I-C: Enforcement of Privacy & Data Security Laws Flashcards

1
Q

Civil Litigation

A

When one person (the plaintiff) sues another person (the defendant) to redress a wrong.

2
Q

Criminal Litigation

A

Actions brought by the government for violation of criminal laws.

3
Q

Administrative Enforcement Actions

A

Carried out pursuant to the statutes that create and empower an agency (e.g., FTC)

4
Q

Civil Litigation Plaintiff

A

Government agency, legal person, or natural person

5
Q

Criminal Litigation Plaintiff

A

DOJ (federal) or state prosecutor

6
Q

Basis for Civil Litigation

A

Civil violation of a statute or a civil wrong arising under common law (e.g., tort or contract)

7
Q

Basis for Criminal Litigation

A

Violation of a criminal statute

8
Q

Civil Litigation - Relief Awarded

A

Money damages, injunction, specific performance, declaratory judgment

9
Q

Criminal Litigation - Relief Awarded

A

Criminal sentence (e.g., fine or prison sentence)

10
Q

Civil Litigation - Standard of Liability

A

Preponderance of the evidence

11
Q

Criminal Litigation - Standard of Liability

A

Guilty beyond a reasonable doubt

12
Q

Legal Liability

A

A finding by a court, or other adjudicatory body, such as an administrative law judge, that the defendant is legally obligated or accountable to the plaintiff

13
Q

Basis for Liability

A

Breach of contract, a tort, or violation of a statute

14
Q

Breach of Contract

A

When one party fails to perform any of its contractual obligations at the time that performance is due

15
Q

Tort

A

A civil wrong, other than a breach of contract, that causes injury to another person

16
Q

Privacy-Related Torts: Burden

A

Highly offensive to a reasonable person

Note: When conduct becomes a “substantial burden” to one’s existence, it will be highly offensive (i.e., applies to extreme situations like placing a spy camera in a bathroom).

17
Q

Privacy Related Torts

A

Intrusion Upon Seclusion

Appropriation of Name or Likeness

Publicity Given Private Life

False Light

18
Q

Breach of Contract Relief

A

Monetary Damages

Specific Performance

19
Q

Breach of Contract: Monetary Damages

A

Damages are measured by one of three interests that are protected by contract:

Expectation Interest

Reliance Interest

Restitution Interest

20
Q

Breach of Contract: Expectation Interest

A

Protects the benefit of the bargain that the parties entered into.

Expectation damages seek to put the plaintiff in the position he or she would have been in had the contract been performed.

21
Q

Breach of Contract: Reliance Interest

A

Refers to the loss caused by relying upon the contract.

Reliance damages seek to put the plaintiff in the position he or she would have been in had the contract NOT been made.

22
Q

Breach of Contract: Restitution Interest

A

Protects the benefits that a party has conferred on the other.

Restitution damages seek to prevent one party from being unjustly enriched as a result of the breach.

Note: measured by the value of the benefit that has been conferred on the other party.

23
Q

Specific Performance

A

A party in violation of a contractual agreement is ordered to comply with the terms thereof.

Available for breaches involving the sale of goods or property, but NOT for service or labor cases.

24
Q

Forum Selection Clause

A

The parties can agree, with some limits, which court will hear any dispute that may arise between them.

25
Arbitration Clause
The parties can agree that an arbitrator must hear a dispute.
26
Void or Voidable
A contract or specific provision within a contract may be considered void or voidable if:

Both parties enter into the contract under a mutual misunderstanding

One party makes a material misrepresentation that induces the other party to enter into the contract (fraudulent inducement)

The agreement is against public policy
27
Tort Remedies
Monetary damages to compensate for the injuries sustained

Injunction barring the defendant from engaging in any future tortious conduct
28
Intentional Torts
Arise from those actions that a party knows or should know would cause harm to another

E.g., assault, battery, false imprisonment
29
Negligent Torts
A party acts unreasonably by failing to observe the standard of care required under the circumstances, though not necessarily intending to harm
30
Negligence: Elements
Duty

