Federal Laws to Protect Privacy
FCRA
FACTA
HIPAA
GLBA
FERPA
COPPA
DPPA
U.S. federal regulation of marketing practices: TSR, DNC, CAN-SPAM, TCPA and JFPA
U.S. state data breach notification and select state laws
Regulation of privacy in the U.S. workplace: FCRA, EPP, ADA and ECPA
Statutes – local, state or federal laws that have been enacted by Congress
Regulations – published by regulatory agencies (e.g. FTC; Federal Trade Commission)
Online Behavioral Advertising (OBA) involves the use of a consumer's personal information in order to deliver personalized advertising. This practice allows businesses to specifically target their advertisements towards individual customers. (T/F)
False
Online Behavioral Advertising (OBA) involves the tracking of consumers' online activities, not their personal information, in order to deliver personalized advertising. It does not use personal information.
This practice allows businesses to specifically target their advertisements towards individual customers.
The data collected is generally not personally identifiable information, but data relating to the consumer's browsing history.
Who enforces federal and state laws of consumer privacy protection for Unfair or Deceptive Trade Practices (UDTP)?
a. Federal Trade Commission (FTC)
b. State Attorneys General
FTC's Bureau of Consumer Protection stops unfair, deceptive and fraudulent business practices by doing what four things?
Collecting complaints
Conducting investigations
Suing companies and people that break the law
Developing rules to maintain a fair marketplace.
PCI DSS uses which data protection model in the US to protect payment card information?
a. Self Regulatory
b. Sectoral
c. Co Regulatory
d. Comprehensive
See P38 Section 1.10.3 Sectoral Model (United States)
The Co-Regulatory and Self-Regulatory Models
Co-regulation and self-regulation are quite similar, with co-regulation generally referring to laws such as those in Australia, which are closer to the comprehensive model, and self-regulation generally referring to approaches such as those in the United States, where there are no general laws applying to personal information. Under both approaches, a mix of government and nongovernment institutions protects personal information.
The co-regulatory model emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. Co-regulation can exist under both comprehensive and sectoral models. One U.S. example is the Children's Online Privacy Protection Act in the United States (COPPA), which allows compliance with codes to be sufficient for compliance with the statute once the codes have been approved by the FTC.
The self-regulatory model emphasizes creation of codes of practice for the protection of personal information by a company, industry or independent body. In contrast to the co-regulatory model, there may be no generally applicable data protection law that creates a legal framework for the self-regulatory code. A prominent example that affects the wide range of businesses that process credit card data is the Payment Card Industry Data Security Standard (PCI-DSS), which enhances cardholder data security and facilitates the broad adoption of consistent data security measures globally.
A security firm provides customer information to a third party without their customer's consent. Which regulatory body would enforce that action?
a. FINRA
b. FTC
c. Securities and Exchange Commission
d. Department of Justice
Financial institutions are required to take steps to protect the privacy of consumers’ finances under a federal law called the Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act.
The FTC is one of the federal agencies that enforces provisions of Gramm-Leach-Bliley, and the law covers not only banks, but also securities firms, insurance companies, and companies providing many other types of financial products and services. Under the law, agencies enforce the Financial Privacy Rule.
Financial Privacy Rule
Financial institutions covered by the Gramm-Leach-Bliley Act must tell their customers about their information-sharing practices and explain to customers their right to "opt out" if they don't want their information shared with certain third parties. Is your company following the requirements of the Privacy Rule?
The US Federal Government attempts to achieve a ___ approach to privacy.
a. Self Regulatory
b. Sectoral
c. Behavioral
d. Comprehensive
See P37 Section 1.10.2 Sectoral Model (United States)
1.10.2 Sectoral Model (United States)
This framework protects personal information by enacting laws that address a particular industry sector. For example, in the United States, different laws delineate conduct and specify the requisite level of data protection for video rental records, consumer financial transactions, credit records, law enforcement and medical records. In a comprehensive model, laws addressing specific market segments may be enacted to provide more specific protection for data particular to that segment, such as the healthcare sector.
Supporters of the sectoral approach emphasize that different parts of the economy face different privacy and security challenges; it is appropriate, for instance, to have stricter regulation for medical records than for ordinary commerce. Supporters also underscore the cost savings and lack of regulatory burden for organizations outside of the regulated sectors.
COPPA uses which data protection model in the US to protect children's privacy online?
a. Self Regulatory
b. Sectoral
c. Co Regulatory
d. Comprehensive
See P38 Section 1.10.3 Sectoral Model (United States)
The Co-Regulatory and Self-Regulatory Models
Co-regulation and self-regulation are quite similar, with co-regulation generally referring to laws such as those in Australia, which are closer to the comprehensive model, and self-regulation generally referring to approaches such as those in the United States, where there are no general laws applying to personal information. Under both approaches, a mix of government and nongovernment institutions protects personal information.
The co-regulatory model emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. Co-regulation can exist under both comprehensive and sectoral models. One U.S. example is the Children's Online Privacy Protection Act in the United States (COPPA), which allows compliance with codes to be sufficient for compliance with the statute once the codes have been approved by the FTC.
