Introduction to the U.S. Privacy Environment

Question 1

What are the branches of government?

Answer 1

i. Legislative
ii. Executive
iii. Judicial

Question 2

What is the legislative branch made up of and what are it’s checks and balances?

Answer 2

The legislative branch has the power to create new laws.

i. Congress (House of Representatives and the Senate)
ii. Confirms presidential appointees / can override vetos

Question 3

How does a bill become a law?

Answer 3

The bill must pass both house and senate, then goes to the white house. If the President signs the bill it becomes law, if not the President exercises their veto powers and goes back to the house. The House must have a 2/3 majority to overturn a veto.

Question 4

What is the executive branch made up of and what are its checks and balances?

Answer 4

The executive branch carries out and enforces existing laws

i. President, VP, Cabinet, Federal Agencies
ii. Appoint federal judges / can veto laws passed by congress

Question 5

What is the judicial branch made up of and what are its checks and balances?

Answer 5

The judicial branch interprets the meaning of laws

i. Federal Courts
ii. Determines whether laws are constitutional

Question 6

What are the sources of law?

Answer 6

i. Constitutions – Supreme law of the land. All other laws must be consistent. (Unconstitutional laws are declared invalid by courts). Amendments are difficult.
ii. Legislation – Laws passed by congress or state
iii. Regulations and rules – Compliance expectations set my regulatory agencies (“Administrative Law”)
iv. Case law – Final decisions made by judges in court cases and looked to as precedent
v. Common law – Legal principles that have been developed over time in judicial decisions – often drawing on social customs and expectations
vi. Contract law – A subcategory of common law (e.g., The Uniform Commercial Code (UCC) exists in all 50 states.)

Question 7

Jurisdiction

Answer 7

Jurisdiction is the power that a court has to render legal judgments. Jurisdiction may be limited by subject matter or geographic applicability.

Question 8

Person

Answer 8

A person is a human or non-human entity that can sue and be sued, can own property, and can take part in contracts.

Question 9

Preemption

Answer 9

A law that stems from a higher authority takes precedence over laws that stem from lower authorities.

Question 10

Private Right of Action

Answer 10

Laws with a private right of action grant legal persons the ability to bring cases to court.

Question 11

What are the primary regulatory authorities that regulate privacy in the U.S.?

Answer 11

i. Federal Trade Commission (FTC)
ii. Federal Communications Commission (FCC)
iii. Department of Commerce (DoC)
iv. Department of Health and Human Services (HHS)
v. Banking Regulators

Question 12

What are the primary banking regulators that regulate privacy in the U.S.?

Answer 12

i. Federal Reserve Board
ii. Comptroller of the Currency
iii. Consumer Financial Protection Bureau (CFPB)
iv. Federal Deposit Insurance Corporation (FDIC)
v. National Credit Union Administration

Question 13

Federal Trade Commission (FTC)

Answer 13

General authority to enforce the rules against unfair and deceptive trade practices (including the power to bring deception enforcement actions where an individual has broken a privacy promise).

1. Lead agency for privacy enforcement
2. Protects consumers against unfair and deceptive practices
3. Enforces Children’s Online Privacy Protection Act (COPPA)
4. Lacks authority over financial institutions

Question 14

Federal Communications Commission (FCC)

Answer 14

Summary: Regulates interstate and international communications providers

Detail: Places significant compliance regulations on and govern the communications industry, such as television, radio, and telemarketing, and more recently, with online marketing developing such laws as the Telemarketing Sales Rule and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act).

Question 15

Department of Commerce (DoC)

Answer 15

Summary: Implements the EU-US Privacy Shield

Detail: Leading role in federal privacy policy development. Administers the Privacy Shield Framework between the US and EU. The DoC works along with the FTC on the enforcement of privacy and security standards set by organizations, particular with those having privacy self-regulatory programs.

Question 16

Department of Health and Human Services (HHS)

Answer 16

Creates regulations to protect the privacy and security of healthcare information. Responsible for enforcing HIPAA laws. The HHS shares rule-making and enforcement power with the FTC for data breaches related to medical records under the Health Information Technology for Economic and Clinical Healthcare Act (HI-TECH Act)

Question 17

Federal Reserve Board (Fed)

Answer 17

Responsible for enforcing provisions of specific federal financial regulatory mandates, such as the Gramm-Leach-Bliley Act (GLBA)

Question 18

Comptroller of the Currency

Answer 18

Regulates and supervises all national and federal banks and savings institutions, including agencies of foreign banks. Ensures fair access to financial services and compliance with financial privacy laws and regulations.

