Flash Cards 3

1
4 types of privacy
information, bodily, communication, territory
2
Identified individual is what
ascertained with certainty
3
Turn personal info into non-personal info by
de-identifying it or anonymizing it
4
Encryption is what
making data unrecognizable
5
Anonymization is what
stripping it of identifying info
6
Pseudonymization is what
associate it with a pseudonym
7
Sources of information are
public, publicly accessible, and non-public
8
Data subject
person whose data is processed
9
Data controller
The organization that decides how information is processed
10
Data processor
The organization that processes the data
11
FIPs
Balance privacy with security and fairness
12
DHEW (renamed HHS) promulgated FIPs, T or F
t
13
The FIPs 5 organizational practices
No secret systems, know what’s in your record and how used, prevent misuse, correct errors, data reliability
14
Privacy Act of 1974 codified what..
FIPs
15
Examples of FIPs in the U.S.
1973 FIPs, Privacy Act 1974, 2012 White House Report, 2012 FTC Report
16
FTC report had 3 key things..
Privacy by design, simplified consumer choice, transparency in company data practices
17
FTC report prioritized 5 areas..
Do Not Track, mobile device data, data brokers, tracking by large companies, self regulation
18
International FIPs examples
OECD, European Council Convention, Madrid Resolution
19
FIPs individual rights
Notice, consent, access
20
FIPs organization responsibilities
security, data quality, limitation principle, accountability
21
OECD is what..
Organization for Economic Cooperation and Development; privacy and transborder flow of personal data
22
OECD 8 principles
collection limitation, quality, specific purpose, use limitation, security, openness, individual participation, accountability
23
Council of Europe Convention..
Automatic processing of personal data
24
Council of Europe Convention incorporates…
FIPs into domestic laws
25
Council of Europe Convention Article 5
data quality
26
Council of Europe Convention Article 6
categories of data
27
Council of Europe Convention Article 7
Security
28
Council of Europe Convention Article 8
Data subject safeguards
29
Madrid Resolution..
Standards on data protection, uniformity, transborder data flow
30
what is Notice
How an organization processes personal information
31
what is Consent
How your personal information is collected, used, and retained
32
what is Access
Giving you access to your personal information
33
Types of security controls
Physical (locks, cameras), Technical (code, systems), Administrative (policies)
34
what is Data Quality
data should be accurate, complete, and relevant
35
what is Accountability
data to be defined and documented
36
Sources of privacy protection are
Government, regulations, market
37
what is the goal of legal protection
compensation and deterrence
38
Market protections arose because of
consumers react to data policies, publicity of data breaches
39
Self regulatory protection examples
PCI-DSS, DAA
40
Self regulatory protections bring together..
Industry standards and legal standards
41
What are the two protection privacy regimes
Sectoral and Comprehensive
42
Example of a sectoral privacy regime
United States
43
Example of a comprehensive privacy regime
Europe
44
Critiques of sectoral model
Divergent policies, inadequate, overly burdensome
45
Critiques of comprehensive model
costs outweigh benefit, doesn't account for unique situations, discourages innovation
46
What is a co-regulatory model
Combines self regulatory and either the sectoral or comprehensive model
47
Self Regulation is sometimes thought of as a ...
3rd model alongside Sectoral and Comprehensive
48
What are the 3 branches of government
Executive, Legislative, Judicial
49
Which article of the constitution vests legislative power
Article I
50
Executive branch, which constitution article
Article II
51
Judicial branch, which constitutional article
Article III
52
How many regional circuit courts
12
53
Federal judicial system process
Federal district court, appeal to US circuit court, appeal to US Supreme Court
54
Most important circuit court is what
D.C. circuit court
55
Legislative branch checks
Executive branch, veto override, impeach, approve appointments; Judicial branch, change laws, approve judges, impeach judges, court jurisdiction
56
Executive branch checks
Legislative branch, veto; Judicial branch, appoint judges
57
Judicial branch checks
Legislative branch, unconstitutional; Executive branch, unconstitutional, interpretations invalid
58
Sources of law
Constitution, Statutory Law, Regulations and Administrative Rulemaking, Common Law, Contractual Law, International Law
59
The foundation of law is what
The constitution
60
Most significant privacy requirements come from where
Federal and State legislation
61
Statutory law is what
Legislation (laws) from Federal and States
62
Regulations and Administrative Rulemaking is what
Federal agencies enforcing statutory law
63
Common Law / Case Law is what
Societal customs and judicial decisions
64
Stare Decisis is what
Stand by things decided
65
What is the basis for many privacy related doctrines
Common Law / Case Law
66
Contractual Law is what
Legally binding agreements
67
A legally binding agreement must have what
Offer, Acceptance, Consideration
68
What is a consent decree
