Missed Questions Flashcards

(113 cards)

1
Q

What legislation ended certain bulk collection practices of the US government for national security purposes?

A

The USA Freedom Act

1
Q

What are requirements regarding use of directory information under FERPA?

A

social security number may never be considered directory information

students must be provided right to opt out before directory info is shared

schools can determine their own list of what constitutes directory information

2
Q

what organization created K-12 school service provider pledge to safeguard student privacy?

A

Software and Information Industry Association in concert with the Future of Privacy Forum

pledgees agree not to undertake numerous activities as well as undertake affirmative obligations aimed at protecting student privacy

violation is enforced as deceptive trade practice by FTC

3
Q

majority of state data breach notification laws include

A

requirement that notice to affected consumers be provided in writing

4
Q

minority of state data breach notification laws include

A
  1. materiality requirement for determining when breach occurs
  2. specific requirements about what must be included in notice to affected individuals
  3. inclusion of biometric data in definition of personal info
5
Q

type of security failure that is primary cause of most data security incidents

A

human error

6
Q

technical protection examples

A

computer code
electronic systems designed to limit access to authorized users and maintain integrity of data from outside attack

7
Q

administrative protections examples

A

policies designed to limit access to data to only employees who need access to accomplish their assigned job functions

8
Q

are non-profit entities subject to the FTC's jurisdiction under the FTC Act, COPPA, or both?

A

neither FTC act nor COPPA

COPPA - exempt from definition of operator
FTC - specifically exempt under FTC Act

9
Q

HITECH made the following changes to HIPAA

A
  1. business associates directly subject to HIPAA
  2. term limited data set is defined
  3. term covered entity, business associate, and protected health information are codified

didn’t change minimum necessary requirements

10
Q

what feature of binding corporate rules separates it from other international transfer mechanisms available under GDPR

A

only apply to international data transfers that occur within an organization not transfers to 3rd parties

11
Q

Fair Information Practice of access is commonly considered to include

A
  1. ability to view information an organization collects
  2. ability to update or correct inaccurate info
12
Q

what must a user of a consumer report do before re-selling a consumer report?

A

notify CRA of
1. identity of end users of report
2. each permissible purpose for which the end user will utilize the report

13
Q

what are benefits of data flow mapping

A
  1. mitigate risk associated with data processing
  2. facilitate identifying problems within an organization's data processing
  3. increase confidence in regulatory compliance

doesn’t help limit amount of data disclosed in event of data breach

14
Q

GDPR individual rights

A
  1. data portability
  2. rectify data
  3. right to be forgotten
  4. consent

doesn’t include right to opt out of data selling

15
Q

National Institute of Standards and Technology recommends that employees be provided data privacy and security training when any of the following occur

A
  1. upon being hired (or promoted)
  2. as needed by the organization
  3. when changes are made to the information system or policies

not once annually

16
Q

What article in the GDPR makes it illegitimate to transfer data to a 3rd country or to an international organization in the absence of a valid transfer mechanism?

A

article 44

17
Q

what type of privacy protection model is overseen by multiple regulators

A

sectoral model
- select market segments are governed by different privacy laws
- no overarching regulatory regime applicable across the entire economy

18
Q

standard order of privacy operational life cycle

A

assess (create processes to evaluate program)
protect (implement practices)
sustain (manage program)
respond (respond to failures)

19
Q

when is the no-option form of consent to be expected

A

product fulfillment
fraud prevention
internal operations
legal compliance
public purpose
1st party marketing

20
Q

CA attorney general has authority to bring civil action for violation in

A
  1. Consumer Financial Protection Act
  2. Fair Credit Reporting Act
  3. Red Flags Rule

not GLBA

21
Q

GLBA privacy rule notice requirement

A

notice must be provided at the start of customer relationship and annually thereafter

no requirement for notice to be online but doing so is a best practice and may be required under state law (CALOPPA)

22
Q

what law or regulation was enacted to facilitate in certain cases the compassionate sharing of info related to patients

A

21st Century Cures Act
- HHS must issue guidance on compassionate sharing of mental health and substance abuse info with family members and caregivers

23
Q

CCPA parental consent must be obtained before selling PI of children under what age

A

under 13 years old

13-15: may obtain consent directly from child through opt-in procedure

24
Q

what unique characteristic makes a consent decree different than most other types of contracts?

