Missed Questions Flashcards

1
Q

What legislation ended certain bulk collection practices of the US government for national security purposes?

A

The USA Freedom Act

1
Q

What are requirements regarding use of directory information under FERPA?

A

social security number may never be considered directory information

students must be provided right to opt out before directory info is shared

schools can determine their own list of what constitutes directory information

2
Q

what organization created K-12 school service provider pledge to safeguard student privacy?

A

Software and Information Industry Association in concert with the Future of Privacy Forum

pledgees agree not to undertake numerous activities as well as undertake affirmative obligations aimed at protecting student privacy

violation is enforced as deceptive trade practice by FTC

3
Q

majority of state data breach notification laws include

A

requirement that notice to affected consumers be provided in writing

4
Q

minority of state data breach notification laws include

A
  1. materiality requirement for determining when breach occurs
  2. specific requirements about what must be included in notice to affected individuals
  3. inclusion of biometric data in definition of personal info
5
Q

type of security failure that is primary cause of most data security incidents

A

human error

6
Q

technical protection examples

A

computer code
electronic systems designed to limit access to authorized users and maintain integrity of data from outside attack

7
Q

administrative protections examples

A

policies designed to limit access to data to only employees who need access to accomplish their assigned job functions

8
Q

are non-profit entities subject to the FTC's jurisdiction under the FTC Act, COPPA, or both?

A

neither FTC act nor COPPA

COPPA- exempt from definition of operator
FTC- specifically exempt under FTC act

9
Q

HITECH made the following changes to HIPAA

A
  1. business associates directly subject to HIPAA
  2. term limited data set is defined
  3. term covered entity, business associate, and protected health information are codified

didn’t change minimum necessary requirements

10
Q

what feature of binding corporate rules separates it from other international transfer mechanisms available under GDPR

A

only apply to international data transfers that occur within an organization not transfers to 3rd parties

11
Q

Fair Information Practice of access is commonly considered to include

A
  1. ability to view information an organization collects
  2. ability to update or correct inaccurate info
12
Q

what must a user of a consumer report do before re-selling a consumer report?

A

notify CRA of
1. identity of end users of report
2. each permissible purpose to which the end user will be utilizing the report for

13
Q

what are benefits of data flow mapping

A
  1. mitigate risk associated with data processing
  2. facilitate identifying problems within an organization's data processing
  3. increase confidence in regulatory compliance

doesn’t help limit amount of data disclosed in event of data breach

14
Q

GDPR individual rights

A
  1. data portability
  2. rectify data
  3. right to be forgotten
  4. consent

doesn’t include right to opt out of data selling

15
Q

National Institute of Standards and Technology recommends that employees be provided data privacy and security training when all of the following occurs

A
  1. upon being hired (or promoted)
  2. as needed by the organization
  3. when changes are made to the information system or policies

not once annually

16
Q

What article in the GDPR makes it illegitimate to transfer data to a 3rd country or to an international organization in the absence of a valid transfer mechanism?

A

article 44

17
Q

what type of privacy protection model is overseen by multiple regulators

A

sectoral model
- select market segments are governed by different privacy laws
- no overarching regulatory regimen applicable across the entire economy

18
Q

standard order of privacy operational life cycle

A

assess (create processes to evaluate program)
protect (implement practices)
sustain (manage program)
respond (respond to failures)

19
Q

when is no option form of consent to be expected

A

product fulfillment
fraud prevention
internal operations
legal compliance
public purpose
1st party marketing

20
Q

CA attorney general has authority to bring civil action for violation in

A
  1. Consumer Financial Protection Act
  2. Fair Credit Reporting Act
  3. Red Flags Rule

not GLBA

21
Q

GLBA privacy rule notice requirement

A

notice must be provided at the start of customer relationship and annually thereafter

no requirement for notice to be online but doing so is a best practice and may be required under state law (CALOPPA)

22
Q

what law or regulation was enacted to facilitate in certain cases the compassionate sharing of info related to patients

A

21st Century Cures Act
- HHS must issue guidance on compassionate sharing of mental health and substance abuse info with family members and caregivers

23
Q

CCPA parental consent must be obtained before selling PI of children under what age

A

under 13 years old

13-15- may obtain consent directly from child through opt in procedure

24
Q

what unique characteristic makes a consent decree different than most other types of contracts?

