Module #5: Enforcement of US Privacy and Security Laws

Question 1

Types of Legal Action

Answer 1

1) Civil Litigation
2) Criminal Litigation
3) Administrative enforcement

Question 2

Civil Litigation definition

Answer 2

Civil litigation is an action that occurs in the courts and involves a plaintiff suing a defendant
to redress a wrong

Question 3

Who initiates civil litigation

Answer 3

-Initiated by private party or government

Question 4

What is the burden of proof for civil litigation

Answer 4

a preponderance of evidence

Question 5

What is the punishment for civil litigation?

Answer 5

either monetary or compensation

Or a court-ordered injunction

Question 6

Definition of Civil Litigation

Answer 6

court proceedings for criminal prosecution

Question 7

Who initiates civil litigation?

Answer 7

Criminal litigation is brought forth by the government for violations of criminal laws

Question 8

What is the burden of proof for Civil Litigation

Answer 8

Beyond a reasonable doubt

Question 9

What is the punishment for civil litigation

Answer 9

fines
restitution
incarceration
death

Question 10

Administrative Enforcement definition

Answer 10

adjunction by an agency such FTC (federal trade commission) or FCC (federal communications commission)

Question 11

Who initiates administrative enforcement?

Answer 11

Government agency

Question 12

What is the burden of proof for administrative enforcement

Answer 12

burden of persuasion

Question 13

What is the punishment for administrative enforcement

Answer 13

actions

fines

Question 14

What are the basis of legal liability for:

• Civil litigation
• Criminal litigation
• Administrative enforcement

Answer 14

• civil litigation: tort, contract, and common law
• criminal litigation: constitutions, laws, and regulations
• Administrative enforcement: statutes that create agency governance

Question 15

What are the 6 legal liability categories

Answer 15

1) negligence
2) breach of warranty
3) Misrepresentation
4) defamation
5) strict tort liability
6) statutory actions

Question 16

negligence definition

Answer 16

Absence of, or failure to, exercise proper or ordinary care

Question 17

defamation definition

Answer 17

untruth about another that will harm the reputation of the person or organization defamed in the form of libel (written defamation) or slander (oral defamation)

Question 18

Strict tort liability definition

Answer 18

Extension of the responsibility of the vendor or manufacturer to
all individuals who might be injured by a product or service

Question 19

statutory actions

Answer 19

Action required, permitted or enacted by statute

Question 20

misrepresentation definition

Answer 20

False security about the safety of a particular product or service

Question 21

breach of warranty definition

Answer 21

Failure of a seller to fulfill the terms of a promise, claim or
representation

Question 22

FTC Definition

Answer 22

The Federal Trade Commission (or FTC) is an independent federal agency that operates outside the direct control of the president.

Question 23

FTC Privacy enforcement

Answer 23

1914 FTC established to enforce antitrust laws

1938 - general consumer protection mission established

1970 - fair credit reporting act of 1970

1990 - congress added privacy-related responsibilities to FTC

Question 24

What are the 4 Powers enforced by FTC

Answer 24

• Preventing:
  - unfair methods of competition
  - Deceptive acts or practice
• Seeking monetary redress
• Prescribing trade regulation rules
• Establishing requirements

Question 25

3 Regulatory responsibilities of FTC are?

Answer 25

• COPPA: The Childrens Online Privacy Protection Act of 1998
• CAN-SPAM: The Controlling Assault of Non-Solicited Pornography and Marketing Act of 2003
• HITECT: Health Information Technology for Economic and Clinical Health Act of 2009

Question 26

FTC: Deceptive Practices

Answer 26

• False promises
• Misrepresentations
• Failures to comply with representations made to consumers

Question 27

FTC: Unfair Practices

Answer 27

• Failure to implement adequate protection measures

- Providing inadequate disclosures to consumers

Question 28

What happens to noncompliant companies?

Answer 28

you need to cease and desist and resolve the issues. if so, there’s an agreement. or the consent degrees issue a consent order. it can recommend penalties up to 16k per infraction. it can recommend the fines.

investigations happen in two methods:

• read the press
• somebody complains to the FTC that you’re engaging in unfair or deceptive practices.

so they conduct an investigation and try to come to some type of agreement without going to court.

