Introduction to the U.S. Privacy Environment Flashcards
What are the branches of government?
i. Legislative
ii. Executive
iii. Judicial
What is the legislative branch made up of and what are its checks and balances?
The legislative branch has the power to create new laws.
i. Congress (House of Representatives and the Senate)
ii. Confirms presidential appointees / can override vetoes
How does a bill become a law?
The bill must pass both the House and the Senate, then goes to the White House. If the President signs the bill, it becomes law; if not, the President exercises their veto power and the bill goes back to the House. The House must have a 2/3 majority to overturn a veto.
What is the executive branch made up of and what are its checks and balances?
The executive branch carries out and enforces existing laws.
i. President, VP, Cabinet, Federal Agencies
ii. Appoints federal judges / can veto laws passed by Congress
What is the judicial branch made up of and what are its checks and balances?
The judicial branch interprets the meaning of laws.
i. Federal Courts
ii. Determines whether laws are constitutional
What are the sources of law?
i. Constitutions – Supreme law of the land. All other laws must be consistent. (Unconstitutional laws are declared invalid by courts). Amendments are difficult.
ii. Legislation – Laws passed by Congress or a state
iii. Regulations and rules – Compliance expectations set by regulatory agencies (“Administrative Law”)
iv. Case law – Final decisions made by judges in court cases and looked to as precedent
v. Common law – Legal principles that have been developed over time in judicial decisions – often drawing on social customs and expectations
vi. Contract law – A subcategory of common law (e.g., The Uniform Commercial Code (UCC) exists in all 50 states.)
Jurisdiction
Jurisdiction is the power that a court has to render legal judgments. Jurisdiction may be limited by subject matter or geographic applicability.
Person
A person is a human or non-human entity that can sue and be sued, can own property, and can take part in contracts.
Preemption
A law that stems from a higher authority takes precedence over laws that stem from lower authorities.
Private Right of Action
Laws with a private right of action grant legal persons the ability to bring cases to court.
What are the primary regulatory authorities that regulate privacy in the U.S.?
i. Federal Trade Commission (FTC)
ii. Federal Communications Commission (FCC)
iii. Department of Commerce (DoC)
iv. Department of Health and Human Services (HHS)
v. Banking Regulators
What are the primary banking regulators that regulate privacy in the U.S.?
i. Federal Reserve Board
ii. Comptroller of the Currency
iii. Consumer Financial Protection Bureau (CFPB)
iv. Federal Deposit Insurance Corporation (FDIC)
v. National Credit Union Administration
Federal Trade Commission (FTC)
General authority to enforce the rules against unfair and deceptive trade practices (including the power to bring deception enforcement actions where an individual has broken a privacy promise).
- Lead agency for privacy enforcement
- Protects consumers against unfair and deceptive practices
- Enforces Children’s Online Privacy Protection Act (COPPA)
- Lacks authority over financial institutions
Federal Communications Commission (FCC)
Summary: Regulates interstate and international communications providers
Detail: Places significant compliance regulations on, and governs, the communications industry, such as television, radio, and telemarketing, and more recently online marketing, developing such laws as the Telemarketing Sales Rule and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act).
Department of Commerce (DoC)
Summary: Implements the EU-US Privacy Shield
Detail: Leading role in federal privacy policy development. Administers the Privacy Shield Framework between the US and EU. The DoC works along with the FTC on the enforcement of privacy and security standards set by organizations, particularly those with privacy self-regulatory programs.
Department of Health and Human Services (HHS)
Creates regulations to protect the privacy and security of healthcare information. Responsible for enforcing HIPAA laws. The HHS shares rule-making and enforcement power with the FTC for data breaches related to medical records under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
Federal Reserve Board (Fed)
Responsible for enforcing provisions of specific federal financial regulatory mandates, such as the Gramm-Leach-Bliley Act (GLBA).
Comptroller of the Currency
Regulates and supervises all national and federal banks and savings institutions, including agencies of foreign banks. Ensures fair access to financial services and compliance with financial privacy laws and regulations.
Consumer Financial Protection Bureau
Summary: Regulates how financial institutions handle personal information
Detail: An independent bureau under the Federal Reserve. The CFPB has rule-making authority for laws related to financial privacy and oversees the relationship between consumers and providers of financial products and services.