A

a consent decree is approved by a court, which enters a judgment incorporating the parties' settlement agreement

25
Q

what change to the VPPA was made by congress in 2012

A

contemporaneous consent to disclosure of personally identifiable information is not necessary; a one-time consent may be made that is valid for two years

26
Q

social engineering refers to

A

manipulation of individuals so as to create security vulnerabilities, often used in concert with specific types of cyber attacks

27
Q

two primary goals served by implementing legal protections over personal information

A
  1. compensation to those who have been wronged
  2. create deterrence

28
Q

what is thought of as the 3rd model of governmental privacy protection

A

co-regulatory model
- combines aspects of self-regulatory model and either comprehensive or sectoral model
- industry will develop and enforce appropriate standards, but that industry is then overseen by a government regulatory agency

29
Q

Tennessee data breach notification law

A

amended law in 2016 to remove provision that exempted encrypted data from notification requirements

following year it provided that a breach of encrypted data will only subject a company to the law's notice requirements where the encryption key is also compromised

30
Q

HIPAA privacy rule not entitled to access to

A

- psychotherapy notes
- information compiled in anticipation of litigation or regulatory action

31
Q

what jurisdiction recently imposed a requirement on employers utilizing automated tools to make employment decisions the requirement to conduct bias audits related to the use of any such tool?

A

New York City
- must be subject of bias audit conducted no more than 1 year prior to use of tool
- bias audit: impartial evaluation by independent auditor that includes assessment of its disparate impact on persons on basis of sex, race or ethnicity

32
Q

pseudonymizing data

A

process of transforming data so that it can no longer be attributed to a specific person without the use of additional information

can be reversed so that info can be reidentified with specific person

33
Q

what type of information may never be shared with nonaffiliated 3rd party for marketing purposes under GLBA privacy rule

A

customer account number and access codes

34
Q

what entities have authority to enforce HIPAA

A

- department of HHS
- state attorneys general
- department of justice

not private individuals

35
Q

who the protection of pupil rights amendment act of 198 grants individual rights to

A

- parents of student if student is under 18
- student if student is over 18 or emancipated

36
Q

medical examinations

A

ADA: prospective employee may be required to submit to medical examination if
- all entering employees are subject to same examination
- info about any med condition is kept separate from other info and treated as confidential med record
- results of test are used only in accordance with the other provisions of ADA

MAY NEVER BE USED UNLESS EXAM OR INQUIRY IS JOB RELATED AND CONSISTENT WITH BUSINESS NECESSITY

37
Q

Fair Credit Reporting Act mandates what type of consumer consent with respect to the use of firm offers of credit or insurance

A

opt-out consent
38
Q

structured transaction under bank secrecy act

A

engaging in transactions in such a way as to avoid reporting requirements

39
Q

what laws does the department of labor enforce

A

- fair labor standards act
- employee retirement income security act
- houses occupational safety and health administration, which oversees the enforcement of workplace safety

40
Q

who bears the burden of considering the impact that a 3rd country's laws will have on the use of standard contract clauses

A

controllers and processors that make use of the standard clauses

41
Q

preemption GLBA vs FCRA

A

- there is no preemption under GLBA
- FCRA preempts state laws; exception for laws relating to identity theft and laws carved out by congress

42
Q

Prism and upstream programs are authorized under which of the following

A

section 702 of the FISA Amendments Act of 2008
- allows attorney general and director of national intelligence to jointly authorize, for a period of up to one year, the targeting of persons outside the US to acquire foreign intelligence information

43
Q

SCC Schrems II

A
  1. supervisory authorities must prohibit use of SCC if they are not and cannot be complied with in 3rd country
  2. SCC must ensure essentially equivalent level of protection as that afforded under GDPR
  3. determining whether the use of SCC is valid requires consideration of the legal system of the 3rd country where data will be transferred

44
Q

what is the third form of litigation

A

administrative enforcement action
- CPPA is 1st administrative agency dedicated solely to consumer privacy issues and is created by CPRA