a contract, party agrees to abide by a judgement
69
Consent decree benefits
avoid admitting guilt
70
International Law is what
Laws in foreign jurisdictions
71
What is jurisdiction
A court's authority to hear a case
72
Types of jurisdiction
Personal, Subject Matter
73
What is preemption
Federal law override or supersede inconsistent state law
74
The supremacy clause is the basis for what
The doctrine of preemption
75
What is Subject Matter jurisdiction
A court's authority to hear specific types of disputes
76
What is Personal jurisdiction
A court's authority between people or to bring people into its process
77
What is a natural person
A human
78
What is a person
A company
79
Why was the FTC founded
To protect consumers against unfair or deceptive trade practices
80
The FTC is lead by what
a 5 member bipartisan commission
81
The Federal Reserve Board info
12 banks, 7 governors, 14 year term
82
The FTC is the most important Federal privacy regulator, T or F
t
83
Civil litigation standard of liability
Preponderance of evidence
84
Criminal litigation standard of liability
Beyond a reasonable doubt
85
Person bringing the lawsuit in Criminal litigation
DOJ for Federal crimes, and the State prosecutor for State crimes
86
Person bringing the lawsuit in Civil litigation
Plaintiff
87
What is legal liability
The defendant is legally obligated or accountable to the plaintiff
88
Breach of contract
one party fails to perform any of its contractual obligations at the time performance is due
89
Expectation Interest
had the contract been performed
90
Reliance Interest
contract not been made
91
Restitution Interest
unjustly enriched
92
Specific Performance of a contract
ordered to comply (fulfill) the contract
93
Forum Selection Clause
which court will try (hear) the case
94
Arbitration Clause
use an arbitrator
95
What is a Tort
a civil wrong
96
Intentional Torts
knows or should know it will cause harm
97
Negligent Torts
failing to observe the standard of care
98
Strict Liability Torts
engaged in prohibited conduct
99
Privacy Torts
Intrusion Upon Seclusion, Appropriation of Name or Likeness, Publicity Given to Private Life, False Light
100
Intrusion Upon Seclusion
intentionally intrude
101
Appropriation of Name or Likeness
use another's name or likeness
102
Publicity Given to Private Life
make something public that isn't a legitimate public concern
103
False Light
places someone in false light
104
Negligence
conduct that falls below the standard established by law for the protection of others against unreasonable risk of harm
105
Administrative Procedures Act (APA)
rules for administrative enforcement actions, Federal rules of civil procedure
106
Administrative actions are brought to ...
an ALJ, administrative law judge
107
What is UDAP
Unfair and Deceptive Acts and Practices, the state version of FTC unfair or deceptive trade practices
108
UDAP is enforced by ...
State Attorneys General
109
Every state except ?? provides a private right to action for UDAP
Iowa
110
Is there a Federal data breach law
No
111
UDAP and other state patch work laws govern what
Data breaches
112
Who are the leading enforcement regulators for Data Breaches
State Attorneys General
113
What is the National Association of Attorneys General
How states coordinate responses to legal issues and exchange information
114
What is GPEN
Global privacy enforcement network, connects privacy enforcement authorities around the world
115
What is APEC
Asia-Pacific Economic Cooperation, cross-border enforcement of privacy law
116
GPEN (global privacy enforcement network) 5 ways
exchanging info, training, dialogue, processes for bilateral and multilateral cooperation, actions for communication
117
What is CPEA
Cross-border Privacy Enforcement Action, came out of APEC
118
Goals of CPEA (cross-border privacy enforcement action)
information sharing, cross-border cooperation, cooperation on privacy investigation and enforcement
119
What is self regulatory enforcement
self policing of industry groups for compliance
120
What are the benefits of self regulatory enforcement
industry expertise, increased efficiency, flexible, quicker to react,
121
What are the draw backs of self regulatory enforcement
anti-competitive, not as robust as govt, lax enforcement, may not fully incorporate perspectives of others not in the industry
122
What is co-regulatory enforcement
both industry and government jointly administer the process, an example is COPPA
123
What is the most prominent self regulatory program
PCI-DSS
124
PCI-DSS data points
Developed by the credit card companies, each CC company has its own program for compliance, it is overseen by the credit card companies (Security Standards Council)
125
PCI-DSS has 12 requirements
firewall, no defaults, stored data, encrypt transmissions, malware, secure systems, restrict access, authenticate access, restrict physical access, monitor access, test, policies
126
Value of Trust Marks / Seal Programs
increase consumer confidence
127
Who is responsible for enforcing the DAA principles
the Council of Better Business Bureaus (CBBB) and Digital & Marketing Association (DAA)
128
How long after a valid request does an educational institution have to provide access to education records of a student?
A "reasonable" time, not to exceed 45 days.
