What are key pieces of legislation to understand for CIPP/US?
Federal Laws to Protect Privacy
FCRA
FACTA
HIPAA/HITECH
GLBA
FERPA
COPPA
DPPA
FTC Section 5
Others: CAN-SPAM, FISA, PPA, RFPA, Red Flags Rule
U.S. federal regulation of marketing practices: TSR, DNC, CAN-SPAM, TCPA and JFPA
U.S. state data breach notification and select state laws
Regulation of privacy in the U.S. workplace: FCRA, EPP, ADA and ECPA.
Who enforces federal and state laws of consumer privacy protection for Unfair or Deceptive Trade Practices (UDTP)?
a. Federal Trade Commission (FTC)
b. State Attorneys General
What are the differences between statutes and regulations?
Statutes – local, state or federal laws that have been enacted by Congress
Regulations – published by regulatory agencies (e.g. FTC; Federal Trade Commission)
Code of Federal Regulations
Online Behavioral Advertising (OBA) involves the usage of a consumer's personal information in order to deliver personal advertising. This practice allows businesses to specifically target their advertisements towards individual customers. (T/F)
False
Online Behavioral Advertising (OBA) involves the tracking of consumers' online activities, not their personal information, in order to deliver personalized advertising. OBA does not use personal information.
This practice allows businesses to specifically target their advertisements towards individual customers.
The data collected is generally not personal identity information, but data relating to their browsing history.
FTC's Bureau of Consumer Protection stops unfair, deceptive and fraudulent business practices by doing what four things?
What process does the FTC follow? (investigation, enforcement, compliance)
Collecting complaints
Conducting investigations
Suing companies and people that break the law
Developing rules to maintain a fair marketplace.
PCI DSS uses which data protection model in the US to protect payment card information?
a. Self Regulatory
b. Sectoral
c. Co Regulatory
d. Comprehensive
See P38 Section 1.10.3 Sectoral Model (United States)
The Co-Regulatory and Self-Regulatory Models
Co-regulation and self-regulation are quite similar, with co-regulation generally referring to laws such as those in Australia, which are closer to the comprehensive model, and self-regulation generally referring to approaches such as those in the United States, where there are no general laws applying to personal information. Under both approaches, a mix of government and nongovernment institutions protects personal information.
The co-regulatory model emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. Co-regulation can exist under both comprehensive and sectoral models. One U.S. example is the Children's Online Privacy Protection Act in the United States (COPPA), which allows compliance with codes to be sufficient for compliance with the statute once the codes have been approved by the FTC.
The self-regulatory model emphasizes creation of codes of practice for the protection of personal information by a company, industry or independent body. In contrast to the co-regulatory model, there may be no generally applicable data protection law that creates a legal framework for the self-regulatory code. A prominent example that affects the wide range of businesses that process credit card data is the Payment Card Industry Data Security Standard (PCI-DSS), which enhances cardholder data security and facilitates the broad adoption of consistent data security measures globally.
A securities firm provides customer information to a third party without their customer's consent. Which regulatory body would enforce that action?
a. FINRA
b. FTC
c. Securities and Exchange Commission
d. Department of Justice
Financial institutions are required to take steps to protect the privacy of consumers’ finances under a federal law called the Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act.
The FTC is one of the federal agencies that enforces provisions of Gramm-Leach-Bliley, and the law covers not only banks, but also securities firms, insurance companies, and companies providing many other types of financial products and services. Under the law, agencies enforce the Financial Privacy Rule.
Financial Privacy Rule
Financial institutions covered by the Gramm-Leach-Bliley Act must tell their customers about their information-sharing practices and explain to customers their right to "opt out" if they don't want their information shared with certain third parties. Is your company following the requirements of the Privacy Rule?
The US Federal Government attempts to achieve which approach to privacy?
a. Self Regulatory
b. Sectoral
c. Behavioral
d. Comprehensive
See P37 Section 1.10.2 Sectoral Model (United States)
1.10.2 Sectoral Model (United States)
This framework protects personal information by enacting laws that address a particular industry sector. For example, in the United States, different laws delineate conduct and specify the requisite level of data protection for video rental records, consumer financial transactions, credit records, law enforcement and medical records. In a comprehensive model, laws addressing specific market segments may be enacted to provide more specific protection for data particular to that segment, such as the healthcare sector.
