Flash Cards 3

Question 1

Q

4 types of privacy

Answer

A

information, bodily, communication, territory

Question 2

Q

Identified individual is what

Answer

A

ascertained with certainty

Question 3

Q

Turn personal info into non personal info by

Answer

A

de-identifying it or anonymizing it

Question 4

Q

Encryption is what

Answer

A

making data unrecognizable

Question 5

Q

Anonymization is what

Answer

A

stripping it of identifying info

Question 6

Q

Pseudonymization is what

Answer

A

associate it with a pseudonym

Question 7

Q

Sources of information are

Answer

A

public, publically accessible, and non public

Question 8

Q

Data subject

Answer

A

person whos data is processed

Question 9

Q

Data controller

Answer

A

The organization that decides how information is processed

Question 10

Q

Data processor

Answer

A

The organization that processes the data

Question 11

Q

FIPs

Answer

A

Balance privacy with security and fairness

Question 12

Q

DHEW renamed HHS promulgated FIPs , T or F

Question 13

Q

The FIPs 5 organizational practices

Answer

A

No secret systems, know what’s in your record and how used, prevent misuse, correct errors, data reliability

Question 14

Q

Privacy Act of 1974 codified what..

Question 15

Q

Examples of FIPs in the U.S.

Answer

A

1973 FIPs, Privacy Act 1974, 20212 White House Report, 2012 FTC Report

Question 16

Q

FTC report had 3 key things..

Answer

A

Privacy by design, simplified consumer choice, transparency in company data practices

Question 17

Q

FTC report prioritized 5 areas..

Answer

A

Do no track, mobile device data, data brokers, tracking by large comapnies, self regulation

Question 18

Q

International FIPs examples

Answer

A

OECD, European Council Convention, Madrid Resolution

Question 19

Q

FIPs individual rights

Answer

A

Notice, consent, access

Question 20

Q

FIPs organization responsibilities

Answer

A

security, data quality, limitation principle, accountability

Question 21

Q

OECD is what..

Answer

A

Organization of economic cooperation and development; privacy and transborder flow of personal data

Question 22

Q

OECD 8 principles

Answer

A

collection limitation, quality, specific purpose, use limitation, security, openess, individual participation, accountability

Question 23

Q

Council of Europe Convention..

Answer

A

Automatic processing of personal data

Question 24

Q

Council of Europe Convention incorporates…

Answer

A

FIPs into domestic laws

Question 25

Q

Council of Europe Conventional Article 5

Answer

A

data quality

Question 26

Q

Council of Europe Conventional Article 6

Answer

A

categories of data

Question 27

Q

Council of Europe Conventional Article 7

Question 28

Q

Council of Europe Conventional Article 8

Answer

A

Data subject safeguards

Question 29

Q

Madrid Resolution..

Answer

A

Standards on data protection, uniformity, transborder data flow

Question 30

Q

what is Notice

Answer

A

How an organization processes personal information

Question 31

Q

what is Consent

Answer

A

How your personal information is collected, used, and retained

Question 32

Q

what is Access

Answer

A

Giving you access to your personal information

Question 33

Q

Types of security controls

Answer

A

Physical (locks, cameras), Technical (code, systems) , Administrative (policies)

Question 34

Q

what is Data Quality

Answer

A

data should be accurate, complete, and relevant

Question 35

Q

what is Accountability

Answer

A

data to be defined and documented

Question 36

Q

Sources of privacy protection are

Answer

A

Government, regulations, market

Question 37

Q

what is the goal of legal protection

Answer

A

compensation and deterrence

Question 38

Q

Market protections arose because of

Answer

A

consumers react to data policies, publicity of data breaches

Question 39

Q

Self regulatory protection examples

Answer

A

PCI-DSS, DAA

Question 40

Q

Self regulatory protections bring together..

Answer

A

Industry standards and legal standards

Question 41

Q

What are the two protection privacy regimes

Answer

A

Sectoral and Comprehensive

Question 42

Q

Example of a sectoral privacy regime

Answer

A

United States

Question 43

Q

Example of a comprehensive privacy regime

Question 44

Q

Critiques of sectoral model

Answer

A

Divergent policies, inadequate, overly burdensome

Question 45

Q

Critiques of comprehensive model

Answer

A

costs outweigh benefit, doesn’t account for unique situations, discourages innovation