129
What is a Data Assessment
generic term referring to processes like data inventory, data flow analysis, classifying data
130
What is a Data Inventory
identifies personal data as it moves across systems, shared, and stored, sometimes called Record of Authority
131
Why is a Data Inventory important
analyze what laws you need to comply with
132
What is data residency
physical location of servers
133
What is data location
where data is stored
134
What is data access
who has access, how and when information is shared, who has internal access, what 3rd parties have access
135
What is a data flow map
how information moves through the organization, increase confidence in regulatory compliance
136
Data Inventory and Data Maps are synonymous, T or F
t
137
What is Data Classification
classifying data by sensitivity
138
Data classification does what
provides the basis for managing access
139
What are the common sensitivity levels
confidential, proprietary, sensitive, restricted, public
140
Classifying data facilitates what
laws are followed, limit consequences of breaches, limit scope of disclosure, lowers cost of responding to a data breach
141
What is the main function of a privacy professional
develop privacy programs / information management programs
142
What are the types of risk
legal, reputational, operational, investment
143
What is legal risk
regulatory action, litigation
144
What is reputational risk
the trust consumers place in an organization
145
What is operational risk
trade off between privacy programs and achieving organizational goals
146
What is investment risk
are the benefits of the program worth the cost
147
The first step in developing a privacy program is what
Developing a privacy vision / mission statement
148
Why have written policies
Ensure the program is implemented properly, basis for training, accountability, decision making
149
What are the steps in the privacy operational lifecycle
Assess, Protect, Sustain, Respond, also Discover, Build, Communicate, Evolve
150
Def of Privacy Operational Life Cycle
continuously monitors and improves the privacy program
151
What are the types of consent
Opt In, Double Opt In, Opt Out, No Option
152
What is Opt In consent
express, requires affirmative action
153
What is Double Opt In consent
obtaining consent, then confirming it again
154
What is Opt Out consent
passive, consent is implied, processing will occur unless you opt out
155
What is No Option consent
implied by the circumstance, i.e. sharing your address with the post office
156
Managing consent, how should it be done..
However you are interacting with the consumer, in the same manner allow them to consent
157
After a consumer disputes the accuracy of information in a consumer report, how long does a consumer reporting agency have to re-investigate the information?
30 days.
158
The California Consumer Privacy Act is an example of what type of privacy protection?
A comprehensive model.
159
How many days does an organization have to cure a violation of the CCPA before it may be subject to fines or a private cause of action?
30 days.
160
All of the following are best practices in obtaining consumer consent, except:
Companies should obtain a separate consent specifically applicable to third-party data processors.
161
Under which of the following pieces of legislation are data brokers required to comply with a one-stop mechanism that allows data subjects to request the deletion of their personal data?
California's Delete Act.
162
According to the Supreme Court's decision in Société Nationale Industrielle Aerospaciale, all of the following should be considered in a comity analysis, except:
Whether the parties have domestic subsidiaries in the United States.
163
What is the most common phrase used in state-level data breach notification laws to describe when notice must be provided to affected individuals?
At the most expeditious time possible and without unreasonable delay.
164
What is the standard utilized by FISC to determine whether an application for a surveillance order should be granted?
Whether there is probable cause to believe that the person being monitored is either a foreign power or an agent of a foreign power.
165
Who is responsible for enforcement under the Payment Card Industry Data Security Standard?
Individual payment card brands.
166
What change to the use of National Security Letters was implemented by the USA-PATRIOT Act?
An NSL may now be issued if relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.
167
If a third party accidentally accesses protected health information without authorization, which of the following is accurate?
A breach is presumed unless a risk assessment establishes that there was a low probability that PHI has been compromised.
168
As defined under the Fair Credit Reporting Act, which of the following is least likely to be considered an "employment purpose" for which a consumer report may be obtained?
Determining whether an employee is entitled to a raise.
169
Which of the following most accurately states whether a data processor experiencing a data breach must disclose to a data controller that a breach occurred under state-level breach notification laws?
Every state requires that a data processor notify a data controller when a breach occurs.
170
All of the following are benefits of data flow mapping, except:
It may limit the amount of data disclosed in the event of a data breach.
171
Which of the following best describes the enforcement of CAN-SPAM at the federal level?
The FTC enforces CAN-SPAM according to its "unfair and deceptive" trade practices authority but shares enforcement authority with prudential regulators.
172
In addition to "unfair" and "deceptive" trade practices, state UDAP laws also commonly prohibit what other type of act or practice?
"Unconscionable" acts or practices.
173
Which is the most accurate advice that Jackson can provide to BotVoice about its compliance obligations under HIPAA?
HIPAA does not apply because the health information provided by children is not made in connection with a covered transaction.
174
CAN-SPAM Act prohibits communication after how many days of opting out
more than 10 days
175
Opt-Out Consent is
A passive form, where consent is implied, processing occurs unless you opt-out
176
Information privacy focuses on what
Policies
177
Information security focuses on what
Protection of data from unauthorized access
178
Privacy focuses on what type of data
Personal information
179
Security focuses on what type of information
Confidential information
180
CIA triad stands for what
Confidentiality, Integrity, Availability
181
Security controls do what
Limit damage, loss, modification, and unauthorized access
182
Purposes of security controls
Preventative, Detective, Corrective
183
Preventive controls
Prevent an incident
184
Detective controls
Identify an incident
185
Corrective controls
Fix or limit the damage of an incident
186
Types of controls
Physical, Administrative, Technical
187
OMB 7 step breach response
1. Breach response team. 2. Privacy docs. 3. Sharing breach information. 4. Reporting. 5. Assess the risk. 6. Mitigating risk. 7. Notification.
188
FTC 4 step breach response
Confirm the breach. Then, 1. Secure Operations / Contain. 2. Analyze and fix vulnerabilities. 3. Notify. 4. Proactive steps to avoid future breaches
189
Breach Response: An important part of Analyze and fix vulnerabilities
Re-evaluate 3rd party service providers
190
Breach Response: Notify appropriate parties. Who must be notified?