Supporters of the sectoral approach emphasize that different parts of the economy face different privacy and security challenges; it is appropriate, for instance, to have stricter regulation for medical records than for ordinary commerce. Supporters also underscore the cost savings and lack of regulatory burden for organizations outside of the regulated sectors.
COPPA uses which data protection model in the US to protect children's privacy online?
a. Self Regulatory
b. Sectoral
c. Co Regulatory
d. Comprehensive
See P38 Section 1.10.3 Sectoral Model (United States)
The Co-Regulatory and Self-Regulatory Models
Co-regulation and self-regulation are quite similar, with co-regulation generally referring to laws such as those in Australia, which are closer to the comprehensive model, and self-regulation generally referring to approaches such as those in the United States, where there are no general laws applying to personal information. Under both approaches, a mix of government and nongovernment institutions protects personal information.
The co-regulatory model emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. Co-regulation can exist under both comprehensive and sectoral models. One U.S. example is the Children's Online Privacy Protection Act in the United States (COPPA), which allows compliance with codes to be sufficient for compliance with the statute once the codes have been approved by the FTC.
T/F Comprehensive data protection laws govern the collection, use and dissemination of personal information in the public but not private sectors.
See IAPP Section 1.10 World Models of Data Protection
Comprehensive data protection laws govern the collection, use and dissemination of personal information in the public and private sectors.
The FTC is tasked with enforcing all of the following but:
a. Fair and Accurate Credit Transactions Act of 2003
b. Dodd-Frank Wall Street Reform and Consumer Protection Act
c. GLB
d. Do Not Call Registry Legislation
e. All of the above
e - all of the above
Under the Privacy Rule, which principle does HIPAA use to release protected health information to a third party?
a. Opt in for all third parties
b. Notice
c. Consent
d. Opt out for specific third parties
e. Any of the above
Under the Privacy Rule a patient has the right to:
Notice of a covered entity's privacy practices, which include the type of information collected and its intended use.
Consent or object to the disclosure of protected health information to third parties other than those disclosures granted to business associates for the rendering of treatment or services. The Privacy Rule requires that a signed authorization from the individual be placed on record for each specific third party with which the patient wishes to share their information.
Access and amend their protected health information that an entity has on record about them. A minimal charge may be assessed to cover expenses associated with providing access or changes to their records.
Limited disclosure of protected health information. Disclosure must be limited to that which is minimally necessary. When a health care provider or plan shares personal health information with a business associate for the purposes of rendering a service (i.e. billing, data analysis, research, etc.), the covered entity must ensure that the business associate or third party will maintain the same standards of privacy.
Safeguarding of their protected health information. All entities handling personal health information must maintain the necessary physical, technical and administrative safeguards to protect the confidentiality, integrity and security of the patient's information.
Exceptions to the HIPAA privacy rule allow disclosures of protected health information without consent for which of the following:
a. Information needed for public health activities and safety
b. In coordination with law enforcement or judicial activities and proceedings
c. Certain research purposes
d. Special Government functions
e. Any of the above
E. all of the above are authorized.
Breach notifications are part of all of the following except:
a. State Breach Notification laws (CA AB 1950)
b. HIPAA/HITECH
c. Federal Personal Data Protection Act
d. Gramm-Leach-Bliley Act
See section 6.5
C - there are no federal data breach notification laws at all.
6.5 Lack of Federal Data Breach Law
With massive, high-profile data breaches making the front pages, calls for a uniform federal data breach law have continued. These discussions began at the national level in 2003, when Senator Diane Feinstein of California introduced the first federal breach notification bill. In 2015, President Obama proposed the Personal Data Notification Act, which he said would correct the "patchwork problem" of laws that are said to be confusing for consumers and for companies. The proposal was criticized by state attorneys general and privacy advocates because it would preempt stricter state laws. As of the writing of this book, no federal legislation has been enacted. Reaching consensus on such a law is difficult—privacy advocates have generally supported approaches that would match federal law to the strictest state laws, while businesses have generally supported a federal law with fewer regulatory requirements as well as preemption of stricter state laws.
6.8 Conclusion
The United States lacks comprehensive private-sector information security and data breach notification statutes, leading some observers to suggest the nation is less stringent about protection of personal data than other jurisdictions, notably Europe.
