State Privacy Laws Flashcards

1
Q

What is information security?

A

Protection of information for the purpose of preventing loss, unauthorized access or misuse. Requires ongoing assessment of threats and risks to information, and of the procedures and controls in place to preserve it.

2
Q

What are the three key attributes of information security?

A

Confidentiality - access to data is limited to authorized parties
Integrity - assurance that the data is authentic and complete
Availability - assurance that the data is accessible as needed by those who are authorized to use it

3
Q

How is information security achieved?

A

Implementing controls, which need to be monitored and reviewed to ensure security objectives are met. Security controls are mechanisms put in place to prevent, detect or correct a security incident.

4
Q

What are the three types of security controls?

A

Physical - such as locks, security cameras and fences
Administrative - incident response procedures and training
Technical - firewalls, antivirus software and access logs

5
Q

Information security vs information privacy

A

Privacy includes what sorts of use and disclosure of personal information should be authorized, and data subjects' rights to control the data, including notice and consent.

6
Q

Federal information security laws

A

No federal legislation directly imposes information security standards across all industries, but the healthcare and financial sectors have federally imposed information security provisions.

The FTC uses Section 5 of the FTC Act to bring actions against companies that misrepresent their information security practices (a deceptive trade practice) or fail to provide reasonable procedures to protect personal information (an unfair trade practice).

7
Q

California AB 1950

A

California's Assembly Bill 1950 encourages businesses that own or license personal information about Californians to provide reasonable security.

One of the first state laws on security.

8
Q

State laws on information security

A

In the absence of comprehensive federal requirements, some state legislatures have passed laws requiring companies to take information security measures to protect citizens' sensitive information.

9
Q

Laws on social security numbers

A

The majority of states have laws limiting businesses' right to use Social Security numbers.

Ex: prohibiting businesses from requiring that customers transmit their SSN over an unencrypted internet connection, from printing it on mailings, or from printing it on ID or membership cards.

The federal government has limits as well.

10
Q

Data destruction laws

A

As of 2017, at least 32 states have data destruction laws, which are sometimes incorporated into data breach laws.

Common elements: who the law applies to, the required notice, exemptions, the covered media, and the penalties.

11
Q

What are the elements of state data breach notification laws?

A
  • Definition of personal information / data elements that trigger reporting requirements
  • what entities are covered
  • definition of a security breach
  • level of harm requiring notification
  • whom to notify
  • when to notify
  • what to include in notification
  • how to notify
  • exceptions to notifications
  • penalties and rights of action
12
Q

What is personal information (state data breach notification laws)?

A

These elements are part of the definition in all state data breach notification laws, although more than half contain additional elements.

An individual's first name or first initial and last name, in combination with any one or more of the following:
SSN; driver's license or state ID card number; account number, credit card or debit card number in combination with any required security code that would permit access to an individual's financial account.

13
Q

Security breach (state data breach notification laws)

A

Unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information, when the personal information has not been secured by encryption or another method that renders it unreadable or unusable.

14
Q

Covered entity (state data breach notification law)

A

Any person who conducts business in the state and who owns, licenses or maintains computerized data that includes personal information.

15
Q

Who to notify in data breach

A

Primary - state residents / third parties whose data has been exposed
More than half of the states require entities to notify the state attorney general and/or other state agencies; some only require it if 500 or more of their residents were affected
Some states require entities to notify nationwide credit reporting agencies
In all states, an entity that does not own the data must notify the data owner (a processor notifying the controller)

16
Q

When to notify of data breach

A

In the most expeditious time possible and without unreasonable delay.

Typically no later than 45 days after discovery of the breach.

Legislatures recognize the need for the affected entity to conduct a reasonable investigation in order to determine the scope of the breach, restore the integrity of the system, or determine whether the breach is the result of criminal activity.