Law enforcement, usually through Attorneys General, if PHI then HHS and the media, Business partners if contracts say so, and Affected individuals
191
Breach Response: Notification, FTC Recommendations
Consult law enforcement so you don't impede any investigation, Designate a communication person, a year of free credit monitoring
192
Breach Response: Notification Letter should contain
Clear description of what happened, Contact information of the organization, Steps an affected individual can take
193
Breach Response: Avoid future breaches
Employee training, Third party security audits, Analyze the entire breach
194
Benefit of inventorying and classifying data
Creating a privacy program, Incident response program, and Workforce training
195
Workforce training is…
Part of the accountability principle, lower costs of responding to breaches
196
HIPAA training requirements
All members on policies and procedures for PHI
197
GLBA training requirements
Identify reasonable and foreseeable internal and external risks, employee training and management
198
Red Flags Rule requirement
Establish an identity theft program
199
Who created the Red Flags Rule
the FTC under authority of the Fair and Accurate Credit Transactions Act of 2003 (FACTA)
200
Massachusetts safeguard
Anyone owning or licensing information about a Massachusetts resident must have a security program and employee training
201
PCI-DSS requirement
A security awareness program to be in place
202
GDPR Article 5 Compliance
The data controller is responsible for compliance and demonstrates compliance through documentation
203
What is the Accountability Principle
Implementing technical and organization measures to demonstrate the handling of personal information is done in accordance with the law
204
Means to hold organizations accountable
Policies, Procedures, Governance, Monitoring, Training
205
Compliance with the Accountability Principle is up to
the Organization to determine
206
How long should you retain data
Only for so long as necessary to achieve its purpose
207
When data is no longer needed it should be
Destroyed or anonymized
208
Laws governing data retention
Fair and Accurate Credit Transaction Act (FACTA) for the Disposal Rule, and Fair Credit Reporting Act (FCRA) for Identity Theft
209
One of the best ways to limit risk
Limit the length of time data is retained
210
Server side languages
PHP
211
Browser side languages
HTML, CSS, XML, JavaScript
212
Explain Web Client, Web Server, Web Browser
Web client downloads files from the web server and the web browser interprets and displays them to the user
213
HTTP
How the web client and the web server communicate
214
TCP protocol
Breaks information into packets
215
IP protocol
Interfaces with the physical infrastructure
216
TCP/IP
Is the main communication protocol of the internet
217
TLS
transport layer security
218
IP Address
a unique number assigned to each device
219
URL
name and web address assigned to files
220
DNS
the phone book of the internet
221
Proxy server
intermediate web server
222
VPN
establishes an encrypted connection
223
A server log contains
IP Address, date and time of the page requested, URL of the file, browser type, URL visited prior
224
Cache
content stored locally
225
Data automatically collected without you knowing it
Passive data collection
226
Data collected with the user knowing it
Active data collection
227
Just in time
privacy notice done at the point of collection
228
Syndicated content
purchased or licensed
229
Web services are…
a program contained within a website
230
iFrame is…
a web page embedded into another one
231
Spam
unsolicited emails
232
Malware
malicious software
233
Spyware
malware downloaded covertly
234
Ransomware
malware that locks or encrypts your operating system
235
Phishing
communication designed to trick users
236
SQL Injection
provide a database command to a web server
237
XSS
malicious code injected into a webpage
238
Cookie Poisoning
a cookie is modified to gain unauthorized access
239
Unauthorized Access
access through fraudulent means
240
Data validation
data conforms to requirements
241
Data sanitization
removing harmful characters
242
Social engineering
manipulating a user to create a security vulnerability
243
Behavioral advertising
advertising based upon information associated with an individual
244
AdChoices
Icon, lets consumers exercise choice, Digital Advertising Alliance (DAA)
245
EU Cookie Directive
prevent cookie tracking without consent
246
Cross device tracking
map a user moving from a laptop to a mobile device
247
Methods of cross device tracking
deterministic tracking, probabilistic tracking
248
Deterministic tracking
track where the person logs into
249
Probabilistic tracking
collects information from multiple devices and draws inferences based on probabilities
250
Web beaconing
one pixel image stored on your computer
251
Adware
monitors users behavior
252
Location based advertising
uses the devices GPS
253
Bluetooth beaconing
signals sent from a beaconing device
254
Digital fingerprinting
automatically collect user data when you visit a webpage
255
Web cookie
text file placed on your hard drive by a web server
256
Session cookie
text file only used while connected to that web server
257
Persistent cookie
long lived cookie set to expire sometime in the future
258
First party cookie
owned by the host of the web server
259
Third party cookie
owned by someone other than the web server host
260
Flash cookie
cookie stored outside the browser's control, dangerous, respawn, zombie cookies
261
Cookie best practices
stored information should be encrypted, only use persistent cookies where necessary and should expire in a reasonable time, provide notice to cookie usage, disclose 3rd party cookie providers, provide an opt-out function, follow general FIPs
262
COPPA
Children's Online Privacy Protection, children under 13
263
GDPR child privacy
Children under 16
264
States , children between 13 and 18
California and Delaware, California Minors in the Digital World Act, Delaware Online and Personal Privacy Protection Act
265
CCPA regarding children
California Consumer Privacy Act, no selling info of children under 16 without consent, Data Controller may obtain consent from the child through an opt-out procedure, under 13 consent is from the parent
266
Privacy notices are…
document, states how a company collects, stores, and uses personal information it gathers
267
Privacy notice, used internally…
tells employees how personal information should be stored, accessed, and utilized.