State Attorney General
Chief legal advisor to the state government / the state’s chief law enforcement officer. Has authority to take enforcement action under a state’s unfair and deceptive practices law, HIPAA, GLBA, the Telemarketing Sales Rule, and violations of breach notification laws.
Self-Regulation Model
Organizations monitor privacy through internal privacy practices, frameworks/guidelines, policies, and procedures that are created and monitored by industry groups.
Payment Card Industry Data Security Standard (PCI DSS)
One of the most successful self-regulatory frameworks ever
Trust Marks
Images or logos of third-party seal and certification programs that are displayed on a website to indicate that the site has adopted the guidelines of a program and passed a security and privacy test.
Criminal Liability
Violations of criminal law, with charges brought by the government. Penalties can include depriving someone of their liberty.
Mens rea
The mens rea standard requires that a person had criminal intent.
Civil Liability
Failure to carry out a legal duty owed to another party. Charges brought to courts by the claimant.
What are the three categories of legal liability?
- Legal Liability - contracts, torts, civil enforcement
- Negligence
- Strict Liability
Contract
An agreement between two parties, made up of three parts: (1) Offer; (2) Acceptance; and (3) Consideration. Contracts are legally binding agreements between two parties and are enforceable in court.
What are the basic conditions of a contract?
i. Capacity to enter contract
ii. Offer
iii. Acceptance
iv. Consideration
v. Mutual intent to be bound.
vi. Breach of Contract – handled in civil court
Tort
Civil wrongs recognized by law as grounds for a lawsuit. These wrongs result in an injury or harm that constitutes a basis for a claim.
Civil Enforcement
A person may sue based on a violation of a law when that law creates a private right of action.
Negligence
An organization will be liable for damages if it breaches a legal duty to protect personal information and an individual is harmed by that breach.
Negligence Liability Factors
- Duty of care
- Breach of duty
- Damages
- Causation
Invasion of Privacy
The violation of a person’s reasonable expectation to be left alone.
Four legal standards of an invasion of privacy
- Invasion of solitude
- Disclosure of private facts
- False light
- Appropriation
Strict Liability
Responsibility for one’s actions even if the party could not reasonably anticipate the adverse outcome.
Can practices be both unfair and deceptive?
Yes.
Unfair Trade Practices
Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid.
What are the three requirements to be an unfair trade practice?
- Must cause or be likely to cause substantial injury
- Must not be reasonably avoidable
- Must not be outweighed by the benefits
Deceptive Trade Practices
Corporate entities that mislead or misrepresent products or services to consumers and customers.
What are the three requirements to be a deceptive trade practice?
- Must involve a misleading representation, omission, or practice
- Must be analyzed from the perspective of a reasonable consumer
- Must be material
Who brings forward state enforcement of unfair and/or deceptive trade practices?
The State Attorney General
Most states have similar laws to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. In addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.
Global Privacy Enforcement Network (GPEN)
GPEN is the Global Privacy Enforcement Network. It aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities.
In summary, GPEN:
• Exchanges information about privacy issues
• Encourages sharing of enforcement expertise
• Promotes dialogue among enforcement groups
• Facilitates international cooperation
• Supports international privacy practices
What are the three traditional separation of power components for self-regulation?
i. Legislation – questions of who should define appropriate rules for privacy
ii. Enforcement – questions of who should initiate enforcement actions
iii. Adjudication – who should decide whether a company has violated privacy rules and with what penalties. Within Section 5 of the FTC Act and UDAP laws, self-regulation occurs at the legislation stage as companies write their own privacy policies.
Data Inventory
Involves an inventory of the PI (employee and customer) that the organization collects, stores, uses, or discloses. It should document data location and flow as well as evaluate how, when, and with whom the organization shares such information and the means of data transfer and use.
Personally Identifiable Information (PII)
Any information that can be used to distinguish an individual’s identity or any information that is either linked or linkable to an individual.
What are some common activities in a business that involve PII?
- New employee onboarding
- Benefits program administration
- Customer interactions
- Independent contractor tax reporting
- Walk the employee and customer journeys to identify other PII uses
What are some common components of a data inventory?