The FTC is tasked with enforcing all of the following but:
a. Fair and Accurate Credit Transactions Act of 2003
b. Dodd-Frank Wall Street Reform and Consumer Protection Act
c. GLB
d. Do Not Call Registry Legislation
e. All of the above
e - all of the above
Under the privacy rule, HIPAA uses the following principle to release protected health information to a third party.
a. Opt in for all third parties
b. Notice
c. Consent
d. Opt out for specific third parties
e. Any of the above
Under the Privacy Rule a patient has the right to:
Notice of a covered entity's privacy practices, which include the type of information collected and its intended use.
Consent or object to the disclosure of protected health information to third parties other than those disclosures granted to business associates for the rendering of treatment or services. The Privacy Rule requires that a signed authorization from the individual be placed on record for each specific third party with which the patient wishes to share their information.
Access and amend their protected health information that an entity has on record about them. A minimal charge may be assessed to cover expenses associated with providing access or changes to their records.
Limited disclosure of protected health information. Disclosure must be limited to that which is minimally necessary. When a health care provider or plan shares personal health information with a business associate for the purposes of rendering a service (i.e., billing, data analysis, research, etc.), the covered entity must ensure that the business associate or third party will maintain the same standards of privacy.
Safeguarding of their protected health information. All entities handling personal health information must maintain the necessary physical, technical and administrative safeguards to protect the confidentiality, integrity and security of the patient's information.
Exceptions to the HIPAA privacy rule allow disclosures of protected health information without consent for which of the following:
a. Information needed for public health activities and safety
b. In coordination with law enforcement or judicial activities and proceedings
c. Certain research purposes
d. Special Government functions
e. Any of the above
e. All of the above are authorized.
Breach notifications are part of all of the following but:
a. State Breach Notification laws (CA AB 1950)
b. HIPAA/HITECH
c. Federal Personal Data Protection Act
d. Gramm-Leach-Bliley Act
See section 6.5
C - there are no federal data breach notification laws at all.
6.5 Lack of Federal Data Breach Law
With massive, high-profile data breaches making the front pages, calls for a uniform federal data breach law have continued. These discussions began at the national level in 2003, when Senator Dianne Feinstein of California introduced the first federal breach notification bill. In 2015, President Obama proposed the Personal Data Notification Act, which he said would correct the "patchwork problem" of laws that are said to be confusing for consumers and for companies. The proposal was criticized by state attorneys general and privacy advocates because it would preempt stricter state laws. As of the writing of this book, no federal legislation has been enacted. Reaching consensus on such a law is difficult—privacy advocates have generally supported approaches that would match federal law to the strictest state laws, while businesses have generally supported a federal law with fewer regulatory requirements as well as preemption of stricter state laws.
6.8 Conclusion
The United States lacks comprehensive private-sector information security and data breach notification statutes, leading some observers to suggest the nation is less stringent about protection of personal data than other jurisdictions, notably Europe.
The Fair and Accurate Credit Transactions Act of 2003 applies to the following person or companies except:
a. Consumer reporting agencies (CRAs)
b. Online Resellers
c. Auto dealers
d. Employers
b. Online Resellers
The FACTA applies to any person or company that maintains or retains consumer information, such as consumer reports, for a business purpose. Examples of those who would be impacted by the FACTA include:
Consumer reporting agencies (CRAs)
Resellers of consumer reports
Lenders
Insurers
Employers
Landlords
Government agencies
Mortgage brokers
Auto dealers
Waste disposal companies
The Privacy Rule of the GLBA protects the privacy of customers of financial institutions by requiring which one of the following before customer information may be shared with a nonaffiliated third party?
a. Privacy Notice
b. Opt In
c. Opt Out
d. Red Flags Rule in effect
The Privacy Notice must contain a statement notifying the customer of the opportunity to opt out of disclosure of information to unaffiliated third parties so as to comply with the Fair Credit Reporting Act
Under the Privacy Rule:
A customer must receive a copy of the financial institution's privacy notice upon entering the relationship and once every year for the duration of the relationship. A new copy of the notice must be provided upon the modification of any of the privacy policies.
The Privacy Notice must contain the type of information collected by the financial institution, how it is used, notice of possible third party disclosures and a statement regarding the safeguarding of their personal information.
The Privacy Notice must contain a statement notifying the customer of the opportunity to opt out of disclosure of information to unaffiliated third parties so as to comply with the Fair Credit Reporting Act.
Financial Institutions are prohibited from sharing customer account numbers with nonaffiliated third parties.
The Gramm-Leach-Bliley Act Safeguards Rule requires all financial institutions to have security plans in place to ensure the confidentiality and integrity of customer data. Which of the following is not included?
a. Administrative safeguards, such as employee oversight and training;
b. Physical safeguards, such as restricted access to hardware and disaster recovery plans;
c. FTC onsite inspection and monitoring annually
d. Technical safeguards such as firewalls, encryption, access controls and secure computer networks.
c. The FTC has enforcement authority, but that safeguard is not listed as part of the GLBA rules.
Information security program means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.