Flash Cards 3
4 types of privacy
information, bodily, communication, territory
Identified individual is what
ascertained with certainty
Turn personal info into non-personal info by
de-identifying it or anonymizing it
Encryption is what
making data unrecognizable
Anonymization is what
stripping it of identifying info
Pseudonymization is what
associate it with a pseudonym
Sources of information are
public, publicly accessible, and non-public
Data subject
person whose data is processed
Data controller
The organization that decides how information is processed
Data processor
The organization that processes the data
FIPs
Balance privacy with security and fairness
DHEW (renamed HHS) promulgated FIPs, T or F
t
The FIPs 5 organizational practices
No secret systems, know what’s in your record and how it is used, prevent misuse, correct errors, data reliability
Privacy Act of 1974 codified what..
FIPs
Examples of FIPs in the U.S.
1973 FIPs, Privacy Act 1974, 2012 White House Report, 2012 FTC Report
FTC report had 3 key things..
Privacy by design, simplified consumer choice, transparency in company data practices
FTC report prioritized 5 areas..
Do Not Track, mobile device data, data brokers, tracking by large companies, self regulation
International FIPs examples
OECD, European Council Convention, Madrid Resolution
FIPs individual rights
Notice, consent, access
FIPs organization responsibilities
security, data quality, limitation principle, accountability
OECD is what..
Organisation for Economic Co-operation and Development; privacy and transborder flow of personal data
OECD 8 principles
collection limitation, quality, specific purpose, use limitation, security, openness, individual participation, accountability
Council of Europe Convention..
Automatic processing of personal data
Council of Europe Convention incorporates…
FIPs into domestic laws
Council of Europe Convention Article 5
data quality
Council of Europe Convention Article 6
categories of data
Council of Europe Convention Article 7
Security
Council of Europe Convention Article 8
Data subject safeguards
Madrid Resolution..
Standards on data protection, uniformity, transborder data flow
what is Notice
How an organization processes personal information
what is Consent
How your personal information is collected, used, and retained
what is Access
Giving you access to your personal information
Types of security controls
Physical (locks, cameras), Technical (code, systems), Administrative (policies)
what is Data Quality
data should be accurate, complete, and relevant
what is Accountability
data to be defined and documented
Sources of privacy protection are
Government, regulations, market
what is the goal of legal protection
compensation and deterrence
Market protections arose because of
consumers react to data policies, publicity of data breaches
Self regulatory protection examples
PCI-DSS, DAA
Self regulatory protections bring together..
Industry standards and legal standards
What are the two protection privacy regimes
Sectoral and Comprehensive
Example of a sectoral privacy regime
United States
Example of a comprehensive privacy regime
Europe
Critiques of sectoral model
Divergent policies, inadequate, overly burdensome
Critiques of comprehensive model
costs outweigh benefit, doesn’t account for unique situations, discourages innovation
What is a co-regulatory model
Combines self regulatory and either the sectoral or comprehensive model
Self Regulation is sometimes thought of as a …
3rd model alongside Sectoral and Comprehensive
What are the 3 branches of government
Executive, Legislative, Judicial
Which article of the constitution vests legislative power
Article I
Executive branch, which constitution article
Article II
Judicial branch, which constitutional article
Article III
How many regional circuit courts
12
Federal judicial system process
Federal district court, appeal to US circuit court, appeal to US Supreme Court
Most important circuit court is what
D.C. circuit court
Legislative branch checks
Executive branch, veto override, impeach, approve appointments; Judicial branch, change laws, approve judges, impeach judges, court jurisdiction
Executive branch checks
Legislative branch, veto; Judicial branch, appoint judges
Judicial branch checks
Legislative branch, unconstitutional; Executive branch, unconstitutional, interpretations invalid
Sources of law
Constitution, Statutory Law, Regulations and Administrative Rulemaking, Common Law, Contractual Law, International Law
The foundation of law is what
The constitution
Most significant privacy requirements come from where
Federal and State legislation
Statutory law is what
Legislation (laws) from Federal and States
Regulations and Administrative Rulemaking is what
Federal agencies enforcing statutory law
Common Law / Case Law is what
Societal customs and judicial decisions
Stare Decisis is what
Stand by things decided
What is the basis for many privacy related doctrines
Common Law / Case Law
Contractual Law is what
Legally binding agreements
A legally binding agreement must have what
Offer, Acceptance, Consideration
What is a consent decree
a contract, party agrees to abide by a judgement
Consent decree benefits
avoid admitting guilt
International Law is what
Laws in foreign jurisdictions
What is jurisdiction
A court’s authority to hear a case
Types of jurisdiction
Personal, Subject Matter
What is preemption
Federal law overrides or supersedes inconsistent state law
The supremacy clause is the basis for what
The doctrine of preemption
What is Subject Matter jurisdiction
A court’s authority to hear specific types of disputes
What is Personal jurisdiction
A court’s authority between people or to bring people into its process
What is a natural person
A human
What is a person
A company
Why was the FTC founded
To protect consumers against unfair or deceptive trade practices
The FTC is led by what
a 5 member bipartisan commission
The Federal Reserve Board info
12 banks, 7 governors, 14 year term
The FTC is the most important Federal privacy regulator, T or F
t
Civil litigation standard of liability
Preponderance of evidence
Criminal litigation standard of liability
Beyond a reasonable doubt
Person bringing the lawsuit in Criminal litigation
DOJ for Federal crimes, and the State prosecutor for State crimes
Person bringing the lawsuit in Civil litigation
