Section 2 Flashcards
What year was COPPA enacted?
1998
Who does COPPA apply to?
Online services that specifically design for children under 13 or know that children under 13 use their services AND online services that knowingly collect children’s personal info from another online service or website targeted at children
Does COPPA apply to governments and nonprofits?
No, except in limited circumstances where nonprofit websites are operated for the commercial benefit of their members
What additional kinds of PII apply for COPPA?
screen names, geolocation data, any media of a child’s image or voice and phone numbers AND any info collected from the child that is combined with any personal information
What rights do parents have under COPPA?
to approve of the collection and use of personal information, to revoke that consent and require the deletion of the information, and to approve of collection ONLY as necessary to use the service
What are COPPA’s general requirements?
Privacy policy, parental notification, consent and control, information security
What does a COPPA information security program have to have?
Reasonable steps to protect against unauthorized access to children’s data and procedures to delete data when it is no longer needed
What must a parental notification of a change in an organization’s practices include under COPPA?
The notice must: explain the consent process, detail the information the service intends to collect, and provide a link to the privacy policy and assure that any data collected, including contact data, will be deleted if parental consent isn’t granted.
What services must be available to parents under COPPA?
To view the personal information collected, revoke any previous consent, restrict the online service from further use of their information and have personal information deleted
Which agency(ies) enforce COPPA?
FTC. It may also be enforced by states and some agencies like the Department of Transportation.
What is a COPPA fine?
up to $43,280 for each violation
What happened with YouTube and COPPA?
In 2019 the FTC obtained a judgment against YouTube. YouTube had not been complying with COPPA because it did not consider itself within the law’s scope, since its content is crowdsourced social media rather than centrally managed. The judgment helps affirm that COPPA applies to social media companies.
Who does HIPAA apply to?
Health insurance plans, healthcare clearinghouses and healthcare providers
Plus third-party business associates if they meet certain conditions
What are the requirements for third party individuals or organizations under HIPAA?
They must have business associate agreements that require the business associate to conform with HIPAA
What kind of records are not covered under HIPAA?
personnel records for employees, academic records covered by FERPA, and information that has been properly anonymized so it cannot be used to identify a patient
What are some HIPAA covered transactions from HHS’ guidance that aren’t on their face healthcare information?
payment and remittance advice, claims status, eligibility, coordination of benefits, claims and encounter information, enrollment and disenrollment, referrals and authorizations, and premium payments
What year was the HIPAA privacy rule established?
2000
What does the HIPAA Privacy Rule require?
- Requires implementation of information privacy practices
- Limits use and disclosure of data without patient authorization
- Gives patients additional rights, including the right to view and correct their medical records
Who enforces the HIPAA Privacy Rule?
HHS Office for Civil Rights (OCR)
For how long are HIPAA covered entities required to retain records related to their privacy policies (like complaints or public notices)?
Six years
Can HIPAA covered entities ask patients to waive their rights under the Privacy Rule as a condition of care or coverage?
No
What are exceptions to the HIPAA requirement that patients have access to their PHI?
- psychotherapy notes
- information gathered for legal actions
- lab results specifically restricted by the Clinical Lab Improvement Amendments
- Circumstances in which the entity believes access may cause the person to harm themselves or others
What are the HIPAA exceptions that let states make use of PHI without patient consent?
- Reporting health information (birth, death records)
- Public health (reporting vital stats or enforcing regulations)
- Reporting information about health plans for oversight purposes
What is the range of fines for the OCR?
$100 up to $50K per violation
For repeated violations, up to $1.5M per year (per provision)
Is HIPAA enforcement handled through both civil and criminal channels?
Either. DOJ handles criminal enforcement.
Does the HIPAA Security Rule apply to physical records?
No. Only to ePHI.
Does HIPAA preempt state laws?
Yes
What was Athens Orthopedic?
In 2016 they suffered a large data breach in which a hacker stole 208K people’s information. In September 2020 OCR fined them $1.5M and entered a consent resolution for failing to implement required protections that may have prevented the breach.
When was HITECH passed?
2009
What does HITECH do?
