Four types of privacy: information, bodily, territorial, comms
FIPPs codifications: Dept of HEW FIPP, OECD, 1981 EU Conv, APEC Privacy Framework, Madrid
Rights: notice, choice/consent, access
Info security and quality
Life cycle: collection, use/retention/disclosure
Management/Admin and Monitor/Enforce

United States Privacy Act

A. Structure of U.S. Law
Branches of Govt
Congress may delegate power to promulgate regs to federal agencies (FTC, CAN SPAM)
Agencies may operate under statutes that give them legislative, executive, and judicial auth
Sources of law
Constitutions - CA constitution = right to privacy
Legislation - 10th A reserved to states
Regs and Rules - Some agencies required to issue
Case law - stare decisis
Common law - via judicial decisions, social customs and expectations, special privilege rules
Contract law - offer, acceptance, consideration
Legal definitions
Jurisdiction - authority to hear
Person is entity with legal rights (natural and legal)
Preemption - supersede inferior government
Private right of action

B. Enforcement
Federal Criminal
· DOJ sole fed agency - criminal action, jail and fines
· HIPAA both civil and criminal enforcement
Civil enforcement - use courts for private right of action: FCRA, JFPA, VPPA, Cable Comm, invasion of privacy
Federal Administrative actions - agency action per statute
· basic rules under Administrative Procedure Act (APA).
· FTC = general field authority, COPPA = specific
· Often use consent decrees
State enforcement - similar UDAP statutes, some include “unconscionable” practices
· CAN SPAM allows state AG to enforce
· state common law privacy torts
· contract, when physician, financial institution breaches promise of confidentiality and causes harm
· CA AG privacy task force, app platform providers
Other Regulatory Authorities
HIPAA: HHS (shared with FTC)
GLBA: Federal Reserve, Office of Comptroller of Currency
Education: FERPA
Tele/Marketing: FTC and FCC under TCPA
ADA, discrimination statutes: EEOC
DoS, DoC, DoT, FAA (drones)
NHTSA (connected cars)
OMB (Privacy Act of 1974) FIPs
IRS (tax records)
FinCEN (money laundering)
DHS (E Verify), ICE
State AGs
Self regulatory programs and trust marks
Understanding laws (scope and application, analyzing, determining jurisdiction, preemption)
Theories of Liability
Tort (intentional, negligent, strict liability). Privacy:
· intruding on seclusion
· public revelation of private facts
· interfering with person’s right to publicity
· casting person false light
subject to 1A
negligent failure to provide adequate safeguards: unsettled area of law
IP addresses not PI
But FTC said breaches of healthcare information, IP addresses are personal information
Self-regulation
Quasi regulatory
· Industry drafts code of conduct
· FTC enforces, adjudicates
PCI DSS does all three roles
· 3P assessment and detection
· Penalty is getting kicked out of CC systems, $$
Seal/Certification/trust mark
· COPPA authorized FTC to confirm cert program
· DAA icon and choices
· White House encourages self-regulation with consumer input. E.g. NTIA and telcos for drones
Cross border
Global Privacy Enforcement Network (GPEN) in 2010. Promote cross-border info sharing, investigation and enforcement cooperation w/ global privacy authorities
Asia-Pacific Economic Cooperation (APEC).
· framework to share info and evidence in cross-border investigations/enforcement in APAC
· CPEA mechanism to cooperate x-border enforcement
· FTC is a CPEA participant
Intl conflicts (CH 13 14)

C. Information management
Role of Privacy Professional
Manage risks consistent with company goals, ID areas where compliance is difficult, design policies to close gaps in policy vs. operations
Risks: legal, reputation, operational, investment
Four steps: discover, build, communicate, evolve
Data sharing and Transfers
Inventory - collect, store, use or disclose, customer and EE, data location/flow, how/when/who, transfer means
· Mitigate penalties, Required under GLBA Safeguards
Classification by level of sensitivity (restricted, public), who has clearance, level of protection
· segregate data
· helps compliance with sector specific laws, discovery
flow mapping to ID areas for attention
Accountability - retention policy, sensitivity, encryption?, intl transfer, who is controller/BA, define process steps, dependency on other systems (cloud)
Privacy Program Development
How many privacy policies? Consult legal and executives
Revisions - notify EEs, then current and past customers
Need opt-in for retroactive changes (FTC says unfair, even if changes are truthful)
notice accessible - online, post high traffic area, annual updates for FIs, training for EEs, CSRs
Policy version control - at least once a year
Managing User Preferences
Opt-In, Opt-Out. Failure = Sec 5 violation
· Not needed for “commonly accepted practices” - consumer orders a product online.
· internal ops, improving services, fraud prevention, legal compliance and first-party marketing
· concern with innovative services
Opt Ins: COPPA, HIPAA, FCRA
Opt Outs: GLBA transfer unA 3P
· VPPA video data to 3P
· CAN SPAM email, Do Not Call
· DMA (mail), NAI, DAA (digital)
Scope of choice, subject or channel
Mechanism - channel consistency
Link user’s interactions thru multiple channels
Time period to implement required by law?
3P vendors, must communicate preference to them
Customer Access and Redress
By Law under FCRA HIPAA FERPA
FIPs per OECD, APEC principles, GDPR
Judicial Redress Act 2015, non US person in civil action against US Govt, to access records
APEC = good baseline for when to give access
Find out whether PI held by controller
With sufficient proof of ID, get PI
within reasonable time, charge, manner; understandable;
challenge accuracy, rectify, complete, amend, delete
except where:
· burden or expense disproportionate to risks
· legal or security reasons, protect CI; or
· third person rights violated
reasons why and be able to challenge such denial
Contract and Vendor Management
K should have: CI provision, use limitation, subK, must notify of breach, infosec, effect of termination
Due Dili: reputation, financial condition, insurance, infosec controls, point of transfer security, disposal requirements, EE awareness, incident response, audit

D. Online Privacy (CH5)
Web Tech
HTTPS data txr over encrypted cxn
Hypertext transfer protocol (HTTP), how messages formatted and transmitted over a TCP/IP network
HTML markup language to render, dynamic links, doctags
XML markup language, big data
Firewall as web client for 2 step process
Proxy server, mask activity, block bad software, logs
VPN encrypts info
Web server log: IP address, date/time stamp, referring URL, browser type and OS
IP address = unique #
ISP assign IP address
IPv6, ID based on hardware interface of device
TCP reliable data connection
TLS security protocol, succeeded SSL
Javascript, XSS danger, DoS
CSS language
Flash, can’t delete cookies
Data Definitions
Pseudonymous data. Direct identifiers removed. Indirect identifiers remain
Deidentified data. Direct and indirect identifiers removed
Anonymous data. Direct and indirect identifiers removed or technically manipulated to prevent reidentification.
Blurring. Reduces precision of disclosed data to reduce the certainty of individual identification.
Masking. Masks the original values in a data set with the goal of data privacy protection.
Differential Privacy. Mathematical approach - risk to privacy is not substantially increased as part of database
Threats: unauth access, malware, phishing, spear phishing, social engineering; Technical: SQL injection, XSS
who gains access to data collected from the web
· 2 factor auth, password field in HTML
· Cookies suck for this
Industry standard is to encrypt in transit, TLS
authentication and protecting online identity
· password practice, antivirus software, firewall, wifi and Bluetooth interception, file sharing - limit accessible files, public computers and chargers
verification, certification of compliance with org policy
email security, follow CIA (confidentiality, integrity, avail)
· methods, remove HTML tags, scanning bad content
SPAM principles
· No false or misleading header information
· No deceptive subject lines
· Opt-out mechanism in each message
· Notification that message contains adv or promo
· Information about the sending organization
Info Sec (CIA)
Three: Physical, Administrative, Technical
Types of Data Breach Incidents
Unintended disclosure; Hacking or malware; Payment card fraud, skimming devices; Insider; Physical loss paper documents; Portable device, Stationary device
Incident Management for Data Breaches
Four steps
· 1. Determine if breach occurred, difficult to detect
· 2. Containment and analysis
° Recover lost data
° Ask recipient of misdirected data
° Network intrusion, shut down
° Forensics, audit
· 3. Notify affected parties
° Info re: risks, how to mitigate
· 4. Follow up, adapt
OMB guidance to Fed agencies:
· Designate breach response team
· ID privacy compliance documentation
· Share info to understand extent of the breach
· Determine what reporting is required
· Assess and mitigate risk of harm for individuals
· Notify individuals affected
OMB also focused on contracts with vendors: provide training to EEs, encrypt PII, report breaches, cooperate
Mobile privacy
Concerns re: LBS, smart watches, health data, biometrics
Children’s Privacy
COPPA, DOPPA for teens, CCPA for teens
Web privacy notice. TrustArc recommends:
Say what the organization does and do what is stated
Tailor disclosures to actual business operations
Do not treat privacy statements as disclaimers
Revisit privacy statement frequently
Communicate these privacy practices to entire company
Layered notices, increased use
Mobile Privacy notice
FTC best practices for platforms, ad networks, app developers, app developer networks
include “privacy by design (PbD)” or even privacy by default, transparency, simplification of consumer choices
Desktop app with web interfaces
Privacy by design approach
Financial software: GAO advised segregate duties, disaster recovery
· maintain reasonable security
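A worked illustration of the data definitions given above (pseudonymous, deidentified, blurring, masking, differential privacy), added here as example code that is not part of the original notes; the record fields, the split into direct and indirect identifiers, the HMAC-based pseudonym scheme and the Laplace-mechanism count are assumptions made for the example.

```python
import hashlib
import hmac
import math
from typing import Callable, Dict, List

# Constructed sample records for illustration only (not real people).
# Field names, and which fields count as "direct" vs "indirect" identifiers,
# are assumptions for this example. "dx" stands for diagnosis.
RECORDS: List[Dict[str, str]] = [
    {"name": "Ada Example", "email": "ada@example.com", "ssn": "123-45-6789",
     "zip": "94110", "dob": "1987-03-14", "card": "4111111111111111", "dx": "flu"},
    {"name": "Bob Sample", "email": "bob@example.com", "ssn": "987-65-4321",
     "zip": "94112", "dob": "1979-11-02", "card": "5500000000000004", "dx": "flu"},
    {"name": "Ada Example", "email": "ada@example.com", "ssn": "123-45-6789",
     "zip": "94110", "dob": "1987-03-14", "card": "4111111111111111", "dx": "asthma"},
]
DIRECT = ("name", "email", "ssn", "card")   # identify a person on their own
INDIRECT = ("zip", "dob")                    # identify only in combination


def pseudonymize(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Pseudonymous data: direct identifiers replaced by a keyed HMAC token.
    Records of the same person stay linkable, and the indirect identifiers
    remain, so this is still personal information; the key is the
    re-identification secret and must be stored separately from the data."""
    out = []
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"subject": token, **{k: v for k, v in r.items() if k not in DIRECT}})
    return out


def deidentify(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """De-identified data: direct and indirect identifiers both removed."""
    return [{k: v for k, v in r.items() if k not in DIRECT + INDIRECT} for r in records]


def blur(record: Dict[str, str]) -> Dict[str, str]:
    """Blurring: reduce precision (ZIP3, birth year) so the indirect
    identifiers describe a group rather than one individual."""
    b = dict(record)
    b["zip"] = record["zip"][:3] + "**"
    b["dob"] = record["dob"][:4]
    return b


def mask(value: str, keep: int = 4, ch: str = "*") -> str:
    """Masking: overwrite the original characters, keeping only the last `keep`."""
    return ch * (len(value) - keep) + value[-keep:]


def laplace_from_uniform(scale: float, u: float) -> float:
    """Inverse-CDF Laplace draw for a uniform u in (0, 1); u = 0.5 gives zero noise.
    Written this way so results are reproducible here; a real deployment draws
    u from a cryptographically secure RNG (e.g. secrets.SystemRandom)."""
    if not 0.0 < u < 1.0:
        raise ValueError("u must be strictly between 0 and 1")
    d = u - 0.5
    return -scale * math.copysign(1.0, d) * math.log(1.0 - 2.0 * abs(d))


def dp_count(records: List[Dict[str, str]], predicate: Callable[[Dict[str, str]], bool],
             epsilon: float, u: float) -> float:
    """Differential privacy (Laplace mechanism): a count has sensitivity 1, so adding
    Laplace(1/epsilon) noise bounds how much any one record can change the answer."""
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_from_uniform(1.0 / epsilon, u)
```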
Third Party
Syndication, XSS
Web services, facilitate comms between computers
Cobranded sites
Web widgets, installed on another page
Online ad networks
Onward Transfers
Orgs that receive data: processor, distinct service like process payment, controller
FTC: onward transfer is responsibility of host website—not the third party
· Issued guidance, enforcement actions, Privacy Shield
Consumer: data contract, notify of transfer, opt out

E. Digital Advertising
Cookies small HTML file that web server places on the hard drive of a user’s computer
personal information if cookie linked to identified transaction with a user, CC purchase with user’s name
If CC purchase linked in company’s database with other cookie info all info is identifiable
GDPR, cookie = PI
Session cookie for shopping cart, chat session
First vs. 3P cookie, Flash cookie respawning problem
EU Cookie Directive
Opt in consent before cookies placed
ePrivacy cookies are personal data (so users must consent)
Web Cookies best practices:
Not store unencrypted PI
adequate notice of usage
Use persistent variation only if needed
Not set long expiration dates
Disclose third-party cookie provider
opt-out (or in Europe, an opt-in) mechanism
session, persistent, 1P, 3P, Flash cookie
Web Beacons clear gif set by browser or HTML email
Use w/ cookie to track, create profiles w/ web server logs
Online ad impression counting, monitor file download, ad campaign performance, opened email
Digital Fingerprinting
ID device from web server logs & fonts used computer
Used by banks to ask for additional auth
Q over what is sufficient notice
Search Engines
Tracking queries can ID person, religion
Encrypted searches, anonymize after time period
Virtual assistants as surveillance device
Social Networking
Inconsistent control mechanisms, still evolving
Desktop Ad Ecosystem
Supply, demand, ad exchanges
Mobile Ad Ecosystem
app-based usage, sandbox
Default mobile browser settings block third-party cookies
detailed location, GPS Bluetooth for targeted advertising
store map with MAC address database
Cross Device Tracking
Deterministic, predictive profiling
FTC report recommendations
· transparent
· choice about tracking
· companies refraining from cross-device tracking of sensitive topics (health, financial, children)

F. International Data Transfers
SCC, Derogation, Adequacy, Appropriate safeguards

G. Multinational Considerations
GDPR fundamental right to access and correct personal info about the data subject
conflict with discovery disclosure
employees in both continents
CLOUD, Hague last ditch
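A check of Set-Cookie headers against the web-cookie best practices listed under E. Digital Advertising above (no unencrypted PI, persistent only if needed, no long expiration), added here as example code that is not part of the original notes; the sample headers, the fixed reference time, the 365-day "long expiration" threshold and the PI patterns are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed Set-Cookie header values for illustration; no real site is involved.
SAMPLE_HEADERS = [
    "cart=opaque-session-id-7f3a; Path=/; Secure; HttpOnly",
    "prefs=lang%3Den; Path=/; Max-Age=2592000; Secure",
    "user_email=ada%40example.com; Path=/; Max-Age=63072000",
    "acct=123-45-6789; Path=/; Expires=Wed, 09 Jun 2027 10:18:14 GMT; Secure",
]

# Reference time fixed so the Expires check is reproducible (an assumption).
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
LONG_LIFETIME = timedelta(days=365)   # assumed "long expiration" threshold

# Plaintext PI patterns: an e-mail address (possibly percent-encoded) or an SSN-shaped value.
PI_PATTERNS = {
    "email": re.compile(r"[\w.+-]+(?:@|%40)[\w-]+\.[\w.-]+", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for p in parts[1:]:
        k, sep, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if sep else None
    return {"name": name.strip(), "value": value.strip(), **attrs}


def lifetime(cookie: Dict[str, Optional[str]], now: datetime = NOW) -> Optional[timedelta]:
    """None for a session cookie; otherwise how long the cookie persists from `now`.
    Max-Age takes precedence over Expires, as in RFC 6265."""
    if cookie.get("max-age") is not None:
        return timedelta(seconds=int(cookie["max-age"]))
    if cookie.get("expires") is not None:
        return parsedate_to_datetime(cookie["expires"]) - now
    return None


def audit(header: str, now: datetime = NOW) -> List[str]:
    """Return the best-practice findings for one Set-Cookie header."""
    c = parse_set_cookie(header)
    findings = []
    for label, pat in PI_PATTERNS.items():
        if pat.search(c["value"]):
            findings.append(f"{c['name']}: stores unencrypted PI ({label})")
    life = lifetime(c, now)
    if life is not None:
        # Persistent cookie: the notes say use the persistent variant only if needed.
        findings.append(f"{c['name']}: persistent cookie, justify need")
        if life > LONG_LIFETIME:
            findings.append(f"{c['name']}: expiration exceeds {LONG_LIFETIME.days} days")
    return findings
```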
II. Lim its on Private Sector
Cross-sector FTC Privacy Protection
A. Sec 5 of FTC Act. Unfair and deceptive trade practices UDTP …unfair methods of competition, Sec 6 investigate power
FTC Enforcement
Broad authority to investigate, subpoena, demand reports, admin trial before ALJ and enjoin
· Consent decree most used, avoid litigation
· Can appeal to 5 commish, then district ct
· FTC cannot assess civil penalties for violation, but can if ruling is ignored.
BCP and DOJ litigate violations of consent decrees
force redress of harms to consumers
Early FTC
Geocities misrep’ed privacy policy
Eli Lilly accidentally sent mass email with addresses, required to maintain info privacy and sec program
Unfair
Can exist without deception
fail to implement adequate protection measures for sensitive PI, inadequate disclosure, breach promise
FTC v. Wyndham 2015; crappy practices, no changes after breaches. Order: PCI, comprehensive infosec
FTC v. LabMD, hacking breach, failed to take APM for sPI. Order: comp sec program, ruled unenforceable
Equifax - failed to take rble SM, breach exposed SSNs and home addresses of 147M, $300M consumer fund, $175 to states, $100M civil pen CFPB
Lifelock deceptive, and failed to encrypt, no infosec (FTC and 35 states), paid $11M to FTC, then failed to comply with Order = $100M
DesignerWare - unfair to secretly collect keystroke logging and geolo, deceptive to use fake registration
Deceptive
material statement or omission likely to mislead (rble)
false promises, misreps, breach reps, privacy policies or certifications
Facebook - 3P access to user friends’ data
BLU - info to 3P unnecessary to provide services, misrep protection of PI
Snapchat - misrep deletion, lax security
Google - failed to comply consent order, overriding default cookie settings in Safari
Excludes banks, federally regulated financial institutions, common carriers (transportation and communications)

B. COPPA Children’s Online Privacy Protection Act
Does not preempt state laws
Privacy Rule: clear and conspicuous notice of data collection methods, privacy policy on every web page where PI is collected
consent by parents prior to collection of personal information for children under the age of 13
No public security exception to allow disclosure

C. Future of Federal Enforcement
2012 White House Report: Traditional fair information practices FIP/Consumer Privacy Bill of Rights
· Individual control
· Transparency; Security; Accountability
· Respect for context of collection
· Access and accuracy
· Focused collection (reasonable limits)
2012 FTC Report
· Privacy by Design
· Simplified consumer choice
· Transparency
FTC Priorities
· Do Not Track; Mobile self-regulation; Data brokers
· Large platform providers, comprehensive tracking
· Enforceable self regulatory codes
FTC Updates
· smart TVs, drones, ransomware, Audio beacons, cross device tracking, cars, mobile practices, streamline updating

D. Emerging Issues
Artificial intelligence
Convergence with big data
· Data minimization and deidentification
AI must be designed to help humanity, must be designed for intelligent privacy, must be transparent, algorithmic accountability so we can undo unintended harm
Data broker laws
LeapLab, bought SSNs from payday loan sites, sold to biz with no legitimate use, failure to protect data sold to 3P
FCRA, ECOA, FTC Act all apply

Medical Privacy
A. 1996 (HIPAA) Updated by HITECH
Does not preempt state laws
California Confidential Medical Information Act CMIA
No private right of action
Enforcement:
Primary enforcer is HHS’s Office of Civil Rights
· Tiered Penalties based on awareness and willfulness: up to $1.5 mil for most willful violations
State AGs under HITECH, or UDAP or state law
DOJ criminal enforcement (prison up to 10 years for IHII)
FTC can enforce under section 5 UDAP
FERPA = student health records.
HIPAA = non-student health records.
covered entities = healthcare providers, insurers, business associates, doctors’ offices, hospitals, Healthcare clearinghouses, Business associates
Transactions Rule
Electronic format for reimbursement
Privacy Rule:
Privacy Notice: must provide at date of first service delivery and detail patient’s rights to PHI, unless indirect relationship or medical emergency
Allows use and disclosure for treatment, payment (TPO)
Need auth for outside TPO: what PHI, purpose, 3P recipients.
Cannot condition treatment on consent
· Psychotherapy notes, stricter
· Marketing, sale of PHI
Exceptions:
· De-identified: Remove 18 elements; expert certify
· Research: permitted on de-identified data
· Other: LE suspect or victim, etc.
° report abuse, neglect, or domestic violence,
° court order, certain government functions
° public health (epidemic)
° mandated reporting (LE, gunshot wound)
° to fed for national security under Nat Sec Act
° to patient or personal rep; and HHS
· Subpoena Civil: must notify patient so they have chance to object, seek QPO - litigating parties can’t use/disclose PHI for other purpose, requires destruction afterwards
· Admin subpoena no court involvement for LE:
° info is relevant and material, specific, limited scope
° De-identified info could not be reasonably used
Minimum Necessary limit to purpose; BA’s must have K
Access and accountings: right to access, copy, amend, if denied append. PHI kept in “designated record set”
· Accounting of recipients; respond w/in 30 days
· Reasonable cost based fee ok
Safeguards: Admin Physical Tech safeguards
Accountability: must appt privacy official, train personnel, complaint procedures, enforcement by OCR: Anthem cyberbreach, Feinstein FERPA stolen laptop
Security Rule: minimum security reqmts for ePHI
Requires reasonable security measures, APT
· Some specs are required
· some are addressable so each CE/BA must decide for itself based on: cost, size, tech, risk
Admin: appoint officer, policies and processes, EE training program and discipline for non-compliance
Physical: access, workstation policies, disposal/backup
Tech: encryption, login, track users
Protect v. rbly anticipated threats/disclosure to ePHI
Unencrypted data loss = presumed breach by OCR

B. Health Information Technology for Economic and Clinical Health Act (HITECH)
Breach notice, penalties, limited data
BA’s subject to privacy and security rules, must sign BAA, implement reasonable appropriate safeguards
Breach: must notify individuals within 60 days
· >500 people, must notify HHS immediately
· 500 or more in same jurisdiction, must notify media
· can avoid liability if use encryption software
Disclosure must be minimum amount necessary
may not sell EHR without patient consent

C. Confid of Substance Use Disorder Patient Records Rule
Does not preempt state laws, criminal violation
Scope: disclosure of “patient identifying” information by treatment programs for alcohol and substance abuse ASA
Applicability: any program that receives federal funding:
Individual or entity that …
identified unit within a general medical facility that …
Medical personnel or other staff in a general medical facility whose primary function is … provide ASA diagnosis, treatment, referral for treatment
Must obtain written patient consent before disclosing, consent must specify type of info, general designation ok
Redisclosure prohibited if info would identify individual as having been diagnosed, treated, or referred for treatment
Cannot use info for criminal charges against patient
Must have formal policies to protect PI
Exceptions to consent requirements:
Medical emergencies
Scientific Research; Audits and evals
Comms with a qualified service organization
Crimes on program premise or against personnel
Child abuse reporting; Court order
Criminal Fines Violations: (USA office)
First not more than $500
$5000 for each subsequent offense

D. Genetic Information Nondiscrimination Act of 2008 (GINA)
genetic information in health insurance and employment
Civil Rights Act no employment discrimination; ERs can’t use genetic info about EEs or family except:
request was inadvertent
part of an employer-wellness program and voluntary
comply with FMLA
ER buys commercial, publicly available info
legally required genetic monitoring for toxin exposure in the workplace, employee voluntarily participates
DNA lab EE’s for quality control (contamination)
ER must keep separate from medical files
No private right to action but may be available under the federal laws that GINA revises, similar state laws
Amended ERISA, Public Health Service Act, Social Security Act, can’t adjust premiums, absent symptoms
Penalties: $100/day of noncompliance, min up to $15,000

E. The 21st Century Cures Act of 2016 (Cures Act)
Expedite research process, new medical devices, drug approval, reform mental health treatment
Privacy Provisions:
FOIA exempt for individual biomedical research info
Researchers can remotely view PHI (must meet minimum safeguards of HIPAA’s Privacy and Security Rules)
Information blocking prohibited but HIPAA’s protection of PHI remains, fine up to $1M
NIH Certificates of confidentiality, fed funded research, can’t use info legal/admin proceedings w/o consent
Compassionate sharing of mental health or substance abuse information with family or caregivers

Financial Privacy CH 9
A. The Fair Credit Reporting Act (FCRA)
Generally, preempts state law (see FACTA)
Does not preempt states from stricter laws re: employment credit history checks such as the California ICRAA
Enforcement: private right of action, dispute resolution, FTC & CFPB share, State AGs = concurrent enf. auth.
FTC v TeleCheck, check authorization co. and CRA, did not comply with dispute procedures for consumers whose checks were denied. TRS debt-collection co. violated Furnisher Rule who must ensure accuracy of info provided to CRAs. FTC targeting data brokers
CFPB v. Clarity Services failed to properly investigate consumers who disputed info on credit reports & obtained credit reports without permissible purpose
CFPB v. JPMorgan Chase failed to have reasonable policies re: accuracy of info it gave to CRAs, and failed to give consumers results of investigations where the consumer disputed accuracy
CFPB consent order with CitiFinancial—failed to reasonably investigate consumer’s disputes, failed complete investigations in timely manner, failed to accurately report certain delinquent accounts.
Violations: civil/criminal penalties. Statutory damages of at least $1000 per violation, at least $3,756 for willful
Amended by FACTA re: ID theft, truncate #s, KYC, free annual report, Disposal, Red Flag rules, EE internal invest.
Consumer report is any comms by a CRA that pertains to:
Creditworthiness, Credit Standing, Credit Capacity
Character, General Reputation
Personal Characteristics, Mode of Living
Four User requirements:
3P data for decision making, accurate, current, complete
Give consumers notice when 3P data used to take AA
only use for permissible purposes
consumer must have access to their consumer reports and opportunity to dispute or correct errors
Also: record keeping, certifications, securely dispose
CRA’s MUST:
Must give Consumers access to their consumer reports and opportunity to dispute or correct errors
Must ensure maximum possible accuracy of report
Not report outdated negative info, >7 years old, bankruptcies >10 years
Provide only to entities with permissible purpose
Maintain records regarding entities that received reports
Provide consumer assistance as required by FTC
FTC drafted Notice User
Users must have a “permissible purpose” established by CRA
· Court order; icw child support payments;
· Consumer requests in writing
· Extension of credit
· Underwriting of insurance
· Employment purposes
· See if consumer breached terms of account
· Eligibility for license or other govt benefit
· Valuation assessment by investor/servicer/insurer
· Prescreened unsolicited offers of credit or insurance
Users must provide certifications of permissible purpose
Users must notify consumers when adverse actions
Adverse Action based on Info from CRA: inform consumer (oral ok):
Contact info of CRA
Statement CRA didn’t take adverse action, can’t explain
Statement consumer’s right to obtain free disclosure of file from CRA if consumer requests within 60 days
Statement consumer’s right to dispute directly with CRA the accuracy and completeness of info
Adverse Action based on info from non-CRA: credit for personal, family or household purpose, must inform consumer of right to be informed of the nature of the info that was relied upon if request is made within 60 days. User must disclose within reasonable period of time.
Adverse Action based on info from affiliates: insurance, employment, or credit: must inform consumer they may obtain disclosure of nature of info relied upon by making a request within 60 days. User must disclose within 30 days
Other Disclosures
If use credit scores re: mortgages, must give credit scores and other info about credit scores to applicant
Risk-based pricing notice to the consumer if CR used icw application for credit on terms that are less favorable than the most favorable terms available to most other consumers. E.g., Sprint
Companies that extend credit to consumers must implement Red Flag program to deter identity theft
Medical Info (usually just payment info)
payment info must be coded, not ID medical provider
For insurance txn, must be coded or need prior consent
For employment or credit purpose, need prior consent and info must be relevant
Disclose only as necessary, or as required by law
Prescreened Lists
creditors and insurers can obtain limited consumer report info icw firm unsolicited offers of credit or insurance
obtain from CRA a list of consumers who meet certain preestablished criteria
· must: (1) before the offer is made, establish the criteria that will be relied upon to make the offer and to grant credit or insurance
· (2) maintain such criteria on file for three-year period from date offer is made to each consumer.
· any user must include with each written solicitation a clear and conspicuous statement that:
° Info in consumer’s CRA file was used
° consumer received offer b/c they satisfied the criteria for creditworthiness or insurability
· Credit or insurance may not be extended if it determines that consumer does not meet the criteria, or he does not furnish required collateral.
consumer can opt out of use of info in their file with future prescreened offers by contacting the notification system that provided the report
2015, must give simple easy-to-understand notices explaining consumer’s right to opt out of receiving offers

B. The Fair and Accurate Credit Transactions Act (FACTA)
Made substantial amendments to FCRA
CFPB is rule-making and enforcement authority
preempts most stricter state laws except:
· states retain some powers to enact laws re: ID theft
· laws re: insurers use of credit-based insurance scores called out by FACTA as not preempted
· credit scores, state laws in CA CO
· frequency of free credit reports, state laws in CO, GA, ME, MD, MA, NJ, and VT remain in effect
Required truncation of debit and credit card numbers
Required more detailed “know your customer” documentation for domestic and foreign FI
Gave consumers new rights to explanation of credit scores and right to request a free annual credit report
Add’l rules for “free offers” of report w/ font limitations
Disposal Rule and Red Flags Rule
FACTA Disposal Rule
Disposal = sales, transfer, donation
User of consumer report and derived info, must dispose in a way that prevents unauthorized access and misuse, reasonable methods based on media
Enforcement: FTC, federal banking regulators, CFPB
Violations: civil liability
State disposal rules may impose broader requirements
FACTA Red Flags Rule
required FTC and fed banking agencies to develop rules for FIs to detect, prevent and mitigate ID theft
CFPB has rulemaking and enforcement authority
Red Flags Program Clarification Act of 2010 narrowed definition of creditor to exclude service providers who bill in arrears. Applies if you’re a creditor:
· Use consumer reports icw credit transaction
· Furnish information to CRA
· Advance funds to or on behalf of someone
Each entity must create its own list of flags. FTC recs:
· Alerts from CRA; Suspicious ID documents; personal identifying data; unusual use of covered account

C. State Financial Data
Credit History
FCRA does not preempt states from stronger laws for employment credit history checks, such as ICRAA.
11 states CA CO CT HI IL MD NV OR VT WA limit the use of credit information in employment
· credit history info used only for position applied for
some states allow credit history checks to be performed for predefined occupational categories:
· finance or management or exposure to CI
D. Gramm-Leach-Bliley Act (GLBA) privacy framework for modern · If FI wants to share with nonAff 3P and no exception:
banking ° must give privacy notice
Does not preempt stricter state laws ° including an opt-out notice.
banks, insurance providers, securities firms, payment settlement · can give short-form notice instead of full if:
services, check-cashing services, credit counselors, pawn shops, ° explain full privacy notice is available on request;
mortgage lenders (significantly engaged in financial activities)
Enforcement:
No Fed private right of action
· private right of action in some states
failure to give certain notice may be deceptive trade practice per Fed and state law
Enforced by federal financial regulators for institutions in their jurisdiction
- Federal Reserve, Office of Comptroller of Currency, FDIC, and SEC
Financial institutions not in the jurisdiction of the other agencies: FTC and CFPB
state AGs can enforce
TaxSlayer: poor security measures
Venmo: misled re: privacy practices, security of data
Violations: civil and criminal penalties under Financial Institution Reform, Recovery, and Enforcement Act (FIRREA).
· up to $5,500 for violation
· max of $27,500 if violations are unsafe, reckless.
· $1.1M for knowing violations
U.S. Bancorp / MemberWorks v. MN AG: sold NPI to telemarketer that used account to autocharge
Definitions
Consumer = anyone who buys or applies for financial product for personal, family, or household purposes.
Customer = consumer who has an ongoing customer relationship (account holder)
Customer, non-consumer = customer who is not also a consumer, i.e. large institutional customer
FIs must protect consumers’ nonpublic personal info
Regulates “nonpublic personal information” defined as personally identifiable financial information:
· Provided by consumer to a financial institution
· Resulting from a transaction or service performed for the consumer or
· Otherwise obtained by financial institution
· That someone is FI’s customer
Publicly avail info is not NPI (phone book, govt records)
E. GLBA Privacy Rule: Financial institutions must:
Give customers clear and conspicuous notice of FI’s info sharing policies, annually
· Info collected from customers and consumer
· Recipients
· How it protects/safeguards the info
· how consumer can opt out of info shared thru reasonable opt-out process
After giving notice, FI can share any info it has with affiliates and joint marketing partners
If FI also wants to share with nonAff 3P and no exception:
· Must also disclose info sharing practices and opt-out
· wait reasonable time to opt out B4 sharing NPI
Exceptions: Can’t opt out (FI can share w/o notice)
· Outsourced crucial services (txn processing)
· Outsourced marketing service provider
· Disclosure is legally required
must process opt outs within 30 days
· can’t discriminate against those who opt out
Customers who are not consumers: fewer notice req’s
° reasonable way to get the full privacy notice; and
° include an opt-out notice
° model notice: short privacy notice
Financial Services Regulatory Relief Act (FSRRA)
FI can never share consumer account numbers w/ nonAff 3P for marketing, even if consumer hasn’t opted out
FI must ensure service providers do not use consumer data for anything other than intended purpose
GLBA allows disclosure for investigation on matter “related to public safety” (national sec)
F. GLBA Safeguards Rule
FIs must protect CIA of personal consumer info
develop program that addresses ATP safeguards
Five Must-Dos:
· Designate an employee to coordinate safeguards
· Identify and assess risks to customer info
· implement safeguard program and regularly monitor
· Select appropriate vendors and sign Ks
· Evaluate, update program upon changes
Note: CFIPA conflict
G. CA SB-1 California Financial Information Privacy Act
CCPA applies to FI’s when engaged outside of GLBA
CFIPA applies to FI’s when engaged in GLBA activity
· caution - applies to dataset, not who holds dataset
opt in for FI to share data with nonaffiliated parties
opt out for FI to share data with affiliates not in the same line of business
But FI can share nonmedical info with affiliates in same line of business, e.g., insurance, banking, securities
Violations:
· negligent noncompliance: statutory damages of $2,500 per consumer, up to $500,000/occurrence.
· Willful non-compliance eliminates the $500,000 cap
H. New York Cybersecurity Reg 2017: NYDFS comprehensive strict cybersecurity regulations that far exceed GLBA cybersecurity mandates on all covered FIs
National Institute of Standards and Technology (NIST) Cybersecurity Framework
risk assessments, document policies, designate CISO, limit data retention, incident response plan, audit trails
defines nonpublic information more broadly than GLBA
key requirements not in GLBA: personnel, reporting, documentation, and 3P service providers req’mts
I. Dodd-Frank Wall Street Reform & Consumer Protection Act
Created CFPB, indie bureau within Fed Reserve, broad authority
Rule making auth. for existing financial privacy laws: FCRA, GLBA, Fair Debt Collection Practices Act
Over all nondepository FIs, depository FIs with $100B
investigations and issue subpoenas, hold hearings
civil actions under UDAP & “abusive acts and practices”
· Materially interferes with the ability of a consumer to understand a term or condition of financial product or
· Takes unreasonable advantage of:
° C’s lack understanding of risks, costs, conditions;
° inability of consumer to protect its interests; or
° reasonable reliance on a covered person to act in the interests of the consumer
Violations:
$5,526/day for federal violations
$27,631/day for reckless violations
$1,105,241/day for knowing violations.
State AG’s can bring civil actions under Act
J. Bank Secrecy Act of 1970 (BSA)
Currency and Foreign Transaction Reporting Act
Treas Sec can impose record-keeping and reporting requirements on FI’s to fight money laundering and fraud
Applies to: entities subject to supervision by state or federal bank supervisory authority: banks, securities brokers, card clubs, telegraph, casinos - evolves as launderers get creative
Reporting
currency txns in excess of $10,000
check txns for $3000, info re: purchaser
certain wire transfers
exempted: Electronic Funds Transfer Act, automated clearinghouses, ATM or POS systems
Record Retention:
$10,000 extension of credit
Other records, those with “high degree of usefulness”
· Borrower’s name and address
· Credit amount and purpose and date of credit
· Such records may be maintained for five years
Deposit account records: taxpayer ID; Signature cards
CD’s
Wire, direct deposit if $100+
Suspicious Activity Reports (SAR)
Alert U.S. Dept of Treasury’s Financial Crimes Enforcement Network (FinCEN):
· FI suspects an insider committing a crime
· detects crime $5000 and basis for identifying suspect
· detects crime $25000 (no need for suspect)
· detect currency transactions aggregating $5000+ that involves potential money laundering
Violations:
Civil penalties, fines:
· $25000, txn amount, $100,000 max
· negligence $500/violation
· Additional $5000 per day for failure to comply
Penalties up to $25,000, fail to meet info sharing requirements of PATRIOT Act.
Penalties up to $1M, fail due dili req’mts
Criminal penalties
· up to $100,000 fine and/or 1 year jail and
· up to $10,000 fine and/or 5 years jail
K. International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001
Part of USA PATRIOT Act
Expanded BSA’s reach
Gave Treas Sec ability to make broad, modified KYC rules
USA PATRIOT Act compliance issues categories:
Info-sharing regs, cooperate to deter money laundering
KYC rules, ID of beneficial owners of account, procedures
Development of formal money-laundering programs
BSA expansions, new reporting and record-keeping for different industries (broker-dealers) and currency txns
Evolving: Foreign Account Tax Compliance Act of 2010 (FATCA): more detailed “KYC” doc for domestic/foreign FIs
II.D Education CH 10
A. Family Educational Rights and Privacy Act (FERPA)
Applies all educational institutions that get federal funding
Does not preempt state law
Provides students with the right to: (FIPPs)
Control the disclosure of their education records
Review and seek amendment of their education records
Receive annual notice of their rights under FERPA
File complaints with the U.S. Department of Education
Education Record directly related to student, maintained by the
school or behalf of - all formats. Excluded:
· Campus police, Employment, Treatment, Applicant, Alumni;
Grades on peer-graded papers
Disclosure of Education Record permitted if:
· Info is not PI
· Info is directory info, and no opt out
· Consent provided by parent or 18 y/o student
· To holder of FERPA rights
· Statutory exception, health or safety purposes
· PII in directory information
GPA, grades, or transcripts not released without consent
Personally Identifiable Info:
Name of student, student’s parent or other family member
Mailing address; SSN or student number
Other identifiers such as DOB
Other info that alone or in combo would link
Info requested by a person whom the school reasonably believes
knows the identity of student
Directory Info - not generally considered an invasion of privacy or
harmful if disclosed (self determined by school)
Name, DOB, address, email, ph#, major honors
Never SSN, maybe student ID
Consent under FERPA
must be signed and dated. Must also identify:
· record to be disclosed; purpose; recipient
Use reasonable methods to authenticate
Records Disclosure Consent Exceptions:
to school officials with “legitimate educational interest”
· outsourcer can’t re-disclose
education institutions where student seeks to enroll
icw financial aid
to orgs doing research studies for educational institutions
to accrediting orgs
to alleged victim of forcible or nonforcible sex offense
· info related to sex offenders
· verified party that provided or created the record
· to law enforcement, judicial order or subpoena
· appropriate parties icw a health or safety emergency
Right to access records
within 45 days of request
If denied opportunity to fix, must be given hearing
No right to access parent’s financial records, treatment records,
LoRec, LE records, third party info
Right to correct records if inaccurate, misleading, violation of
privacy
Enforcement
Dept of Education, FPCO (Family Policy Compliance Office) investigates complaints
Penalty loss of federal funding
No private right of action
Who has rights?
18 y/o student is person in control of rights
Parent for minor
If student has left high school and is attending only a
postsecondary institution, rights are held by student regardless of age.
school may disclose to parents the educational records of student without student’s consent, if student is a dependent for tax purposes.
B. FERPA and Protection of Pupil Rights Amendment (PPRA)
Applies to elementary and secondary schools that receive federal funding, no colleges
parents’ rights re: collection of sensitive info from students through surveys:
· Political, Mental and psychological; Sex; Illegal, antisocial, self-incriminating and demeaning behavior; Critical appraisals of individuals; privileged relationships; Religion; Income (other than by law)
C. No Child Left Behind Act of 2001
Broadened PPRA to limit collection/disclosure of student survey info. Now requires schools to:
· Enact policies re: commercial purposes
· Allow parents to inspect surveys, opt-out; prior notice
D. FERPA and the HIPAA Privacy Rule
health records are subject to FERPA and not HIPAA where a public K12 school has a nurse for student health
FERPA does not apply to private elementary or secondary schools that do not receive federal funding
· subject to HIPAA if school is “covered entity”
Both FERPA and HIPAA Privacy Rule typically apply to college healthcare b/c it treats both students and staff
· FERPA applies to student health records
· HIPAA Privacy applies to nonstudent health records.
E. Education Technology
Google Apps: students sued under FERPA violation
Self Reg - tech pledge to safeguard student privacy, violation enforced as deceptive trade practice Sec 5
Telemarketing and Marketing Privacy
A. FTC issues Telemarketing Sales Rule (TSR) in 1995
FCC counterpart, issued Telephone Consumer Protection Act of 1991 (TCPA)
· restricts unsolicited advertising by phone, fax, texts
FCC and FTC share regulatory jurisdiction
· FCC promotes transparency in online comms, monitors online markets, consumer complaints and investigates.
· FTC prevents UDAP, takes enforcement actions
Does not preempt stricter state laws
Some states require marketer license or register w/state
State DNC with differing exceptions/fines
Some require written contract for certain transactions
Enforcement by FTC, state AGs, or private individuals
Civil penalties up to $42,530 per call
State private right of action via intrusion on seclusion tort
B. Rules Governing How Calls Can Be Made Under Telemarketing Laws
Defines telemarketing as plan, program, or campaign conducted to induce purchase of goods/services/charitable contribution, use of phones interstate
TSR requires covered orgs to:
Call only between 8am and 9pm
Screen and scrub names against national DNC list
Display caller ID info
ID themselves and ID product they are selling
Disclose all material info and terms
Comply with special rules for prizes and promotions
Respect requests to call back
Retain records for at least 24 hours
Comply with special rules for automated dialers
TSR requires disclosures at beginning of call:
Identity of seller
Purpose of the call is to sell goods/services
Nature of goods/services
No purchase or payment is necessary to participate/win promotion, does not increase chances of winning
If call has multiple purposes (sale of different types of products or different purposes), disclosures have to be made for all sales purposes
Misreps/material omissions: Ten categories of info that must always be disclosed:
Cost and quantity
Material restrictions, limitations, conditions
Performance, efficacy, central characteristics
Refund, repurchase, or cancellation policies
Material aspects of prizes, investment opportunities
Affiliations, endorsements, or sponsorships
Credit card loss protection
Negative option features
Debt relief services
More disclosures for non-CC payment (phone or utility billing), with express verifiable authorization
Caller ID must transmit if technically feasible
Call Abandonment prohibited: must connect call to a live sales rep within 2 secs of person’s completed greeting.
No pre-recorded sales pitches w/o opt in from consumer
Abandonment Safe Harbor:
· Use tech to ensure less than 3% abandonment measured per day per calling campaign
· Allows telephone to ring for 15 secs or four rings before disconnecting unanswered call
· Play recorded message w/ name and ph# of seller if live sales rep is unavail w/in 2 secs of person answering
· Maintains records documenting adherence to preceding 3 req’mts, 97% of calls answered
Unauthorized Billing: can’t bill without consent
· More rules for billing to pre-acquired account info
· Special requirements for freemium
° Last four digits
° Audio recording of txn
Robocall Autodialers - TCPA Updates
FCC revised TCPA to reconcile with TSR
· Even if business has EBR, still need prior express written consent for robocall to residential #
· Consumer can opt out of future robocalls during robocall
· Align with FTC, requires assessment of call abandonment rate, every 30 days
· HIPAA health related entities are exempt
Consent can be revoked at any time by any rble means
Robotexts
Texts subject to TCPA
Prior written consent must be clear and conspicuous
Consent cannot be requirement of purchase
mere fact that consumer’s wireless # appears in contact list of another customer is not consent
When caller has consent for wireless #, and # is reassigned, caller is not liable for first call but liable for subsequent
Records:
Advertising and promotional materials
Prize recipients info
Sales and Employee records
All verifiable authorizations or records of express informed consent or express agreement
each sales record must include:
name and last known home address of each customer
Goods or services to be purchased
date the goods or services were shipped/provided
amount the customer paid for goods/services
Info on former and current employees:
Name, Job title, home address and phone number, alias
C. Rules Governing Who Can Be Called Under Telemarketing Laws
FTC created U.S. National Do Not Call (DNC) Registry
Enforced by FTC, FCC, and state AGs
· Civil penalties up to $42,530 per call
· private right of action: state intrusion on seclusion tort
Must receive a Subscription Account No, non-transferable
must update call lists every 31 days
Exceptions to list:
· Nonprofits calling on their own behalf
· Calls to customers with EBRs within last 18 mons
° prospect, last three months
· Inbound calls, no upsell of additional products/service
· Most business to business calls
· Consumer C&C opts in to calls with signature and phone #, or
don’t bundle consent with sweepstakes
Telemarketers can avoid liability under the DNC safe harbor:
implement written procedures to honor requests
train personnel and entity assisting in its compliance
maintain and record an entity-specific DNC
maintain records documenting DNC and National DNC within 31 days of call
someone monitors and enforces compliance
call is result of error
D. Junk Fax Marketing: TCPA covers faxes
Junk Fax Prevention Act (JFPA): consent can be inferred from an EBR, as long as sender offers an opt-out
private right of action
statutory damages of up to $500 per fax
Preempted CA law based on interstate regulation
E. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
No private right of action
Preempts most state spam laws
not superseded if they prohibit false or deceptive activity
Applies: covers transmission of commercial email whose primary purpose is advertising product, directed to or from U.S.
Enforcement: FTC, other federal regulators, state AGs and other state officials
Violation:
fines up to $40,654/violation
Authorizes ISP’s to sue; act allows injunctive relief, damages up to $250/violation with max of $2M
court may increase damage award up to 3 times in cases of willful or aggravated violations
egregious punishable up to 5 years’ imprisonment
2009, federal judge shut down 3FN based on FTC’s allegations that it knowingly distributed spam and malware and hosted illegal content, child porn
Commercial email content:
Prohibits false or misleading headers
Prohibits deceptive subject lines
C&C notice of opt out, by return email or opt out link
10 business days grace period for opt out
C&C ID that message is commercial (unless affirmative consent was provided) and physical address of the sender
Prohibits aggravated violations re: commercial email:
Address-harvesting and dictionary attacks
Automated creation of multiple email accounts
Retransmission of commercial email through unauthorized accounts
Email with sexually oriented material must have warning label (unless recipient has given prior affirmative consent)
Marketer liable for vendor violations
deceptive commercial email could be false, misleading ad
FTC has authority to issue rules implementing CAN-SPAM
commercial vs. transactional or relationship messages whose primary purpose is to:
· Facilitate or confirm commercial transaction
· Warranty or safety info re: product purchased
· Info re: ongoing commercial relationship
· Provide info re: employment or a related benefit plan
· Deliver purchased service to recipient
F. Wireless Message Rules Under CAN-SPAM
MSCM is commercial email transmitted directly to wireless device used by subscriber of commercial mobile service, that uses a unique electronic address that includes a reference to Internet domain
FCC says designed to apply only to mail addresses designed by carriers for mobile services messaging
Rules cover SMS but not phone to phone messages
Requires subscriber’s express prior authorization, opt in
· given prior to sending MSCM
· authorization/revocation is free to user, enable revocation by same means
· authorization must be documented
· Each authorization must disclose:
° Sub agrees to receive MSCMs on device
° from a particular ID’ed sender (no 3Ps)
° may be charged for receipt of message
° may revoke authorization at any time
· Disclosures must be C&C, be separate, have conspicuous opt out link
10 business day grace period to revoke auth
Wireless Domain Registry
FCC registry of wireless domain names that are do-not-text.
commercial mobile radio service providers must ID all email domains dedicated to subs for wireless devices
Senders are responsible for checking before sending commercial messages to anyone on domain
providers must update within 30 days before issuing any new or modified domain names
G. Telecommunications Act of 1996
CPNI is info collected by telco carriers re: subscribers: subscription info, services used, network and billing info, phone features and capabilities, call log data such as time, date, destination and duration of calls
· Not CPNI: certain PI such as name, ph #, address
No sale of CPNI without prior consent:
· Need opt in before carriers can share CPNI with joint venture partners and vendors for marketing purposes
Restrictions on access, use, and disclosure of CPNI
· Ok in service categories customers already subscribed to
· Carriers can use CPNI for billing and collections, fraud prevention, customer service, and emergency services
· U.S. West Inc v FCC set legal standard of opt out for carrier’s own use of CPNI
Other requirements aimed at curbing pretexting, or gaining access to CPNI through fraudulent means
· Carriers must notify LE if CPNI is disclosed in security breach w/in seven business days
· Customers must give password before they can access their CPNI via telephone or online account
· Carriers must certify compliance annually, explain how systems ensure compliance, provide annual summary of consumer complaints re: unauth disclosure of CPNI
Applies to carriers and VoIP; Trump repealed FCC attempt to regulate ISPs
H. Cable Communications Policy Act of 1984
Provides private right of action
Excludes internet services via cable b/c defined as: one-way transmission to subs of video programming and sub interaction required for selection of programming
Cable service providers must give 1st and annual privacy notice that C&C informs subscribers of:
· nature of the PI collected
· How PI will be used
· retention period of such info
· manner by which sub can access and correct such info
provider can only collect PI that is necessary to render services or detect unauthorized reception of services
Can’t share PI w/o written or e-consent. Exceptions:
· extent necessary to render services
· conduct legit business activities
· only name & address, and sub was given opt-out
· Subject to court order with notice to sub
° in conflict with ECPA, which allows w/o notice to consumer, b/c notice may negatively impact LE investigation
° Courts have resolved tension by allowing w/o notice to sub per ECPA
PI must be destroyed when no longer needed for original purpose and there are no pending requests for access
I. Video Privacy Protection Act of 1988 (VPPA)
Private right of action for violations
· Statutory damages set at $2,500
· Allows actual, punitive, and rble attorney fees
Does not preempt more protective state laws
· CA laws covering the same privacy issues as VPPA
Applies to video tape service providers, rental, sale or delivery of pre-recorded video cassette tapes, individuals who receive PI in ordinary course of business or for marketing purposes. N/A to video streaming
Prohibited from disclosing PI. Exceptions:
· Disclosure is made to the consumer themselves
· Per contemporaneous written consent of consumer
· to LE per warrant, subpoena or other court order
· per civil court order and consumer had right to object
· Includes only the names and addresses of consumers
· If only used for marketing to consumer: only names, addresses, subject matter descriptions
· for order fulfillment, request processing, transfer of ownership or debt collection
PI must be destroyed as soon as practicable but no later than one year after no longer necessary and no pending requests for access
J. Video Privacy Protection Act Amendments Act of 2012
Allowed for one-time consumer consent that was valid for up to two years, replacing contemporaneous reqmt
Addresses social media concerns
K. Federal Regulation: FCC Broadband Privacy Rule
Pre-2015, FTC primary enforcer of digital ad violations
2015 FCC reclassified broadband internet service as a public utility per “Open Internet” or net neutrality rule
2016 Appeals Ct upheld FCC’s authority to regulate broadband internet providers
· telephone (Verizon), cable companies (Comcast)
· Effect = subject to Telco Act of 1996, including CPNI privacy req’mts in Section 222
FCC issued Privacy Rule for broadband … but
2017 Congress rescinded FCC Privacy Rule
· But FCC order said Section 222 and CPNI rules still apply to broadband internet providers
L. California Online Privacy Protection Act of 2013 (CalOPPA)
operator of website must display a privacy notice:
· Categories of PII collected through the site
· Categories of 3P operator may share PII with
· How operator treats browser’s Do Not Track signals
· Whether other parties collect PII about consumer’s online activities and across different websites
implementation of Do Not Track by browsers varies
· Default = tracking is acceptable unless user sets browser to send Do Not Track to requesting site
· Do Not Track as a default
· Selective Do Not Track as default
Caution: embedded dynamic code from 3Ps (such as advertisers): operator may not be fully aware of their tracking activities taking place on their own site over time
Government and Court Access to Private-sector Info
III.A Law Enforcement and Privacy
A. Fourth Amendment - Right to be secure in persons, houses, papers, effects, against unrble searches and seizures; warrants need probable cause, particularity of place searched
Olmstead: subjective and objective rble exp of privacy
Katz v. US: warrant needed for police bug in restaurant, placed to hear calls behind closed doors of phone booth.
3P and in-public doctrines - can share customer and employee records to LE if given to company as 3P
Jones: warrant needed for GPS car tracking for a month. Police had trespassed, even public movements
Riley v. California - need warrant to search contents of cell phone b/c large quantity/quality of data
Carpenter v. U.S.: reduced scope of the third-party doctrine. Need warrant to access cell site location info
B. HIPAA - Disclosure is permitted per court order or subpoena, or admin request, if three criteria are met:
relevant and material to legitimate LE inquiry
specific and limited in scope for purpose
Deidentified information could not reasonably be used
C. Electronic Communications Privacy Act (ECPA)
Private right of action and criminal penalties
Does not generally preempt state law
· CalECPA protects email comms
Amended Wiretap and SCA
D. Wiretap (Title III) - real time interception of wire, oral, and email comms. Most strict and requires a super warrant
Only certain offenses, only necessary/minimize
Violations are criminal offence, PRA, does not preempt
Two exceptions to needing warrant:
· If a person is a party to a call or one party consents; some states require all party consent
· interception is done in ordinary course of business
offensive to a rble person can be state invasion of privacy or other common-law claims
E. Stored Communications Act (SCA)
Private right of action and criminal penalties
voluntary and compelled disclosure of "stored wire and e-comms and transactional records" held by third-party ISP
prohibits unauthorized acquisition, alteration, or blocking of e-comms while in storage at e-comm facility
Two exceptions:
· By entity providing wire or e-comm service
· By user of service/comm or intended for that user
upon govt request, wire or e-comm provider must preserve records and evidence pending court order
Over 180 days, unopened, only need subpoena
Microsoft: CLOUD Act overrides SCA - now requires Co. to provide electronic evidence even if stored outside U.S.
F. Pen Register and Trap and Trace Order
no private cause of action
New pen register and trap/trace order from judge under lax standard of “relevant to an ongoing investigation”
PATRIOT Act Section 217 expanded to include dialing, routing, addressing, or signaling info
Freedom Act ended its use for bulk collection
G. Communications Assistance to Law Enforcement Act (CALEA)
Aka Digital Telephony Bill
FCC implemented CALEA
Applies to telcos to cooperate in interception of comms for LE needs relating to security and safety of the public
carriers must design to give gov access to comms
2005, FCC expanded to broadband internet access and VoIP when interconnected w/ traditional telephone services
H. Media Records & Privacy Protection Act (PPA) 1980
Does not preempt state laws
extra layer of protection for media and media orgs from gov search or seizures in course of criminal investigation
LE must use subpoenas or voluntary cooperation to obtain evidence from those engaged in 1A activities
Applies to gov officers or employees at all levels of gov
Applies to criminal investigations (not civil)
Violations: $1,000 actual damages and attorney’s fees
Exception: Probable cause that reporter is involved or in process of committing a crime (does not apply if crime is possession, receipt or communication of work product)
I. Right to Financial Privacy Act (RFPA)
Only applies to requests from federal agencies
Applies to FI, such as banks, credit card companies, and
consumer finance companies
No gov authority may access unless financial records are
reasonably described and meet one of these conditions:
· customer authorizes access
· appropriate admin judicial subpoena or summons
· qualified search warrant
· appropriate formal request by gov authority
Customers must receive notice in advance of the gov request for
the records, right to challenge disclosure
J. Cybersecurity Information Sharing Act (CISA) 2015
federal gov may share unclassified technical data with
companies re: network attacks and successful defenses
CISA encourages companies to voluntarily share the same info
with gov
Companies that share info receive certain protections
· Limitations on liability, Non-waiver of privileges
· Exemption from FOIA disclosure
Provisions:
· Reqmt to remove personal info before sharing
· Sharing info with federal gov does not waive privileges
(doesn’t apply with state/local gov)
· Prohibition on gov using shared info to regulate or take
enforcement actions against lawful activities
· Authorization for company’s monitoring and operating
defensive measures
B. Judicial Redress Act of 2016
Extends U.S. Privacy Act protections to non-U.S. persons
C. Bank Secrecy Act (see above)
III.B National Security and Privacy
A. Foreign Intelligence Surveillance Act (FISA) 1978
4A left gap for “national security”
Needed cold war monitoring of Russian embassy
Covered wiretaps, emails/stored records, NSL
statutory system to authorize foreign intelligence wiretaps that did not meet reqmts of 4A searches
checks and balances on previously unfettered discretion of pres and AG to conduct national security surveillance
2001 Amended by PATRIOT Act: allowed foreign wiretaps and relaxed rules, expanded NSL use, but telcos were sued
2008 FISA Amendment Act
Legal authorization for wiretap, pen register, trap and trace for phone # and emails, and video surveil for foreign intel, even outside US
Immunity for telcos
More reporting to Congress; Some limits on NSL secrecy
foreign intel must be significant purpose of investigation
Instead of PC of a crime, FISC orders issue on PC that party monitored is foreign power or agent of
fine up to $10,000 or up to 5 years in prison; Wiretap Act, punishable with fine or up to 5 years in prison
Section 702 of FISAA
Applies to collection of e-comms that takes place in US, and only for comms of targeted individuals for listed foreign intel purposes, and gov must have rble belief that person is non-U.S. citizen located outside U.S.
FISC must annually approve certifications by DNI and US AG setting the terms for section 702 surveillance
cannot notify FISA target before or during investigation
include content, not just metadata
Previously, prez could authorize elec surveillance w/o court order for one year (Bush warrantless wiretap)
Two surveillance programs under Section 702
PRISM: judicially approved, supervised directive to collect to/from messages with certain selectors such as an email address. Co’s (ISP) lawyers can challenge the request
Upstream: filters Internet based comms as they pass thru physical infrastructure located in U.S. if they contain a tasked selector, and stored for access by the NSA
2018 amendments to Section 702
reqmts for querying procedures consistent with 4A
restrictions on the use of information pertaining to U.S. persons in criminal proceedings, and
congressional oversight of “about” collection
B. USA Patriot Act 2001
Section 217 “hacker trespasser” exception
O&O of computer can face penalties under ECPA for providing access to LE without following procedures
permits, does not require, O&O to provide access
LE can perform interceptions if:
· O&O authorizes interception of computer trespasser’s communications on protected computer
· LE is lawfully engaged in an investigation
· reasonable grounds to believe contents of trespasser’s comms relevant to investigation
· interception does not acquire comms other than those transmitted
Section 217 Expanded definition of pen register/trap and trace to include dialing, routing, addressing, signaling info
Section 215 (Snowden) Tangible Things or Business Records: FISC order can require production of any tangible thing
Seeks to obtain foreign intelligence info that does not concern U.S. persons (currently expired)
If info relates to U.S. person, must be relevant to preventing terrorism, not based solely on 1A activities
requires adoption of minimization procedures, per recently declassified FISC orders
permitted bulk collection of telephony metadata/call-log info from telcos. No content. (ended by FREEDOM)
Disclosure is permitted to the persons necessary to comply with the order, and to an attorney
Expanded use of National Security Letters
Fed statutes: ECPA, NSA, RFPA, FCRA, amended by PATRIOT Act and reauth of 2006
Subpoena-like = allows FBI to get a customer’s name, address, length of service, comms (phone and Internet) records, banking, financial, credit, travel records
No court action required. Typically FBI
Can’t disclose that you received an NSL to customer
2006 amendment: recipients under gag order only if Fed thinks it will interfere w/ criminal or counterterrorism investigation or listed purposes
Recipients can petition court to modify or end secrecy
2015 FBI now presumptively terminates NSL secrecy when investigation closes, or 3 years after inv. opened
C. USA FREEDOM Act 2015 (reform of FISA)
Stopped bulk collection under Sec 215 Patriot Act with pen register/trap and trace orders
Must use specific selectors - email or phone number
Companies now allowed to publish statistics about the number of FISA orders and NSLs they receive
government issues yearly transparency reports, and has declassified lots of orders from FISA Court
# of FISA orders exceeds traditional LE wiretap orders
FISA can be important for comm providers, such as telephone companies and email services, but arises much less often for most other companies.
Other U.S. privacy laws with national security exceptions:
HIPAA: “to authorized federal officials for lawful intl, counter-intel, national security” under Nat. Security Act
GLBA: privacy exception vaguely worded, for an investigation on a matter related to public safety.
COPPA makes no mention of national security exception
III.C Civil Litigation and Privacy
A. Disclosures Required by Law
BSA reporting reqmts
FDA report serious adverse events
DOL’s OSHA reporting of workplace injuries and illnesses
Many states - injuries, med conditions, abuse, gunshot wounds, immunization records, contagious diseases
HIPAA permits disclosure of PHI where required by law
FRCP 45 subpoena
LE - PEN register, stored content, search warrant, wiretap
B. Disclosures Permitted by Law
“computer trespasser” or “hacker trespasser” exception created by Section 217 of the USA PATRIOT Act
C. Disclosures Forbidden by Law
Opt In: HIPAA COPPA
Opt Out: GLBA, FTC
evidentiary “privileges” can prohibit disclosure
· generally defined under state law
· attorney-client privilege, exceptions: waive to prevent imminent physical harm to another person
assert privilege against self-incrimination under 5A
D. Public Access to Court Records, Protective Orders, and Required Redaction
U.S. has strong tradition of transparency, FOIA
litigants seek protective orders for PI
· judge decides what info should not be made public
· conditions that apply
Rule 26(c) of FRCP - party may seek protective order that CI may not be revealed or “attorney’s eyes only”
· must demonstrate good cause, court three-part test
° info is confidential
° info is relevant and necessary
° harm vs. need for info
HIPAA Privacy Rule requires consent or court order
· QPO can apply in state court
Redact to limit to only what’s necessary - FRCP Privacy Protection for Filings Made with the Court
· Last 4 digits of SSN or Fin acct, DOB, Minor’s initials
· Federal Criminal Rules of Procedure, Bankruptcy similar redaction. Criminal: city and state of the home address are a fifth category that must be redacted too
E. Electronic Discovery
e-discovery = well-managed data retention program.
Sedona Conference, email retention
· policies - interdisciplinary teams
· continually develop and ID the gaps policy/practice
· reach consensus, look to industry standards
· solutions should meet functional requirements of org
good faith, data that is “transitory in nature” considered outside the duty of preservation
Have clear employee personal use policies
Court will likely prevail over company policy; per 3-factor test: (1) a retention policy should be reasonable, (2) similar complaints against organization, and (3) bad faith
Consistent with disclosure under HIPAA
Consent, court order, QPO
Consistent with disclosure under GLBA
FI may disclose PI to comply with laws, civil, criminal, or reg investigation or subpoena
F. Transborder / conflicts with Foreign laws (GDPR)
Some courts require production if party sought to take advantage of U.S. jurisdiction
Some courts require production b/c [foreign] law does not deprive American court to order a party subject to its jurisdiction to produce even if it violates that law
Or focus on nature of documents, prepare a privacy log describing the documents without disclosing contents
G. Hague Convention, party seeking bears burden of demonstrating that foreign law prohibits discovery
importance of the documents or data to litigation
specificity of the request
whether information originated in United States
alternative means of securing information
important interest of U.S. & foreign (fighting terrorism)
ensure storage and transmission are secure
H. Clarifying Lawful Overseas Use of Data Act (CLOUD Act)
addresses Intl issue
appropriate request through a mechanism such as a Mutual Legal Assistance Treaty MLAT
US has first agreement with UK
negotiations with the EU and Australia concerning possible CLOUD Act executive agreements
IV. Workplace Privacy
No overarching law for EE privacy, state remedy is limited
ER EE relationship fundamentally based on contract law, CBA
Torts: invasion of privacy, publicity given to private life, defamation.
narrow protections
Department of Labor (DOL), the Equal Employment Opportunity Commission (EEOC), FTC, CFPB, and NLRB
DOL administers FLSA OSHA ERISA
HR management of multinational corp EE’s data
A. U.S. Laws Protecting Employee Privacy
4A, CA extended privacy rights to private sector EEs
HIPAA - Protect PHI
COBRA continuous coverage after termination
ERISA EE benefit programs created fairly administered
FMLA unpaid leave birth or illness of self or a family member
Fair Labor Standards Act (FLSA) Establishes minimum wage and sets standards for fair pay
OSHA regulates workplace safety
Whistleblower Protection Act - federal EEs subjected to personnel actions because of whistleblowing
National Labor Relations Act (NLRA) Sets standards for collective bargaining, which also applies in social media communications
Immigration Reform and Control Act (IRCA) Requires employment eligibility verification
SEC Act of 1934 - info about Sr execs of public companies
Anti-Discrimination laws: Limits on background checks, secondary effect on how interviews are conducted
Title VII of the Civil Rights Act of 1964 bars discrimination in employment - race, color, religion, sex, and national origin
Equal Pay Act of 1963 bars wage disparity based on sex
Age Discrimination Act bars discrimination against over 40
Pregnancy Discrimination Act bars discrimination due to pregnancy, childbirth, and related medical conditions
Americans with Disabilities Act of 1990 bars discrimination against qualified individuals with disabilities
GINA bars discrimination based on individuals’ genetic info
Bankruptcy Act prohibits employment discrimination against persons who have filed for bankruptcy
Americans with Disabilities Act (ADA) Medical Screenings
ERs with 15 or more employees
Can’t discriminate against qualified individual with a disability because of disability
Before an offer, ADA permits exams and medical inquiries if job related, consistent with biz necessity
company may require medical exam after offer and may condition offer on results, if:
· All entering EEs are subjected to exam
· Confidentiality rules applied to results
· results used in compliance with discrimination laws
drug addiction is disability
ER must provide reasonable accommodations during employment but can’t ask before offer
ADA Amendments Act (ADAAA) expanded scope - conditions that are mitigated, in remission or episodic if would substantially limit a major life activity of EE employee when active or absent mitigation
B. FCRA limits on EE Background Checks
FCRA applies to nontraditional providers of background check information (like social media aggregators)
covers any type of background check, criminal records or driving records
Permissible purposes for employment checks include:
Evaluating the candidate for employment
Existing EE, for promotion, reassignment, or retention
ER using any consumer report
written notice to applicant - obtaining consumer report for employment purposes, and if investigative consumer report also obtained (no notice reqd for self-performed)
All need written auth, may be for duration of employment
only use data from qualified CRA
Certify to CRA, permissible purpose, gave notice, got consent, will comply with anti-disc laws
Before taking AA, give pre-adverse-action notice to the applicant with a copy of consumer report, opportunity to dispute
Before taking AA, provide copy of report to consumer with summary of the consumer’s rights (drafted by CRA)
adverse action notice sent after adverse action is taken
· contact info of CRA, statements, right to correct
If EE requests, ER must give complete disclosure of the nature and scope of the investigation
· must be made in writing within five days after request, or when report requested (whichever later)
INTERNAL Investigative consumer reports: (Vail)
No notice required if icw internal investigation of:
· Suspected work misconduct or noncompliance with laws or ER policy
· not done for creditworthiness and no credit info
· only given to ER, federal or state officer/agency, Self-regulating org with authority over ER or EE
C. California Investigative Consumer Reporting Agencies Act (ICRAA) stricter disclosures than FCRA
Need prior consent, give proper notice, give opportunity to request a copy of the report
even for internal investig, must give EE all public records unless EE waives
ER notice must be C&C and separate from FCRA notice
Need consent for EACH background check
written disclosure must state:
· report may be obtained; permissible purpose
· disclosure may include info on character, general reputation, personal characteristics, mode of living
· contact info of CRA and CRA’s website
If ER wants to take AA based on report, must provide EEs full report even if EE waived right to get copy
· Consent not required if EEs suspected of wrongdoing
tracking individual’s online presence and screening candidates for predesignated elements selected by the employer, drug use, criminal activity, or unsafe behavior. FCRA might apply to nontraditional providers of background check information
Artificial Intelligence - used to assess candidate in video, caution re: privacy and biases
Privacy During Employment
A. Fed Employee Polygraph Protection Act of 1988 (EPPA)
Violations: subject to fine by DOL and private lawsuits
Does not preempt stricter state laws
DOL rules: ERs are prohibited from using lie detectors on incumbent workers or to screen applicants, can’t retaliate
· OK for govt EEs, controlled substances, defense contractors, and national security functions
· Ok for w/ ongoing investigation involving economic injury to ER business, reasonable suspicion
ER must post essential EPPA provisions conspicuously
EPPA and ADA limits psych testing, ADA prohibits use of medical tests, impairment of mental health. ERs use psych tests personality traits
B. Drug Testing Law
Public sector EEs covered under 4A
Fed laws mandate for:
· Positions within the federal sector, e.g. CBP
· Aviation, Railroading, Trucking industries
· preempt state laws that limit drug testing
Variety of settings:
· Preemployment, if not to ID legal use or addiction
· Rble suspicion based on specific facts, evidence
· Routine testing: EEs notified at the time of hire
· Post-accident: if reasonable suspicion
· Random testing: sometimes required by state law, prohibited in certain states
° More likely regulated jobs, public safety, natsec
Fed ADA, state laws wildly vary
Litigation re: defamation, negligent testing, invasion of privacy, breach of contract and CBAs
MJ legalization, IL says can’t punish EE for MJ use unless impairs their work. Fed EEs MJ use is prohibited
Half of states limit ability to ban EEs smoking
Lifestyle Discrimination
ADA amended in 2009 = protect person who is 100 pounds overweight from discrimination
No federal law protects smokers from discrimination
C. EE Monitoring
In US, private-sector employees in general have limited expectations of privacy at the workplace. Contrast EU
Check CBA
Legal Obligations or Incentives to Monitor
· OSHA requires ERs to provide safe workplace
· Call centers, customer disputes
Defend vs. tort claim for negligent supervision
Biometrics - in HR and employment context
Video surveillance/CCTV.
video w/o sound not covered under federal wiretap and stored-record statutes, no federal prohibition
States often forbid use in sensitive areas (CA, MI)
Common law tort claim invasion of privacy
Intercepting Comms
Wiretap Act of ECPA strict prohibition, criminal
calls, video sound, oral, bugs, emails except:
· In ordinary course of business
· Parties consent
Stored Comms intercept
SCA/ECPA prohibits with 2 exceptions:
· ER because they provide the comms service, and
· EE because they use that service
Ontario v. Quon - SCOTUS held ER could review EE pager messages to ensure personal use compliance.
· Reasonable and work related
ECPA does not preempt stricter state laws
DE law ERs monitor phone, email, internet access or usage w/ prior written notice and daily e-notice
CT law ER e-monitoring must give prior notice, types of monitoring, post notice in conspicuous place
Geolocation tracking
Track work vehicle ok during work hours, EE is informed
But monitoring EE restricted under some states’ laws
· CT no monitoring of EE without notice
· CA criminal misD to use e-tracking device on person
Invasion of privacy claims if RXofP
Social Media monitoring
May violate antidiscrimination and privacy laws
Social engineering may invade privacy
Most states prohibit disclosure of SM credentials
Consumerization of IT and BYOD
work tech for personal use = lack of control over device
Consider breach notification laws
EE has higher XofP with own device
EE device could be subject to discovery
DLP Data Loss Prevention - could be mass surveillance
Investigation of EE Misconduct
Take allegations seriously
Treat EE fairly, document everything
Comply with law, CBA, policies
Data handling risks
3P in investigations - FCRA Vail Letter
Concern for retaliation vs. other EEs
After Employment
Terminate access to physical and info
Manage transition, passwords
HR issues with defamation, state laws re: references
V. State Laws
A. Federal v. State Authority
Preemption
· state AGs retain the ability to use state consumer protection law to bring civil suits
Lack of Federal Data Breach Law = patchwork
· federal privacy law: Q of whether it would preempt federal wiretap law and federal privacy laws that permit stricter state laws
B. State Data Security Laws
majority of states have laws limiting biz right to use SSN.
CA prohibits biz, state and local agencies from SSN public posting, printing on mailings (unless mandated by federal law), printing on ID or membership cards. prohibits biz from requiring transmission of SSN unencrypted
S.B. 178 Cal Electronic Comms Privacy Act (CalECPA)
state LE needs warrant before they can access electronic information, content or metadata
· warrant must “describe with particularity” info sought
· if service provider gives info, LE must destroy data within 90 days, unless consent, court order, or LE reasonably believes info is related to child porn
Subpoenas allowed only if info is not requested in the context of a criminal investigation or prosecution.
Notice required when warrant is executed, must state “with reasonable specificity the nature of the government investigation.” include copy of warrant or
in emergency cases, give statement with facts to support decl of emergency situation 3 days after data collected
Delaware’s Online and Personal Privacy Protection Act
prohibits ads for products that kids can’t legally buy, restricts certain online ad practices based on minors’ PI.
minor = state resident under age of 18
private right of action
operators must post C&C notice of data collection, privacy policy on every web page where PI is collected
Requires consent by parents prior to collection of personal info for children under 13
GDPR, under 16 parental consent
Nevada SB 538
applies if (1) retain certain types of NV resident PII and (2) direct activities towards NV residents, complete a transaction with state or resident, or purposefully avail themselves of NV law
cookie or tracking beacons = PII
exempt if
· biz located in NV, revenue primarily from non-online
· small biz with less than 20k unique visitors per year, or
· 3P that operates site, or process info on behalf of biz
no private right of action
fail to comply within 30 days = civil enforcement by AG
injunctive relief and/or a monetary penalty not to exceed $5,000 for each violation
Illinois Right to Know Act 2017
operator that collects PII about IL residents must
· notice: specified info re: PI sharing practices
· make available certain specified info after disclosing a customer's PI to a third party, and
· provide an email, toll-free number, or webform whereby customers may request or obtain
private right of action: (i) liquidated damages of $10 or actual damages, greater; (ii) injunctive relief; and (iii) reasonable attorneys' fees, costs, and expenses
attempted waiver of the Act or non-compliant agreement is void and unenforceable
not intended to supersede federal or State law
New Jersey Personal Information and Privacy Protection Act
retail establishments, scan government-issued ID card
Can only collect name, address, DOB, ID card number, and jurisdiction that issued the card.
Valid Purposes of ID Scanning (8)
· Verify ID if not cash, returns, refund or exchange;
· Verify age for age-restricted goods or services;
· Prevent fraudulent returns or exchanges
· Prevent fraud re: credit account
· Establish/maintain contractual relationship
· required by law
· Disclose to FI, debt collector, or CRA for FCRA, GLBA, or Fair Debt Collection Practices Acts; and
· Per HIPAA by covered entity
Data Retention and Use
· report breach to affected persons and NJ State Police
· retail store may not “sell or disseminate to a third party any info obtained” per Act for any purpose
Penalties
· $2,500 civil penalty for a first violation
· $5,000 civil penalty for each violation
· Private right of action against store
Washington Biometric Privacy Law (H.B. 1493) 2017
Can’t store a biometric identifier in a database for commercial purpose without providing notice, consent, or preventing subsequent use for commercial purpose
“enroll” = capture biometric ID data, convert to template that cannot be reconstructed, matched to an individual
does not apply to biometric identifiers “unenrolled”
· notice required is separate from, and is not considered, “affirmative consent.”
· exact notice and type of consent required is “context-dependent”
may not use or disclose it in a manner materially inconsistent with original terms without new consent
Need consent unless:
· (1) necessary to provide a product or service
· (2) 3P contractually promises that biometric ID will not be re-disclosed or enrolled in database for a commercial purpose that is inconsistent with the notice and consent
broad “security exception,” in furtherance of a “security purpose.”
C. State breach notification laws & Key Differences among States
Definition of PI CT: (1) SSN; (2) DL number or state ID card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
Some states: healthcare and med info, passwords, personal ID Nos, account Nos., any Fed or State ID No. like passport, military, tax ID, biometric data, DNA profile, maiden name
CCPA: IP address, commercial info, online activity, inferences drawn to create profiles
· All states PI = Unencrypted
· All states exclude publicly available info, lawfully
Covered Entities:
· CT “any person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information”
Conditions for notification
Subject rights
Harm and Definition of Security Breach
CT “unauthorized access to electronic files, media, databases or e-data containing PI when access to PI not secured by encryption or other method that renders PI unreadable or unusable.”
Almost every state contains similar language, although some laws require the compromise to be “material” or event that causes (or is likely to cause) identity theft or other material harm
CCPA “an unauthorized access and exfiltration, theft, or disclosure” of the consumer’s PI resulting from business’s failure to “implement and maintain reasonable security procedures and practices”
D. Conditions for Notification
Whom to Notify
state residents who are at risk
all states require third-party notification
· CT: notify owner of info of breach immediately
AG or State Agency Notification
· two-thirds of states require notify the state attorney general and/or other state agencies
· time periods vary, # of residents threshold, only if after investigation
Credit Reporting Agencies Notification
· two-thirds of states require notify nationwide CRAs, # of residents threshold varies
When to Notify Affected Parties
most common “most expedient time possible and without unreasonable delay”
some states specify time, 45 days most common
national companies, best practice is report within 30 days
allow delays for a reasonable period of time if LE requests b/c impede investigation
What to Include in the Notification (NC)
general description
type of PI
general acts to protect PI from further access
telephone number to call
Advice to remain vigilant - review statements and reports
toll-free numbers, address for CRAs, FTC, AG
Exceptions to Notification
More stringent state laws
Ok to follow breach notification procedures of internal infosec policy if compatible with law
Safe harbor if encrypted, redacted, unreadable, unusable
· Encrypted no longer safe harbor in TN or CA
Penalties and Private Right of Action
AG enforcement
Some states allow penalties
Private right of action - CA, AL, D.C., LA, MD, MA, NV, NH, NC, SC, TN, VA and WA
CCPA statutory damages for sensitive data
· CA first state to allow
B. Recent developments
Tennessee SB 2005
Requires notice of breach regardless of encryption
2017 amendment: clarified that encrypted data gets safe harbor, unless encryption key also acquired in breach
Illinois Breach Notification HB 1260
expanded definition of protected PI to include usernames and email, if when combined would allow 3P to access an individual's online account
required to alert affected parties to change their credentials if compromised
California SB 1386 2003
Original breach notice law
California Breach Notification AB 2828
California data breach notification law expanded: requires notice of breach of encrypted data if:
· Both encrypted data and encryption key or
· Encrypted data when the business has a reasonable belief that the encryption key or security credentials can be obtained by the hacker
New Mexico Breach Notification HB 15
PII includes biometric, fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry
applies to unencrypted computerized data or encrypted data when encryption key is also compromised
Notice to AG New Mexico Office and major CRA’s if >1,000 NM residents notified
Notice to New Mexico residents within 45 days
3P service providers are required to notify data owner or licensor within 45 days of discovery
Massachusetts Data Breach Laws: House Bill No. 4806
2019, bill amends the state data breach notification law
· increase reporting if collect MA resident PI
· expands notification requirements
· requires companies to contract with 3P to offer affected residents free credit monitoring services, and
· prohibits security freeze fees
Updated Notification Requirements to State:
· preexisting law, notice to state regulators: (i) nature of breach; (ii) # residents affected; and (iii) steps taken
· Whether they maintain a written infosec program
Expanded notification to affected residents.
· (i) resident’s right to obtain a police report; (ii) how to request a security freeze and necessary info; (iii) no charge for security freeze; and (iv) provide mitigation services (i.e., free credit monitoring services).
· cannot be required to waive their right of action as a condition to receiving credit monitoring services
modified timing requirements.
· as soon “as practicable and without unreasonable delay”; but now can’t delay notice on ground that total number of affected residents not yet known
Additional Notification Requirements
· general public notice, Office of Consumer Affairs and Business Regulation (the “OCABR”) must publish “electronic copies of the sample notice sent to consumers” on its website and update, how to obtain a copy of the notice sent to the agency from the breached entity.
Free Credit Monitoring Services
· Massachusetts is 4th state (CA CT DE) to require offer free credit monitoring services re: SSN breach
· free credit monitoring services for a period of not less than 18 months
· If CRA breach of security not less than 42 months
Security freeze fees prohibited; allow residents to place, lift, or remove security freezes without charge
CCPA
Right of action for certain data breaches
unencrypted and unredacted subset of PI
· SSN, DL or CA identification number;
· Account number, credit or debit card number, in combination with security code, access code, or password;
· Medical or Health insurance information
unauthorized access, theft, disclosure and failed to take reasonable security practices
civil action for any of:
· (A) damages between $100 and $750 per consumer/incident or actual damages, greater of
· (B) Injunctive or declaratory relief
· (C) Any other relief the court deems proper
Statutory damages, consider: nature and seriousness of misconduct, # of violations, persistence and time of misconduct, willfulness, D’s net worth. No proof of actual damage required
Consumer or class - 30 day notice to cure for stat damages
· if cures and gives written statement of cure and no further violations, no action for stat damages allowed
· but consumer may still sue to enforce written statement, statutory damages for breach
No cure notice required for individual consumer suing for actual damages
Attorney General
Injunction and civil penalty up to $2,500 per violation or $7,500 for intentional, civil action by AG
Can seek opinion of AG for guidance
Violation if fails to cure within 30 days
Civil penalties shall be exclusively assessed and recovered in a civil action by AG
Civil penalties Consumer Privacy Fund
What is covered
Usual plus signature, insurance policy #, protected class
· Info linked at household or device level
· biometric info collected without person’s knowledge
· records of personal property
· product purchased or considered
· Inferences drawn from PII: preferences, predispositions, attitudes, intelligence, abilities
Not PI
· Publicly available info
· Deidentified or aggregate consumer data
· Certain B2B comms or txns (still must comply with non discrimination rights and right to opt out of sale of a consumer’s data)
Does not apply (Covered elsewhere)
· Education info, nonpublic PII per FERPA
· PI from job applicants, employees or contractors
· Privileged, medical, clinical trial info
· PII per FCRA or GLBA
· Vehicle or ownership info, by dealer or manufacturer, for warranty or recall
° still can’t sell, share, or use info for other purpose
· Driver’s Privacy Protection Act
· Emergency contact info
GLBA PI that is exempt from CCPA: transaction info, joint products, account website info
CFIPA applies to FI data
Who is regulated: for profits doing business in CA
· Gross Rev greater than $25M
· Buy, receive, or sell the personal info of >50,000 CA residents, households, or devices; or
· >50% annual revenue from selling CA residents PI
Service providers and third parties excluded if:
· When consumer interacts with 3P, if 3P does not further sell PI inconsistently with CCPA
· Data shared with 3P in order to implement a consumer’s decision to opt out from data sales
· Data shared with vendors as necessary to provide services to the business
· To avoid data sales, service providers must have K that prohibits retention, use or disclosure of personal information except to provide services
Who is protected: Consumers
In CA for other than a temporary purpose
Domiciled in CA but outside CA for temp purpose
Customers household goods, partially in B2B transactions
Notice/Info Right
inform consumers at time of collection:
· categories of PI and intended use for each category
Further notice is required to:
· Collect other PI categories
· Use PI for unrelated purposes
Upon verifiable consumer request
· Free, mail or elec, portable, readable
· no more than twice in 12 month period
Excludes onetime transaction, if info not sold or retained
3P notice of opt out before re-selling PI from other source
Opt-Out Right for Personal Information Sales
Must post “Do Not Sell My Personal Information” link
separate link describe consumer’s rights, to “Do Not Sell My Personal Information” web page in:
· (A) online privacy notice if online
· (B) CA-specific consumers’ privacy rights.
Must comply w/ request to opt-out of sale of PI to 3P
Can’t re-ask to sell for 12 months
Opt-In Right for Sales of PI re: Children
Can’t sell PI of consumer under 16 without consent
Children aged 13 – 16 can directly provide consent
Children under 13 require parental consent
COPPA still applies on top of the CCPA
willful disregard age deemed to have actual knowledge
Right of Disclosure or Access (no port right)
right to disclosure or access
· (1) categories of PI
· (2) categories of sources
· (3) commercial purpose for collecting or selling
· (4) categories of third parties shared with
· (5) specific pieces of PI it has collected
verifiable consumer request from the consumer
Disclose same info on privacy notice/website
does not require business to:
· Retain any PI collected for a one-time transaction
· Reidentify or otherwise link any data
Right of Deletion consumer rights are broader than GDPR, but exceptions are also broader
Verifiable consumer has the right to deletion
· must direct service providers to delete data too
Exceptions, can keep if necessary to:
· transaction, warranty or product recall per federal law
· rble w/in context of relationship, provide service
· detect security incidents, prevent fraud, illegal activity
· debug errors that impair the service
· exercise of free speech or other right
· California Electronic Communications Privacy Act
· scientific, historical, statistical research in PI, render impossible, impair aim, w/ informed consent
· perform a contract
· legal obligation
No Right of Rectification, Restrict, Object
Non Discrimination can’t:
· (A) Deny goods or services to the consumer
· (B) Charge different prices, discounts or
· (C) Different level of service, unless
° Rsbly relates to value of consumer’s data
° financial incentives disclosed and opt-in consent
· (D) Suggest consumer will receive different price or a different level of service
shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious
Responding to Rights Requests
verifiable consumer request for info, delete, sale of info
at least 2 methods for submitting, toll-free number
online exclusive biz w/ direct relationship, only email ok
Respond within 45 days after receipt, extendable once for another 45 or 90 days w/ notice
Inform of reasons for not taking action
free of charge, unless request is unfounded or excessive
No limits on deletion and do not sell requests
other information requests no more than twice a year and only for a 12-month look-back
Security
No directly imposed data security requirements
A.B. 1281 – Partial Exemptions for EE and B2B Data