Flash Cards 3

Question

Council of Europe Conventional Article 5

Answer 1

data quality

Answer 2

categories of data

Answer 3

Data subject safeguards

Answer 4

Standards on data protection, uniformity, transborder data flow

Answer 5

How an organization processes personal information

Answer 6

How your personal information is collected, used, and retained

Answer 7

Giving you access to your personal information

Answer 8

Physical (locks, cameras), Technical (code, systems) , Administrative (policies)

Answer 9

data should be accurate, complete, and relevant

Answer 10

data to be defined and documented

Answer 11

Government, regulations, market

Answer 12

compensation and deterrence

Answer 13

consumers react to data policies, publicity of data breaches

Answer 14

PCI-DSS, DAA

Answer 15

Industry standards and legal standards

Answer 16

Sectoral and Comprehensive

Answer 17

United States

Answer 18

Divergent policies, inadequate, overly burdensome

Answer 19

costs outweigh benefit, doesn't account for unique situations, discourages innovation

Answer 20

Combines self regulatory and either the sectoral or comprehensive model

Answer 21

3rd model alongside Sectoral and Comprehensive

Answer 22

Executive, Legislative, Judicial

Answer 23

Article II

Answer 24

Article III

Answer 25

Federal district court, appeal to US circuit court, appeal to US Supremen court

Answer 26

D.C. circuit court

Answer 27

Executive branch, veto override, impeach, approve appointments; Judicial branch, change laws, approve judges, impeach judges, court jurisdiction

Answer 28

Legislative branch, veto; Judicial branch, appoint judges

Answer 29

Legislative branch, unconstitutional; Executive branch, unconstitutional, interpretations invalid

Answer 30

Constitution, Satutory Law, Regulations and Administrative Rulemaking, Common Law, Contractual Law, International Law

Answer 31

The constitution

Answer 32

Federal and State legislation

Answer 33

Legislation (laws) from Federal and States

Answer 34

Federal agencies enforcing statutory law

Answer 35

Societal customs and judicial decisions

Answer 36

Stand by things decided

Answer 37

Common Law / Case Law

Answer 38

Legally binding agreements

Answer 39

Offer, Acceptance, Consideration

Answer 40

a contract, party agrees to abide by a judgement

Answer 41

avoid admitting guilt

Answer 42

Laws in foreign jurisdictions

Answer 43

A court's authority to hear a case

Answer 44

Personal, Subject Matter

Answer 45

Federal law override or supersede inconsistent state law

Answer 46

The doctrine of preemption

Answer 47

A court's authority to hear specific types of disputes

Answer 48

A court's authority between people or to bring people into its process

Answer 49

To protect consumers against unfair or deceptive trade practices

Answer 50

a 5 member bipartisan commission

Answer 51

12 banks, 7 governors, 14 year term

Answer 52

Perponderance of evidence

Answer 53

Beyond a reasonable doubt

Answer 54

DOJ for Federal crimes, and the State prosecutor for State crimes

Answer 55

The defendent is legally obligated or accountable to the plaintiff

Answer 56

one party fails to perform any of its contractual obligations at the time performance is due

Answer 57

had the contract been performed

Answer 58

contract not been made

Answer 59

unjustly enriched

Answer 60

ordered to comply (fulfill) the contract

Answer 61

which court will try (hear) the case

Answer 62

use an arbitrator

Answer 63

a civil wrong

Answer 64

knows or should know it will cause harm

Answer 65

failing to observe the standard of care

Answer 66

engaged in prohibited conduct

Answer 67

Intrusion Upon Seclusion, Appropriation of Name or Likeness, Publically Given to Private Life, False Light

Answer 68

intentionally intrude

Answer 69

use another's name or likeness

Answer 70

make something public that isn't a legitimate public concern

Answer 71

places someone in false light

Answer 72

conduct that falls below the standard established by law for the protection of others against unreasonable risk of harm

Answer 73

rules for administrative enforcement actions, Federal rules of civil procedure

Answer 74

an ALJ, administrative law judge

Answer 75

Unfair and Deceptive Acts and Practices, the state version of FTC unfair or deceptive trade practices

