Module 1: Introduction to Privacy Flashcards
What are the 4 Fair Information Practices (FIP)
1) Rights of individuals: Notice, choice and consent, data subject access
2) Controls on the information: Information security, information quality
3) Information life cycle: Collection, use and retention, disclosure, destruction
4) Management: Management and administration, monitoring, and enforcement
Name 5 major components of milestone legislations re: FIPs
1) US Department of Health, Education and Welfare (HEW) FIPs (1973): a response to concerns about secret government dossiers on citizens; led directly to the Privacy Act of 1974.
2) OECD guidelines (1980): created as a set of guidelines across economies (The Organisation for Economic Co-operation and Development)
3) Council of Europe Convention (1981): the first legally binding international data protection convention
4) APEC Privacy Framework (2004): Non-binding data protection guidelines for Asia-Pacific countries.
5) Madrid Resolution (2009): international standards on privacy and personal data protection, adopted by data protection authorities from around the world at the International Conference of Data Protection and Privacy Commissioners.
Name 4 types of information
1) Personal Information includes name, gender, address, etc.
2) Sensitive information is personal information whose exposure carries a higher risk of harm (e.g. SSN, medical records, financial account numbers).
3) Non-personal information is anonymized data and aggregated data.
4) Pseudonymized data replaces direct identifiers with pseudonyms (artificial identifiers). The data can still be attributed to a person by whoever holds the key or mapping table, so it remains personal information under GDPR.
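The following is an added example, not part of the original flashcards, showing what pseudonymization looks like in practice and why an unkeyed hash of a low-entropy identifier such as an SSN is not a pseudonym. The customer records, the demo key, the SSN prefix and all function names are constructed for illustration.

```python
"""Keyed pseudonymization of personal identifiers (added example).

The customer records, the demo key and the SSN prefix below are constructed
for illustration only.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo key. Real deployments generate one with new_key() and keep
# it with the controller, separate from the pseudonymized data set.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymization key."""
    return secrets.token_bytes(32)


def normalize(identifier: str) -> str:
    """Canonical form so one person always maps to one pseudonym."""
    return identifier.strip().lower()


def pseudonymize(identifier: str, key: bytes, purpose: str = "analytics") -> str:
    """HMAC-SHA256 of the normalized identifier under a secret key.

    Binding `purpose` into the message gives per-purpose pseudonyms: tokens
    issued for analytics cannot be joined with tokens issued for marketing
    unless both the key and the purpose match.
    """
    msg = purpose.encode() + b"\x00" + normalize(identifier).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_lookup(identifiers, key: bytes, purpose: str = "analytics") -> dict:
    """Re-identification table (pseudonym -> identifier).

    Only the controller holds this; the pseudonymized data set ships without
    it, which is what makes the data pseudonymized rather than anonymized.
    """
    return {pseudonymize(i, key, purpose): normalize(i) for i in identifiers}


def re_identify(pseudonym: str, lookup: dict) -> Optional[str]:
    """Reverse a pseudonym, or None if it is not in the table."""
    return lookup.get(pseudonym)


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256: what pseudonymization is often (wrongly) implemented as."""
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()


def brute_force_ssn(digest: str, area_group: str = "123-45-") -> Optional[str]:
    """Recover an SSN from its unkeyed hash by enumeration.

    The whole SSN space is under 10^9 values, trivial to hash; the search is
    restricted to one area/group prefix so the demo runs in milliseconds.
    Against HMAC under a secret key this attack fails, because the attacker
    cannot compute candidate digests.
    """
    for serial in range(10_000):
        candidate = f"{area_group}{serial:04d}"
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample records.
    emails = ["Alice@Example.com ", "bob@example.com"]
    table = build_lookup(emails, DEMO_KEY)
    token = pseudonymize("alice@example.com", DEMO_KEY)
    print("pseudonym:", token)
    print("re-identified by controller:", re_identify(token, table))
    print("SSN recovered from unkeyed hash:",
          brute_force_ssn(unkeyed_hash("123-45-6789")))
```

The design point is the separation: the pseudonymized data set can be handed to an analytics team or processor, while the key and the lookup table stay with the controller. Drop the key and the table and the same data becomes effectively anonymized, which is the boundary the "non-personal information" card above draws.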
Name 3 sources of personal information
1) Public records: information that government agencies publish for public consumption
2) Publicly available information: newspapers, phonebooks, etc.
3) Nonpublic information: information we want protected from public disclosure
Name 4 data protection roles
1) Data Subject: Who the information is about
2) Data Controller: determines the purposes and means of processing (what is collected, why, and how it is used).
3) Data Processor: Processes data on behalf of the controller.
4) Regulator or data protection authority (DPA)
Name 4 sources of privacy protection
1) Markets: they want to create trust in their services, so they make sure they build in privacy controls.
2) Technology
3) Law: a good privacy law benefits us all, but quickly written laws only cause confusion
4) Self-regulation: 2 types, self-regulatory and co-regulatory (laws + industry regulating itself). Establishes enforceable codes. Three components:
Legislation: who writes the rules
Adjudication: who decides whether the rules have been broken
Enforcement: who penalizes non-compliance
Name 4 types of privacy protection models
1) Few or no general laws (e.g. Cuba)
2) Co-regulatory: enforceable by industry body OR government (e.g. Australia). COPPA is an example of this – the government can enforce but lets industry-specific bodies do work too.
3) Sectoral: Industry-specific laws (e.g. U.S.)
4) Comprehensive: Omnibus laws (e.g. EU)
Name the 3 branches of government
1) Executive: enforces laws
2) Legislative: makes laws
3) Judicial: interprets laws
Name 8 sources of US law.
1) Constitutions
2) Legislation
3) Regulations and rules
4) Contract law
5) Case law
6) Common law
7) Consent decree
8) Tort law
What 3 things must be necessary for a contract to be binding?
1) Offer
2) Acceptance
3) Consideration
What is consideration in contract law?
Each party must change its position. Usually one of two things: 1) a promise to do something one is not legally obligated to do; 2) a promise not to do something one has the right to do.
What is common law?
Used synonymously with case law in the US. A system in which courts set binding precedent through their decisions, as opposed to civil-law systems where courts apply codified statutes. Legal precedent and social custom shape the law.
What is a consent decree?
An agreement or settlement that resolves a dispute without an admission of guilt or liability. It describes actions the defendant will take and has the same effect as a court decision. Often used by the SEC and FTC because it avoids the cost and uncertainty of litigation for both sides.
What are torts?
Civil wrongs recognized by law as having the grounds for lawsuits. Provides relief and deters others from committing the same wrongs
What are the three general tort categories?
Intentional: defendant knew or should have known action would cause harm
Negligent: defendant’s actions were unreasonably unsafe
Strict liability: defendant has legal responsibility for damages even if not negligent or at fault.
What is a person (in legal terms)?
Any entity with legal rights. Can be a human being or corporation.
What are the two types of legal authority?
General: blanket authority to regulate a field of activity
Specific: Targeted at singular activities outlined by legislation
Does CAN-SPAM preempt state laws?
Yes
What are the 3 data subject rights?
1) Notice: What’s collected and why. Generally a Privacy Policy
2) Choice: opt-in or opt-out
3) Access: view personal information held by an org
Name 6 federal agencies that regulate privacy
1) FTC
2) Federal banking agencies such as the CFPB, Federal Reserve Board, or Office of the Comptroller of the Currency
3) FCC
4) DOT
5) HHS (through Office of Civil Rights)
6) Department of Commerce
Who regulates privacy at the state level?
State attorneys general. California additionally has a dedicated regulator, the California Privacy Protection Agency (CPPA).
Name the three conditions that can trigger GDPR application
1) Processing of personal data when a controller or processor is established in EU
2) Processing of personal data of EU subjects relating to offering goods or services or monitoring behavior
3) Processing of personal data by a controller not established in the EU but in a place where member state law applies
Name 2 ways to transfer data from GDPR areas to the US aside from adequacy decisions
1) Binding Corporate Rules (BCRs): multinational company can transfer data between countries after certification of their practices by an EU privacy supervisory agency
2) Standard Contractual Clauses (SCCs): A company contractually promises to comply with EU law and submit to the supervision of an EU privacy supervisory agency
Name 4 accountability requirements GDPR controllers have that processors don’t
1) Privacy by design
2) Privacy by default
3) Data Protection Impact Assessments (DPIAs)
4) Data breach reporting (to data subject; processor must notify controller)
When is a DPO required under GDPR?
When the core activities are:
• Processing activities that require “regular and systematic monitoring” of data subjects on a “large scale”
• Processing sensitive data (or personal data relating to criminal convictions/offences) on a “large scale”
• Processing by public bodies, other than courts acting in judicial capacity
Name 6 responsibilities of a DPO under GDPR
- To monitor compliance with the GDPR
- Advise controller and processors
- Manage risk
- Cooperate with supervisory authorities
- Communicate with data subjects and supervisory authorities
- Exercise professional secrecy
Who must a Processor notify when there is a data breach under GDPR?
The Controller
Who must a Controller inform when there is a data breach under GDPR?
1) The supervisory authority
2) The data subject
What is an adequacy decision?
A finding by the European Commission that a third country, territory, specific sector in a third country or an international organization offers levels of data protection that are essentially equivalent to that within the EU.
What are the 3 triggers for CCPA?
Any for-profit entity doing business in California that either:
1) Does more than $25 million USD in annual revenue
2) Holds PI of 50k+ consumers, households or devices
3) Makes at least half of its revenue from sale of PI
Who is protected under CCPA?
“Consumers:” aka “natural person who is a California resident.” Those who are in the state for other than temporary/transitory purpose, or those domiciled in the State but outside of the State for a temporary/transitory purpose.
Name 3 consumer rights under CCPA:
1) Request records
2) Right to erasure (with some exceptions)
3) Opt-out of sale
Name 8 obligations for businesses under the scope of CCPA
1) Provide certain disclosure to consumers
2) Provide at least two methods for receiving consumer requests e.g. (toll-free number [not needed if only e-commerce], link on website)
3) Have a verification process
4) Provide the information free of charge, within 45 days and in a portable format
5) Disclose to consumers the categories of third parties to whom the business sells PI
6) Include a “Do Not Sell My Personal Information” button on website
7) Do not “discriminate against a consumer”
8) Train employees on consumer rights pursuant to the law
What are the fees for violating CCPA (enforced by AG)?
Up to $2,500 per violation not cured within the 30-day cure period
Up to $7,500 per intentional violation
What are fees for violating CCPA (private right of action)
Consumers can sue for statutory damages of $100-750 per consumer per incident, or actual damages if greater.
Name 6 categories of legal liability
1) Negligence
2) Breach of warranty (failure of seller to fulfill promise, claim or representation)
3) Misrepresentation (false security about safety of a product or service)
4) Defamation (written = libel, oral = slander)
5) Strict tort liability (imposition of liability on a party without a finding of fault, such as negligence or tortious intent)
6) Statutory action (enacted by statute)
Describe the FTC/GeoCities consent decree
In 1998, the FTC alleged that GeoCities misrepresented how it would use the personal information it collected at registration: it said the data was used only to provide the services members requested, but it disclosed the data to third parties for targeted advertising. GeoCities agreed to post a clear privacy notice and to obtain parental consent before collecting information from children 12 and under.
What two remedies can the FTC seek through federal courts?
Injunctions and civil penalties
What law/section section gives broad powers to the FTC to protect consumer from deceptive acts and practices?
Section 5 of the FTC Act of 1914 (15 U.S.C. § 45), which prohibits “unfair or deceptive acts or practices in or affecting commerce.”
What is the FTC division for investigating privacy cases?
Division of Privacy and Identity Protection, or DPIP
Describe the FTC/Snapchat consent decree
In 2014, the FTC alleged that Snapchat misrepresented that messages “disappear” (recipients could save them), that its “Find Friends” feature collected users’ contacts without adequate disclosure, and that weak security allowed attackers to compile a database of millions of usernames and phone numbers. Under the consent order Snapchat agreed not to misrepresent its privacy or security practices and to maintain a privacy program with independent assessments for 20 years.
Describe the FTC/LifeLock consent decree
In 2010, the FTC alleged LifeLock failed to encrypt customer data or restrict access to it, putting data at risk, and made deceptive claims about its identity-theft protection. LifeLock paid fines, agreed to maintain a comprehensive security program with independent assessments every two years, and agreed to cease deceptive advertising (the order runs for 20 years). In 2015, the FTC filed a contempt action for violating the order, and a court ordered LifeLock to pay millions in consumer redress plus penalties to state AGs and the federal government.
Describe the FTC/Wyndham administrative action
The FTC alleged Wyndham failed to protect sensitive customer data after repeated breaches. Wyndham did not settle and challenged the FTC’s authority over data security; the courts (Third Circuit, 2015) found in favor of the FTC, and Wyndham then entered a consent order.
How does the DOT enforce privacy laws?
Responsible for transportation companies under its jurisdiction (airlines, etc.), and formerly for enforcing those companies’ Privacy Shield commitments (Privacy Shield was invalidated by the CJEU in Schrems II, 2020). The Federal Aviation Administration (FAA) regulates drones; the National Highway Traffic Safety Administration (NHTSA) regulates internet-connected cars.
What role does the Department of Commerce play in privacy law?
Plays a role in federal privacy policy development (through NTIA) and administered the EU-US Privacy Shield; after Privacy Shield was invalidated in 2020 it took on the successor EU-US Data Privacy Framework (2023).
What does the Office of Management and Budget do re: privacy?
Lead agency for interpreting Privacy Act of 1974, issues guidance to agencies and their contractors
What is the Privacy Act of 1974?
Establishes FIPs for federal agencies and their contractors
What does the IRS do re: privacy?
Subject to privacy rules concerning tax records
What does the DHS do re: privacy?
Runs the E-Verify program, rules for air traveler records (through TSA), immigration and other border issues (ICE)
What does the Office of Civil Rights (HHS) do re: privacy?
Plays the lead role in enforcing HIPAA (investigates complaints, conducts compliance reviews of covered entities, education and outreach) and refers criminal HIPAA violations to the DOJ.
What were privacy priorities of the FTC in the late 90s?
Providing notice of privacy policies, allowing choice over how data is shared, and taking enforcement action against entities that lied in or did not comply with their own privacy notices
What were the privacy priorities of the FTC from 2001-2009?
Emphasized “injury” under the FTC unfairness authority. E.g. 2004 Gateway/Hooked on Phonics (rented customer information it promised to keep private), 2005 BJ’s Wholesale (security flaws allowed unauthorized access and identity theft)
What were the privacy priorities of the FTC in 2009+?
Developing privacy program requirements (e.g. what are FIPs for orgs), reaching beyond tangible financial harm
What were the privacy priorities of the FTC in 2012+?
White House Report “Consumer Privacy Bill of Rights,” emphasizing privacy by design and simplified consumer choice and control.
What were the FTC’s principles in the 2015 Privacy and Security Update?
- Know what data you have and who has a legitimate right or need to access it
- Limit data retained based on legitimate need
- Implement safeguards to protect data
- Dispose of data when no longer needed
- Have a plan for responding to security incidents
What are 4 categories of risk an organization should balance when using personal information?
1) Legal risks
2) Reputational risks
3) Operational risks (efficiency, etc.)
4) Investment risks
What type of privacy/data accountability considerations should an organization consider? Name 7.
1) Length of storage
2) Sensitivity
3) Encryption
4) International data transfer laws
5) Who determines rules?
6) Processes
7) Dependence on other systems
What steps should a company take when developing privacy policies?
1) Discover (define the privacy program)
2) Build
3) Communicate
4) Evolve
What steps should an org take to manage incidents (e.g. security breaches, cyberattacks)?
1) Preparation (prepare users and IT staff to handle potential incidents)
2) Identification
3) Containment
4) Eradication (removing root cause of incident)
5) Recovery (permit systems back into the environment)
6) Lessons learned
Name 4 examples of US laws/guidelines with Opt-In preferences?
COPPA
HIPAA
Fair Credit Reporting Act (FCRA)
Some email marketing
Name 4 examples of US laws/guidelines with Opt-Out preferences?
Gramm-Leach-Bliley Act (GLBA)
CAN-Spam
Do Not Call Rules
CCPA “Do Not Sell” provision
What amendment gives power to the states to make law?
10th: “[t]he powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.”
Does FCRA/FACTA preempt state law?
Yes, but states retain right to enact identity theft laws
Does HIPAA preempt state laws?
No; more stringent state laws still apply (HIPAA sets a floor).
Does GLBA preempt state laws?
No
What does HIPAA stand for?
Health Insurance Portability and Accountability Act of 1996.
What was the original purpose of HIPAA?
Improve efficiency of the healthcare system (standardizing electronic transactions); the privacy and security rules followed.
What are covered entities under HIPAA?
Health care providers, health plans (insurers) and health care clearinghouses (which convert billing into standard codes). Business associates that handle PHI on a covered entity’s behalf are not covered entities but, since HITECH, are directly liable under the Security Rule and parts of the Privacy Rule.
What kind of penalties can HIPAA impose?
Civil and criminal
What is Protected Health Information (PHI)?
1) Identifies or can create identification of individuals
2) Created or received by a covered entity or employer
3) Relates to past, present or future physical or mental conditions or payment of healthcare
What is ePHI?
Electronic Protected Health Information – PHI transmitted or maintained in electronic media.
What are 4 key protections of HIPAA’s Privacy Rule?
- Covered entities must provide detailed privacy notice at the date of first service delivery
- Uses or disclosures outside of HIPAA’s guidelines require opt-in authorization
- Use and disclosure of PHI for purposes other than treatment is limited to the minimum necessary
- Individuals have the right to access and copy their own PHI from a covered entity and to amend their PHI
Under what circumstances do limitations and exceptions apply to the HIPAA Privacy Rule?
1) De-identification, by either the Safe Harbor method (removing 18 specified identifiers) or Expert Determination (a qualified expert certifies that the risk of re-identification is very small)
2) Research
3) Other: Public health activities, e.g. reporting abuse or neglect, judicial/administrative proceedings, specialized gov’t functions.
What are requirements of the HIPAA Security Rule?
1) Ensure the confidentiality, integrity and availability of all ePHI obtained by the covered entity
2) Protect against reasonably anticipated threats or hazards
3) Protect against any reasonably anticipated uses or disclosures
4) Ensure compliance by the workforce (must designate a security official responsible for developing and implementing policies; the Privacy Rule likewise requires a privacy official, and one person may hold both roles), with training and complaint procedures
What is GINA?
Genetic Information Nondiscrimination Act of 2008
What does GINA prohibit?
1) Higher premiums based on genetic tests
2) Using genetic predisposition to deny coverage based on preexisting condition
3) Prohibits employment discrimination based on genetic information, incl. by unions and training programs, covering family members’ information, and prohibits requiring or requesting genetic information.
What is HITECH?
Health Information Technology for Economic and Clinical Health Act of 2009
What additions to HIPAA privacy did HITECH add (name 3)?
1) Breach notification: affected individuals within 60 days of discovery; HHS notified as well, and breaches affecting 500+ individuals also require notice to prominent media
2) Increased penalties (tiered by culpability, up to $1.5M per year per type of violation, applying even where the entity did not know of the violation; criminal liability clarified to reach individuals)
3) Limited data (remove what isn’t needed)
What was the purpose of the 21st Century Cures Act?
Expedite research, reform mental health treatment, addressed concerns of pharma purchasing PHI for research
What are 5 provisions of the Cures Act?
1) Exempts identifiable biomedical research information from mandatory disclosure (e.g. under FOIA)
2) Researchers are allowed to remotely review PHI under HIPAA rules
3) Prohibits information-blocking that would interfere with the exchange of electronic health info
4) Requires “Certificates of Confidentiality” for research
5) Provides guidelines for permissible “compassionate” sharing of mental health or substance abuse info w/ family/caregivers
When did FCRA come into effect?
1970
What type of organizations does the FCRA regulate?
Consumer Reporting Agencies (CRAs)
Who enforces FCRA?
FTC, CFPB, state AGs, private right of action
Does FCRA allow deletion of consumer data?
No, only access and correction
What is FACTA?
Fair and Accurate Credit Transaction Act of 2003
Does FACTA preempt state law?
Yes, most
What are 4 things FACTA requires?
1) Truncation of credit/debit card numbers
2) Consumer right to explanation of credit scores
3) Consumer right to free annual report from 3 national CRAs
4) The disposal rule and red flags rule
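As an added example (not from the original study set), the following implements the FACTA receipt truncation rule from item 1 above on constructed receipt lines: card numbers are detected with a regex plus a Luhn check so that other long numbers (order IDs) are left alone, then masked to the last 5 digits, and expiration dates are removed. The receipt text, regex patterns and helper names are this example’s own assumptions, not language from the statute.

```python
"""FACTA receipt truncation on constructed receipt text (added example).

FACTA allows a printed receipt to show no more than the last 5 digits of a
card number and no expiration date. The receipt lines, patterns and helper
names below are this example's own assumptions.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# "EXP 12/27", "Expires: 01/2028", ... keeps the label, drops the date.
EXP_RE = re.compile(
    r"(?i)\b(exp(?:iry|ires|iration)?\.?:?\s*)(0[1-9]|1[0-2])\s*/\s*(\d{4}|\d{2})\b"
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: int = 5) -> str:
    """Replace all but the last `keep` digits with '*'."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - keep) + digits[-keep:]


def redact_receipt(text: str) -> str:
    """Mask card numbers and strip expiration dates from receipt text.

    The Luhn check keeps the regex from mangling other long digit strings
    (order numbers, tracking IDs) that merely look like card numbers.
    """
    def _mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return match.group(0)  # not a card number: leave untouched

    text = PAN_RE.sub(_mask, text)
    return EXP_RE.sub(lambda m: m.group(1) + "**/**", text)


# Constructed sample receipt; the card numbers are standard test numbers.
SAMPLE_RECEIPT = """\
ACME STORE  #0042
VISA  4111 1111 1111 1111  EXP 12/27
MC    5500-0000-0000-0004  Expires: 01/2028
ORDER 1234567890123  TOTAL $42.00
"""

if __name__ == "__main__":
    print(redact_receipt(SAMPLE_RECEIPT))
```

Note the choice of 5 retained digits: PCI DSS masking conventions commonly show the first 6 and last 4 on internal displays, but the FACTA receipt rule is stricter, so the receipt path should not reuse a general-purpose PCI mask.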
Who or what is in scope of the Disposal Rule?
Any individual or entity that uses consumer reports or info derived from them (e.g. CRAs, lenders, employers, etc.)
What is the FACTA Disposal Rule?
The FACTA disposal rule requires businesses to take “reasonable measures” to protect against unauthorized access to or use of consumers’ information.
What is the FACTA Red Flags Rule?
The Red Flags Rule calls for financial institutions and creditors to implement red flags to detect and prevent against identity theft.
Who does the FACTA Red Flags Rule apply to?
Financial institutions, creditors and all other entities that hold a “transaction account” w/ consumer
What does the Red Flag Program Clarification Act of 2010 do?
Determined that the Red Flags Rule does not apply to creditors who extend credit only for “expenses incidental to a service,” e.g. lawyers and health care providers who bill after the fact.
When does FCRA not preempt state laws?
In area of employment credit history checks
What is the GLBA?
Gramm-Leach-Bliley Act of 1999 (aka Financial Services Modernization Act)
Who is under the scope of GLBA?
Financial institutions – any US company that is “significantly engaged in financial activities”
What does the GLBA regulate?
Financial institution management of nonpublic personal information (NPI)
Who manages most of the administration of the GLBA?
The CFPB
What created the CFPB?
The Dodd-Frank Act of 2010
Does the GLBA preempt stricter state laws?
No. States may enact stricter laws; under GLBA Section 507, the CFPB (originally the FTC) determines whether a state law is inconsistent with GLBA, and a law that gives consumers greater protection is not.
What does the GLBA Privacy Rule require?
Must provide initial and annual privacy notices, give consumers the right to opt out of sharing NPI with nonaffiliated third parties, and honor opt-outs within 30 days. Sharing with affiliates and joint marketing with other financial institutions fall under exceptions and are not subject to opt-out.
When can consumers not opt-out of GLBA sharing?
Information is shared with companies that provide essential services (e.g. data processing), the disclosure is legally required, or shared with outside service providers that market the financial company’s products or services.
How long does a company have to process GLBA opt-outs?
30 days
What is the FAST Act?
Effective 2015, provides exemptions to annual privacy notice requirements
What are four things that must be included in financial privacy notices?
- What is collected
- With whom information is shared
- How information will be safeguarded
- How consumer can opt out
What is the GLBA Safeguards rule?
Requires financial institutions to develop and implement a comprehensive “information security program.”
What is California SB-1?
Expands GLBA protections, increases disclosure requirements for financial institutions. No cap for damage with willful noncompliance. Opt-in required for sharing PI with nonaffiliated 3rd parties. Opt-out for sharing with affiliates not in same LOB.
What is the Dodd-Frank Act?
Enacted in 2010; created the CFPB. The CFPB has rule-making authority for FCRA, GLBA, etc., can bring enforcement actions for “unfair or deceptive” acts and practices, and can also act against “abusive” acts and practices. Roughly the FTC’s counterpart for consumer finance.
What is the Bank Secrecy Act of 1970?
Targeted crime groups using large cash transactions. Requires records and creation of Suspicious Activity Reports (SARs). Regulates currency transactions >$10k, currency-like instruments >$3k.
What is the International Money-Laundering Abatement and Anti-Terrorist Financing Act of 2001?
Expanded reach of BSA, part of USA PATRIOT Act.
What does FERPA stand for?
Family Educational Rights and Privacy Act of 1974
Who does FERPA apply to?
All educational institutions that receive federal funding.
What are “educational records” under FERPA?
All records directly related to the student, including academic, disciplinary and financial. NOT campus police, employment, health records, alumni records, grades on peer-graded papers.
When does a student’s rights transfer to them vs. their parents under FERPA?
When 18 or attending only a post-secondary institution
What are four key principles of FERPA?
1) Notice (students receive annual notice of rights)
2) Consent (for sharing of educational records)
3) Access and correction (right to review records, request correction, have a hearing if request is denied)
4) Security and accountability
Name five exemptions for FERPA
Disclosing information to organizations acting on behalf of schools for 1) test development, 2) student aid programs or 3) instructional improvement; 4) a health or safety emergency where the threat of harm is articulable and significant; 5) in response to a lawfully issued subpoena or court order
What is the PPRA?
Protection of Pupil Rights Amendment to FERPA. Gives parents rights regarding the collection of sensitive information from students via surveys, including surveys for commercial purposes.
What does NCLBA stand for?
No Child Left Behind Act
How does NCLBA address privacy?
Broadened scope of PPRA. If you are using surveys for ANY collection of data, you had to notify the parent and legal guardian – type of instrument used, date and time, and give them the right to opt-out of use for commercial purposes.
Which types of tech providers do FERPA et al. apply to?
Those that provide free teaching material, online posting of homework, communication and grades, etc.
What does COPPA stand for?
Children’s Online Privacy Protection Act of 1998
Who does COPPA apply to?
Any website or online service directed to children under 13, or that has actual knowledge it is collecting PI from children under 13
What does COPPA require?
Safeguards for the data collected, notice to parents of data collection practices, and verifiable parental consent before collecting ANY PI from a child.
What is the TCPA?
Telephone Consumer Protection Act of 1991. Places restrictions on unsolicited phone advertising, faxes, robocalls and texts.
What is the TSR?
Telemarketing Sales Rule. Enacted in 1995 by FTC to implement the Telemarketing and Consumer Fraud and Abuse Prevention Act
What does the TSR require?
1) Do-not-call registry (telemarketers must scrub their lists against it)
2) Prohibits unauthorized billing
3) Calls only between 8am and 9pm local time; honor requests to call back
4) Prohibits calling consumers who have asked not to be called again
5) Disclosure of the identity of the seller and the purpose of the call
6) Transmit accurate caller ID
7) Must connect the consumer to a live representative within 2 seconds of the consumer’s greeting (limits abandoned calls)
8) Prohibits misrepresentations and omissions of material information
9) Robocalls (prerecorded messages) require prior express written consent; HIPAA-covered entities are exempt
10) Record-keeping
How often must telemarketers check the do-not-call registry?
Every 31 days.
What are exceptions to the DNC registry?
1) Non-profits calling on their own behalf
2) Existing business relationships
3) Consent given by consumer
What does CAN-SPAM stand for?
Controlling the Assault of Non-Solicited Pornography and Marketing act of 2003
What does CAN-SPAM require
Opt-out of commercial email messages, opt-in of MSCM messages
What is an MSCM?
Defined by CAN-SPAM: Mobile Service Commercial Messages (MSCMs) are commercial electronic mail messages transmitted directly to a wireless device used by a subscriber of a commercial mobile service. Covers messages sent to a carrier’s wireless domain (e.g. email-to-SMS), not phone-to-phone text messages.
What is the Wireless Domain Registry?
Similar to the DNC Registry: an FCC-maintained list of the wireless carriers’ domain names used for MSCMs (e.g. mymobile.att.com). Senders may not send commercial messages to addresses at those domains without the subscriber’s express prior authorization.
What is CAN-SPAM enforcement?
Commercial email must honor opt-out requests within 10 business days; civil penalties exceed $40,000 per violating email (adjusted for inflation); ISPs can sue; and egregious conduct is a crime punishable by up to 5 years’ imprisonment.
What is the Cable Communications Policy Act of 1984’s relation to privacy?
Cable companies had to give annual privacy agreements, only use PI necessary, and require consent for disclosure. Restricted use of warrants. Data destroyed when no longer needed
What is the Telecommunications Act of 1996’s relation to privacy?
Pertains to telecommunications carriers. Restricts accessing, using and disclosing customer proprietary network information (CPNI). Under the FCC’s CPNI rules, customers must be notified of breaches and must authenticate (e.g. with a password) before accessing call detail records.
What is CPNI?
Customer Proprietary Network Information. Information collected by telecommunications carriers about their subscribers.
What is the VPPA?
Video Privacy Protection Act of 1988. Provided requirements for PI disclosure. VPPA Amendments Act of 2012 allowed users to share movie viewing information via social media.
What are the self-regulating bodies and principles for online advertising?
1) The Digital Advertising Alliance (DAA) Self-Regulatory Principles for Online Behavioral Advertising; 2) Network Advertising Initiative (NAI) Code of Conduct
What is the ECPA?
Electronic Communications Privacy Act of 1986. Extended bans on interception of communications to include “electronic communications.” California passed their own (CalECPA) to say government entities cannot search online accounts without warrant, consent or in emergencies.
What is the SCA?
Stored Communications Act, enacted as part of ECPA. Prohibits unauthorized acquisition, alteration or blocking of electronic communications while in electronic storage. Its protections are weaker than the Wiretap Act’s protections against interception in transit.
Does ECPA preempt state law?
No
What is a pen register?
Records the telephone numbers of outgoing calls
What is a trap and trace?
Records the telephone numbers that are called into a number
What is CALEA?
The Communications Assistance for Law Enforcement Act of 1994, aka the “Digital Telephony Bill.” Requires telecommunications carriers to design their networks and services so they can carry out lawful surveillance orders from the government. Originally excluded information services such as ISPs; an FCC order in 2005 extended it to facilities-based broadband and interconnected VoIP providers.
What is CISA?
Cybersecurity Information Sharing Act of 2015. Voluntary program for the private sector. Allows companies to share cyber threat indicators and defensive measures with the government and each other, with liability protection, provided PI not directly related to the threat is removed first.
What is RFPA?
Right to Financial Privacy Act of 1978. No government may access records from financial institutions without specific conditions met.
What is the PPA?
The Privacy Protection Act of 1980. Protects journalists and media organizations from government search and seizure of their work product and documentary materials. Applies to criminal investigations, not civil, and does not protect a reporter who has committed or is committing a crime.
What does FISA stand for?
Foreign Intelligence Surveillance Act of 1978
Why was FISA passed?
To allow surveillance during the Cold War to track agents of the Soviet Union
What does FISA cover?
Wiretaps, pen registers, trap and trace devices and video surveillance conducted for “foreign intelligence” purposes, approved by the Foreign Intelligence Surveillance Court (FISC).
What is an NSL?
National Security Letter. An administrative demand for records (subscriber, financial, credit) that the FBI can issue without a judge; the statutory authority comes from RFPA, ECPA and FCRA rather than FISA itself. Originally used very narrowly, with approval from FBI headquarters.
What changed with the USA PATRIOT Act?
Allow more often use of wiretaps. Pen register/trap and trace expanded. NSLs could apply to any org without judicial involvement. Federal court can require production of “any tangible thing” for foreign intelligence & antiterrorism investigations
What was the FISA Amendment Act?
Passed in 2008, after the PATRIOT Act, following news reports that warrantless surveillance and NSL use were far greater than reported. It required more reporting to Congress, granted retroactive immunity to telephone companies that had cooperated, and (Section 702) authorizes targeting persons reasonably believed to be non-US persons located outside the US, for a foreign intelligence purpose.
What was the USA FREEDOM Act of 2015?
Enacted in 2015 as Section 215 of the PATRIOT Act expired. Prohibited bulk collection under the pen register/trap and trace and Section 215 authorities, requires transparency reports about FISA orders and NSLs, and requires FISA court approval to query phone metadata, which now stays with the carriers rather than the government.
What are protective orders?
A judge decides what information produced in litigation is prohibited from public disclosure.
What is a HIPAA QPO?
Qualified protective order. Prohibits the parties from using or disclosing PHI for any purpose other than the litigation, and requires that the PHI be returned or destroyed at the end of the proceeding.
What is the EPAA?
Employee Polygraph Protection Act of 1988. Prohibits using lie detectors and taking adverse action against employees who refuse. Some exceptions for government, security, defense and controlled substance.
Is substance use testing regulated federally?
No
What is California AB 1950?
Applies to businesses holding personal information about California residents. Requires “reasonable security procedures and practices.” Companies already subject to stronger requirements (GLBA or HIPAA) are exempt.
What is Mass 201 CMR 17
Most prescriptive security law in the nation. Establishes minimum standards and a comprehensive data security program.
What is Washington state HB 1149?
Incorporates the Payment Card Industry Data Security Standard (PCI DSS) into state law to ensure the security of credit card transactions; businesses that were PCI DSS compliant at the time of a breach get a safe harbor from liability to reimburse card issuers.