Does US have sectoral or comprehensive laws?
The US has sectoral laws, where laws apply to different industries for their own privacy regulations. Really!
With a sectoral framework, the government protects personal information by enacting laws that address a particular industry sector.
For example, in the United States, different laws delineate conduct and specify the requisite level of data protection for video rental records, consumer financial transactions, credit records, law enforcement, and medical records. (Section 1.10.2 IAPP - CIPP/US Handbook)
What is the essential definition of privacy?
The Harvard Law Review set forth the essential definition of privacy as "the right to be let alone".
How does the Justices of the Peace Act relate to privacy? When did this emerge?
The Justices of the Peace Act, enacted in 1361, included provisions calling for the arrest of "peeping Toms" and eavesdroppers.
What are the four categories of principles under the Fair Information Practices?
The four categories (with the principles under each) are:
1. Rights of individuals
   - Notice
   - Choice and consent
   - Data subject access
2. Controls on the information
   - Information security
   - Information quality
3. Information life cycle
   - Collection
   - Use and retention
   - Disclosure
4. Management
   - Management and administration
   - Monitoring and enforcement
HIPAA applies to 3 different types of entities; does that make it a sectoral or comprehensive law?
HIPAA applies to 3 different entities, but is a law that applies to Protected Health Information only.
It doesn't cover other types of personal information, thus it is a sectoral law.
What are some other sectoral laws, like FERPA and VPPA?
FERPA - Applies to student education records at federally funded institutions.
VPPA - Video Privacy Protection Act; applies to video rental records.
Why are sectoral laws difficult to maintain?
As new technologies emerge, questions arise:
Will new legislation be needed to provide proper protection?
Who will enforce the data protection and provide oversight?
Who enforces sectoral laws vs who enforces comprehensive laws?
Sectoral laws may have multiple enforcing parties; for example, HIPAA:
DHHS enforces HIPAA, but the FTC may enforce against unfair and deceptive practices that a covered entity is involved in.
Comprehensive laws have a single DPA that will get involved and enforce the privacy legislation. In the GDPR model, individual countries have different DPAs.
Privacy protection comes in many flavors, but comprehensive laws cover collection, use, and dissemination of personal data in both the public and private sectors.
Comprehensive Laws are king! GDPR (EU), CCPA (US-CA), LGPD (Brazil), PDPA (Argentina), and others.
How is the Co-Regulatory model different from the sectoral and comprehensive models?
Industry develops enforceable codes or standards.
Legal requirements are overseen by the privacy agency.
Industry enforces the standards.
Are there any countries that decided to use the Co-Regulatory model?
Adopted by Australia and Canada.
5W+H for the FCRA (Fair Credit Reporting Act) adverse action - really a great boon for consumers.
Who is it protecting - Consumers.
What do consumers get under the act?
They are notified whenever an organization takes an adverse action after reviewing the data in the report.
Access to information on their credit report.
Who enforces the FCRA - FTC & CFPB
Rule making authority - CFPB
See FTC Website for information on Adverse Action
5W+H: How does the Gramm-Leach-Bliley Act protect citizens' data?
Who - Originally enforced by the FTC; Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) granted rulemaking authority for most provisions of Subtitle A of Title V of GLBA to the Consumer Financial Protection Bureau (CFPB).
How - The CFPB has oversight of consumer financial companies (loans, financial or investment advice, or insurance).
What does GLBA protect?
Non-public consumer financial information: sensitive data, like account information.
Rules:
Privacy Rule - Tell consumers what you are collecting, how, who it will go to, and provide the right to opt out.
Safeguards Rule - Institutions must protect the data they collect.
Pretexting provisions - Can't access information using false pretenses.
How does HIPAA fit into the US Sectoral Laws?
Provides various rules to protect personal health information.
HITECH amends the HIPAA law to add additional protections and breach notification.
What is COPPA protecting and how?
What - Children's online privacy info
How - Enforced by the FTC to ensure online providers obtain parental consent before collecting data from children under age 13.
Ref: See the actual law at the FTC Site.
What is the purpose of DPPA?
Driver's Privacy Protection Act (DPPA)
Provides uniform protection across all state DMVs.
What is the WebTrust Seal Program?
The WebTrust Seal Program - created by the AICPA (American Institute of Certified Public Accountants). After a careful review of an organization's privacy practices by an external third party, the organization can post the WebTrust Seal on its website.
What are Background Screenings/Checks?
Background Screening/Checks - what goes on here? Somebody not only checks employment records but also education records. If a potential employer wants to dig deeper, they can run credit checks.
Are there any restrictions? Not at the federal level; some states require that a candidate sign a background check authorization form.