268
Privacy notice, used externally
informs consumers how their personal information will be used, helps consumers make an informed decision
269
COPPA and privacy notice display
maintain a link on the website and each page where personal information is collected
270
GLBA and privacy notice
send customers the privacy policy each year
271
CalOPPA
conspicuously post the privacy policy on the website and mobile apps
272
CalOPPA, privacy policy must include
categories of personal information, categories of third parties, how to request changes, how the policy is updated, its effective date, how it responds to do-not-track, if a third party can collect personal information
273
FTC can bring enforcement , privacy policy
privacy policy not being followed is an unfair or deceptive trade practice, FTC can bring enforcement
274
Privacy policy is a legal document, true or false
t
275
Privacy policy lifecycle
designing, developing, testing, releasing, reviewing and updating
276
FTC and data usage
data should be used in a manner consistent with the notice that was in effect at the time data was obtained
277
FTC and material change
express, affirmative consent should be given by consumers before making material retroactive changes to data usage
278
FTC and material change definition
at a minimum, sharing consumer information with third parties after committing not to share the data
279
Layered notice
short at the top, option to review the detailed longer privacy notice
280
Privacy dashboard is what
one point to manage all privacy preferences
281
Privacy icons are what
symbols used to indicate how information is processed
282
Article 29 Working Party and icons
to enhance transparency
283
Vendors, who is legally responsible
the data controller is responsible for any data misuse by vendors
284
HIPAA and vendors
Data controllers must have written contracts with their business associates
285
Article 28 GDPR and contracts part 1
Data controllers to have written contracts in place before processing may occur
286
Article 28 GDPR and contracts part 2
Data controller to have sufficient guarantees from their third parties, properly vet and contract the 3rd parties
287
Choosing , Vetting Vendors, basic guidelines
Consider their reputation, financial condition, and security controls
288
Vendor contracts to include…
confidentiality provisions, security protections, audit rights, no further use provision, subcontractor use, information sharing, breach notification, consumer consent, data classification system, and an end of relationship provision
289
Vendor contracts should be consistent with…
the organization's privacy notice and practices
290
Many of the largest data breaches came in through…
3rd party vendors
291
Data residency
physical location of the servers
292
CCPA and data sharing
California consumer privacy act, users have the right to opt-out of data selling
293
Virginia and data sharing
Virginia consumer data protection act, user can opt-out of targeted advertising, data selling, and profiling
294
CPRA and contracts
California privacy rights act, data controllers to have contracts with any party they share data with
295
Data residency can…
dictate what laws apply
296
Surprise minimization rule
a person's information is subject to the laws of their home jurisdiction
297
GDPR core purpose
facilitate the free flow of data between EU member states
298
3 ways to transfer data between EU and non member states
Adequacy decision, appropriate safeguards, derogations
299
Appropriate safeguards, GDPR
BCRs, EC model clauses, National model clauses, Codes of conduct, Certification, Ad Hoc contract
300
Derogations, GDPR
Consent, Performance of contract, Public interest, Legal claims, Vital interests, Legitimate interest
301
Article 45, GDPR, Adequacy decision is…
equivalent or greater protection in the transferee country
302
Schrems 1
no more safe harbor, in part because of Edward Snowden
303
Schrems 2
no more privacy shield, facebook ireland
304
Binding corporate rules
a company's rules for internally handling data transfer, don't apply to data transfers with 3rd parties
305
Article 47, GDPR, before using BCRs
it must be certified by a privacy supervisory agency in the EU
306
BCRs must contain the following
binding corporate rules must cover transparency, quality, security, audit, training, compliance procedures, a binding element
307
SCCs
standard contract clauses, a company contractually promises to comply with EU law
308
Schrems 2 and SCCs
the transferee country must offer protections equivalent to GDPR (considering both the clauses and the legal system), or the supervisory authority should suspend the transfer privileges
309
Codes of Conduct and Certifications
have to get approval from an EU data protection authority or the EU commission, the data protection authority has enforcement authority to include suspension
310
Article 49, GDPR, Derogations
last resort
311
Schrems 2, controllers and processors
controllers and processors to conduct a transfer impact assessment prior to transferring personal data
312
Transfer impact assessment (TIA) is
a risk assessment of transferring data to a third country; considers SCCs, the legal system, and adequacy decision factors
313
European Data Protection Board (EDPB) and 6 steps
understand all transfers of personal data, verify all transfer tools, assess if appropriate safeguards will be impinged upon, identify supplemental measures, steps for supplemental measures, re-evaluate the level of protection in the transferee country
314
Supervisory authority can suspend or end transfers, true or false
t
315
Schrems 2, Austrian and French DPAs, Google…
Google Analytics violates Chapter V of GDPR, SCCs didn't provide appropriate safeguards, US intelligence agencies could access data
316
Privacy operational lifecycle is the cornerstone…
cornerstone of privacy program management
317
Privacy operational lifecycle 4 steps
discover (assess), build (protect), communicate (sustain), evolve (respond)
