CIPP/US – Flashcard
Unlock all answers in this set
Unlock answersquestion
Access
answer
The ability to view personal information held by an organization. This may be supplemented by allowing updates or corrections to the information. U.S. laws often provide for access and correction when the information is used for any type of substantive decision making, such as for credit reports.
question
Americans with Disabilities Act (ADA)
answer
Bars discrimination against qualified individuals with disabilities; places restrictions on pre-employment medical screening.
question
Consumer Financial Protection Bureau (CFPB)
answer
Has enforcement power for unfair, deceptive or abusive acts and practices for financial institutions.
question
Choice
answer
The ability to specify whether personal information will be collected and/or how it will be used or disclosed. Choice can be express or implied.
question
Common Law
answer
Legal principles that have developed over time in judicial decisions (case law), often drawing on social customs and expectations.
question
Consent Decree
answer
A judgment entered by consent of the parties (a federal or state agency and an adverse party) whereby the defendant agrees to stop alleged illegal activity, typically without admitting guilt or wrongdoing.
question
Consumer Reporting Agency (CRA)
answer
Any person or entity that complies or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.
question
Data Breach
answer
The intentional or unintentional release of secure information to an untrusted environment.
question
Data Classification
answer
Defines the clearance of individuals who can access or handle a given set of data, as well as the baseline level of protection that is appropriate for that data.
question
Deceptive Trade Practices
answer
Along with unfair trade practices, behavior of an organization that can be enforced against by the FTC.
question
Defamation
answer
Any act or communication intending to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.
question
Electronic Discovery (e-discovery)
answer
Discovery in civil litigation dealing with the exchange of information in electronic format, often requiring digital forensics analysis.
question
Electronically Stored Information (ESI)
answer
A category of information that can include e-mail, word-processing documents, server logs, instant messaging transcripts, voicemail systems, social networking records, thumb drives, or data on SD cards.
question
Equal Employment Opportunity Commission (EEOC)
answer
A federal agency overseeing many laws preventing discrimination in the workplace, include Title VII of the Civil Rights Act, the Age Discrimination in Employment Act of 1967 (ADEA) and Titles I and V of the Americans with Disabilities Act of 1990 (ADA).
question
Evidentiary Privilege
answer
Privileges limiting or prohibiting disclosure of personal information in the context of investigations and litigation, such as attorney-client privilege.
question
Fair Credit Reporting Act (FCRA)
answer
Enacted in 1970 to regulate the consumer reporting industry and provide privacy rights in consumer reports, FCRA mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes.
question
Federal Trade Commission (FTC)
answer
An independent consumer protection agency governed by a chairman and four other commissioners with the authority to enforce against unfair and deceptive trade practices.
question
Global Privacy Enforcement Network (GPEN)
answer
Established in 2010 by the FTC and enforcement authorities from around the world, the GPEN aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.
question
Gramm-Leach Bliley Act (GLBA)
answer
Alo known as the Financial Services Modernization Act of 1999, GLBA is a United States federal law to control the ways that financial institutions deal with the private information of individuals.
question
Health Information
answer
Any information related to the past, present or future physical or mental condition, provision of health care or payment for health care for a specific individual.
question
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
answer
A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt-in before their information can be shared with other organizations - although there are important exceptions such for treatment, payment and healthcare operations.
question
National Labor Relations Board (NLRB)
answer
An independent agency of the United States government responsible for investigating and remedying unfair labor practices.
question
National Security Letter (NSL)
answer
A category of subpoena generally issued to seek records considered relevant to protect against international terrorism or clandestine intelligence activities.
question
Negligence
answer
The failure to exercise the care that a reasonably prudent person would exercise in like circumstances, leading to unintended harm.
question
Notice
answer
A description of an organization's information management practices, with the purposes of consumer education and corporate accountability.
question
Organisation for Economic Co-operation and Development (OECD)
answer
A multinational organization with the goal of creating policies that contribute to the economic, environmental, and social well-being of its member countries.
question
Personal Health Information (PHI)
answer
Any individually indentifiable health information with data elements which could reasonably be expected to allow individual identification.
question
Personal Health Record (PHR)
answer
A record maintained by the patient to track health and medical care information across a duration of time.
question
Preemption
answer
The ability for one government's laws to supersede those of another, such as federal law overriding individual state law.
question
Privacy Notice
answer
An external communication from an organization to consumers, customers or users to describe an organization's privacy practices.