Plaintiff
What is legal liability
The defendant is legally obligated or accountable to the plaintiff
Breach of contract
one party fails to perform any of its contractual obligations at the time performance is due
Expectation Interest
had the contract been performed
Reliance Interest
contract not been made
Restitution Interest
unjustly enriched
Specific Performance of a contract
ordered to comply (fulfill) the contract
Forum Selection Clause
which court will try (hear) the case
Arbitration Clause
use an arbitrator
What is a Tort
a civil wrong
Intentional Torts
knows or should know it will cause harm
Negligent Torts
failing to observe the standard of care
Strict Liability Torts
engaged in prohibited conduct
Privacy Torts
Intrusion Upon Seclusion, Appropriation of Name or Likeness, Publicity Given to Private Life, False Light
Intrusion Upon Seclusion
intentionally intrude
Appropriation of Name or Likeness
use another’s name or likeness
Publicity Given to Private Life
make something public that isn’t a legitimate public concern
False Light
places someone in false light
Negligence
conduct that falls below the standard established by law for the protection of others against unreasonable risk of harm
Administrative Procedures Act (APA)
rules for administrative enforcement actions, Federal rules of civil procedure
Administrative actions are brought to …
an ALJ, administrative law judge
What is UDAP
Unfair and Deceptive Acts and Practices, the state version of FTC unfair or deceptive trade practices
UDAP is enforced by …
State Attorneys General
Every state except ?? provides a private right to action for UDAP
Iowa
Is there a Federal data breach law
No
UDAP and other state patch work laws govern what
Data breaches
Who are the leading enforcement regulators for Data Breaches
State Attorneys General
What is the National Association of Attorneys General
How states coordinate responses to legal issues and exchange information
What is GPEN
Global privacy enforcement network, connects privacy enforcement authorities around the world
What is APEC
Asia Pacific Economic Cooperation, cross-border enforcement of privacy law
GPEN (global privacy enforcement network) 5 ways
exchanging info, training, dialogue, processes for bilateral and multilateral cooperation, actions for communication
What is CPEA
Cross-border Privacy Enforcement Action, came out of APEC
Goals of CPEA (cross-border privacy enforcement action)
information sharing, cross-border cooperation, cooperation on privacy investigation and enforcement
What is self regulatory enforcement
self policing of industry groups for compliance
What are the benefits of self regulatory enforcement
industry expertise, increased efficiency, flexible, quicker to react
What are the drawbacks of self regulatory enforcement
anti competitive, not as robust as govt, lax enforcement, may not fully incorporate perspectives of others not in the industry
What is co-regulatory enforcement
both industry and government jointly administer the process, an example is COPPA
What is the most prominent self regulatory program
PCI-DSS
PCI-DSS data points
Developed by the credit card companies, each CC company has its own program for compliance, it is overseen by the credit card companies (Security Standards Council)
PCI-DSS has 12 requirements
firewall, no defaults, stored data, encrypt transmissions, malware, secure systems, restrict access, authenticate access, restrict physical access, monitor access, test, policies
Value of Trust Marks / Seal Programs
increase consumer confidence
Who is responsible for enforcing the DAA principles
the Council of Better Business Bureaus (CBBB) and Digital & Marketing Association (DAA)
How long after a valid request does an educational institution have to provide access to education records of a student?
A “reasonable” time, not to exceed 45 days.
What is a Data Assessment
generic term referring to processes like data inventory, data flow analysis, classifying data
What is a Data Inventory
identifies personal data as it moves across systems, is shared, and is stored; sometimes called Record of Authority
Why is a Data Inventory important
analyze what laws you need to comply with
What is data residency
physical location of servers
What is data location
where data is stored
What is data access
who has access, how and when information is shared, who has internal access, what 3rd parties have access
What is a data flow map
how information moves through the organization, increase confidence in regulatory compliance
Data Inventory and Data Maps are synonymous, T or F
t
What is Data Classification
classifying data by sensitivity
Data classification does what
provides the basis for managing access
What are the common sensitivity levels
confidential, proprietary, sensitive, restricted, public
Classifying data facilitates what
laws are followed, limit consequences of breaches, limit scope of disclosure, lowers cost of responding to a data breach
What is the main function of a privacy professional
develop privacy programs / information management programs
What are the types of risk
legal, reputational, operational, investment
What is legal risk
regulatory action, litigation
What is reputational risk
the trust consumers place in an organization
What is operational risk
trade off between privacy programs and achieving organizational goals
What is investment risk
are the benefits of the program worth the cost
The first step in developing a privacy program is what
Developing a privacy vision / mission statement
Why have written policies
Ensure the program is implemented properly, basis for training, accountability, decision making
What are the steps in the privacy operational lifecycle
Assess, Protect, Sustain, Respond, also Discover, Build, Communicate, Evolve
Def of Privacy Operational Life Cycle
continuously monitors and improves the privacy program
What are the types of consent
Opt In, Double Opt In, Opt Out, No Option
What is Opt In consent
express, requires affirmative action
What is Double Opt In consent
obtaining consent, then confirming it again
What is Opt Out consent
passive, consent is implied, processing will occur unless you opt out
What is No Option consent
implied by the circumstance, e.g. sharing your address with the post office
Managing consent, how should it be done..