Provides incentives for healthcare orgs to use EHR and penalties for orgs that don’t use EHR. It also includes the Breach Notification Rule.
What factors does the Breach Notification Rule use to determine if a breach has occurred?
- The type of information involved and whether individual patients may be identified
- The parties who used or accessed the information
- The likelihood that PHI was actually shared
- How well PHI is secured.
How long do business associates have to notify healthcare orgs of a breach under the Breach Notification Rule (HITECH)?
60 days. Then the covered entity is responsible for the rest of the notifications.
What are the notification steps for breaches under the Breach Notification Rule (HITECH) for breaches affecting fewer than 500 people?
Entities must notify victims within 60 days of discovery and report to HHS annually.
What are the notification steps for breaches under the Breach Notification Rule (HITECH) for breaches affecting more than 500 people?
They must tell HHS within 60 days, notify the victims within 60 days AND notify media outlets (usually in the form of a press release).
Do covered entities have to be able to prove they fulfilled notification requirements under the HITECH Act?
Yes. They must keep the documentation.
What are the three types of use and disclosures that are not subject to the Breach Notification Rule?
- An employee of a covered entity or BA accidentally accesses PHI while acting in good faith
- Two or more people authorized to access the same PHI accidentally share it with one another
- The entity has good reason to believe that no unauthorized parties will be able to retain the information (for example, the data was fully encrypted and there was no way the information could be viewed)
How does HITECH affect BAs?
Makes them directly subject to HIPAA so OCR can pursue enforcement actions directly against the BAs
How does HITECH affect HIPAA fines?
Increases annual violation fines up to $1.5M
How does HITECH affect the HIPAA Privacy Rule?
- requires individual authorization for use of PHI in marketing
- provides the ability for individuals to revoke authorizations for disclosure
- requires healthcare orgs to maintain records of any PHI disclosures that may be viewed by patients upon request.
When was the 21st Century Cures Act passed?
2016
What does the 21st Century Cures Act do?
- Penalizes information blocking
- Sets up a framework for sharing certain mental health and substance abuse treatment information for adults with family or caregivers
- Adds privacy protections for people participating in medical research (but exempts federal govt research that could identify an individual in a FOIA request)
- Gives research participants “certificates of confidentiality” issued by the NIH
What entities are subject to “Part Two” (Confidentiality of Substance Use Disorder Patient Records Rule)?
Any substance abuse treatment program that receives federal funding
When was the Confidentiality of Substance Use Disorder Patient Records Rule passed?
1975
What are the consequences of violating the Confidentiality of Substance Use Disorder Patient Records Rule?
Fines up to $500 for first offense, and $5K for repeat. Violators may also be subject to criminal prosecution.
What kind of data is covered by the Confidentiality of Substance Use Disorder Patient Records Rule?
Any records related to alcohol or substance abuse treatment that could possibly identify an individual patient. It also restricts information that may expose a patient to criminal charges.
When was the FCRA passed?
1970
What entities are subject to the FCRA?
Entities that sell consumer reports and entities that use those reports to make decisions
What is a consumer report?
Reports furnished to a customer for the purpose of making decisions about an individual related to extending credit, insurance coverage or employment, for a fee
What types of information would make something a consumer report?
- Creditworthiness
- Credit standing
- Credit capacity
- Character
- General reputation
- Personal characteristics
- Mode of living
What rights does the FCRA confer to consumers?
The right to request access to their consumer report (including credit scores) and to be told if anything in the report has been used to make unfavorable decisions
The right to give consent before reports may be shared with employers, to implement security freezes and to seek damages from businesses that violate their rights
What information must be provided in a notice of an unfavorable decision from a consumer report?
- Contact info for the CRA
- An explanation that the CRA only furnished the information and did not play a decision-making role
- An explanation of consumer rights (right to access and dispute)
When can a consumer report be shared without that person’s written consent?