Question 46

Q

What is a cor-regulatory model

Answer

A

Combines self regulatory and either the sectoral or comprehensive model

Question 47

Q

Self Regulation is sometimes thought of as a …

Answer

A

3rd model alongside Sectoral and Comprehensive

Question 48

Q

What are the 3 branches of government

Answer

A

Executive, Legislative, Judicial

Question 49

Q

Which article of the constitution vests legislative power

Answer

A

Article I

Question 50

Q

Executive branch, which constitution article

Answer

A

Article II

Question 51

Q

Judicial branch, which constituional article

Answer

A

Article III

Question 52

Q

How many regional circuit courts

Question 53

Q

Federal judicial system process

Answer

A

Federal district court, appeal to US circuit court, appeal to US Supremen court

Question 54

Q

Most important circuit court is what

Answer

A

D.C. circuit court

Question 55

Q

Legislative branch checks

Answer

A

Executive branch, veto override, impeach, approve appointments; Judicial branch, change laws, approve judges, impeach judges, court jurisdiction

Question 56

Q

Executive branch checks

Answer

A

Legislative branch, veto; Judicial branch, appoint judges

Question 57

Q

Judicial branch checks

Answer

A

Legislative branch, unconstitutional; Executive branch, unconstitutional, interpretations invalid

Question 58

Q

Sources of law

Answer

A

Constitution, Satutory Law, Regulations and Administrative Rulemaking, Common Law, Contractual Law, International Law

Question 59

Q

The foundation of law is what

Answer

A

The constitution

Question 60

Q

Most significant privacy requirements come from where

Answer

A

Federal and State legislation

Question 61

Q

Statutory law is what

Answer

A

Legislation (laws) from Federal and States

Question 62

Q

Regulations and Administrative Rulemaking is what

Answer

A

Federal agencies enforcing statutory law

Question 63

Q

Common Law / Case Law is what

Answer

A

Societal customs and judicial decisions

Question 64

Q

Stare Decisis is what

Answer

A

Stand by things decided

Answer 60

A

Common Law / Case Law

Answer 61

A

Legally binding agreements

Answer 62

A

Offer, Acceptance, Consideration

Answer 63

A

a contract, party agrees to abide by a judgement

Answer 64

A

avoid admitting guilt

Answer 65

A

Laws in foreign jurisdictions

Answer 66

A

A court’s authority to hear a case

Answer 67

A

Personal, Subject Matter

Answer 68

A

Federal law override or supersede inconsistent state law

Answer 69

A

The doctrine of preemption

Answer 70

A

A court’s authority to hear specific types of disputes

Answer 71

A

A court’s authority between people or to bring people into its process

Answer 72

A

A company

Answer 73

A

To protect consumers against unfair or deceptive trade practices

Answer 74

A

a 5 member bipartisan commission

Answer 75

A

12 banks, 7 governors, 14 year term

Answer 76

A

Perponderance of evidence

Answer 77

A

Beyond a reasonable doubt

Answer 78

A

DOJ for Federal crimes, and the State prosecutor for State crimes

Answer 79

A

Plaintiff

Answer 80

A

The defendent is legally obligated or accountable to the plaintiff

Answer 81

A

one party fails to perform any of its contractual obligations at the time performance is due

Answer 82

A

had the contract been performed

Answer 83

A

contract not been made

Answer 84

A

unjustly enriched

Answer 85

A

ordered to comply (fulfill) the contract

Answer 86

A

which court will try (hear) the case

Answer 87

A

use an arbitrator

Answer 88

A

a civil wrong

Answer 89

A

knows or should know it will cause harm

Answer 90

A

failing to observe the standard of care

Answer 91

A

engaged in prohibited conduct

Answer 92

A

Intrusion Upon Seclusion, Appropriation of Name or Likeness, Publically Given to Private Life, False Light

Answer 93

A

intentionally intrude

Answer 94

A

use another’s name or likeness

Answer 95

A

make something public that isn’t a legitimate public concern

Answer 96

A

places someone in false light

Answer 97

A

conduct that falls below the standard established by law for the protection of others against unreasonable risk of harm

Answer 98

A

rules for administrative enforcement actions, Federal rules of civil procedure

Answer 99

A

an ALJ, administrative law judge

Answer 100

A

Unfair and Deceptive Acts and Practices, the state version of FTC unfair or deceptive trade practices

Answer 101

A

State Attorney’s General

Answer 102

A

Data breaches

Answer 103

A

State Attorney’s General

Answer 104

A

How states coordinate responses to legal issues and exchange information

Answer 105

A

Global privacy enforcement network, connects privacy enforcement authorities around the world