17
Q

What to include in data breach notification

A

Description of the incident
Type of personal information that was subject to the breach
Steps taken to protect the personal information from further unauthorized access
A phone number to call
Advice to stay vigilant
Phone numbers for the consumer reporting agencies
Phone number and website for the FTC

18
Q

How to notify of data breach

A

Written notice to the data subject is required first
Telephone and electronic messages are alternatives

Notification to state attorneys general and regulators may be sent via email, letter or online forms

Notification to consumer reporting agencies is via email

19
Q

Exceptions to notifications for data breaches

A

Entities subject to other, more stringent data breach notification laws (HIPAA or the GLBA Safeguards Rule)
Entities that already follow breach notification procedures as part of their own information security policies, as long as these are compatible with the requirements of the state law
If the data was encrypted, redacted, unreadable or unusable

20
Q

Penalties for data breaches

A

Enforcement is by the state attorney general

Civil penalty or payment
Private right of action for harmed individuals to recover damages

21
Q

Types of data breach incidents

A

Unintended disclosure - sensitive info mishandled or sent to the wrong party
Hacking / malware - electronic entry by an outside party
Payment card fraud - fraud involving payment cards that is not accomplished via hacking
Insider - employee or CW intentionally breaching information
Physical loss - stolen paper documents
Portable device - lost or stolen laptop, smartphone, etc.
Stationary device - lost or stolen computer or server not designed for mobility

22
Q

Fundamentals of incident management for a data breach

A
  1. Determine whether a breach has actually occurred
  2. Contain and analyze the incident
  3. Notify affected parties
  4. Implement effective follow-up methods
23
Q

California SB-1

A

California Financial Information Privacy Act
Expands the financial privacy protections afforded under the GLBA
- increases the disclosure requirements of financial institutions and grants consumers increased rights with regard to the sharing of information
- opt-in consent is required for a financial institution to share personal information with nonaffiliated third parties
- grants consumers the ability to opt out of information sharing between their financial institutions and affiliates not in the same line of business

24
Q

Data breach notification laws - Tennessee SB 2005

A

First state to require notification of any breach, whether the data is encrypted or not.
45 days to notify of a breach.

25
Q

Data breach notification laws - California AB 2828

A

Requires notification of breached encrypted data in addition to unencrypted data.

26
Q

Data breach notification laws - New Mexico HB 15

A

Includes encrypted data if the keys were likely compromised, as well as unencrypted data.
45 days to notify.

27
Q

CCPA

A

Residents of CA have the following rights:

  • know what personal info is collected about them
  • access that information
  • know if their personal info is disclosed
  • know if their personal info is sold
  • receive equal service and price whether or not they exercise their privacy rights
28
Q

CalECPA

A

California Electronic Communications Privacy Act

Protects location data, content, metadata, and device searches.

The Act requires law enforcement to obtain a warrant, wiretap order, order for electronic reader records, or subpoena issued pursuant to existing state law before compelling or accessing electronic information, except in emergency situations.

29
Q

NYDFS cyber security regulation

A
  • creation and implementation of security policies and procedures
  • limitation of user access privileges
  • designation of a CISO
  • written IR plan
30
Q

Illinois right to know act

A

Gives consumers the right to know what information has been collected about them and who has access to it.

31
Q

Washington biometric privacy law

A

Forbids commercial interests from obtaining or selling individuals' biometric information without their consent, and limits the period of time for which the data may be kept.

32
Q

New Jersey personal information and privacy protection act

A

Limits the purposes for which retail establishments may lawfully scan a person's government-issued identification card, such as a driver's license.

Limits the data that can be collected from such scanning and how that data can be retained and used.

33
Q

Delaware online privacy and protection act

A

A law that provides privacy protections to the state's residents.

  • advertising to children is strictly regulated
  • privacy policies must be conspicuously posted
  • privacy protections for users of digital books are enhanced
34
Q

Nevada SB 538

A

Requires operators of websites and online services to provide notice to Nevada residents of their practices relating to the collection and disclosure of PII.

35
Q

Massachusetts HB 4806

A

Sets notice requirements in the case of a data breach.
Requires companies to contract with a third party to offer affected residents free credit monitoring services, and prohibits security freeze fees.

36
Q

Illinois HB 1260

A

Expands the definition of personal information to include medical information.
Requires that the attorney general be notified of a breach in certain circumstances.
Limits the encryption safe harbor if the encryption key was possibly acquired in the data breach.