- In response to court orders
- To review a consumer’s application for insurance underwriting or financial services, such as a credit card
- When the information is needed to complete a transaction initiated by the consumer
- To evaluate a consumer’s existing accounts or services to verify ongoing eligibility
- To review a consumer’s application for certain government licenses or benefits where financial responsibility is a legal criterion
- for use by prospective investors and insurers to evaluate risk when deciding whether to invest in consumer debt
- For use in setting appropriate levels of child support payments
- For use by insurance and credit firms to screen consumers in advance of offering products and services
Who enforces the FCRA?
FTC, CFPB and states’ attorneys general
When was FACTA passed?
2003
What did FACTA do?
Gives consumers a right to a free credit report every year, allows consumers to place fraud alerts on their credit reports, requires potential creditors to verify an applicant’s ID before extending credit, and gives consumers the right to trigger an investigation into disputed data by the CRA
It also requires merchants to partially mask credit card numbers on receipts and transaction records, and requires SSNs to be partially redacted (at the consumer’s request)
Requires higher standards and more disclosures from CRAs
Clarifies the FACTA preemption rules, exempts certain communications involving employers, further protects medical information and creates an entity to offer educational programs for financial literacy
What year was the GLBA passed?
1999
What businesses are subject to the GLBA?
Businesses that are “significantly engaged” in offering financial services
What is the GLBA Privacy Rule?
Businesses must share their privacy notice when beginning a customer relationship and each year after
How does GLBA differentiate between customers and consumers?
Customer - businesses must provide full privacy notices with all details listed in GLBA (beginning of relationship and annually)
Consumer - businesses must provide only a summary privacy notice that includes instructions for finding the full notice
What is the GLBA Safeguards Rule?
Info security programs must have designated personnel, assess risk on an ongoing basis and put controls in place to minimize those risks and assess third party partners
It also offers guidance for lowering risk and emphasizes: (1) workforce training, (2) securing information systems and (3) ongoing monitoring
What is the Red Flags Rule?
Obligates financial institutions or any creditor to proactively monitor consumer data for identity theft by watching for “red flags”
Who regulates the Red Flags Rule?
FTC, CFPB and states
SEC and Commodity Futures Trading Commission added by Dodd-Frank
When was the Red Flags Rule enacted?
Originally in 2003 under FACTA
Expanded to SEC + CFTC under Dodd-Frank
When was Dodd-Frank enacted?
2008
What did the Dodd-Frank Act do?
Extended UDAAP enforcement authority to the CFPB
Added Abusive to UDAAP
What is an “abusive” act (UDAAP)?
Any act that materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service
When was FERPA enacted?
1974
What entities does FERPA apply to?
Educational institutions that receive federal funding from the US Department of Education (and third parties that maintain that data)
What records does FERPA pertain to?
Any records maintained by an educational institution that pertain directly to a student
What does FERPA exclude from regulation?
Law enforcement records, some application data, and data collected after a student graduates. Also teacher data like memory aids and individual notes.
When can FERPA records be shared?
If they are sufficiently anonymized or the student/parent agrees or if there is a “legitimate educational interest”
What contract language is important for FERPA regulated entities?
Educational institutions designate tech providers as “school officials,” which makes the third party effectively part of the school, allows records to be transferred to it, and makes it subject to FERPA
When was the TCPA enacted?
1991 and updated in 2012 to add authority for regulating autodialers and robocalls
What is the TSR and when was it enacted?
Telemarketing Sales Rule - 1995
Does the TSR apply to financial institutions?
Not technically, because it was enacted under the FTC, which does not regulate financial institutions. However, the FCC has jurisdiction over all telemarketing activities and adopted the TSR into its own rules.
Who does the Established Business Relationship Exemption apply to?
Customers that have completed a purchase or transaction with the company within the last 18 months
What are the TSR rules?
Calls can only be between 8AM and 9PM
Must use a valid caller ID
Must connect consumers to a live person within two seconds
Can only use automated calls with direct written permission of the recipient
Establishes the DNC registry
What is the TSR Safe Harbor?
Calls made by accident, so long as the company can show the call was truly an accident, it has DNC procedures and employee training, it maintains a list of DNC numbers, and there is an internal monitoring process
What calls are not covered by the Do Not Call registry?