Answer 106

A

Asia Pacific Economic Cooperation, cross boarder enforcement of privacy law

Answer 107

A

exchanging info, training, dialogue, processes bilatteral and multilatteral cooperation, actions for communication

Answer 108

A

Cross boarder Privacy Enforcement Action, came out of APEC

Answer 109

A

information sharing, cross boarder cooperation, cooperation on privacy investigation and enforcement

Answer 110

A

self policing of industry groups for compliance

Answer 111

A

industry expertise, increased efficiency, flexible, quicker to react,

Answer 112

A

anti competitive, not as robust as govt, lax enforcement, may not full incorporate perspectives of others not in the industry

Answer 113

A

both industry and government jointly administer the process, an example is COPPA

Answer 114

A

Developed by the credit card companies, each CC company has its own program for compliance, it is overseen by the credit card companies (Security Standards Council)

Answer 115

A

firewall, no defaults, stored data, encrypt transmissions, malware, secure systems, restrict access, authenticate access, restrict physical access, monitor access, test, policies

Answer 116

A

increase consumer confidence

Answer 117

A

the Council of Better Business Bureaus (CBBB) and Digital & Marketing Association (DAA)

Answer 118

A

A “reasonable” time, not to exceed 45 days.

Answer 119

A

generic term referring to processes like data inventory, data flow analysis, classifying data

Answer 120

A

identifies personal data as it moves across systems, shared, and stored, sometimes called Record of Authority

Answer 121

A

analyze what laws you need to comply with

Answer 122

A

physical location of servers

Answer 123

A

where data is stored

Answer 124

A

who has access, how and when information is shared, who has internal access, what 3rd parties have access

Answer 125

A

how information moves through the organization, increase confidence in regulatory compliance

Answer 126

A

classifying data by sensitivity

Answer 127

A

provides the basis for managing access

Answer 128

A

confidential, proprietary, sensitive, restricted, public

Answer 129

A

laws are followed, limit consequences of breaches, limit scope of disclosure, lowers cost of responding to a data breach

Answer 130

A

develop privacy programs / information management programs

Answer 131

A

legal, reputational, operational, investement

Answer 132

A

regulatory action, litigation

Answer 133

A

the trust consumers place in an organization

Answer 134

A

trade off between privacy programs and achieving organizational goals

Answer 135

A

are the benefits of the program worth the cost

Answer 136

A

Developing a privacy vision / mission statement

Answer 137

A

Ensure the program is implemented properly, basis for training, accountability, decision making

Answer 138

A

Assess, Protect, Sustain, Respond, also Discover, Build, Communicate, Evolve

Answer 139

A

continuously monitors and improves the privacy program

Answer 140

A

Opt In, Double Opt In, Opt Out, No Option

Answer 141

A

express, reqires affirmative action

Answer 142

A

obtaining consent, then confirming it again

Answer 143

A

passive, consent is implied, processing will occur unless you opt out

Answer 144

A

implied by the circumstance, i.e. sharing your address with the post office

Answer 145

A

However you are interacting with the consumer, in the same manner allow them to consent

Answer 146

A

A comprehensive model.

Answer 147

A

Companies should obtain a separate consent specifically applicable to third-party data processors.

Answer 148

A

California’s Delete Act.

Answer 149

A

Whether the parties have domestic subsidiaries in the United States.

Answer 150

A

At the most expeditious time possible and without unreasonable delay.

Answer 151

A

Whether there is probable cause to believe that that the person being monitored is either a foreign power or an agent of a foreign power.

Answer 152

A

Individual payment card brands.

Answer 153

A

An NSL may now be issued if relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.

Answer 154

A

A breach is presumed unless a risk assessment establishes that there was a low probability that PHI has been compromised.

Answer 155

A

Determining whether an employee is entitled to a raise.

Answer 156

A

Every state requires that a data processor notify a data controller when a breach occurs.

Answer 157

A

It may limit the amount of data disclosed in the event of a data breach.

Answer 158

A

The FTC enforces CAN-SPAM according to its “unfair and deceptive” trade practices authority but shares enforcement authority with prudential regulators.

Answer 159

A

“Unconscionable” acts or practices.

Answer 160

A

HIPAA does not apply because the health information provided by children is not made in connection with a covered transaction.

