Missed Questions Flashcards
What legislation ended certain bulk collection practices of the US government for national security purposes?
The USA Freedom Act
What are the requirements regarding use of directory information under FERPA?
- a social security number may never be treated as directory information
- students (or parents) must be given the right to opt out before directory information is shared
- schools may determine their own list of what constitutes directory information
what organization created the K-12 School Service Provider Pledge to Safeguard Student Privacy?
Software & Information Industry Association (SIIA) in concert with the Future of Privacy Forum
pledgees agree not to undertake numerous activities and to undertake affirmative obligations aimed at protecting student privacy
a violation is enforced by the FTC as a deceptive trade practice
majority of state data breach notification laws include
requirement that notice to affected consumers be provided in writing
minority of state data breach notification laws include
- a materiality (risk of harm) requirement for determining when a breach has occurred
- specific requirements about what must be included in the notice to affected individuals
- inclusion of biometric data in the definition of personal information
type of security failure that is the primary cause of most data security incidents
human error
technical protection examples
computer code
electronic systems designed to limit access to authorized users and maintain the integrity of data against outside attack
administrative protection examples
policies designed to limit access to data to only those employees who need access to accomplish their assigned job functions
are non-profit entities subject to the FTC's jurisdiction under the FTC Act, COPPA, or both?
neither the FTC Act nor COPPA
COPPA- exempt from the definition of "operator"
FTC Act- specifically exempt under the FTC Act
HITECH made the following changes to HIPAA
- business associates became directly subject to HIPAA
- the term "limited data set" is defined
- the terms covered entity, business associate, and protected health information are codified
did not change the minimum necessary requirements
what feature of binding corporate rules separates them from the other international transfer mechanisms available under GDPR?
they only apply to international data transfers that occur within a corporate group, not to transfers to 3rd parties
Fair Information Practice of access is commonly considered to include
- ability to view information an organization collects
- ability to update or correct inaccurate info
what must a user of a consumer report do before re-selling a consumer report?
notify the CRA of
1. the identity of the end users of the report
2. each permissible purpose for which the end user will use the report
what are the benefits of data flow mapping
- mitigates risk associated with data processing
- facilitates identifying problems within an organization's data processing
- increases confidence in regulatory compliance
does not help limit the amount of data disclosed in the event of a data breach
GDPR individual rights
- data portability
- rectify data
- right to be forgotten
- consent
does not include a right to opt out of data selling
National Institute of Standards and Technology recommends that employees be provided data privacy and security training when any of the following occurs
- upon being hired (or promoted)
- as needed by the organization
- when changes are made to the information system or policies
not merely once annually
What article of the GDPR makes it illegitimate to transfer data to a 3rd country or to an international organization in the absence of a valid transfer mechanism?
article 44
what type of privacy protection model is overseen by multiple regulators
sectoral model
- select market segments are governed by different privacy laws
- no overarching regulatory regime applicable across the entire economy
standard order of privacy operational life cycle
assess (create processes to evaluate program)
protect (implement practices)
sustain (manage program)
respond (respond to failures)
when is the "no option" (no consent required) form of consent to be expected
product fulfillment
fraud prevention
internal operations
legal compliance
public purpose
1st party marketing
CA attorney general has authority to bring a civil action for violations of
- Consumer Financial Protection Act
- Fair Credit Reporting Act
- Red Flags Rule
not GLBA
GLBA privacy rule notice requirement
notice must be provided at the start of the customer relationship and annually thereafter
no requirement that the notice be posted online, but doing so is a best practice and may be required under state law (CalOPPA)
what law was enacted to facilitate, in certain cases, the compassionate sharing of information related to patients
21st Century Cures Act
- HHS must issue guidance on compassionate sharing of mental health and substance abuse information with family members and caregivers
CCPA: parental consent must be obtained before selling the PI of children under what age
under 13 years old
13-15- consent may be obtained directly from the child through an opt-in procedure
what unique characteristic makes a consent decree different from most other types of contracts?
a consent decree is approved by a court, which enters a judgment incorporating the parties' settlement agreement
what change to the VPPA was made by Congress in 2012
contemporaneous consent to each disclosure of personally identifiable information is no longer necessary; a one-time consent may be given that is valid for up to two years
social engineering refers to
manipulation of individuals so as to create security vulnerabilities
often used in concert with specific types of cyber attacks (e.g. phishing)
two primary goals served by implementing legal protections over personal information
compensation for those who have been wronged
creation of deterrence
what is thought of as the 3rd model of governmental privacy protection
co-regulatory model
combines aspects of the self-regulatory model and either the comprehensive or the sectoral model
industry develops and enforces appropriate standards, but that industry is then overseen by a government regulatory agency
Tennessee data breach notification law
amended the law in 2016 to remove the provision that exempted encrypted data from the notification requirements
the following year it provided that a breach of encrypted data only subjects a company to the law's notice requirements where the encryption key is also compromised
HIPAA privacy rule: individuals are not entitled to access
psychotherapy notes
information compiled in anticipation of litigation or regulatory action
what jurisdiction recently imposed on employers using automated tools to make employment decisions a requirement to conduct bias audits of any such tool?
New York City
the tool must be the subject of a bias audit conducted no more than 1 year prior to its use
bias audit- impartial evaluation by an independent auditor that includes an assessment of the tool's disparate impact on persons on the basis of sex, race, or ethnicity
pseudonymizing data
the process of transforming data so that it can no longer be attributed to a specific person without the use of additional information (which must be kept separately)
can be reversed so that the information can be re-identified with a specific person; contrast de-identified/anonymized data, which cannot
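The pseudonymization card above describes a technique, so here is an added worked example (not part of the original flashcards) showing what "additional information" means in practice: identifiers are replaced with keyed HMAC tokens, the mapping table is returned separately, analysis still works on the tokens, and re-identification fails without the table. The key value and the sample records are constructed for this example and are not real data.

```python
import hashlib
import hmac

# Constructed sample records for this example only; not real people.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "ssn": "000-00-0001", "dx": "asthma"},
    {"name": "Bob Example", "ssn": "000-00-0002", "dx": "migraine"},
    {"name": "Ada Example", "ssn": "000-00-0001", "dx": "allergy"},
]
IDENTIFIERS = ("name", "ssn")


def make_token(key, field, value):
    """Keyed, deterministic token for one identifier value.

    Same (field, value) always yields the same token, so records about one
    person stay linkable, but the token cannot be inverted and cannot be
    recomputed by anyone who does not hold `key`.
    """
    msg = f"{field}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key, fields=IDENTIFIERS):
    """Return (pseudonymized copies, mapping table).

    The mapping table is the 'additional information' that makes the data
    pseudonymous rather than anonymous; store it apart from the data.
    """
    mapping = {}
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            token = make_token(key, field, rec[field])
            mapping[(field, token)] = rec[field]
            copy[field] = token
        out.append(copy)
    return out, mapping


def reidentify(pseudo_records, mapping, fields=IDENTIFIERS):
    """Reverse the transformation. Raises KeyError if the mapping is absent,
    which is exactly the property the definition relies on."""
    out = []
    for rec in pseudo_records:
        copy = dict(rec)
        for field in fields:
            copy[field] = mapping[(field, rec[field])]
        out.append(copy)
    return out


def count_by_subject(pseudo_records, field="ssn"):
    """Per-subject analysis on pseudonymized data: linkability is preserved."""
    counts = {}
    for rec in pseudo_records:
        counts[rec[field]] = counts.get(rec[field], 0) + 1
    return counts


if __name__ == "__main__":
    # Hypothetical key, assumed to be held by the privacy office, not the analysts.
    key = b"hypothetical-key-held-by-privacy-office"
    pseudo, mapping = pseudonymize(SAMPLE_RECORDS, key)
    print(pseudo[0])                     # tokens in place of name and ssn
    print(count_by_subject(pseudo))      # two records for the same subject
    print(reidentify(pseudo, mapping) == SAMPLE_RECORDS)
```

The mapping table (or the key, which lets the holder recompute tokens) is what a breach notification analysis has to look at: losing the pseudonymized records alone is a very different event from losing them together with the table.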
what type of information may never be shared with a nonaffiliated 3rd party for marketing purposes under the GLBA privacy rule
customer account numbers and access codes
what entities have authority to enforce HIPAA
Department of HHS (Office for Civil Rights)
state attorneys general
Department of Justice (criminal violations)
not private individuals (no private right of action)
to whom the Protection of Pupil Rights Amendment of 1978 grants individual rights
parents of the student if the student is under 18
the student if the student is 18 or older or emancipated
medical examinations
ADA- a prospective employee may be required to submit to a medical examination only if
- all entering employees are subject to the same examination
- information about any medical condition is kept separate from other information and treated as a confidential medical record
- results of the examination are used only in accordance with the other provisions of the ADA
once employed, an exam or inquiry may be required only if it is job related and consistent with business necessity
Fair Credit Reporting Act mandates what type of consumer consent with respect to the use of consumer reports for firm offers of credit or insurance
opt-out consent (prescreening)
structured transaction under the Bank Secrecy Act
engaging in transactions (e.g. splitting deposits) in such a way as to avoid reporting requirements
what laws does the Department of Labor enforce
Fair Labor Standards Act
Employee Retirement Income Security Act (ERISA)
houses the Occupational Safety and Health Administration, which oversees the enforcement of workplace safety
who bears the burden of considering the impact that a 3rd country's laws will have on the use of standard contractual clauses
the controllers and processors that make use of the standard clauses
preemption: GLBA vs FCRA
there is no preemption under GLBA (states may impose stricter rules)
FCRA preempts state laws
exceptions for laws relating to identity theft and laws carved out by Congress
PRISM and upstream programs are authorized under which of the following
section 702 of the FISA Amendments Act of 2008
allows the attorney general and the director of national intelligence to jointly authorize, for a period of up to one year, the targeting of persons outside the US to acquire foreign intelligence information
SCCs after Schrems II
- supervisory authorities must prohibit use of SCCs if they are not and cannot be complied with in the 3rd country
- SCCs must ensure an essentially equivalent level of protection to that afforded under GDPR
- determining whether use of SCCs is valid requires consideration of the legal system of the 3rd country to which data will be transferred
what is the third form of litigation (besides civil and criminal)
administrative enforcement action
the CPPA is the 1st administrative agency dedicated solely to consumer privacy issues and was created by the CPRA
Global Privacy Enforcement Network
network that connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy
includes: FTC, FCC, and CA AG
data flow map
shows how information flows through an organization across the entire life cycle of that data
data classification scheme
classification system that provides the basis for managing access to and protection of data assets
privacy operational lifecycle may also be called (not APSR)
discover
build
communicate
evolve
accountability principle
an organization must take responsibility for protecting PI and using it in a manner that is both
- consistent with the law
- done in a manner that treats individuals equitably
the organization has ultimate responsibility for legal compliance (even when processing is outsourced)
EU cookie directive (ePrivacy Directive)
information stored in a cookie (an online identifier) can be personal data under GDPR
thus storing or accessing non-essential cookies requires user consent
GDPR- processing of children's data
prohibits processing the data of children under 16 in the absence of verifiable parental consent (member states may lower the age to 13)
CCPA- children
prohibits the sale of personal data of children under 16 without appropriate consent
layered privacy notice
privacy notice that includes a short notice at the top of the document setting forth the key points of a privacy disclosure, followed by an option for users to review a more detailed privacy notice
just-in-time notice
providing a privacy notice at the time the information is collected
may take the form of a layered notice
privacy dashboard
single point provided to consumers where they can view privacy information and make choices about how their data is processed
privacy icons
symbols used to indicate that an organization processes information in a particular manner (ex. AdChoices)
ad hoc contract clauses
specifically drafted clauses that must be approved by a supervisory authority prior to the transfer of data
disfavored
codes of conduct
co-regulatory programs in which an organization undertakes a binding and enforceable obligation to abide by that code of conduct
derogations
exceptions to the general prohibition on international transfer
relied on as a last resort
ex. explicit consent of the data subject
is there a private cause of action under the FTC act
no
In the Matter of GeoCities
1st privacy enforcement action taken by the FTC against a company based upon its web-based promises
In the Matter of Eli Lilly and Co.
1st enforcement action in which the FTC entered into a consent decree requiring a company to develop and maintain an information privacy and security program
FTC v. Wyndham Worldwide Corp.
upheld the FTC's unfairness authority to regulate cybersecurity
did not answer whether the FTC had section 5 authority over the particular cybersecurity practices at issue
LabMD Inc. v. FTC
the FTC's cease and desist order, based on LabMD's general negligent failure to act, was unenforceable because its prohibitions and directive to implement a reasonable security program were not specific enough
COPPA
NOCAP
no unfair or deceptive acts or practices in connection with the collection, use, or disclosure of PI of children under 13 years old
operators of commercial websites and online services that collect PI from visitors
need
NO- notice,
C- verifiable parental consent,
A- access,
P- procedures for confidentiality, security and integrity
safe harbor program- deemed in compliance with COPPA if the operator complies with the guidelines of an FTC-approved seal program (ex. CARU)
is there a private cause of action under COPPA
no
HIPAA
official DNAAA
covered entities (health plan/insurance, clearinghouse, provider) and business associates
protected health information (PHI) - does not apply to de-identified information
privacy rule
official- designate a privacy official
D- no disclosure unless a PEACES exception applies
N- privacy notices
A- access (designated record set)
A- amend
A- accounting of disclosures
security rule
- reasonable and appropriate minimum security standards
- required and addressable standards
HIPAA disclosure exceptions under the privacy rule
PEACES
P- patient
E- emergency (3rd party)
A- authorization (through an independent document in plain language)
C- court
E- enforcement (law)
S- secretary of HHS
disclosures for research etc. must be in the form of a limited data set; the privacy notice is given at the time of delivery or the time of enrollment/request
HIPAA safe harbor
if recognized security practices have been in place for 1+ year
- fines are lessened
- security audits may be terminated early
- other remedies are mitigated
HITECH
new data breach rules applicable to PHI
if there is a breach of unsecured (unencrypted) PHI- notify within 60 days of discovery
- affected individuals
- secretary of HHS (annually if fewer than 500 affected)
- media (500+ in a state or jurisdiction)
- covered entity (when the business associate is the source)
a breach is presumed unless the CE/BA can show
- low probability that PHI was compromised, by analyzing the nature and extent of the PHI / who the unauthorized person is / whether PHI was actually acquired or viewed / the extent to which risk was mitigated
GINA
overseen by HHS (Title I); Title II (employment) is enforced by the EEOC
genetic information is classified as protected health information under HIPAA
may not be used for
- underwriting purposes
- the basis of discrimination in insurance
insurers cannot request that genetic testing be done, except for voluntary testing in connection with research
GINA employer restrictions on use of genetic information
I PET FMLA
cannot request, use, disclose, or purchase genetic information unless
I- inadvertent
P- public (commercially and publicly available)
E- employee wellness program
T- toxin monitoring
FMLA- compliance with FMLA
21st Century Cures Act of 2016
compassionate sharing
- allows for compassionate sharing of mental health and substance abuse information under HIPAA
remote viewing
- allows remote viewing of PHI if it meets the HIPAA privacy and security rules
no information blocking
- prohibits information blocking, i.e. any practice likely to interfere with the use or exchange of electronic health information
no use of PHI from biomedical research in court
- exempt from the Freedom of Information Act
- certificate of confidentiality
confidentiality of substance use disorder patient records rule (42 CFR Part 2)
based on the Public Health Service Act
applies to
1. Part 2 programs that receive federal funding (alcohol/substance abuse treatment staff, unit, or entity)
2. 3rd parties that lawfully receive personally identifying information from Part 2 programs (even if not federally funded)
cannot
1. use patient information to initiate criminal charges or as a predicate to conduct a criminal investigation of the patient
2. disclose unless consent, certain entities, or certain crimes
must
1. implement a security program and disposal practices
2. notify patients of their rights (does not include a right to amend)
confidentiality of substance use disorder patient records rule: disclosure exceptions
- consent
- court order
- child abuse/neglect report
- crimes on program premises or against personnel
- research
- emergency
- VA
- audit/evaluation
Health Breach Notification Rule
applies to vendors of personal health records and related entities not subject to HIPAA
enforced by the FTC
enforced for the 1st time against GoodRx (2023)
notification of a breach within 60 days of discovery to
- individuals
- FTC
- media (500+)
FACTA
identity theft
protects against identity theft
- disposal rule
- must dispose of consumer report information in a reasonable manner to avoid unauthorized disclosure
- Red Flags Rule: identity theft program with a list of red flags for financial institutions and creditors to use to guard against identity theft
- right to a free annual credit report from the 3 national CRAs and right to an explanation of a credit score
- only the last 4 digits of a credit/debit card number may be printed on a receipt
does not preempt certain laws (CA and CO credit score laws, state laws on the frequency of free credit reports)
GLBA rulemaking
transferred to the CFPB after Dodd-Frank
GLBA- privacy rule
applies to
financial institutions (any company significantly engaged in financial activities), consumers (obtain financial products/services), customers (ongoing relationship with the FI)
an FI may not
1. disclose nonpublic PI unless it provides annual written notice of its privacy policies (safe harbor if it uses the model disclosure form)
2. disclose to a nonaffiliated 3rd party without providing an opt-out opportunity or obtaining consent
3. non-affiliates cannot reuse the information, and account numbers or access codes may never be disclosed to a non-affiliate for marketing purposes
GLBA- Safeguards Rule
must adopt an information security program with TAP (technical, administrative, physical) safeguards to protect customer information
appoint a qualified individual to oversee it
risk assessments
employee training
incident response plan
contract with service providers to adopt safeguards
GLBA enforcement parties include
bank regulators
FTC
CFPB
state laws that exempt financial institutions subject to GLBA
CCPA (California)
VCDPA (Virginia)
Connecticut (CTDPA)
CPA (Colorado)
CFPB
rulemaking authority under GLBA and FCRA
enforcement over all non-depository financial institutions and depository financial institutions with more than $10 billion in assets
may enforce against unfair, deceptive, or abusive acts or practices (UDAAP)
- more limited than FTC jurisdiction: applies only to consumer financial products or services
- abusive acts interfere with a consumer's understanding of how a financial product/service operates or take advantage of a lack of knowledge
FERPA
only educational institutions that receive federal funding
education records (includes health records held by the school)
the right is in the student if 18 or older (or attending a postsecondary institution) and in the parent if under 18
- access
- amend
- no disclosure unless consent, de-identified, or for an exception purpose
enforced by the DOE, which has authority to pull funding if compliance cannot be obtained
PPRA
prevents the sale of student information for commercial purposes
applies to federally funded elementary and secondary schools
the right belongs to parents but transfers to the student at 18
no survey, analysis, or evaluation for an education program that reveals sensitive information about a student without
- parental consent
- materials used being made available to the student/parent
- policies covering administration of the survey
- opt out of commercial sharing
enforced by the DOE
Carpenter v. US
historical cell-site location data requires a warrant
Stored Communications Act (SCA)
criminal violation to obtain, alter, or block access to stored communications without permission
the government may only obtain them from a cloud computing service if
- warrant (communication less than 180 days old)
- court order/subpoena + notice to the subscriber/customer (older communications)
CLOUD Act- 2018 amendment clarifying that the SCA applies extraterritorially
in what case did the Supreme Court hold that domestic surveillance of a US citizen for national security purposes is subject to the 4th Amendment warrant requirement
Keith case (US v. US District Court, 1972)
not clear whether this applies to foreign agents within the US
how did Congress respond to the Keith case
passed FISA
- FISA court screens government applications for surveillance orders relating to foreign activities in the US
(application must include minimization procedures, establish a significant purpose of obtaining foreign intelligence, and show probable cause that the person monitored is a foreign power or its agent)
FISA section 215
government can obtain a court order for the production of any tangible thing that would advance a foreign intelligence investigation
the person receiving the order is prohibited from disclosing it
FISA section 217
permits interception of computer trespassers with the permission of the owner or operator of the computer
FISA section 702
allows standing orders to surveil non-US persons outside the US
upstream and downstream (PRISM) collection are based on this authority
FTC regulates what in relation to employment
employee background screening (FCRA)
EEOC regulates what in relation to employment
employment discrimination
DOL regulates what in relation to employment
workplace benefits
OSHA regulates what in relation to employment
workplace safety (collective bargaining is the NLRB's domain)
SEC regulates what in relation to employment
executive compensation
Title VII of the Civil Rights Act of 1964
applies to employers with 15+ employees, employment agencies, labor unions, joint labor-management committees
no discrimination on the basis of race, color, religion, sex, or national origin
covers direct discrimination, motivating-factor discrimination, and indirect disparate impact
the plaintiff must file a charge with the EEOC before bringing a private cause of action
EPPA
prohibits employers and those working for them from conducting polygraph exams on employees or prospective employees
DOL has rulemaking and enforcement authority
private cause of action exists
ADA employer restrictions
an employer cannot
- ask a disabled applicant about the specific condition they suffer from
an employer can
- request that an individual submit to a drug test prior to employment
- ask a disabled applicant whether they can perform job-related tasks
- ask whether they can perform job-related tasks if accommodations are provided
what is the relationship between the Wiretap Act and the 4th Amendment
the Wiretap Act imposes obligations on law enforcement that are greater than those the 4th Amendment imposes on access to private communications
4th Amendment- floor on what access the government can have
Wiretap Act- provides greater protections than those set by the 4th Amendment
City of Ontario v. Quon
an employer's review of an employee's text messages on an employer-provided communication device was a reasonable search under federal law
HIPAA
the privacy rule applies to PHI in any form (including ePHI)
the security rule only applies to ePHI
if a company receives an adverse determination from the FTC following an administrative enforcement proceeding, to whom does the company appeal?
a federal court of appeals
(ALJ - 5-member Commission of the FTC - US court of appeals)
FTC enforcement of its orders is brought before a federal district court
before releasing a consumer report to a user that intends to use the report for employment purposes, the CRA must
obtain certification from the user that
1. it has obtained written permission from the consumer
2. it will comply with the statutory requirements if an adverse determination is made based on information in the report
3. the report will not be used in violation of EEO laws
what is not a requirement placed upon telecommunications carriers under the Telecommunications Act of 1996
they do not need to destroy CPNI when it is no longer necessary for the purpose for which it was obtained
a telecommunications carrier must design its system to permit access to communications that can be activated only upon what condition or occurrence?
CALEA
affirmative intervention of an officer or employee of the carrier
what law specifically and expressly protects individual privacy?
the California constitution
what is considered a source of privacy protection
market protections, legal protections, and self-regulatory protections
not administrative protections
a data inventory should include what types of data collected, stored, and processed by an organization
data obtained from external sources and data created internally
federal law prohibits discrimination on the basis of what
pregnancy
religion
prior bankruptcy filing
NOT marital status
standard by which the Department of the Treasury may impose record-keeping requirements under the Bank Secrecy Act
where the records would have a high degree of usefulness in a criminal, tax, or regulatory investigation or a national security matter