CIPP/US Flashcards Preview

Flashcards in CIPP/US Deck (120)

What were the facts of the Lilly Case?

An employee accidentally sent an email to ALL users with all personal emails viewable. This was unreasonable handling of PI. No fine, but consent decree.


FTC has regulatory authority over.

COPPA, FCC, Telemarketing Sales Rule, CAN-SPAM Act, Health and Human Services (HIPAA stuff), and FCRA



Federal Communications Commission. - Federal Financial institution regulators



Health and Human Services
- OCR: Office of Civil Rights
- CMS: Center for Medicare and Medicaid Services

promulgated regulations to protect the PRIVACY and SECURITY of health info for HIPAA



Department of Transportation


FTC enforcement process

1. Claim (press report or consumer complaint)
2. If minor - mutual resolution FTC/respondent
2. If significant or pattern - investigation.
3. If violation? Admin trial w/civil penalties if found OR consent decree (up to $16,000 per violation but no admit wrong) and fed district ct if violation.


3 criteria for unfair trade practices

1. Substantial Injury
2. w/o offsetting benefits
3. Consumers could not reasonably avoid.


What are the facts of the Gateway case?

Unfairness case. Owned “Hooked on Phonics” and promised they would not share PI but could change info at any time. Did not seek consent (but revised policy with a PO box to opt-out) and released age range and gender PI to third parties for marketing. Fined.


What are the facts of the BJs case?

Unfairness case. They had security flaws in their network access. Caused identity theft.


What are the facts of the Google case?

Violated their own privacy policy. Consent decree was entered into and they agreed to form a comprehensive privacy program.



2007. Organization for Economic Cooperation and Development - focuses on privacy on a global scale



Asia Pacific Economic Cooperation.
- cross-border privacy enforcement arrangement is the CPEA (cross-border privacy enforcement arrangement)

- FTC was first privacy enforcement authority.


Steps in developing a privacy program.

1. Discover
2. Build
3. Communicate
4. Evolve


Basic Elements of Incident Response (breach)

a. Detection - determine if it actually occurred
b. Containment/analysis and investigation - prevent further activity
d. Notice
e. Review and follow-up/ corrective actions



Health Insurance Portability and Accountability Act of 1996
- Does not preempt state laws.
- Enforced by OCR (Office of Civil Rights)


HIPAA Privacy Rules

a. Must post privacy policy on website
b. Allow access to only the minimum necessary data to carry out treatment and payment.
c. Keep track of disclosures.
d. Have safeguards in place via security rules (accountability, de-identification, sometimes need notice and consent).


HIPAA Security Rule

CIA - Confidentiality, Integrity, Availability
- risk assessments should be done once a year.



2009. Health Info Tech for Economic and Clinical Health
- Amended HIPAA by expanding to business associates involving the use or disclosure of PHI.

If significant risk of harm - must notify individual within 60 days.

Must notify HHS immediately if affects 500+ people (and media if the 500 are in the same population).

Penalties up to 1.5 mil.

EHR - electronic health records



Genetic Info Nondiscrimination Act of 2008
- made genetic info another PHI element to prevent hiring or insurance premiums discrimination.

- some exceptions if commercially/publicly available info, it was inadvertent, signed consent for special program, need to collect info for law enforcement /quality control.



1970. Fair Credit Reporting Act.
a. Mandates fair and accurate info
b. Provides users ability to access and correct the info.
f. Enforced by the FTC, CFPB, and state AGs.
g. Private right of action with damages in 6 figures (up to 1k per violation and 2.5k for willful).

Under Dodd-Frank, rule making shifted from here to CFPB.

Users must have a permissible purpose in order to obtain an individual’s credit report. Among these permissible purposes is the determination of a consumer’s eligibility for a license. Library records, purchase transactions and academic records do not represent a permissible purpose.



The Fair and Accurate Credit Transaction Act. (not preempted)
i. Can’t show credit numbers on receipts!
ii. You get one free credit report a year!
iii. In the past it sold a lot of info for marketing purposes.

This controls CRAs (credit reporting agencies like Experian)


FACTA red flags rule

a. aimed at combatting ID theft. Mandates rules to combat this. Requires financial entities to implement written ID protection programs that explain the red flags that indicate ID theft.


GLBA (general and privacy rules)

Gramm-Leach-Bliley Act: Born from the Financial Services Modernization Act of 1999. (Not preempted)

GLBA Privacy Rules: Financial Institutions must:
1. Store info securely and provide notice of policies re: sharing of personal fin info.
Prepare and provide clear and conspicuous privacy notice in 9 categories (must be provided when relationship is established then annually.)
2. Provide right to opt-out of 3rd party sharing (process w/i 30 days) (Exceptions: Joint marketing and processing.)
3. Don’t disclose to third party except consumer reporting agency
4. Comply with regulatory gov standards
5. Privacy policy that is clear, conspicuous, and accurate. Include what info is collected, how it is protected, and opt out info.

Has nothing to do with Dept. of Commerce

No private right of action

Financial institutions are prohibited from disclosing consumer account numbers to nonaffiliated companies even if the consumer has not opted out of sharing information, but other information can be shared without obtaining an opt in.


Dodd-Frank Wall Street Reform and Consumer Protection Act

Response to 2008 financial crisis.

Can enforce against abusive acts or practices –
i. if they materially interfere with consumer's ability to understand a product or service, or
ii. takes advantage of inability to understand the risk, or
iii. inability to protect interests, or
iv. reasonable reliability on a covered person to act in the consumer's interests.



Consumer Financial Protection Bureau.

Part of the Federal Reserve. Rule making authority for the FCRA, GLBA, and Fair Debt Collection Practices Act.

Created by the Dodd-Frank...Act.



1970. Bank Secrecy Act.

Contains regulations relating to currency transactions, transportation of monetary instruments and the purchase of currency-like instruments.

SAR is filed if it is suspected this is violated.


Anti-Money Laundering Laws

1. BSA
2. Currency and foreign transaction report (1970)
3. US Patriot Act


The International Money Laundering abatement and Anti-Terrorism Financing Act.

2001. Part of the Patriot Act.

Expanded reach of BSA and made changes to anti-money-laundering laws.



Suspicious Activities report.


When does a financial institution have to file a SAR?

i. Suspects an insider is committing or aiding in a crime
ii. When entity detects possible crime of $5,000 or more and substantial basis to ID suspect.
iii. When entity detects possible crime of $25,000 or more even without basis to ID suspect.
iv. When entity suspects currency transactions of $5,000+ that involve potential money laundering or violation of acts.