Information Management From A US Perspective Flashcards

1
Q

What risks should a company consider in designing a privacy program?

A

Legal - compliance with laws, contracts and industry standards
Reputational - protect company reputation
Operational - ensure privacy program is administratively efficient
Investment - receive return on investments in light of privacy regulations

2
Q

What are the 4 steps for information management?

A

Discover - what are the company's practices and goals
- determination of best practices
- issue identification and self-assessment
Build - how to meet those goals
- procedure development and verification
- full implementation
Communicate - internally and externally
- documentation and education
Evolve - review and update the program based on changes in technology, laws, etc.
- affirmation and monitoring
- adaptation

3
Q

What controls / practices should orgs use for managing PI?

A

Data inventory - inventory the PI an organization collects
- identifies risks that could affect reputation or legal compliance
Data classification - classify data to determine the appropriate level of protection
- helps an org address compliance audits for a particular type of data, respond to legal discovery requests, and use storage resources cost-effectively
Documenting data flows - systems / apps / processes for handling data
- helps identify areas for compliance attention
Determining data accountability - ensuring compliance with privacy laws and policies

4
Q

When to have one or two privacy policies?

A

1 - if the org has a consistent set of values and practices for all its operations
2 - if the org has well-defined divisions or lines of business that use data in different ways, do not share data with each other, and are perceived by the public as different businesses

5
Q

Privacy policy review and approval

A

Needs legal consultation and executive approval
If a policy needs to be revised, the org should announce the change first to employees and then to customers
Companies should obtain opt-in (affirmative express) consent before making material retroactive changes to how previously collected data is handled (e.g., starting to share consumer data with third parties)

6
Q

How to communicate privacy policies through a notice?

A

Make the notice available online
Make the notice accessible in places of business
Provide updates and revisions
Ensure that the appropriate personnel are knowledgeable about the policy

7
Q

Policy version control best practices

A

Ensure all locations where policies are stored are updated systematically
Include the revision date and a version number
Save and store older versions of privacy policies and notices

8
Q

What is opt-in?

A

Also called affirmative consumer consent or express consent
An affirmative indication of choice based on an express act of the person giving the consent
Ex: selecting an unchecked checkbox

9
Q

What is opt-out?

A

A choice that is implied by the failure of the person to object to the use or disclosure
"Unless you tell us not to, we will share your data"
Ex: unchecking a pre-checked box

10
Q

What legal acts require opt-in?

A

COPPA
HIPAA
FCRA

11
Q

What is no option?

A

No consumer choice
Companies do not need to provide a choice before collecting and using consumer data for practices that are consistent with the context of the transaction, consistent with the company's relationship with the consumer, or required by law

12
Q

What are challenges for managing user preferences?

A
- The scope of an opt-out or another user preference can vary
- The mechanism for providing an opt-out or another user preference can also vary
- Linking a user's interactions across multiple channels
- The time period for implementing user preferences
- Third-party vendors processing on behalf of the company

13
Q

What laws and frameworks give consumers the right to access PI held about them?

A
FCRA
HIPAA
OECD guidelines
APEC principles
Privacy Shield

14
Q

What should be included in a contract with a vendor?

A

Confidentiality provision
No further use of shared information
Use of subcontractors
Requirements to notify and disclose a data breach
Information security provisions

15
Q

What vendor due diligence standards should a company consider using?

A
Reputation
Financial condition and insurance
Information security controls
Point of transfer / secure transfer 
Disposal of information
Employee training and awareness
Vendor incident response
Audit rights / assessments (ISO, SOX, etc.)

16
Q

GDPR requirements

A
Notification of security breaches
Requirements for processors
Designation of a DPO (data protection officer)
Accountability obligations
Rules for international transfers
Fines of up to 4% of a company's annual worldwide turnover (or €20 million, whichever is higher)
Data subject rights (DSRs)
Data protection by design and by default

17
Q

What are the lawful bases for transfer between the US and EU?

A

Privacy Shield
Standard contractual clauses
Binding corporate rules

18
Q

What is privacy shield?