Answer 161

A

more than 10 days

Answer 162

A

A passive form, where consent is implied, processing occurs unless you opt-out

Answer 163

A

Protection of data from unauthorized access

Answer 164

A

Personal information

Answer 165

A

Confidential information

Answer 166

A

Confidentiality, Integrity, Availability

Answer 167

A

Limit damage, loss, modification, and unauthorized access

Answer 168

A

Preventative, Detective, Corrective

Answer 169

A

Prevent an incident

Answer 170

A

Identify an incident

Answer 171

A

Fix or limit the damage of an incident

Answer 172

A

Physical, Administrative, Technical

Answer 173

A

Breach response team. 2. Privacy docs. 3. Sharing breach information. 4. Reporting. 5. Assess the risk. 6. Mitigating risk. 7. Notification.

Answer 174

A

Confirm the breach. Then, 1. Secure Operations / Contain. 2. Analyze and fix vulnerabilities. 3. Notify. 4. Proactive steps to avoid future breaches

Answer 175

A

Re-evaluate 3rd party service providers

Answer 176

A

Law enforcement, usually through Attorney’s General, if PHI then HHS and the media, Business partners if contracts say so, and Affected individuals

Answer 177

A

Consult law enforcement so you don’t impede any investigation, Designate a communication person, a year of free credit monitoring

Answer 178

A

Clear description of what happened, Contact information of the organization, Steps an affected individual can take

Answer 179

A

Employee training, Third party security audits, Analyze the entire breach

Answer 180

A

Creating a privacy program, Incident response program, and Workforce training

Answer 181

A

Part of the accountability principle, lower costs of responding to breaches

Answer 182

A

All members on policies and procedures for PHI

Answer 183

A

Identify reasonable and foreseeable internal and external risks, employee training and management

Answer 184

A

Establish an identity theft program

Answer 185

A

the FTC uner authority of the Fair and Accurate Credit Transactions Act of 2003 (FACTA)

Answer 186

A

Anyone owning or licensing information about a Massachusetts resident must have a secrutiy program and employee training

Answer 187

A

A security awareness program to be in place

Answer 188

A

The data controller is responsible for compliance and demonstrates compliance through documentation

Answer 189

A

Implementing technical and organization measures to demonstrate the handling of personal information is done in accordance with the law

Answer 190

A

Policies, Procedures, Governance, Monitoring, Training

Answer 191

A

the Organization to determine

Answer 192

A

Only for so long as necessary to achieve it purpose

Answer 193

A

Destroyed or anonymized

Answer 194

A

Fair and Accurate Credit Transaction Act (FACTA) for the Disposal Rule, and Fair Credit Reporting Act (FCRA) for Identity Theft

Answer 195

A

Limit the length of time data is retained

Answer 196

A

HTML, CSS, XML, JavaScript

Answer 197

A

Web client downloads files from the web server and the web browser interprets and displays them to the user

Answer 198

A

How the web client and the web server communicate

Answer 199

A

Breaks information into packets

Answer 200

A

Interfaces with the physical infrastructure

Answer 201

A

Is the main commiunication protocol of the internet

Answer 202

A

transport layer security

Answer 203

A

a unique number assigned to each device

Answer 204

A

name and web address assigned to files

Answer 205

A

the phone book of the internet

Answer 206

A

intermediate web server

Answer 207

A

establishes an encrypted connection

Answer 208

A

IP Address, date and time of the page requested, URL of the file, broswer type, URL visited prior

Answer 209

A

content stored locally

Answer 210

A

Passive data collection

Answer 211

A

Active data collection

Answer 212

A

privacy notice done at the point of collection

Answer 213

A

purchased or licensed

Answer 214

A

a program contained wth a website

Answer 215

A

a web page imbedded into another one

Answer 216

A

unsolicited emails

Answer 217

A

malicious software

Answer 218

A

malware downloaded covertly

Answer 219

A

malware that locks or encrypts your operating system

Answer 220

A

communication designed to trick users

Answer 221

A

provide a dbase command to a web server

Answer 222

A

malicious code injected into a webpage

Answer 223

A

a cookie is modified to gain unauthorized access

Answer 224

A

access through fraudulent means

Answer 225

A

data conforms to requirements

Answer 226

A

removing harmful characters

Answer 227

A

manipulating a user to create a security vulnerability

Answer 228

A

advertising based upon information associated with an individual

Answer 229

A

Icon, consumers to exercise choice, Digital Advertisiing Alliance (DAA)

Answer 230

A

prevent cookie tracking without consent

Answer 231

A

map a user moving from a laptop to a mobile device

Answer 232

A

deterministic tracking, probabilistic tracking

Answer 233

A

track where ther person logs into

Answer 234

A

collects information from multiple devices and draws inferences based on probabilities

