Introduction to US Privacy Environment (35 questions) Flashcards
What is the role of the legislative branch?
to create laws
what is the role of the executive branch?
to enforce the law
accomplished through the work of federal administrative agencies, which are commonly granted authority by Congress to make rules and pursue enforcement actions
constitution
supreme law of the land
doesn’t mention the word privacy anywhere in its text but protects privacy interest through 3rd, 4th, 5th, and 14th amendments
provides floor of protection over which states are free to enact stricter protections
legislation
federal and state level legislation provides most significant privacy related requirements
preemption- federal law may prohibit states from enacting laws covering the same general area as the federal law
rules and regulations
privacy related laws permit federal agencies to adopt formal regulations and rules to clarify and enforce statutory law
government agencies provide informal guidance (ex. written opinions setting forth interpretation of law)
case law/common law
set of legal principles and law that has developed over the course of time as a result of societal customs and judicial decisions (not statutes and constitution)
stare decisis- judicial decisions should be guided by past judicial decisions
contract law
contract= legally binding agreements to be enforced by court of law
include
- offer
- acceptance
- consideration
consent decree
type of contract where parties agree to enter into and abide by a judgement that prevents one party from acting in an illegal manner or requires a party to refrain from engaging in an illegal act
approved by judge
usually permit party to avoid admitting guilt or wrongdoing
jurisdiction
court’s authority to hear a specific case or issue a decree
personal jurisdiction
court’s authority to hear a dispute between specific parties
subject matter jurisdiction
court’s authority to hear specific types of disputes
federal courts- limited
state courts- general
person
any individual or organization with legal rights
individual= natural person
organization = legal person
private right of action
individual’s right to sue in their personal capacity to enforce a legal claim
federal trade commission (FTC)
most important federal regulatory authority
independent agency- not under US president control
5 member bipartisan commission appointed by president confirmed by senate
purpose
- protect consumers against unfair or deceptive trade practices
- regulate certain market segments and conduct (ex. child privacy online and commercial email marketing)
- conduct investigations and require businesses to submit investigatory reports under oath (section 6)
unfair and deceptive trade practices
section 5 of FTC act
unfair or deceptive acts or practices in or affecting commerce are unlawful
doesn’t extend to
- non profit orgs (not in commerce)
- banks
- federal regulated financial institutions
- common carriers (transportation and communication industries)
deceptive
material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances
ex. false promises, misrepresentation, failures to comply with representations made to consumers
unfair
section 5- unfair and deceptive
Can’t Easily Avoid SNOB
- injury is substantial+
- lacks offsetting benefits +
- can’t be easily avoided by consumers
doesn’t matter if company didn’t make any deceptive statements
ex: failure to implement adequate protection measures for sensitive personal info, provide inadequate disclosures to consumers
Avoid SNOB
1. can’t easily avoid
2. S- substantial injury
3. NOB- no offsetting benefits
Federal Communications Commission (FCC)
federal regulatory authority
independent agency- not under US president control
chairman + 4 commissioners appointed by president confirmed by senate
purpose- enforce various federal statutes related to telecommunications
department of commerce
federal regulatory authority
led by secretary of commerce
purpose
- develop federal privacy policy
- authorize privacy shield framework between US and EU
- NO ENFORCEMENT AUTHORITY
department of health and human services
federal regulatory authority
led by secretary of health and human services
purpose
- oversee health and well being of US citizens
- oversee and implement + enforce HIPAA
- administer 21st century cures act
- administer confidentiality of substance use disorder patient records rule
federal reserve board
bank regulator
federal regulatory authority
independent agency- not under US president control
led by 7 members (governors) nominated by president confirmed by senate
- 14 year terms (staggered)
purpose
- supervise and regulate financial institution
- promote consumer protection
- oversee 12 separate geographic regions of reserve bank through federal reserve board of governors
consumer financial protection bureau
bank regulator
federal regulatory authority
purpose
- promote consumer protection
- enforce fair credit reporting act (FCRA)
- rule making and regulatory authority under GLBA
department of treasury
bank regulator
federal regulatory authority
purpose
- houses the Office of the Comptroller of the Currency (financial regulator)
- charter, regulate, supervise national banks, federal savings associations, and federal branches of foreign banks
state regulatory authority