The Children’s Online Privacy Protection Act Background - what's so interesting about this?
It's enforced by the FTC.
It's really directed at two types of sites:
An online service that is directed at children under the age of 13.
A website that collects personal information from Kids Under 13.
Parents must provide consent, but how?
Sign a consent form - seriously, that's true.
Call a toll-free number, or connect to a video conference.
See the FTC COPPA Site for more info and the COPPA FAQ.
Choice is at the heart of GDPR. Choice means consent has to be truly given by all data subjects to be valid.
Is there any way to get around consent?
First off, the crux of consent is limiting use of personal data according to the FIPP Use Limitation Principle.
Don't disclose personal data without consent
Don't make it available to others without consent
Don't use it for other purposes than specified
Exception:
Do allow access to personal data when authorized by law.
What's so important about FACTA?
Why?
At the 50,000-foot level, it amends the FCRA to provide enhanced protection for consumers.
Protects consumers from identity theft. (FCRA = protects consumers' credit reports, FACTA = identity theft)
Consumers can place a credit freeze - new credit can't be opened.
Consumers can place fraud alerts - notifications when people attempt to open new credit.
Consumers can get a free yearly credit report.
Agencies must implement programs to detect identity theft.
Who: Federal banking agencies
Who enforces: CFPB and FTC, but the CFPB is the rule-making authority.
Note: The Dodd-Frank Act transferred most rulemaking and one ongoing study requirement under this Act to the Consumer Financial Protection Bureau, but the Commission retains responsibility for two data security rules ("red flags" and "disposal") as well as all rulemaking under the Act relating to certain motor vehicle dealers.
What two things can a DLP tool do to help a privacy officer?
Identify security risks & privacy risks
Block email or file transfers
This shows the different tests the FTC will use to check if a practice is unfair or deceptive.
Example: For the unfairness prong to apply, the practice must be hard for a consumer to avoid.
Note: These prongs are part of Section 5 of the FTC Act.
This shows the different eyes that provide oversight with a sectoral approach.
The omnibus approach uses a comprehensive law to protect personal data in a uniform way across many sectors. There is one big authority that maintains and enforces the law.
From teachprivacy.com
This shows the organization of the Federal Trade Commission Act.
Wow!!! Does the FTC have any enforcement powers? Just ask Facebook.
From the FTC Website: Read this Fact Sheet to understand the 2019 FTC Order.
These are the 4 tiers of penalties the OCR can enforce against an organization for violating HIPAA.
There are five HIPAA Rules that help you understand what it does to protect health data.
How will a DLP tool work to protect against information leakage outside the organization, as well as security and privacy risks?
Data is encrypted to and from partners.
Data is blocked from email and social media.
The DLP agent runs on the local user's desktop.
Who - The CFPB sits within the Federal Reserve.
What - Oversees the financial industry in the US with enforcement powers over abusive acts and practices (not just banks but payday loan scammers as well).
When - It was created by the Dodd-Frank Act.
Why - Before the CFPB was established, seven different federal agencies were responsible for various aspects of consumer financial protection. No single agency had effective tools to oversee the whole market.
How:
Enforce against abusive acts and practices (make rules, supervise and enforce consumer laws)
Educate
Research
Where: CFPB Site
Consumer Reporting Agency - they make money by compiling information on you and providing it for a fee. See the CFPB site for more info
CRAs are a pool of sensitive, personal, and protected information on consumers!
FCRA = Federal law that provides consumers the right to see their credit report data
FACTA = Amended the FCRA; prevents identity theft, gives more access to credit report data than the FCRA, and provides standards on the data that can be stored in a credit report.
See the law: https://www.ftc.gov/enforcement/statutes/fair-accurate-credit-transactions-act-2003
The Red Flags Rule calls for financial institutions and creditors to implement red flags to detect and prevent identity theft. Institutions are required to have a written Identity Theft Prevention Program (ITPP) to govern their organization and protect their consumers.
See the Rules: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/red-flags-rule
A credit freeze restricts access to your credit report, making it harder for identity thieves to open new accounts in your name. See this FTC site for more info.
The credit freeze won't let a credit company access your data at the CRA, thus they probably won't open that shiny credit card.
Confidentiality - the data is disclosed to an unauthorized individual, even an employee or possibly a thief.
Integrity - the data gets altered by an unauthorized individual. Scary!!!
The Federal Trade Commission.
BTW, what is a deceptive trade practice?
When a business uses false advertising about a product or service. "We clean your carpets with our special chemical solution that is organic and safe for pets and children", when in actuality it's soap and water.
Is a real law. It authorized the Federal Trade Commission to implement the National Do Not Call Registry. Consumers can register their phone number (mobile and landline).