Answer 235

A

one pixel image stored on your computer

Answer 236

A

monitors users behavior

Answer 237

A

uses the devices GPS

Answer 238

A

signals sent rom a beconing device

Answer 239

A

automatically collect user data when you visit a webpage

Answer 240

A

text file placed on your hard drive by a web server

Answer 241

A

text file ony used while connected that web server

Answer 242

A

long lived cookie set to expire sometime in the future

Answer 243

A

owned by the host of the web server

Answer 244

A

owned by the someone other than the weber server host

Answer 245

A

cookie stored outside the browsers control, dangerous, respawn, zombie cookies

Answer 246

A

stored information should be encrypted, only use persistent cookies where necessary and should expire in a reasonable time, provide notice to cookie usage, disclose 3rd party cookie providers, provide an opt-out function, follow general FIPs

Answer 247

A

Childrens Online Privacy Protection, childeren under 13

Answer 248

A

Children under 16

Answer 249

A

California and Deleware, California Minors in the Digital World Act, Deleware Online and Personal Privacy Protection Act

Answer 250

A

California Consumer Privacy Act, no selling info of children under 16 without consent, Data Controller may obtain consent from he child through an opt-out procedure, under 13 consent is from the parent

Answer 251

A

document, states how a company collects, stores, and uses personal information it gathers

Answer 252

A

tells employees how personal information should be stored, accessed, and utilized.

Answer 253

A

informs consumers how their personal information will be used, helps consumers make an informed decision

Answer 254

A

maintain a link on the website and each page where personal information is collected

Answer 255

A

send customers the privacy policy each year

Answer 256

A

conspiciously post the privacy policy on the website and mobile apps

Answer 257

A

categories of personal information, categories of third parties, how to request changes, how the policy is updated, it’s effective date, how it responds to do-not-track, if a third party can collect personal information

Answer 258

A

privacy policy not being followed is an unfair or deceptive trade practice, FTC can bring enforcement

Answer 259

A

designing, developing, testing, releasing, revieweing and updating

Answer 260

A

data should be used in a manner consistent with the notice what was in effect at the time data was obtained

Answer 261

A

express, affirmative consent should be given by consumers before making material retroactive changes to data usage

Answer 262

A

at a minimum, sharing consumer information with third parties after committing not to share the data

Answer 263

A

short at the top, option to review the detailed longer privacy notice

Answer 264

A

one point to manage all privacy preferences

Answer 265

A

symbols used to indicate how information is processed

Answer 266

A

to enhance transparency

Answer 267

A

the data controller is responsible for any data misuse by vendors

Answer 268

A

Data controllers must have written contracts with their business associates

Answer 269

A

Data controllers to have written contacts in place before processing may occur

Answer 270

A

Data controller to have sufficient gaurantees from their third parties, properly vet and contract the 3rd parties

Answer 271

A

Consider their reputation, financial condition, and security controls

Answer 272

A

confidentialiy provisions, security protections, audit rights, no further use provision, subcontractor use, information sharing, breach notification, consumer consent, data classification system, and an end of relationship provision

Answer 273

A

the organization’s privacy notice and practices

Answer 274

A

3rd party vendors

Answer 275

A

physical location of the servers

Answer 276

A

California consumer privacy act, users have the right to opt-out of data selling

Answer 277

A

Virginia consumer data protection act, user can opt-out of targeted advertising, data selling, and profiling

Answer 278

A

California privacy rights act, data controllers to have contracts with any party they share data with

Answer 279

A

dictate what laws apply

Answer 280

A

a person’s information is subject to the laws of their home jurisdiction

Answer 281

A

facilitate the free flow of data between EU member states

Answer 282

A

Adequacy decision, appropriate safeguards, derogations

Answer 283

A

BCRs, EC model clauses, National model clauses, Codes of conduct, Certification, Ad Hoc contract

Answer 284

A

Consent, Performance of contract, Public interest, Legal claims, Vital interests, Legitimate interest

Answer 285

A

equivalent or greater protection in the transferee country

Answer 286

A

no more safe harbor, in part because of Edward Snowden

Answer 287

A

no more privacy shield, facebook ireland

Answer 288

A

a company’s rules for internally handling data transfer, don’t apply to data transfers with 3rd parties

Answer 289

A

it must be certified by a privacy supervisory agency in the EU

Answer 290

A

binding contract rules must contain stuff about, transparency, quality, security, audit, training, compliance procedures, a binding element