318
Privacy operational lifecycle 4 steps in more detail
(1) Discover/Assess (including “Issue identification and self-assessment” and “Determination of best practices”); (2) Build/Protect (including “Procedure development and verification” and “Full implementation”); (3) Communicate/Sustain (including “Documentation” and “Education”); and (4) Evolve/Respond (including “Affirmation and monitoring” and “Adaptation”)
319
Information Lifecycle Management, Data Lifecycle Management, Data Lifecycle Governance…
a policy-based approach to managing the flow of information through a lifecycle
320
A privacy notice may also be called a
privacy policy, privacy statement, fair processing statement, strictly speaking the notice is internal facing the policy is external facing
321
GDPR requirements are based on …
Fair information practices (FIPs)
322
GDPR applies to companies that…
have assets and employees in the EU, data stored in the EU, and data interactions with EU residents
323
A company / country may be subject to the GDPR if it processes information…
of EU data subjects that access their websites or digital products
324
GDPR fine
4% of the company's global revenue
325
DPAs
Data protection authorities, one in each EU country, but Germany has 1 national and 16 state level; DPAs enforce the GDPR
326
DPAs power
investigate, correct, advise; ask for records and proof of compliance, ban/stop/suspend data processing, require additional breach notification, order erasing of information, suspend cross-border data flow
327
GDPR articles 12-14
Transparent communication
328
GDPR article 15
Right to access
329
GDPR article 16
Rectify data
330
GDPR article 17
Erasure
331
GDPR article 18
Restrict processing
332
GDPR article 19
Notification obligation to data subjects about their rights
333
GDPR article 20
Data portability
334
GDPR article 21
Object to processing personal information
335
GDPR article 22
No Automated processing
336
Data Controller is responsible for ensuring Data Subject rights, True or False
t
337
Data Controllers to take action on Data Subject requests no later than…
30 days after receipt, possible to get an extension of 60 days if the request is burdensome
338
Breach Notification, Data controllers to notify DPAs within how many hours
72
339
Breach Notification, Processors notify the Controller within
Without undue delay
340
Breach Notification, Controllers notify the Data Subjects within
Without undue delay
341
Controllers are exempt from notifying Data Subjects if
Data is unintelligible, taken steps to minimize risk, would require disproportionate effort
342
APEC is what
Asia Pacific Economic Cooperation, founded in 2004
343
APEC privacy framework is similar to
FIPs in APEC is similar to Madrid Resolution
344
APEC privacy framework includes what
preventing harm, notice, collection limitation, use of personal information, choice, integrity of information, security safeguards, access, correction, accountability
345
CPEA is what
Cross-border privacy enforcement agreement, APEC
346
Rationalizing
multi-jurisdiction, key practices to the most restrictive laws
347
FTC was founded when
1914
348
Why was the FTC founded
Antitrust laws
349
Wheeler Lea Act did what to the FTC
In 1938 it gave it general consumer protection authority, referred to as Section 5
350
FTC is governed by
5 people, a chairperson and 4 commissioners
351
FTC oversees what
privacy, fair credit reporting act (FCRA), CAN-SPAM act, COPPA
352
Section 5 of FTC is the most important …
most important piece of federal privacy legislation
353
Section 5 states what about unfair practices
unfair or deceptive acts or practices affecting commerce are unlawful
354
2006 section 5 was amended for what
apply to acts of foreign trade
355
FTC doesn't apply to whom
non-profits, banks, financial institutions, common carriers
356
Magnuson-Moss did what for the FTC
permitted it to issue regulations
357
FTC main prosecution method is what
To bring enforcement actions
358
FTC hears about stuff how
news, public complaints, etc.
359
What is section 6 of the FTC
Investigatory powers
360
FTC section 6 has authority to
require business to submit written reports, subpoena power
361
FTC pre-complaint is non public, true or false
t
362
FTC standard to initiate a complaint
If the FTC has reason to believe
363
Respondent defends themselves in front of whom
An Administrative Law Judge (ALJ)
364
ALJ will issue what…
an injunction; an ALJ cannot impose civil penalties
365
FTC, how do appeals work
ALJ to FTC commissioners to Federal Circuit Court
366
FTC can also do what under 13(a)
Prosecute claims before a Federal District Court, review by the Federal Appellate Court
367
Most FTC actions are consent decrees, T or F
t
368
Consent decree has the force of a Federal Court Order, T or F
t
369
Consent decrees are posted publicly T or F
TRUE , to provide guidance to other companies
370
Benefits of consent decrees
Enforces good practice, avoid expense, easily enforceable, avoid additional negative press, limits exposure to business practices to competitors
371
To establish a deceptive trade practice the FTC needs
a material statement or omission that is likely to mislead consumers who are acting reasonably
372
GeoCities
first privacy enforcement action, GeoCities sold information
373
Eli Lilly
first consent decree, revealed email addresses
374
Snapchat
collecting names and phone numbers, and messages didn't get deleted
375
TrustArc
did not conduct annual re-certifications
376
Nomi
tracked consumers via mobile devices
377
LifeLock
couldn't prevent all identity theft
378
Facebook
3rd party developers could access user data
379
Zoom
weak encryption, secretly installed software
380
To establish an unfair trade practice the FTC must prove
Substantial injury, lack of offsetting benefits, and consumers couldn't have reasonably avoided it
381
DesignerWare
log keystrokes, take screenshots, photograph anyone with the camera, geo-track users
382