Enforcement:
Federal enforcement is coordinated between these two agencies:
Federal Trade Commission (National Do Not Call Registry-Consumer Info, National Do Not Call Registry - Business Info)
Federal Communications Commission (FCC Info on Robocalls, Robotexts, Spoofing Caller ID, and Do Not Call List)
Both have to coordinate their actions but the FCC will issue warnings and fines while the FTC
State Attorneys General - some states add additional requirements for telemarketers to operate within the state, and they can also enforce this act.
Private rights of action - individuals can sue for damages over $50,000.
It's not actually a law at this time, but boy, it will change a lot of things.
Why?
The bill would allow individuals to, at a touch of a button, prohibit any company from collecting any more data than is indispensable to providing its service, and the bill would impose strict penalties on any company that violated the act.
Enforcement - none at this time, until it becomes an official law.
Well, actually the full name is the Dodd-Frank Wall Street Reform and Consumer Protection Act.
The full act, all 848 pages, is here.
Created the Consumer Financial Protection Bureau - for consumer protection.
Charged with protecting consumers against abuses related to credit cards, mortgages, and other financial products.
Granted it rule-making authority over FCRA and GLBA.
Improve financial stability.
Difference between EHR and EMR
EMRs are digital patient charts for a single practice. The data in the EMR gets uploaded to an EHR so it can be shared.
EHRs allow physicians to easily share records with other healthcare providers regardless of location.
For a whole FAQ on EHR Info see the Office of the National Coordinator for Health Information Technology.
The information in the EHR is protected by HIPAA in these three regulations:
The Privacy Rule, which protects the privacy of individually identifiable health information
The Security Rule, which sets national standards for the security of electronic protected health information
The Breach Notification Rule, which requires CEs to notify affected individuals, the HHS secretary, and, in certain circumstances, the media after a breach of unsecured protected health information. Business Associates must provide breach notification to the CE or another BA.
Difference between CE and BA:
Under HIPAA Rules, covered entities (CEs) and business associates (BAs) must institute federal protections for personal health information created, received, used, or maintained by or on behalf of a covered entity, and patients have an array of rights with respect to that information.
CEs include health plans, healthcare clearinghouses, and clinicians who conduct certain healthcare transactions electronically, including billing.
BAs who maintain this information on behalf of covered entities must comply with the Privacy Rule, the Security Rule, and the Business Associate Agreement (BAA) with the CE.
In 1995, it was the first EU-wide legislation that protected individuals' privacy and personal data use.
In 2018, GDPR took over.
This act focused on consumer access and identity theft prevention.
The FTC got authority to prevent identity theft.
The FTC used that authority to create the Red Flags Rule.
The Red Flags Rule is:
In the Code of Federal Regulations, known as Detection, Prevention, and Mitigation of Identity Theft.
Businesses must implement a written Identity Theft Prevention Program designed to detect the warning signs (red flags) of identity theft.
Enforced by: Federal Trade Commission
What:
Goal of allowing consumers to access and correct the information in their credit report.
Limits how credit reports can be used:
Extension of credit
Employment
Note: By the way, this is one of the oldest US privacy laws still in effect today.
The FTC focuses on collecting consumer complaints about business practices and identity theft.
FTC is focused on protecting consumers.
FCC is focused on regulating interstate communications over satellite, wires, radio, and cable.
Note: FCC and FTC MOU FAQ
FINRA - FINRA is the successor to the National Association of Securities Dealers, Inc. and the member regulation, enforcement, and arbitration operations of the New York Stock Exchange.
From FINRA.org
FINRA investigates potential securities violations and, when appropriate, brings formal disciplinary actions against firms and their associated persons. FINRA investigations may be opened from various sources, including automated surveillance reports, examination findings, filings made with FINRA, customer complaints, tips, referrals from other regulators or other FINRA departments and press reports.
This is really helpful in understanding:
Working under the supervision of the Securities and Exchange Commission, FINRA does these:
Write and enforce rules governing the ethical activities of all registered broker-dealer firms and registered brokers in the U.S.;
Examine firms for compliance with those rules;
Foster market transparency; and
Educate investors.
FINRA FAQ - very helpful, it is actually a collection of FAQs.
Since 1967, the Freedom of Information Act (FOIA) has provided the public the right to request access to records from any federal agency. It is often described as the law that keeps citizens in the know about their government. Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions which protect interests such as personal privacy, national security, and law enforcement.
Everything you wanted to know about FOIA but were afraid to ask is in the FAQ
Are there any exemptions?