Question 29

suspected deceptive practices

Geocities, Inc. (1999)

Answer 29

GeoCities sold user information to third parties, which
violated the privacy notice on its website.

GeoCities settled the action, and the FTC issued a consent order, which required GeoCities to post and adhere to a conspicuous online privacy notice that disclosed to users how it would
collect and use personal information.

Question 30

suspected deceptive practices

Snapchat (2014)

Answer 30

Snapchat promised its customers a private, short-lived messaging service that messages disappear “forever” after a brief time.

“Find Friends” feature provided information to the company and individual users they snapchats with. Snapchat was aware there were ways to save messages and company was collecting names and phone #s of all users contacts. Find friends was inadequately secure and resulted in hackers compiling a database of million of users names and passwords.

Snapchat entered a consent order that it would not engage in these practices for the next 20 years

Question 31

suspected unfair practices

LifeLock, Inc. (2010)

Answer 31

Lifelock failed to encrypt its customers data putting it at risk. In the consent decree, paid significant fines and to protect its customers’ sensitive personal data to be assessed every 2 years for compliance. In 2016 lifelock failed to comply with the consent which required lifelock to pay millions of dollars as repayments to customers’ monthly premiums and a fine to the state attoe

Question 32

suspected unfair practices

Wyndham Worldwide Corporation (2012)

Answer 32

3 hacks to Wynham’s systems FTC alleged that they did not adequately protect its customers sensitive data. the company chose initially to not settle the case. court decisions and appeals findings in favor of the FTC and Wyndham agreeing to enter a consent order with the FTC.

Question 33

Department of Commerce

Answer 33

-leading role in federal privacy development
-EU-US Privacy Shield administration
-

Question 34

Department of Homeland Security

Answer 34

• E-Verify program; rules for air traveler records (TSA)

- Immigration; other border issues (Immigration and Customs enforcement)

Question 35

State Department

Answer 35

-negotiates internationally with other countries on privacy issues and in multinational groups

Question 36

Office of Civil Rights (HHS)

Answer 36

Role in enforcing HIPPA rules

Question 37

Department of Transporation

Answer 37

• transportation companies
• Drones (FAA)
• Internet-connected cars (national highway traffic safety administration)

Question 38

Internal Revenue Service

Answer 38

Privacy rules concerning tax records

Question 39

Office of Management and Budget

Answer 39

• Interpretation of Privacy Act of 1974

- Guidance to federal agencies and their contractors

Question 40

FTC Priority in late 1990s

Answer 40

• notice and choice approach

- deception and failure to comply

Question 41

FTC Priorities in 2001-2009

Answer 41

• Harm-based model
• Harm from identity theft
• privacy-program requirements
• impacts beyond tangible financial harm

Question 42

FTC Priority in 2012

Answer 42

Whitehouse report: "consumer data privacy in a networked world: a framework for protecting privacy and promoting innovation in the global digital economy"
 including:
      -individual control
      -transparency
      -respect for context
      -respect for content
      -security
      -access and accuracy
      -focused collection and accountability

Question 43

FTC Priority in 2015

Answer 43

• • data security investigations
• • FTC entered in consent orders with ASUS and TRENDnet
• • FTC enforcement actions for unfair practices when unreasonably and unnecessarily exposed consumers’ personal data

Question 44

FTC Priority in 2016

Answer 44

Cases:

  - InMobi and Turn: tracked user location and browsing history without permission
  - Vulcan: installed apps onto smart phones without permission

letter of warning to 12 app developers:
-cautioned app developers related to claimed or implied data was not being collected or transmitted when it is.

