Section 2

Question 1

What year was COPPA enacted?

Answer 1

1998

Question 2

Who does COPPA apply to?

Answer 2

Online services that specifically design for children under 13 or know that children under 13 use their services AND online services that knowingly collect children’s personal info from another online service or website targeted at children

Question 3

Does COPPA apply to governments and non profits?

Answer 3

No except in limited circumstances where nonprofit websites are operated for the commercial benefit of their members

Question 4

What additional kinds of PII apply for COPPA?

Answer 4

screen names, geolocation data, any media of a child’s image or voice and phone numbers AND any info collected from the child that is combined with any personal information

Question 5

What rights do parents have under COPPA?

Answer 5

to approve of the collection and use of personal information, to revoke that consent and require the deletion of the information, and to approve of collection ONLY as necessary to use the service

Question 6

What are COPPA’s general requirements?

Answer 6

Privacy policy, parental notification, consent and control, information security

Question 7

What does a COPPA information security program have to have?

Answer 7

Reasonable steps to protect against unauthorized access to children’s data and procedures to delete data when it is no longer needed

Question 8

What must a parental notification of a change in an organization’s practices include under COPPA?

Answer 8

The notice must: explain the consent process, detail the information the service intends to collect, and provide a link to the privacy policy and assure that any data collected, including contact data, will be deleted if parental consent isn’t granted.

Question 9

What services must be available to parents under COPPA?

Answer 9

To view the personal information collected, revoke any previous consent, restrict the online service form further use of their information and have personal information deleted

Question 10

Which agency(ies) enforce COPPA?

Answer 10

FTC. It may be enforced by states and some agencies like Department of Transportation.

Question 11

What is a COPPA fine?

Answer 11

up to $43,280 for each violation

Question 12

What happened with YouTube and COPPA?

Answer 12

In 2019 the FTC got a judgment against YouTube. They weren’t complying with COPPA because they didn’t think they were within its scope because the content is crowdsourced social media and not centrally managed. This helps to affirm COPPA’s application to social media companies.

Question 13

Who does HIPAA apply to?

Answer 13

Health insurance plans, healthcare clearinghouses and healthcare providers
Plus third party businesses associates if they meet certain conditions

Question 14

What are the requirements for third party individuals or organizations under HIPAA?

Answer 14

They must have business associate agreements that require the business associate to conform with HIPAA

Question 15

What kind of records are not covered under HIPAA?

Answer 15

personnel records for employees, academic records covered by FERPA, and information that has been properly anonymized so it cannot be used to identify a patient

Question 16

What are some HIPAA covered transactions from HHS’ guidance that aren’t on their face healthcare information?

Answer 16

payment and remittance advice, claims status, eligibility, coordination of benefits, claims and encounter information, enrollment and disenrollment, referrals and authorizations, and premium payments

Question 17

What year was the HIPAA privacy rule established?

Answer 17

2000

Question 18

What does the HIPAA Privacy Rule require?

Answer 18

1. implementation of information privacy practices
2. limits use and disclosure of data without patient authorization
3. gives patients additional rights including the right to view and correct their medical records

Question 19

Who enforces the HIPAA Privacy Rule?

Answer 19

HHS Office of Civil Rights (OCR)

Question 20

For how long are HIPAA covered entities required to retain records related to their privacy policies (like complaints or public notices)?

Answer 20

Six years

Question 21

Can HIPAA covered entities ask patients to waive their rights under the Privacy Rule as a condition of care or coverage?

Answer 21

No

Question 22

What are exceptions to the HIPAA requirement that patients have access to their PHI?

Answer 22

1. psychotherapy notes
2. information gathered for legal actions
3. lab results specifically restricted by the Clinical Lab Improvement Amendments
4. circumstances if the entity thinks may cause the person to harm themselves or others

Question 23

What are the exceptions of HIPAA for states to make use of PHI without patient consent?