Answer 76

State Attorney's General

Answer 77

Data breaches

Answer 78

State Attorney's General

Answer 79

How states coordinate responses to legal issues and exchange information

Answer 80

Global privacy enforcement network, connects privacy enforcement authorities around the world

Answer 81

Asia Pacific Economic Cooperation, cross boarder enforcement of privacy law

Answer 82

exchanging info, training, dialogue, processes bilatteral and multilatteral cooperation, actions for communication

Answer 83

Cross boarder Privacy Enforcement Action, came out of APEC

Answer 84

information sharing, cross boarder cooperation, cooperation on privacy investigation and enforcement

Answer 85

self policing of industry groups for compliance

Answer 86

industry expertise, increased efficiency, flexible, quicker to react,

Answer 87

anti competitive, not as robust as govt, lax enforcement, may not full incorporate perspectives of others not in the industry

Answer 88

both industry and government jointly administer the process, an example is COPPA

Answer 89

Developed by the credit card companies, each CC company has its own program for compliance, it is overseen by the credit card companies (Security Standards Council)

Answer 90

firewall, no defaults, stored data, encrypt transmissions, malware, secure systems, restrict access, authenticate access, restrict physical access, monitor access, test, policies

Answer 91

increase consumer confidence

Answer 92

the Council of Better Business Bureaus (CBBB) and Digital & Marketing Association (DAA)

Answer 93

A "reasonable" time, not to exceed 45 days.

Answer 94

generic term referring to processes like data inventory, data flow analysis, classifying data

Answer 95

identifies personal data as it moves across systems, shared, and stored, sometimes called Record of Authority

Answer 96

analyze what laws you need to comply with

Answer 97

physical location of servers

Answer 98

where data is stored

Answer 99

who has access, how and when information is shared, who has internal access, what 3rd parties have access

Answer 100

how information moves through the organization, increase confidence in regulatory compliance

Answer 101

classifying data by sensitivity

Answer 102

provides the basis for managing access

Answer 103

confidential, proprietary, sensitive, restricted, public

Answer 104

laws are followed, limit consequences of breaches, limit scope of disclosure, lowers cost of responding to a data breach

Answer 105

develop privacy programs / information management programs

Answer 106

legal, reputational, operational, investement

Answer 107

regulatory action, litigation

Answer 108

the trust consumers place in an organization

Answer 109

trade off between privacy programs and achieving organizational goals

Answer 110

are the benefits of the program worth the cost

Answer 111

Developing a privacy vision / mission statement

Answer 112

Ensure the program is implemented properly, basis for training, accountability, decision making

Answer 113

Assess, Protect, Sustain, Respond, also Discover, Build, Communicate, Evolve

Answer 114

continuously monitors and improves the privacy program

Answer 115

Opt In, Double Opt In, Opt Out, No Option

Answer 116

express, reqires affirmative action

Answer 117

obtaining consent, then confirming it again

Answer 118

passive, consent is implied, processing will occur unless you opt out

Answer 119

implied by the circumstance, i.e. sharing your address with the post office

Answer 120

However you are interacting with the consumer, in the same manner allow them to consent

Answer 121

A comprehensive model.

Answer 122

Companies should obtain a separate consent specifically applicable to third-party data processors.

Answer 123

California's Delete Act.

Answer 124

Whether the parties have domestic subsidiaries in the United States.

Answer 125

At the most expeditious time possible and without unreasonable delay.

Answer 126

Whether there is probable cause to believe that that the person being monitored is either a foreign power or an agent of a foreign power.

Answer 127

Individual payment card brands.

Answer 128

An NSL may now be issued if relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.

Answer 129

A breach is presumed unless a risk assessment establishes that there was a low probability that PHI has been compromised.

Answer 130

Determining whether an employee is entitled to a raise.

Answer 131

Every state requires that a data processor notify a data controller when a breach occurs.

Answer 132

It may limit the amount of data disclosed in the event of a data breach.

Answer 133

The FTC enforces CAN-SPAM according to its "unfair and deceptive" trade practices authority but shares enforcement authority with prudential regulators.

Answer 134

"Unconscionable" acts or practices.

Answer 135

HIPAA does not apply because the health information provided by children is not made in connection with a covered transaction.

