Section 1 Flashcards
GDPR SPI
Data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, data about sex life or orientation
HHS ways to de-identify data
Expert determination (statistician) or safe harbor (removal of 18 types of info)
GAPP Principles
Management, Notice, Choice and Consent, Collection, Use/Retention/Disposal, Access, Disclosure, Security for Privacy, Quality, & Monitoring + Enforcement
ISO 27701
It covers best practices for implementing privacy controls. Annex F provides advice on applying the privacy standard in an organization that already uses the information security standards
What is the data that must be removed from a data set for the HHS safe harbor in de-identification?
names, geographic divisions and ZIP codes containing fewer than 20K, month and day of a person’s birth/death/hospital admission or discharge or the age in years of a person over 89, telephone numbers, vehicle identifiers and serial numbers, including license plates, fax numbers, device identifiers and serial numbers, email addresses, web URLs, Social Security numbers, IP addresses, medical record numbers, biometric identifiers including finger and voice prints, health plan beneficiary numbers, full face photographs, account numbers, certificate/license numbers
ISO 27001 and 27002
These relate to an org’s information security program
Olmstead v. US
Right to be left alone
What is an investigative report under the FCRA?
under the FCRA, a consumer report becomes an investigative report when the process includes interviews with a person’s contacts to learn more about factors in the report such as “mode of living”
Can an ISP call an existing customer for telemarketing?
The Telemarketing Sales Rule does provide an existing business relationship exemption that would allow an ISP to call that customer even though she has added her phone to the DNC list
FACTA
The Fair and Accurate Credit Transactions Act includes specialized guidance for organizations that use consumer reports. The basic requirement of the FACTA Disposal Rule is that covered organizations must take “reasonable measures to protect against unauthorized access or use of the information in connection with its disposal”
What are the three main goals of a cybersecurity program?
confidentiality, integrity, and availability
Industry best practice for frequency of privacy risk assessment
Annual
Articles 1, 2, 3
1 - Legislative, 2 - executive, 3 - judicial
Article IV
defines the relationship between the federal government and the governments of the states
Article V
creates the process for amending the Constitution itself
Article VI
contains the supremacy clause and the process to modify the Constitution through amendments (2/3 of each house of Congress and 38/50 states)
Article VII
process for the initial establishment of the federal government
Which states have privacy in their constitutions?
Alaska
Arizona
California
Florida
Hawaii
Illinois
Louisiana
Montana
New Hampshire
South Carolina
Washington.
Smyth v Pillsbury (Eastern District of Pennsylvania 1996)
Holding: employees generally do not have a right to privacy in their use of a company provided email account.
Google v. CNIL (2019)
The right to be forgotten applies only within the EU
What does FERPA not apply to?
employee professional education records maintained by hospitals
What does HIPAA not apply to?
medical records maintained at student health centers
Does FERPA have a private right of action?
No, but the DoE can bring a case
Does HIPAA have a private right of action?
No
Does GLBA have a private right of action?
No
Does the CCPA have a private right of action?
Yes, if the breach involved certain unredacted and unencrypted personal information
What are the HIPAA civil penalties?
from $100 for a first time offense by an individual who did not know they were violating HIPAA to $50K if a violation was due to willful neglect and was not corrected
Does HIPAA have criminal penalties?
Yes.
$50K-$250K
1 - 10 years
Negligence elements
Duty of care, breach of that duty, damages, causation
What key legislation grants the FTC authority over unfair and deceptive practices?
15 USC Section 45(a)(1), aka UDAAP. This law is commonly cited as giving the FTC authority over privacy and cybersecurity related matters.
Which administrative body regulates websites targeted at children?
FTC through COPPA
What is the process for when the FTC has investigated a company and wants to bring a complaint?
The company can negotiate or contest the complaint in front of an ALJ. They can appeal to the five FTC commissioners after. Then, they can pursue an appeal in the federal courts.
Sperry v. Hutchinson Trading Stamp Co. (SCOTUS 1972)
Holding: Three factors for determining when a practice is unfair:
- if it injures consumers
- if it violates established public policy
- if it is unethical or unscrupulous
What is the test established by the FTC in its 1980 policy statement on unfairness to determine if a practice unfairly injures consumers?