A

a consent decree is approved by a court, which enters a judgment incorporating the parties' settlement agreement

25
Q

what change to the VPPA was made by congress in 2012

A

contemporaneous consent to disclosure of personally identifiable information is not necessary and a one time consent may be made that is valid for two years

26
Q

social engineering refers to

A

manipulation of individuals so as to create security vulnerabilities

often used in concert with specific types of cyber attacks

27
Q

two primary goals served by implementing legal protections over personal information

A

compensation to those who have been wronged
create deterrence

28
Q

what is thought of as the 3rd model of governmental privacy protection

A

co-regulatory model

combines aspects of self regulatory model and either comprehensive or sectoral model

industry will develop and enforce appropriate standards but that industry is then overseen by a government regulatory agency

29
Q

Tennessee data breach notification law

A

amended law in 2016 to remove provision that exempted encrypted data from notification requirements

following year it provided that a breach of encrypted data will only subject a company to the law's notice requirements where the encryption key is also compromised

30
Q

HIPAA privacy rule- records an individual is not entitled to access

A

psychotherapy notes
information compiled in anticipation of litigation or regulatory action

31
Q

what jurisdiction recently imposed a requirement on employers utilizing automated tools to make employment decisions the requirement to conduct bias audits related to the use of any such tool?

A

New York city

must be subject of bias audit conducted no more than 1 year prior to use of tool

bias audit- impartial evaluation by an independent auditor that includes an assessment of the tool's disparate impact on persons on the basis of sex, race, or ethnicity

32
Q

pseudonymizing data

A

process of transforming data so that it can no longer be attributed to a specific person without the use of additional information

can be reversed so that info can be reidentified with specific person

33
Q

what type of information may never be shared with nonaffiliated 3rd party for marketing purposes under GLBA privacy rule

A

customer account number and access codes

34
Q

what entities have authority to enforce HIPAA

A

department of HHS
state attorneys general
department of justice

not private individuals

35
Q

to whom does the Protection of Pupil Rights Amendment act of 198 grant individual rights

A

parents of student if student is under 18

student if student is over 18 or emancipated

36
Q

medical examinations

A

ADA- prospective employee may be required to submit to medical examination if
- all entering employees are subject to same examination
- info about any med condition is kept separate from other info and treated as confidential med record
- results of test are used only in accordance with the other provisions of ADA

MAY NEVER BE USED UNLESS EXAM OR INQUIRY IS JOB RELATED AND CONSISTENT WITH BUSINESS NECESSITY

37
Q

Fair Credit Reporting Act mandates what type of consumer consent with respect to the use of firm offers of credit or insurance

A

opt out consent

38
Q

structured transaction under the Bank Secrecy Act

A

engaging in transactions in such a way as to avoid reporting requirements

39
Q

what law does the department of labor enforce

A

fair labor standards act
employment retirement security act

houses occupational safety and health administration which oversees the enforcement of workplace safety

40
Q

who bears the burden of considering the impact that a 3rd country’s laws will have on the use of standard contract clauses

A

controllers and processors that make use of the standard clauses

41
Q

preemption GLBA vs FCRA

A

there is no preemption under GLBA

FCRA preempts state laws
exception for laws relating to identity theft and laws carved out by congress

42
Q

Prism and upstream programs are authorized under which of the following

A

section 702 of the FISA Amendments Act of 2008

allows attorney general and director of national intelligence to jointly authorize for period of up to one year the targeting of persons outside the US to acquire foreign intelligence information

43
Q

SCCs- Schrems II

A
  1. supervisory authorities must prohibit use of SCC if they are not and cannot be complied with in 3rd country
  2. SCC must ensure essentially equivalent level of protection as that afforded under GDPR
  3. determining whether the use of SCC is valid requires consideration of the legal system of the 3rd country where data will be transferred
44
Q

what is the third form of litigation

A

administrative enforcement action

CPPA is 1st administrative agency dedicated solely to consumer privacy issues and is created by CPRA

45
Q

global privacy enforcement network

A

network that connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy

includes: FTC, FCC, and CA AG

46
Q

data flow map

A

how info flows through organization across the entire life cycle of that data

47
Q

data classification scheme

A

classification system that provides the basis for managing access to and protection of data assets