state attorney general
given significant authority under both state and federal law
self regulatory authority
can bring enforcement actions
ex
- payment card industry- data security standard
- digital advertising alliance
- network advertising initiative
- direct marketing association
PCI
most prominent self regulatory group
imposes significant obligations which are enforced by individual card brands (AMEX, Discover, Visa, Mastercard) through their own program for compliance and enforcement
rules (drafted by the PCI DSS council)
- firewall
- no vendor supplied defaults for passwords
- protection of cardholder data
- encrypt cardholder data on public networks
- anti-virus software
- restrict access to cardholder data
- track access
- test systems
- maintain policy
- hire qualified security assessor to assess and detect security violations
DAA adchoice program
most prominent self-regulatory group in advertising
developed by advertising and marketing trade groups
goal: provide consumers ability to opt-out of online and interest based ads
enforcement: Council of Better Business Bureaus and Data & Marketing Association
failure to comply with PCI rules
exclusion from Visa, Mastercard, or other payment card systems +
penalties of $5,000-$100,000 per month of noncompliance
trust marks
privacy seal programs
- programs that require companies to abide by a set of principles and operating procedures in exchange for the right to display a seal or logo indicating certification with those principles
goal- increase consumer confidence and trust
ex. better business bureau
civil liability
plaintiff vs defendant
basis- civil violation of statute or civil wrong arising under common law (tort or contract)
relief- monetary damages, injunction, specific performance, declaratory judgment
standard of liability- P prove by preponderance of evidence (more likely than not)
same procedural protections for both parties
criminal liability
department of justice (federal) or state prosecutor/attorney general vs defendant
basis- violation of criminal statute
relief- criminal sentence (fine or prison)
standard of liability- government proves guilty beyond a reasonable doubt
additional procedural protections for defendant (ex. presumption of innocence, 6th amendment right to counsel, right to speedy trial)
contract liability
breach of contract- one party fails to perform any of its contractual obligations at time performance is due
remedies- monetary damages measured by
- expectation interest (put plaintiff in position he would be in if contract was performed)
- reliance interest (put plaintiff in position he would be in if contract not made)
- restitution interest (prevent party from unjust enrichment as result of breach)
specific performance- ordered to comply with terms of contract/ available when no other remedy will adequately compensate
tort liability
types
- intentional (party knows or should know the act would cause harm to another)
- negligent (party fails to observe standard of care)
- strict liability (engage in certain prohibited conduct)
intrusion upon seclusion- privacy tort
person intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns
must be highly offensive to reasonable person - substantial burden to one’s existence not just annoyance
appropriation- privacy tort
person uses another name or likeness for their own benefit without permission
publicity given to private life- privacy tort
person publicizes matters concerning another private life that are not of legitimate public concern
must be highly offensive to reasonable person
false light- privacy tort
person publicizes a matter concerning another that places the other before the public in a false light
must be highly offensive to reasonable person
person must have had knowledge or acted in reckless disregard to falsity
federal enforcement actions
administrative procedures act (APA)
- provides set of procedural rules that govern agency actions (similar to the FRCP)
- statutes can mandate specific enforcement procedures different from those in the APA (ex. FTC act)
procedure
1. commission issues complaint (can settle through consent decree, imposed for up to 20 years)
2. administrative trial proceeds before an ALJ
3. if violation found, ALJ enjoins company from continuing the practices; order becomes final 60 days after it is served on company
4. FTC can seek civil penalties ($43,280/violation) if order is ignored by company; decision is appealable (1st to the 5 commissioners, then to federal district court)
global privacy enforcement network (GPEN)
network that connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy
members: FTC, FCC, and California attorney general
5 ways GPEN seeks to encourage cooperation amongst countries
MATED
- exchanging info
- encouraging training opportunities
- promoting dialogue
- creating processes and mechanisms that can be utilized
- undertaking and supporting specific activities
M- Mechanisms, A- Activities, T- Training, E- Exchanging, D- Dialogue
what is regulated in US privacy law
personal information (personally identifiable information)
not non personal information
generally doesn’t include IP addresses (exception: the FTC treats IP addresses as personal info in connection with a breach of healthcare info)
identified individual- personal info