- Name of business process
- Reason for using PII
- Legitimacy of use
- Storage and transmission of PII
- Access list
- Third-party involvement
Data Classification
Classifying data according to its level of sensitivity. The classification should define the clearance of individuals who can access or handle the data, as well as the baseline level of protection that is appropriate for the data.
Data Flow Mapping
The mapping and documenting of systems, applications, and processes handling data. Key employee interviews are a good starting point. Data Flow diagrams trace the PII journey.
Privacy Program Framework
An implementation roadmap that provides the structure or checklists (documented privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization.
What are some key components of a privacy program framework?
i. Establishes accountability for privacy practices.
ii. A Chief Privacy Officer has broad oversight over an organization’s privacy practices. Subordinate privacy officials may have authority over specific functions or subject areas.
iii. Privacy is the responsibility of every employee who handles PII
iv. Privacy programs must track information related to privacy practices
v. Managing User Preferences
Managing User Preferences
Organizations must often obtain consent from individuals prior to collecting or using their PII.
What are the two ways consent is obtained?
- Opt-In Consent
- Opt-Out Consent
Many privacy regulations require opt-in consent.
Opt-In Consent
Affirmative consent takes place when the user explicitly agrees to a privacy practice.
Opt-Out Consent
Implicit consent occurs when the user does not take action to explicitly deny consent.
What are the five key components of an incident response program?
i. Policy and plan documentation
ii. Procedures for incident handling
iii. Guidelines for communicating externally
iv. Structure and staffing model for the team
v. Description of relationships with other groups
Workforce Training
Privacy education helps protect organizations from privacy risks.
Accountability
The responsibility to assure compliance with privacy laws and policies
Data Retention
Within the information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose. Securely dispose of information when it is no longer needed.
Privacy notices
A statement made to a data subject that describes how an organization collects, uses, retains, and discloses PI. May be referred to as a privacy statement, a fair processing statement, or sometimes, a privacy policy.
Vendor Management
Vendor agreements should contain clear data ownership language.
i. Data Ownership Provisions:
1. Customer retains uninhibited data ownership
2. Vendor’s right to use information is limited to activities performed on behalf of the customer
3. Vendor’s right to use information is limited to activities performed with the customer’s knowledge
4. Vendor must delete information at the end of the contract
EU - U.S. Safe Harbor Agreement
An agreement between the EU and US, invalidated by the Court of Justice of the EU in 2015, that allowed for the legal transfer of PI between the EU and US in the absence of a comprehensive adequacy decision for the US. It was replaced by the EU-US Privacy Shield.
Privacy Shield
Created in 2016 to replace the invalidated EU-US Safe Harbor agreement, the Privacy Shield is an adequacy agreement that allows for the transfer of personal data from the EU to the US for companies participating in the program. Only those companies that fall under the jurisdiction of the US FTC may certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions.
Binding Corporate Rules (BCRs)
An appropriate safeguard allowed by GDPR to facilitate cross-border transfers of PI between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules.
Standard Contractual Clauses
Adopted either directly by the European Commission or by a supervisory authority. Contractual clauses or mechanisms by which organizations can commit to protect personal data to facilitate ongoing and systematic cross-border personal data transfers.
Certification Mechanisms
Introduced by GDPR, a new valid adequacy mechanism for the transfer of personal information outside of the EU in the absence of an adequacy decision and instead of other mechanisms such as BCRs or contractual clauses. Certification Mechanisms must be developed by certifying bodies, approved by data protection authorities or the European Data Protection Board, and have a methodology for auditing compliance.
Electronic Discovery (e-Discovery)
Requires civil litigants to turn over large volumes of a company’s electronic records in litigation.
EU Data Protection Directive
Replaced by GDPR in 2018, the directive was adopted in 1995, became effective in 1998, and was the first EU-wide legislation that protected individuals’ privacy and personal data use.
GDPR requirements
Broad privacy law that regulates almost all personal information for EU residents.
APEC Privacy Framework
A set of non-binding principles adopted by APEC that mirror the OECD Fair Information Privacy Practices. They seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.
Note: The details of GDPR and the APEC framework are outside the scope of CIPP/US. You just need to understand the high-level concept.