48
Q

privacy operational lifecycle may also be called (not APSR)

A

discover
build
communicate
evolve

49
Q

accountability principle

A

organization must take responsibility for protecting PI and using it in a manner that is both
- consistent with the law
- done in manner that treats individual equitably

organization has ultimate responsibility for legal compliance

50
Q

EU cookie directive

A

info stored in cookie is considered PI under GDPR
thus it requires user consent

51
Q

GDPR- processing of children data

A

prohibits processing data of children under 16 in absence of verifiable parental consent

52
Q

CCPA- children

A

prohibits sale of personal data of children under 16 without appropriate consent

53
Q

layered privacy notice

A

privacy notice that includes short notice at top of document that sets forth key points of a privacy disclosure followed by an option for users to review a more detailed privacy notice

54
Q

just in time notice

A

providing privacy notice at the time that information is collected

may take form of layered notice

55
Q

privacy dashboard

A

single point provided to consumers where they can view privacy information and make choices about how their data is processed

56
Q

privacy icons

A

symbols used to indicate that an organization processes info in a particular manner (ex. adchoices)

57
Q

ad hoc contract clauses

A

specifically drafted clauses that must be approved prior to transfer of data

disfavored

58
Q

codes of conduct

A

co regulatory programs in which an organization undertakes a binding and enforceable obligation to abide by that code of conduct

59
Q

derogations

A

exceptions to general prohibition on international transfer

relied on as last resort

ex. explicit consent of data subject

60
Q

is there a private cause of action under the FTC act

A

no

61
Q

in the matter of geocities

A

1st privacy enforcement action taken by FTC against company based upon its web based promises

62
Q

in the matter of Eli Lilly and co

A

1st enforcement action in which the FTC entered into a consent decree requiring a company to develop and maintain an information privacy and security program

63
Q

FTC v Wyndham worldwide corp

A

upheld FTC unfairness authority to regulate cybersecurity

didn’t answer whether FTC had section 5 authority over cyber security practices

64
Q

LabMD Inc v FTC

A

FTC cease and desist order based upon LabMD's general negligent failure to act was unenforceable because the prohibitions and directive to implement a reasonable security program were not specific enough

65
Q

COPPA
NOCAP

A

no unfair or deceptive acts or practices in connection with collection use or disclosure of PI of children 13 years old and under

operators of commercial websites that collect PI of visitors

need
NO- notice,
C- verifiable parental consent,
A- access,
P- procedures for confidentiality, security and integrity

safe harbor program- deemed in compliance with COPPA if operator complies with guidelines of participating seal program (Ex. ADchoice)

66
Q

is there a private cause of action under COPPA

A

no

67
Q

HIPAA

official DNAAA

A

covered entity(health plan/insurance, clearing house/storage, provider) and business associates

electronic protected health information - doesn’t apply to de-identified information

privacy rule
official- designate privacy official
D- no disclosure unless PEACES exception
N- privacy notices
A- access (designated record set)
A -amend
A- accounting

security rule
- reasonable and appropriate minimum security standards
- required and addressable standards

68
Q

HIPAA disclosure exceptions under privacy rule

PEACES

A

P- patient
E-emergency (3rd party)
A- authorization (through independent doc in plain language)
C-court
E-enforcement (law)
S- secretary of HHS

must be in form of limited data set and made at time of delivery or time of enrollment/request

69
Q

HIPAA safe harbor

A

if recognized security practices have been in place for 1+ year
- fines are lessened
- security audits may be terminated early
- other remedies mitigated

70
Q

HITECH

A

new data breach rules applicable to PHI

if data breach of unencrypted PHI- notify within 60 days of discovery
- affected individuals
-secretary of HHS(annually)
- media (500+)
-covered entity (business associate is source)

breach is presumed unless CE/BA can show
- low probability PHI compromised by analyzing nature and extent/ who unauthorized person is/ whether PHI was actually acquired/ mitigation of risk

71
Q

GINA

A

overseen by HHS

except Title II

genetic info classified as protected health info under HIPAA

not used for
- underwriting purposes
- basis of discrimination in insurance

can’t request genetic testing be done except for voluntary testing in connection with research