question
Privacy Policy
answer
An internal standards document to describe an organization's privacy practices.
question
Private Right of Action
answer
The ability of an individual harmed by a violation of law to bring suit against the violator.
question
Privilege
answer
A rule of evidence that protects confidential information communicated between a client and legal advisor.
question
Protective Order
answer
A judge-issued determination of what information contained in court records should not be made public and what conditions apply to who may access the protected information.
question
Publicity Given to Private Life
answer
A tort claim that considers publicity given to an individual's private life by another is an invasion of privacy and subject to liability.
question
Qualified Protection Order (QPO)
answer
Under HIPAA, a QPO prohibits the use of disclosure of PHI for any purpose other than the litigation for which the information was requested; it also requires the return of PHI to the covered entity at the close of litigation.
question
Red Flags Rule
answer
Promulgated under FACTA, the Red Flags Rule requires certain financial entities to develop and implement identity theft detection programs to identify and respond to "red flags" that signal identity theft.
question
Redaction
answer
The practice of identifying and removing or blocking information from documents being produced pursuant to a discovery request or evidence in a court proceeding.
question
Sedona Conference
answer
A nonprofit research and educational institute responsible for the establishment of standards and best practices for managing electronic discovery compliance through data retention policies.
question
Stored Communications
answer
A category of data prohibited from unauthorized acquisitionn, alteration or blocking while stored in a facility through which electronic communications service is provided.
question
Substitute Notice
answer
Pursuant to breach notification laws, certain entities must provide for substitute notice of data breach in a situation where insufficient or out-of-date contact information is held.
question
Trust Marks
answer
Demonstration of compliance with self-regulatory programs by display of a seal, logo, or certification.
question
Unfair Trade Practices
answer
Along with deceptive trade practices, behavior of an organization that can be enforced against by the FTC.
question
Authentication
answer
The identification of an individual account user based on a combination of security measures.
question
Authorization
answer
After authentication, the proces of determining if the end user is permitted to have access to the desired resource, such as the information asset or the information system containing the asset.
question
Choice and Consent
answer
Organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information. Consent is often considered especially important for disclosures of personal information to other data controllers.
question
Comprehensive Model
answer
A method of data protection to govern the collection, use and dissemination of personal information in the public and private sectors, generally with an official or agency responsible for overseeing enforcement.
question
Confidentiality
answer
The obligation of an individual, organization or business to protect personal information and not misuse or wrongfully disclose that information.
question
Co-regulatory Model
answer
Used in Australia and New Zealand, this model emphasizes industry development of enforceable codes or standards for privacy and data protection, against the backdrop of legal requirements by the government.
question
Data Controller
answer
An organization that has the authority to decide how and why personal information is to be processed. The data controller may be an individual or an organization that is legally treated as an individual, such as a corporation or partnership.
question
Data Processor
answer
An individual or organization, often a third-party outsourcing service, that processes data on behalf of the data controller.
question
Data Protection Authority (DPA)
answer
An official, or body, who ensures compliance with the law and investigates alleged breaches of the law's provisions.
question
Data Subject
answer
The individual about whom information is being processed, such as the patient at a medical facility, the employee of a company, or the customer of a retail store.
question
EU Data Protection Directive
answer
The EU Directive was adopted in 1995 and became effective in 1998 and protects individuals' privacy and personal data use. The Directive recognizes the European view that privacy is a fundamental human right, and establishes a general comprehensive legal framework that is aimed at protecting individuals and promoting individual choice regarding the processing of personal data.
question
Habeas Data
answer
Constitutional guarantees that the citizenry may "have the data" archived about them by governmental and commercial repositories.
question
Privacy Impact Assessment (PIA)
answer
Checklists or tools to ensure that a personal information system is evaluated for privacy risks and designed with life cycle principles in mind. An effective PIA evaluates the sufficiency of privacy practices and policies with respect to legal, regulatory and industry standards, and maintains consistency between policy and practice.
question
Sectoral Model
answer
This framework protects personal information by enacting laws that address a particular industry sector.
question
Sensitive Personal Information
answer
That which is more significantly related to the notion of a reasonable expectation of privacy. One's medical or financial information is often considered sensitive personal information (SPI), but other types of personal information might be as well.
question
Opt In
answer
Opt in means an individual actively affirms that information can be shared with third parties (e.g., an individual checks a box stating that she wants her information to go to another organization).
question
Opt Out
answer
Opt out means that, in the absence of action by the individual, information can be shared with third parties (e.g., unless the individual checks a box to opt out, her information can go to another organization).