FTC 3-part to examine consumer protection issues:

  - smart tv's
  - drones
  - ransomware

Question 45

FTC Priority in in 2017

Answer 45

recent cases:
-Lenova: did not disclose to consumers preinstalled software program, VisualDiscovert, which acted as a man-in-the-middle between consumers and websites with which they communicated

  - Vizio: smart Tv's installed software to collect viewing data on 11 million consumer TVs without consumers knowledge or consent
  - Tru Communication, Decusoft, and Md7 charges settled for misleading consumers about their certification to participate in the EU-US Privacy Shield

Question 46

FTC Priority in 2018

Answer 46

recent cases:

  - Venmo: misrepresented steps for keeping financial transactions private which failed Gramm-Leach-Bliley Privacy Rule and Safegaurds rule requirements  - Facebook privacy practices and fine reported $5 billion

Question 47

FTC Priority in 2019

Answer 47

• FTC and US Dept of Justice announced a settlement with Facebook for $5 billion penalty as well as modifications to their overall approach to privacy
  - Cambridge Analytica complaint that users were unaware their personal data was being harvested for illegal voter profiling and targeting

Question 48

FTC Report principals in 2012

Answer 48

“protecting consumer privacy in an era of rapid change: recommendations for business and policymakers”

  - privacy by design
  - simplified consumer choice and transparency

Question 49

FTC 5 Principles in 2015

Answer 49

“Privacy and Data Security Updates”

  - Know what data you have and rights / need to access
  - limit data retained based on legitimate need
  - implement safeguards to protect data
  - dispose of data when no longer needed
  - plans for security incidents

Question 50

Workshops hosted by FTC in 2017

Answer 50

FTC hosted workshops on privacy issues:

  - connected cars
  - education technology
  - identity theft

Question 51

Workshops hosted by FTC in 2018

Answer 51

FTC hosted workshops on privacy issues:

  - fraudulent practices around cryptocurrency
  - data breaches

Question 52

State Regulation

Answer 52

• Inadequate data protection
• AGs (attorney generals)
• laws and statutes to protect privacy

Question 53

Cross-border Regulation

Answer 53

-cooperation:

OECD recommendation: Organization for Economic Cooperation and Development
-Recommendation on Cross-Border Co-operation in the Enforcement of Laws Protecting Privacy, which promotes addressing common privacy issues on a global scale

GPEN: Global Privacy Enforcement Network
-motivated the FTC and other enforcement agencies around the
world to form

APEC CPEA: AsiaPacific Economic Cooperation & Cross-border Privacy Enforcement Arrangement
-establishes a framework for members to share information and evidence in crossborder investigations and enforcement actions in the Asia-Pacific region, as well as facilitating communication between APEC and non-APEC members.

Question 54

Self-Regulatory Regulation

Answer 54

-internal frameworks, policies and procedures

approaches to privacy protection have been created by some organizations, through which they monitor their own privacy guidelines and practices.

Organizations may also adopt the guidelines of a third party that monitors and enforces compliance

Question 55

federal vs state authority

Answer 55

law-making power is shared between federal and state governments

US constitution says its “the supreme law of the land”

10th amendment states powers not delegated to the US by the Constitution nor prohibited by the states are reserved to the states, or to the people

some federal laws preempt even stricter state laws. conversly some federal laws may be superseded by state laws

Question 56

What theory of legal liability is described as the absence of or failure to exercise proper or ordinary care?

A) Defamation
B) Negligence
C) Breach of warranty
D) Strict tort liability

Answer 56

B) Negligence

Question 57

Which of the following are powers of the FTC? Select all that apply.

A) Penalizing and halting unfair or deceptive trade practices

B) Seeking monetary redress for conduct injurious to consumers

C) Prescribing trade regulation rules

D) Administering self-certification programs for honest trade practices

E) Establishing requirements to prevent unfair or deceptive trade practices

Answer 57

A, B, C, and E

all but Administering self-certification programs for honest trade practices

Question 58

Which federal agency is the most visible proponent of privacy concerns in the U.S.?

A) Department of Commerce (DOC)

B) Department of Homeland Security (DHS)

C) Office for Civil Rights (HHS)

D) Federal Trade Commission (FTC)

Answer 58

D) Federal Trade Commission (FTC)

Question 59

During which decade did the FTC’s perspective evolve into a harm-based model?

A) 1980s
B) 1990s
C) 2000s
D) 2010s

Answer 59

C) 2000s

Question 60

What does GPEN stand for?

A) Good principles for encrypting numerals
B) Grades of privacy employment negligence
C) Guild of Privacy Economic Nations
D) Global Privacy Enforcement Network

Answer 60

D) Global Privacy Enforcement Network