Wyndham
upheld the FTC's unfairness authority, affirmed the FTC's authority to regulate cybersecurity
383
Section 18 of the FTC Act
rule making authority for unfair or deceptive trade practices, i.e. trade rules
384
LabMD
disclosed patient information
385
LabMD v. FTC
the FTC's cease and desist was unenforceable, FTC started holding public hearings
386
Uber
weak security measures
387
Lenovo
man-in-the-middle attacks, pre-installing software
388
D-Link
exposed routers and web cameras to attack
389
2018 most high profile case
Venmo
390
Paypal
falsely claimed to have bank grade security
391
BLU products
didn't have appropriate security measures
392
Vtech
COPPA violations
393
Equifax
didn't have reasonable security measures
394
Tapplock
IoT data and physical security issues
395
SkyMed
unsecured cloud storage
396
Ascension Data and Analytics
violated GLBA, mortgage information
397
COPPA applies to non-profits, T or F
False
398
COPPA personal information also includes
geolocation data, IP addresses, and info stored in cookies
399
COPPA applies to
all operators of commercial websites
400
COPPA notice includes
information collected, how used, if info is disclosed to third parties
401
Forms of verifiable consent COPPA
mail or fax a consent form, credit card, debit card, call a toll free number, video conference, government issued ID
402
COPPA consent exception
collected for the purpose of increasing security
403
COPPA, parental rights
access information, withdraw consent
404
COPPA has a safe harbor T or F
True, participate in a seal program
405
Two states with laws for children between 13 and 18
California and Delaware
406
COPPA, state AG can also prosecute, T or F
t
407
Data Broker is what
Collect personal information of consumers and resell it
408
Big data
Large amounts of data, analyzed to get insights on consumer behavior
409
FTC data broker minimization practices
2014, data brokers to use data minimization practices as they relate to children
410
FTC 2016 report on big data
Potential harm from inaccurate predictions
411
IoT privacy and security concerns
Consumer consent, no UI, need new models of FIPs and security by design
412
HIPAA law originally for what
shift to electronic reimbursement requests, efficiency of healthcare
413
HHS rules for administrative simplification
Privacy rule and the Security rule
414
Privacy and Security rule apply to whom
Covered entities and Business associates
415
What is a covered entity
A healthcare provider that bills for insurance
416
What is a business associate
Any person or entity that receives health information from a covered entity to provide services on behalf of the covered entity
417
What is PHI
individually identifiable health information
418
The terms covered entity, business associate, and PHI were codified …
In HITECH
419
Minimum necessary requirement
limit PHI to the minimum necessary to accomplish the intended purpose
420
Limited data set
Data set with facial identifiers removed, 16 categories
421
Patient authorization
independent document, plain language, description, person, party, purpose, expiry, dated and signed
422
PHI disclosure documentation authorizations
Covered entity to keep a record, give to the individual upon request
423
PHI disclosure exceptions
Emergency, public health activities, report victims of abuse or domestic violence, court, law enforcement, research, investigate compliance
424
PHI privacy notice must be given when
date of first service, compliance date, time of enrollment, upon request of the person
425
PHI designated record set
Medical, billing, enrollment, any other information used to make decisions
426
PHI right to access records
Access the designated record set, except for psychotherapy notes or information collected for a legal proceeding or regulatory action
427
PHI access request timeline
within 30 days
428
PHI disclosures accounting timeline
can request the last 6 years
429
HIPAA security rule standards
ensure CIA, threats, PHI uses or disclosures, ensure compliance
430
Security measure decision criteria
the measure's size, complexity, capabilities, technical infrastructure, cost, risk occurrence probability, potential risks
431
HIPAA, forms of security rule implementation
Required and Addressable
432
HIPAA, privacy and security rule, are contracts between parties mandatory
Yes
433
Enforcement of HIPAA privacy and security rules
OCR, FTC, DOJ, State Attorneys General
434
HIPAA privacy and security rule, time to fix violations
30 days
435
HIPAA preemption, state requests
States can request that their law is not preempted; they have to ask HHS; the California Medical Information Privacy Act is an example
436
HIPAA safe harbor
A company has had recognized security practices in place for not less than 12 months
437
Why have a HIPAA safe harbor
Gives HHS greater discretion in imposing fines
438
What is contact tracing
Mapping a person's contact with others, communicable diseases
439
HIPAA doesn't impact contact tracing, T or F
t
440
Biggest things HITECH did
Rules for data breaches, increased penalties, gave greater access to records, codified terms
441
Data breach is presumed unless
There is a low probability of compromise based on nature and extent of disclosure, who the person was that accessed it, was it acquired or viewed, extent the risk has been mitigated
442
Data breach notice period to affected people
60 days
443
Data breach >500
Notify media outlets, within 60 days
444
Data breach always notify …
Secretary of HHS
445
Data breach notification period extended if…
Law enforcement says so
446
HHS oversees GINA, T or F
t
447
GINA is PHI under HIPAA, T or F
t
448
Cures Act did what
Share info with family and caregivers, biomed research confidential, allowed for remote viewing of PHI, no information blocking
449
What is a Part 2 Program
Any federally assisted program that provides training or treatment for substance use
450
Substance Use patient record disclosure exceptions, can disclose if..