Substantial
Outweighed
Not be reasonably avoidable
FTC v. Wyndham Worldwide (Third Circuit)
Holding: A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury and retains the profits of their business
LabMD - 2016
Example of unfair practice case brought by FTC in response to privacy issue
In 2016 the FTC issued a Final Order finding that LabMD suffered a data breach that impacted patient privacy as the direct result of insufficient cybersecurity practices. They were ordered to implement a cybersecurity program and subject themselves to periodic assessments.
LifeLock - 2010
Example of unfair practice case brought by FTC in response to privacy issue
LifeLock ran an advertising campaign claiming that it could prevent identity theft. They paid a $12M fine to the FTC and state governments. They also agreed to avoid deceptive advertising and implement strong security controls. In 2019 the company paid an additional $100M after they violated that court order.
DesignerWare (2012)
Example of unfair practice case brought by FTC in response to privacy issue
A rent-to-own company was accused of placing spyware on the computers it rented that captured keystrokes and images of personal information. The FTC issued an order declaring this an unfair practice and prohibiting the company from engaging in similar practices in the future.
What are the requirements for a practice to be deceptive? (1983 FTC Policy Statement)
- There must be a representation, omission or practice that is likely to mislead the consumer
- The practice must be examined from the perspective of a consumer acting reasonably in the circumstances
- The representation, omission or practice must be material
GeoCities
This website hosting company collected personal information from customers, informing them that they would not resell this information. The FTC charged them with reselling information in violation of their privacy policy.
Eli Lilly
This pharma company collected patient info on their website and then inadvertently sent an email to all site users disclosing their identities to one another
Nomi
This tech company placed sensors in retail stores that collected info about consumers’ mobile devices without their knowledge or consent
Snapchat
They informed consumers that messages and photos disappeared, but they were aware of methods users engaged in to preserve those messages
TRUSTe
2014 deceptive practices - This privacy firm provides other companies with certifications of their privacy practices. The FTC charged them with failing to conduct annual recertifications of clients, as required. $200K fine.
Zoom Consent Decree (2020)
Zoom had said their videos were end-to-end encrypted, but they were point-to-point and were temporarily decrypted while on Zoom’s servers. The Decree barred Zoom from saying anything more about privacy and security, and required it to put in place a comprehensive program and conduct annual independent audits for 20 years.
What year was the Telecommunications Act?
1996
What is CPNI and who regulates it?
Customer proprietary network information. The FCC regulates the way communications carriers may handle that information.
How is broadband privacy handled by the FCC?
In Dec 2016 they passed a set of rules that would restrict ISPs from collecting and sharing info about customer communications, location data and browsing habits. In 2017 Trump repealed those privacy rules.
Which US org operates the US portion of the Privacy Shield?
Department of Commerce
Which states have laws for UDAAP?
All
What is PCI DSS?
Payment Card Industry Data Security Standard (more about security than privacy, but does include data retention requirements that protect consumers).
What are the 12 high level requirements of PCI DSS?
- install and maintain a firewall config to protect cardholder data
- do not use vendor-supplied defaults for system passwords and other security parameters
- protect stored cardholder data
- encrypt transmission of cardholder data across open, public networks.
- use and regularly update antivirus software
- develop and maintain secure systems and applications
- assign a unique ID to each person with computer access
- restrict physical access to cardholder data
- track and monitor all access to network resources
- restrict access to cardholder data by business need-to-know
- regularly test security systems
- maintain a policy that addresses information security for employees and contractors
What is NAI?
Network Advertising Initiative. They can investigate their members and sanction them. They can refer noncompliant companies to the FTC.
What is the TRUSTe three phase process?
- Assessment
- Remediation and Certification
- Ongoing Monitoring and guidance
What is the Schrems II ruling?
July 2020 - the EU Court of Justice said that the Privacy Shield is illegal (the safe harbor program and agreement that allowed orgs conducting data transfers between the EU and US to comply with GDPR, provided the firm had agreed to appropriate privacy standards).
What is the largest fine the FTC has given?
Facebook - 2019. $5 billion based on deceptive claims about consumers’ ability to control the privacy of their personal data.
When was PCI DSS created?
2004
What are GPEN’s goals?