The Fair and Accurate Credit Transactions Act of 2003 applies to the following person or companies except:
a. Consumer reporting agencies (CRAs)
b. Online Resellers
c. Auto dealers
d. Employers
b. Online Resellers
The FACTA applies to any person or company that maintains or retains consumer information, such as consumer reports, for a business purpose. Examples of those who would be impacted by the FACTA include:
Consumer reporting agencies (CRAs)
Resellers of consumer reports
Lenders
Insurers
Employers
Landlords
Government agencies
Mortgage brokers
Auto dealers
Waste disposal companies
The Privacy Rule of the GLBA protects the privacy of customers of financial institutions by requiring which one of the following before customer information is shared with a nonaffiliated third party?
a. Privacy Notice
b. Opt In
c. Opt Out
d. Red Flags Rule in effect
The Privacy Notice must contain a statement notifying the customer of the opportunity to opt out of disclosure of information to unaffiliated third parties so as to comply with the Fair Credit Reporting Act
Under the Privacy Rule:
A customer must receive a copy of the financial institution's privacy notice upon entering the relationship and once every year for the duration of the relationship.
A new copy of the notice must be provided upon the modification of any of the privacy policies.
The Privacy Notice must contain the type of information collected by the financial institution, how it is used, notice of possible third party disclosures and a statement regarding the safeguarding of their personal information.
The Privacy Notice must contain a statement notifying the customer of the opportunity to opt out of disclosure of information to unaffiliated third parties so as to comply with the Fair Credit Reporting Act.
Financial Institutions are prohibited from sharing customer account numbers with nonaffiliated third parties.
The Gramm-Leach-Bliley Act Safeguards Rule requires all financial institutions to have security plans in place to ensure the confidentiality and integrity of customer data. Which will include the following:
a. Administrative safeguards, such as employee oversight and training;
b. Physical safeguards, such as restricted access to hardware and disaster recovery plans;
c. FTC onsite inspection and monitoring annually
d. Technical safeguards such as firewalls, encryption, access controls and secure computer networks.
C. The FTC has enforcement authority, but that safeguard is not listed as part of the GLBA rules.
Information security program means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.
(T/F) Red Flags Rule requires businesses and organizations to implement a formal Data Breach Notification Program.
False
Red Flags Rule requires businesses and organizations to implement a formal Identity Theft Prevention Program.
Such a program should detect the “red flags,” or warning signs that identity theft may be taking place. Red flags are defined as “suspicious patterns or practices, or specific activities, that indicate the possibility of an identity theft.”
The Rule sets out that the Identity Theft Prevention Program be composed of the following four elements:
1. Identify relevant red flags: The Program should be made up of policies and procedures for identifying red flags during day-to-day operations.
2. Detect red flags: The Program should be designed to detect the red flags that have been identified.
3. Prevent and mitigate identity theft: The Program must outline appropriate actions for dealing with red flags.
4. Update the Program: The Program should periodically be re-evaluated, in order to appropriately address the evolving threat of identity theft.
This legislation created the Bureau of Consumer Financial Protection (BCFP), a new independent consumer watchdog that is part of the Federal Reserve Board (FRB).
a. Dodd-Frank Wall Street Reform and Consumer Legislation Act
b. Fair and Accurate Credit Transactions Act of 2003
c. Fair Credit Reporting
Answer A
The CFPB is headed by an independent director that is appointed by the President and confirmed by the Senate. The director serves a five year term. The Bureau has a dedicated budget that is paid by the Federal Reserve and the amount must not exceed a percentage of the Fed's earnings, and up to $200 million in appropriations from 2010-2014. The Dodd-Frank Act provides the CFPB with the authority to issue and interpret many of the federal consumer protection laws. Further, state attorneys general have been empowered with expanded authority to litigate against national banks and federal thrifts. One of the main advantages of the CFPB is that it consolidates consumer protection powers within one office. Prior to the Dodd-Frank Act, up to seven agencies had responsibility for the federal protection of consumer finance, resulting in oversights and vast sectors of the market not being regulated at all. Many of these agencies were federal banking agencies that were not centrally focused on consumer protection, but rather on the solidity of financial institutions.
Some of the more important provisions of the Dodd-Frank Act include:
The creation of the Bureau of Consumer Financial Protection (BCFP), a new independent consumer watchdog that is part of the Federal Reserve Board (FRB). This office has the authority to ensure consumers get clear, accurate information on financial products, along with protecting them from hidden fees and deceptive practices.