Answer 23

1. Reporting health information (birth, death records)
2. Public health (reporting vital stats or enforcing regulations)
3. Reporting information about health plans for oversight purpose

Question 24

What is the range of fines for the OCR?

Answer 24

$100 up to $50K per violation
For repeated violations, up to $1.5M per year (per provision)

Question 25

Is HIPAA enforcement handled through both civil and criminal?

Answer 25

Either or. DOJ handles criminal.

Question 26

Does the HIPAA Security Rule apply to physical records?

Answer 26

No. Only to ePHI.

Question 27

Does HIPAA preempt state laws?

Answer 27

Yes

Question 28

What was Athens Orthopedic?

Answer 28

In 2016 they suffered a large data breach where a hacker stole 208K peoples information. OCR fined them $1.5M in September 2020 and consent resolution for failing to implement required protections that may have prevented the breach.

Question 29

When was HITECH passed?

Answer 29

2009

Question 30

What does HITECH do?

Answer 30

provides incentives for healthcare orgs to use EHR and penalties for orgs that don’t use EHR. It also includes the Breach Notification Rule.

Question 31

Breach Notification Rule factors to determine if a breach has occurred

Answer 31

1. The type of information involved and whether individual patients may be identified.
2. The parties who used or access the information
3. The likelihood that PHI was actually shared
4. How well PHI is secured.

Question 32

How long do business associates have to notify healthcare orgs of a breach under the Breach Notification Rule (HITECH)?

Answer 32

60 days. Then the covered entity is responsible for the rest of the notifications.

Question 33

What are the notification steps for breaches under the Breach Notification Rule (HITECH) for breaches affecting fewer than 500 people?

Answer 33

Entities must notify victims with 60 days of discovery and report to HHS annually.

Question 34

What are the notification steps for breaches under the Breach Notification Rule (HITECH) for breaches affecting more than 500 people?

Answer 34

They must tell HHS within 60 days, notify the victims with 60 days AND notify media outlets (usually in the form of a press release).

Question 35

Do covered entities have to be able to prove they fulfilled notification requirements under the HITECH Act?

Answer 35

Yes. They must keep the documentation.

Question 36

What are the three types of use and disclosures that are not subject to the Breach Notification Rule?

Answer 36

1. Employee of a covered entity or BA accidentally accesses PHI but was acting in good faith
2. More than one person authorized to access the same PHI accidentally share with one another
3. If the entity has good reason to believe that no unauthorized parties will be able to retain the information (example - the data was fully encrypted and there was no way the information could be viewed).

Question 37

How does HITECH affect BAs?

Answer 37

Makes them directly subject to HIPAA so OCR can pursue enforcement actions directly against the BAs

Question 38

How does HITECH affect HIPAA fines?

Answer 38

Increases annual violation fines up to $1.5M

Question 39

How does HITECH affect the HIPAA Privacy Rule?

Answer 39

1. requires individual authorization for use of PHI in marketing
2. provides the ability for individuals to revoke authorizations for disclosure
3. requires healthcare orgs to maintain records of any PHI disclosures that may be viewed by patients upon request.

Question 40

When was the 21st Century Cures Act passed?

Answer 40

2016

Question 41

What does the 21st Century Cures Act do?

Answer 41

1. Penalizes information blocking
2. Sets up a framework for sharing certain mental health and substance abuse treatment information for adults with family or caregivers
3. Adds privacy protections for people participating in medical research (but exempts federal govt research that could identify an individual in a FOIA request)
4. Gives research participants “certificates of confidentiality” issued by the NIH

Question 42

What entities are subject to “Part Two” (Confidentiality of Substance Use Disorder Patient Records Rule)?

Answer 42

Any substance abuse treatment program that receives federal funding

Question 43

When was the Confidentiality of Substance Use Disorder Patient Records Rule passed?

Answer 43

1975

Question 44

What are the consequences of violating the Confidentiality of Substance Use Disorder Patient Records Rule?