one who can be ascertained with certainty
SSN, passport number, names
likely to be regulated
identifiable individual- personal info
one that can be indirectly identified through combination of various factors
ex. know person lives in specific city
less likely to be regulated
sensitive personal information
subject to greater regulation for collection, use and disclosure
what is considered as sensitive varies from jurisdiction to jurisdiction depending on particular regulations
generally includes financial info, health info, drivers license numbers, SSN
nonpublic information- personal info
at the center of US privacy regulation
not generally accessible or easily accessed due to law or custom
ex. medical records, financial info, adoption records
public records- personal info
info collected and maintained by gov entity and available to public
law in jurisdiction determines if considered protected or not (private or not)
ex. court filings, real estate records
publicly available info- personal info
generally not protected
info generally available to wide range of persons
ex. social media, search engines
personal info can be transformed into non-personal unprotected info through
encryption (put it in unrecognizable form)
anonymization (strip data of identifying info)
pseudonymization (associated data with pseudonym so no longer attributed to specific person without additional info) ex. user 1
data subject
individual whose personal information is being processed
ex. patient, employee, customer
data controller
organization/individual that decides how personal information is utilized and processed
subject to heaviest amount of regulation by privacy and data security laws
data processor
organization/individual that processes data on behalf of data controller (collection, storage, use, disclosure, transmission, destruction)
what it can do is limited by data controller
organization/ individual may be both data processor and data controller
includes 3rd party data controller contacts
comprehensive data protection model (Europe)
uniform regulation over entire economy
DPA (data protection agency)- responsible for oversight of enforcement
issues:
1. cost outweighs benefits
2. one law no matter how unique situation is
3. no innovation
4. officials granted varying degrees of enforcement power from country to country
5. countries choose to allocate varying levels of resources to enforcement of data laws
pros:
1. remedy past injustices
2. ensure consistency
3. promote electronic commerce
sectoral data protection model (US)
enacts laws that address a particular industry sector
multiple enforcement agencies
pros:
1. different parts of economy face different challenges for privacy and security
2. cost savings
3. little regulatory burden for organizations outside regulated sectors
cons:
1. lack of single DPA to oversee issues
2. gaps (inadequate) and overlaps (overly burdensome) in coverage
3. government agencies may develop different policies
co-regulation (australia) data protection models
self regulation + comprehensive or sectoral model
emphasizes industry development of enforceable codes or standards for privacy and data protection, backed by legal requirements set by government
overseen by both privacy industry + government
ex. COPPA- compliance with approved codes is sufficient for compliance with the statute
self regulation data protection model (similar to US)
emphasizes creation of codes of practice for protection of PI by company, industry or independent body
no generally applicable data protection law
ex. PCI DSS- enhances cardholder data security and facilitates the broad adoption of consistent data security measures globally
fair information practices
means for organizing multiple individual rights and organizational responsibilities that exist with respect to PI
covers both
1. individual rights related to PI +
2. how organizations manage data they collect
fair information practices- rights of individuals
CAN
notice- description of org info management practices, for consumer education and accountability of corporation
consent and choice- ability to specify whether PI will be collected and how it will be used or disclosed (express or implied)
- opt-in= affirmative indication required (failure to answer does not count)
- opt-out- can be implied through failure to object to use or disclosure
access- ability to view PI held by org
- generally require access and correction when info used for substantive decision making (ex. credit report)
fair information practices- organizational management and protection of PI
controls- info security (reasonable admin, tech, and physical safeguards to protect PI) and information quality ( maintain accurate, complete and relevant PI)
information life cycle
- collection (only for purpose identified)
- use and retention (only for purpose identified + consent + how long necessary to fulfill purpose)
- disclosure (only for purpose identified + consent)
3 groups of US consumers
- privacy fundamentalists
- privacy pragmatist
- privacy unconcerned
privacy fundamentalist
consumer that is
- generally distrustful of organizations that ask for their personal info
- favors stricter privacy regulation
25% of people in US
privacy pragmatist
