Certified Information Privacy Professional - CIPP/US NOTES
Module 1: Introduction to Privacy
1. Define the term privacy
2. Review fair information practices
3. Examine the modern history of privacy
4. Differentiate between personal and nonpersonal information
5. Examine potential sources of personal information
6. Define data protection roles
7. Clarify what actions constitute processing of personal information
8. Identify sources of privacy protection
9. Compare models of privacy protection
1. Privacy – “Right to be left alone.” Also:
● Appropriate use of personal information under the circumstances
● An individual’s right to control the collection, use and disclosure of personal information.
● Used in U.S. policies, laws and regulations.
● Types:
o Information Privacy – PII, and the right to control the collection, use and disclosure
o Territorial Privacy – Stay out of my house
o Bodily Privacy – My eyes are up here.
o Communications Privacy – No middle man
2. Fair Information Practice Principles (“FIPPs”)
● Rights of the Individual –
o Notice, Choice and Consent, Data Subject Access
● Controls on the Information –
o Information Security, Information Quality
● Information Lifecycle –
o Collection, Use and Retention, Disclosure, Destruction
● Management –
o Management and Administration, Monitoring and Enforcement
3. History of Privacy
● U.S. Health, Education and Welfare FIPs (1973)
● OECD Guidelines (1980)
● Council of Europe Convention (1981)
● APEC Privacy Framework (2004)
● Madrid Resolution (2009)
4. Personal versus Nonpersonal Information
● Personal Information
o Name
o Gender
o Address
o Telephone number
o Email address
o Age and date of birth
o Marital status
o Citizenship
o Government-issued identification numbers
● “Sensitive Information”
o Social Security Number
o Financial Information
o Driver’s License Number
o Medical Records
● Nonpersonal and Pseudonymized Information is not PII
5. Sources of Personal Information
● Public Records
o Real Estate
● Publicly Available Information
o Names and Addresses in Phone Books
o Newspaper Publishing
● Nonpublic Information
o Name
6. Data Protection Roles
● Data Subject – an individual about whom information is being processed.
● Data Controller – An organization or individual with the authority to decide how and why information about data subjects is to be processed.
● Data Processor – An organization or individual that processes data on behalf of a data controller.
● Regulatory or Data Protection Authority (DPA) – Supervisory authority chartered to enforce privacy rules / laws / regulations
o The U.S. has no national DPA per se; the FTC, state attorneys general and federal financial regulators fill that role.
7. Processing
● Anything you do with personal information is considered processing.
● Everything you do with personal information, from the moment you come in contact with it, all the way through its destruction or disposal, is considered processing.
8. Sources of Privacy Protection
● Markets – Mostly driven by a company’s concern for its brand. E.g. Facebook and their bullshit.
● Technology – E.g. encryption
● Law – Traditional approach. Might not be enough.
● Self-Regulation / Co-Regulation – Complement to state and federal laws
o Legislative – Who decides the rules
o Enforcement – Who enforces the rules
o Adjudication – Who decides if there’s been a violation
9. Models of Privacy Protection
● Few or no Laws (Cuba) – Nada. Probably due to cultural values.
● Co-Regulatory (Australia) – Combination of law and self-regulation / code of conduct. E.g. in Australia, industry organizations are ‘encouraged’ to develop self-regulation that aligns with the National Privacy Principles
● Sectoral (USA) – Industry specific laws. HIPAA, FERPA. Governed by statutes (versus constitutional law).
● Comprehensive (EU) – Omnibus law that covers nearly all data and all processing of data
Module 2: Structure of U.S. Law
1. Describe the main functions and composition of the three branches of U.S. government
2. Recognize the sources of federal and state U.S. Law
3. Define basic terms relative to U.S. Law
4. Identify governmental bodies with privacy and information security authority
1. Primary Functions of US Government
● Executive Branch –
o Enforce Laws
o Appoints federal judges.
o Can veto laws passed by congress.
● Legislative Branch –
o Overrides presidential vetoes
o Makes and passes laws (House and Senate)
o Confirms presidential appointees
● Judicial Branch –
o Interpret Laws and determine constitutionality
o Made up of Federal Courts:
▪ U.S. Supreme Court
▪ Court of Appeals
▪ Circuit Courts
▪ District Courts
2. Sources of US Federal and State Law
● Constitutions – both U.S. and State
o No mention of Privacy in the U.S. Constitution
o Fourth amendment limits searches
o State constitutions may create stronger rights
● Legislation (Statutes) –
o May regulate applications of information, certain industries, certain data elements or specific harms
o Law-making power shared between national and state governments
o State legislation may be stricter than national legislation
● Regulation and rules –
o Issued by Regulatory Agencies
o Required by certain laws
▪ E.g. Telemarketing Sales Rules created by FTC and FCC
● Contract Law –
o Binding Contract must include
▪ Offer (terms or agreement)
▪ Acceptance
▪ Consideration (money, property, services)
● Case Law –
o Final court case decisions that set precedents for future cases
▪ May change over time
● Common Law –
o Legal principles developed over time based on prior case law decisions
▪ Doctor / Patient
▪ Attorney / Client
● Consent Decree –
o Agreement between two parties that resolves a dispute without the admission of guilt or liability. Describes the actions the defendant will take:
▪ Defendant Agrees to stop illegal activity
▪ May be subject to public comment period
▪ Same effect as a court decision
▪ Generally requires violators to pay money to the government and agree not to violate the relevant law in the future.
● Tort Laws –
o Civil wrongs recognized by law as having grounds for a lawsuit
o Primary goals are to provide relief for damages incurred and to deter others from taking similar actions
o Three tort categories:
▪ Intentional – Defendant knew they were doing something wrong
▪ Negligent – Defendant’s actions were unreasonably unsafe
▪ Strict Liability – Defendant has legal responsibility for damages or injury even if not negligent or at fault
● Product Liability
3. Terms
o Person – Any entity with legal rights. Can be a person or a corporation.
o Private right of action – Right of an individual to file a lawsuit against a violator
o Jurisdiction – The authority of a court to hear a particular case
▪ Must have both subject matter jurisdiction and personal jurisdiction
o Authority –
▪ General Authority – Blanket authority to regulate a field of activity
▪ Specific Authority – Targeted at particular activities, which are outlined by legislation
o Preemption –
▪ A superior government’s ability to have its laws supersede those of an inferior government. E.g. CAN-SPAM Act.
o Privacy Notice –
▪ A description of the organization’s information management practices
▪ For consumer education and corporate accountability.
o Choice –
▪ The ability to specify whether personal information will be collected and/or how it will be disclosed.
▪ Can be express or implied
● Opt-in – Individual actively gives consent
● Opt-out – Consent assumed unless specifically withdrawn
o Access –
▪ The ability to view information.
4. Identify Governmental Bodies with Authority
● Agencies that Regulate Privacy
o Federal Trade Commission (FTC) – General authority to enforce rules against unfair or deceptive trade practices
▪ Includes the power to bring deception enforcement actions when an organization has broken a privacy promise.
o Federal Banking regulatory agencies
▪ Consumer Financial Protection Bureau (CFPB)
▪ Federal Reserve Board
▪ Office of the Comptroller of the Currency
o Federal Communications Commission (FCC)
o Department of Transportation (DoT)
o Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR)
o Department of Commerce
▪ No regulatory authority for privacy, but plays a role in privacy policy for the executive branch
● State Level
▪ State Attorney General – May take enforcement action based on state laws prohibiting unfair and deceptive practices
Module 3: General Data Protection Regulation Overview
1. Review effects of the General Data Protection Regulation (GDPR) on information management in the U.S.
2. Recognize the significance of the GDPR to U.S. organizations
3. Examine rules and considerations that impact cross-border data transfers to the U.S.
4. Summarize accountability obligations of controllers and processors under the GDPR
5. Review conditions for appointing a DPO, DPO tasks and responsibilities, and related controller/processor obligations under the GDPR
6. Summarize controller and processor data breach notification obligations under the GDPR
7. Review data subject rights under the GDPR
1. Review effects of the General Data Protection Regulation (GDPR) on information management in the U.S.
● Provisions of the EU’s General Data Protection Regulation (GDPR) include:
o Accountability obligations
o Rules for cross-border data transfers
o Requirements for processors (contractors who act on behalf of data controllers)
o Designation of data protection officers
o Notification of security breaches
● The GDPR also provides extensions of individual rights, including:
o The right to be forgotten
o The right to data portability
o Implementation of principles of Data Protection by Design and Data Protection by Default
2. Recognize the significance of the GDPR to U.S. organizations
● Territorial scope: Only one of the following must be met for the GDPR to apply (Article 3)
o Processing of personal data when a controller or processor is established in the EU (regardless of whether or not the actual processing takes place in the EU).
o Processing of personal data of EU subjects relating to offering goods or services or monitoring behavior (regardless of whether or not the controller or processor is established in the EU).
o Processing of personal data by a controller not established in the EU but in a place where member state law applies.
● Material scope (Article 2)
o Processing of personal data wholly or partly by automated means
o Personal data that forms part of a filing system
o Exclusions:
▪ Activity outside the scope of Union law (e.g., national security)
▪ Border checks, asylum and immigration
▪ Household activity
▪ Law enforcement and public security
3. Examine rules and considerations that impact cross-border data transfers to the U.S.
● U.S. Safe Harbor - Adequacy decision overturned in 2015, based partly on concerns about U.S. government surveillance
● EU-U.S. Privacy Shield (2016) – U.S. organizations wishing to import personal data from the EU under the Privacy Shield accept obligations on how that data can be used; commitments are legally binding and enforceable
● Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs)
o Binding Corporate Rules (BCRs): A multi-national company can transfer data between countries after certification of their practices by an EU privacy supervisory agency
o Standard Contractual Clauses (SCCs): A company contractually promises to comply with EU law and submit to the supervision of an EU privacy supervisory agency
● Other approved transfer mechanisms
o Codes of conduct and certification mechanisms
o Ad hoc contractual clauses authorized by supervisory authorities (i.e., non-standardized contractual clauses)
4. Summarize accountability obligations of controllers and processors under the GDPR
● Privacy by Design and Privacy by Default
o Implementation of technical and organizational measures should take place “both at the time of the determination and the time of processing itself.”
o Article 25
● Data Protection Impact Assessment (DPIA) –
o “Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in high risk to the rights and freedoms of natural persons, the controller shall, prior to processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
o Article 35
o Specific conditions: Systematic, extensive evaluation of personal aspects based on profiling or processing of special categories; large-scale processing of special categories; systematic, large-scale monitoring of public areas
● Record Keeping required content differs between controller and processor
● Security -
o Taking into account the state of the art, the costs of the implementation and the nature, scope, context and purpose of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
5. Review conditions for appointing a DPO, DPO tasks and responsibilities, and related controller/processor obligations under the GDPR
● Data Protection Officer (DPO) – A staff member or contractor tasked with ensuring and demonstrating compliance with EU data protection law; an expert in data protection
o Expert in data protection law and policy
o Required when the core activities of the controller or processor are:
▪ Processing activities that require “regular and systematic monitoring” of data subjects on a “large scale”
▪ Processing sensitive data on a “large scale.”
▪ Processing by public bodies, other than courts acting in judicial capacity
o Responsibilities of the DPO:
▪ Monitor compliance with GDPR
▪ Advise controller and processor
▪ Manage risk
▪ Cooperate with supervisory authorities
▪ Communicate with data subjects and supervisory authorities
▪ Exercise professional secrecy
6. Summarize controller and processor data breach notification obligations under the GDPR
● “‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4)
● The sole notification duty of processors: They must inform controllers without “undue delay” after becoming aware of a breach (Article 33)
7. Review data subject rights under the GDPR
● Notification of Processing (Article 13)
● Data portability (Article 20)
o Structured, commonly used and machine readable format
o Interoperability – accessible through multiple systems
o Transfer to data subject, another controller or a trusted third party
● Erasure and the right to be forgotten (Article 17)
o Erasure: Data subject may request their personal data be erased
o Right to be Forgotten: Removal of personal data that extends beyond the controller’s records
● Restriction of Processing: Personal data is stored without being further processed (Article 18)
● Right to object to processing (Article 21)
o Public interest or legitimate interest
o Research or statistical purposes
o Direct Marketing
● Right to request access to a copy of their personal data, among other items
● Right “not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects.”
Module 4: The California Consumer Privacy Act
1. Highlight key components that make up the scope of the California Consumer Privacy Act
2. Outline rights of consumers under the California Consumer Privacy Act
3. List obligations of businesses under the California Consumer Privacy Act
4. Discuss actions businesses may take to ensure compliance with the California Consumer Privacy Act
5. Describe how the California Consumer Privacy Act may be enforced
1. Key Components
● Covered Businesses – Any for-profit business doing business in California that either:
o Does more than $25 million in annual revenue
o Holds the personal information of 50,000 people, households, or devices
o Makes at least half its revenue from sale of PI
o The phrase ‘does business in California’ is not defined by the CCPA. In practice it applies to any business that deals with California residents.
● Definition of Personal Information –
o Any information that relates to a particular consumer or household
o Exceptions
▪ Publicly available information. Government sources only.
▪ This does not apply to social media information.
● Protected Individuals –
o Any “consumer” defined as a “natural person who is a California resident,” who is:
▪ “Every individual who is in the State for other than a temporary or transitory purpose”
▪ “Every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.”
2. Consumer’s Rights
● Request a record of:
o Types of PI an organization holds on a requestor
o Its sources and the specific PI that has been collected
o Information about the use of data in terms of both business and third party sharing
● A full right to erasure:
o Deletion of PI (with exceptions for completion of a transaction, research, free speech, some internal analytical use)
▪ Including the disclosure of the right to erasure
● Opt out options
o Consumers can opt out of having their data sold to third parties.
3. Business Obligations
● Provide certain disclosures to consumers, such as categories of PI collected, purpose for collection, description of consumers’ rights and online privacy notice
● Provide methods for receiving consumer requests (e.g., a toll-free number, web form or email address)
● Have a verification process so consumers can prove they are who they say they are when attempting to exercise their rights
● Upon receiving a data access request, provide the information free of charge, within 45 days and in a portable format if delivered electronically
● Disclose to consumers the third parties to whom the business sells PI
● Include a “Do Not Sell My Personal Information” button on its website to make it easy for consumers to object to the sale of their PI
● Do not “discriminate against a consumer” based on the exercising of rights granted in the bill (may offer higher tiers of service or product in exchange for more data)
● Train certain employees on consumer rights pursuant to the law
4. Actions to Ensure Compliance
● To prepare and comply with CCPA, companies may consider:
o Updating data inventories of PI they use from any California residents (including households and devices), sources, storage locations, usage and recipients
o Evaluating/revising privacy notices and website functionality (e.g., “Do Not Sell My Personal Information” button)
o Evaluating/revising processes, procedures and systems (e.g., methods for enabling the exercise of rights and identifying minors)
5. CCPA Enforcement
● Enforcement by state attorney general
● $2,500 fine per violation—or $7,500 fine per violation for intentional violations—not addressed within 30 days
● Consumers can sue for $100–$750 per violation
Module 5: Enforcement of U.S. Privacy and Security Laws
1. Distinguish between criminal and civil liability
2. Define general theories of legal liability
3. Describe the FTC’s privacy and information security-related priorities, powers and responsibilities
4. Recognize federal privacy enforcement and policy outside the FTC
5. Describe state, cross-border and self-regulatory enforcement
1. Criminal versus Civil Liability
2. General Theories of Legal Liability
● Negligence: Absence of or failure to exercise proper or ordinary care
● Breach of warranty: Failure of a seller to fulfill the terms of a promise, claim or representation
● Misrepresentation: False security about the safety of a particular product or service
● Defamation: Untruth about another that will harm the reputation of the person defamed
o Written defamation: Libel
o Oral defamation: Slander
● Strict tort liability: Extension of the responsibility of the vendor or manufacturer to all individuals who might be injured by a product or service
● Statutory actions: Action required, permitted or enacted by statute
3. FTC’s Privacy and Infosec Priorities, Powers and Responsibilities
● Federal Trade Commission (FTC) – Independent agency. Out of direct control of the President.
o Established by the Federal Trade Commission Act of 1914
o Section 5: Unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
▪ UDTP – Unfair and Deceptive Trade Practices
▪ Does not apply to nonprofit organizations and some industries (e.g., banks, transportation, communications)
o Section 6: Authority to conduct investigations and to require businesses to submit investigatory reports under oath
● 1938 – Statutory change defined consumer protection mission.
● Fair Credit Reporting Act of 1970
● 1990s – Privacy enforcement cases relate to unfair and deceptive practices.
● FTC’s Powers include the following:
o Preventing unfair methods of competition and unfair or deceptive acts or practice in or affecting commerce
o Seeking monetary redress and other relief for conduct injurious to consumers
o Prescribing trade regulation rules, defining with specificity acts or practices that are unfair or deceptive
o Establishing requirements designed to prevent such acts or practices
● FTC has regulatory responsibility for:
o Children’s Online Privacy Protection Act (COPPA) of 1998
o Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003
o Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
● FTC Enforcement Process:
o FTC enforcement action begins with a claim that an organization has committed an unfair or deceptive practice or has violated a specific consumer protection law
▪ Claims may come from complaints from consumer groups or competitors, or be brought to the FTC’s attention through press reports
o If the infraction is minor, the FTC may work with the organization to resolve the problem without a formal investigation
o If the infraction is significant, or reflective of a pattern of noncompliance, the FTC may launch a full investigation
▪ If the investigation confirms there is a possibility that a law is being or has been violated, it has two options:
● The commission can issue a complaint; an administrative trial is held before an administrative law judge
● If a violation is found, injunctions may result, or the commission can seek civil penalties through the federal district court
▪ The issue can be resolved through a consent decree, whereby the respondent does not admit fault, but promises to change its practice and avoids further litigation on the issue
● If, after agreeing to the consent decree, there are future violations by the respondent, the commission can request civil penalties or injunctions through the federal court
4. Federal Privacy Enforcement and Policy Outside the FTC
● State Department – Negotiates internationally on privacy issues with other countries and in multinational groups
● Department of Transportation – Responsible for transportation companies; enforces EU-U.S. Privacy Shield commitments for some of them.
● Department of Commerce – Leading role in federal privacy policy development. Administers the EU-U.S. Privacy Shield.
● Office of Management and Budget – Lead agency for interpreting Privacy Act of 1974. Issues guidance to agencies and their contractors.
● IRS – Subject to Privacy Rules concerning tax records
● Department of Homeland Security (DHS) – E-Verify Program, rules for air traveler records via the Transportation Security Administration (TSA), immigration and border control (ICE)
● Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) – Enforces HIPAA
5. State, Cross-Border and Self-Regulatory Enforcement
● State Enforcement –
o Each state has laws similar to Unfair and Deceptive Acts and Practices (UDAP)
o UDAP laws enforced by State Attorney General
o States have made other laws and statutes to protect privacy
● Cross Border –
o Orgs and government agencies in more than one jurisdiction
o Issues include cooperation between enforcement agencies
o Conflicts between privacy and disclosure laws and cross border enforcement
o Global Privacy Enforcement Network (GPEN), APEC Cross-border Privacy Enforcement Arrangement (CPEA)
● Self Regulation and Enforcement
o Refers to many approaches to privacy protection – analogous to government regulation
o PCI DSS, TrustArc, BBB, Privacy Shield
Module 6: Information Management from a U.S. Perspective
1. Privacy Program Development
● Policy – Inward facing
● Notices – Outward facing
● In 2003, Congress passed the Fair and Accurate Credit Transactions Act (FACTA)
o Preempts (most) stricter state laws
o Requires truncation of credit and debit card numbers
o Consumer right to an explanation of their credit scores
o Consumer right to free annual credit report from each of the three national credit agencies
o Requires regulators to institute Disposal Rule and Red Flags Rule
Module 7: Federal vs. State Authority
● Preemption: A superior government’s ability to have its laws supersede those of an inferior government
o Where federal law does not specifically prevent it, the states have power to make law
● Constitution is the ‘supreme law of the land.’
● When federal laws do not provide a consumer protection that a state believes is necessary, the state may enact a law to provide the protection for its citizens
o In some cases, the federal government has preempted state privacy laws, even when the state laws are stricter
o FCRA/FACTA preempts state law
▪ Because of how FACTA is written, states retain the right to enact identity theft laws
o CAN-SPAM preempts state law and states are not allowed to pass stricter laws
o HIPAA and GLBA do not preempt stricter state laws
▪ State attorneys general have enforcement powers under HIPAA and GLBA, shared with the FTC and other federal agencies
Module 8: HealthCare
● Prohibits employment discrimination based on genetic information, including:
o Unions and training programs
o Family members who have manifested a disease
o Requirements or requests for genetic information
● Prohibits insurance providers from:
o Implementing higher premiums based on genetic tests
o Using genetic predisposition to deny coverage based on a preexisting condition
● 21st Century Cures Act of 2016
o Exempts mandatory disclosure of individual biomedical research information under the Freedom of Information Act
o Researchers are allowed to remotely review PHI under HIPAA rules
o Prohibits information-blocking that would interfere with the exchange of electronic health information
o Requires “Certificates of Confidentiality” for research, particularly for those with alcohol and/or substance abuse issues
o Provides guidelines for permissible “compassionate” sharing of mental health or substance abuse information with family or caregivers
● Confidentiality of Substance Use Disorder Patient Records Rule, 42 CFR Part 2
o Scope: Use and disclosure of patient-identifying information
o Applicability: Applies to federally funded programs. Regulations may apply to other entities that:
▪ Are required by state licensing
▪ Use controlled substances that require licensing through the U.S. DEA
o Disclosure: Consent form detailing the disclosure of information
o Re-disclosure: Prohibits the re-disclosing of information if it would identify the individual as receiving treatment
o Exceptions to consent requirements: Emergencies, research, evaluations, crimes on premises or against personnel, child abuse reporting, court orders
o Security of records: Formal policies and procedures in place to ensure the security of information
Module 9: Financial Privacy
● Fair Credit Reporting Act of 1970 (FCRA)
o Regulates consumer reporting agencies (CRAs)
▪ CRAs compile or evaluate personal information to furnish consumer reports to third parties for a fee
▪ A “consumer report” is any communication by a CRA, related to an individual, which is used to establish that individual’s eligibility for credit, insurance, employment, etc.
o Mandates accurate and relevant data collection
▪ Provides privacy rights in consumer reports
▪ Accurate and relevant data collection
▪ Consumer access and correction
▪ Limits use to “permissible purposes”
▪ Maintain records
▪ Provide consumer assistance defined by FTC
o Also imposes obligations on “users” (lenders, insurers, employers, etc.) and “furnishers” (lenders, retailers, etc.)
o Enforcement - Dispute resolution; private right of action; enforced by FTC, CFPB, state attorneys general
● Fair and Accurate Credit Transactions Act (FACTA)
o In 2003, Congress passed the Fair and Accurate Credit Transactions Act (FACTA)
o Preempts (most) stricter state laws
o Requires truncation of credit and debit card numbers
o Consumer right to an explanation of their credit scores
o Consumer right to a free annual credit report from each of the three national credit agencies
o Requires regulators to institute the Disposal Rule and Red Flags Rule
▪ The FACTA Disposal Rule requires any individual or entity that uses a consumer report, or information derived from a consumer report, for a business purpose to dispose of that consumer information in a way that prevents unauthorized access and misuse of the data.
▪ Applies to both small and large organizations (e.g., consumer reporting agencies, lenders, employers, insurers, landlords, car dealers, attorneys, debt collectors, government agencies)
▪ Definition of “disposal”: any discarding, abandonment, donation, sale or transfer of information
▪ Violators may face civil liability as well as federal and state enforcement actions
o Red Flags Rule:
▪ Applies to financial institutions (banks, savings and loan associations and credit unions) and creditors
▪ Goal: detection, prevention and mitigation of identity theft
▪ Red Flag Program Clarification Act of 2010: determined that the Red Flags Rule does not apply to creditors who extend credit only for “expenses incidental to a service” (such as lawyers and health providers)
▪ Each organization is required to develop its own list of red flags. FTC examples:
● Alerts
● Warnings from CRAs
● Suspicious identification documents
● Suspicious personal identifying data
● Unusual use of a covered account
o Credit histories (as “consumer reports”):
▪ FCRA does not preempt states from creating stronger legislation in the area of employment credit history checks
▪ California Investigative Consumer Reporting Agencies Act (ICRAA)
● Disclosure requirements under the ICRAA are more stringent than under the FCRA
▪ Connecticut, Delaware, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont and Washington also currently limit the use of credit information in employment
● All require that credit history information be used only as related to the applied-for position
● Some states allow credit history checks to be performed if the position fits within predefined occupational categories, generally involving financial or managerial responsibility or exposure to confidential information
● Gramm-Leach-Bliley Act (GLBA)
o GLBA affects companies that offer consumers financial products or services, such as loans, financial or investment advice, or insurance
o Created out of concern over the consolidation of the U.S. banking, securities and insurance industries
o Led to major changes in the structure of the financial services industry
▪ Provided for the creation of new financial service holding companies
▪ Eliminated legal barriers to affiliations among banks, security firms, insurance companies and other financial services companies
o Under GLBA’s privacy provisions, financial institutions are required to:
▪ Store personal information in a secure manner
▪ Provide notice of their sharing policies
▪ Provide consumers an option to opt out of third-party sharing
o Financial institution: Any U.S. company that is “significantly engaged” in financial activities
o GLBA regulates financial institution management of “nonpublic personal information”
▪ Personally identifiable financial information
● Provided by a consumer to a financial institution
● Resulting from a transaction or service performed for the consumer
● Otherwise obtained by the financial institution
o Excluded: Publicly available information and any consumer list that is derived without using personally identifiable financial information
o Banking and related financial institutions that fail to comply with GLBA requirements can be subject to substantial penalties under the Financial Institution Reform, Recovery and Enforcement Act (FIRREA)
o Dodd-Frank Wall Street and Consumer Protection Act (2010)
▪ Created the Consumer Financial Protection Bureau (CFPB) as the enforcement authority for the GLBA Privacy and Safeguards Rules
o Stricter state laws are not preempted by GLBA but can be subject to challenge under FCRA
o Financial institutions must:
▪ Provide initial and annual privacy notices
● Exception: FAST Act
▪ Process opt-outs within 30 days
o Privacy notices must:
▪ Provide customers with clear and conspicuous notice of information sharing policies and practices
▪ Provide customers with the right to opt out
▪ Refrain from disclosing account number or access codes to nonaffiliated third-party marketers
▪ Comply with regulatory standards designed to protect consumer information
▪ Include:
● What is collected
● With whom information is shared
● How information will be safeguarded
● How consumer can opt out
o Provided that the notice standard is met and the FCRA-mandated “opt-out” is offered, a financial institution may share any information it has with its affiliated companies and joint marketing partners
o A financial institution may also share consumer information with nonaffiliated companies and other third parties, but only after disclosing information-sharing practices to customers and providing them with the opportunity to opt out
▪ Consumer cannot opt out if:
● Information is shared with outside companies that provide essential services (e.g., data processing)
● The disclosure is legally required
● Information is shared with outside service providers that market the financial company’s products or services
o Three levels of security:
▪ Administrative security: Program definition, management of workforce risks, employee training, vendor oversight
▪ Technical security: Computer systems, networks and applications; access controls and encryption
▪ Physical security: Facilities, environmental safeguards, business continuity, disaster recovery
o Safeguards must be designed to:
▪ Ensure the security and confidentiality of customer information
▪ Protect against any anticipated threats or hazards to the information
▪ Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to the customer
o Each financial institution must:
▪ Designate an employee to coordinate the safeguards
▪ Identify and assess the risks and evaluate the effectiveness of the safeguards
▪ Design and implement a safeguard program, and monitor and test it regularly
▪ Select and provide oversight of appropriate service providers
▪ Evaluate and adjust the program as needed
● Dodd Frank
o Title X of the Dodd-Frank Act created the Consumer Financial Protection Bureau (CFPB) as an independent bureau within the Federal Reserve
o The CFPB has rule-making authority for specific laws related to financial privacy and other consumer issues, such as the FCRA and GLBA
o Along with the FTC and state attorneys general, the CFPB can bring enforcement actions for “unfair and deceptive” acts or practices
o CFPB can enforce against “abusive acts and practices” that:
▪ Materially interfere with the ability of a consumer to understand a term or condition of a consumer financial product or service
▪ Take unreasonable advantage of a consumer’s:
● Lack of understanding of the material risks, costs or conditions of the product or service
● Inability to protect their interests in selecting or using a consumer financial product or service
● Ability to rely on a covered person to act in the interests of the consumer
o Meaning and application of this new language will develop over time
▪ May come to apply to privacy notices, etc.
o CFPB enforcement authority includes the ability to conduct investigations and issue subpoenas, hold hearings and commence civil actions against offenders
● Anti-Money Laundering Laws:
o Bank Secrecy Act (BSA), aka Currency and Foreign Transactions Reporting Act of 1970
o Broad application to “financial institutions” (may differ from GLBA)
o Rules relate to currency transactions (> $10K); transportation of monetary instruments; purchase of currency-like instruments (> $3K)
o Records retention requirements (specific to type of transaction)
o Suspicious Activity Reports (SARs)
▪ Filed with Department of Treasury’s Financial Crimes Enforcement Network when an entity
● Suspects an insider involved in a crime, regardless of amount
● Detects possible crime ≥ $5k and has substantial basis for identifying suspect
● Detects possible crime ≥ $25k (even if no suspect)
● Suspects money-laundering in currency transactions aggregated ≥ $5k
o BSA enforcement: Fines for violations, possibly imprisonment
● International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001
o Part of the former USA PATRIOT Act
o Expanded reach of BSA
o “Know Your Customer” rules
o Bank Secrecy Act expansions
Module 10: Education
Family Educational Rights and Privacy Act of 1974 (FERPA) –
● Applies to all educational institutions that receive federal funding
● “Educational Records” applies to all records directly related to the student, including academic, disciplinary and financial records.
● Key Principles:
o Notice – Students should see annual notice of their rights
o Consent – Disclosure is conditional upon information not being personally identifiable
▪ Consent has been given by parent or student once rights have been transferred
▪ Statutory exceptions such as health and safety
o Access and Correction – Students have the right to access and review their records, request corrections, and request a hearing if a request for correction is denied.
● Amendments –
o Protection of Pupil Rights Amendment (PPRA) – Provides rights to parents of minors in regard to sensitive information collected from students via surveys
o No Child Left Behind Act (NCLBA) – Put requirements on schools to enact collection, disclosure or use policies regarding personal information about students for commercial purposes.
▪ Notice must be given to parents, allow for review and provide an opt-out option regarding survey information.
Children’s Online Privacy Protection Act (COPPA)
● Children 13 and under
● Covers children’s use of the internet, and websites and services targeted at children
● Requires clear notice of data collection, including links to the website privacy policy
● Parental consent must be obtained prior to collecting any personal information for children under the age of 13
Module 11: Telecommunications and Marketing
Telephone Consumer Protection Act of 1991 (TCPA) – Places restrictions on unsolicited advertising by phone, fax, robocalls or text.
Telemarketing Sales Rule (TSR) – Passed to implement the Telemarketing and Consumer Fraud and Abuse Prevention Act
● Response to families complaining about deceptive marketing practices and unwanted marketing calls.
● Implemented the following:
- Do Not Call Registry
- Telemarketing rules – call between 8am and 9pm, respect requests to call back, retain records for at least 24 hours
- Entity specific suppression lists – prohibits seller from calling an individual who asked not to be contacted
- Disclosures - Prior to sales, must disclose identity, purpose of call, nature of goods or services, purchase or payment requirement
- Misrepresentations and material omissions: Disclose cost/quantity, material restrictions/conditions, no-refund policy details, prize/promotion details, credit card loss prevention program, negative option feature
- Caller ID – Accurate identification information must be transmitted
- Call abandonment - Live sales reps must connect within two seconds
- Abandonment Safe Harbor - Protects from fines for inadvertent calls so long as measures to avoid call abandonment are in place
- Unauthorized Billing - Must have “express informed consent”
- Robocalls / Autodialers - Need prior written consent, provide opt-out option; HIPAA-governed entities are exempt
- Record-keeping: Maintain activity records for two years, advertising/promotions, data on prize recipients, sales records, employee records, consent/agreement records
● Consent of consumer must be ‘clear and conspicuous.’
● Violations up to $40k per
● Neither the TSR nor the FCC rules preempt state laws
Junk Fax Protection Act of 2005 (JFPA) – Extension of the Telephone Consumer Protection Act (TCPA)
● Consent can be inferred from an existing business relationship (EBR)
● Sender must offer opt out option to recipients
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM Act of 2003) –
● Regulates commercial email
● Requires opt out
● Sender identity must be clear
● Rules for legitimate organizations to market via email
● Up to $40k per violation
● 10-day grace period to stop sending after a recipient opts out of commercial email or texts.
● Includes text messages, does not cover phone-to-phone messages
● Creates a wireless domain registry – list of wireless domains that cannot receive messages
● Enforcement –
o ISPs can sue for injunctive relief and monetary damages
o Egregious conduct can lead to 5 years imprisonment
Cable Television Privacy Act of 1984 –
● Notice at time of initial agreement and annually to include nature of PI collected, how used, retention period, how to access and correct
● Only PI necessary to provide service or detect unauthorized reception
Telecommunications Act of 1996 – Pertains to customer information provided to and obtained by telecommunications providers.
● Introduces Customer Proprietary Network Information (CPNI)
● Information collected by telecommunications carriers related to their subscribers. Includes subscription, billing and service information, call logs.
● Carriers must notify of security breaches, require customers to provide a password before accessing CPNI and certify compliance.
Video Privacy Protection Act of 1988 (VPPA) – Videotape service providers prohibited from sharing PI
Video Privacy Protection Act Amendment Act of 2012 – Addressed changes in video delivery (e.g. Netflix) and allows users to share their movie viewing information via social media.
● Exceptions include direct to consumer, written consent of the consumer, law enforcement via warrant
Self Regulation for Digital Advertising:
● Digital Advertising Alliance (DAA) Self-Regulatory Principles for Online Behavioral Advertising
▪ Establishes responsible privacy practices enforced via the Better Business Bureau and the Direct Marketing Association; management of consumer opt-outs
● Network Advertising Initiative (NAI) Code of Conduct –
▪ NAI Codes apply to members only and are subject to annual review; notice, choice, accountability, information security/use limitation of online advertising, mobile apps
FCC Broadband Privacy Rules –
● Broadband internet providers are classified as public utilities; CPNI rules apply
California, NJ and Nevada all have their own digital advertising laws
Module 12: Law Enforcement & Privacy
The Fourth Amendment protects citizens against unreasonable searches and seizures.
● Stricter law around ‘real time monitoring’ versus retrieval of a stored record.
Title III of Omnibus Crime Control and Safe Streets Act of 1968 (aka the wiretap act) has requirements that prohibit the recording of ‘wire communication’ (phone calls) and ‘oral communication’ (hidden bugs / microphones). Exceptions apply:
● Person intercepting is a party to the call / discussion and has given consent
● Recording is part of the ordinary course of business (think of call recordings for collectors)
Electronic Communications Privacy Act of 1986 (ECPA) – Extends the ban to include ‘electronic communications’: email and other communications that are not wire or oral
● Includes the Stored Communications Act (SCA) – Creates a general prohibition against the unauthorized acquisition, alteration or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided.
● Violations can lead to civil and/or criminal penalties
● Pen Register – Records telephone numbers of outgoing calls.
● Trap and Trace – records telephone numbers inbound to a specific number
● ECPA provides for pen registers / trap and trace orders from a judge under the legal standard of ‘relevant to an ongoing investigation.’
● PATRIOT Act – expanded definitions beyond telephone numbers to include “dialing, routing, addressing, or signaling information” transmitted to or from a device or process
● USA FREEDOM Act - set new rules for national security investigations, prohibiting the use of pen register and trap and trace orders for bulk collection and restricting their use to circumstances where there were specific selectors, such as an email address or telephone number
Communication Assistance for Law Enforcement Act of 1994 (CALEA)
● Applies to telecommunication carriers but not to other information services
o Originally excluded internet services
o The FCC issued an order that providers of broadband and/or VoIP are telecommunications services when they interconnect with traditional telephone carrier services.
● Sometimes referred to as ‘digital telephony bill’
● Defines duties of actors in the telecommunications industry to cooperate with law enforcement when issued a lawful order to intercept communications.
● Telecommunications providers need to design their products and/or services to ensure they can carry out a lawful intercept order
Cybersecurity Information Sharing Act of 2015 (CISA)
● Encourages federal government to share unclassified information with companies about how networks have been attacked and defenses have been used
● Authorizes companies to share or receive cyber threat indicators or defensive measures
● Info must not contain personal information
● Prohibits government from using this information to take enforcement actions against lawful activities
● Shared information is exempt from federal and state FOIA laws.
● Information may only be used to develop or implement new cybersecurity regulations
Right to Financial Privacy Act of 1978 (RFPA): “No Government authority may have access to, or obtain copies of, the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described” and meet at least one of the following conditions:
● Customer authorization
● Appropriate administrative subpoena or summons
● Qualified search warrant
● Appropriate judicial subpoena
● Appropriate formal written request from an authorized government authority
Privacy Protection Act (PPA) – Government officials engaged in criminal investigations are not permitted to search or seize media work products or documentary materials
● Applies to government officers or employees at all levels of government
● Applies only to criminal investigations, not civil litigation
● Violation can lead to penalties of a minimum of $1,000, actual damages and attorneys’ fees
● One important exception is if there is probable cause to believe that a reporter has committed or is in the process of committing a crime (but not if the only crime is possession, receipt or communication of the work product itself).
Module 13: National Security and Privacy
Foreign Intelligence Surveillance Act of 1978 (FISA) –
● Establishes standards and procedures for use of electronic surveillance to collect ‘foreign intelligence’ within the US by the President and AG
● Allows for exceptions to ordinary wiretaps as highlighted by the fourth amendment in matters of national security
● Pen Register/Trap and Trace: record of incoming / outgoing calls to a particular number.
● National Security Letters (NSLs) – Subpoena for financial or communication records of an agent of a foreign power, per FBI approval.
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT Act).
● Provides broader surveillance of international terrorist groups that are not strongly tied to foreign governments (e.g. Al Qaeda).
● Addresses advances in technology since the FISA act
● Wiretaps can be used more often and with more flexibility
● Pen Registers / Trap and Trace – Expanded to include dialing, routing, addressing or signaling information from a device.
● National Security Letters (NSLs) – Any organization can be subject to a request for records without judicial involvement
o Recipients can petition to modify or set aside an NSL due to compliance being unreasonable or oppressive.
● Section 215 – Federal court orders can require production of “any tangible thing” for defined foreign intelligence and anti-terrorism investigations.
o Tangible thing broadly defined – can be books, recordings, papers, documents, etc.
o Recipients of orders are forbidden to disclose that an order has been received except to necessary personnel and/or attorneys.
FISA Amendment Act of 2008
● Provides legal authorization to new surveillance practices
● Requires more reporting to congress
● Grants immunity to telephone companies for records provided to the government post 9/11
● Section 702
o Authorizes access to the communications of targeted individuals for foreign intelligence purposes
o Must have foreign intelligence purpose and reason to believe that the subject is a non-US citizen
o Provides access to full content of the communication
Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 (USA FREEDOM ACT)
● Prohibits Pen Registers / Trap and Trace order for bulk collection under the Section 215 programs.
o Requests must be based on specific selectors.
● Government issues yearly transparency reports of FISA orders and NSLs.
● Targeted warrants from the FISA court are needed in order to collect phone metadata from telecommunications companies
Module 14: Civil Litigation and Privacy
Release of court records:
● Publicly available records include:
o Birth records
o Death records
o Professional and business licenses
o Real estate ownership and appraisal records
o Voter registration records
● Materials submitted to the court during trial are publicly available, including documents and exhibits.
● Annual conferences in Williamsburg, VA, address the issues of privacy and public access to records
Protecting Publicly Available Information:
Protective Orders – A judge decides what information should and should not be made public and what conditions apply to who may access the information, via the three-part test below:
Resisting party must show the information to be confidential
Requesting party must show the information is relevant
Weigh out harm of disclosure versus need for information
Redaction – The practice of identifying and removing or blocking information from documents being produced pursuant to a discovery request or entered as evidence in a court proceeding.
Last four of SSN/ID
Year of birth
Initials only for minors
Last four digits of financial account number
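The four redaction rules above, applied by a small helper. This is an added example, not part of the original notes or any court’s tooling; the record field names (name, is_minor, ssn, dob, account_number, narrative) and the ISO date format are assumptions.

```python
"""Redaction helper for the four court-filing rules in these notes:
SSN -> last four, date of birth -> year only, minors -> initials only,
financial account number -> last four digits.

Assumptions (not from the notes): party records are dicts with the field
names used below; dates of birth are ISO 'YYYY-MM-DD'; an 'is_minor' flag
marks parties whose names must be reduced to initials.
"""
import re
from datetime import date

# A nine-digit SSN, with or without separators, e.g. 123-45-6789.
_SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def redact_ssn(ssn: str) -> str:
    """Keep only the last four digits of an SSN: XXX-XX-6789."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must have nine digits")
    return f"XXX-XX-{digits[-4:]}"


def redact_dob(dob: str) -> str:
    """Keep only the year of birth from an ISO date string."""
    return str(date.fromisoformat(dob).year)


def initials(full_name: str) -> str:
    """Reduce a name to initials, e.g. 'Jane Q. Doe' -> 'J.Q.D.'."""
    parts = [p for p in re.split(r"\s+", full_name.strip()) if p]
    return "".join(p[0].upper() + "." for p in parts)


def redact_account(number: str) -> str:
    """Keep only the last four digits of a financial account number."""
    digits = re.sub(r"\D", "", number)
    if len(digits) < 4:
        raise ValueError("account number too short")
    return "X" * (len(digits) - 4) + digits[-4:]


def redact_free_text(text: str) -> str:
    """Apply the SSN rule to SSN patterns embedded in free text
    (e.g. a transcript). Only SSNs are matched here; account numbers
    in free text are not pattern-matched to avoid false positives."""
    return _SSN_RE.sub(lambda m: f"XXX-XX-{m.group(3)}", text)


def redact_record(record: dict) -> dict:
    """Return a redacted copy of a party record; the input is not changed."""
    out = dict(record)
    if "ssn" in out:
        out["ssn"] = redact_ssn(out["ssn"])
    if "dob" in out:
        out["dob"] = redact_dob(out["dob"])
    if "account_number" in out:
        out["account_number"] = redact_account(out["account_number"])
    if out.get("is_minor") and "name" in out:
        out["name"] = initials(out["name"])
    if "narrative" in out:
        out["narrative"] = redact_free_text(out["narrative"])
    return out


# Constructed sample filing (not real data).
SAMPLE = {
    "name": "Jane Q. Doe",
    "is_minor": True,
    "ssn": "123-45-6789",
    "dob": "2010-03-14",
    "account_number": "4111 1111 1111 1111",
    "narrative": "Witness stated her SSN was 987 65 4321 on the form.",
}

if __name__ == "__main__":
    for key, value in redact_record(SAMPLE).items():
        print(f"{key}: {value}")
```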
E-Discovery
Electronically stored information (ESI) includes:
Email
Word processing docs
Databases
Web pages
Server logs
Instant messaging transcripts
Voicemail systems
Social network records
Thumb drives
MicroSD cards
Data Retention Program
Sedona Conference – Source of standards and best practices for managing electronic discovery compliance through data retention policies. Four key guidelines for retention:
▪ Administered by interdisciplinary teams
▪ Teams should continually develop understanding of policies and procedures
▪ Teams should have a consensus on policies while considering industry standards
▪ Technical solutions should parallel the functional requirements of the organization
US Discovery - request for information requires broad preservation, collection and production, whereas foreign laws emphasize the protection of personal data and the fundamental rights of privacy.
Hague Convention on the Taking of Evidence – May be invoked to avoid transborder data production. Requesting party must demonstrate why it must be used.
Module 15: Legal Overview of Workplace Privacy
No overarching federal privacy laws over workplace privacy.
Constitutional Privacy provisions only impact federal workplace, do not affect private-sector employment
The Fourth Amendment has been interpreted to place limits on government employers’ ability to search employees’ private spaces, such as lockers and desks.
Laws over workplace privacy:
Contract Law:
US law views the relationship between employee and employer as a matter of contract law
Employment is ‘at will’ but employee/employer contracts can alter the rules
Union contracts can also impact agreements between employee/employer
Tort Law:
To enforce tort law, US law generally requires a fairly egregious fact pattern before imposing liability on the employer
“Intrusion upon seclusion” – intentional intrusion into privacy
“Publicity given to private life” – public sharing of private information
Defamation – sharing false or defamatory information publicly
Statutes vary enormously from state to state
US has multiple privacy laws that impact privacy:
Civil Rights Act of 1964 (Title VII) – bars discrimination in employment due to race, color, religion, sex and national origin
Pregnancy Discrimination Act of 1978 – bars discrimination due to pregnancy, childbirth and related medical conditions
Americans with Disabilities Act 1990 (ADA) – bars discrimination against qualified individuals with disabilities.
Age Discrimination Act bars discrimination against individuals over 40 years old (yikes! Almost there)
Equal Pay Act of 1963 bars wage disparity based on gender
Genetic Information Nondiscrimination Act of 2008 (GINA) bars discrimination based on an individual’s genetic makeup.
US Federal laws that oversee employee benefit management -
Health Insurance Portability and Accountability Act (HIPAA)
Consolidated Omnibus Budget Reconciliation Act (COBRA) – Requires qualified health plans to provide continued coverage of certain benefits after termination.
Employee Retirement Income Security Act (ERISA) – Ensures employee benefits programs are created fairly and administered properly
Family and Medical Leave Act (FMLA) – entitles certain employees to unpaid leave in the event of birth or illness of self or a family member.
Multiple Federal Agencies Protect Employee Privacy:
US Department of Labor – Administers multiple laws including the Fair Labor Standards Act (FLSA), Occupational Safety and Health Act (OSHA) and Employee Retirement Income Security Act (ERISA)
Equal Employment Opportunity Commission (EEOC) – Works to prevent discrimination in the workplace, and oversees laws including Title VII of the Civil Rights Act, the Age Discrimination in Employment Act (ADEA) and Titles I and V of the Americans with Disabilities Act (ADA).
Federal Trade Commission (FTC) – Regulates unfair and deceptive practices. Enforces Fair Credit Reporting Act (FCRA), which limits employers’ ability to receive an employee’s or applicant’s credit report, driving records, criminal records and other reports.
Consumer Financial Protection Bureau (CFPB) – Oversees relationship between consumers and providers of financial products and services.
National Labor Relations Board – Administers National Labor Relations Act, and conducts elections to determine if employees want union representation and investigates and remedies unfair labor practices by employers and unions.
Individual State Agencies (Department of Labor) – Oversees state labor laws, and conducts safety inspections of worker conditions.
Module 16: Privacy Before, During and After Employment
Before:
Background Checks – EEOC cautions employers to ensure screenings are job related
Fair Credit Reporting Act (FCRA) – Regulates how employers can perform background checks
▪ Requires written notice to and consent from the applicant
▪ Must obtain data from a qualified CRA
▪ Prior to adverse action, give notice and copy of report to applicant for dispute
▪ Provide adverse action notice.
▪ Civil and criminal penalties for noncompliance
Antidiscrimination Laws – Affect how interviews and background screenings are conducted
ADA –
▪ If a medical exam is required as a condition of being hired, ALL employees must go through the exam, and results must be used in accordance with antidiscrimination practices.
▪ Employers must provide accommodations
▪ Employers cannot ask about prior illness and injuries or substance abuse and recovery
▪ Includes conditions that are mitigated, in remission or episodic
Wellness Programs –
▪ Employers should ensure these don’t become an avenue for discrimination
Biometric Data –
▪ Employers must give notice and obtain consent prior to collecting or disclosing biometric identifiers
▪ If used as a privacy or security identifier, could reveal protected biological information
During:
Employee Polygraph Protection Act of 1988 (EPPA)
Prohibits employers from using lie detectors and from taking adverse action on employees that refuse.
▪ Exceptions for some government employees, security services, controlled substance manufacturers, defense contractors, and national security functions
▪ Allowed with an ongoing investigation involving economic loss or injury to the employer’s business
Substance Use Testing – No federal privacy statute directly governs employer testing of employees for substances such as illegal drugs
Certain positions are required to be drug tested by federal law:
▪ US Customs and Border Protection
▪ Aviation
▪ Railroading and trucking industries
Video Monitoring – Federal and state law regulate workplace surveillance
Recordings without sound are outside the scope of these statutes
Federal Law generally does not limit video, but some state statutes may.
Communication Monitoring –
Electronic Communications Privacy Act of 1986 (ECPA) – Prohibits the interception of wire communication (including phones), unless a party has given consent or it is done in the regular course of business (e.g. Firstsource)
Stored Communications Act (SCA) –
▪ US federal law prohibits opening of another’s mail unless it is business mail being opened by a representative of the business
▪ Geolocation Data – monitoring of location of a business’s vehicles is allowed if for business during work hours and drivers have been informed.
Social Media Monitoring –
▪ Can use social media to inform business decisions, but must not violate current antidiscrimination laws
▪ Employers should not require access to employees’ private networks as a condition of employment (future or current)
Consumerization of Information Technology (COIT) –
▪ BYOD – Should prohibit employees from transferring company data to personal devices
Investigations – FACTA states that employers don’t need to inform employees that an outside organization is conducting an investigation.
After
Record Retention –
Retain HR Records for reference, benefit and pension inquiries, address health and safety issues, legal proceedings, legal or regulatory requirements.
References
Balance reasons to provide references with the risk of a defamation suit
A “qualified privilege” allows employers to report their experiences with and impressions of the employee, which helps in defending against defamation lawsuits.
Module 17: State Data Security Laws
HIPAA has a breach component for medical information
GLBA has a breach component for financial information
FTC uses Section 5 to take enforcement against companies that misrepresent their infosec practices.
State laws are more direct:
California AB 1950 (2004) –
Applies to organizations holding personal information of California residents
Requires “Reasonable” security controls
▪ Does not provide guidance for what that is
▪ California AG 2016 report identifies the Center for Internet Security’s Security Controls as minimal level of compliance
Obligates any third party processors or subcontractors to provide similar security protections
Excludes publicly available information or data that is encrypted
Massachusetts state security law, Mass 201 CMR 17 (2010) –
Considered the most prescriptive in the nation
Established detailed minimum security standards:
Comprehensive Data Security Programs in which a business must:
▪ Designate a specific individual responsible for information security
▪ Anticipate risks to personal information and take appropriate steps to mitigate
▪ Develop security program rules
▪ Impose penalties for employee rule violations
▪ Prevent access to personal data by former employees
▪ Contractually obligate third party service providers to maintain similar procedures
▪ Restrict physical access to records containing personal information
▪ Monitor effectiveness of the security program
▪ Review the program at least once a year and when business changes could impact security
▪ Document responses from incidents
Washington State Security Law, HB 1149 (2010)
Incorporates PCI DSS to ensure the security of credit card transactions and related data.
Permits financial institutions to recover costs associated with the reissuance of credit cards and debit cards from large processors whose negligence in handling credit card data is the proximate cause of the breach
▪ Processors can avoid liability if personal data was encrypted at the time of the breach and/or if they had received PCI certification within the year prior to the breach
SSNs –
Most states have laws limiting business ability to use SSNs
CA prohibits businesses, state and local agencies from using SSNs for many purposes, and bans businesses from requiring customers to transmit SSNs over an unencrypted connection.
Data Destruction Laws –
32+ states have them. Commonly they address:
Who law applies to
Required notice
Exemptions
Covered media
Penalties
Module 18: Data Breach Notification Rules
All states and Puerto Rico have a law.
o Formal definitions of Personal Information are consistently:
o First name or initial and last name in combination with any one or more of:
▪ SSN
▪ Driver’s License #
▪ State ID Card
▪ Account number, Debit Card Number, Credit Card number in combination with:
● Any required financial account security code
● Access code
● Password
o Some states go further:
▪ Includes usernames and email addresses when combined with information allowing access to a user’s online account (Illinois HB 1260)
▪ Includes medical and healthcare information (AR, CA, FL, IL, MO, MT, NV, NH, ND, OR, RI, TX, VA, WY)
▪ Applies to any federal or state identification numbers (CT, OR, WI, WY)
▪ Includes unique biometric data (CT, IL, IA, NE, NM, NC, OR, WI, WY)
▪ Lists a DNA profile (WI)
▪ Includes tax information and work-related evaluations (PR)
▪ Includes mother’s maiden name, employee number and digital signature (ND)
▪ Lists both computerized records and written material, though most states apply only to computerized data
Covered entity - Any person who conducts business in this state and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information.
Some states limit this to businesses that conduct business in that state.
GA law applies only to “information brokers”
Security Breach - Unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable
• CA law states that a “breach of the security of a system” occurs when there is unauthorized acquisition of the personal information that “compromises the confidentiality, security or integrity” of the information
• FL law requires the compromised information to be “material”
• KS and SC law define “breach” to be an event that causes (or is likely to cause) identity theft or other material harm
• TN law states that an “unauthorized person” extends to include an employee of the information holder who obtained the information and used it unlawfully (Tennessee SB 2005)
• MA law (HB 4806) states consumers shall receive notice provisions in the event of a breach of security, including the right to obtain police reports, steps for requesting a security freeze, and various mitigation services
Notification must be provided to state residents whose personal information is believed to have been compromised.
• All state laws regarding data breaches require third-party notification
• Notification to the attorney general (AG) within a specified time period
• 24 hours of detection (ID); five business days (IL); for a medical information breach, the Department of Health Services within five days (CA, IA); 10 days (LA); 10 days to the Puerto Rico Department of Consumer Affairs (PR); 30 days (FL); when residents are notified (CT, MT, WA); prior to notifying subjects (MD, NJ, NY); after notifying subjects (VT)
• Minimum number affected threshold
• 250 state residents (ND, OR); 500 state residents (CA, RI); 1,000 state residents (HI, MO, SC, VA)
• Notification to Credit Reporting Agencies (CRAs) minimum numbers affected
• 500 state residents (MN); 1000 state residents (AK, CO, DC, FL, HI, IN, KS, KY, ME, MD, MI, MO, NV, NJ, NC, OH, OR, PA, SC, TN, VT, VA, WV, WI); 1000 residents of any state (ME, NH); 5000 state residents (NY); 10,000 state residents (GA); 10,000 state residents or residents of states lacking such laws (TX); entities to coordinate with CRA (MT)
Must notify without unreasonable delay / in the most expeditious time possible:
• Laws recognize the need for the affected entity to conduct a “reasonable investigation in order to determine the scope of the breach and to restore the reasonable integrity of the data system” (LA Rev. Stat. §§ 51:3071, https://legis.la.gov/Legis/Law.aspx?d=322030)
• Laws specify an expeditious time limit of 45 days (FL, NM, OH, RI, TN, VT, WA, WI)
• For most states, “a reasonable period of time” is allowed if a law enforcement agency determines that the notification will impede a criminal investigation and that such law enforcement agency has made a request that the notification be delayed
How to notify:
• Written notice
• Telephone
• Email
• Conspicuous posting
• Major state-wide media
• Written notice to the data subject is always required first
• Telephonic and electronic messages are alternatives only if the data subject has previously chosen one as the preferred communication method
• Substitute notification methods for undue financial burden
• “Substitute notice shall consist of the following: (A) Electronic mail notice when the person, business or agency has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the web site of the person, business or agency if the person maintains one; and (C) notification to major state-wide media, including newspapers, radio and television.” (CT)
• AGs and regulators may be notified via letter or email
• Specific online forms must be used for this reporting (CA, NY, NC)
• CRAs have established email addresses to receive breach notification reports
Exceptions:
• Subject to more stringent laws such as HIPAA and GLBA
• Breach notifications already in place
• Safe harbor for encrypted, redacted, unreadable or unusable data
• Most states exempt organizations from notification if data was encrypted when lost
• Motivates many organizations to use encryption to protect data
• In the wake of recent massive data breaches, this safe harbor approach to encrypted data is being re-examined by some states
• Tennessee SB 2005: Requires breach notification regardless of encryption. Encrypted data must receive the protection of safe harbor, unless the encryption key is also acquired in the breach.
• California AB 2828: Requires notice that a breach occurred related to 1) Both encrypted data and the encryption key or 2) Encrypted data when the business has a reasonable belief that the encryption key or security credentials can be obtained by the hacker.
• Massachusetts Personal Information Security Regulation: All parties that own or license PI of MA residents must encrypt all PI stored on devices and sent via wireless transmissions.
Penalties:
Some states specify penalties for data breaches:
• AG has exclusive authority to bring an action to obtain actual damages for a willful and knowing violation of this section and may seek a civil penalty not to exceed $150,000 per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation (MO)
• Specify civil penalties (LA, MI, RI, TX, VA)
• Grant a private right of action to individuals harmed by disclosure of PI to recover damages (AK, CA, DC, LA, MD, MA, NV, NH, NC, OR, SC, TN, TX, VA, WA)