Module #5: Enforcement of US Privacy and Security Laws Flashcards
Types of Legal Action
1) Civil Litigation
2) Criminal Litigation
3) Administrative enforcement
Civil Litigation definition
Civil litigation is an action that occurs in the courts and involves a plaintiff suing a defendant
to redress a wrong
Who initiates civil litigation
-Initiated by private party or government
What is the burden of proof for civil litigation
a preponderance of evidence
What is the punishment for civil litigation?
monetary compensation
or a court-ordered injunction
Definition of Criminal Litigation
court proceedings for criminal prosecution
Who initiates criminal litigation?
Criminal litigation is brought forth by the government for violations of criminal laws
What is the burden of proof for criminal litigation?
Beyond a reasonable doubt
What is the punishment for criminal litigation?
fines
restitution
incarceration
death
Administrative Enforcement definition
adjudication by an agency such as the FTC (Federal Trade Commission) or FCC (Federal Communications Commission)
Who initiates administrative enforcement?
Government agency
What is the burden of proof for administrative enforcement
burden of persuasion
What is the punishment for administrative enforcement
actions
fines
What is the basis of legal liability for:
- Civil litigation
- Criminal litigation
- Administrative enforcement
- civil litigation: tort, contract, and common law
- criminal litigation: constitutions, laws, and regulations
- Administrative enforcement: statutes that create agency governance
What are the 6 legal liability categories
1) negligence
2) breach of warranty
3) Misrepresentation
4) defamation
5) strict tort liability
6) statutory actions
negligence definition
Absence of, or failure to exercise, proper or ordinary care
defamation definition
untruth about another that will harm the reputation of the person or organization defamed in the form of libel (written defamation) or slander (oral defamation)
Strict tort liability definition
Extension of the responsibility of the vendor or manufacturer to
all individuals who might be injured by a product or service
statutory actions
Action required, permitted or enacted by statute
misrepresentation definition
False security about the safety of a particular product or service
breach of warranty definition
Failure of a seller to fulfill the terms of a promise, claim or
representation
FTC Definition
The Federal Trade Commission (or FTC) is an independent federal agency that operates outside the direct control of the president.
FTC Privacy enforcement
1914 - FTC established to enforce antitrust laws
1938 - general consumer protection mission established
1970 - Fair Credit Reporting Act of 1970
1990 - Congress added privacy-related responsibilities to the FTC
What are the 4 Powers enforced by FTC
- Preventing unfair methods of competition and deceptive acts or practices
- Seeking monetary redress
- Prescribing trade regulation rules
- Establishing requirements
3 Regulatory responsibilities of FTC are?
- COPPA: The Children's Online Privacy Protection Act of 1998
- CAN-SPAM: The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
- HITECH: Health Information Technology for Economic and Clinical Health Act of 2009
FTC: Deceptive Practices
- False promises
- Misrepresentations
- Failures to comply with representations made to consumers
FTC: Unfair Practices
- Failure to implement adequate protection measures
- Providing inadequate disclosures to consumers
What happens to noncompliant companies?
The company is told to cease and desist and to resolve the issues. If it does, there is an agreement; otherwise a consent decree issues a consent order. The FTC can recommend penalties of up to 16k per infraction.
Investigations begin in one of two ways:
- the FTC reads about the practice in the press
- somebody complains to the FTC that the company is engaging in unfair or deceptive practices
The FTC then conducts an investigation and tries to reach some type of agreement without going to court.
suspected deceptive practices
Geocities, Inc. (1999)
GeoCities sold user information to third parties, which
violated the privacy notice on its website.
GeoCities settled the action, and the FTC issued a consent order, which required GeoCities to post and adhere to a conspicuous online privacy notice that disclosed to users how it would
collect and use personal information.
suspected deceptive practices
Snapchat (2014)
Snapchat promised its customers a private, short-lived messaging service in which messages disappear "forever" after a brief time.
The "Find Friends" feature provided information to the company and to the individual users they exchanged snaps with. Snapchat was aware there were ways to save messages, and the company was collecting the names and phone numbers of all of its users' contacts. Find Friends was inadequately secured, which resulted in hackers compiling a database of millions of users' names and passwords.
Snapchat entered a consent order that it would not engage in these practices for the next 20 years
suspected unfair practices
LifeLock, Inc. (2010)
LifeLock failed to encrypt its customers' data, putting it at risk. Under the consent decree it paid significant fines and agreed to protect its customers' sensitive personal data and to be assessed every 2 years for compliance. In 2016 LifeLock failed to comply with the consent decree, which required LifeLock to pay millions of dollars in repayments of customers' monthly premiums and a fine to the state attorneys general.
suspected unfair practices
Wyndham Worldwide Corporation (2012)
After 3 hacks of Wyndham's systems, the FTC alleged that the company did not adequately protect its customers' sensitive data. The company initially chose not to settle the case; court decisions and appeal findings came out in favor of the FTC, and Wyndham agreed to enter a consent order with the FTC.