45
Q

global privacy enforcement network

A

network that connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy

includes: FTC, FCC, and CA AG

46
Q

data flow map

A

how info flows through organization across the entire life cycle of that data

47
Q

data classification scheme

A

classification system that provides the basis for managing access to and protection of data assets

48
Q

privacy operational lifecycle may also be called (not APSR)

A

discover, build, communicate, evolve

49
Q

accountability principle

A

organization must take responsibility for protecting PI and using it in a manner that is both
- consistent with the law
- done in manner that treats individual equitably

organization has ultimate responsibility for legal compliance

50
Q

EU cookie directive

A

info stored in cookie is considered PI under GDPR, thus it requires user consent

51
Q

GDPR - processing of children's data

A

prohibits processing data of children under 16 in absence of verifiable parental consent

52
Q

CCPA - children

A

prohibits sale of personal data of children under 16 without appropriate consent
53
Q

layered privacy notice

A

privacy notice that includes short notice at top of document that sets forth key points of a privacy disclosure, followed by an option for users to review a more detailed privacy notice

54
Q

just in time notice

A

providing privacy notice at the time that information is collected; may take form of layered notice

55
Q

privacy dashboard

A

single point provided to consumers where they can view privacy information and make choices about how their data is processed

56
Q

privacy icons

A

symbols used to indicate that an organization processes info in a particular manner (ex. AdChoices)

57
Q

ad hoc contract clauses

A

specifically drafted clauses that must be approved prior to transfer of data; disfavored

58
Q

codes of conduct

A

co-regulatory programs in which an organization undertakes a binding and enforceable obligation to abide by that code of conduct

59
Q

derogations

A

exceptions to general prohibition on international transfer; relied on as last resort (ex. explicit consent of data subject)

60
Q

is there a private cause of action under the FTC act

A

no

61
Q

in the matter of GeoCities

A

1st privacy enforcement action taken by FTC against company based upon its web-based promises

62
Q

in the matter of Eli Lilly and Co

A

1st enforcement action in which the FTC entered into a consent decree requiring a company to develop and maintain an information privacy and security program

63
Q

FTC v Wyndham Worldwide Corp

A

upheld FTC unfairness authority to regulate cybersecurity; didn't answer whether FTC had section 5 authority over cyber security practices

64
Q

LabMD Inc v FTC

A

FTC cease and desist order based upon LabMD's general negligent failure to act was unenforceable because the prohibitions and directive to implement a reasonable security program were not specific enough

65
Q

COPPA NOCAP

A

no unfair or deceptive acts or practices in connection with collection, use or disclosure of PI of children 13 years old and under

operators of commercial websites that collect PI of visitors need
NO - notice
C - verifiable parental consent
A - access
P - procedures for confidentiality, security and integrity

safe harbor program: to be deemed in compliance with COPPA if comply with guidelines of participating seal program (ex. AdChoices)

66
Q

is there a private cause of action under COPPA

A

no
67
Q

HIPAA official DNAAA

A

covered entity (health plan/insurance, clearing house/storage, provider) and business associates

electronic protected health information
- doesn't apply to de-identified information

privacy rule
official - designate privacy official
D - no disclosure unless PEACES exception
N - privacy notices
A - access (designated record set)
A - amend
A - accounting

security rule
- reasonable and appropriate minimum security standards
- required and addressable standards

68
Q

HIPAA disclosure exceptions under privacy rule PEACES

A

P - patient
E - emergency (3rd party)
A - authorization (through independent doc in plain language)
C - court
E - enforcement (law)
S - secretary of HHS

must be in form of limited data set and made at time of delivery or time of enrollment/request

69
Q

HIPAA safe harbor

A

if have recognized security practice for 1+ year
- fines are lessened
- security audits may be terminated early
- other remedies mitigated

70
Q

HITECH

A

new data breach rules applicable to PHI

if data breach of unencrypted PHI, notify within 60 days of discovery:
- affected individuals
- secretary of HHS (annually)
- media (500+)
- covered entity (business associate is source)

breach is presumed unless CE/BA can show low probability PHI compromised by analyzing
- nature and extent
- who unauthorized person is
- whether PHI was actually acquired
- mitigation of risk

71
Q

GINA

A

overseen by HHS (exception of Title II)

genetic info classified as protected health info under HIPAA

not used for
- underwriting purposes
- basis of discrimination in insurance

can't request genetic testing be done except for voluntary testing in connection with research

