selling personal information unless the consumer receives notice and the opportunity to opt out
283
The definition of a consumer under the CCPA
Any natural person who is a California resident
284
The California Consumer Privacy Act does not apply to what type of information
deidentified or aggregated information
285
The term Sale in the context of personal information
it's a long definition but ends with "for monetary or other valuable consideration"
286
California Consumer Privacy Act (CCPA) and notice
provide notice at or before collection, what's collected, how used, categories, rights, how to exercise the rights, etc.
287
California Consumer Privacy Act (CCPA) consumer rights
Notice, Opt Out, Request Disclosure, Access, Deletion, Not to be discriminated against
288
Who enforces the CCPA
California attorney general
289
CCPA does provide a private cause of action for what
Data breach
290
What did the California Privacy Rights Act (CPRA) create
the California Privacy Protection Agency (CPPA)
291
California Privacy Protection Agency (CPPA) stats
5 member board, enforcement authority transferred from California Attorney General to the CPPA
292
California Privacy Protection Agency (CPPA) board members need
qualifications in privacy and technology
293
California Privacy Rights Act (CPRA) includes sensitive information
t
294
California Privacy Rights Act (CPRA) includes public records made available by the government
t
295
What did the California Privacy Rights Act (CPRA) strengthen
transparency and accountability requirements under the CCPA
296
California Privacy Rights Act (CPRA) security requirement
CPRA incorporated security requirements into the CCPA
297
California Privacy Rights Act (CPRA) mandates that controllers..
enter into written contracts with 3rd party data vendors
298
California Privacy Rights Act (CPRA) broadened rights
correct information, use of sensitive info, automated decision making, delete info, expanded access, expanded opt out
299
California Age Appropriate Design Code Act (AADC)
Prohibits advertising directed at children, profiling of children, dark patterns
300
California Age Appropriate Design Code Act (AADC) defines children as
anyone under 18
301
States adopting laws similar to the CCPA
Virginia, Colorado, Utah, Connecticut
302
Virginia Consumer Data Protection Act (VCDPA)
makes Virginia the only state to implement comprehensive privacy laws
303
Who is exempt from the Virginia Consumer Data Protection Act (VCDPA)
GLBA, HIPAA, and non profits
304
Virginia Consumer Data Protection Act (VCDPA) is close to the GDPR
t
305
Virginia Consumer Data Protection Act (VCDPA) time to respond to data subject request
without undue delay, no later than 45 days
306
Virginia Consumer Data Protection Act (VCDPA) private cause of action
No
307
Virginia Consumer Data Protection Act (VCDPA) enforced by
State attorney general
308
Virginia Consumer Data Protection Act (VCDPA) rule making authority
No rule making authority, Data Controllers have to rely on the text of the statute
309
Colorado Privacy Act (CPA) doesn't include
HIPAA, GLBA, COPPA, FERPA
310
Colorado Privacy Act (CPA) includes what.. that no one else does
It applies to non profits
311
VCDPA and the CPA have a controller / processor framework and the CCPA has a
business / affiliate framework
312
Colorado Privacy Act (CPA) codifies that
a person not limited in processing, or who fails to follow the instructions of the controller, is now considered the controller
313
Colorado Privacy Act (CPA), processors can use subcontractors
No
314
Colorado Privacy Act (CPA) calls for adoption of
appropriate technical and organizational safeguards, data processing contracts, controllers to conduct data protection assessments where there is a heightened risk of harm
315
Colorado Privacy Act (CPA) rights
opt out, access, correct, delete, portability
316
Colorado Privacy Act (CPA) private cause of action
No
317
Colorado Privacy Act (CPA) enforcement
State attorney general, local district attorneys, covered under the state UDAP
318
Colorado Privacy Act (CPA) rule making
lies with the State attorney general
319
Utah Consumer Privacy Act (UCPA) excludes what from personal data
aggregated data
320
Utah Consumer Privacy Act (UCPA) enforcement
State attorney general
321
Utah Consumer Privacy Act (UCPA) time to fix a violation
30 days
322
Connecticut Personal Data Privacy and Online Monitoring Act does not apply to
publicly available info and personal data solely used for payment transactions, i.e. completing a sale
323
Connecticut Personal Data Privacy and Online Monitoring Act list of rights
access, correct, delete, portability, universal opt out signals
324
Connecticut Personal Data Privacy and Online Monitoring Act enforcement
Attorney general, no private cause of action
325
Connecticut Personal Data Privacy and Online Monitoring Act days to fix a problem
60 days
326
California Electronic Communications Privacy Act
can't search phones or online accounts without a court order or consent or an emergency
327
Delaware Online Personal Privacy Protection Act (DOPPA)
Delaware's version of COPPA but children are anyone under 18
328
Delaware Online Personal Privacy Protection Act (DOPPA) advertising..
Prohibits ads for tobacco, firearms, tanning equipment..
329
Nevada Privacy of Information Collected on the Internet from Consumers Act SB 538 exemptions
FCRA, fraud prevention, publicly available, Driver's Privacy Protection Act, GLBA
330
Nevada Privacy of Information Collected on the Internet from Consumers Act SB 538 primary requirement
to provide an online notice and designated request address to not sell data, have 60 days to process it
331
Nevada Privacy of Information Collected on the Internet from Consumers Act SB 538 time to fix issues
30 days
332
Nevada Privacy of Information Collected on the Internet from Consumers Act SB 538 "sale" extends to
data brokers
333
Illinois Geolocation Privacy Protection Act and Right to Know Act
Vetoed by the governor, affirmative express consent before getting geolocation info from a consumer's device
334
New Jersey Personal Information and Privacy Protection Act
when retailers can scan a person's identification card, sale of the data is prohibited
335
Washington state Biometric Privacy Law
can't put biometric data into a database for commercial purposes without adequate notice, consent obtained, and can prevent subsequent use
336
New York's SHIELD Act expands
private information and data breach
337
New York's SHIELD Act private information is
biometric data, account number, user names
338
New York's SHIELD Act data breach..
when private information is accessed without authorization
339
New York's SHIELD Act data breach exemption
when it was accessed by accident
340
New York's SHIELD Act also requires
develop, implement, maintain reasonable safeguards to protect security and disposal
341
New York's SHIELD Act requires safeguards in line with a company's
size and complexity
342
Illinois Student Online Personal Protection Act (SOPPA)
most comprehensive privacy for student records, info is called covered info, any personally identifiable information
343
Illinois Student Online Personal Protection Act (SOPPA) operators..
are prohibited from advertising, profiling, selling, or disclosing covered information
344
Illinois Student Online Personal Protection Act (SOPPA) school requirements and state board of education requirements
no selling, or disclosing, there are some exceptions, and the school needs a privacy officer
345
Tennessee SB 2005 data breach notification
encrypted data is no longer excluded, you have to notify consumers
346
Illinois HB 1260 data breach notification
encrypted data is not excluded if there is a risk the key was compromised
347
Illinois HB 1260 data breach medical information
medical info, biometric info, health insurance info now in scope
348
Illinois HB 1260 data breach notification to attorney general
HIPAA regulated entities have to notify the attorney general now if there is a breach
349
New Mexico HB 15 data breach laws
apply to encrypted and non encrypted data, biometric data, personal health information
350
South Dakota data breach law
don't need to notify if there is no harm to consumers but you must notify the attorney general
351
Massachusetts HB 4806 data breach law
similar to the Fair Credit Reporting Act (FCRA) requirements, the data breach laws regulate the credit reporting agencies