However you are interacting with the consumer, in the same manner allow them to consent
After a consumer disputes the accuracy of information in a consumer report, how long does a consumer reporting agency have to re-investigate the information?
30 days.
The California Consumer Privacy Act is an example of what type of privacy protection?
A comprehensive model.
How many days does an organization have to cure a violation of the CCPA before it may be subject to fines or a private cause of action?
30 days.
All of the following are best practices in obtaining consumer consent, except:
Companies should obtain a separate consent specifically applicable to third-party data processors.
Under which of the following pieces of legislation are data brokers required to comply with a one-stop mechanism that allows data subjects to request the deletion of their personal data?
California’s Delete Act.
According to the Supreme Court’s decision in Société Nationale Industrielle Aerospaciale, all of the following should be considered in a comity analysis, except:
Whether the parties have domestic subsidiaries in the United States.
What is the most common phrase used in state-level data breach notification laws to describe when notice must be provided to affected individuals?
At the most expeditious time possible and without unreasonable delay.
What is the standard utilized by FISC to determine whether an application for a surveillance order should be granted?
Whether there is probable cause to believe that the person being monitored is either a foreign power or an agent of a foreign power.
Who is responsible for enforcement under the Payment Card Industry Data Security Standard?
Individual payment card brands.
What change to the use of National Security Letters was implemented by the USA-PATRIOT Act?
An NSL may now be issued if relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.
If a third party accidentally accesses protected health information without authorization, which of the following is accurate?
A breach is presumed unless a risk assessment establishes that there was a low probability that PHI has been compromised.
As defined under the Fair Credit Reporting Act, which of the following is least likely to be considered an “employment purpose” for which a consumer report may be obtained?
Determining whether an employee is entitled to a raise.
Which of the following most accurately states whether a data processor experiencing a data breach must disclose to a data controller that a breach occurred under state-level breach notification laws?
Every state requires that a data processor notify a data controller when a breach occurs.
All of the following are benefits of data flow mapping, except:
It may limit the amount of data disclosed in the event of a data breach.
Which of the following best describes the enforcement of CAN-SPAM at the federal level?
The FTC enforces CAN-SPAM according to its “unfair and deceptive” trade practices authority but shares enforcement authority with prudential regulators.
In addition to “unfair” and “deceptive” trade practices, state UDAP laws also commonly prohibit what other type of act or practice?
“Unconscionable” acts or practices.
Which is the most accurate advice that Jackson can provide to BotVoice about its compliance obligations under HIPAA?
HIPAA does not apply because the health information provided by children is not made in connection with a covered transaction.
CAN-SPAM Act prohibits communication after how many days of opting out
more than 10 days
Opt-Out Consent is
A passive form, where consent is implied, processing occurs unless you opt-out
Information privacy focuses on what
Policies
Information security focuses on what
Protection of data from unauthorized access
Privacy focuses on what type of data
Personal information
Security focuses on what type of information
Confidential information
CIA triad stands for what
Confidentiality, Integrity, Availability
Security controls do what
Limit damage, loss, modification, and unauthorized access
Purposes of security controls
Preventative, Detective, Corrective
Preventive controls
Prevent an incident
Detective controls
Identify an incident
Corrective controls
Fix or limit the damage of an incident
Types of controls
Physical, Administrative, Technical
OMB 7 step breach response
1. Breach response team. 2. Privacy docs. 3. Sharing breach information. 4. Reporting. 5. Assess the risk. 6. Mitigating risk. 7. Notification.
FTC 4 step breach response
Confirm the breach. Then, 1. Secure Operations / Contain. 2. Analyze and fix vulnerabilities. 3. Notify. 4. Proactive steps to avoid future breaches
Breach Response: An important part of Analyze and fix vulnerabilities
Re-evaluate 3rd party service providers
Breach Response: Notify appropriate parties. Who must be notified?