Answer 136

more than 10 days

Answer 137

A passive form, where consent is implied, processing occurs unless you opt-out

Answer 138

Protection of data from unauthorized access

Answer 139

Personal information

Answer 140

Confidential information

Answer 141

Confidentiality, Integrity, Availability

Answer 142

Limit damage, loss, modification, and unauthorized access

Answer 143

Preventative, Detective, Corrective

Answer 144

Prevent an incident

Answer 145

Identify an incident

Answer 146

Fix or limit the damage of an incident

Answer 147

Physical, Administrative, Technical

Answer 148

1. Breach response team. 2. Privacy docs. 3. Sharing breach information. 4. Reporting. 5. Assess the risk. 6. Mitigating risk. 7. Notification.

Answer 149

Confirm the breach. Then, 1. Secure Operations / Contain. 2. Analyze and fix vulnerabilities. 3. Notify. 4. Proactive steps to avoid future breaches

Answer 150

Re-evaluate 3rd party service providers

Answer 151

Law enforcement, usually through Attorney's General, if PHI then HHS and the media, Business partners if contracts say so, and Affected individuals

Answer 152

Consult law enforcement so you don't impede any investigation, Designate a communication person, a year of free credit monitoring

Answer 153

Clear description of what happened, Contact information of the organization, Steps an affected individual can take

Answer 154

Employee training, Third party security audits, Analyze the entire breach

Answer 155

Creating a privacy program, Incident response program, and Workforce training

Answer 156

Part of the accountability principle, lower costs of responding to breaches

Answer 157

All members on policies and procedures for PHI

Answer 158

Identify reasonable and foreseeable internal and external risks, employee training and management

Answer 159

Establish an identity theft program

Answer 160

the FTC uner authority of the Fair and Accurate Credit Transactions Act of 2003 (FACTA)

Answer 161

Anyone owning or licensing information about a Massachusetts resident must have a secrutiy program and employee training

Answer 162

A security awareness program to be in place

Answer 163

The data controller is responsible for compliance and demonstrates compliance through documentation

Answer 164

Implementing technical and organization measures to demonstrate the handling of personal information is done in accordance with the law

Answer 165

Policies, Procedures, Governance, Monitoring, Training

Answer 166

the Organization to determine

Answer 167

Only for so long as necessary to achieve it purpose

Answer 168

Destroyed or anonymized

Answer 169

Fair and Accurate Credit Transaction Act (FACTA) for the Disposal Rule, and Fair Credit Reporting Act (FCRA) for Identity Theft

Answer 170

Limit the length of time data is retained

Answer 171

HTML, CSS, XML, JavaScript

Answer 172

Web client downloads files from the web server and the web browser interprets and displays them to the user

Answer 173

How the web client and the web server communicate

Answer 174

Breaks information into packets

Answer 175

Interfaces with the physical infrastructure

Answer 176

Is the main commiunication protocol of the internet

Answer 177

transport layer security

Answer 178

a unique number assigned to each device

Answer 179

name and web address assigned to files

Answer 180

the phone book of the internet

Answer 181

intermediate web server

Answer 182

establishes an encrypted connection

Answer 183

IP Address, date and time of the page requested, URL of the file, broswer type, URL visited prior

Answer 184

content stored locally

Answer 185

Passive data collection

Answer 186

Active data collection

Answer 187

privacy notice done at the point of collection

Answer 188

purchased or licensed

Answer 189

a program contained wth a website

Answer 190

a web page imbedded into another one

Answer 191

unsolicited emails

Answer 192

malicious software

Answer 193

malware downloaded covertly

Answer 194

malware that locks or encrypts your operating system

Answer 195

communication designed to trick users

Answer 196

provide a dbase command to a web server

Answer 197

malicious code injected into a webpage

Answer 198

a cookie is modified to gain unauthorized access

Answer 199

access through fraudulent means

Answer 200

data conforms to requirements

Answer 201

removing harmful characters

Answer 202

manipulating a user to create a security vulnerability

Answer 203

advertising based upon information associated with an individual

Answer 204

Icon, consumers to exercise choice, Digital Advertisiing Alliance (DAA)