Grants the US Department of the Treasury, Federal Deposit Insurance Corporation (FDIC) and the FRB powers to seize, close and wind down 'too big to fail' financial institutions in an orderly fashion. This power also seeks to limit the size of any one financial institution. The FRB is prohibited from approving mergers or acquisitions that would result in the total consolidated liabilities of the resulting company exceeding 10% of the aggregated consolidated liabilities of all financial companies as of the end of the preceding calendar year.
The Dodd-Frank Act is significant legislation towards changing the regulatory system. However, it is unlikely that one piece of legislation will be able to confront all issues raised by the crisis. Loopholes will exist and banks will attempt to exploit them, so it is important that the regulators ensure that the rules are adhered to. There is no guarantee that the Dodd-Frank Act will prevent a financial crisis in the future, but it is, at the very minimum, a step closer to a stronger and better regulated economy.
The TSR requires telemarketers to make all of the following disclosures at the outset of the sales call except:
a. That the call is made for sales purposes
b. Name of the seller
c. Total charge of the sale
d. If the customer wants to be added to a do not call list.
d. If the customer wants to be added to a do not call list.
Telemarketing and Consumer Fraud Abuse Prevention Act (TCFAP Act)
Enforced by the FTC
FTC created the Telemarketing Sales Rule (TSR)
The TCFAP Act addresses specific aspects of telemarketing and permits the FTC to issue the Telemarketing Sales Rule (TSR). The TSR imposes the following restrictions on telemarketers:
Telemarketers must make certain disclosures at the outset of the sales call:
Name of the seller
That the call is made for sales purposes
Total charge of the sale
Any restrictions on the sale
If a refund policy exists
Sweepstakes telemarketing involves special disclosures:
No purchase is necessary in order to participate
The odds for winning
If there is a cost associated with participation
Calls cannot be initiated before 8AM or after 9PM in the recipient's time zone.
Telemarketers must obtain "express verifiable authorization" before engaging in certain transactions (e.g. making a draft directly from a bank account).
Telemarketers must maintain records, including records of advertisements, sales records and employee records.
CAN-SPAM Act
The Controlling the Assault on Non-Solicited Pornography and Marketing Act was passed in 2003 with the aim of reducing the amount of unsolicited marketing messages, particularly those with sexually explicit content.
Unsolicited marketing messages can be sent as long as the sender provides all of the following except:
a. Contains an opt out mechanism
b. Contains info that it is an advertisement
c. Puts appropriate language on CAN SPAM enforcement in the footer.
d. Uses accurate, unambiguous subject lines
The act allows unsolicited marketing messages to be sent as long as the sender provides an opt-out mechanism, the message contains certain identifying information (see below), and does not use harvested email addresses or an open relay to send messages. The CAN-SPAM Act has been criticized because it prevents states from implementing strong regulations and disallows customers from suing spammers.
c. Puts appropriate language on CAN SPAM enforcement in the footer.
The Elements of a CAN-SPAM Compliant Marketing Message
The message contains an accurate and identifying header: the "From," "To," "Reply To," and similar information fields must accurately identify the sender.
The message uses accurate, unambiguous subject lines: the subject line must reflect the content of the message.
The message must identify itself as an advertisement somewhere within the body or header of the message.
The message must include a valid physical address or location where the recipient may contact the sender.
The message includes a working opt-out mechanism: requests must be honored within 10 business days.
The FCC revised the Telephone Consumer Protection Act to include regulations over all of the following except:
a. Robocalls
b. Robotexts
c. Accurate Caller ID info on all calls
d. Autodialers
c - Accurate caller ID is part of the TSR
Telemarketers must transmit their telephone number and, if possible, their name, to your caller ID service. This protects your privacy, increases accountability on the telemarketer’s part and helps in law enforcement efforts.
Which act enforced by the FCC protects the confidential and proprietary network information of telephone company customers?
a. Cable Communications Privacy Act of 1984
b. Telecommunications Act of 1996
c. US Patriot Act
d. Telephone Consumer Protection Act 1991 (TCPA)
The Telecommunications Act of 1996
The Telecommunications Act of 1996 was passed by Congress with the intention of providing customers with more competition and diversity in their telecommunication services.
But wait, there's more!