Law enforcement, usually through Attorneys General; if PHI then HHS and the media; Business partners if contracts say so; and Affected individuals
Breach Response: Notification, FTC Recommendations
Consult law enforcement so you don’t impede any investigation, Designate a communication person, a year of free credit monitoring
Breach Response: Notification Letter should contain
Clear description of what happened, Contact information of the organization, Steps an affected individual can take
Breach Response: Avoid future breaches
Employee training, Third party security audits, Analyze the entire breach
Benefit of inventorying and classifying data
Creating a privacy program, Incident response program, and Workforce training
Workforce training is…
Part of the accountability principle, lower costs of responding to breaches
HIPAA training requirements
All members on policies and procedures for PHI
GLBA training requirements
Identify reasonable and foreseeable internal and external risks, employee training and management
Red Flags Rule requirement
Establish an identity theft program
Who created the Red Flags Rule
the FTC under authority of the Fair and Accurate Credit Transactions Act of 2003 (FACTA)
Massachusetts safeguard
Anyone owning or licensing information about a Massachusetts resident must have a security program and employee training
PCI-DSS requirement
A security awareness program to be in place
GDPR Article 5 Compliance
The data controller is responsible for compliance and demonstrates compliance through documentation
What is the Accountability Principle
Implementing technical and organizational measures to demonstrate that the handling of personal information is done in accordance with the law
Means to hold organizations accountable
Policies, Procedures, Governance, Monitoring, Training
How compliance for the Accountability Principle is achieved is up to
the Organization to determine
How long should you retain data
Only for so long as necessary to achieve its purpose
When data is no longer needed it should be
Destroyed or anonymized
Laws governing data retention
Fair and Accurate Credit Transaction Act (FACTA) for the Disposal Rule, and Fair Credit Reporting Act (FCRA) for Identity Theft
One of the best ways to limit risk
Limit the length of time data is retained
Server side languages
PHP
Browser side languages
HTML, CSS, XML, JavaScript
Explain Web Client, Web Server, Web Browser
Web client downloads files from the web server and the web browser interprets and displays them to the user
HTTP
How the web client and the web server communicate
TCP protocol
Breaks information into packets
IP protocol
Interfaces with the physical infrastructure
TCP/IP
Is the main communication protocol of the internet
TLS
transport layer security
IP Address
a unique number assigned to each device
URL
name and web address assigned to files
DNS
the phone book of the internet
Proxy server
intermediate web server
VPN
establishes an encrypted connection
A server log contains
IP Address, date and time of the page requested, URL of the file, browser type, URL visited prior
Cache
content stored locally
Data automatically collected without you knowing it
Passive data collection
Data collected with the user’s knowledge
Active data collection
Just in time
privacy notice done at the point of collection
Syndicated content
purchased or licensed
Web services are…
a program contained within a website
iFrame is…
a web page embedded into another one
Spam
unsolicited emails
Malware
malicious software
Spyware
malware downloaded covertly
Ransomware
malware that locks or encrypts your operating system
Phishing
communication designed to trick users
SQL Injection
providing a database command to a web server
XSS
malicious code injected into a webpage
Cookie Poisoning
a cookie is modified to gain unauthorized access
Unauthorized Access
access through fraudulent means
Data validation
data conforms to requirements
Data sanitization
removing harmful characters
Social engineering
manipulating a user to create a security vulnerability
Behavioral advertising
advertising based upon information associated with an individual
AdChoices
Icon allowing consumers to exercise choice, Digital Advertising Alliance (DAA)
EU Cookie Directive
prevent cookie tracking without consent
Cross device tracking
map a user moving from a laptop to a mobile device
Methods of cross device tracking
deterministic tracking, probabilistic tracking
Deterministic tracking
track where the person logs in
Probabilistic tracking
collects information from multiple devices and draws inferences based on probabilities
Web beaconing
one pixel image stored on your computer
Adware
monitors users behavior
Location based advertising
uses the devices GPS
Bluetooth beaconing
signals sent from a beaconing device
Digital fingerprinting
automatically collect user data when you visit a webpage
Web cookie
text file placed on your hard drive by a web server
Session cookie
text file only used while connected to that web server
Persistent cookie
long lived cookie set to expire sometime in the future
First party cookie
owned by the host of the web server
Third party cookie
owned by someone other than the web server host
Flash cookie
cookie stored outside the browser’s control; dangerous, respawning, zombie cookies
Cookie best practices
stored information should be encrypted, only use persistent cookies where necessary and they should expire in a reasonable time, provide notice of cookie usage, disclose 3rd party cookie providers, provide an opt-out function, follow general FIPs
COPPA
Children’s Online Privacy Protection Act, children under 13
GDPR child privacy
Children under 16
States , children between 13 and 18
California and Delaware, California Minors in the Digital World Act, Delaware Online and Personal Privacy Protection Act
CCPA regarding children
California Consumer Privacy Act, no selling info of children under 16 without consent, Data Controller may obtain consent from the child through an opt-out procedure, under 13 consent is from the parent
Privacy notices are…
document, states how a company collects, stores, and uses personal information it gathers
Privacy notice, used internally…
tells employees how personal information should be stored, accessed, and utilized.
