Terms in this set (259)
enforces against (Section 5) unfair + deceptive trade practices, including cases where a company has broken a privacy promise. Independent agency, not under direct presidential control
Healthcare Service Self Regulatory Programs
State Attorney General
brings privacy-related enforcement actions at state level
when one person sues another person to redress a wrong --> monetary judgment
lawsuits brought by gov't for violations of criminal law
FTC Enforcement Process and Consent Decrees
(1) Claim that a company has committed an unfair or deceptive act
(2) following an investigation (subpoenas) --> may initiate an enforcement action if it has reason to believe a law is being violated
(3) commission issues a complaint, and an administrative trial can proceed before ALJ
(4) ALJ decision can be appealed to the full Commission (5 commissioners); the Commission's final order can be appealed to a federal court of appeals
(5) order by commission becomes final after 60 days of service
adopted the Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy ('07) --> focuses on the need to address common privacy issues on a global scale
established in 2010 following the OECD recommendation --> aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities
Self-Regulatory Programs and Trust Marks
third party privacy seal/certification programs that give assurance that companies are complying w/ self-regulatory programs. Companies may demonstrate compliance and improve customer confidence by displaying a trust mark in the form of a seal, logo or certification showing that the company is part of the certification program
Companies are responsible for the actions of vendors they contract w/ to collect, analyze, catalogue or provide data management services on the company's behalf --> requires precautions in contracts (security, use and onward-transfer limits, audit rights)
EU-US Privacy Shield
framework for transatlantic exchanges of personal data for commercial purposes b/w EU and US --> enabled US companies to self-certify and receive personal data from EU entities (note: invalidated by the CJEU in Schrems II, July 2020; no longer a valid transfer mechanism)
Principles of Privacy Shield
- notice: clear notice of the organization's participation in Privacy Shield + purposes for which data is collected
- choice: provide clear mechanisms by which individuals can opt out
- accountability for onward transfer: third parties receiving the data must agree to provide the same level of protection
- security: reasonable and appropriate measures to protect data
- data integrity + purpose limitation: data must be relevant to the purposes of processing + collection limited to relevant data
- access: provide individuals w/ access to their personal data
- recourse, enforcement and liability: independent recourse mechanisms distinct from the FTC + third party dispute bodies to investigate and resolve complaints
- verification that they actually implement the policies they promise
permits personal data transfers to a 3rd country or international organization subject to compliance w/ a set of conditions --> country must be found adequate (adequacy decision by the EU Commission, w/ opinion from the Article 29 Working Party)
Standard contractual clauses
Commission-approved clauses don't need further approval by data protection authorities (safeguard where no adequacy decision exists)
ad hoc clauses require approval from a supervisory authority in accordance w/ the consistency mechanism
Codes of Conduct
similar to self-regulatory programs --> used to demonstrate to regulators and consumers that a company adheres to certain info privacy standards (must be submitted to the appropriate supervisory authority for approval)
Data Protection Authority
must demonstrate, by contractual or other legally binding instruments, their willingness to adhere to the mandated data protection safeguards
Federal Trade Commission Act
established the FTC ('14), outlawed unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce
Section 5 of FTC Act
outlawed unfair/deceptive acts
FTC Privacy Enforcement Actions
- if minor violation --> work w/ company to resolve the problem w/o launching formal investigation
- significant pattern --> full enforcement
Significant pattern of non compliance
- issues a complaint
- administrative trial commences before an administrative law judge
- appealable to the five commissioners, whose final order is appealable to a federal court of appeals
- order by commission is final after 60 days of service
penalties of FTC Section 5
- civil penalty for violating an order: $16K per violation (inflation-adjusted annually, so higher today); each day the violator fails to comply is a separate offense
-usually settled thru consent decrees
users were required to fill out an online form that requested PI and were promised that the collected info would not be sold w/o user consent
Unfair and Deceptive
Misrepresented how it would use the info by reselling it to 3rd parties.
Settled action + Consent Order (post online privacy notice that disclosed how it would collect PI + consent)
Eli Lilly facts
website sent subscribers email regarding medication. Accidentally sent an email (via the To: field) that revealed the email addresses of all subscribers
Eli Lilly rule/holding
required for first time that Lilly maintain an information privacy and security program
regarding Passport sign-in service. Represented that it maintained a high level of security control when it did not
(1) prohibited from making future misrepresentations + (2) required to adopt/implement a comprehensive information security program + (3) biennial (every 2 years) third party assessment to ensure compliance
Gateway Learning facts
marketed and sold Hooked on Phonics. Privacy notice said it would not distribute PI w/o consent and would provide an opt out.
But made retroactive change and did so.
consent decree stating that retroactive application of material changes to company's data sharing policy was unfair
First FTC privacy case to allege unfairness (alongside deception)
BJ's Wholesale Club, Inc facts
security flaws (unencrypted card data retained on in-store networks) caused substantial injury + resulted in roughly 800 cases of identity theft/fraudulent purchases
BJ's Wholesale Club Rule/Holding
consent decree required BJ's to implement a comprehensive security program
first time based solely on unfairness
first time in which a company agreed to implement a comprehensive privacy program
signals that privacy should be thoroughly integrated at development
independent third party privacy audits
first substantial US-Eu Safe Harbor Enforcement
who does COPPA apply to
applies to: operators of commercial websites and online services (1) directed to children under 13 + (2) general-audience sites/services w/ actual knowledge that they are collecting PI from children under 13
General Requirements of COPPA
post a privacy notice on the homepage of the website + link to the notice on every page where PI is collected + provide direct notice to parents and obtain verifiable consent + provide parents access to view data and the ability to prevent future collection + maintain confidentiality, security and integrity of the data + collect no more than reasonably necessary for the activity
what should privacy notice include
(1) contact info for website operators
(2) type of info collected
(3) how info will be used
(4) whether info will be disclosed to 3rd party
(5) stmt that the parent may consent to collection and use w/o consenting to disclosure to 3rd parties
(6) stmt that the operator may not condition a child's participation on disclosing more PI than is reasonably necessary
how to obtain parental verifiable consent to COPPA
(1) use info only for internal purposes --> "email plus" method (email consent plus a confirming step such as a follow-up email, letter or call)
(2) disclose info to third parties or make it publicly available --> (a) provide a form to sign and mail/fax/scan back, (b) ask parent to use a credit card in connection w/ a transaction, (c) maintain a telephone # staffed by trained people for parents to call in their consent, OR (d) accept emails from parents that contain a digital signature
exceptions to consent requirements
(1) respond to specific request from child, as long as PI is deleted immediately after
(2) to protect safety of child
(3) to protect the security/integrity of the site, or to respond to judicial process or law enforcement requests
who is covered: health care providers, health plans/insurers, healthcare clearinghouses, business associates (directly under HITECH)
who enforces: Dep't of HHS (Office for Civil Rights)
preemption: states may pass privacy laws w/ stricter requirements
HIPAA Privacy Rule
(1) Privacy notice: detailed privacy notice at date of first delivery w/ stmts about individual's rights w/ respect to PHI
(3) other uses require opt-in authorizations
(4) Minimum Necessary Use: covered entities must make reasonable efforts to limit the use/disclosure of PHI
(5) Individuals have the right to access and copy their own PHI from a covered entity or business associate
(6) Administrative, technical, physical safeguards
(7) Privacy official designation
when can PHI be used/disclosed w/o individual authorization
Treatment, payment and healthcare operations.
(1) De-Identified Data
(2) Medical Research Purposes (w/ authorization of the individual OR w/o authorization if an institutional review board or privacy board approves a waiver)
HIPAA's opt in authorization
Independent document that identifies the information to be used or disclosed; purposes of the use or disclosure; the person or entity to which disclosure made
HIPAA Security Rule
what type of information: ePHI
(1) ensure CIA of all ePHI
(2) Protect against reasonably anticipated threats
(3) Protect against reasonably anticipated uses/disclosures
who is responsible: must designate a security official responsible for implementation and oversight of Security Rule compliance
(1) breach of unsecured PHI --> conduct a risk assessment to determine the probability of compromise (unless low probability --> notification w/o unreasonable delay and within 60 days of discovery)
(2) Increased penalties --> up to $1.5 mill per year for all violations of an identical provision
(3) patients who pay out of pocket in full can restrict disclosure by the provider to their health plan
21st Century Cures Act of '16
(1) gives medical researchers the ability to review certain data to develop research protocols remotely
(2) creates a certificate of confidentiality --> protects privacy in the research field
(3) requires more guidance in connection w/ patient authorizations under HIPAA for research purposes
Confidentiality of Alcohol and Drug Abuse Patient Records
issue: privacy of records of individuals who seek treatment for substance abuse (42 CFR Part 2)
- patients who give a general designation of "to whom" in their consent form must, on request, be provided a list of entities to which their information has been disclosed pursuant to that general designation
- entities that legally hold identifying patient info are now required to have formal policies and procedures addressing security
who is covered: health insurers (Title I) + employers (Title II)
types of info: genetic info
- insurers can't discriminate on the basis of genetic predisposition in the absence of manifest symptoms
- can't request/require that an applicant undergo genetic testing AND
- employers can't use genetic info in making employment decisions
employers CAN acquire genetic information IF:
- acquisition is inadvertent
- acquired as part of an employer-offered wellness program that the employee voluntarily participates in w/ written authorization
- acquired through Family Medical Leave Act of '93 certification
- employer purchases commercially and publicly available materials that include the information
- info is used for genetic monitoring of toxin exposure in the workplace, where required by law or where the employee voluntarily participates w/ written authorization
- law enforcement purposes (e.g., forensic DNA labs, identification of human remains)
users must certify to CRA before obtaining a CR that they have a permissible purpose
permissible purpose (under FCRA)
(1) ordered by subpoena
(2) instructed by consumer in writing
(3) employment purposes where consumer has given written permission
(4) legitimate business need that is initiated by consumer
(5) review consumer's accnt
(6) to determine child support payments
FCRA General Requirements
- data must be accurate, current, and complete
- consumers must receive notice when 3rd party data is used to make adverse decisions about them
- consumers must have access to their CR + opportunity to dispute them or correct any records
- refrain from reporting on info that is outdated (information that is over 7 years old + bankruptcies that are more than 10 years old)
Adverse decisions Notification
- name, address, telephone # of CRA that provided report
- stmt that CRA did not make adverse decision
- tell them of their right to obtain free disclosure of their consumer file if they make the request within 60 days
who enforces FCRA
- CFPB for consumer financial protection issues + rulemaking
- FTC for entities not otherwise regulated
- federal financial regulators (Federal Reserve, OCC, etc.) for the institutions they supervise
Penalties of FCRA
- Enforced by: FTC + CFPB + State AG
- Private Right of Action: actual damages; for willful violations, statutory damages of $100 to $1K per violation + punitive damages + attorney fees
- Civil penalties (agency enforcement): up to $2,500 per knowing violation
Fair and Accurate Credit Transactions Act (FACTA) of '03
- truncation of credit/debit card numbers on electronically printed receipts (no more than the last 5 digits, no expiration date)
- gives consumers new rights to an explanation of credit scores
- right to request a free annual credit report from each of the 3 national consumer credit agencies
- includes Disposal Rule + Red Flags Rule
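Receipt truncation is one of the few FACTA requirements that lands directly on engineers. The following is an added example, not part of the original set: a field-level masker for a point-of-sale template plus a free-text scrubber for receipt output that a system did not template. The Luhn check is an assumption added here so that order numbers of card-like length are left alone; the card numbers are constructed test values.

```python
"""Truncate payment card data on a printed receipt (FACTA: keep at most the
last five digits of the card number, print no expiration date).

Two helpers: truncate_pan() for a template that knows which field is the
card number, and scrub_receipt() for free receipt text. The Luhn check digit
is used as a heuristic (an assumption added here, not a FACTA requirement)
so that same-length order or invoice numbers are not masked by mistake."""
import re


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right,
    subtract 9 from doubled values above 9, sum must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep: int = 5) -> str:
    """Replace every digit except the last `keep` with '*', preserving
    spaces or dashes so the receipt layout is unchanged."""
    digit_count = sum(ch.isdigit() for ch in pan)
    if digit_count <= keep:
        raise ValueError("card number has no more digits than the portion to keep")
    to_mask = digit_count - keep
    out = []
    for ch in pan:
        if ch.isdigit() and to_mask > 0:
            out.append("*")
            to_mask -= 1
        else:
            out.append(ch)
    return "".join(out)


# MM/YY expiry not followed by another '/', so a full date like 06/01/2024 is untouched.
EXPIRY = re.compile(r"\b(0[1-9]|1[0-2])/(\d{2})\b(?!/)")
# 13 to 19 digits with optional single space/dash separators (typical PAN lengths).
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def scrub_receipt(text: str) -> str:
    """Mask every Luhn-valid card-like number and blank out MM/YY expiry dates."""
    def mask_if_pan(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return truncate_pan(m.group(0)) if luhn_valid(digits) else m.group(0)

    return EXPIRY.sub("**/**", CANDIDATE.sub(mask_if_pan, text))


if __name__ == "__main__":
    # Constructed sample receipt line; 4111 1111 1111 1111 is a well-known test PAN.
    print(scrub_receipt("VISA 4111 1111 1111 1111 EXP 12/27 Order 1234 5678 9012 3456"))
```

The order number in the sample fails the Luhn check and is left readable; the card number keeps only "1 1111" and the expiry is blanked.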
requires any individual/entity that uses a CR to dispose of that consumer information in a way that prevents unauthorized access
- dispose in a reaonable way
Red Flags Rule
financial institutions and creditors must develop and implement written identity theft prevention programs that identify and respond to red flags signaling identity theft
applies to: financial institutions (banks, savings associations, credit unions) + creditors that hold covered accounts
enforced by: FTC for entities under its jurisdiction + the federal financial regulators for the institutions they supervise
GLBA general requirements
(1) store personal financial information in a secure manner
(2) provide notice of their policies regarding the sharing of personal financial information
(3) provide consumers w/ the choice to opt out of sharing some personal financial information
GLBA Privacy Rule
(1) prepare clear privacy notice at time relationship is established + annually therafter
(2) provide opt out of PI shared w/ non affiliated 3rd parties
(3) refrain from disclosing account numbers to nonaffiliated 3rd parties for marketing purposes
(4) comply w/ standards to protect CIA
GLBA Privacy Rule and Privacy Notices
- provide initial and annual privacy notices to consumers on nine categories of information and must process opt outs within 30 days
GLBA Privacy Notices
- info the financial institution collects
- w/ whom it shares info
- how it protects or safeguards the info
- explanation of how a consumer may opt out
GLBA No Opt out if
- financial institution provides info w/ outside companies that provide essential services
- disclosure is legally required
GLBA Safeguards Rule
develop and maintain security controls to protect confidentiality and integrity of personal consumer information
Safeguards Information Security Program
- designate employee to coordinate its information security program
- identify and assess the risks to customer information in each relevant area of operation
- design safeguards program and test it
- select service providers that can maintain appropriate safeguards
- evolve program
expands GLBA --> increases disclosure requirements
violation: $2,500 per consumer, up to $500K per occurrence
California SB-1 opt-in and opt-out requirements
(1) when sharing personal info w/ nonaffiliated third party --> written opt in consent
(2) when sharing info w/ affiliates not in the same line of business --> opt out
(3) don't need consent to share info w/ wholly owned subsidiaries engaged in same line of business
Dodd-Frank Wall Street Reform Act
created CFPB which oversees relationship b/w consumers and financial services
What does the CFPB do in relation to Dodd-Frank
can bring enforcement against (1) unfair + deceptive acts AND (2) against abusive acts + practices
what is an abusive act and practice under CFPB
(1) materially interferes w/ ability of consumer to understand a term or condition of a consumer financial product
(2) takes unreasonable advantage of (a) understanding of material risk (b) inability of consumer to protect its interest (c) reasonable reliance by consumer on a covered person to act in the interests of the consumer
violations of Dodd-Frank
$5K per day for violations, $25K per day for reckless violations, and $1 mil per day for knowing violations
Bank Secrecy Act
authorizes US treasury secretary to issue regulations that impose extensive record-keeping and reporting requirements on financial institutions
Bank Secrecy General Rule
financial institutions must keep records of, and report, currency transactions > $10K (Currency Transaction Report)
who does BSA apply to
financial institutions --> banks, securities brokers and dealers, money services businesses, telegraph companies
BSA Record Retention Requirements
records of high degree of usefulness --> borrower's name and address, credit amt, purpose of credit and date of credit
How long does BSA require records to be maintained
Suspicious Activity Reports (BSA)
Financial institutions must file SAR when:
(1) suspects that insider is committing crime
(2) when entity detects a possible crime involving $5K or more and a suspect can be identified
(3) when entity detects a possible crime involving $25K or more, regardless of whether a suspect is identified
(4) when entity suspects transactions aggregating $5K or more that involve potential money laundering or evasion of BSA requirements
BSA civil penalties: the greater of $25K or the amount of the transaction (up to $100K)
$5k per day for failure to comply w/ regulations
provides parents (and eligible students) w/ control over disclosure of and access to education records. prevents schools from divulging education record info to parties other than the parent/eligible student w/o consent
- 8 a.m. - 9 p.m. calls only (called party's local time)
- screen/scrub names against the DNC list
- identify themselves and what they are selling
- disclose all material info
- honor requests not to be called again (company-specific do-not-call list)
- retain records for at least 24 months
- comply w/ special rules (prizes, credit repair, etc.)
- prohibits call abandonment
- prohibits material misrepresentation
Telephone Consumer Protection Act
enforced by: FCC
allow indivdiuals to file lawsuits for receiving unsolicited telemarketing calls, faxes, pre-recorded calls
Do Not Call Registry
- requires telemarketers to search the registry every 31 days and avoid calling any phone numbers that are on the registry
- means for US residents to register residential and wireless phone numbers that they do not wish to be called for telemarketing purposes
Penalties for Do Not Call
16K per violation + injunction that prohibit certain conduct
Do Not Call
Requires sellers and telemarketers to access the registry prior to making phone based solicitations and to update call lists every 31 days
Do Not Call Exceptions
Does not apply to:
- Nonprofits calling on their behalf
- Calls to customers w/ an EBR within 18 months
- Calls to prospective customers who made an inquiry or application within the past 3 months
- clear and conspicuous, written consent
Do Not Call Safe Harbor
for inadvertent mistakes. if the telemarketer can show that, as part of its routine business practice, it meets the requirements of the safe harbor, it will not be subject to civil penalties for the mistake
Do Not Call Safe Harbor Requirements
- Written procedures to comply w/ DNC Requirements
- Trains its personnel in those procedures
- It monitors and enforces compliance w/ these procedures
- maintains a company-specific list of telephone numbers that it may not call
- every 31 days, it accesses registry and documents it
- any call made in violation of the do not call rules was result of error
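The safe harbor above is only available if the scrub is actually part of routine practice, so the check belongs in code rather than in a procedure document. The following is an added example, not from the original set: a scrub that refuses to run on a registry copy older than 31 days, always honors the company-specific list, and lets a registered number through only on an established business relationship (purchase within 18 months, inquiry within 3 months) or written consent. Numbers, dates and the 30-day month approximation are constructed assumptions.

```python
"""Scrub a telemarketing call list against the national Do Not Call registry.

Rules encoded: the registry snapshot must be no older than 31 days; numbers on
the company-specific do-not-call list are never called; numbers on the national
registry may be called only with an established business relationship (purchase
within 18 months or inquiry within 3 months) or written consent. All numbers and
dates below are constructed sample data, not real registry contents."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REGISTRY_MAX_AGE = timedelta(days=31)
EBR_PURCHASE_WINDOW = timedelta(days=18 * 30)  # 18 months, approximated as 30-day months
EBR_INQUIRY_WINDOW = timedelta(days=3 * 30)    # 3 months, same approximation


def normalize(number: str) -> str:
    """Digits only, dropping a leading US country code, so that
    '(202) 555-0143' and '+1 202-555-0143' compare equal."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


@dataclass
class Prospect:
    number: str
    last_purchase: Optional[date] = None
    last_inquiry: Optional[date] = None
    written_consent: bool = False


@dataclass
class RegistrySnapshot:
    fetched: date        # date the registry copy was downloaded
    numbers: set[str]    # numbers listed in the copy


def has_ebr(p: Prospect, today: date) -> bool:
    """Established business relationship: recent purchase or recent inquiry."""
    if p.last_purchase and today - p.last_purchase <= EBR_PURCHASE_WINDOW:
        return True
    if p.last_inquiry and today - p.last_inquiry <= EBR_INQUIRY_WINDOW:
        return True
    return False


def scrub(prospects: list[Prospect], registry: RegistrySnapshot,
          company_dnc: set[str], today: date) -> tuple[list[str], dict[str, str]]:
    """Return (numbers that may be called, blocked number -> reason).
    Raises if the registry copy is stale: calling from it forfeits the safe harbor."""
    if today - registry.fetched > REGISTRY_MAX_AGE:
        raise ValueError(f"registry snapshot from {registry.fetched} is older than 31 days")
    registry_numbers = {normalize(n) for n in registry.numbers}
    company_numbers = {normalize(n) for n in company_dnc}
    allowed: list[str] = []
    blocked: dict[str, str] = {}
    for p in prospects:
        n = normalize(p.number)
        if n in company_numbers:
            # A direct request not to be called is honored regardless of EBR or consent.
            blocked[n] = "company-specific do-not-call request"
        elif n in registry_numbers and not (has_ebr(p, today) or p.written_consent):
            blocked[n] = "on national registry, no EBR or written consent"
        else:
            allowed.append(n)
    return allowed, blocked


def sample_run() -> tuple[list[str], dict[str, str]]:
    """Constructed scenario: fresh registry, one company-specific request, mixed prospects."""
    today = date(2024, 6, 1)
    registry = RegistrySnapshot(fetched=date(2024, 5, 10),
                                numbers={"2025550143", "2025550199", "2025550177"})
    company_dnc = {"(202) 555-0120"}
    prospects = [
        Prospect("202-555-0143"),                                      # registered, no relationship
        Prospect("+1 202 555 0199", last_purchase=date(2023, 3, 1)),   # registered, purchase < 18 months
        Prospect("2025550177", last_inquiry=date(2024, 1, 15)),        # registered, inquiry > 3 months
        Prospect("202-555-0120", written_consent=True),                # company DNC wins over consent
        Prospect("202-555-0155"),                                      # not registered
    ]
    return scrub(prospects, registry, company_dnc, today)


if __name__ == "__main__":
    print(sample_run())
```

The stale-registry case raises instead of returning a partial list on purpose: a run that silently proceeds on a 40-day-old copy looks compliant in the logs while the safe harbor is already lost.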
applies: anyone who advertises products or services by electronic mail directed to or originating from the US
covers: transmission of commercial email messages
- prohibits false/deceptive headers and misleading subject lines
- clear, working return email address
- clear and conspicuous opt out mechanism
- clearly identify the message as an advertisement
- tell recipients where you're located (valid physical postal address)
- honor opt outs within 10 business days
enforced by: FTC + FCC
penalties of CAN-SPAM
$16K per violation
Junk Fax Prevention Act
permits sending of commercial faxes to recipients bsed on an EBR, as long as sender offers an opt out in accordance w/ the act
Existing Business Relationship --> entered into purchase or services transaction w/ the sender within 18 months OR if the recipient has made an inquiry or application within past 3 month
Wireless Domain Registry
Telecommunications Act of '96
Cable Communications Privacy Act '84
Required to give subscribers a privacy notice that clearly informs subscribers of:
(1) nature of PI collected (2) how the info will be used (3) retention period of the info (4) manner by which the subscriber can access the info
what kind of information can cable television providers collect
PI that is necessary to render cable services or to detect unauthorized reception of cable services
Video Privacy Protection Act of '88
Applies to: video tape service providers --> rental, sale or delivery of prerecorded video cassette tapes or similar audio visual materials
requires: PI be destroyed as soon as practicable, no later than 1 year the date the info is no longer necessary for purpose for which it was collected and there are no pending requests or orders
Exceptions to VPPA
(1) made to the consumer; (2) made subject to contemporaneous written consent; (3) made to law enforcement pursuant to a warrant; (4) includes only names/addresses of consumers; (5) pursuant to court order
Penalty for VPPA
Video Privacy Protection Act Amendments Act
Allows video rental companies to obtain customer consent (opt in) to share information about their viewing preferences via social media
FTC and Employment
oversees the FCRA -- limits employer's ability to receive an employee's or applicant's credit report, etc.
Equal Employment Opportunity Commission
works to prevent discrimination in the workplace
What laws does EEOC maintain
Civil Rights Act, Age Discrimination in Employment Act and ADA
US Department of Labor
oversees the welfare of the job seekers -- improves working conditions, protects retirement and healthcare benefits, etc
What laws does US DoL administer
Fair Labor Standards Act, Occupational Safety and Health Act, and Employee Retirement Income Security Act
National Labor Relations Board
conducts elections to determine if employees want union representation and investigates and remedies unfair labor practices
what law does NLRB administer
US Anti Discrimination Laws
- Civil Rights Act '64
- Pregnancy Discrimination Act
- Equal Pay Act of '63
Civil Rights Act of '64
Title VII bars employment discrimination based on race, color, religion, sex or national origin
Pregnancy Discrimination Act
bars discrimination due to pregnancy, childbirth and related medical conditions
bars discrimination against qualified individuals w/ disabilities
Equal Pay Act
bars gender based wage discrimination
GINA + Employment
bars using genetic info to discriminate in hiring, firing, promotion or benefits
FCRA and pre-employment
- provide written notice to applicant
- obtain written consent from applicant
- obtain data only from a qualified CRA
- certify to CRA that employer has permissible purpose/consent
- before taking adverse action --> provide pre-adverse action notice to applicant w/ copy of CR (in order to let them dispute)
- after taking adverse action --> provide an adverse action notice
Employee Polygraph Protection Act
- employers are prohibited from using lie detectors on incumbent workers or to screen applicants
exceptions for EPPA
(1) gov't employees + employees in security services + those in manufacture of controlled substances, national security jobs
(2) there is RS that there is a connection w/ an ongiong investigation involving economic loss or injury to the employer's business
in order to be dismissed bc of failure of EPPA
(1) Failure of polygraph test + (2) additional supporting evidence
violation of act
up to $10K civil penalty from DOL + private lawsuits
Drug Testing (Pre-Employment)
allowed if not designed to identify legal use of drugs/addiction to illegal drugs
Drug Testing when reasonable suspicion
allowed as condition of continued employment if there is RS based on specific facts
routine drug testing
if the employees are notified at the time of hiring
need RS taht employee involved in the accident was under the influence
random drug testing
acceptable when used on existing employees in specific, narrowly defined jobs
criminal offense + private right of action
Exceptions where you can intercept communications
(1) if the person is a party to the call OR where one party has given consent (some states require all-party consent) OR (2) interception is done in the ordinary course of business (business-extension exception)
prohibits unauthorized acquisition, alteration or blocking of electronic communications while in electronic storage (Stored Communications Act)
Postal Mail Monitoring
generally prohibits interference w/ mail delivery (employer may open mail once it reaches the business, subject to personal-mail cautions)
Employers monitoring location of company vehicles equipped w/ GPS
(1) occurs for business purposes during work hours + (2) employees are informed
Access to physical/informational assets after employment
(1) secure methods of physical access
(2) disable access for computer accounts
(3) return company data
(4) remind employee of obligation not to use data
(5) mark personal mail and forward it to the employee
Investigation of Employee Misconduct
using third parties to investigate --> used to run afoul of FCRA...but FACTA fixed this --> don't need consent for internal investigation however require summary of the nature if there is an adverse action
Post EMployment Records Retention
Don't disparage; keep detailed, factual records of the employee's performance from before termination
Post Employment References
CL provides qualified privilege for employers to report their experience w/ and impressions of the employee to help in defense against defamation suits
Tennessee SB 2005
- trigger notification: unencrypted + encrypted
- time limit --> within 45 days after discovery of breach
- unauthorized person --> employee of the information holder who uses it for unlawful purpose
Illinois HB 1260
- PI: expands to include usernames/email addresses when combined w/ other information (password, security question) allowing a third party to access an individual's online account
- reasonable security measures to protect records from unauthorized breach
California AB 2828
- notification if unencrypted OR if encrypted and the agency has a reasonable belief that the encryption key or security credential was also acquired and could render the PI readable or useable
- expansion of PI
NM HB 15
- businesses that operate within NM must take reasonable security procedures to safeguard PI
- if more than 1000 residents affected, notify state AG
- notify residents within 45 days
- exceptions: entities already subject to HIPAA or GLBA
what did it do: increased disclosure requirements / expands the privacy protections of GLBA
California SB-1 consent requirements
(1) non affiliated third parties --> written opt in consent
(2) affiliates not in the same line of business --> opt out
(3) wholly owned subsidiaries engaged in same line of business --> no consent needed
California SB-1 increased penalties
$2,500 per consumer, up to $500K
What to include in Data Breach letter
(a) general description of incident + type of info compromised
(b) general description of acts of the business to protect PI from further unauthorized access
(c) telephone number for business that person may call for further info
(d) advice to be vigilant
(e) numbers of CRAs
(f) numbers of FTC
Definition of PI that triggers notification (Connecticut)
first name/last name + (1) SSN or (2) Accnt number, etc
Definition of PI that triggers notification (Arkansas, California, Missouri Texas and Virginia)
includes medical and healthcare information
Definition of PI that triggers notification (Oregon and Wyoming)
include federal/state ID number
Definition of PI that triggers notification (Iowa, NC and Wisconsin)
include unique biometric data
Definition of PI that triggers notification (Wisconsin)
include DNA profile
Definition of PI that triggers notification (Puerto Rico)
includes tax info
Definition of PI that triggers notification (North Dakota)
includes mother's maiden name, employee number and digital signature
Definition of PI that triggers notification (Illinois)
computerized records + written material
What entities are covered (Connecticut)
any person that conducts business in the state or owns/licenses data that includes the PI of Connecticut residents
How to notify
written notice required first, then telephone/electronic messages
The ability to view personal information held by an organization. This may be supplemented by allowing updates or corrections to the information. U.S. laws often provide for access and correction when the information is used for any type of substantive decision making, such as for credit reports.
Americans with Disabilities Act (ADA)
Bars discrimination against qualified individuals with disabilities; places restrictions on pre-employment medical screening.
Consumer Financial Protection Bureau (CFPB)
Has enforcement power for unfair, deceptive or abusive acts and practices for financial institutions.
The ability to specify whether personal information will be collected and/or how it will be used or disclosed. Choice can be express or implied.
Legal principles that have developed over time in judicial decisions (case law), often drawing on social customs and expectations.
A judgment entered by consent of the parties (a federal or state agency and an adverse party) whereby the defendant agrees to stop alleged illegal activity, typically without admitting guilt or wrongdoing.
Consumer Reporting Agency (CRA)
Any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.
The intentional or unintentional release of secure information to an untrusted environment.
Defines the clearance of individuals who can access or handle a given set of data, as well as the baseline level of protection that is appropriate for that data.
Deceptive Trade Practices
Along with unfair trade practices, behavior of an organization that can be enforced against by the FTC.
Any act or communication intending to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.
Electronic Discovery (e-discovery)
Discovery in civil litigation dealing with the exchange of information in electronic format, often requiring digital forensics analysis.
Electronically Stored Information (ESI)
A category of information that can include e-mail, word-processing documents, server logs, instant messaging transcripts, voicemail systems, social networking records, thumb drives, or data on SD cards.
Equal Employment Opportunity Commission (EEOC)
A federal agency overseeing many laws preventing discrimination in the workplace, include Title VII of the Civil Rights Act, the Age Discrimination in Employment Act of 1967 (ADEA) and Titles I and V of the Americans with Disabilities Act of 1990 (ADA).
Privileges limiting or prohibiting disclosure of personal information in the context of investigations and litigation, such as attorney-client privilege.
Fair Credit Reporting Act (FCRA)
Enacted in 1970 to regulate the consumer reporting industry and provide privacy rights in consumer reports, FCRA mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes.
Federal Trade Commission (FTC)
An independent consumer protection agency governed by a chairman and four other commissioners with the authority to enforce against unfair and deceptive trade practices.
Global Privacy Enforcement Network (GPEN)
Established in 2010 by the FTC and enforcement authorities from around the world, the GPEN aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.
Gramm-Leach Bliley Act (GLBA)
Also known as the Financial Services Modernization Act of 1999, GLBA is a United States federal law to control the ways that financial institutions deal with the private information of individuals.
Any information related to the past, present or future physical or mental condition, provision of health care or payment for health care for a specific individual.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt-in before their information can be shared with other organizations - although there are important exceptions such for treatment, payment and healthcare operations.
National Labor Relations Board (NLRB)
An independent agency of the United States government responsible for investigating and remedying unfair labor practices.
National Security Letter (NSL)
A category of subpoena generally issued to seek records considered relevant to protect against international terrorism or clandestine intelligence activities.
The failure to exercise the care that a reasonably prudent person would exercise in like circumstances, leading to unintended harm.
A description of an organization's information management practices, with the purposes of consumer education and corporate accountability.
Organisation for Economic Co-operation and Development (OECD)
A multinational organization with the goal of creating policies that contribute to the economic, environmental, and social well-being of its member countries.
Personal Health Information (PHI)
Any individually identifiable health information with data elements which could reasonably be expected to allow individual identification.
Personal Health Record (PHR)
A record maintained by the patient to track health and medical care information across a duration of time.
The ability for one government's laws to supersede those of another, such as federal law overriding individual state law.
An external communication from an organization to consumers, customers or users to describe an organization's privacy practices.
An internal standards document to describe an organization's privacy practices.
Private Right of Action
The ability of an individual harmed by a violation of law to bring suit against the violator.
A rule of evidence that protects confidential information communicated between a client and legal advisor.
A judge-issued determination of what information contained in court records should not be made public and what conditions apply to who may access the protected information.
Publicity Given to Private Life
A tort claim that considers publicity given to an individual's private life by another is an invasion of privacy and subject to liability.
Qualified Protection Order (QPO)
Under HIPAA, a QPO prohibits the use or disclosure of PHI for any purpose other than the litigation for which the information was requested; it also requires the return of PHI to the covered entity at the close of litigation.
Red Flags Rule
Promulgated under FACTA, the Red Flags Rule requires certain financial entities to develop and implement identity theft detection programs to identify and respond to "red flags" that signal identity theft.
The practice of identifying and removing or blocking information from documents being produced pursuant to a discovery request or evidence in a court proceeding.
A nonprofit research and educational institute responsible for the establishment of standards and best practices for managing electronic discovery compliance through data retention policies.
A category of data prohibited from unauthorized acquisition, alteration or blocking while stored in a facility through which electronic communications service is provided.
Pursuant to breach notification laws, certain entities must provide for substitute notice of data breach in a situation where insufficient or out-of-date contact information is held.
Demonstration of compliance with self-regulatory programs by display of a seal, logo, or certification.
Unfair Trade Practices
Along with deceptive trade practices, behavior of an organization that can be enforced against by the FTC.
The identification of an individual account user based on a combination of security measures.
After authentication, the process of determining if the end user is permitted to have access to the desired resource, such as the information asset or the information system containing the asset.
Choice and Consent
Organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information. Consent is often considered especially important for disclosures of personal information to other data controllers.
A method of data protection to govern the collection, use and dissemination of personal information in the public and private sectors, generally with an official or agency responsible for overseeing enforcement.
The obligation of an individual, organization or business to protect personal information and not misuse or wrongfully disclose that information.
Used in Australia and New Zealand, this model emphasizes industry development of enforceable codes or standards for privacy and data protection, against the backdrop of legal requirements by the government.
An organization that has the authority to decide how and why personal information is to be processed. The data controller may be an individual or an organization that is legally treated as an individual, such as a corporation or partnership.
An individual or organization, often a third-party outsourcing service, that processes data on behalf of the data controller.
Data Protection Authority (DPA)
An official, or body, who ensures compliance with the law and investigates alleged breaches of the law's provisions.
The individual about whom information is being processed, such as the patient at a medical facility, the employee of a company, or the customer of a retail store.
EU Data Protection Directive
The EU Directive was adopted in 1995 and became effective in 1998 and protects individuals' privacy and personal data use. The Directive recognizes the European view that privacy is a fundamental human right, and establishes a general comprehensive legal framework that is aimed at protecting individuals and promoting individual choice regarding the processing of personal data.
Constitutional guarantees that the citizenry may "have the data" archived about them by governmental and commercial repositories.
Privacy Impact Assessment (PIA)
Checklists or tools to ensure that a personal information system is evaluated for privacy risks and designed with life cycle principles in mind. An effective PIA evaluates the sufficiency of privacy practices and policies with respect to legal, regulatory and industry standards, and maintains consistency between policy and practice.
This framework protects personal information by enacting laws that address a particular industry sector.
Sensitive Personal Information
That which is more significantly related to the notion of a reasonable expectation of privacy. One's medical or financial information is often considered sensitive personal information (SPI), but other types of personal information might be as well.
Opt in means an individual actively affirms that information can be shared with third parties (e.g., an individual checks a box stating that she wants her information to go to another organization).
Opt out means that, in the absence of action by the individual, information can be shared with third parties (e.g., unless the individual checks a box to opt out, her information can go to another organization).
What are the four phases of privacy program development?
- Issue identification
- Identify best practices
- Perform PIA
- Procedure development and identification
- Full implementation
- Documentation (Training and Awareness)
- Affirmation and Monitoring
What are the elements of data sharing and transfer?
1. Data inventory
2. Data classification
3. Data flows
What are the four elements of privacy policies and disclosure?
1. How many policies?
2. Policy review and approval
3. Privacy notice
4. Policy version control
What are the six phases of privacy incident response programs?
2. Prevent further activity
6. Corrective actions
What are the three elements of data subject preference and access
1. Opt-in, opt-out, no option
2. Managing preferences
3. Access and redress
What are the two elements of vendor management?
- No further use
- Breach disclosure
- Information security
2. Due diligence
- Financial condition, insurance
- Information security
- Point of transfer
- Training and user awareness
- Incident response
Which branch of the U.S. Federal Government makes laws?
Where is privacy mentioned in the U.S. Constitution?
It's not. Usually privacy falls under the 4th amendment.
What federal agency is the most active in enforcing privacy rights?
How does punishment differ in civil and criminal cases?
Civil punishments are compensation such as monetary and injunctive while criminal punishments include fine, incarceration, and death.
When an FTC investigation finds a company guilty of violating privacy, what are its two recourses?
1. Administrative trial
2. Consent decree
What was the basis of the FTC's findings against BJ's Wholesale Club?
Unfair practices because private data was not encrypted during transmission
What are the six questions you should ask in understanding a law?
1. Who is covered by this law?
2. What types of information and what uses of information are covered?
3. What exactly is required and/or prohibited?
4. Who enforces the law?
5. What happens if I don't comply?
6. Why does this law exist?
Define civil litigation
Disputes between individuals and/or organizations
Define criminal litigation
Legal punishment of criminal offenses
Who initiates civil litigation?
Who initiates criminal litigation?
What is the burden of proof for civil litigation?
Preponderance of evidence
What is the burden of proof for criminal litigation?
Beyond a reasonable doubt
List the five theories of legal liability
1. Negligence - absence of, or failure to exercise, proper or ordinary care.
2. Breach of Warranty - failure of a seller to fulfill the terms of a promise, claim, or representation.
3. Misrepresentation - false security about the safety of a particular product.
4. Defamation - an untruth about another which untruth will harm the reputation of the person defamed (written defamation is libel; oral defamation is slander).
5. Strict tort liability - extending the responsibility of the vendor or manufacturer to all individuals who might be injured by the product.
What does article 5 of the FTC Act declare unlawful?
unfair or deceptive acts or practices in or affecting commerce.
What is Children's Online Privacy Protection Act of 1998 (COPPA)?
1. Regulates collection and use of children's information by commercial website operators.
2. Compels website owners to adhere to specific notice and choice practices.
3. Applies to websites and services targeted to children under 13.
Who handles the enforcement of COPPA?
Who handles the enforcement of CAN-SPAM?
What does the FTC consider a deceptive practice?
Saying one thing and completely going against it
What does the FTC consider an unfair practice?
When reasonable practices are not being followed
What does the "Consumer Privacy Bill of Rights" emphasize?
1. Privacy by Design
2. Simplified choice
What does the "Consumer Privacy Bill of Rights" prioritize?
1. Do not track
3. Large platform providers
4. Enforceable self-regulation
What are the three goals of APEC Cross-border Privacy Enforcement Arrangement (CPEA)
1. Facilitate information sharing
2. Promote effective cross-border cooperation
3. Encourage information sharing and investigative/enforcement cooperation
What are the three components of self-regulatory enforcement?
1. Legislation - Who determines the rules?
2. Enforcement - Who initiates actions?
3. Adjudication - Who decides if something is in violation?
What does HIPAA require?
Covered entities to protect health information that is transmitted or maintained in any form or medium
List the three HIPAA covered entities
1. Healthcare providers that conduct transactions in electronic form
2. Health insurers
3. Health clearinghouses
Does HIPAA preempt stronger state laws?
Who enforces HIPAA?
The U.S. Department of Health & Human Services (HHS)
What are the punishments for non-compliance of HIPAA?
Fines up to $250K and/or 10 years imprisonment
What are the elements of the HIPAA Privacy Rule?
1. Privacy notice
2. Authorizations for use and disclosure
3. "Minimum necessary" use and disclosure
4. Access and accounting of disclosures
9. Other exceptions (law enforcement investigations)
What are the elements of the HIPAA Security Rule?
1. Confidentiality, integrity and availability of ePHI
2. Protection against threats to ePHI
3. No unreasonable uses or disclosures of information not required under the Privacy Rule
Health Information Technology for Economic and Clinical Health, 2009 (HITECH)
1. Enacted as a part of the American Recovery and Reinvestment Act of 2009.
2. Amends HIPAA
- Regulates personal health records (PHR)
- Covered entities and PHR vendors must provide breach notification to consumers, HHS and FTC
- Extends HIPAA safeguard and breach notice requirements to business associates
- Increased penalties for non-compliance
- Provides state attorneys general with enforcement authority
The Genetic Information Nondiscrimination Act of 2008 (GINA)
1. Addresses potential abuses based on genetic information in the absence of the manifestation of a condition
2. Amends federal healthcare and employment-related laws
- Social Security Act
- Civil Rights Act
- Public Service Health Act
3. Empowers government enforcement
4. Creates review commission in 2014
5. Applies prohibitions to health insurance providers
The Fair Credit Reporting Act of 1970 (FCRA)
1. Accurate and relevant data collection required
2. Consumers can access and correct information
3. Limitation on use of credit reports
Who does the FCRA apply to?
Consumer Reporting Agencies (CRA)
Who enforces the FCRA and what are the punishments?
Enforced by the FTC and state attorneys general; non-compliance leads to civil and criminal penalties and fines
The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
1. Amends FCRA, preempting state laws
2. Requires truncation of credit and debit card numbers
3. Consumers have rights to explanation of credit score
4. Free annual credit report
5. Opt-out for marketing
6. The Disposal Rule
7. The Red Flags Rule
The Financial Services Modernization Act of 1999 - "Gramm-Leach-Bliley" (GLBA)
1. GLBA Privacy Rule
- Initial and annual privacy notice required
- Provide right to opt out
- No disclosure of account numbers to third parties
- Comply with regulatory standards
2. GLBA Safeguards Rule
- Administrative Security
- Technical Security
- Physical Security
What are the three categories of security that span multiple regulations?
Dodd-Frank Wall Street Reform and Consumer Protection Act (2010)
1. Created the Consumer Financial Protection Bureau (CFPB) within the Federal Reserve
2. Oversees the relationship between consumers and providers of financial products and services
3. Can enforce against "abusive acts and practices"
Family Educational Rights and Privacy Act of 1974 (FERPA)
1. Places control over disclosure and access to educational records (with exceptions)
2. Provides students right to access and correct education records
3. Applies to all educational institutions that receive federal funding.
Protection of Pupil Rights Amendment 1978 (PPRA)
1. Extended protections to parents of minors relative to surveys collecting sensitive information
2. Applies to all elementary and secondary schools receiving federal funding
No Child Left Behind Act 2001 (NCLB)
1. Broadened PPRA survey restrictions
- Enact policies
- Parental review of surveys prior to use
- Advance notice
- Opt out
FTC Telemarketing Sales Rule (TSR) Telephone Consumer Protection Act of 1991 - FCC regulations
1. Who can be called?
- Prohibits calls to cell phones
- U.S. National Do Not Call Registry
2. Rules governing calls
- 8am - 9pm as one example
3. Call abandonment
4. Unauthorized billing
5. Record keeping
6. Robocall rules (2012)
7. Does not preempt state law