Section 222(a) of the 1996 Act states: “Every telecommunication carrier has a duty to protect the confidentiality of proprietary information of and relating to customers.” This restricts the use of Customer Proprietary Network Information (CPNI) to the limited purpose of providing the telecommunications services from which the CPNI was derived in the first place. For any other purposes the carrier must obtain consent from the customer before using or disclosing CPNI. It also limits the rights of a carrier or provider to use CPNI to gain unfair competitive advantage in relation to other carriers.
The TSR is enforced by both the FTC and the FCC and requires or prohibits all of the following except?
a. Numbers must be screened against the Federal Do-Not-Call Registry
b. Calls can be made only between 8AM-9PM
c. Requests not to be called back must be respected
d. Records must be retained for 12 months
d. Records must be retained for 12 months - actually records must be maintained for 24 months.
What is required or prohibited?
Numbers must be screened against the Federal Do-Not-Call Registry
Rules for automated dialers
Calls can be made only between 8AM-9PM
Requests not to be called back must be respected
Records must be retained for 24 months
All material terms must be disclosed
Who enforces the law? FTC and FCC
What happens if there is no compliance? Fines imposed by FTC and FCC.
Why does the law exist?
Does not preempt state laws regarding telemarketing.
The TSR does not apply to:
a. Non-profit organizations calling on their own behalf
b. Existing business relationships (i.e. calls to existing customers, prospects) Inbound calls
c. Calls made with authentic Caller ID and a correct phone number and title.
d. Companies not subject to FTC jurisdiction.
c - Calls made with authentic Caller ID and a correct phone number and title.
What is covered? Telemarketing communications
TSR does not apply to:
Non-profit organizations calling on their own behalf
Existing business relationships (i.e. calls to existing customers, prospects)
Inbound calls
Business-to-business calls
Companies not subject to FTC jurisdiction
The Junk Fax Prevention Act (JFPA) enforced by the FTC requires or prohibits all of the following except?
a. Consent required before sending commercial faxes.
b. Faxing permitted if there is an existing business relationship (EBR) and fax number provided before sending commercial faxes.
c. Safe Harbor when sent within 30 days of a prior telemarketing call
d. Opt-outs must be received 24/7, processed within 30 days
C.
Which one of these items is a source of personal information?
a. Public Records
b. Non Public Information
c. Publicly available information
d. All of the above
d. All of the above.
1. Public records consist of information collected and maintained by a government entity and available to the public. These government entities include the national, state or provincial, and local governments. Public records laws vary considerably across jurisdictions. For instance, real estate records in some jurisdictions contain detailed information about ownership, assessed value, amount paid for the parcel, taxes imposed on the parcel, and improvements. Making this information public has certain advantages, such as enabling a person who owns real estate to determine if the taxes assessed are fair relative to other parcels in the area. Other jurisdictions, by contrast, do not release such information, considering it to be private.
2. Publicly available information is information that is generally available to a wide range of persons. Some traditional examples are names and addresses in telephone books and information published in newspapers or other public media. Today, search engines are a major source of publicly available information.
3. Nonpublic information is not generally available or easily accessed due to law or custom. Examples of this type of data are medical records, financial information and adoption records. A company’s customer or employee database usually contains nonpublic information.
Family Educational Rights and Privacy Act 1974 (FERPA) covers all schools that receive funds under an applicable program of the US Department of Education. It created legislation that protects the following rights:
a. Right to inspect and review education records.
b. Private right of action for records that are believed to be inaccurate, misleading, or otherwise in violation of privacy rights under the FERPA.
c. Right to provide written consent before the institution discloses PII from the student's education records.
d. Right to file a complaint with the US Department of Education regarding failures to comply.
b. Private right of action for records that are believed to be inaccurate, misleading, or otherwise in violation of privacy rights under the FERPA.
What are the liabilities or penalties if an education agency or institution violates FERPA?
A. An education agency or institution subject to FERPA may not have a policy or practice of disclosing education records, or nondirectory, personally identifiable information from education records, without the written consent of the parent or eligible student, except as allowed by law. If a complaint is received by the Department of Education alleging a violation of FERPA, the FPCO investigates the complaint to determine if a violation of FERPA occurred. If a school is found to be out of compliance with FERPA, the FPCO works to bring the school into voluntary compliance with the law. If voluntary compliance is not achieved, then a school would be in jeopardy of losing federal education dollars. There is no private cause of action (right to sue) under FERPA and, in 2002, the U.S. Supreme Court ruled in Gonzaga University v. John Doe that students and parents may not sue for damages under 42 USC § 1983 to enforce provisions of FERPA.