Answer 291

A

standard contract clauses, a company contractually promises to comply with EU law

Answer 292

A

the transferee country equivalent protections as GDPR, the clause and the legal system, or the supervisory authority should suspend the transfer priviledges

Answer 293

A

have to get approval from an EU data protection authority or the EU commission, the data protection authority has enforcement authority to include suspension

Answer 294

A

last resort

Answer 295

A

controllers and processors to conduct a transfer impact assessment prior to transferring personal data

Answer 296

A

a risk assessment of transferring data to a third countries, considers SCCs, legal system, adequacy decision stuff

Answer 297

A

understand all transfers of personal data, verify all transfer tools, assess if appropriate safeguards will be impinged upon, identify supplemental measures, steps for supplemental measures, re-evaluate the level of protection in the trasferee country

Answer 298

A

Google Analytics violates Chapter V of GDPR, SCCs didn’t provide appropriate safegaurds, US intelligence agencies could access data

Answer 299

A

cornerstone of privacy program management

Answer 300

A

discover (assess), build (protect), communicate (sustain), evlove (respond)

Answer 301

A

(1) Discover/Assess (including “Issue identification and self-assessment” and “Determination of best practices”); (2) Build/Protect (including “Procedure development and verification” and “Full implementation”); (3) Communicate/Sustain (including “Documentation” and “Education”); and (4) Evolve/Respond (including “Affirmation and monitoring” and “Adaptation”)

Answer 302

A

a policy based approach to managing the flow of information through a lifecycle

Answer 303

A

privacy policy, privacy statement, fair processing statement, strictly speaking the notice is internal facing the policy is external facing

Answer 304

A

Fair information practices (FIPs)

Answer 305

A

have assets and employees in the EU, data stored in the EU, and data interactions with EU residents

Answer 306

A

of EU data subjects that access their websites or digital products

Answer 307

A

4% of the company’s global revenue

Answer 308

A

Data protection authorities ,one in each EU country, but Germany has 1 national and 16 state level, DPAs enforce the GDPR

Answer 309

A

investigate, correct, advise; ask for records and proof of compliance, ban/stop/suspend data procecssing, require additional breach notification, order erasing of information, suspend cross boarder data flow

Answer 310

A

Transparent communication

Answer 311

A

Right to access

Answer 312

A

Rectify data

Answer 313

A

Restrict processing

Answer 314

A

Notification obligation to data subjects about their rights

Answer 315

A

Data portability

Answer 316

A

Object to processing personal information

Answer 317

A

No Automated processing

Answer 318

A

30 days after receipt, possible to get an extension of 60 days if the request is burdensome

Answer 319

A

Without undue delay

Answer 320

A

Without undue delay

Answer 321

A

Data is unintelligible, taken steps to minimize risk, would require disproportionate effort

Answer 322

A

Asia Pacific Economic Cooperation, founded in 2004

Answer 323

A

FIPs in APEC is similar to Madrid Resolution

Answer 324

A

preventing harm, notice, collection limitation, use of personal information, choice, integrity of information, security safeguards, access, correction, accountability

Answer 325

A

Cross boarder privacy enforcement agreement, APEC

Answer 326

A

multi jurisdiction, key practices to most restrictive laws

Answer 327

A

Antitrust laws

Answer 328

A

In 1938 it gave it general consumer protection authority, referred to as Section 5

Answer 329

A

5 people, a chairperson and 4 commissioners

Answer 330

A

privacy, fair credit reporting act (FCRA), CAN-SPAM act, COPPA

Answer 331

A

most important piece of federal privacy legislation

Answer 332

A

unfair or deceptive acts or practices affecting commerece are unlawful

Answer 333

A

apply to acts of foreign trade

Answer 334

A

non-profits, banks, financial institutions, common carriers

Answer 335

A

permitted it to issue regulations

Answer 336

A

To bring enforcement actions

Answer 337

A

news, public complaints, etc.