- Exchange information about privacy issues
- encourage sharing of enforcement expertise
- promote dialogue among enforcement groups
- facilitate international cooperation
- support international privacy practices
What organization created the Global Privacy Enforcement Network?
OECD - Organization for Economic Cooperation and Development
What kinds of information should an org consider when building a data inventory?
PII, PHI, financial information and government information
What is the NIST?
National Institute of Standards and Technology
What is NIST 800-53?
NIST’s guidance that specifies different types of controls that should be used to protect information deemed low impact, moderate impact and high impact
What is data minimization?
The company collects the smallest amount of info necessary to meet their business needs
What is purpose limitation?
Businesses should use collected information only for the purpose for which it was originally collected
How can electronic media be erased?
specialized sanitization software, degaussing using intense magnetic fields, or physical destruction
What is the FACTA disposal rule?
orgs must take “reasonable measures to protect against unauthorized access or use of the information in connection with its disposal”
What are the FTC’s suggestions for reasonable measures to comply with FACTA’s disposal rule?
- policies and procedures that require burning, pulverizing or shredding papers that contain consumer information, and monitoring compliance with that policy
- policies and procedures that require destruction or erasure of electronic media containing consumer information so it can't be read or reconstructed, and monitoring compliance
- contracting with a record destruction business after doing due diligence on that business. Customers may request certificates of destruction.
What are the two reasons you should still be prepared for script kiddies?
- The tools are freely available on the internet so personal tech skills are no longer a barrier to hacks
- Script kiddies are plentiful and unfocused so they target many different orgs
What ways did EUROPOL and IOCTA find that organized crime is active in cybercrime (2019)?
cyber-dependent crime (ransomware, data compromise, website defacement, attacks against critical infrastructure), child sexual exploitation, payment fraud, dark web activity, terrorism, and cross-cutting crime factors like social engineering, money mules and abuse of crypto
What company coined the term APT?
Mandiant - a security company
What is a zero day attack?
an attack that exploits a vulnerability researched by the attacker and not known to other attackers or to cybersecurity teams
What is an event, an adverse event and a security incident?
Event - observable occurrence (examples - user accessing a file on a server, an administrator changing permissions, an attacker conducting a port scan)
Adverse event - event that has negative consequences (examples are malware infection, server crash, user accessing a file they are not authorized to view)
Security incident - violation or imminent threat of violation of security policies or practices (examples are accidental loss of sensitive info, intrusion by an attacker, use of a keylogger on an exec’s system to steal passwords, and a DoS attack)
What is a CSIRT?
Computer security incident response team
What are the steps of an incident response process?
Preparation, Detection & Analysis, Containment, Eradication and Recovery, Post-Incident Activity
What is NIST 800-61?
Four major categories of security event indicators:
Alerts, Logs, Publicly available information, People
What is the process for the containment, eradication and recovery period in a security incident response?
Select a containment strategy, implement that strategy, gather additional evidence, identify the attackers, eradicate the effects
What should NOT be included in a security incident policy?
specific technologies, response procedures, and evidence gathering techniques - those are for the procedures document
What should be included in a security incident policy?
statement of management commitment
purpose and objectives
scope of the policy
definition of cybersecurity incidents
organizational structure and definition of roles
prioritization or severity rating scheme for incidents
performance measures for the CSIRT
reporting and contact forms
What are the places where PII may enter an organization?
New employee onboarding
Benefits administration
Customer interactions
Independent contractor tax reporting
What are the PII data inventory components?
Name of business process
Reason for using the PII
Legitimacy of use
Storage and transmission of PII
Access list
Third party involvement
Virus v. worm malware
Virus - spreads from system to system through human interaction
Worm - spreads from system to system by itself
How might adware be used?
changing the default search engine
displaying pop-up advertisements
replacing legitimate ads
What is a good way to prevent Trojan Horses?
Application control on employee computers
What are the three best ways to prevent malware?
Anti-malware software
Security patches
User education
What are the components of a good incident response plan?
- policy and plan documentation
- procedures for incident handling
- guidelines for communicating externally
- structure and staffing model for the team
- description of relationship with other groups
Incident Response Policy components
- foundational authority
- defines incidents
- incident prioritization scheme
What are the four steps of an Information Management Program?
Discover
Build
Communicate
Evolve