The Bank Secrecy Act (BSA), also known as the Currency and Foreign Transaction Reporting Act was passed in 1970 to help the United States Government monitor and prevent possible money laundering schemes. Under the BSA, all financial institutions must keep records about customer transactions and submit reports except which of the following:
a. Currency Transaction Report (CTR)
b. Currency and Monetary Instrument Report (CMIR)
c. Electronic Funds Transfer Report
d. Suspicious Activity Report (SAR)
C.
A Currency Transaction Report (CTR) must be filed for:
Any cash financial transactions (deposit/withdrawal/exchange) made by an individual in an amount greater than $10,000
Any cash transactions made by or for one individual in a single business day in which the aggregate total is greater than $10,000
A Currency and Monetary Instrument Report (CMIR) must be filed for:
Any person or entity that transports an individual or aggregate amount greater than $10,000 into or outside of the United States in the form of currency, traveler's checks, bank notes or other monetary instruments.
A Suspicious Activity Report (SAR) must be filed for:
Abuse by an employee of the financial institution
Violations in which a suspect can be identified and the aggregate amount is $5,000 or more.
Violations in which no suspect can be identified and the aggregate amount is $25,000 or more.
A transaction through a bank in which the teller has reason to believe may be designed to avoid BSA regulations
A transaction through a bank in which the teller has reason to believe may involve potential money laundering or criminal activity
The Electronic Communications Privacy Act (ECPA) consists of all of the following parts except:
a. Title III: Prohibitions
b. FISA exception
c. Pen Registers & Trap-and-Trace Devices
d. Stored Communications Act (SCA)
b. FISA is a unique act
The USA-PATRIOT Act responded to 9/11 attacks and provided all of the following except:
a. Subpoena of ISPs to access information
b. Limitation for encrypted data on personal devices
c. “Sneak and peek” warrants = delayed notice of search warrants
d. Expanded duration of search and surveillance orders
(T/F) The FTC Red Flags Rule requires businesses to implement breach notification.
False - (Sometimes it's referred to as one of the Fair Credit Reporting Act's Identity Theft Rules and it appears in the Code of Federal Regulations as "Detection, Prevention, and Mitigation of Identity Theft.") The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs, or red flags, of identity theft in their day-to-day operations.
(T/F) CALEA was passed in 1994 in order to facilitate law enforcement authorities' wiretapping of digital telephone networks. It was the first piece of legislation in history that required telecommunications companies to modify their equipment in order to facilitate government surveillance.
True
CALEA is intended to preserve the ability of law enforcement agencies to conduct electronic surveillance while protecting the privacy of information outside the scope of the investigation. It requires that telecommunications carriers and manufacturers of telecommunications equipment design their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities to comply with legal requests for information. Communications services and facilities utilizing Circuit Mode equipment, packet mode equipment, facilities-based broadband Internet access providers and providers of interconnected Voice over Internet Protocol (VoIP) service are all subject to CALEA. These compliance requirements include wireless services, routing and soft switched services, and internet-based telecommunications present in applications used by telecommunications devices.
The Foreign Intelligence Surveillance Act of 1978 provided all of the following except:
a. Created a warrant procedure for foreign intelligence investigations
b. Instead of having to show probable cause that a crime is being, has been, or will be committed, the government must show that the target of the surveillance is a foreign power or an agent of a foreign power
c. FISA definition of a Foreign power includes foreign governments, but not terrorists.
d. Every person served with a FISA search warrant, wiretap or pen/trap order, or subpoena is also served with a gag order forbidding them from telling anyone about it
C.
See the statute: The Intelligence Reform and Terrorism Prevention Act of 2004, P.L. 108-458, amended the definition of "agent of a foreign power" in FISA (50 U.S.C. § 1801(b)(1)) to add a new category of covered individuals, the "lone wolf" provision. Under the "lone wolf" provision, a non-United States person who engages in international terrorism or activities in preparation for international terrorism is deemed to be an "agent of a foreign power" under FISA, so option C is the false statement.