Answer 205

prevent cookie tracking without consent

Answer 206

map a user moving from a laptop to a mobile device

Answer 207

deterministic tracking, probabilistic tracking

Answer 208

track where ther person logs into

Answer 209

collects information from multiple devices and draws inferences based on probabilities

Answer 210

one pixel image stored on your computer

Answer 211

monitors users behavior

Answer 212

uses the devices GPS

Answer 213

signals sent rom a beconing device

Answer 214

automatically collect user data when you visit a webpage

Answer 215

text file placed on your hard drive by a web server

Answer 216

text file ony used while connected that web server

Answer 217

long lived cookie set to expire sometime in the future

Answer 218

owned by the host of the web server

Answer 219

owned by the someone other than the weber server host

Answer 220

cookie stored outside the browsers control, dangerous, respawn, zombie cookies

Answer 221

stored information should be encrypted, only use persistent cookies where necessary and should expire in a reasonable time, provide notice to cookie usage, disclose 3rd party cookie providers, provide an opt-out function, follow general FIPs

Answer 222

Childrens Online Privacy Protection, childeren under 13

Answer 223

Children under 16

Answer 224

California and Deleware, California Minors in the Digital World Act, Deleware Online and Personal Privacy Protection Act

Answer 225

California Consumer Privacy Act, no selling info of children under 16 without consent, Data Controller may obtain consent from he child through an opt-out procedure, under 13 consent is from the parent

Answer 226

document, states how a company collects, stores, and uses personal information it gathers

Answer 227

tells employees how personal information should be stored, accessed, and utilized.

Answer 228

informs consumers how their personal information will be used, helps consumers make an informed decision

Answer 229

maintain a link on the website and each page where personal information is collected

Answer 230

send customers the privacy policy each year

Answer 231

conspiciously post the privacy policy on the website and mobile apps

Answer 232

categories of personal information, categories of third parties, how to request changes, how the policy is updated, it's effective date, how it responds to do-not-track, if a third party can collect personal information

Answer 233

privacy policy not being followed is an unfair or deceptive trade practice, FTC can bring enforcement

Answer 234

designing, developing, testing, releasing, revieweing and updating

Answer 235

data should be used in a manner consistent with the notice what was in effect at the time data was obtained

Answer 236

express, affirmative consent should be given by consumers before making material retroactive changes to data usage

Answer 237

at a minimum, sharing consumer information with third parties after committing not to share the data

Answer 238

short at the top, option to review the detailed longer privacy notice

Answer 239

one point to manage all privacy preferences

Answer 240

symbols used to indicate how information is processed

Answer 241

to enhance transparency

Answer 242

the data controller is responsible for any data misuse by vendors

Answer 243

Data controllers must have written contracts with their business associates

Answer 244

Data controllers to have written contacts in place before processing may occur

Answer 245

Data controller to have sufficient gaurantees from their third parties, properly vet and contract the 3rd parties

Answer 246

Consider their reputation, financial condition, and security controls

Answer 247

confidentialiy provisions, security protections, audit rights, no further use provision, subcontractor use, information sharing, breach notification, consumer consent, data classification system, and an end of relationship provision

Answer 248

the organization's privacy notice and practices

Answer 249

3rd party vendors

Answer 250

physical location of the servers

Answer 251

California consumer privacy act, users have the right to opt-out of data selling

Answer 252

Virginia consumer data protection act, user can opt-out of targeted advertising, data selling, and profiling

Answer 253

California privacy rights act, data controllers to have contracts with any party they share data with

Answer 254

dictate what laws apply

Answer 255

a person's information is subject to the laws of their home jurisdiction

Answer 256

facilitate the free flow of data between EU member states

Answer 257

Adequacy decision, appropriate safeguards, derogations

Answer 258

BCRs, EC model clauses, National model clauses, Codes of conduct, Certification, Ad Hoc contract

Answer 259

Consent, Performance of contract, Public interest, Legal claims, Vital interests, Legitimate interest

Answer 260

equivalent or greater protection in the transferee country

Answer 261

no more safe harbor, in part because of Edward Snowden

Answer 262

no more privacy shield, facebook ireland

Answer 263

a company's rules for internally handling data transfer, don't apply to data transfers with 3rd parties