Privacy notice, used externally
informs consumers how their personal information will be used, helps consumers make an informed decision
COPPA and privacy notice display
maintain a link on the website and each page where personal information is collected
GLBA and privacy notice
send customers the privacy policy each year
CalOPPA
conspicuously post the privacy policy on the website and mobile apps
CalOPPA, privacy policy must include
categories of personal information, categories of third parties, how to request changes, how the policy is updated, its effective date, how it responds to do-not-track, if a third party can collect personal information
FTC can bring enforcement, privacy policy
privacy policy not being followed is an unfair or deceptive trade practice, FTC can bring enforcement
Privacy policy is a legal document, true or false
t
Privacy policy lifecycle
designing, developing, testing, releasing, reviewing and updating
FTC and data usage
data should be used in a manner consistent with the notice that was in effect at the time the data was obtained
FTC and material change
express, affirmative consent should be given by consumers before making material retroactive changes to data usage
FTC and material change definition
at a minimum, sharing consumer information with third parties after committing not to share the data
Layered notice
short at the top, option to review the detailed longer privacy notice
Privacy dashboard is what
one point to manage all privacy preferences
Privacy icons are what
symbols used to indicate how information is processed
Article 29 Working Party and icons
to enhance transparency
Vendors, who is legally responsible
the data controller is responsible for any data misuse by vendors
HIPAA and vendors
Data controllers must have written contracts with their business associates
Article 28 GDPR and contracts part 1
Data controllers to have written contracts in place before processing may occur
Article 28 GDPR and contracts part 2
Data controller to have sufficient guarantees from their third parties, properly vet and contract the 3rd parties
Choosing / vetting vendors, basic guidelines
Consider their reputation, financial condition, and security controls
Vendor contracts to include…
confidentiality provisions, security protections, audit rights, no further use provision, subcontractor use, information sharing, breach notification, consumer consent, data classification system, and an end of relationship provision
Vendor contracts should be consistent with…
the organization’s privacy notice and practices
Many of the largest data breaches came in through…
3rd party vendors
Data residency
physical location of the servers
CCPA and data sharing
California consumer privacy act, users have the right to opt-out of data selling
Virginia and data sharing
Virginia consumer data protection act, user can opt-out of targeted advertising, data selling, and profiling
CPRA and contracts
California privacy rights act, data controllers to have contracts with any party they share data with
Data residency can…
dictate what laws apply
Surprise minimization rule
a person’s information is subject to the laws of their home jurisdiction
GDPR core purpose
facilitate the free flow of data between EU member states
3 ways to transfer data between EU and non member states
Adequacy decision, appropriate safeguards, derogations
Appropriate safeguards, GDPR
BCRs, EC model clauses, National model clauses, Codes of conduct, Certification, Ad Hoc contract
Derogations, GDPR
Consent, Performance of contract, Public interest, Legal claims, Vital interests, Legitimate interest
Article 45, GDPR, Adequacy decision is…
equivalent or greater protection in the transferee country
Schrems 1
no more safe harbor, in part because of Edward Snowden
Schrems 2
no more privacy shield, Facebook Ireland
Binding corporate rules
a company’s rules for internally handling data transfer, don’t apply to data transfers with 3rd parties
Article 47, GDPR, before using BCRs
it must be certified by a privacy supervisory agency in the EU
BCRs must contain the following
binding corporate rules must cover transparency, quality, security, audit, training, compliance procedures, a binding element
SCCs
standard contract clauses, a company contractually promises to comply with EU law
Schrems 2 and SCCs
the transferee country must have protections equivalent to the GDPR, in both the clause and the legal system, or the supervisory authority should suspend the transfer privileges
Codes of Conduct and Certifications
have to get approval from an EU data protection authority or the EU commission, the data protection authority has enforcement authority to include suspension
Article 49, GDPR, Derogations
last resort
Schrems 2, controllers and processors
controllers and processors to conduct a transfer impact assessment prior to transferring personal data
Transfer impact assessment (TIA) is
a risk assessment of transferring data to a third country; considers SCCs, the legal system, adequacy decision matters
European Data Protection Board (EDPB) and 6 steps
understand all transfers of personal data, verify all transfer tools, assess if appropriate safeguards will be impinged upon, identify supplemental measures, steps for supplemental measures, re-evaluate the level of protection in the transferee country
Supervisory authority can suspend or end transfers, true or false
t
Schrems 2, Austrian and French DPAs, Google…
Google Analytics violates Chapter V of GDPR, SCCs didn’t provide appropriate safeguards, US intelligence agencies could access data
Privacy operational lifecycle is the cornerstone…
cornerstone of privacy program management
Privacy operational lifecycle 4 steps