What is the significance of FTC enforcement action against Eli Lilly in 2002?
A. Required them to stop collecting user data w/o a privacy notice.
B. The FTC expanded the scope of its enforcement action to require them to create an information security and privacy program.
C. The FTC required them to inform users about cookies and require opt in before sharing their data.
D. The FTC required them to display a privacy notice on their website.
B. The FTC expanded the scope of its enforcement action to require them to create an information security and privacy program.
From section 3.5
The FTC enforcement action against Eli Lilly resulted in settlement terms, which required Eli Lilly to adhere to representations about how it collects, uses and protects user information. It also required, for the first time in an online privacy and security case, that Eli Lilly develop and maintain an information privacy and security program. Before this case, the FTC had only required companies to stop current unfair and deceptive practices. After the settlement, it became clear that the scope of settlement terms had expanded to include implementation and evaluation of company programs for processing personal information.
HIPAA's Privacy Rule has exceptions that allow a covered entity to disclose PHI without individual authorization to which of the following?
A. Provide information to next of kin.
B. Research
C. Law enforcement
D. All of the above.
D. All of the above.
There are two categories of exceptions to HIPAA's Privacy Rule:
Exceptions to the Privacy Rule- Examples
Covered entities may also use and disclose protected health information without individual Authorization for certain public interest-related activities. These include:
oversight of the healthcare system, including licensing and regulation
public health, and in emergencies affecting the life or safety
research
judicial and administrative proceedings
law enforcement
to provide information to next of kin
for identification of the body of the deceased person, or the cause of death
for facility (hospital, etc.) directories
workers' compensation
medical examiner
in other situations where the use or disclosure is mandated by other laws
Exceptions are also allowed for a covered entity to disclose PHI for treatment, payment and healthcare operations (TPO). A covered entity may disclose PHI to:
any other provider (even a non-covered entity) to facilitate that provider's treatment activities
any covered entity or any provider (even a non-covered entity) to facilitate that party's payment activities
another covered entity to facilitate some of that entity's healthcare operations
any other covered entity within the same Organized Healthcare Arrangement for any healthcare operations of that arrangement.
States can pass laws that preempt the Federal HIPAA Law's privacy rule for which of the following exceptions?
A. Provides greater privacy protections.
B. Provides for the reporting of disease or injury, child abuse, birth, or death
C. Requires certain health plan reporting, such as for management or financial audits
D. All of the above.
E. None of the above, a state law can never preempt the Federal HIPAA Privacy law rules.
D. All of the above.
The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals' individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include if the State law:
relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information,
provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or
requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.
See the HHS HIPAA FAQ, "Does the HIPAA Privacy Rule preempt state laws?"
Which of the following is an appropriate safeguard allowed by the General Data Protection Regulation to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide, by ensuring that the same high level of protection of personal data is complied with by all members of the corporate group?
A. GDPR Trust Rules
B. General Data Protection Rules for Non EU Business
C. Business Data Protection Rules Policy
D. Binding Corporate Rules
D.
What are binding corporate rules?
Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. They must be legally binding and enforced by every member concerned of the group.
Approval of binding corporate rules
Companies must submit binding corporate rules for approval to the competent data protection authority in the EU. The authority will approve the BCRs in accordance with the consistency mechanism set out in Article 63 of the GDPR. This procedure may involve several supervisory authorities since the group applying for approval of its BCRs may have entities in more than one Member State. The competent authority communicates its draft decision to the European Data Protection Board, which will issue its opinion on the binding corporate rules. When the BCRs have been finalised in accordance with the EDPB opinion, the competent authority will approve the BCRs.
Authorisations granted by supervisory authorities on the basis of Directive 95/46/EC remain valid until amended, replaced or repealed, if necessary, by that supervisory authority.
International dimension of data protection (EU Pages)
The primary lawful bases for transfer of personal data between the EU and the United States include: (1) ____, (2) ____ (SCCs) and (3) ____.
A. The Privacy Shield Framework
B. Standard Contractual Clauses
C. Binding Corporate Rules
D. All of the above
D. All of the above. (Note: the EU-U.S. Privacy Shield Framework was invalidated by the Court of Justice of the European Union in the Schrems II decision of July 2020, so SCCs and BCRs remain the practical transfer mechanisms; check the current status of any EU-U.S. framework before relying on it.)