Answer 44

Fines up to $500 for first offense, and $5K for repeat. Violators may also be subject to criminal prosecution.

Question 45

What kind of data is covered by the Confidentiality of Substance Use Disorder Patient Records Rule?

Answer 45

Any records related to alcohol or substance abuse treatment that could possibly identify an individual patient. It also restricts information that may expose a patient to criminal charges.

Question 46

When was the FCRA passed?

Answer 46

1970

Question 47

What entities are subject to the FCRA?

Answer 47

Entities that sell consumer reports and entities that use those reports to make decisions

Question 48

What is a consumer report?

Answer 48

Reports furnished to a customer for the purpose of making decisions about an individual related to extending credit, insurance coverage or employment, for a fee

Question 49

What types of information would make something a consumer report?

Answer 49

Creditworthiness
Credit standing
Credit capacity
Character
General reputation
Personal characteristics
Mode of living

Question 50

What rights does the FCRA confer to consumers?

Answer 50

The right to request access to their consumer report (including credit scores) and to be told if anything in the report has been used to make unfavorable decisions
The right to give consent before reports may be shared with employers, to implement security freezes and to seek damages from businesses that violate their rights

Question 51

What information must be provided in a notice of an unfavorable decision from a consumer report?

Answer 51

1. Contact info for the CRA
2. An explanation that the CRA only furnished the information and did not play a decision-making role
3. An explanation of consumer rights (right to access and dispute)

Question 52

When can a consumer report be shared without that person’s written consent?

Answer 52

1. In response to court orders
2. To review a consumer’s application for insurance underwriting or financial services, such as a credit card
3. When the information is needed to complete a transaction initiated by the consumer
4. To evaluate a consumer’s existing accounts or services to verify ongoing eligibility
5. To review a consumer’s application for certain government licenses or benefits where financial responsibility is a legal criterion
6. for use by prospective investors and insurers to evaluate risk when deciding whether to invest in consumer debt
7. For use in setting appropriate levels of child support payments
8. For use by insurance and credit firms to screen consumers in advance of offering products and services

Question 53

Who enforces the FCRA?

Answer 53

FTC, CFPB and states’ attorneys general

Question 54

When was FACTA passed?

Answer 54

2003

Question 55

What did FACTA do?

Answer 55

Give consumers a right to a free credit report every year, allows consumers to place fraud alerts on their credit reports, require potential creditors to verify an applicant’s ID before extending credit, gives consumers rights to trigger investigation into dispute data by the CRA
It also requires merchants to partially mask credit card numbers on receipts and transaction records and SSNs to be partially redacted (by consumer request)
Requires higher standard and more disclosures from CRAs
Clarifies the FACTA preemption rules, exempts certain communications involving employers, further protects medical information and creates an entity to offer educational programs for financial literacy

Question 56

What wear was the GLBA passed?

Answer 56

1999

Question 57

What businesses are subject to the GLBA?

Answer 57

Businesses that are “significantly engaged” in offering financial services

Question 58

What is the GLBA Privacy Rule?

Answer 58

Businesses must share their privacy notice when beginning a customer relationship and each year after

Question 59

How does GLBA differentiate between customers and consumers?

Answer 59

Customer - businesses must provide full privacy notices with all details listed in GLBA (beginning of relationship and annually)
Consumer - businesses must provide only a summary privacy notice that includes instructions for finding the full notice

Question 60

What is the GLBA Safeguards Rule?

Answer 60

Info security programs must have designated personnel, assess risk on an ongoing basis and put controls in place to minimize those risks and assess third party partners

It also offers guidance for lowering risk and emphasizes: (1) workfroce training, (2) securing information systems and (3) ongoing monitoring

Question 61

What is the Red Flags Rule?

Answer 61

Obligates financial institutions or any creditor to proactively monitor consumer data for identify theft by watching for “red flags”

Question 62

Who regulates the Red Flag Rule?