Not all records are required to be released under the FOIA. Congress established nine exemptions from disclosure for certain categories of information to protect against certain harms, such as an invasion of personal privacy, or harm to law enforcement investigations. See the FOIA FAQ for 9 exemptions.
What is a federal act that requires financial institutions (companies that offer consumers financial products or services like loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data?
Gramm-Leach-Bliley Act.
Enforced by the Federal Trade Commission.
Opt Out - to prevent sharing of information.
Protected Information - Non public personal information.
Notification - must notify consumers of their privacy policies.
GLBA information from the FTC site:
The Gramm-Leach-Bliley Act seeks to protect consumer financial privacy. Its provisions limit when a "financial institution" may disclose a consumer's "nonpublic personal information" to nonaffiliated third parties. The law covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions because they engage in certain "financial activities." Financial institutions must notify their customers about their information-sharing practices and tell consumers of their right to "opt-out" if they don't want their information shared with certain nonaffiliated third parties.
An overview of the privacy requirements of the GLB Act is available online. This guide provides more detailed information than in the overview, to help you comply with the Privacy Rule's requirements for protecting consumer financial information. It was written for businesses that provide financial products or services to individuals for personal, family, or household use.
A financial institution must provide a notice of its privacy policies and practices with respect to both affiliated and nonaffiliated third parties, and allow the consumer to opt out of the disclosure of the consumer’s nonpublic personal information to a nonaffiliated third party if the disclosure is outside of the exceptions.
Generally considered to be: collection, processing, use, disclosure, retention, and destruction.
A US law that requires an opt-in before information can be shared with other organizations. Enforced by the Department of Health and Human Services.
Jurisdiction - Courts must have jurisdiction over both the parties to the dispute (personal jurisdiction) and the type of dispute (subject matter jurisdiction).
National Labor Relations Board (NLRB)
The NLRB is an independent federal agency enforcing the National Labor Relations Act, which guarantees the right of most private sector employees to organize, to engage in group efforts to improve their wages and working conditions, to determine whether to have unions as their bargaining representative, to engage in collective bargaining, and to refrain from any of these activities.
It acts to prevent and remedy unfair labor practices committed by both private sector employers and unions.
The NLRA has info here. Congress enacted the National Labor Relations Act ("NLRA") in 1935 to protect the rights of employees and employers, to encourage collective bargaining, and to curtail certain private sector labor and management practices, which can harm the general welfare of workers, businesses and the U.S. economy.
See the NLRB FAQ for a collection of information about this organization.
What's the difference between FISA and the USA PATRIOT Act?
Before the Patriot Act, the government had FISA. FISA allowed the government to search for foreign intelligence agents and seek information.
If you use consumer reports (sometimes called “credit reports”) to make credit decisions, you have legal obligations under the Fair Credit Reporting Act, known as the FCRA and the Risk-Based Pricing Rule. In particular:
if you deny a consumer credit based on information in a consumer report, you must provide an “adverse action” notice to the consumer.
if you grant credit, but on less favorable terms based on information in a consumer report, you must provide a “risk-based pricing” notice.
When they receive these notices, consumers can contact the consumer reporting agency (“CRA”) that supplied the information to you to ensure their consumer report is accurate.
If you take adverse action against a consumer based on information in a consumer report, you must tell the consumer. The most common type of adverse action is a denial of credit. Adverse action is defined in the Equal Credit Opportunity Act and the FCRA to include:
a denial or revocation of credit
a refusal to grant credit in the amount or terms requested
a negative change in account terms in connection with an unfavorable review of a consumer’s account 5 U.S.C. § 1691(d)(6); FCRA § 603(k)
Denying a consumer’s request for additional credit under an existing account generally isn’t considered an adverse action but changing the terms of the existing account can be.
Your Obligations When Taking Adverse Action
If you take adverse action based on information in a consumer report, you must tell the consumer. Your notice may be oral, written or electronic; it must contain certain information: FCRA § 615(a)
the name, address and phone number of the CRA (including a toll-free number for nationwide CRAs) that supplied the report
a statement that the CRA didn’t make the adverse decision and can’t explain why the decision was made
notice of the consumer's right to a free copy of their report from the CRA if they ask for it within 60 days (FCRA § 612)
notice of the consumer's right to dispute the accuracy or completeness of any information provided by the CRA (FCRA § 611)
the consumer’s credit score, if a score was used
If you don’t comply with the FCRA and the Risk-Based Pricing Rule, you may be sued by the Federal Trade Commission, Consumer Financial Protection Bureau, state governments, or in some cases, consumers. The FCRA provides for maximum penalties of $4,063 per violation in the case of lawsuits brought by the FTC. FCRA §§ 616, 617, 621