Answer 338

A

Investigatory powers

Answer 339

A

require business to submit written reports, subpoena power

Answer 340

A

If the FTC has reason to believe

Answer 341

A

An Administrative Law Judge (ALJ)

Answer 342

A

an injunction, ALJ can not impose civil penalties

Answer 343

A

ALJ to FTC commissioners to Federal Circuit Court

Answer 344

A

Prosecute claims before a Federal District Court, review by the Federal Appelate Court

Answer 345

A

TRUE , to provide guidance to other companies

Answer 346

A

Enforces good practice, avoid expense, easily enforceable, avoid additional negative press, limits exposure to business practices to competitors

Answer 347

A

a material statement or omission that is likely to mislead consumers who are acting reasonably

Answer 348

A

first privacy enforcement action, GeoCities sold information

Answer 349

A

first consent decree, revealed email addresses

Answer 350

A

collecting names and phone numbers, and messages didn’t get deleted

Answer 351

A

did not conduct annaul re-certifications

Answer 352

A

tracked consumers via mobile devices

Answer 353

A

couldn’t prevent all identity theft

Answer 354

A

3rd party developers could access user data

Answer 355

A

weak encryption, secretly installed software

Answer 356

A

Substantial injury, lack of off setting benefits, and consumers could’t have reasonably avoided

Answer 357

A

log key strokes, take screen shots, photograph anyone with the camera, geo track users

Answer 358

A

upheld FTCs unfairness authority, affirmed FTCs authority to regulate cybersecurity

Answer 359

A

rule making authority for unfair or deceptive trade practices, i.e. trade rules

Answer 360

A

disclosed patient information

Answer 361

A

FTCs cease and desist was unenforceable, FTC started holding public hearings

Answer 362

A

weak security measures

Answer 363

A

man in the middel attacks, pre-installing software

Answer 364

A

exposed routers and web cameras to attack

Answer 365

A

falsely claimed to have bank grade security

Answer 366

A

didn’t have appropriate security measures

Answer 367

A

COPPA violations

Answer 368

A

didn’t have reasonable security measures

Answer 369

A

IoT data and physical security issues

Answer 370

A

unsecured cloud storage

Answer 371

A

violated GLBA, mortgage information

Answer 372

A

geolocation data, IP addresses, and info stored in cookies

Answer 373

A

all operators of commercial websites

Answer 374

A

information collected, how used, if info is disclosed to third parties

Answer 375

A

mail or fax a consent form, credit card, debit card, call a toll free number, video conference, government issued ID

Answer 376

A

collected for the purpose of increasing security

Answer 377

A

access information, withdraw consent

Answer 378

A

True, participate in a seal program

Answer 379

A

California and Deleware

Answer 380

A

Collect personal information of consumers and resell it

Answer 381

A

Large amounts of data, analyized to get insights on consumer behavior

Answer 382

A

2014, data brokers to use data minimzation practices as they relate to children

Answer 383

A

Potential harm from inaccurate predictions

Answer 384

A

Consumer consent, no UI, need new models of FIPs and security by design

Answer 385

A

shift to electronic reimbursement requests, ,efficiency of healthcare

Answer 386

A

Privacy rule and the Security rule

Answer 387

A

Covered entities and Business associates

Answer 388

A

A healthcare provider that bills for insurance

Answer 389

A

Any person or entity that receives health information from a covered entity to provide services on behalf of the covered entity

Answer 390

A

individually identifiable health information

Answer 391

A

In HITECH

Answer 392

A

limit PHI to the minimum necessary to accomplish the intended purpose

Answer 393

A

Data set with facial identifiers removed, 16 categories

Answer 394

A

independent document, plain language, description,person, party, purpose, expire, dated and signed

Answer 395

A

Covered entitiy to keep a record, give to the individual upon request

Answer 396

A

Emergency, public health activities, report victims of abuse or domestic violence, court, law enforcement, research, investigate compliance

Answer 397

A

date of first service, compliance date, time of enrollment, upon request of the person

Answer 398

A

Medical, billing, enrollment, any other information used to make decisions

Answer 399

A

Access the designated record set, except for psychotherapy notes or information collected for a legal proceeding or regulatory action

Answer 400

A

within 30 days

Answer 401

A

can request the last 6 years

Answer 402

A

ensure CIA, threats, PHI uses or disclosures, ensure compliance

Answer 403

A

the measure’s size, complexity, capabilities, technical infrastructure, cost, risk ocurrance probability, potential risks

Answer 404

A

Required and Addressable

Answer 405

A

OCR, FTC, DOJ, State Attorneys General

Answer 406

A

States can request their law is not preempted, have to ask HHS, California Medical Information Privacy Act is an example

Answer 407

A

A company has recognized security practices in place not less than 12 months

Answer 408

A

Give HHS greater discretion imposing fines

Answer 409

A

Mapping a person’s contact with others, communicable diseases

Answer 410

A

Rules for data breaches, increased penalties, gave great acess to records, codified terms

Answer 411

A

There is a low probability of compromise based on nature and extent of disclosure, who the person was that accessed it, was it acquired or viewed, extent the risk has been mitigated