Answer 62

FTC, CFPB and states
SEC and Commodity Futures Trading Commission added by Dodd-Frank

Question 63

When was the Red Flags Rule enacted?

Answer 63

Originally in 2003 under FACTA
Expanded to SEC + CFTC under Dodd-Frank

Question 64

When was Dodd-Frank enacted?

Answer 64

2008

Question 65

What did the Dodd-Frank Act do?

Answer 65

Expanded UDAAP enforcement right to CFPB
Added Abusive to UDAAP

Question 66

What is an “abusive” act (UDAAP)?

Answer 66

Any act that materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service

Question 67

When was FERPA enacted?

Answer 67

1974

Question 68

What entities does FERPA apply to?

Answer 68

Educational institutions that receive federal funding from the US Department of Education (and third parties that maintain that data)

Question 69

What records does FERPA pertain to?

Answer 69

Any records maintained by an educational institution that pertain directly to a student

Question 70

What does FERPA exclude from regulation?

Answer 70

Law enforcement records and some application data and data collected after a student graduates. Also data from teachers like memory aids and individual notes.

Question 71

When can FERPA records be shared?

Answer 71

If they are sufficiently anonymized or the student/parent agrees or if there is a “legitimate educational interest”

Question 72

What contract language is important for FERPA regulated entities?

Answer 72

Educational institutions will designate tech providers as “school officials” so they can make that third party effectively part of the school and transfer records and so they are subject to FERPA

Question 73

When was the TCPA enacted?

Answer 73

1991 and updated in 2012 to add authority for regulating autodialers and robocalls

Question 74

What is the TSR and when was it enacted?

Answer 74

Telemarketing Sales Rule - 1995

Question 75

Does the TSR apply to financial institutions?

Answer 75

Not technically because it was enacted under the FTC which does not regulated financial institutions. However, the FCC, has jurisdiction over all telemarketing activities and adopted the TSR into its own rules.

Question 76

Who does the Established Business Relationship Exemption apply to?

Answer 76

Customers that have completed a purchase or transaction with the company within the last 18 months

Question 77

What are the TSR rules?

Answer 77

Calls can only be between 8AM and 9PM
Must use a valid caller ID
Must connect consumers to live person within two seconds
Can only use automated calls with direct written permission of the recipient
Establishes the DNC registry

Question 78

What is the TSR Safe Harbor?

Answer 78

Calls made by accident so long as they can show the call was truly an accident, there are DNC procedures and employee training, the company maintains a list of DNC numbers, and their is an internal monitoring process

Question 79

What calls do not apply to the Do Not Call registry?

Answer 79

Some calls by political groups, charities, some nonprofit orgs and surveys

Question 80

How often do telemarketers have to update their internal DNC list?

Answer 80

Every 31 days

Question 81

Why is the Globex Telecom (2020) enforcement action significant?

Answer 81

Globex was using VoIP. It shows that the FTC has ability to enforce regulations even if the technology to make the calls has changed.

Question 82

What was the DNC fines?

Answer 82

Up to $43,280 per call (which comes from the FTC Act). States can fine up to $25K per call.

Question 83

When was the Junk Fax Prevention Act enacted?

Answer 83

Added to the TCPA as an amendment in 2005

Question 84

When was CAN-SPAM enacted?

Answer 84

2003

Question 85

What does CAN-SPAM regulate?

Answer 85

Commercial electronic messages (based on primary purpose of the message). Both companies and individuals are subject to the law.

Question 86

Is there an individual private right of action under CAN-SPAM?

Answer 86

No

Question 87

What are the CAN-SPAM requirements for unsubscribing?

Answer 87

Every message must have a clear notice about how to opt-out. That right must be available for up to 30 days after sending the message. The company must comply within 10 days of a user opting out. Companies cannot sell email addresses of users that have opted out.