Patient consents, veteran affairs, crimes, child abuse, medical emergency, audits, court order
451
Substance Use patient record use restrictions..
can't use to initiate criminal charges or criminal investigation
452
Part 2 Programs must do..
provide notice of rights, formal security program, protect paper and electronic records, destroy records when the company leaves the Part 2 program
453
The FCRA is what
Fair credit reporting act
454
FCRA came from where
Title VI of FDIC and amended the Consumer Credit Protection Act (CCPA)
455
First federal law protecting personal information from private businesses is..
Fair credit reporting act (FCRA)
456
Who the FCRA applies to
Any consumer reporting agency (CRA) or users of a consumer report, furnishers of information to the CRA, companies that extend credit - red flags rule
457
What the FCRA applies to
Consumer reports
458
What is a consumer report
written, oral, or other communication used for eligibility for credit, insurance, employment, character, reputation, mode of living
459
Consumer report exceptions
Not a consumer report if it's transactional, between affiliates, consumer is provided an opt out of affiliate sharing
460
FCRA permissible purpose
CRAs can't share a consumer report unless the user has a permissible purpose
461
FCRA permissible purpose list
court order, consumer consent, credit transaction, employment purpose, insurance, gov benefits, assess credit risk, account terms, travel charge cards, child support, liquidation
462
FCRA employment purpose
offer, promotion, reassignment, retention
463
FCRA credit transaction purpose
consumer consent, firm offer of credit or insurance
464
FCRA firm offer purpose
firm offers of credit or insurance, the CRA must maintain a notification system and allow users to opt out
465
FCRA firm offer opt out is good for..
5 years
466
FCRA signed notice of election implemented when..
must be implemented within 5 business days
467
Can CRAs provide consumer reports with medical information
Only if it is coded for insurance purposes
468
Consumer reports with medical information..
Users are prohibited from re-disclosing that consumer report
469
FCRA CRAs have to ensure the report is …
the consumer report has to be accurate, current, and complete
470
Credit report exclusions
Bankruptcy >10 years, other stuff more than 7 years old
471
Credit report exclusions don't apply if..
Don't apply to credit, life insurance >$150K, employment >$75K salary
472
Credit report must include
Bankruptcy chapter, number of credit inquiries, credit account voluntarily closed, any dispute information
473
CRAs are obligated to maintain what..
procedures
474
CRA procedures should ensure what..
identity of users are validated, consumer reports are accurate
475
CRAs must provide notices to…
both uses and furnishers of information
476
Consumer report access 1
Consumers have a right to see all the information in their file maintained by the CRA
477
Consumer report access 2
Consumers have a right to see everyone their report was given to in the last 2 years for employment, last 1 year for everything else
478
CRAs are required to provide credit score to consumers, T or F
479
CRAs are required to provide their sources to consumers, T or F
480
Before making any disclosure to a consumer, the CRA must
Confirm the consumer's identity
481
When CRAs make disclosures to a consumer it must..
Be in writing, unless consumer consents otherwise, and it must include a summary of the consumer's rights
482
Consumer files a dispute, CRA must complete their investigation in how many days
30 days
483
The FCRA refers to investigating a consumer dispute as what..
A re-investigation
484
CRA provide notice of the consumer dispute to the Furnisher within how many days
5 days
485
CRAs must delete information from their files if..
The reinvestigation reveals the information was inaccurate, incomplete, or can't be verified
486
If the CRA deletes information from their file they must do what..
Notify anyone who received the consumer report within the last 6 months, or for 2 years if it was for employment purposes
487
CRA re-investigation results must be provided to the consumer within how many days
Within 5 days of it being completed
488
CRAs, if a consumer provides a statement of disagreement it must..
it must be included in all future consumer reports containing the disputed information
489
When an adverse action is taken against a consumer because of a consumer report, what must happen..
notice must be given to the consumer
490
When a consumer report adverse action is taken the notice to the consumer must contain
The name and contact information of the CRA, a statement that the CRA isn't responsible for and can't explain the decision, their right to request a free copy within 60 days, their right to protest it
491
Consumer report, adverse action, due to credit score..
Consumer to be provided a credit score and information to understand the score
492
Consumer report liability can be avoided if..
If reasonable procedures are in place to ensure compliance to the law
493
Consumer report adverse action employment
A copy of the report must be given to the consumer along with their rights before taking action; however, if the consumer submitted the employment application by mail, phone, or computer, they don't need to do this
494
Consumer report adverse action employment, provide notice within how many days
within 3 days after taking action, and provide the name and contact info of the CRA, a statement, and how to get a free copy
495
Consumer report reselling
Tell the CRA who the user is, the permissible purpose, procedures in place, verify identity and certifications of recipient
496
Limited consumer report is used where
For firm offers of credit or insurance not initiated by a consumer, i.e., companies creating a prequalification list for their product or service
497
Companies using limited consumer reports must do what..
maintain records of the prescreen criteria for 3 years
498
Consumer report offer solicitation, opt out..
CRA file was used, they are credit worthy, service can be withheld if fail further screening, consumer can prohibit (opt out of) similar solicitations by contacting the CRA
499
Consumer report, Furnishers prohibited..
From providing false or inaccurate information