discover (assess), build (protect), communicate (sustain), evolve (respond)
Privacy operation lifecycle 4 steps more detail
(1) Discover/Assess (including “Issue identification and self-assessment” and “Determination of best practices”); (2) Build/Protect (including “Procedure development and verification” and “Full implementation”); (3) Communicate/Sustain (including “Documentation” and “Education”); and (4) Evolve/Respond (including “Affirmation and monitoring” and “Adaptation”)
Information Lifecycle Management, Data Lifecycle Management, Data Lifecycle Governance…
a policy based approach to managing the flow of information through a lifecycle
A privacy notice may also be called a
privacy policy, privacy statement, fair processing statement; strictly speaking, the notice is internal-facing and the policy is external-facing
GDPR requirements are based on …
Fair information practices (FIPs)
GDPR applies to companies that…
have assets and employees in the EU, data stored in the EU, and data interactions with EU residents
A company / country may be subject to the GDPR if it processes information…
of EU data subjects that access their websites or digital products
GDPR fine
4% of the company’s global revenue
DPAs
Data protection authorities, one in each EU country, but Germany has 1 national and 16 state level; DPAs enforce the GDPR
DPAs power
investigate, correct, advise; ask for records and proof of compliance, ban/stop/suspend data processing, require additional breach notification, order erasing of information, suspend cross-border data flow
GDPR articles 12-14
Transparent communication
GDPR article 15
Right to access
GDPR article 16
Rectify data
GDPR article 17
Erasure
GDPR article 18
Restrict processing
GDPR article 19
Notification obligation to data subjects about their rights
GDPR article 20
Data portability
GDPR article 21
Object to processing personal information
GDPR article 22
No Automated processing
Data Controller is responsible for ensuring Data Subject rights, True or False
t
Data Controllers to take action on Data Subject requests no later than…
30 days after receipt, possible to get an extension of 60 days if the request is burdensome
Breach Notification, Data controllers to notify DPAs within how many hours
72
Breach Notification, Processors notify the Controller within
Without undue delay
Breach Notification, Controllers notify the Data Subjects within
Without undue delay
Controllers are exempt from notifying Data Subjects if
Data is unintelligible, taken steps to minimize risk, would require disproportionate effort
APEC is what
Asia Pacific Economic Cooperation, founded in 2004
APEC privacy framework is similar to
FIPs; APEC is similar to the Madrid Resolution
APEC privacy framework includes what
preventing harm, notice, collection limitation, use of personal information, choice, integrity of information, security safeguards, access, correction, accountability
CPEA is what
Cross-border privacy enforcement agreement, APEC
Rationalizing
multi-jurisdiction; key practices to the most restrictive laws
FTC was founded when
1914
Why was the FTC founded
Antitrust laws
Wheeler Lea Act did what to the FTC
In 1938 it gave it general consumer protection authority, referred to as Section 5
FTC is governed by
5 people, a chairperson and 4 commissioners
FTC oversees what
privacy, fair credit reporting act (FCRA), CAN-SPAM act, COPPA
Section 5 of FTC is the most important …
most important piece of federal privacy legislation
Section 5 states what about unfair practices
unfair or deceptive acts or practices affecting commerce are unlawful
2006 section 5 was amended for what
apply to acts of foreign trade
FTC doesn’t apply to whom
non-profits, banks, financial institutions, common carriers
Magnuson-Moss did what for the FTC
permitted it to issue regulations
FTC main prosecution method is what
To bring enforcement actions
FTC hears about stuff how
news, public complaints, etc.
What is section 6 of the FTC
Investigatory powers
FTC section 6 has authority to
require business to submit written reports, subpoena power
FTC pre-complaint is non public, true or false
t
FTC standard to initiate a complaint
If the FTC has reason to believe
Respondent defends themselves in front of whom
An Administrative Law Judge (ALJ)
ALJ will issue what…
an injunction; the ALJ cannot impose civil penalties
FTC, how do appeals work
ALJ to FTC commissioners to Federal Circuit Court
FTC can also do what under 13(a)
Prosecute claims before a Federal District Court, review by the Federal Appellate Court
Most FTC actions are consent decrees, T or F
t
Consent decree has the force of a Federal Court Order, T or F
t
Consent decrees are posted publicly T or F
True, to provide guidance to other companies
Benefits of consent decrees
Enforces good practice, avoids expense, easily enforceable, avoids additional negative press, limits exposure of business practices to competitors
To establish a deceptive trade practice the FTC needs
a material statement or omission that is likely to mislead consumers who are acting reasonably
GeoCities
first privacy enforcement action, GeoCities sold information
Eli Lilly
first consent decree, revealed email addresses
Snapchat
collecting names and phone numbers, and messages didn’t get deleted
TrustArc
did not conduct annual re-certifications
Nomi
tracked consumers via mobile devices
LifeLock
couldn’t prevent all identity theft
3rd party developers could access user data
Zoom
weak encryption, secretly installed software
To establish an unfair trade practice the FTC must prove
Substantial injury, lack of offsetting benefits, and consumers couldn’t have reasonably avoided it
DesignerWare
log key strokes, take screen shots, photograph anyone with the camera, geo track users