72
Q

GINA employer restriction of genetic info use I PET FMLA

A

can't request, use, disclose, or purchase GI unless
I - inadvertent
P - public
E - employee wellness program
T - toxin monitoring
FMLA - compliance with FMLA

73
Q

21st Century Cures Act of 2016

A

- compassionate sharing: allows for compassionate sharing of info of mental health and substance abuse under HIPAA
- remote viewing: allows remote viewing of PHI if meet HIPAA privacy and safety rules
- no info blocking: no practice of info blocking, which is any practice likely to interfere with the use or exchange of electronic health info
- no PHI in biomedical research used in court: exempt from Freedom of Info Act; certificate of confidentiality

74
Q

confidentiality of substance use disorder patient records rule

A

based on public health services act

applies to
  1. part 2 programs that receive federal funding (alcohol/sub abuse treatment staff, unit, or entity)
  2. 3rd parties that lawfully receive personally identifying info from part 2 programs (even if not federally funded)

can't
  1. use patient info to initiate criminal charges or as predicate to conduct criminal investigation of patient
  2. disclose unless consent, certain entities, certain crimes

must
  1. implement security program + disposal practices
  2. notify patients of rights (doesn't include right to amend)

75
Q

confidentiality of substance use disorder patient records rule disclosure exceptions

A
  1. consent
  2. court order
  3. child abuse/neglect report
  4. crimes on program premises/against personnel
  5. research
  6. emergency
  7. VA
  8. audit/evaluation

76
Q

Health Breach notification rule

A

applies to entities not subject to HIPAA

enforced by FTC; enforced for 1st time against GoodRx

notification in breach within 60 days of discovery to
- individual
- FTC
- media (500+)

77
Q

FACTA identity theft

A

protects against identity theft
  1. disposal rule - must dispose of consumer report in reasonable manner to avoid unauthorized disclosure
  2. identity theft program with list of red flags for FI and creditors to use to guard against identity theft
  3. right to free annual credit report from 3 national CRAs and right to explanation of credit score
  4. only last 4 # of credit/debit on receipt

doesn't preempt certain laws (CA and CO credit score laws, frequency of free credit reporting)
78
Q

GLBA rulemaking

A

transferred to CFPB after Dodd-Frank

79
Q

GLBA - privacy rule

A

applies to
- financial institutions (any company significantly engaged in financial activities)
- consumers (obtain financial products/services)
- customers (ongoing relationship with FI)

FI may not
  1. disclose nonpublic PI unless annual written notice of its privacy policies (safe harbor if use model disclosure form)
  2. disclose to nonaffiliated 3rd party without providing opt-out opportunity or consent
  3. non-affiliates can't reuse info or disclose account # or access code to non-affiliate for marketing purposes

80
Q

GLBA - safeguards

A

must adopt info security program with TAP safeguards to protect customer info
- appoint qualified individual to oversee
- risk assessments
- employee training
- incident response plan
- contract with service provider to adopt safeguards

81
Q

GLBA enforcement parties include

A

bank regulators, FTC, CFPB

82
Q

state laws that exempt financial institutions from GLBA regulation

A

CCPA (California), VCDPA, Connecticut CPA

83
Q

CFPB

A

rule making authority under GLBA and FCRA

enforcement over all non-depository financial institutions and depository financial institutions with more than 10 billion in assets

may enforce against unfair, deceptive or abusive acts or practices
- more limited than FTC jurisdiction; applies only to consumer financial product or service
- abusive acts interfere with consumer's understanding of how a financial product/service operates or take advantage of lack of knowledge

84
Q

FERPA

A

only education institutions that receive federal funding

education records (includes health records)

right is in student if over 18 and parent if under 18
- access
- amend
- no disclosure unless consent or de-identified or for exception purpose

enforced by DOE, who has authority to pull funding if compliance can't be obtained