Breach

Causation

Damages
31
Negligence: Duty
Plaintiff must establish that they have an interest that is protected from unlawful invasion (i.e., the defendant has a duty not to cause harm to that protected interest)
32
Negligence: Breach
Plaintiff must establish that the defendant breached its duty not to invade the plaintiff's protected interest by acting negligently or below the required standard of care required by the circumstances.
33
Reasonable Person Standard
Measured by "what a reasonable man under like circumstances" would consider appropriate.
34
Negligence: Causation
Plaintiff must establish that the defendant's conduct is both the proximate and actual cause of the plaintiff's injury
35
Negligence: Actual Causation
Plaintiff must prove "but for" the defendant's conduct the plaintiff would not have been injured
36
Negligence: Proximate Causation
Plaintiff's injuries were REASONABLY FORESEEABLE based upon the defendant's conduct, or the conduct is legally sufficient to impose liability
37
Negligence: Damages
Plaintiff must prove that they were damaged or harmed by the defendant's conduct
38
Negligence
Conduct that falls below the standard established by law for the protection of others against unreasonable risk of harm

Note: both an act and the failure to act can be considered negligent conduct
39
Strict Liability Torts
Torts that occur when a particular action happens, regardless of the state of mind or intent of the party committing the tort (e.g., product liability)

Note: Plaintiff needs only to prove that the defendant engaged in certain prohibited conduct
40
Intrusion Upon Seclusion
Occurs when a person "intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns."
41
Appropriation of Name or Likeness
Occurs when a person uses another's name or likeness for their own benefit without permission
42
Publicity Given to Private Life
Occurs when a person publicizes matters concerning another's private life that are not a legitimate public concern.
43
False Light
Occurs when a defendant publicizes a matter concerning another's private life that places them in a false light, and only if the defendant's conduct would be highly offensive to a reasonable person.
44
Administrative Enforcement Action
A corollary to, and often a necessary prerequisite to, the civil enforcement of statutory requirements in a court of law
45
Administrative Procedures Act (APA)
Provides a set of rules that govern administrative enforcement actions. (Administrative enforcement actions are commonly prosecuted under the APA)

Note: APA is the equivalent of court rules or the Federal Rules of Civil Procedure
46
FTC Enforcement Authority
Section 5 of the FTC Act is the most essential type of enforcement action in the field of privacy regulation.
47
Medical Privacy Enforcement
The Office of Civil Rights (OCR) in the U.S. Department of Health and Human Services (HHS) enforces the Health Insurance Portability and Accountability Act (HIPAA)
48
Financial Privacy Enforcement
The Consumer Financial Protection Bureau (CFPB) is generally responsible for financial consumer protection issues. The Federal Reserve and the Office of Comptroller of the Currency (OCC) have privacy enforcement responsibilities for institutions under their jurisdiction under the Gramm-Leach-Bliley Act (GLBA)
49
Education Privacy Enforcement
The U.S. Department of Education enforces the Family Educational Rights and Privacy Act (FERPA)
50
Telecommunications and Marketing Privacy Enforcement
The Federal Communications Commission (FCC) has responsibilities under the Telephone Consumer Protection Act (TCPA) and other statutes.
51
Workplace Privacy Enforcement
Agencies, including the Equal Employment Opportunity Commission (EEOC), are responsible for enforcing the protections in the Americans with Disabilities Act (ADA) and other anti-discrimination statutes.
52
U.S. Department of State (DOS)
Negotiates internationally on privacy issues with other countries and in multinational groups such as the UN or OECD
53
U.S. Department of Commerce (DOC)
Administers the agreements on privacy protections for data flows between the US and the EU.

The DOC negotiates internationally on privacy issues with other countries and multinational organizations (e.g., UN & OECD).
54
U.S. Department of Transportation (DOT)
The Federal Aviation Administration (FAA) plays a role in drones.

The National Highway Traffic Safety Administration (NHTSA) addresses privacy and security issues for connected cars.
55
Office of Management and Budget (OMB)
Lead agency for interpreting the Privacy Act of 1974, which applies to federal agencies and private-sector contractors to those agencies.
56
Internal Revenue Service (IRS)
Subject to privacy rules concerning tax records, including disclosures of such records in the private sector.
57
U.S. Department of Homeland Security (DHS)
Privacy issues, including the E-Verify program for new employees, rules for air traveler records under TSA, and immigration and other border issues under ICE.
58
U.S. Department of Justice
The sole federal agency to bring criminal enforcement actions

E.g., HIPAA provides for both civil and criminal enforcement
59
FTC Jurisdiction
FTC enforces anti-trust laws and consumer protection laws