Answer 264

it must be certified by a privacy supervisory agency in the EU

Answer 265

binding contract rules must contain stuff about, transparency, quality, security, audit, training, compliance procedures, a binding element

Answer 266

standard contract clauses, a company contractually promises to comply with EU law

Answer 267

the transferee country equivalent protections as GDPR, the clause and the legal system, or the supervisory authority should suspend the transfer priviledges

Answer 268

have to get approval from an EU data protection authority or the EU commission, the data protection authority has enforcement authority to include suspension

Answer 269

last resort

Answer 270

controllers and processors to conduct a transfer impact assessment prior to transferring personal data

Answer 271

a risk assessment of transferring data to a third countries, considers SCCs, legal system, adequacy decision stuff

Answer 272

understand all transfers of personal data, verify all transfer tools, assess if appropriate safeguards will be impinged upon, identify supplemental measures, steps for supplemental measures, re-evaluate the level of protection in the trasferee country

Answer 273

Google Analytics violates Chapter V of GDPR, SCCs didn’t provide appropriate safegaurds, US intelligence agencies could access data

Answer 274

cornerstone of privacy program management

Answer 275

discover (assess), build (protect), communicate (sustain), evlove (respond)

Answer 276

(1) Discover/Assess (including “Issue identification and self-assessment” and “Determination of best practices”); (2) Build/Protect (including “Procedure development and verification” and “Full implementation”); (3) Communicate/Sustain (including “Documentation” and “Education”); and (4) Evolve/Respond (including “Affirmation and monitoring” and “Adaptation”)

Answer 277

a policy based approach to managing the flow of information through a lifecycle

Answer 278

privacy policy, privacy statement, fair processing statement, strictly speaking the notice is internal facing the policy is external facing

Answer 279

Fair information practices (FIPs)

Answer 280

have assets and employees in the EU, data stored in the EU, and data interactions with EU residents

Answer 281

of EU data subjects that access their websites or digital products

Answer 282

4% of the company's global revenue

Answer 283

Data protection authorities ,one in each EU country, but Germany has 1 national and 16 state level, DPAs enforce the GDPR

Answer 284

investigate, correct, advise; ask for records and proof of compliance, ban/stop/suspend data procecssing, require additional breach notification, order erasing of information, suspend cross boarder data flow

Answer 285

Transparent communication

Answer 286

Right to access

Answer 287

Rectify data

Answer 288

Restrict processing

Answer 289

Notification obligation to data subjects about their rights

Answer 290

Data portability

Answer 291

Object to processing personal information

Answer 292

No Automated processing

Answer 293

30 days after receipt, possible to get an extension of 60 days if the request is burdensome

Answer 294

Without undue delay

Answer 295

Without undue delay

Answer 296

Data is unintelligible, taken steps to minimize risk, would require disproportionate effort

Answer 297

Asia Pacific Economic Cooperation, founded in 2004

Answer 298

FIPs in APEC is similar to Madrid Resolution

Answer 299

preventing harm, notice, collection limitation, use of personal information, choice, integrity of information, security safeguards, access, correction, accountability

Answer 300

Cross boarder privacy enforcement agreement, APEC

Answer 301

multi jurisdiction, key practices to most restrictive laws

Answer 302

Antitrust laws

Answer 303

In 1938 it gave it general consumer protection authority, referred to as Section 5

Answer 304

5 people, a chairperson and 4 commissioners

Answer 305

privacy, fair credit reporting act (FCRA), CAN-SPAM act, COPPA

Answer 306

most important piece of federal privacy legislation

Answer 307

unfair or deceptive acts or practices affecting commerece are unlawful

Answer 308

apply to acts of foreign trade

Answer 309

non-profits, banks, financial institutions, common carriers

Answer 310

permitted it to issue regulations

Answer 311

To bring enforcement actions

Answer 312

news, public complaints, etc.