Question 19

Consumer Financial Protection Bureau

Answer 19

Summary: Regulates how financial institutions handle personal information

Detail: An independent bureau under the Federal Reserve. CFPB has rule marking authority for laws related to financial privacy and oversees the relationship between consumers and financial products and services providers

Question 20

State Attorney General

Answer 20

Chief legal advisor to the state government / state’s chief law enforcement officer. Authority to take enforcement action on a state’s unfair and deceptive practice law, HIPAA, GLBA, the Telemarketing Sales Rule, and violations of breach notification laws

Question 21

Self-Regulation Model

Answer 21

Organizations that monitor privacy through internal privacy practices, frameworks/guidelines, policies and procedures, created and monitored by industry groups

Question 22

Payment Card Industry Data Security Standard (PCI DSS)

Answer 22

One of the most successful self-regulatory frameworks ever

Question 23

Trust Marks

Answer 23

Images or logos of third-party seal and certification programs that are displayed on websites to indicate that it has adopted the guidelines or a program and passed a security and privacy test

Question 24

Criminal Liability

Answer 24

Violations of criminal law with charges by the government. Parties that include depriving someone of their liberty.

Question 25

Mens rea

Answer 25

The mens rea standard requires that a person had criminal intent

Question 26

Civil Liability

Answer 26

Failure to carry out a legal duty owed to another party. Charges brought to courts by the claimant.

Question 27

What are the three categories of legal liability?

Answer 27

1. Legal Liability - contracts, torts, civil enforcement 2. Negligence 3. Strict Liability

Question 28

Contract

Answer 28

Agreement by two parties. Made up of three parts: (1) Offer; (2) Acceptance; and (3) Consideration. Contracts are legally binding agreement between two parties and are enforceable in court.

Question 29

What are the basic conditions of a contract?

Answer 29

i. Capacity to enter contract ii. Offer iii. Acceptance iv. Consideration v. Mutual intent to be bound. vi. Breach of Contract – handled in civil court

Question 30

Tort

Answer 30

Civil wrongs recognized by law as grounds for a lawsuit. These wrongs result in an injury or harm that constitutes a basis for a claim

Question 31

Civil Enforcement

Answer 31

A person may sue based on a violation of a law when a law creates a private right of action

Question 32

Negligence

Answer 32

An organization will be liable for damages if it breaches a legal duty to protect person information and an individual is harmed by that breach.

Question 33

Negligence Liability Factors

Answer 33

1. Duty of care 2. Breach of duty 3. Damages 4. Causation

Question 34

Invasion of Privacy

Answer 34

The violation of a person’s reasonable expectation to be left alone.

Question 35

Four legal standards of an invasion of privacy

Answer 35

1. Invasion of solitude 2. Disclosure of private facts 3. False light 4. Appropriation

Question 36

Strict Liability

Answer 36

Responsibility for actions even if they could not reasonably anticipate the adverse outcome.

Question 37

Can practices be both unfair and deceptive?

Answer 37

Yes.

Question 38

Unfair Trade Practices

Answer 38

Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid.

Question 39

What are the three requirements to be an unfair trade practice?

Answer 39

1. Must cause or be likely to cause substantial injury 2. Must not be reasonably avoidable 3. Must not be outweighed by the benefits

Question 40

Deceptive Trade Practices

Answer 40

Corporate entities who mislead or misrepresent products or services to consumers and customers.

Question 41

What are the three requirements to be a deceptive trade practice?

Answer 41

1. Must involve a misleading representation, omission, or practice 2. Must be analyzed from the perspective of a reasonable consumer 3. Must be material

Question 42

Who brings forward state enforcement of unfair and/or deceptive trade practices?

Answer 42

The State Attorney General Most states have similar laws to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. In addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.

Question 43

Global Privacy Enforcement Network (GPEN)

Answer 43

GPEN is the Global Privacy Enforcement Network. It aims to promote cross border information sharing as well as investigation and enforcement cooperation among privacy authorities. In summary, GPEN: • Exchanges information about privacy issues • Encourages sharing of enforcement expertise • Promotes dialogue among enforcement groups • Facilitates international cooperation • Supports international privacy practices

Question 44

What are the three traditional separation of power components for self-regulation?

Answer 44

i. Legislation – questions of who should define appropriate rules for the privacy ii. Enforcement – questions of who should initiate enforcement actions iii. Adjunction – who should decide whether a company has violated privacy rules and with what penalties. Within Section 5 of the FTC and UDAP laws, self-regulation occurs at the legislation stage as companies write their own privacy policies.

Question 45

Data Inventory

Answer 45

Involves an inventory of PI (employee and customer) that the organization collects, stores, uses, or discloses. IT should document data location and flow as well as evaluate how, when, and with whom the organization shares such information and the means for data transfer and uses

Question 46

Personally Identifiable Information (PII)

Answer 46

Any information that can be used to distinguish an individual’s identity or any information that is either linked or linkable to an individual.

Question 47

What are some common activities in a business that involve PII?