72
Q

GINA employer restriction of genetic info use

I PET FMLA

A

can't request, use, disclose, or purchase GI unless
I- inadvertent
P-public
E-employee wellness program
T-toxin monitoring
FMLA- compliance with FMLA

73
Q

21st Century Cures Act of 2016

A

compassionate sharing
- allows for compassionate sharing of info of mental health and substance abuse under HIPAA

remote viewing
- allows remote viewing of PHI if meet HIPAA privacy and safety rules

no info blocking
- no practice of info blocking which is any practice likely to interfere with the use or exchange of electronic health info

no PHI in biomedical research used in court
- exempt from Freedom of Info Act
- certificate of confidentiality

74
Q

confidentiality of substance use disorder patient records rule

A

based on public health services act

applies to
1. part 2 programs that receive federal funding (alcohol/sub abuse treatment staff, unit, or entity)
2. 3rd parties that lawfully receive personally identifying info from part 2 programs (even if not federally funded)

can’t
1. use patient info to initiate criminal charges or as predicate to conduct criminal investigation of patient
2. disclose unless consent, certain entities, certain crimes

must
1. implement security program + disposal practices
2. notify patients of rights (doesn’t include right to amend)

75
Q

confidentiality of substance use disorder patient records rule disclosure exceptions

A
  1. consent
  2. court order
  3. child abuse neglect report
  4. crimes on program premises/against personnel
  5. research
  6. emergency
  7. VA
  8. audit/evaluation

76
Q

Health Breach notification rule

A

applies to entities not subject to HIPAA

enforced by FTC

enforced for 1st time against GoodRx

notification of breach within 60 days of discovery to
- individual
- FTC
- media (500+)

77
Q

FACTA
identity theft

A

protects against identity theft

  1. disposal rule
    - must dispose consumer report in reasonable manner to avoid unauthorized disclosure
  2. identity theft program with list of red flags for FI and creditors to use to guard against identity theft
  3. right to free annual credit report from 3 national CRAs and right to explanation of credit score
  4. only last 4 # of credit/debit on receipt

doesn’t preempt certain laws (CA and CO credit score laws, frequency of free credit reporting)

78
Q

GLBA rulemaking

A

transferred to CFPB after Dodd Frank

79
Q

GLBA- privacy rule

A

applies to
- financial institutions (any company significantly engaged in financial activities)
- consumers (obtain financial products/services)
- customers (ongoing relationship with FI)

FI may not
  1. disclose nonpublic PI unless annual written notice of its privacy policies (safe harbor if use model disclosure form)
  2. disclose to nonaffiliated 3rd party without providing opt out opportunity or consent
  3. non affiliates can't reuse info or disclose account # or access code to non-affiliate for marketing purposes

80
Q

GLBA- safeguard

A

must adopt info security program with TAP safeguards to protect customer info

appoint qualified individual to oversee

risk assessments

employee training

incident response plan

contract with service provider to adopt safeguards

81
Q

GLBA enforcement parties include

A

bank regulators
FTC
CFPB

82
Q

state laws that exempt financial institutions from GLBA regulation

A

CCPA california

VCDPA

Connecticut

CPA

83
Q

CFPB

A

rule making authority under GLBA and FCRA

enforcement over all non-depository financial institutions and depository financial institutions with more than 10 billion in assets

may enforce against unfair deceptive or abusive acts or practices
- more limited than FTC jurisdiction: applies only to consumer financial products or services
- abusive acts interfere with consumers understanding of how a financial product/service operates or takes advantage of lack of knowledge

84
Q

FERPA

A

only education institutions that receive federal funding

education records (includes health records)

right is in student if over 18 and parent if under 18
- access
- amend
- no disclosure unless consent or deidentified or for exception purpose

enforced by DOE who has authority to pull funding if compliance can’t be obtained

85
Q

PPRA

A

prevent sale of student info for commercial purposes

applies to federally funded elementary and secondary schools

right is for parents but transfers to student upon 18

no survey, analysis, or evaluation for education program that reveals sensitive info about student without
- parental consent
- materials used provided to student/parent
- policies covering administration of survey
- opt out of commercial sharing

enforced by DOE

86
Q

Carpenter v US

A

cellphone location data required a warrant

87
Q

electronic stored communications act

A

criminal violation to obtain alter or block access to stored communications without permission

government may only access communications held by a cloud computing service if
- warrant (communication less than 180 days old)
- court order/subpoena + notice to subscriber/customer