Answer 313

Investigatory powers

Answer 314

require business to submit written reports, subpoena power

Answer 315

If the FTC has reason to believe

Answer 316

An Administrative Law Judge (ALJ)

Answer 317

an injunction, ALJ can not impose civil penalties

Answer 318

ALJ to FTC commissioners to Federal Circuit Court

Answer 319

Prosecute claims before a Federal District Court, review by the Federal Appelate Court

Answer 320

TRUE , to provide guidance to other companies

Answer 321

Enforces good practice, avoid expense, easily enforceable, avoid additional negative press, limits exposure to business practices to competitors

Answer 322

a material statement or omission that is likely to mislead consumers who are acting reasonably

Answer 323

first privacy enforcement action, GeoCities sold information

Answer 324

first consent decree, revealed email addresses

Answer 325

collecting names and phone numbers, and messages didn't get deleted

Answer 326

did not conduct annaul re-certifications

Answer 327

tracked consumers via mobile devices

Answer 328

couldn't prevent all identity theft

Answer 329

3rd party developers could access user data

Answer 330

weak encryption, secretly installed software

Answer 331

Substantial injury, lack of off setting benefits, and consumers could't have reasonably avoided

Answer 332

log key strokes, take screen shots, photograph anyone with the camera, geo track users

Answer 333

upheld FTCs unfairness authority, affirmed FTCs authority to regulate cybersecurity

Answer 334

rule making authority for unfair or deceptive trade practices, i.e. trade rules

Answer 335

disclosed patient information

Answer 336

FTCs cease and desist was unenforceable, FTC started holding public hearings

Answer 337

weak security measures

Answer 338

man in the middel attacks, pre-installing software

Answer 339

exposed routers and web cameras to attack

Answer 340

falsely claimed to have bank grade security

Answer 341

didn't have appropriate security measures

Answer 342

COPPA violations

Answer 343

didn't have reasonable security measures

Answer 344

IoT data and physical security issues

Answer 345

unsecured cloud storage

Answer 346

violated GLBA, mortgage information

Answer 347

geolocation data, IP addresses, and info stored in cookies

Answer 348

all operators of commercial websites

Answer 349

information collected, how used, if info is disclosed to third parties

Answer 350

mail or fax a consent form, credit card, debit card, call a toll free number, video conference, government issued ID

Answer 351

collected for the purpose of increasing security

Answer 352

access information, withdraw consent

Answer 353

True, participate in a seal program

Answer 354

California and Deleware

Answer 355

Collect personal information of consumers and resell it

Answer 356

Large amounts of data, analyized to get insights on consumer behavior

Answer 357

2014, data brokers to use data minimzation practices as they relate to children

Answer 358

Potential harm from inaccurate predictions

Answer 359

Consumer consent, no UI, need new models of FIPs and security by design

Answer 360

shift to electronic reimbursement requests, ,efficiency of healthcare

Answer 361

Privacy rule and the Security rule

Answer 362

Covered entities and Business associates

Answer 363

A healthcare provider that bills for insurance

Answer 364

Any person or entity that receives health information from a covered entity to provide services on behalf of the covered entity

Answer 365

individually identifiable health information

Answer 366

limit PHI to the minimum necessary to accomplish the intended purpose

Answer 367

Data set with facial identifiers removed, 16 categories

Answer 368

independent document, plain language, description,person, party, purpose, expire, dated and signed

Answer 369

Covered entitiy to keep a record, give to the individual upon request

Answer 370

Emergency, public health activities, report victims of abuse or domestic violence, court, law enforcement, research, investigate compliance

Answer 371

date of first service, compliance date, time of enrollment, upon request of the person

Answer 372

Medical, billing, enrollment, any other information used to make decisions

Answer 373

Access the designated record set, except for psychotherapy notes or information collected for a legal proceeding or regulatory action

Answer 374

within 30 days

Answer 375

can request the last 6 years

Answer 376

ensure CIA, threats, PHI uses or disclosures, ensure compliance

Answer 377

the measure's size, complexity, capabilities, technical infrastructure, cost, risk ocurrance probability, potential risks

Answer 378

Required and Addressable

Answer 379

OCR, FTC, DOJ, State Attorneys General

Answer 380

States can request their law is not preempted, have to ask HHS, California Medical Information Privacy Act is an example

Answer 381

A company has recognized security practices in place not less than 12 months

Answer 382

Give HHS greater discretion imposing fines

Answer 383

Mapping a person's contact with others, communicable diseases

Answer 384

Rules for data breaches, increased penalties, gave great acess to records, codified terms