consumer that weighs benefits of various consumer opportunities and services vs. protections necessary to make sure PI is not abused
majority of public
privacy unconcerned
consumers that are
- generally trustful of organizations collecting their personal info
- willing to sacrifice privacy in favor of commercial or public benefits
data assessment
CIA
process for
1. creating data inventory
2. conducting data flow analysis
3. classifying categories of data
data inventory
identifies personal data as it moves across various systems, including both customer and employee data records
legally required for some organizations
information that must be recorded during data inventory
- data location
  - physical location + general understanding about where data is stored
  - electronic data = file it is saved in + server it is stored on
- data residency
  - where servers storing data are physically located
  - dictates what laws apply to how data is processed
- data access
  - identify who has access to data being processed
  - identify how and when such info is shared
  - looks at both internal access and 3rd party external access
data flow analysis
examination and documentation of data flows through organization
identifies
- purpose data is used for
- types of data processed
- risks and controls at each step
- maintenance plan (for compliance)
increases confidence in regulatory compliance and becomes a record to reference for customers and employees
data classification
categories-CPPRS
classifying data according to its level of sensitivity which in turn defines
- level of clearance of individuals who can access and handle data
- baseline level of protection appropriate for data
categories are generally tailored to organization but commonly include
- confidential info
- proprietary info
- sensitive info
- restricted info
- public info
privacy program development steps
- balance risks
- understand organizational goals
- develop policies
- privacy operational life cycle
4 categories of risk to keep in mind when developing privacy program
oilr
- legal risk (regulatory action and litigation that may result from failing to comply with laws and regulations)
- reputational risk (trust consumers place in organization + organization’s reputation may affect consumer behavior)
- organizational risk (balance between compliance with privacy regulations and achieving organizational goals)
- investment risk (balance whether investments in information management and technology are worth the cost)
privacy operational life cycle
continuous refinement of privacy program
should do following
1. assess (identify risks )
2. protect (develop policies and practices)
3. sustain (communicate, monitor, and audit)
4. respond (respond to privacy incidents and handle complaints)
managing user preferences
user consent + user access + notice
opt-in user consent
express form of consent
requires some affirmative act by consumer before consent will be deemed adequate
scope determined by organization
legally required for COPPA- express consent of parent required before personal info of child is collected
double opt-in user consent
consumer initially expresses interest + asked second time to confirm interest
opt-out user consent
passive form of consent
allows collection and use of data unless user expressly states desire not to have info collected
may require 2nd opportunity to opt-out even after initial consent
scope should be more broad than narrow (ex. comply across all communications regardless of media used to communicate request)
legally required for VPPA- required in certain cases before movie rental data is provided to 3rd parties
no option user consent
where authority to collect and utilize data is implied from the situation
“commonly accepted categories of commercial data practices”
includes
- product fulfillment (implicit consent to share address with delivery company + credit card company processing financial portions of transaction)
- fraud prevention
- internal operations
- legal compliance and public purpose
- 1st party marketing
form of user consent
mechanism for obtaining consent
recommendation- provide consumers choice in same manner in which communicated with consumer
user access- managing user preferences
2 components
1. actual access to information collected
2. ability to correct information that is inaccurate or incomplete
information privacy
concerned with personal information
policies behind handling info
- identify uses and users of information
- seeks agreement to use information
- limits collection
- provide avenues for complaints
- allow access to info to maintain accuracy and completeness
information security
concerned with confidential information
protection of data from unauthorized access
- protection system and data from threats
- malicious code detection and prevention
- configurations and patch management
- intrusion detection and mitigation
CIA triad- 3 considerations for information security program
confidentiality
- access limited to authorized persons only
- accomplished through access control list, encryption, file permissions
integrity
- info kept in authentic, accurate, and complete form
availability
- kept in way that those with authorization can adequately access it
security controls
measure that is modifying risk
includes processes, policies, devices, practice or other actions.