question
What are the four phases of privacy program development?
answer
1. Discover - Issue identification - Identify best practices - Perform PIA 2. Build - Procedure development and identification - Full implementation 3. Communicate - Documentation (Training and Awareness) 4. Evolve - Affirmation and Monitoring - Adaptation
question
What are the elements of data sharing and transfer?
answer
1. Data inventory 2. Data classification 3. Data flows 4. Accountability
question
What are the four elements of privacy policies and disclosure?
answer
1. How many policies? 2. Policy review and approval 3. Privacy notice 4. Policy version control
question
What are the six phases of privacy incident response programs?
answer
1. Detection 2. Prevent further activity 3. Investigation 4. Notice 5. Review 6. Corrective actions
question
What are the three elements of data subject preference and access
answer
1. Opt-in, opt-out, no option 2. Managing preferences 3. Access and redress
question
What are the two elements of vendor management?
answer
1. Contracts - Confidentiality - No further use - Subcontractors - Breach disclosure - Information security 2. Due diligence - Reputation - Financial condition, insurance - Information security - Point of transfer - Disposal - Training and user awareness - Incident response
question
Which branch of the U.S. Federal Government makes laws?
answer
Legislative
question
Where is privacy mentioned in the U.S. Constitution?
answer
It's not. Usually privacy falls under the 4th amendment.
question
What federal agency is the most active in enforcing privacy rights?
answer
FTC
question
How does punishment differ in civil and criminal cases?
answer
Civil punishments are compensation such as monetary and injunctive while criminal punishments include fine, incarceration, and death.
question
When an FTC investigation finds a company guilty of violating privacy, what are its two recourses?
answer
1. Administrative trial 2. Consent decree
question
What was the basis of the FTC's findings against BJ's Wholesale Club?
answer
Unfair practices because private data was not encrypted during transmission
question
What are the six questions you should ask in understanding a law?
answer
1. Who is covered by this law? 2. What types of information and what uses of information are covered? 3. What exactly is required and/or prohibited? 4. Who enforces the law? 5. What happens if I don't comply? 6. Why does this law exist?
question
Define civil litigation
answer
Disputes between individuals and/or organizations
question
Define criminal litigation
answer
Legal punishment of criminal offenses
question
Who initiates civil litigation?
answer
Private party
question
Who initiates criminal litigation?
answer
Government
question
What is the burden of proof for civil litigation?
answer
Preponderance of evidence
question
What is the burden of proof for criminal litigation?
answer
Reyond a reasonable doubt
question
List the five theories of legal liability
answer
1. Negligence - absence of, or failure to exercise, proper or ordinary care. 2. Breach of Warranty - failure of a seller to fulfill the terms of a promise, claim, or representation. 3. Misrepresentation - false security about the safety of a particular product. 4. Defamation - an untruth about another which untruth will harm the reputation of the person defamed (wrtten defamation is libel; oral defamation is slander). 5. Strict tort liability - extending the responsibility of the vendor or manufacturer to all individuals who might be injured by the product.
question
What does article 5 of the FTC Act declare unlawful?
answer
unfair or deceptive acts or practices in or affecting commerce.
question
What is Children's Online Privacy Protection Act of 1998 (COPPA)?
answer
1. Regulates collection and use of children's information by commercial website operators. 2. Compels website owners to adhere to specific notice and choice practices. 3. Applies to websites and services targeted to children under 13.
question
Who handles the enforcement of COPPA?
answer
FTC
question
Who handles the enforcement of CAN-SPAM?
answer
FTC
question
What does the FTC consider a deceptive practice?
answer
Saying one thing and completely going against it
question
What does the FTC consider an unfair practice?
answer
When reasonable practice are not being followed
question
What does the "Consumer Privacy Bill of Rights" emphasize?
answer
1. Privacy by Design 2. Simplified choice 3. Transparency
question
What does the "Consumer Privacy Bill of Rights" prioritize?
answer
1. Do not track 2. Mobile 3. Large platform providers 4. Enforceable self-regulation
question
What are the three goals of APEC Cross-border Privacy Enforcement Arrangement (CPEA)
answer
1. Facilitate information sharing 2. Promote effective cross-border cooperation 3. Encourage information sharing and investigative/enforcement cooperation
question
What are the three components of self-regulatory enforcement?
answer
1. Legislation - Who determines the rules? 2. Enforcement - Who initiates actions? 3. Ajudication - Who decides if something is in violation?