A

Commitments by US companies wishing to import personal data from the EU: the company accepts obligations on how the data can be used, which are legally binding and enforceable (by the FTC)
Caveat: the CJEU invalidated Privacy Shield in July 2020 (Schrems II); its successor is the EU-US Data Privacy Framework, adopted in July 2023

19
Q

Standard contractual clauses

A

A company contractually promises to comply with EU data protection law and to submit to the supervision of an EU data protection supervisory authority

20
Q

Binding corporate rules

A

A multinational company can transfer data between its affiliates in different countries after its internal rules are approved by an EU data protection supervisory authority

21
Q

What are threats to online privacy

A

Unauthorized access
Malware
Phishing
Spear phishing
Social engineering
Technically based attacks

22
Q

Unauthorized access

A

Unauthorized access to a website or computer system; this access may be criminal behavior such as fraudulent use of identity credentials and related financial information

23
Q

Malware

A

Software that is designed for malicious purposes

Ex: provide an attacker unauthorized control over a remote computer

24
Q

Phishing

A

Term for emails or other communications designed to trick a user into believing that he or she should provide a password, account number, or other information

25
Q

Spear phishing

A

A phishing attack that is tailored to the individual user
Ex: an email that appears to come from the user's boss instructing the user to provide information

26
Q

Social engineering

A

General term for how attackers try to persuade a user to provide information or otherwise create a security vulnerability. The social engineer targets a user within an org who may have access to private information
Ex: using an assumed identity in communications, eavesdropping on private conversations or calls, impersonating an employee or contractor

27
Q

Technically based attacks

A

The attacker exploits a technical vulnerability or inserts malicious code
Examples: SQL injection, cookie poisoning, use of malware, XSS (cross-site scripting)

28
Q

How to ensure online security

A

Secure web access
- multi-factor authentication
- encryption in transit with TLS
Protect online identity
- use unique passwords and a password manager; change passwords regularly (current NIST guidance, SP 800-63B, favors changing them on evidence of compromise rather than on a schedule)
- use antivirus software, install patches
- keep current on known Wi-Fi vulnerabilities
- restrict what files and directories can be accessed by the website and its services
- be cautious of public shared computers and public charging stations
- be cautious about providing personal info unless you know the site is secure

29
Q

What types of online attacks do users face?

A

Spam email - unsolicited commercial email
Phishing
Malware - spyware & ransomware

30
Q

Whaling

A

Specialized type of phishing that targets C-suite executives, celebrities and politicians

31
Q

Examples of malware

A

Viruses
Worms
Spyware
Ransomware

32
Q

Mobile online privacy concerns

A

Location-based services (LBS) are expanding quickly
How to provide notice
Geolocation data

33
Q

What types of third-party interactions are causing the boundaries of websites to become blurred, and what should privacy professionals ensure?

A

Syndicated content
Web services
Co-branded online ventures
Widgets
Online advertising networks
Privacy professionals should ensure appropriate privacy protections are in place and that it is clear which entities are capturing or receiving personal info in these scenarios

34
Q

What is cross-device tracking?

A

When advertisers map users as they move between devices such as laptops and smartphones

35
Q

Cross-context tracking

A

When advertisers gather information as users move among different online environments such as search engines and social media sites

36
Q

What is the Do Not Track approach in digital advertising?

A

A suggestion by the FTC that would allow individuals to make a single choice not to be subjected to targeted online advertising

37
Q

What is the EU cookie directive?

A

Requires that users give consent before cookies are placed on their computers, preventing cookie tracking of their online activities if they do not opt in (the ePrivacy Directive, as amended in 2009; cookies strictly necessary for a service the user requested are exempt)

38
Q

What are some online advertising techniques?

A

Pop-up ads
Adware - software bundled with free software that monitors the end user's online behavior to target advertising; without consent this may be considered spyware

39
Q

What are web cookies?

A

Data a web server stores on a user's device and that the browser sends back on later requests, linking a computing device to previous actions by the same device

40
Q

What are the types of cookies?