Answer 47

``` o New employee onboarding o Benefits program administration o Customer interactions o Independent contractor tax reporting o Walk the employee and customer journeys to identify other PII uses ```

Question 48

What are some common components of a data inventory?

Answer 48

``` o Name of business process o Reason for using PII o Legitimacy of use o Storage and transmission of PII o Access list o Third-party involvement ```

Question 49

Data Classification

Answer 49

Classifying data according to its level of sensitivity. It should define the clearance of individuals who can access or handle the data, as well as the baseline level of protection that is appropriate for the data

Question 50

Data Flow Mapping

Answer 50

The mapping and documenting of systems, applications, and processes handling data. Key employee interviews are a good starting point. Data Flow diagrams trace the PII journey.

Question 51

Privacy Program Framework

Answer 51

An implementation roadmap that provides the structure or checklists (documented privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization.

Question 52

What are some key components of a privacy program framework?

Answer 52

i. Establishes accountability for privacy practices. ii. A Chief Privacy Officer has broad oversight over an organization’s privacy practices. Subordinate privacy officials may have authority over specific functions or subject areas iii. Privacy is the responsibility of every employee who handles PII iv. Privacy programs must track information related to privacy practices v. Managing User Preferences

Question 53

Managing User Preferences

Answer 53

Organizations must often obtain consent from individuals prior to collecting or using their PII.

Question 54

What are the two ways consent are obtained?

Answer 54

1. Opt-In Consent 2. Opt-Out Consent Many privacy regulations require opt-in consent.

Question 55

Opt-In Consent

Answer 55

Affirmative consent takes place when the user explicitly agrees to a privacy practice

Question 56

Opt-Out Consent

Answer 56

Implicit consent occurs when the user does not take action to explicitly deny consent

Question 57

What are the five key components of an incident response program?

Answer 57

i. Policy and plan documentation ii. Procedures for incident handling iii. Guidelines for communicating externally iv. Structure and staffing model for the team v. Description of relationships with other groups

Question 58

Workforce Training

Answer 58

Privacy education helps protect organizations from privacy risks.

Question 59

Accountability

Answer 59

The responsibility to assure compliance with privacy laws and policies

Question 60

Data Retention

Answer 60

Within information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose. Securely dispose of information when it is no longer needed.

Question 61

Privacy notices

Answer 61

A statement made to a data subject that describes how an organization collects, uses, retains, and discloses PI. May be referred to as a privacy statement, a fair processing statement, or sometimes, a privacy policy.

Question 62

Vendor Management

Answer 62

Vendor agreements should contain clear data ownership language i. Data Ownership Provisions: 1. Customer retains uninhibited data ownership 2. Vendor’s right to use information is limited to activities performed on behalf of the customer 3. Vendor’s right to use information is limited o activities performed with the customer’s knowledge 4. Vendor must delete information at the end of the contract

Question 63

EU - U.S. Safe Harbor Agreement

Answer 63

An agreement between the EU and US, invalidated by the Court of Justice of the EU in 2015, that allowed for the legal transfer of PI between the EU and US in absence of a comprehensive adequacy decision for the US. It was replaced by the EU-US Privacy Shield

Question 64

Privacy Shield

Answer 64

Created in 2016 to replace the invalidated EU-US Safe Harbor agreement, the Privacy Shield is an adequacy agreement that allows for the transfer of personal data from the EU to the US for companies participating in the program. Only those companies that fall under the jurisdiction of the US FTC may certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions.

Question 65

Binding Corporate Rules (BCRs)

Answer 65

An appropriate safe guard allowed by GDPR to facilitate cross-border transfers of PI between the various entities of a corporate group worldwide. They do so by ensuring that the same high-level of protection of personal data is complied with by all members of the organizational ground by means of a single set of binding, and enforcement rules.

Question 66

Standard Contractual Clauses

Answer 66

Adopted either directly by the European Commission or by a supervisory authority. Contractual clauses or mechanisms by which organizations can commit to protect personal data to facilitate ongoing and systematic cross-border personal data transfers.

Question 67

Certification Mechanisms

Answer 67

Introduced by GDPR, a new valid adequacy mechanism for the transfer of personal information outside of the EU in the absence of an adequacy decision and instead of other mechanisms such as BCRs or contractual clauses. Certification Mechanisms must be developed by certifying bodies, approved by data protection authorities or the European Data Protection Board, and have a methodology for auditing compliance.

Question 68

Electronic Discovery (e-Discovery)

Answer 68

Requires civil litigants to turn over large volumes of a company’s electronic records in litigation

Question 69

EU Data Protection Directive

Answer 69

Replaced by GDPR in 2018, the directive was adopted in 1995, effective in 1998 and was the first EU-wide legislation that protected individuals’ privacy and personal data use

Question 70

GDPR requirements

Answer 70

Broad privacy law that regulates almost all personal information for EU residents.

Question 71

APEC Privacy Framework

Answer 71

A set of non-binding principles adopted by APEC that mirror the OECD Fair Information Privacy Practices. They seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs iii. Note: The details of GDPR and the APEC framework are outside the scope of CIPP/US. Just need to understand the high-level concept.