Note: this includes privacy & information security issues
60
Section 5 of the FTC Act
Unfair and deceptive acts or practices in or affecting commerce are illegal (a.k.a. consumer protection)
61
NOT Covered by Section 5
Non-profit organizations

Banks & federally regulated financial institutions

Common Carriers (transportation & communications industries)
62
FTC Enforcement of FCRA
FTC enforces privacy violations in credit reporting and debt collection practice under FCRA
63
FTC v. Wyndham Worldwide Corp.
The FTC's authority to regulate "unfair methods of competition in or affecting commerce" under Section 5 of the FTC Act extends to regulation of cybersecurity practices that are harmful to consumers
64
FTC v. LabMD
The 11th Circuit Ct. held that the FTC's consent order was void because the order's security program requirements were not sufficiently specific to be enforceable.
65
FTC Enforcement
Section 5(1) - administrative enforcement

Section 13(b) & Section 19 - judicial enforcement
66
FTC Enforcement of Section 5(1)
FTC issues a complaint and then determines via an administrative proceeding whether a violation has occurred.
67
FTC Enforcement of Section 13(b)
FTC seeks "equitable money relief" such as restitution and disgorgement without first issuing a final cease-and-desist order

NOTE: AMG Capital Management v. FTC (2021)
68
AMG Capital Management v. FTC (2021)
SCOTUS held the FTC was NOT authorized to obtain monetary relief, or damages, under Section 13(b).
69
FTC Enforcement of Section 19
Allows the court to grant necessary relief if the FTC first issued a final cease-and-desist order to the company.
70
FTC Rulemaking Authority under Magnuson-Moss
The FTC can promulgate a trade rule regulation, which defines an act or practice as unfair or deceptive, "only where it has reason to believe that the unfair or deceptive acts or practices which are subject of the proposed rule-making are prevalent."
71
Magnuson-Moss requires the FTC to establish:
The prevalence of the acts or practices

How the acts and practices are unfair or deceptive

The economic effect of the rule, including on consumers and small businesses.
72
FTC Enforcement Process of Section 5
1. FTC identifies questionable practices or complaints via press reports & consumers
2. FTC formally investigates the complaints or claims
3. If a law is or has been violated, then the FTC issues a complaint, and an administrative trial proceeds before the ALJ
4. If the ALJ finds a violation, the ALJ can enjoin the respondent from continuing the violating practices (Note: FTC cannot assess civil penalties)
5. The respondent can appeal the ALJ's decision to the five commissioners.
6. The commissioners' decision can then be appealed to federal court.
7. If an FTC ruling is ignored, then the FTC can seek civil penalties in federal court
73
Consent Decrees
The respondent does not admit fault but promises to change its practices and avoids further litigation on the issue

Note: the majority of FTC enforcement actions end in consent decrees
74
Consent Decree Violations
Violations of consent decrees can lead to an FTC investigation and enforcement in federal court, including civil penalties
75
Consent Decrees in Privacy Cases
Periodic outside audits or reviews of their practices

May be required to adopt and implement a comprehensive privacy program
76
Deceptive Trade Practice
A practice is deceptive when there is a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances
77
Deceptive Practices Include:
False promises

Misrepresentations

Failures to comply with representations made to consumers (e.g., privacy notices or compliance with an industry standard)
78
Deceptive Privacy Practice Example
A company promised a certain level of privacy or security on its website or elsewhere, and did not fulfill its promise
79
In the Matter of Facebook
In 2019, Facebook agreed to pay a $5 billion fine to settle allegations that the company deceived users about their ability to control the privacy of personal data
80
In the Matter of Everalbum
Facts: Everalbum misled users by automatically activating the facial recognition feature and failed to delete users' videos and photos when they deleted their accounts

Settlement: Everalbum agreed to algorithmic disgorgement, which required the company to delete the facial recognition algorithms developed using inappropriately obtained consumer data
81
Unfair Trade Practices
Practices that cause or are likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition
82
Unfair Trade Practices can exist when:
Even where the company has not made any deceptive statements, if (1) the injury is substantial, (2) it is not offset by benefits, and (3) it cannot be easily avoided by consumers
83
Unfair Trade Practices - Privacy Examples
Companies failed to implement adequate protection measures for sensitive personal information

Companies provided inadequate disclosures to consumers
84
In the Matter of Equifax
Facts: Equifax failed to engage in reasonable security measures to protect its network, which led to a data security breach

Settlement: Equifax agreed to pay $300 million to create a fund for affected customers and implement a comprehensive security program for 20 years
85
In the Matter of Uber
Facts: 2016 breach: Uber's chief of security & his team did not disclose the breach to the general counsel as required by internal policies. Instead, they paid the $100,000 ransom & had the hackers sign a non-disclosure agreement. They also failed to notify the FTC of the breach.