A

Session cookie - stored only while the user is connected to the particular web server and deleted when the browser is closed. Ex: online shopping carts
Persistent cookie - set to expire at some point in the future. Ex: authenticating visitors to a website where they have an account, social networking, personalizing sites based on a user's interests
First-party cookie - set by the web server hosting the application the user is visiting
Third-party cookie - set and read by, or on behalf of, a party other than the web server the user is visiting
Flash cookie - stored and accessed by Adobe Flash; not cleared by the browser's cookie controls, and users are not notified when it is collected and stored (Flash Player reached end of life in December 2020)
HTML cookie - a small text file that a web server places on the user's hard drive, which can be deleted

41
Q

Web beacon

A

Provides the ability to produce specific profiles of user behavior in combination with web server logs
Ex: online ad impression counting, file download monitoring, ad campaign management (click-through rates, ad frequency limitation), read receipts on emails

42
Q

Digital fingerprinting

A

Can identify a device based on information revealed to a website by the user's browser. Certain information is recorded in the web server's log files; some of it, such as the fonts installed on the requesting computer, can be used to fingerprint a device
Used by financial institutions so that an account holder is asked for additional security assurances before logging in from a new device
Privacy concern: fingerprinting techniques being used for targeted advertising instead of just security, and what notice and consent is sufficient

43
Q

Privacy concerns with search engines

A

The contents of a search may give clues about the searcher's identity when a user looks up their own name, as may search patterns around a person's address or workplace
Searches may reveal medical information or political views

44
Q

Privacy concerns with online social networking

A

Privacy controls are not consistent
Transmission of personal data to unwanted third parties
Personal data being sold to advertisers
Intruders stealing passwords or other unencrypted data

45
Q

Desktop / laptop advertising ecosystem

A

Cookies allow advertisers to build profiles of a device's online activities, which can then be used to create targeted advertising tailored to the user of the device

46
Q

Mobile advertising ecosystem

A

A single user of three different apps on the same device will appear as three different users (sandboxing), creating app-specific device IDs
Rich source of location data, which enables precise ad targeting
Wi-Fi routers and Bluetooth signals allow advertisers to target ads based on the user's location

47
Q

EU data protection vs e-discovery

A

Remains challenging with no simple resolution
Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters

48
Q

Accountability

A

The implementation of appropriate technical and organizational measures to ensure, and be able to demonstrate, that the handling of personal data is performed in accordance with relevant law

49
Q

APEC privacy framework

A

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) that mirror the OECD fair information practices. They seek to promote electronic commerce throughout the Asia-Pacific region by balancing privacy with business needs

50
Q

What are the principles of the APEC framework?

A

Preventing harm
Notice
Collection limitation
Uses of personal information
Choice
Integrity of personal information
Security safeguards
Access and correction
Accountability

51
Q

Ransomware

A

A type of malware with which the malicious actor either locks a user's operating system, restricts the user's access to their data and/or device, or encrypts the data so the user is prevented from accessing their files. The victim is then told to pay a ransom to regain access

52
Q

Spyware

A

Software that is downloaded covertly, without the understanding or consent of the user, and used to fraudulently collect and use sensitive personal information
Some spyware can take control of the device's camera or microphone, or report keystrokes

53
Q

Fair information practices

A

Guidelines for handling, storing and managing data with privacy, security and fairness in a rapidly evolving information society

54
Q

Principles of fair information practices

A

Rights of individuals
- notice
- choice and consent
- data subject access
Controls on the information
- information security and quality
Information lifecycle
- collection
- use and retention
- disclosure
Management
- management and administration
- monitoring and enforcement

55
Q

OECD guidelines

A

The OECD (Organisation for Economic Co-operation and Development) is an international org
Its privacy guidelines are the most widely recognized framework for FIPs and are endorsed by the US FTC and many other government orgs

56
Q

Comprehensive model of data protection

A

Governs the collection, use and dissemination of personal information in the public and private sectors
An official or agency is responsible for overseeing enforcement
Ex: the data protection authorities in the EU

57
Q

Sectoral model of data protection

A

Used by the US
The framework protects personal information by enacting laws that address a particular industry sector