Enforcement of U.S. Privacy and Security Laws Flashcards Preview


Flashcards in Enforcement of U.S. Privacy and Security Laws Deck (34)
1
Q

What is Civil Litigation?

A

Occurs in courts when one person sues another person to redress a wrong.

2
Q

What types of relief may a person seek in civil litigation?

A
  1. Monetary Judgment
  2. Injunction

3
Q

When may a person sue based on a violation of law?

A

When a law creates a private right of action (ex. FCRA)

4
Q

What is Criminal Litigation?

A

Lawsuits brought by the government for violations of criminal laws.

5
Q

What types of punishment are typically associated with Criminal Litigation?

A
  1. Imprisonment
  2. Criminal Fines

6
Q

Who initiates Criminal Litigation?

A
  1. DOJ
  2. State attorneys general

7
Q

What are Agency Enforcement Actions?

A

Actions carried out pursuant to the statutes that create and empower an agency.

8
Q

What is the Administrative Procedure Act?

A

An act laying out the basic rules for agency enforcement actions.

9
Q

What Act and Agency(ies) govern Medical Privacy?

A

Agencies - OCR and CMS (both roll up to HHS)

Act - HIPAA

10
Q

What Act and Agency(ies) govern Financial Privacy?

A

Agencies - CFPB, OCC, FED

Act - GLBA

11
Q

What Act and Agency(ies) govern Education Privacy?

A

Agencies - Dept. of Education

Act - Family Educational Rights and Privacy Act

12
Q

What Act and Agency(ies) govern Telemarketing and Marketing Privacy?

A

Agencies - FCC and FTC

Act - Telephone Consumer Protection Act and other statutes

13
Q

What Act and Agency(ies) govern Workplace Privacy?

A

Agencies - EEOC and other agencies

Act - ADA and other statutes

14
Q

Which Acts give the FTC power to govern privacy issues?

A
  1. FTC Act Section 5
  2. FCRA
  3. Children’s Online Privacy Protection Act (COPPA)
  4. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
  5. Telemarketing Sales Rule

15
Q

What incentives do a company and the FTC have to negotiate a consent decree rather than proceed with full adjudication?

A

FTC

  1. Achieves a consent decree that incorporates good privacy and security practices
  2. Avoids the expense and delay of trial
  3. Gains an enforcement advantage, because fines are easier to assess in federal court if a company violates a consent decree

Company

  1. Avoids a prolonged trial
  2. Avoids negative publicity

16
Q

What is considered “unfair”?

A

An injury that is:

  1. Substantial
  2. Without offsetting benefits
  3. One that consumers cannot reasonably avoid

17
Q

Unfair Case: Gateway

A

Facts: Privacy policy stated Gateway would not sell, rent, or loan PI without explicit consent. If the practice changed Gateway stated they would provide customers an opportunity to opt-out. Gateway started renting PI to third parties without providing the opt-out.

18
Q

Unfair Case: BJ’s Wholesale Club

A

Facts: BJ failed to encrypt PI and secure its wireless networks to prevent unauthorized access. Hundreds of customers’ identities were stolen. Established that failing to implement basic security controls to protect PI is an unfair trade practice.

19
Q

Unfair Case: Google

A

Facts: Google Buzz automatically enrolled consumers and provided personal information to the public. This was in conflict with Google’s privacy notice.

20
Q

Unfair Case: Facebook

A

Facts: Facebook repeatedly made designated personal private information public. This was in violation of Facebook’s privacy notice.

21
Q

What are the Consumer Privacy Bill of Rights?

A
  1. Individual Control
  2. Transparency
  3. Respect for Context
  4. Security
  5. Access and Accuracy
  6. Focused Collection
  7. Accountability

22
Q

What areas did the FTC Report emphasize?

A
  1. Privacy by Design
  2. Simplified Consumer Choice
  3. Transparency

23
Q

What five priorities did the FTC announce for attention?

A
  1. Do Not Track
  2. Mobile
  3. Data Brokers
  4. Large Platform Providers
  5. Promoting enforceable self-regulatory codes

24
Q

How do states enforce against unfair and deceptive practices?

A

Most states have laws similar to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. In addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.

25
Q

Who enforces UDAP laws?

A

State attorneys general

26
Q

How does self regulation occur?

A

Through three traditional separation of powers components: (1) legislation, (2) enforcement, and (3) adjudication

27
Q

What does legislation refer to?

A

To the question of who should define the appropriate rules for protecting privacy.

28
Q

What does enforcement refer to?

A

To the question of who should initiate enforcement actions.

29
Q

What does adjudication refer to?

A

To the question of who should decide whether a company has violated the privacy rules, and with what penalties.

30
Q

Where does self regulation occur under Section 5 of the FTC Act and state UDAP laws?

A

At the legislation stage - companies write their privacy policies.

31
Q

What is PCI DSS?

A

Payment Card Institute Data Security Standard

32
Q

Where does self regulation occur with PCI DSS?

A

At all three stages.

33
Q

What is GPEN?

A

Global Privacy Enforcement Network. It aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.

34
Q

What is APEC?

A

Asia-Pacific Economic Cooperation. The Asia-Pacific Cross-Border Privacy Enforcement Arrangement (CPEA) aims to establish a framework for participating members to share information and evidence in cross-border investigations and enforcement actions in the Asia-Pacific region.