Criminal Prosecution: In 2022, Uber's former chief of security was found guilty by a jury of the following crimes: obstructing an FTC investigation and concealing a felony from authorities.
86
Additional FTC Authority to Protect Consumer Privacy and Security
The FTC also has authority over privacy and security issues under COPPA, HITECH, FCRA, and the CAN-SPAM Act.
87
State Enforcement Actions
Several federal statutes specifically permit state attorneys general to bring enforcement actions alongside, or independent of, federal regulators (e.g., the Fair Credit Reporting Act "FCRA")
88
State Unfair and Deceptive Practices
UDAP statutes have been adopted in every state

Similar to FTC's Section 5 authority

Enforced by the state attorney general

Every state except Iowa provides a private right of action under its respective UDAP statute
89
California Privacy Protection Agency
The California Privacy Protection Agency (CPPA) is charged with administering and enforcing the California Consumer Privacy Act (CCPA).
90
Global Privacy Enforcement Network (GPEN)
A network that connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy. The US is a member through the FTC, FCC, and the CA AGO
91
5 Ways GPEN Promotes Cooperation
1. By exchanging information about relevant issues, trends, and experiences
2. By encouraging training opportunities and sharing of enforcement know-how, expertise, and good practice
3. By promoting dialogue with organizations having a role in privacy enforcement
4. By creating, maintaining, and supporting processes or mechanisms useful to bilateral or multilateral cooperation
5. By undertaking or supporting a set of specific actions related to communications and training outlined in the action plan
92
The Organization for Economic Cooperation and Development (OECD)
Adopted the Recommendation on Cross-Border Cooperation in the Enforcement of Laws Protecting Privacy.
93
OECD Purpose
"Member countries . . . Foster the establishment of an informal network of Privacy Enforcement Authorities and other appropriate stakeholders to discuss the practical aspects of privacy law enforcement co-operation, share best practices in addressing cross-border challenges, work to develop shared enforcement priorities, and support joint enforcement initiatives and awareness raising campaigns."
94
Cross-border Privacy Enforcement Arrangement (CPEA)
An international coordination for the cross-border regulation of information privacy.
95
CPEA Goals
1. To facilitate information sharing among Privacy Enforcement Authorities in APEC economies
2. To provide mechanisms to promote effective cross-border cooperation between authorities in the enforcement of Privacy Law
3. To encourage information sharing and cooperation on privacy investigation and enforcement with PE Authorities outside APEC
96
Self-Regulatory Enforcement
The self-policing of industry groups for compliance with established privacy protection standards.

Example: PCI-DSS imposes significant obligations, enforced by individual card brands
97
Self-Regulatory Benefits
Relies upon industry expertise

Increased efficiency

More flexibility

Quicker to respond to changes
98
Self-Regulatory Critiques
Anti-competitive

Not as robust

Lack of enforcement

Fails to incorporate diverse perspectives
99
Co-Regulatory Enforcement
Occurs when both industry groups and government authorities jointly administer the regulatory process. Example: Regulation of children's online privacy under the Children's Online Privacy Protection Act of 1998 (COPPA)
100
Payment Card Industry Data Security Standard (PCI-DSS)
Developed by the PCI Security Standards Council, which includes all major credit card companies.
101
PCI-DSS applies to:
PCI-DSS applies to anyone who accepts or processes payment cards.
102
PCI-DSS 12 Requirements
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
103
PCI-DSS requires companies accepting or processing payment cards to hire:
A Qualified Security Assessor and an Approved Scanning Vendor to assess and detect security violations
104
Trust Marks (a.k.a. Privacy Seal Program)
Programs that require companies to abide by a set of principles and operating procedures in exchange for the right to display a seal or logo indicating certification with those principles. E.g., The Better Business Bureau
105
The Digital Advertising Alliance (DAA)
A consortium of advertising and marketing trade groups that developed the AdChoices system. AdChoices allows consumers to opt out of online interest-based ads.