Department of Commerce
-leading role in federal privacy development
-EU-US Privacy Shield administration
Department of Homeland Security
- E-Verify program; rules for air traveler records (TSA)
- Immigration; other border issues (Immigration and Customs enforcement)
State Department
-negotiates internationally with other countries on privacy issues and in multinational groups
Office of Civil Rights (HHS)
Role in enforcing HIPAA rules
Department of Transportation
- transportation companies
- Drones (FAA)
- Internet-connected cars (National Highway Traffic Safety Administration)
Internal Revenue Service
Privacy rules concerning tax records
Office of Management and Budget
- Interpretation of Privacy Act of 1974
- Guidance to federal agencies and their contractors
FTC Priority in late 1990s
- notice and choice approach
- deception and failure to comply
FTC Priorities in 2001-2009
- Harm-based model
- Harm from identity theft
- privacy-program requirements
- impacts beyond tangible financial harm
FTC Priority in 2012
White House report: "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy", including:
- individual control
- transparency
- respect for context
- respect for content
- security
- access and accuracy
- focused collection and accountability
FTC Priority in 2015
- data security investigations
- FTC entered into consent orders with ASUS and TRENDnet
- FTC enforcement actions for unfair practices where companies unreasonably and unnecessarily exposed consumers' personal data
FTC Priority in 2016
Cases:
- InMobi and Turn: tracked user location and browsing history without permission
- Vulcan: installed apps onto smartphones without permission
Warning letters to 12 app developers:
- cautioned app developers about claiming or implying that data was not being collected or transmitted when it was
FTC three-part examination of consumer protection issues:
- smart TVs
- drones
- ransomware
FTC Priority in 2017
recent cases:
- Lenovo: did not disclose to consumers a preinstalled software program, VisualDiscovery, which acted as a man-in-the-middle between consumers and the websites with which they communicated
- Vizio: smart TVs installed software to collect viewing data on 11 million consumer TVs without consumers' knowledge or consent
- Tru Communication, Decusoft, and Md7: settled charges of misleading consumers about their certification to participate in the EU-US Privacy Shield
FTC Priority in 2018
recent cases:
- Venmo: misrepresented the steps for keeping financial transactions private, which failed the Gramm-Leach-Bliley Privacy Rule and Safeguards Rule requirements
- Facebook: privacy practices, with a reported $5 billion fine
FTC Priority in 2019
- FTC and US Dept of Justice announced a settlement with Facebook for $5 billion penalty as well as modifications to their overall approach to privacy
- Cambridge Analytica: complaint that users were unaware their personal data was being harvested for illegal voter profiling and targeting
FTC Report principles in 2012
“protecting consumer privacy in an era of rapid change: recommendations for business and policymakers”
- privacy by design
- simplified consumer choice and transparency
FTC 5 Principles in 2015
“Privacy and Data Security Updates”
- Know what data you have and the rights / need to access it
- Limit data retained based on legitimate need
- Implement safeguards to protect data
- Dispose of data when no longer needed
- Plan for security incidents
Workshops hosted by FTC in 2017
FTC hosted workshops on privacy issues:
- connected cars
- education technology
- identity theft
Workshops hosted by FTC in 2018
FTC hosted workshops on privacy issues:
- fraudulent practices around cryptocurrency
- data breaches
State Regulation
- Inadequate data protection
- AGs (state attorneys general)
- laws and statutes to protect privacy
Cross-border Regulation
- cooperation:
OECD recommendation (Organisation for Economic Co-operation and Development)
- Recommendation on Cross-Border Co-operation in the Enforcement of Laws Protecting Privacy, which promotes addressing common privacy issues on a global scale
GPEN: Global Privacy Enforcement Network
- the OECD recommendation motivated the FTC and other enforcement agencies around the world to form GPEN
APEC CPEA: Asia-Pacific Economic Cooperation Cross-border Privacy Enforcement Arrangement
- establishes a framework for members to share information and evidence in cross-border investigations and enforcement actions in the Asia-Pacific region, as well as facilitating communication between APEC and non-APEC members.
Self-Regulatory Regulation
- internal frameworks, policies and procedures
Some organizations have created their own approaches to privacy protection, through which they monitor their own privacy guidelines and practices.
Organizations may also adopt the guidelines of a third party that monitors and enforces compliance.
federal vs state authority
Law-making power is shared between the federal and state governments.
The US Constitution says it is "the supreme law of the land".
The 10th Amendment states that powers not delegated to the United States by the Constitution, nor prohibited by it to the states, are reserved to the states, or to the people.
Some federal laws preempt even stricter state laws; conversely, some federal laws may be superseded by state laws.
What theory of legal liability is described as the absence of or failure to exercise proper or ordinary care?
A) Defamation
B) Negligence
C) Breach of warranty
D) Strict tort liability
B) Negligence
Which of the following are powers of the FTC? Select all that apply.
A) Penalizing and halting unfair or deceptive trade practices
B) Seeking monetary redress for conduct injurious to consumers
C) Prescribing trade regulation rules
D) Administering self-certification programs for honest trade practices
E) Establishing requirements to prevent unfair or deceptive trade practices
A, B, C, and E
all but Administering self-certification programs for honest trade practices
Which federal agency is the most visible proponent of privacy concerns in the U.S.?
A) Department of Commerce (DOC)
B) Department of Homeland Security (DHS)
C) Office for Civil Rights (HHS)
D) Federal Trade Commission (FTC)
D) Federal Trade Commission (FTC)
During which decade did the FTC’s perspective evolve into a harm-based model?
A) 1980s
B) 1990s
C) 2000s
D) 2010s
C) 2000s
What does GPEN stand for?
A) Good principles for encrypting numerals
B) Grades of privacy employment negligence
C) Guild of Privacy Economic Nations
D) Global Privacy Enforcement Network
D) Global Privacy Enforcement Network