Wyndham
upheld the FTC’s unfairness authority, affirmed the FTC’s authority to regulate cybersecurity
Section 18 of the FTC Act
rule making authority for unfair or deceptive trade practices, i.e. trade rules
LabMD
disclosed patient information
LabMD v. FTC
The FTC’s cease and desist was unenforceable; the FTC started holding public hearings
Uber
weak security measures
Lenovo
man in the middle attacks, pre-installing software
D-Link
exposed routers and web cameras to attack
2018 most high profile case
Venmo
Paypal
falsely claimed to have bank grade security
BLU products
didn’t have appropriate security measures
Vtech
COPPA violations
Equifax
didn’t have reasonable security measures
Tapplock
IoT data and physical security issues
SkyMed
unsecured cloud storage
Ascension Data and Analytics
violated GLBA, mortgage information
COPPA applies to non profits T or F
False
COPPA personal information also includes
geolocation data, IP addresses, and info stored in cookies
COPPA applies to
all operators of commercial websites
COPPA notice includes
information collected, how used, if info is disclosed to third parties
Forms of verifiable consent COPPA
mail or fax a consent form, credit card, debit card, call a toll free number, video conference, government issued ID
COPPA consent exception
collected for the purpose of increasing security
COPPA, parental rights
access information, withdraw consent
COPPA has a safe harbor T or F
True, participate in a seal program
Two states with laws for children between 13 and 18
California and Delaware
COPPA, state AG can also prosecute, T or F
t
Data Broker is what
Collect personal information of consumers and resell it
Big data
Large amounts of data, analyzed to get insights on consumer behavior
FTC data broker minimization practices
2014, data brokers to use data minimization practices as they relate to children
FTC 2016 report on big data
Potential harm from inaccurate predictions
IoT privacy and security concerns
Consumer consent, no UI, need new models of FIPs and security by design
HIPAA law originally for what
shift to electronic reimbursement requests, efficiency of healthcare
HHS rules for administrative simplification
Privacy rule and the Security rule
Privacy and Security rule apply to whom
Covered entities and Business associates
What is a covered entity
A healthcare provider that bills for insurance
What is a business associate
Any person or entity that receives health information from a covered entity to provide services on behalf of the covered entity
What is PHI
individually identifiable health information
The terms covered entity, business associate, and PHI were codified …
In HITECH
Minimum necessary requirement
limit PHI to the minimum necessary to accomplish the intended purpose
Limited data set
Data set with facial identifiers removed, 16 categories
Patient authorization
independent document, plain language, description,person, party, purpose, expire, dated and signed
PHI disclosure documentation authorizations
Covered entity to keep a record, give to the individual upon request
PHI disclosure exceptions
Emergency, public health activities, report victims of abuse or domestic violence, court, law enforcement, research, investigate compliance
PHI privacy notice must be given when
date of first service, compliance date, time of enrollment, upon request of the person
PHI designated record set
Medical, billing, enrollment, any other information used to make decisions
PHI right to access records
Access the designated record set, except for psychotherapy notes or information collected for a legal proceeding or regulatory action
PHI access request timeline
within 30 days
PHI disclosures accounting timeline
can request the last 6 years
HIPAA security rule standards
ensure CIA, threats, PHI uses or disclosures, ensure compliance
Security measure decision criteria
the measure’s size, complexity, capabilities, technical infrastructure, cost, risk occurrence probability, potential risks
HIPAA, forms of security rule implementation
Required and Addressable
HIPAA, privacy and security rule, are contracts between parties mandatory
Yes
Enforcement of HIPAA privacy and security rules
OCR, FTC, DOJ, State Attorneys General
HIPAA privacy and security rule, time to fix violations
30 days
HIPAA preemption, state requests
States can request their law is not preempted, have to ask HHS, California Medical Information Privacy Act is an example
HIPAA safe harbor
A company has recognized security practices in place not less than 12 months
Why have a HIPAA safe harbor
Give HHS greater discretion imposing fines
What is contact tracing
Mapping a person’s contact with others, communicable diseases
HIPAA doesn’t impact contact tracing, T or F
t
Biggest things HITECH did
Rules for data breaches, increased penalties, gave greater access to records, codified terms
Data breach is presumed unless
There is a low probability of compromise based on nature and extent of disclosure, who the person was that accessed it, was it acquired or viewed, extent the risk has been mitigated
Data breach notice period to affected people
60 days
Data breach >500
Notify media outlets, within 60 days
Data breach always notify …
Secretary of HHS
Data breach notification period extended if…
Law enforcement says so
HHS oversees GINA, T or F
t
GINA is PHI under HIPAA, T or F
t
Cures Act did what
Share info with family and caregivers, biomed research confidential, allowed for remote viewing of PHI, no information blocking
What is a Part 2 Program
Any federally assisted program that provides training or treatment for substance use
Substance Use patient record disclosure exceptions, can disclose if..