85
Q

PPRA

A

prevent sale of student info for commercial purposes

applies to federally funded elementary and secondary schools

right is for parents but transfers to student upon 18

no survey, analysis, or evaluation for education program that reveals sensitive info about student without
- parental consent
- materials used provided to student/parent
- policies covering administration of survey
- opt out of commercial sharing

enforced by DOE

86
Q

Carpenter v US

A

cellphone location data required a warrant

87
Q

electronic stored communications act

A

criminal violation to obtain, alter or block access to stored communications without permission

government may only access by cloud computing service if
- warrant (communication less than 180 days old)
- court order/subpoena + notice to subscriber/customer

CLOUD Act: 2018 amendment clarifying that SCA applies extraterritorially

88
Q

in what case did the Supreme Court hold domestic surveillance of US citizen for national security purpose is subject to 4th amendment warrant requirement

A

Keith case

not clear whether this applies to foreign agents within the US

89
Q

how did congress respond to Keith case

A

passed FISA: screens gov applications for surveillance orders for foreign activities in the US (application must include minimization procedures, establish significant purpose to obtain foreign intelligence, and probable cause person monitored is foreign power)

90
Q

215 FISA

A

Gov can obtain court order for production of any tangible thing that would advance foreign intelligence investigation

person receiving order is prohibited from disclosure
91
Q

217 FISA

A

permits interception of computer trespassers with permission of owner or operator of computer

92
Q

702 FISA

A

allows standing orders to surveil non-US persons outside US

upstream and downstream are based on this authority

93
Q

FTC regulates what in relation to employment

A

employee background screening

94
Q

EEOC regulates what in relation to employment

A

employment discrimination

95
Q

DOL regulates what in connection to employment

A

workplace benefits

96
Q

OSHA regulates what in relation to employment

A

collective bargaining

97
Q

SEC regulates what in relation to employment

A

executive compensation

98
Q

title VII of civil rights act of 1964

A

applies to employers with 15+ employees, employment agencies, labor unions, joint labor management committees

no discrimination on basis of race, color, religion, sex or national origin

no direct, motivating factor, indirect disparate impacts

P must file charge with EEOC before bringing private cause of action

99
Q

EPPA

A

prohibits employers and those working for them from conducting polygraph exams on employees or prospective employees

DOL has rulemaking and enforcement authority

private cause of action

100
Q

ADA employer restrictions

A

employer can't
- ask disabled person about specific condition he suffers from

employer can
- request individual submit to drug test prior to employment
- ask disabled whether they can perform job related tasks
- ask whether they can perform job related tasks if accommodations are provided

101
Q

what is the relationship between the wiretap act and 4th amendment

A

the wiretap act imposes obligations on law enforcement that are greater than those under the 4th amendment for access to private communications
- 4th amendment: floor of what access gov can have
- wiretap act: provides greater protections than those set by 4th amendment

102
Q

Ontario v Quon

A

employer has authority under federal law to look at employee's text messages when employer provided communication device

103
Q

HIPAA

A

privacy rule applies to both PHI and ePHI; security rule only applies to ePHI

104
Q

if company receives adverse determination from the FTC following an administrative enforcement proceeding, to whom does the company appeal?

A

federal circuit court of appeals (ALJ - 5 member commission of FTC - US circuit court of appeals)

enforcement by FTC of orders is brought before federal district court

105
Q

before releasing CR to user that intends to use report for employment, CRA must

A

obtain certification from user that
  1. it has obtained written permission from customer
  2. it will comply with statutory requirements if adverse determination is made based on info in CR
  3. CR will not be used in violation of EEO laws

106
Q

what is not a requirement placed upon telecommunication carriers under the telecommunications act of 1996

A

they do not need to destroy CPNI when it is no longer necessary for purpose for which it was obtained

107
Q

telecommunications carrier must design its system to permit access to communications that can be activated on what condition or occurrence?

A

CALEA: affirmative intervention of officer or employee of carrier

108
Q

what law specifically and expressly protects individual privacy?

A

california constitution

109
Q

what is considered a privacy protection source

A

market protections, legal protections and self-regulatory protections

not administrative protections

110
Q

data inventory should include what type of data that is collected, stored and processed by an organization

A

data obtained from both external sources and data created internally

111
Q

federal law prohibits discrimination on the basis of what

A

pregnancy, religion, prior bankruptcy filing

NOT marital status

112
Q

standard by which department of treasury may impose record keeping requirements under the bank secrecy act

A

where records would have a high degree of usefulness in criminal or national security investigation