categories of security controls
prevention
- prevent security event from occurring or otherwise prevent errors or other negative consequences
detective
- identify security incident while it is in progress
ex. active monitoring of closed-circuit TVs
corrective
- fix or limit damage caused by security incident
ex. data loss prevention systems that remotely wipe an employee’s hard drive when a laptop is lost
types of security controls
PAT
physical
- mechanisms designed to limit or monitor physical access to an environment or object
ex. locks and security cameras
administrative
- internal procedures and mechanisms put in place to limit and monitor access to information + training of employees to follow those internal procedures
technical
- applications of technology that help protect information against unauthorized access
categories
- obfuscation (ex. randomization or hashing)
- data minimization (ex. data segregation)
- security (ex. access controls and antivirus software)
- privacy engineering (ex. anonymous digital credentials)
workforce training
employees should receive awareness training and regular update on organizational policies and procedures relevant to job function
benefits: lowers cost of responding to data breaches
laws that mandate workforce training
HIPAA privacy and security rules
- must train all members of workforce within reasonable time on policies and procedures with respect to protected health info as necessary for them to carry out functions within entity
GLBA safeguard rule
- financial institution must train staff to prepare and implement info security program
- specialized training required where appropriate
FTC red flags rule
- must establish identity theft program and training is necessary to effectively implement program
Massachusetts data security law
- anyone that owns or licenses PI about an MA resident must have a comprehensive security program in place that includes ongoing employee training and maintenance of the system
PCI-DSS workforce training requirement
requires implementation of security awareness program to make all personnel aware of importance of cardholder data security
accountability of organization
org must hold themselves accountable for maintaining adequate privacy protections
International Association of Privacy Professionals (IAPP) defines accountability as implementation of appropriate technical and organizational measures to ensure, and be able to demonstrate, that handling of personal data is performed in accordance with relevant law
requires significant amount of documentation to demonstrate compliance (each compliance procedure is unique to organization)
privacy policy/ privacy notices
written document setting forth how company collects, stores, and uses PI it gathers
purposes:
- inform employees how info should be stored, accessed, and utilized
- set limits on how info may be used
- inform consumers about how data will be used
may be required by law to implement (ex. GLBA for financial institutions, and CalOPPA for companies collecting personally identifiable info)
vendor management
organization as data controller always remains liable for data misuse by vendors
ways to oversee 3rd party data vendors
1. vet vendor (look at reputation, finances, and security controls) and
2. vendor contract (usually required by law)
vendor contract provisions
- confidentiality- not share data with other parties
- security protections- specific controls must be put in place (ex. employee training, encryption, and reporting of breaches)
- audit rights- right to audit 3rd party security practices to ensure compliance
- no further use- no use for purposes other than specified
- subcontractor use- not appropriate to use at all or if used set forth requirements for subcontractor
- information sharing- what may be shared between principal and vendor and subcontractors
- breach notice- vendor required to provide immediate notification of breach
- consumer consent- vendor obligated to abide by consumer preferences and consents provided to principal organization
- end of relationship- what happens to data (delete or return)
- vendor incidents- protocol that should be followed when vendor incident and steps for response
cloud computing
provision of software and other info tech services over the internet
forms
1. software as a service (SaaS)
2. platform as a service (PaaS)
3. infrastructure as a service (IaaS)
there is public cloud (servers accessible by 3rd parties) and private cloud (only allows access to one org)
data residency
where servers that are storing data are physically located
increased regulation when located outside of where company typically conducts business
data transfers across state lines
transferring data across borders can result in an organization subjecting itself to additional laws and regulations
surprise minimization rule- consumer should be able to assume their info is subject to the protections afforded by their home jurisdiction’s laws regardless of where data is processed (no surprise)
international data transfers (EU to US)
GDPR contains most prominent and well known set of international data transfer rules
must have valid basis to transfer data
1. adequacy decisions
2. adoption of appropriate safeguards
3. derogations (exceptions such as explicit consent)
international data transfer basis- adequacy decision
determines that a third country’s data protection regulations are equivalent to or greater than those under GDPR
previous US privacy frameworks struck down under adequacy review
1. safe harbor program- struck down in Schrems I based on concerns over surveillance programs disclosed by Edward Snowden
2. privacy shield framework- struck down in Schrems II (2020)
current US framework = Trans-Atlantic Data Privacy Framework (2022)
1. adequacy decision is not final yet
international data transfer basis- appropriate safeguards
binding corporate rules (BCRs)
- set procedures and policies org voluntarily agrees to follow (form of fair info practices) to cover its internal handling of personal data
-no third party transfers!!!!!
standard contract clauses (SCCs)
- company contractually promises to comply with EU law and submit to jurisdiction of EU privacy supervisory agency
- Schrems II upheld the validity of SCCs but raised concerns about whether they are a permissible means to transfer data, since transfers under them must be prohibited if the third country’s legal protections do not meet the required standard
ad hoc contract clauses (disfavored)
- parties can draft own contract clauses when SCCs are not appropriate
codes of conduct/approved certification mechanism
- co-regulatory programs where org is required to undertake a binding and enforceable obligation to abide by a code of conduct