Answer 412

A

Notify media outlets, within 60 days

Answer 413

A

Secretary of HHS

Answer 414

A

Law enforcement says so

Answer 415

A

Share infor with family and care givers, biomed research confidential, allowed for remote viewing of PHI, no information blocking

Answer 416

A

Any federally assisted program that provides training or treatement for substance use

Answer 417

A

Patient consents, veteran affairs, crimes, child abuse, medical emergency, audits, court order

Answer 418

A

can’t use to initiate criminal charges or criminal investigation

Answer 419

A

provide notice of rights, formal security program, protect paper and electronic records, destroy records when the company leaves the Part 2 program

Answer 420

A

Fair credit reporting act

Answer 421

A

Title VI of FDIC and amended the Consumer Credit Protection Act (CCPA)

Answer 422

A

Fair credit reporting act (FCRA)

Answer 423

A

Any consumer reporting agency (CRA) or users of a consumer report, furnishers of information to the CRA, companies that extend credit - red flags rule

Answer 424

A

Consumer reports

Answer 425

A

written, oral, or other communication used for eligibility for credit, insurance, employment, character, reputation, mode of living

Answer 426

A

Not a consumer report if it’s transactional, between affiliates, consumer is provided an opt out of affiliate sharing

Answer 427

A

CRAs can’t share a consumer report unless the user has a permissable purpose

Answer 428

A

court order, consumer consent, credit transaction, employment purpose, insurance, gov benefits, assess credit risk, account terms, travle charge cards, child support, liquidation

Answer 429

A

offer, promotion, reassignment, retention

Answer 430

A

consumer consent, firm offer of credit or insurance

Answer 431

A

firm offers of credit or insurance, the CRA must maintain a notification system and allow users to opt out

Answer 432

A

must be implemented within 5 business days

Answer 433

A

Only if it is coded for insurance purposes

Answer 434

A

Users are prohibited from re-disclosing that consumer report

Answer 435

A

the consumer report has to be accurate, current, and complete

Answer 436

A

Bankruptcy >10 years, other stuff more than 7 years old

Answer 437

A

Don’t apply to credit, life insurance >$150K, employment >$75K salary

Answer 438

A

Bankruptcy chapter, number of credit inquiries, credit account voluntarily closed, any dispute information

Answer 439

A

procedures

Answer 440

A

identity of users are validated, consumer reports are accurate

Answer 441

A

both uses and furnishers of information

Answer 442

A

Consumers have a right to see all the information in their file maintained by the CRA

Answer 443

A

Consumers have a right to see everyon their report was given to in the last 2 years for employment, last 1 year for everything else

Answer 444

A

Confirm the consumer’s identity

Answer 445

A

Be in writing, unless consumer consents otherwise, and it must include a summary of the consumer’s rights

Answer 446

A

A re-investigation

Answer 447

A

The reinvestigation reveals the information was inaccurate, incomplete, or can’t be verified

Answer 448

A

Notify anyone who received the consumer report within the last 6 months, or for 2 years if it was for employment purposes

Answer 449

A

Within 5 days of it being completed

Answer 450

A

it must be included in all future consumer reports containing the disputed information

Answer 451

A

notice must be given to the consumer

Answer 452

A

The name and contact information of the CRA, a statement the CRA isn’t responsible for and can’t explain anything, their right to request a free copy within 60 days, thei right to protest it

Answer 453

A

Consumer to be provided a credit score and information to understand the score

Answer 454

A

If reasonable procedures are in place to ensure compliance to the law

Answer 455

A

A copy of the report must be given to the consumer along with their rights, before taking action, however, if the consumer submitted the employment application by mail, phone, computer, they don’t need to do this

Answer 456

A

within 3 days aftter taking action, and provide name and contact infor of CRA, statement, and how to get a free copy

Answer 457

A

Tell the CRA, who the user is, permissable purpose, procedures in place, verify identity and certifications of recipient

Answer 458

A

For firm offers of credit or insurance not initiated by a consumer, i.e., companies creating a prequalificaiton list for their product or service

Answer 459

A

maintain records of the prescreen criteria for 3 years

Answer 460

A

CRA file was used, they are credit worthy, service can be withheld if fail further screening, consumer can prohibit (opt out of) similar solicitations by contacting the CRA

Answer 461

A

From providing false information or innacurate information

Brainscape's Knowledge GenomeTM

Flash Cards 3

Brainscape's Knowledge Genome^TM