question
What does HIPAA require?
answer
Covered entities to protect health information that is transmitted or maintained in any form or medium
question
List the three HIPAA covered entities
answer
1. Healthcare providers that conduct transactions in electronic form 2. Health insurers 3. Health clearinghouses
question
Does HIPAA preempt stronger state laws?
answer
No
question
Who enforces HIPAA?
answer
The U.S. Department of Health & Human Services (HHS)
question
What are the punishments for non-compliance of HIPAA?
answer
Fines up to $250K and/or 10 years imprisonment
question
What are the elements of the HIPAA Privacy Rule?
answer
1. Privacy notice 2. Authorizations for use and disclosure 3. "Minimum necessary" use and disclosure 4. Access and accounting of disclosures 5. Safeguards 6. Accountability 7. De-identification 8. Research 9. Other exceptions (law enforcement investigations)
question
What are the elements of the HIPAA Security Rule?
answer
1. Confidentiality, integrity and availability of ePHI 2. Protection against threats to ePHI 3. No unreasonable uses or disclosures of information not required under the Privacy Rule
question
Health Information Technology for Economic and Clinical Health, 2009 (HITECH)
answer
1. Enacted as a part of the American Recovery and Reinvestment Act of 2009. 2. Amends HIPAA - Regulates personal health records (PHR) - Covered entities and PHR vendors must provide breach notification to consumers, HHS and FTC - Extends HIPAA safeguard and breach notice requirements to business associates - Increased penalties for non-compliance - Provides state attorneys general with enforcement authority
question
The Genetic Information Nondiscrimination Act of 2008 (GINA)
answer
1. Addresses potential abuses based on genetic information in the absence of the manifestation of a condition 2. Amends federal healthcare and employment-related laws - ERISA - Social Security Act - Civil Rights Act - Public Service Health Act - HIPAA 3. Empowers government enforcement 4. Creates review commission in 2014 5. Applies prohibitions to health insurance providers
question
The Fair Credit Reporting Act of 1970 (FCRA)
answer
1. Accurate and relevant data collection required 2. Consumers can access and correct information 3. Limitation on use of credit reports
question
Who does the FCRA apply to?
answer
Consumer Reporting Agencies (CRA)
question
Who enforces the FCRA and what are the punishments?
answer
Enforced by the FTC and state attorneys general and non-compliance leads to civil and crimal penalties and fines
question
The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
answer
1. Amends FCRA, preempting state laws 2. Requires truncation of credit and debit card numbers 3. Consumers have rights to explanation of credit score 4. Free annual credit report 5. Opt-out for marketing 6. The Disposal Rule 7. The Red Flags Rule
question
The Financial Services Modernization Act of 1999 - "Gramm-Leach-Bliley" (GLBA)
answer
1. GLBA Privacy Rule - Initial and annual privacy notice required - Provide right to opt out - No disclosure of account numbers to third parties - Comply with regulatory standards 2. GLBA Safeguards Rule - Administrative Security - Technical Security - Physical Security
question
What are the three categories of security that span multiple regulations?
answer
1. Administrative 2. Technical 3. Physical
question
Dodd-Frank Wall Street Reform and Consumer Protection Act (2010)
answer
1. Created the Consumer Financial Protection Bureau (CFPB) within the Federal Reserve 2. Oversees the relationship between consumers and providers of financial products and services 3. Can enforce against "abusive acts and practices"
question
Family Educational Rights and Privacy Act of 1974 (FERPA)
answer
1. Places control over disclosure and access to educational records (with exceptions) 2. Provides students right to access and correct education records 3. Applies to all educational institutions that receive federal funding.
question
Protection of Pupil Rights Amendment 1978 (PPRA)
answer
1. Extended protections to parents of minors relative to surveys collecting sensitive information 2. Applies to all elementary and secondary schools receiving federal funding
question
No Child Left Behind Act 2001 (NCLB)
answer
1. Broadened PPRA survey restrictions - Enact policies - Parental review of surveys prior to use - Advance notice - Opt out
question
FTC Telemarketing Sales Rule (TSR) Telephone Consumer Protection Act of 1991 - FCC regulations
answer
1. Who can be called? - Prohibits calls to cell phones - U.S. National Do Not Call Registry 2. Rules governing calls - 8am - 9pm as one example 3. Call abandonment 4. Unathorized billing 5. Record keeping 6. Robocall rules (2012) 7. Does not preempt state law