Patient consents, veteran affairs, crimes, child abuse, medical emergency, audits, court order
Substance Use patient record use restrictions..
can’t use to initiate criminal charges or criminal investigation
Part 2 Programs must do..
provide notice of rights, formal security program, protect paper and electronic records, destroy records when the company leaves the Part 2 program
The FCRA is what
Fair credit reporting act
FCRA came from where
Title VI of FDIC and amended the Consumer Credit Protection Act (CCPA)
First federal law protecting personal information from private businesses is..
Fair credit reporting act (FCRA)
Who the FCRA applies to
Any consumer reporting agency (CRA) or users of a consumer report, furnishers of information to the CRA, companies that extend credit - red flags rule
What the FCRA applies to
Consumer reports
What is a consumer report
written, oral, or other communication used for eligibility for credit, insurance, employment, character, reputation, mode of living
Consumer report exceptions
Not a consumer report if it’s transactional, between affiliates, consumer is provided an opt out of affiliate sharing
FCRA permissible purpose
CRAs can’t share a consumer report unless the user has a permissible purpose
FCRA permissible purpose list
court order, consumer consent, credit transaction, employment purpose, insurance, gov benefits, assess credit risk, account terms, travel charge cards, child support, liquidation
FCRA employment purpose
offer, promotion, reassignment, retention
FCRA credit transaction purpose
consumer consent, firm offer of credit or insurance
FCRA firm offer purpose
firm offers of credit or insurance, the CRA must maintain a notification system and allow users to opt out
FCRA firm offer opt out is good for..
5 years
FCRA signed notice of election implemented when..
must be implemented within 5 business days
Can CRAs provide consumer reports with medical information
Only if it is coded for insurance purposes
Consumer reports with medical information..
Users are prohibited from re-disclosing that consumer report
FCRA CRAs have to ensure the report is …
the consumer report has to be accurate, current, and complete
Credit report exclusions
Bankruptcy >10 years, other stuff more than 7 years old
Credit report exclusions don’t apply if..
Don’t apply to credit, life insurance >$150K, employment >$75K salary
Credit report must include
Bankruptcy chapter, number of credit inquiries, credit account voluntarily closed, any dispute information
CRAs are obligated to maintain what..
procedures
CRA procedures should ensure what..
identity of users are validated, consumer reports are accurate
CRAs must provide notices to…
both uses and furnishers of information
Consumer report access 1
Consumers have a right to see all the information in their file maintained by the CRA
Consumer report access 2
Consumers have a right to see everyone their report was given to in the last 2 years for employment, last 1 year for everything else
CRAs are required to provide credit score to consumers, T or F
CRAs are required to provide their sources to consumers, T or F
Before making any disclosure to a consumer, the CRA must
Confirm the consumer’s identity
When CRAs make disclosures to a consumer it must..
Be in writing, unless consumer consents otherwise, and it must include a summary of the consumer’s rights
Consumer files a dispute, CRA must complete their investigation in how many days
30 days
The FCRA refers to investigating a consumer dispute as what..
A re-investigation
CRA provide notice of the consumer dispute to the Furnisher within how many days
5 days
CRAs must delete information from their files if..
The reinvestigation reveals the information was inaccurate, incomplete, or can’t be verified
If the CRA deletes information from their file they must do what..
Notify anyone who received the consumer report within the last 6 months, or for 2 years if it was for employment purposes
CRA re-investigation results must be provided to the consumer within how many days
Within 5 days of it being completed
CRAs, if a consumer provides a statement of disagreement it must..
it must be included in all future consumer reports containing the disputed information
When an adverse action is taken against a consumer because of a consumer report what must happen..
notice must be given to the consumer
When a consumer report adverse action is taken the notice to the consumer must contain
The name and contact information of the CRA, a statement that the CRA isn’t responsible for and can’t explain anything, their right to request a free copy within 60 days, their right to protest it
Consumer report, adverse action, due to credit score..
Consumer to be provided a credit score and information to understand the score
Consumer report liability can be avoided if..
If reasonable procedures are in place to ensure compliance to the law
Consumer report adverse action employment
A copy of the report must be given to the consumer along with their rights, before taking action, however, if the consumer submitted the employment application by mail, phone, computer, they don’t need to do this
Consumer report adverse action employment, provide notice within how many days
within 3 days after taking action, and provide name and contact info of the CRA, statement, and how to get a free copy
Consumer report reselling
Tell the CRA who the user is, permissible purpose, procedures in place, verify identity and certifications of recipient
Limited consumer report is used where
For firm offers of credit or insurance not initiated by a consumer, i.e., companies creating a prequalification list for their product or service
Companies using limited consumer reports must do what..
maintain records of the prescreen criteria for 3 years
Consumer report offer solicitation, opt out..
CRA file was used, they are credit worthy, service can be withheld if fail further screening, consumer can prohibit (opt out of) similar solicitations by contacting the CRA
Consumer report, Furnishers prohibited..
From providing false or inaccurate information