Question 88

Does CAN SPAM preempt state laws?

Answer 88

Yes. It does not allow states to have stricter rules.

Question 89

When was the Telecommunications Act passed?

Answer 89

1996

Question 90

What does the Telecommunications Act regulate?

Answer 90

CPNI (customer proprietary network information)

Question 91

Who does the CPNI apply to?

Answer 91

Telecommunications carriers (including VoIP)

Question 92

Are text messages regulated by CPNI?

Answer 92

No

Question 93

How long does a telecoms company have to notify law enforcement of a breach of their CPNI?

Answer 93

7 days

Question 94

When was the Cable Communications Policy Act enacted?

Answer 94

1984

Question 95

Are modern streaming services subject to the Cable Communications Policy Act?

Answer 95

Not usually. They don’t meet the definition of “providing cable service.”

Question 96

Does the Cable Communications Policy Act provide a private right of action?

Answer 96

Yes

Question 97

When was the Video Privacy Protection Act (VPPA) enacted?

Answer 97

1988

Question 98

Does the VPPA apply to streaming services?

Answer 98

Yes via court interpretation

Question 99

Does the VVPA provide a private right of action?

Answer 99

Yes

Question 100

Does the VVPA preempt state law?

Answer 100

Yes only if a state law allows or even require MORE disclosure than is permitted by the VPPA. State laws can enforce stricter protections against disclosure of PII.

Question 101

Can the FTC make regulatory actions against non-profits?

Answer 101

No. It is exclusive to commerce.

Question 102

What happened in the Wyndham 2015 FTC case?

Answer 102

Landmark case that established the FTC had authority to implement security rules.
Wyndham’s security practices led to breach of consumer credit card numbers.

Question 103

What is the FTC “sunset” policy?

Answer 103

Sets a 20 year maximum length for a consent decree

Question 104

Google & YouTube COPPA Agreement

Answer 104

Notable because
1. $170M fine for Google
2. FTC published guidelines to show how they will determine if a site is directed toward children

Question 105

How does HHS distinguish between entities that provide tracking and cookies for HIPAA covered entities?

Answer 105

If the webpage authenticates users, the information is PHI and the service is a business associate.

Question 106

Can credit reports be oral?

Answer 106

Yes

Question 107

What are the damages available to consumers under the FCRA?

Answer 107

Actual damages
Punitive damages
Legal costs

Question 108

What is the other name for the GLBA?

Answer 108

Financial Services Modernization Act of 1999

Question 109

What data does the CCPA exclude?

Answer 109

Data collected under the GLBA

Question 110

Which states have GLBA exemptions?

Answer 110

California
Colorado
Nevada
Virginia

Question 111

What are abusive practices?

Answer 111

1. Materially interfere with ability of consumer to understand a term or condition OR
2. Takes unreasonable advantage of: lack of consumer understanding or inability to protect interests or reasonable reliance on providers to act in the interest of the consumer

Question 112

Who has the rights under FERPA if a student is under 18 and enrolled at a postsecondary school? (student or parent)

Answer 112

The student

Question 113

What is a transactional relationship that is excluded from the CAN SPAM Act

Answer 113

1. Facilitates or confirms a transaction
2. Provides warranty, recall, safety or security information
3. Gives information about change sin terms of an existing account
4. Provides information about the employment relationship
5. Delivers goods or services

Question 114

What are the CAN SPAM rules?

Answer 114

1. Don’t use false or misleading header information
2. Don’t use deceptive subject lines
3. Identify the message as an advertisement
4. Tell recipients where you are located
5. Provide opt-out instructions
6. Honor opt-out requests promptly
7. Monitor what others are doing on your behalf

Question 115

What are the GAPP principles?

Answer 115

1. Management
2. Notice
3. Choice and consent
4. Collection
5. Use, retention and disposal
6. Access
7. Disclosure to Third Parties
8. Security
9. Quality
10. Monitoring and Enforcement