CLOUD act- 2018 amendment clarifying that SCA applies extraterritorially

88
Q

what case did the Supreme Court hold domestic surveillance of US citizen for national security purpose is subject to 4th amendment warrant requirement

A

Keith case

not clear whether this applies to foreign agents within the US

89
Q

how did congress respond to Keith case

A

passed FISA
- screens gov applications for surveillance orders for foreign activities in the US
(application must include minimization procedures, establish significant purpose to obtain foreign intelligence, and probable cause person monitored is foreign power)

90
Q

215 FISA

A

Gov can obtain court order for production of any tangible thing that would advance foreign intelligence investigation

person receiving order is prohibited from disclosure

91
Q

217 FISA

A

permits interception of computer trespassers with permission of owner or operator of computer

92
Q

702 FISA

A

allows standing orders to surveil non US persons outside US

upstream and downstream collection are based on this authority

93
Q

FTC regulates what in relation to employment

A

employee background screening

94
Q

EEOC regulates what in relation to employment

A

employment discrimination

95
Q

DOL regulates what in connection to employment

A

workplace benefits

96
Q

OSHA regulates what in relation to employment

A

collective bargaining

97
Q

SEC regulates what in relation to employment

A

executive compensation

98
Q

title VII of civil rights act of 1964

A

applies to employers with 15+ employees, employment agencies, labor unions, joint labor management committees

no discrimination on basis of race, color, religion, sex or national origin

no direct, motivating factor, indirect disparate impacts

P must file charge with EEOC before bringing private cause of action

99
Q

EPPA

A

prohibits employers and those working for them from conducting polygraph exams on employees or prospective employees

DOL has rulemaking and enforcement authority
private cause of action

100
Q

ADA employer restrictions

A

employer can’t
- ask disabled person about specific condition he suffers from

employer can
- request individual submit to drug test prior to employment
- ask disabled whether they can perform job related tasks
- ask whether they can perform job related tasks if accommodations are provided

101
Q

what is the relationship between the wiretap act and 4th amendment

A

the wiretap act imposes obligations on law enforcement that are greater than those the 4th amendment imposes on access to private communications

4th amendment- floor of what access gov can have
wiretap act- provides greater protections than those set by 4th amendment

102
Q

Ontario v Quon

A

employer has authority under federal law to look at employees text messages when employer provided communication device

103
Q

HIPAA

A

privacy rule applies to both PHI and ePHI

security rule only applies to ePHI

104
Q

if a company receives an adverse determination from the FTC following an administrative enforcement proceeding, to whom does the company appeal?

A

federal circuit court of appeal

(ALJ, then the 5-member FTC commission, then the US circuit court of appeals)

enforcement by FTC of orders is brought before federal district court

105
Q

before releasing CR to user that intends to use report for employment CRA must

A

obtain certification from user that
1. it has obtained written permission from customer
2. it will comply with statutory requirements if adverse determination is made based on info in CR
3. CR will not be used in violation of EEO laws

106
Q

what is not a requirement placed upon telecommunication carriers under the telecommunications act of 1996

A

they do not need to destroy CPNI when it is no longer necessary for the purpose for which it was obtained

107
Q

telecommunications carrier must design its system to permit access to communications that can be activated on what condition or occurrence?

A

CALEA

affirmative intervention of officer or employee of carrier

108
Q

what law specifically and expressly protects individual privacy?

A

california constitution

109
Q

what is considered a privacy protection source

A

Market protections, legal protections and self regulatory protections

not administrative protections

110
Q

data inventory should include what type of data that is collected stored and processed by an organization

A

data obtained from both external sources and data created internally

111
Q

federal law prohibits discrimination on the basis of what

A

pregnancy
religion
prior bankruptcy filing

NOT marital status

112
Q

standard by which department of treasury may impose record keeping requirements under the bank secrecy act

A

where records would have a high degree of usefulness in criminal or national security investigation