Introduction to US Privacy Environment (35 questions) Flashcards

1
Q

What is the role of the legislative branch?

A

to create laws

2
Q

what is the role of the executive branch?

A

to enforce the law

accomplished through the work of federal administrative agencies, which are commonly granted authority by congress to make rules and pursue enforcement actions

3
Q

constitution

A

supreme law of the land

doesn’t mention the word privacy anywhere in its text, but protects privacy interests through the 3rd, 4th, 5th, and 14th amendments

provides a floor of protection; states are free to enact stricter protections on top of it

4
Q

legislation

A

federal and state legislation provides the most significant privacy-related requirements

preemption- federal law may prohibit states from enacting laws covering the same general area

5
Q

rules and regulations

A

privacy-related laws permit federal agencies to adopt formal regulations and rules to clarify and enforce statutory law

agencies also issue informal guidance (ex. written opinions setting forth their interpretation of the law), which is persuasive but not binding

6
Q

case law/common law

A

set of legal principles that has developed over time out of societal customs and judicial decisions (as opposed to statutes and the constitution)

stare decisis- judicial decisions should be guided by past judicial decisions (precedent)

7
Q

contract law

A

contract= legally binding agreements to be enforced by court of law

include
- offer
- acceptance
- consideration

8
Q

consent decree

A

type of contract in which the parties agree to enter into and abide by a judgment that requires one party to stop, or refrain from, an allegedly illegal practice

approved by a judge

usually permits the party to avoid admitting guilt or wrongdoing

9
Q

jurisdiction

A

courts authority to hear specific case or issue decree

10
Q

personal jurisdiction

A

courts authority to hear dispute between specific parties

11
Q

subject matter jurisdiction

A

courts authority to hear specific types of disputes

federal courts- limited
state courts- general

12
Q

person

A

any individual or organization with legal rights

individual= natural person
organization = legal person

13
Q

private right of action

A

individuals right to sue in their personal capacity to enforce legal claim

14
Q

federal trade commission (FTC)

A

most important federal regulatory authority for consumer privacy

independent agency- not under direct US president control

5-member bipartisan commission (no more than 3 from one party), appointed by president, confirmed by senate

purpose
- protect consumers against unfair or deceptive trade practices
- regulate certain market segments and conduct (ex. child privacy online and commercial email marketing)
- conduct investigations and require businesses to submit investigatory reports under oath (section 6(b))

15
Q

unfair and deceptive trade practices

A

section 5 of FTC act

unfair or deceptive acts or practices in or affecting commerce are unlawful

doesn’t extend to
- non-profit orgs (not in commerce)
- banks and other federally regulated financial institutions (regulated by their own agencies)
- common carriers (transportation and telecommunications, regulated by other agencies)

16
Q

deceptive

A

material representation or omission that is likely to mislead consumers who are acting reasonably under the circumstances

ex. false promises, misrepresentations, failure to live up to representations made to consumers (including promises in a privacy policy)

17
Q

unfair

section 5- unfair and deceptive
Cant Easily Avoid SNOB

A
  1. causes or is likely to cause substantial injury to consumers +
  2. injury is not outweighed by countervailing benefits to consumers or competition +
  3. injury is not reasonably avoidable by consumers

doesn’t matter whether the company made any deceptive statements

ex: failure to implement reasonable security measures for sensitive personal info, inadequate disclosures to consumers

Avoid SNOB
1. can’t easily avoid
2. S- substantial injury
3. NOB- no offsetting benefits

18
Q

Federal Communications Commission (FCC)

A

federal regulatory authority

independent agency- not under US president control

chairman + 4 commissioners appointed by president confirmed by senate

purpose- enforce various federal statutes related to telecommunications

19
Q

department of commerce

A

federal regulatory authority

led by secretary of commerce

purpose
- develop federal privacy policy
- administer the US-EU privacy shield framework (and its successor, the EU-US data privacy framework)
- NO ENFORCEMENT AUTHORITY (enforcement of framework commitments falls to the FTC)

20
Q

department of health and human services

A

federal regulatory authority

led by secretary of health and human services

purpose
- oversee health and well being of US citizens
- oversee and implement + enforce HIPAA
- administer 21st century cures act
- administer confidentiality of substance use disorder patient records rule

21
Q

federal reserve board

A

bank regulator

federal regulatory authority

independent agency- not under US president control

led by 7 members (governors) nominated by president confirmed by senate
- 14 year terms (staggered)

purpose
- supervise and regulate financial institution
- promote consumer protection
- oversee the 12 regional federal reserve banks through the board of governors

22
Q

consumer financial protection bureau

A

bank regulator

federal regulatory authority

purpose
- promote consumer protection
- enforce fair credit reporting act (FCRA) (authority shared with the FTC)
- rule making and regulatory authority under GLBA

23
Q

department of treasury

A

bank regulator

federal regulatory authority

purpose
- house office of comptroller of currency (financial regulator)
- charter, regulate, supervise national banks, federal savings associations, and federal branches of foreign banks

24
Q

state regulatory authority

A

state attorney general

given significant authority under both state and federal law

25
Q

self regulatory authority

A

can bring enforcement actions

ex
- payment card industry- data security standard
- digital advertising alliance
- network advertising initiative
- direct marketing association

26
Q

PCI

A

most prominent self regulatory group

imposes significant obligations, which are enforced by the individual card brands (AMEX, Discover, Visa, Mastercard) through their own compliance and enforcement programs

rules (the PCI DSS requirements, drafted by the PCI Security Standards Council)
- install and maintain firewalls / network security controls
- no vendor-supplied defaults for passwords or other security parameters
- protect stored cardholder data
- encrypt cardholder data in transit over open, public networks
- anti-malware software
- restrict access to cardholder data (need-to-know)
- track and monitor all access to cardholder data
- regularly test security systems and processes
- maintain an information security policy
- validation- largest merchants must engage a qualified security assessor (QSA) for an annual on-site assessment; smaller merchants self-assess

27
Q

DAA adchoice program

A

most prominent self-regulatory group in advertising

developed by advertising and marketing trade groups

goal: provide consumers ability to opt-out of online and interest based ads

enforcement: council of better business bureaus and the direct marketing association

28
Q

failure to comply with PCI rules

A

exclusion from Visa, Mastercard, or other payment card networks +

penalties of $5,000-$100,000 per month of noncompliance (assessed by the card brands, typically through the merchant’s acquiring bank)

29
Q

trust marks

A

privacy seal programs
- programs that require companies to abide by a set of principles and operating procedures in exchange for the right to display a seal or logo indicating certification against those principles

goal- increase consumer confidence and trust

ex. better business bureau

30
Q

civil liability

A

plaintiff vs defendant

basis- civil violation of statute or civil wrong arising under common law (tort or contract)

relief- monetary damages, injunction, specific performance, declaratory judgment

standard of liability- plaintiff must prove the case by a preponderance of the evidence (more likely than not)

same procedural protections for both parties

31
Q

criminal liability

A

department of justice (federal) or state prosecutor/attorney general vs defendant

basis- violation of criminal statute

relief- criminal sentence (fine or prison)

standard of liability- government proves guilty beyond a reasonable doubt

additional procedural protections for defendant (ex. presumption of innocence, 6th amendment right to counsel, right to speedy trial)

32
Q

contract liability

A

breach of contract- one party fails to perform any of its contractual obligations at time performance is due

remedies- monetary damages measured by
- expectation interest (put plaintiff in position he would be in if contract was performed)
- reliance interest (put plaintiff in position he would be in if contract not made)
- restitution interest (prevent party from unjust enrichment as result of breach)

specific performance- ordered to comply with terms of contract/ available when no other remedy will adequately compensate

33
Q

tort liability

A

types
- intentional (party knows or should know would cause harm to another)
- negligent (party fails to observe standard of care)
- strict liability (engage in certain prohibited conduct)

34
Q

intrusion upon seclusion- privacy tort

A

person intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns

must be highly offensive to reasonable person - substantial burden to one’s existence not just annoyance

35
Q

appropriation- privacy tort

A

person uses another name or likeness for their own benefit without permission

36
Q

publicity given to private life- privacy tort

A

person publicizes matters concerning another private life that are not of legitimate public concern

must be highly offensive to reasonable person

37
Q

false light- privacy tort

A

person publicizes a matter concerning another that places the other before the public in a false light

must be highly offensive to a reasonable person

defendant must have known of the falsity or acted in reckless disregard of it

38
Q

federal enforcement actions

A

administrative procedure act (APA)
- provides a set of procedural rules that govern agency actions (similar in role to the federal rules of civil procedure)
- statutes can mandate specific enforcement procedures different from those in the APA (ex. FTC act)

procedure (FTC)
1. commission issues a complaint (can settle through a consent order, which typically binds the company for up to 20 years)
2. otherwise an administrative trial proceeds before an ALJ
  - violation found- ALJ enjoins the company from continuing the practices; order becomes final 60 days after it is served on the company
  - FTC can seek civil penalties (over $40,000 per violation, adjusted annually for inflation) if the order is violated
3. decision is appealable (first to the full commission, then to a federal court of appeals)
39
Q

global privacy enforcement network (GPEN)

A

network that connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy

US members include the FTC, FCC, and California attorney general

40
Q

5 ways GPEN seeks to encourage cooperation amongst countries

MATED

A
  1. exchanging info
  2. encouraging training opportunities
  3. promoting dialogue
  4. creating processes and mechanisms that can be utilized
  5. undertaking and supporting specific activities

Mechanisms
Activities
Training
Exchanging
Dialogue

41
Q

what is regulated in US privacy law

A

personal information (personally identifiable information)

not non personal information

generally doesn’t include IP addresses (exception: the FTC treats IP addresses as personal info under its health breach notification rule)

42
Q

identified individual- personal info

A

one who can be directly identified from the information itself

ex. SSN, passport number, name

likely to be regulated

43
Q

identifiable individual- personal info

A

one that can be indirectly identified through combination of various factors

ex. know person lives in specific city

less likely to be regulated

44
Q

sensitive personal information

A

subject to greater regulation for collection, use and disclosure

what is considered as sensitive varies from jurisdiction to jurisdiction depending on particular regulations

generally includes financial info, health info, drivers license numbers, SSN

45
Q

nonpublic information- personal info

A

at the center of US privacy regulation

not generally accessible or easily accessed due to law or custom

ex. medical records, financial info, adoption records

46
Q

public records- personal info

A

info collected and maintained by gov entity and available to public

law in jurisdiction determines if considered protected or not (private or not)

ex. court filings, real estate records

47
Q

publicly available info- personal info

A

generally not protected

info generally available to wide range of persons

ex. social media, search engines

48
Q

personal info can be transformed into non-personal unprotected info through

A

encryption (rendered unreadable to anyone without the key; still personal info in the hands of the key holder)

anonymization (strip data of identifying info so it can no longer be linked to a person; irreversible)

pseudonymization (associate data with a pseudonym so it can no longer be attributed to a specific person without additional info held separately) ex. "user 1"
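Added example (not part of the flashcard set): the three transformations on card 48 behave very differently under a re-identification attempt. Pseudonymization with a keyed HMAC keeps a separate vault (and key) that can reverse it; anonymization strips identifiers and generalizes quasi-identifiers with no way back; and a plain unkeyed hash, which is often sold as "anonymization", falls to a dictionary attack when the identifier space is small. The records, names and key are constructed for illustration.

```python
"""Added example (not from the flashcard set): pseudonymization, anonymization,
and why a plain unkeyed hash is neither.  Records, names and key are constructed."""
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample records: fictitious people, fictitious numbers.
SAMPLE_RECORDS: List[Dict] = [
    {"name": "Ada Example", "ssn_last4": "1234", "zip": "02139", "age": 34, "diagnosis": "flu"},
    {"name": "Bob Sample", "ssn_last4": "9876", "zip": "02140", "age": 58, "diagnosis": "asthma"},
]
DIRECT_IDENTIFIERS = ("name", "ssn_last4")


def pseudonymize(records: Iterable[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Replace direct identifiers with a keyed token (HMAC-SHA256, truncated to 64 bits).

    Returns (pseudonymized records, vault).  The vault maps token -> identifiers and
    must be stored separately from the data set.  Without the key or the vault the
    token cannot be attributed to a person, which is what makes the result
    'pseudonymous' rather than 'anonymous': re-identification is still possible
    with the additional info.
    """
    out, vault = [], {}
    for rec in records:
        ident = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        token = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        vault[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        out.append({"subject": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, vault


def reidentify(pseudo_record: Dict, vault: Dict[str, Dict]) -> Optional[Dict]:
    """Reverse pseudonymization using the separately held vault."""
    return vault.get(pseudo_record["subject"])


def anonymize(records: Iterable[Dict]) -> List[Dict]:
    """Strip direct identifiers and generalize quasi-identifiers (zip -> 3-digit
    prefix, age -> 10-year band).  No key, no vault: the step is not reversible."""
    out = []
    for rec in records:
        decade = rec["age"] // 10 * 10
        out.append({"zip3": rec["zip"][:3], "age_band": f"{decade}-{decade + 9}", "diagnosis": rec["diagnosis"]})
    return out


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 with no key: frequently mistaken for anonymization."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_from_unkeyed_hash(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unkeyed hash.  For low-entropy identifiers (SSN digits,
    phone numbers, e-mail addresses) the candidate space is small enough to enumerate,
    so the 'obfuscated' value still identifies the person."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = b"example-key-keep-in-a-separate-store"  # constructed; use a real secret in practice
    pseudo, vault = pseudonymize(SAMPLE_RECORDS, key)
    print("pseudonymized:", pseudo[0])
    print("re-identified with vault:", reidentify(pseudo[0], vault))
    print("anonymized:", anonymize(SAMPLE_RECORDS)[0])
    digest = unkeyed_hash("1234")
    print("SSN last-4 recovered from unkeyed hash:",
          recover_from_unkeyed_hash(digest, (f"{i:04d}" for i in range(10000))))
```

The keyed token is deterministic for one key, so records for the same person still join across tables, which is the point of pseudonymization; rotating the key or destroying the vault is what moves the data set toward anonymous. The last function is the check to run before accepting a vendor's claim that "hashed" identifiers are no longer personal info.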

49
Q

data subject

A

individual whose personal information is being processed

ex. patient, employee, customer

50
Q

data controller

A

organization/individual that decides how and why personal information is processed

subject to heaviest amount of regulation by privacy and data security laws

51
Q

data processor

A

organization/individual that processes data on behalf of a data controller (collection, storage, use, disclosure, transmission, destruction)

what it may do is limited by the data controller’s instructions

an organization/individual may be both a data processor and a data controller

includes 3rd parties under contract with the data controller (vendors, service providers)

52
Q

comprehensive data protection model (Europe)

A

uniform regulation over entire economy

DPA (data protection authority)- responsible for oversight and enforcement

issues:
1. cost outweighs benefits
2. one law no matter how unique situation is
3. no innovation
4. officials granted varying degrees of enforcement power from country to country
5. countries choose to allocate varying levels of resources to enforcement of data laws

pros:
1. remedy past injustices
2. ensure consistency
3. promote electronic commerce

53
Q

sectoral data protection model (US)

A

enacts laws that address a particular industry sector

multiple enforcement agencies

pros:
1. different parts of economy face different challenges for privacy and security
2. cost savings
3. little regulatory burden for organizations outside regulated sectors

cons:
1. lack of single DPA to oversee issues
2. gaps (inadequate) and overlaps (overly burdensome) in coverage
3. government agencies may develop different policies

54
Q

co-regulation (australia) data protection models

A

self regulation + comprehensive or sectoral model

emphasizes industry development of enforceable codes or standards for privacy and data protection, against a backdrop of legal requirements set by government

overseen by both the industry and the government
ex. COPPA safe harbor programs- compliance with an approved code is deemed compliance with the statute

55
Q

self regulation data protection model (similar to US)

A

emphasizes creation of codes of practice for protection of PI by company, industry or independent body

no generally applicable data protection law

ex. PCI DSS- enhances cardholder data security and facilitates the broad adoption of consistent data security measures globally

56
Q

fair information practices

A

means for organizing multiple individual rights and organizational responsibilities that exist with respect to PI

covers both
1. individual rights related to PI +
2. how organizations manage data they collect

57
Q

fair information practices- rights of individuals

CAN

A

notice- description of org info management practices, for consumer education and accountability of corporation

consent and choice- ability to specify whether PI will be collected and how it will be used or disclosed (express or implied)
- opt in= affirmative indication (no failure to answer)
- opt-out - can be implied through failure to object to use or disclosure

access- ability to view PI held by org
- generally require access and correction when info used for substantive decision making (ex. credit report)

58
Q

fair information practices- organizational responsibilities

A

controls- info security (reasonable admin, tech, and physical safeguards to protect PI) and information quality ( maintain accurate, complete and relevant PI)

information life cycle
- collection (only for purpose identified)
- use and retention (only for purpose identified + consent + how long necessary to fulfill purpose)
-disclosure (only for purpose identified + consent)

59
Q

3 groups of US consumers

A
  1. privacy fundamentalists
  2. privacy pragmatist
  3. privacy unconcerned
60
Q

privacy fundamentalist

A

consumer that is
- generally distrustful of organizations that ask for their personal info
- favors stricter privacy regulation

25% of people in US

61
Q

privacy pragmatist

A

consumer that weighs the benefits of various consumer opportunities and services against the protections necessary to make sure PI is not abused

majority of public

62
Q

privacy unconcerned

A

consumers that are
- generally trustful of organizations collecting their personal info
- willing to sacrifice privacy in favor of commercial or public benefits

63
Q

data assessment

CIA

A

process for
1. creating data inventory
2. conducting data flow analysis
3. classifying categories of data

64
Q

data inventory

A

identifies what personal data the organization holds and where it sits as it moves across various systems

includes both customer and employee data records

legally required for some organizations

65
Q

information that must be recorded during data inventory

A
  1. data location
    - physical location + general understanding of where data is stored
    - electronic data= file it is saved in + server it is stored on
  2. data residency
    - where the servers storing the data are physically located
    - dictates which laws apply to how the data is processed
  3. data access
    - identify who has access to the data being processed
    - identify how and when such info is shared
    - looks at both internal access and 3rd party external access

66
Q

data flow analysis

A

examination and documentation of data flows through organization

identifies
- purpose data is used for
- types of data processed
- risks and controls at each step
- maintenance plan (for compliance)

increases confidence in regulatory compliance and becomes a record to reference for customers and employees

67
Q

data classification

categories-CPPRS

A

classifying data according to its level of sensitivity which in turn defines
- level of clearance individual who can access and handle data
- baseline level of protection appropriate for data

categories are generally tailored to organization but commonly include
- confidential info
- proprietary info
- sensitive info
- restricted info
- public info

68
Q

privacy program development steps

A
  1. balance risks
  2. understand organizational goals
  3. develop policies
  4. privacy operational life cycle
69
Q

4 categories of risk to keep in mind when developing privacy program

oilr

A
  1. legal risk (regulatory action and litigation that may result from failing to comply with laws and regulations)
  2. reputational risk (trust consumers place in organization + organizations reputation may affect consumer behavior )
  3. organizational risk (balance between compliance with privacy regulations and achieving organizational goals)
  4. investment risk (balance whether investments in information management and technology are worth the cost)
70
Q

privacy operational life cycle

A

continuous refinement of privacy program

should do following
1. assess (identify risks )
2. protect (develop policies and practices)
3. sustain (communicate, monitor, and audit)
4. respond (respond to privacy incidents and handle complaints)

71
Q

managing user preferences

A

user consent + user access + notice

72
Q

opt-in user consent

A

express form of consent

requires some affirmative act by consumer before consent will be deemed adequate

scope determined by organization

legally required under COPPA- verifiable express consent of a parent required before personal info of a child under 13 is collected

73
Q

double opt-in user consent

A

consumer initially expresses interest + asked second time to confirm interest

74
Q

opt-out user consent

A

passive form of consent

allows collection and use of data unless user expressly states desire not to have info collected

may require 2nd opportunity to opt-out even after initial consent

scope should be more broad than narrow (ex. comply across all communications regardless of media used to communicate request)

legally required for VPPA- required in certain cases before movie rental data is provided to 3rd parties

75
Q

no option user consent

A

where authority to collect and utilize data is implied from situations

“commonly accepted categories of commercial data practices”

includes
- product fulfillment (implicit consent to share address with delivery company + credit card company processing financial portions of transaction)
- fraud prevention
- internal operations
- legal compliance and public purpose
- 1st party marketing

76
Q

form of user consent

A

mechanism for obtaining consent

recommendation- provide consumers choice in same manner in which communicated with consumer

77
Q

user access- managing user preferences

A

2 components
1. actual access to information collected
2. ability to correct that information that is inaccurate or incomplete

78
Q

information privacy

A

concerned with personal information

policies behind handling info
- identifies uses and users of information
- seeks agreement to use information
- limits collection
- provide avenues for complaints
- allow access to info to maintain accuracy and completeness

79
Q

information security

A

concerned with confidential information

protection of data from unauthorized access
- protection system and data from threats
- malicious code detection and prevention
- configurations and patch management
- intrusion detection and mitigation

80
Q

CIA triad- 3 considerations for information security program

A

confidentiality
- access limited to authorized persons only
- accomplished through access control list, encryption, file permissions

integrity
- info kept in authentic, accurate, and complete form

availability
- kept in way that those with authorization can adequately access it

81
Q

security controls

A

a measure that modifies risk

includes processes, policies, devices, practices, or other actions

82
Q

categories of security controls

A

prevention
- prevent a security event from occurring, or otherwise prevent errors or other negative consequences
ex. access control lists, input validation

detective
- identify security incident while it is in progress
ex. active monitoring of closed- circuit tvs

corrective
- fix or limit damage caused by security incident
ex. data loss prevention systems that remotely wipe employees hard drive when laptop is lost

83
Q

types of security controls

PAT

A

physical
- mechanisms designed to limit or monitor physical access to an environment or object
ex. locks and security cameras

administrative
- internal procedures and mechanisms put in place to limit and monitor access to information + training of employees to follow those internal procedures

technical
- applications of technology that help protect information against unauthorized access
categories
- obfuscation (ex. randomization or hashing)
- data minimization (ex. data segregation)
- security (ex. access controls and antivirus software)
- privacy engineering (ex. anonymous digital credentials)

84
Q

workforce training

A

employees should receive awareness training and regular update on organizational policies and procedures relevant to job function

benefits: lowers cost of responding to data breaches

85
Q

laws that mandate workforce training

A

HIPAA privacy and security rules
- must train all members of the workforce, within a reasonable time, on policies and procedures with respect to protected health info as necessary for them to carry out their functions within the entity

GLBA safeguards rule
- financial institution must train staff to prepare and implement the info security program
- specialized training required where appropriate

FTC red flags rule
- must establish identity theft program and training is necessary to effectively implement program

Massachusetts data security law
- anyone that owns or licensed PI about MA resident must have comprehensive security program in place that includes ongoing employee training and maintenance of system

86
Q

PCI-DSS workforce training requirement

A

requires implementation of security awareness program to make all personnel aware of importance of cardholder data security

87
Q

accountability of organization

A

org must hold themselves accountable for maintaining adequate privacy protections

the International Association of Privacy Professionals (IAPP) defines accountability as implementation of appropriate technical and organizational measures to ensure, and be able to demonstrate, that handling of personal data is performed in accordance with relevant law

requires significant amount of documentation to demonstrate compliance (each compliance procedure is unique to organization)

88
Q

privacy policy/ privacy notices

A

written document setting forth how company collects, stores, and uses PI it gathers

purposes:
- inform employees how info should be stored, accessed, and utilized
- set limits on how info may be used
- inform consumers about how data will be used

may be required by law to implement (ex. GLBA for financial institutions, and CalOPPA for companies collecting personally identifiable info)

89
Q

vendor management

A

organization, as data controller, generally remains responsible for misuse of data by its vendors

ways to oversee 3rd party data vendors
1. vet the vendor (look at reputation, finances, and security controls) and
2. vendor contract (usually required by law, ex. HIPAA business associate agreements)

90
Q

vendor contract provisions

A
  1. confidentiality- not share data with other parties
  2. security protections- specific controls must be put in place (ex. employee training, encryption, and reporting of breaches)
  3. audit rights- right to audit 3rd party security practices to ensure compliance
  4. no further use- no use for purposes other than specified
  5. subcontractor use- not appropriate to use at all or if used set forth requirements for subcontractor
  6. information sharing- what may be shared between principal and vendor and subcontractors
  7. breach notice- vendor required to provide immediate notification of breach
  8. consumer consent- vendor obligated to abide by consumer preferences and consents provided to principal organization
  9. end of relationship- what happens to data (delete or return)
  10. vendor incidents- protocol that should be followed when vendor incident and steps for response
91
Q

cloud computing

A

provision of software and other info tech services over the internet

forms
1. software as a service (SaaS)
2. platform as a service (PaaS)
3. infrastructure as a service (IaaS)

public cloud (infrastructure shared among multiple customers of the provider) vs. private cloud (infrastructure dedicated to one org)

92
Q

data residency

A

where servers that are storing data are physically located

increased regulation when located outside of where company typically conducts business

93
Q

data transfers across state lines

surprise minimization rule

A

transferring data across borders can subject an organization to additional laws and regulations

surprise minimization rule- consumer should be able to assume their info is subject to protections afforded by their home jurisdiction laws regardless of where data is processed (no surprise)

94
Q

international data transfers (EU to US)

A

GDPR contains most prominent and well known set of international data transfer rules

must have valid basis to transfer data
1. adequacy decisions
2. adoption of appropriate safeguards
3. derogations (exceptions such as explicit consent)

95
Q

international data transfer basis- adequacy decision

A

European Commission determines that a third country’s data protection regime is essentially equivalent to the GDPR

previous US frameworks whose adequacy decisions were invalidated by the CJEU
1. safe harbor program- struck down in Schrems I (2015) based on concerns about surveillance programs disclosed by Edward Snowden
2. privacy shield framework- struck down in Schrems II (2020)

current US framework= EU-US data privacy framework (announced 2022)
1. the Commission adopted its adequacy decision for the framework in July 2023 (after this card was written)

96
Q

international data transfer basis- appropriate safeguards

A

binding corporate rules (BCRs)
- set of procedures and policies a corporate group voluntarily agrees to follow (a form of fair info practices), approved by a DPA, covering its internal handling of personal data
- cover intra-group transfers only, NOT transfers to third parties

standard contractual clauses (SCCs)
- company contractually promises to comply with EU law and submit to the jurisdiction of an EU privacy supervisory authority
- Schrems II upheld the validity of SCCs, but requires the exporter to assess, case by case, whether the third country’s law (ex. government surveillance access) undermines the protections the clauses promise; if it does and supplementary measures can’t cure it, the transfer must be suspended

ad hoc contract clauses (disfavored)
- parties can draft their own contract clauses, subject to DPA approval, when SCCs are not appropriate

codes of conduct/approved certification mechanisms
- co-regulatory programs where the org undertakes a binding and enforceable obligation to abide by the code of conduct