Answer 385

There is a low probability of compromise based on nature and extent of disclosure, who the person was that accessed it, was it acquired or viewed, extent the risk has been mitigated

Answer 386

Notify media outlets, within 60 days

Answer 387

Secretary of HHS

Answer 388

Law enforcement says so

Answer 389

Share infor with family and care givers, biomed research confidential, allowed for remote viewing of PHI, no information blocking

Answer 390

Any federally assisted program that provides training or treatement for substance use

Answer 391

Patient consents, veteran affairs, crimes, child abuse, medical emergency, audits, court order

Answer 392

can't use to initiate criminal charges or criminal investigation

Answer 393

provide notice of rights, formal security program, protect paper and electronic records, destroy records when the company leaves the Part 2 program

Answer 394

Fair credit reporting act

Answer 395

Title VI of FDIC and amended the Consumer Credit Protection Act (CCPA)

Answer 396

Fair credit reporting act (FCRA)

Answer 397

Any consumer reporting agency (CRA) or users of a consumer report, furnishers of information to the CRA, companies that extend credit - red flags rule

Answer 398

Consumer reports

Answer 399

written, oral, or other communication used for eligibility for credit, insurance, employment, character, reputation, mode of living

Answer 400

Not a consumer report if it's transactional, between affiliates, consumer is provided an opt out of affiliate sharing

Answer 401

CRAs can't share a consumer report unless the user has a permissable purpose

Answer 402

court order, consumer consent, credit transaction, employment purpose, insurance, gov benefits, assess credit risk, account terms, travle charge cards, child support, liquidation

Answer 403

offer, promotion, reassignment, retention

Answer 404

consumer consent, firm offer of credit or insurance

Answer 405

firm offers of credit or insurance, the CRA must maintain a notification system and allow users to opt out

Answer 406

must be implemented within 5 business days

Answer 407

Only if it is coded for insurance purposes

Answer 408

Users are prohibited from re-disclosing that consumer report

Answer 409

the consumer report has to be accurate, current, and complete

Answer 410

Bankruptcy >10 years, other stuff more than 7 years old

Answer 411

Don't apply to credit, life insurance >$150K, employment >$75K salary

Answer 412

Bankruptcy chapter, number of credit inquiries, credit account voluntarily closed, any dispute information

Answer 413

procedures

Answer 414

identity of users are validated, consumer reports are accurate

Answer 415

both uses and furnishers of information

Answer 416

Consumers have a right to see all the information in their file maintained by the CRA

Answer 417

Consumers have a right to see everyon their report was given to in the last 2 years for employment, last 1 year for everything else

Answer 418

Confirm the consumer's identity

Answer 419

Be in writing, unless consumer consents otherwise, and it must include a summary of the consumer's rights

Answer 420

A re-investigation

Answer 421

The reinvestigation reveals the information was inaccurate, incomplete, or can't be verified

Answer 422

Notify anyone who received the consumer report within the last 6 months, or for 2 years if it was for employment purposes

Answer 423

Within 5 days of it being completed

Answer 424

it must be included in all future consumer reports containing the disputed information

Answer 425

notice must be given to the consumer

Answer 426

The name and contact information of the CRA, a statement the CRA isn't responsible for and can't explain anything, their right to request a free copy within 60 days, thei right to protest it

Answer 427

Consumer to be provided a credit score and information to understand the score

Answer 428

If reasonable procedures are in place to ensure compliance to the law

Answer 429

A copy of the report must be given to the consumer along with their rights, before taking action, however, if the consumer submitted the employment application by mail, phone, computer, they don't need to do this

Answer 430

within 3 days aftter taking action, and provide name and contact infor of CRA, statement, and how to get a free copy

Answer 431

Tell the CRA, who the user is, permissable purpose, procedures in place, verify identity and certifications of recipient

Answer 432

For firm offers of credit or insurance not initiated by a consumer, i.e., companies creating a prequalificaiton list for their product or service

Answer 433

maintain records of the prescreen criteria for 3 years

Answer 434

CRA file was used, they are credit worthy, service can be withheld if fail further screening, consumer can prohibit (opt out of) similar solicitations by contacting the CRA

Answer 435

From providing false information or innacurate information