Some calls by political groups, charities, some nonprofit orgs and surveys
How often do telemarketers have to update their internal DNC list?
Every 31 days
Why is the Globex Telecom (2020) enforcement action significant?
Globex was using VoIP. It shows that the FTC has the ability to enforce regulations even if the technology used to make the calls has changed.
What are the DNC fines?
Up to $43,280 per call (which comes from the FTC Act). States can fine up to $25K per call.
When was the Junk Fax Prevention Act enacted?
Added to the TCPA as an amendment in 2005
When was CAN-SPAM enacted?
2003
What does CAN-SPAM regulate?
Commercial electronic messages (based on primary purpose of the message). Both companies and individuals are subject to the law.
Is there an individual private right of action under CAN-SPAM?
No
What are the CAN-SPAM requirements for unsubscribing?
Every message must have a clear notice about how to opt-out. That right must be available for up to 30 days after sending the message. The company must comply within 10 days of a user opting out. Companies cannot sell email addresses of users that have opted out.
Does CAN SPAM preempt state laws?
Yes. It does not allow states to have stricter rules.
When was the Telecommunications Act passed?
1996
What does the Telecommunications Act regulate?
CPNI (customer proprietary network information)
Who do the CPNI rules apply to?
Telecommunications carriers (including VoIP)
Are text messages regulated by CPNI?
No
How long does a telecoms company have to notify law enforcement of a breach of their CPNI?
7 days
When was the Cable Communications Policy Act enacted?
1984
Are modern streaming services subject to the Cable Communications Policy Act?
Not usually. They don’t meet the definition of “providing cable service.”
Does the Cable Communications Policy Act provide a private right of action?
Yes
When was the Video Privacy Protection Act (VPPA) enacted?
1988
Does the VPPA apply to streaming services?
Yes via court interpretation
Does the VPPA provide a private right of action?
Yes
Does the VPPA preempt state law?
Yes, but only if a state law allows or even requires MORE disclosure than is permitted by the VPPA. State laws can enforce stricter protections against disclosure of PII.
Can the FTC make regulatory actions against non-profits?
No. It is exclusive to commerce.
What happened in the Wyndham 2015 FTC case?
Landmark case that established the FTC had authority to implement security rules.
Wyndham’s security practices led to breach of consumer credit card numbers.
What is the FTC “sunset” policy?
Sets a 20 year maximum length for a consent decree
Why is the Google & YouTube COPPA agreement notable?
1. $170M fine for Google
2. FTC published guidelines to show how it will determine if a site is directed toward children
How does HHS distinguish between entities that provide tracking and cookies for HIPAA covered entities?
If the webpage authenticates users, the information is PHI and the service is a business associate.
Can credit reports be oral?
Yes
What are the damages available to consumers under the FCRA?
- Actual damages
- Punitive damages
- Legal costs
What is the other name for the GLBA?
Financial Services Modernization Act of 1999
What data does the CCPA exclude?
Data collected under the GLBA
Which states have GLBA exemptions?
- California
- Colorado
- Nevada
- Virginia
What are abusive practices?
- Materially interferes with the ability of a consumer to understand a term or condition, OR
- Takes unreasonable advantage of a consumer’s lack of understanding, inability to protect their own interests, or reasonable reliance on the provider to act in the consumer’s interest
Who has the rights under FERPA if a student is under 18 and enrolled at a postsecondary school? (student or parent)
The student
What is a transactional relationship message that is excluded from the CAN-SPAM Act?
- Facilitates or confirms a transaction
- Provides warranty, recall, safety or security information
- Gives information about changes in terms of an existing account
- Provides information about the employment relationship
- Delivers goods or services
What are the CAN SPAM rules?
- Don’t use false or misleading header information
- Don’t use deceptive subject lines
- Identify the message as an advertisement
- Tell recipients where you are located
- Provide opt-out instructions
- Honor opt-out requests promptly
- Monitor what others are doing on your behalf
What are the GAPP principles?
- Management
- Notice
- Choice and consent
- Collection
- Use, retention and disposal
- Access
- Disclosure to Third Parties
- Security
- Quality
- Monitoring and Enforcement