I. Intro
• Four types of privacy: information, bodily, territorial, communications
• FIPPs codifications: Dept of HEW FIPPs, OECD, 1981 EU Convention, APEC Privacy Framework, Madrid
• Rights: notice, choice/consent, access
• Info security and quality
• Life cycle: collection, use/retention/disclosure
• Management/Admin and Monitor/Enforce
• United States Privacy Act: IP addresses not PI
• But FTC said breaches of healthcare information, IP addresses are personal information
A. Structure of U.S. Law
• Branches of Govt
• Congress may delegate power to promulgate regs to federal agencies (FTC, CAN-SPAM)
• Agencies may operate under statutes that give them legislative, executive, and judicial authority
• Sources of law
• Constitutions - CA constitution = right to privacy
• Legislation - 10th A reserved to states
• Regs and Rules - some agencies required to issue
• Case law - stare decisis
• Common law - via judicial decisions, social customs and expectations, special privilege rules
• Contract law - offer, acceptance, consideration
• Legal definitions
• Jurisdiction - authority to hear
• Person is entity with legal rights (natural and legal)
• Preemption - supersede inferior government
• Private right of action
B. Enforcement
• Federal Criminal
  · DOJ sole fed agency - criminal action, jail and fines
  · HIPAA both civil and criminal enforcement
• Civil enforcement - use courts for private right of action: FCRA, JFPA, VPPA, Cable Comm, invasion of privacy
• Federal Administrative actions - agency action per statute
  · basic rules under Administrative Procedure Act (APA)
  · FTC = general field authority, COPPA = specific
  · Often use consent decrees
• State enforcement - similar UDAP statutes, some include "unconscionable" practices
  · CAN-SPAM allows state AG to enforce
  · state common law privacy torts
  · contract, when physician, financial institution breaches promise of confidentiality and causes harm
  · CA AG privacy task force, app platform providers
• Other Regulatory Authorities
• HIPAA: HHS (shared with FTC)
• GLBA: Federal Reserve, Office of Comptroller of Currency
• Education: FERPA
• Tele/Marketing: FTC and FCC under TCPA
• ADA, discrimination statutes: EEOC
• DoS, DoC, DoT, FAA (drones)
• NHTSA (connected cars)
• OMB (Privacy Act of 1974) FIPs
• IRS (tax records)
• FinCEN (money laundering)
• DHS (E-Verify), ICE
• State AGs
• Self-regulatory programs and trust marks
• Understanding laws (scope and application, analyzing, determining jurisdiction, preemption)
• Theories of Liability
• Contract
• Tort (intentional, negligent, strict liability). Privacy torts:
  · intruding on seclusion
  · public revelation of private facts
  · interfering with person's right to publicity
  · casting person in false light
• subject to 1A
• negligent failure to provide adequate safeguards: unsettled area of law
• Self-regulation
• Quasi-regulatory
  · Industry drafts code of conduct
  · FTC enforces, adjudicates
• PCI DSS does all three roles
  · 3P assessment and detection
  · Penalty is getting kicked out of CC systems, $$
• Seal/Certification/trust mark
  · COPPA authorized FTC to confirm cert program
  · DAA icon and choices
  · White House encourages self-regulation with consumer input, e.g. NTIA and telcos for drones
• Cross border
• Global Privacy Enforcement Network (GPEN) in 2010: promote cross-border info sharing, investigation and enforcement cooperation w/ global privacy authorities
• Asia-Pacific Economic Cooperation (APEC)
  · framework to share info and evidence in cross-border investigations/enforcement in APAC
  · CPEA mechanism to cooperate in cross-border enforcement
  · FTC is a CPEA participant
• Intl conflicts (CH 13, 14)
C. Information management
• Role of Privacy Professional
• Manage risks consistent with company goals, ID areas where compliance is difficult, design policies to close gaps in policy vs. operations
• Risks: legal, reputation, operational, investment
• Four steps: discover, build, communicate, evolve
• Data sharing and Transfers
• Inventory - collect, store, use or disclose, customer and EE, data location/flow, how/when/who, transfer means
  · Mitigate penalties; required under GLBA Safeguards
• Classification by level of sensitivity (restricted, public), who has clearance, level of protection
  · segregate data
  · helps compliance with sector-specific laws, discovery
• flow mapping to ID areas for attention
• Accountability - retention policy, sensitivity, encryption?, intl transfer, who is controller/BA, define process steps, dependency on other systems (cloud)
• Privacy Program Development
• How many privacy policies?
• Consult legal and executives
• Revisions - notify EEs, then current and past customers
• Need opt-in for retroactive changes (FTC says unfair, even if changes are truthful)
• notice accessible - online, post in high traffic area, annual updates for FIs, training for EEs, CSRs
• Policy version control - at least once a year
• Managing User Preferences
• Opt-In, Opt-Out. Failure = Sec 5 violation
  · Not needed for "commonly accepted practices" - consumer orders a product online
  · internal ops, improving services, fraud prevention, legal compliance and first-party marketing
  · concern with innovative services
• Opt-Ins: COPPA, HIPAA, FCRA
• Opt-Outs: GLBA transfer to unaffiliated 3P
  · VPPA video data to 3P
  · CAN-SPAM email, Do Not Call
  · DMA (mail), NAI, DAA (digital)
• Scope of choice, subject or channel
• Mechanism - channel consistency
• Link user's interactions thru multiple channels
• Time period to implement required by law?
• 3P vendors, must communicate preference to them
• Customer Access and Redress
• By law under FCRA, HIPAA, FERPA
• FIPs per OECD, APEC principles, GDPR
• Judicial Redress Act 2015: non-US person in civil action against US Govt, to access records
• APEC = good baseline for when to give access
• Find out whether PI held by controller
• With sufficient proof of ID, get PI
• within reasonable time, charge, manner; understandable;
• challenge accuracy, rectify, complete, amend, delete
• except where:
  · burden or expense disproportionate to risks
  · legal or security reasons, protect CI; or
  · third person rights violated
• reasons why, and be able to challenge such denial
• Contract and Vendor Management
• K should have: CI provision, use limitation, subK, must notify of breach, infosec, effect of termination
• Due diligence: reputation, financial condition, insurance, infosec controls, point of transfer security, disposal requirements, EE awareness, incident response, audit
D. Online Privacy (CH5)
• Web Tech
• HTTPS: data transfer over an encrypted connection
• Hypertext transfer protocol (HTTP): how messages are formatted and transmitted over a TCP/IP network
• HTML: markup language to render pages, dynamic links, doctags
• XML: markup language, big data
• Firewall as web client for 2-step process
• Proxy server: masks activity, blocks bad software, keeps logs
• VPN encrypts info
• Web server log: IP address, date/time stamp, referring URL, browser type and OS
• IP address = unique #
• ISP assigns IP address
• IPv6: ID can be based on hardware interface of device
• TCP: reliable data connection
• TLS: security protocol, succeeded SSL
• Javascript: XSS danger, DoS
• CSS: style language
• Flash cookies: not cleared by the browser's cookie controls
• Data Definitions
• Pseudonymous data: direct identifiers removed; indirect identifiers remain
• Deidentified data: direct and indirect identifiers removed
• Anonymous data: direct and indirect identifiers removed or technically manipulated to prevent reidentification
• Blurring: reduces precision of disclosed data to reduce the certainty of individual identification
• Masking: masks the original values in a data set with the goal of data privacy protection
• Differential Privacy: mathematical approach; an individual's privacy risk is not substantially increased by being part of the database
• Threats: unauthorized access, malware, phishing, spear phishing, social engineering; Technical: SQL injection, XSS
• who gains access to data collected from the web:
  · 2-factor auth, password field in HTML
  · cookies are a poor mechanism for this
• Industry standard is to encrypt in transit, TLS
• authentication and protecting online identity
  · password practice, antivirus software, firewall, wifi and Bluetooth interception, file sharing - limit accessible files, public computers and chargers
• verification, certification of compliance with org policy
• email security, follow CIA (confidentiality, integrity, availability)
  · methods: remove HTML tags, scan for bad content
• SPAM principles (CAN-SPAM)
  · No false or misleading header information
  · No deceptive subject lines
  · Opt-out mechanism in each message
  · Notification that message contains adv or promo
  · Information about the sending organization
• Info Sec (CIA)
• Three: Physical, Administrative, Technical
• Types of Data Breach Incidents
• Unintended disclosure; Hacking or malware; Payment card fraud (skimming devices); Insider; Physical loss of paper documents; Portable device; Stationary device
• Incident Management for Data Breaches
• Four steps
  · 1. Determine if breach occurred; difficult to detect
  · 2. Containment and analysis
    ° Recover lost data
    ° Ask recipient of misdirected data
    ° Network intrusion: shut down
    ° Forensics, audit
  · 3. Notify affected parties
    ° Info re: risks, how to mitigate
  · 4. Follow up, adapt
• OMB guidance to Fed agencies:
  · Designate breach response team
  · ID privacy compliance documentation
  · Share info to understand extent of the breach
  · Determine what reporting is required
  · Assess and mitigate risk of harm for individuals
  · Notify individuals affected
• OMB also focused on contracts with vendors: provide training to EEs, encrypt PII, report breaches, cooperate
• Mobile privacy
• Concerns re: LBS, smart watches, health data, biometrics
• Children's Privacy
• COPPA; DOPPA for teens; CCPA for teens
• Web privacy notice. TrustArc recommends:
• Say what the organization does and do what is stated
• Tailor disclosures to actual business operations
• Do not treat privacy statements as disclaimers
• Revisit privacy statement frequently
• Communicate these privacy practices to entire company
• Layered notices, increased use
• Mobile Privacy notice
• FTC best practices for platforms, ad networks, app developers, app developer networks
• include "privacy by design (PbD)" or even privacy by default, transparency, simplification of consumer choices
• Desktop app with web interfaces
• Privacy by design approach
• Financial software: GAO advised segregate duties, disaster recovery
  · maintain reasonable security
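The Data Definitions list above (pseudonymous, de-identified, blurred, masked, differentially private data) is easier to reason about when each transformation is applied to the same records. The following is an added example and not part of the outline; the three records are constructed (fictional people), the HMAC key is assumed to be held by the data custodian separately from the data, the blurring rule (3-digit ZIP, birth year only) and epsilon = 1.0 are my choices, and `quasi_id_matches` is a hypothetical re-identification check showing why pseudonymous data is still linkable.

```python
import hashlib
import hmac
import math
import random

# Constructed sample records (fictional people, for illustration only).
RECORDS = [
    {"name": "Ada Example", "email": "ada@example.org", "ssn": "123-45-6789",
     "zip": "02139", "dob": "1984-03-17", "diagnosis": "asthma"},
    {"name": "Bob Sample", "email": "bob@example.org", "ssn": "987-65-4321",
     "zip": "02141", "dob": "1990-11-02", "diagnosis": "diabetes"},
    {"name": "Cy Test", "email": "cy@example.net", "ssn": "555-12-3456",
     "zip": "10001", "dob": "1975-07-30", "diagnosis": "asthma"},
]

DIRECT_IDS = ("name", "email", "ssn")   # direct identifiers
INDIRECT_IDS = ("zip", "dob")           # indirect (quasi-)identifiers


def pseudonymize(rec, key):
    """Pseudonymous data: direct identifiers replaced by keyed tokens (HMAC-SHA256),
    indirect identifiers left intact. Same value + key -> same token, so records
    stay linkable; the key is the re-identification secret and must be held apart."""
    out = dict(rec)
    for field in DIRECT_IDS:
        digest = hmac.new(key, rec[field].encode(), hashlib.sha256).hexdigest()
        out[field] = digest[:16]
    return out


def blur(rec):
    """Blurring: reduce precision of indirect identifiers (3-digit ZIP, birth year)."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3] + "**"
    out["dob"] = rec["dob"][:4]
    return out


def mask(rec):
    """Masking: hide original values while keeping the format (last 4 of SSN kept)."""
    out = dict(rec)
    out["name"] = "[redacted]"
    out["ssn"] = "***-**-" + rec["ssn"][-4:]
    local, domain = rec["email"].split("@")
    out["email"] = local[0] + "***@" + domain
    return out


def deidentify(rec):
    """De-identified data: both direct and indirect identifiers removed."""
    return {k: v for k, v in rec.items() if k not in DIRECT_IDS + INDIRECT_IDS}


def quasi_id_matches(records, zip_code, dob):
    """Re-identification check (hypothetical helper): how many records share this
    (zip, dob) pair? A count of 1 means a pseudonymized record is still unique."""
    return sum(1 for r in records if r["zip"] == zip_code and r["dob"] == dob)


def laplace_count(records, predicate, epsilon, rng=random):
    """Differentially private count: true count plus Laplace(1/epsilon) noise.
    A counting query has sensitivity 1, so adding or removing any one person
    changes the output distribution by at most a factor of exp(epsilon)."""
    true_count = sum(1 for r in records if predicate(r))
    u = max(rng.random() - 0.5, -0.5 + 1e-12)   # uniform in (-0.5, 0.5)
    scale = 1.0 / epsilon
    noise = -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))
    return true_count + noise


def laplace_count_mean(records, predicate, epsilon, draws, seed):
    """Average of repeated noisy counts (seeded), showing the noise is unbiased."""
    rng = random.Random(seed)
    total = sum(laplace_count(records, predicate, epsilon, rng) for _ in range(draws))
    return total / draws


if __name__ == "__main__":
    key = b"custodian-only-key"                    # assumption: stored separately
    pseudo = [pseudonymize(r, key) for r in RECORDS]
    print(pseudo[0])                               # tokens replace name/email/ssn
    print(quasi_id_matches(pseudo, "02139", "1984-03-17"))   # 1: still re-identifiable
    print(blur(pseudo[0]))                         # zip 021**, dob 1984
    print(mask(RECORDS[0]))
    print(deidentify(RECORDS[0]))                  # only the diagnosis remains
    asthma = lambda r: r["diagnosis"] == "asthma"
    print(laplace_count(RECORDS, asthma, 1.0, random.Random(7)))
    print(laplace_count_mean(RECORDS, asthma, 1.0, 5000, seed=1))   # close to 2
```

Note what each step does and does not buy: pseudonymization removes the direct identifiers but the (zip, dob) pair still singles out one record, which is why the outline treats pseudonymous data as short of de-identified; blurring widens that pair to a group; only `deidentify` drops the quasi-identifiers entirely. The Laplace mechanism protects the individual by noise on the query answer rather than by editing the records, so the single noisy count stays close to the true value of 2 while no one record is decisive.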
• Third Party
• Syndication, XSS
• Web services: facilitate comms between computers
• Cobranded sites
• Web widgets: installed on another page
• Online ad networks
• Onward Transfers
• Orgs that receive data: processor, distinct service like payment processing, controller
• FTC: onward transfer is responsibility of host website, not the third party
  · Issued guidance, enforcement actions, Privacy Shield
• Consumer: data contract, notify of transfer, opt out
E. Digital Advertising
• Cookies: small text file that a web server places on the hard drive of a user's computer
• personal information if cookie linked to identified transaction with a user, e.g. CC purchase with user's name
• If CC purchase linked in company's database with other cookie info, all info is identifiable
• GDPR: cookie identifiers can be PI
• Session cookie for shopping cart, chat session
• First vs. 3P cookie; Flash cookie respawning problem
• EU Cookie Directive (ePrivacy)
• Opt-in consent before non-essential cookies placed
• ePrivacy: cookies treated as personal data (so users must consent)
• Web Cookies best practices:
• Do not store unencrypted PI
• adequate notice of usage
• Use persistent variation only if needed
• Do not set long expiration dates
• Disclose third-party cookie provider
• opt-out (or in Europe, an opt-in) mechanism
• session, persistent, 1P, 3P, Flash cookie
• Web Beacons: clear GIF embedded in a web page or HTML email
• Used with cookies to track, create profiles with web server logs
• Online ad impression counting, monitor file download, ad campaign performance, opened email
• Digital Fingerprinting
• ID device from web server log attributes and browser characteristics such as installed fonts
• Used by banks to ask for additional auth
• Q over what is sufficient notice
• Search Engines
• Tracking queries can ID person, religion
• Encrypted searches, anonymize after time period
• Virtual assistants as surveillance devices
• Social Networking
• Inconsistent control mechanisms, still evolving
• Desktop Ad Ecosystem
• Supply, demand, ad exchanges
• Mobile Ad Ecosystem
• app-based usage, sandbox
• Default mobile browser settings block third-party cookies
• detailed location, GPS, Bluetooth for targeted advertising
• in-store mapping with MAC address database
• Cross Device Tracking
• Deterministic, predictive profiling
• FTC report recommendations
  · transparent
  · choice about tracking
  · companies refraining from cross-device tracking of sensitive topics (health, financial, children)
F. International Data Transfers
• SCC, Derogation, Adequacy, Appropriate safeguards
G. Multinational Considerations
• GDPR fundamental right to access and correct personal info about the data subject
• conflict with discovery disclosure
• employees on both continents
• CLOUD Act, Hague Convention as last resort
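The Web Cookies best practices listed under E. Digital Advertising above (no unencrypted PI in the value, no long expiration dates, disclose third-party providers) can be checked mechanically against the Set-Cookie headers a server emits. The following is an added example, not code from the outline or any product it mentions; the five headers, the first-party host shop.example.test and the fixed reference date are constructed, and the 365-day threshold is an assumption. Max-Age takes precedence over Expires, as RFC 6265 specifies, and a Luhn check is used so that only digit runs that are plausibly card numbers are flagged.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import unquote

# Constructed Set-Cookie headers, as a server might emit them (not captured traffic).
SAMPLE_HEADERS = [
    "sessionid=9f1c2a7b3e4d5c6f; Path=/; Secure; HttpOnly",
    "cart=item42; Max-Age=86400; Path=/",
    "user_email=ada%40example.org; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "card=4111111111111111; Max-Age=63072000; Path=/",
    "track=abc123; Domain=ads.example-network.test; Max-Age=63072000; Path=/",
]
FIRST_PARTY_HOST = "shop.example.test"                      # assumed site host
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
DIGIT_RUN_RE = re.compile(r"\d[\d -]{11,21}\d")            # possible card number, with separators


def luhn_ok(digits):
    """Luhn checksum, used to tell a card number from a random digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def lifetime_seconds(cookie, now):
    """None for a session cookie, else seconds until expiry. Max-Age beats Expires (RFC 6265)."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def holds_plaintext_pi(value):
    """True if the URL-decoded value carries an e-mail address or a Luhn-valid card number."""
    text = unquote(value)
    if EMAIL_RE.search(text):
        return True
    for m in DIGIT_RUN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def is_third_party(cookie, first_party_host):
    """A Domain attribute outside the site's own host marks a third-party cookie."""
    domain = cookie["attrs"].get("domain", "").lstrip(".").lower()
    if not domain:
        return False
    host = first_party_host.lower()
    return not (host == domain or host.endswith("." + domain))


def audit_cookie(header, first_party_host, now, max_days=365):
    """Return (name, 'session'|'persistent', [findings]) for one Set-Cookie header."""
    cookie = parse_set_cookie(header)
    findings = []
    life = lifetime_seconds(cookie, now)
    if life is not None and life > max_days * 86400:
        findings.append("long-expiration")
    if holds_plaintext_pi(cookie["value"]):
        findings.append("plaintext-pi")
    if is_third_party(cookie, first_party_host):
        findings.append("third-party-domain")
    return cookie["name"], ("session" if life is None else "persistent"), findings


def audit_all(headers=SAMPLE_HEADERS, first_party_host=FIRST_PARTY_HOST, now=REFERENCE_NOW):
    """Audit every header; returns {cookie name: (kind, findings)}."""
    return {name: (kind, findings)
            for name, kind, findings in (audit_cookie(h, first_party_host, now) for h in headers)}


if __name__ == "__main__":
    for name, (kind, findings) in audit_all().items():
        print(f"{name:<11}{kind:<11}{', '.join(findings) or 'ok'}")
```

Run against the sample set, the session cookie and the one-day cart cookie pass, the e-mail and card cookies are flagged for plaintext PI and for multi-year lifetimes, and the ad-network cookie is flagged as third-party, which is the case where the outline's "disclose third-party cookie provider" and opt-out (or EU opt-in) requirements apply.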
II. Limits on Private Sector
Cross-sector FTC Privacy Protection
A. Sec 5 of FTC Act: unfair and deceptive trade practices (UDTP), "unfair methods of competition"; Sec 6 investigative power
• FTC Enforcement
• Broad authority to investigate, subpoena, demand reports, administrative trial before ALJ, and enjoin
  · Consent decree most used, avoids litigation
  · ALJ decision can be appealed to the five commissioners, then to a federal court of appeals
  · FTC cannot assess civil penalties for an initial Sec 5 violation, but can once an order is violated
• BCP and DOJ litigate violations of consent decrees
• force redress of harms to consumers
• Early FTC
• Geocities misrepresented privacy policy
• Eli Lilly accidentally sent mass email exposing addresses; required to maintain info privacy and security program
• Unfair
• Can exist without deception
• fail to implement adequate protection measures for sensitive PI, inadequate disclosure, breach of promise
• FTC v. Wyndham (2015): poor security practices, no changes after repeated breaches. Order: PCI DSS audits, comprehensive infosec program
• FTC v. LabMD: hacking breach, failed to take adequate protection measures for sensitive PI. Order for comprehensive security program ruled unenforceable on appeal
• Equifax: failed to take reasonable security measures; breach exposed SSNs and home addresses of 147M; $300M consumer fund, $175M to states, $100M civil penalty to CFPB
• LifeLock: deceptive, failed to encrypt, no infosec (FTC and 35 states); paid $11M to FTC, then failed to comply with Order = $100M
• DesignerWare: unfair to secretly collect keystroke logging and geolocation; deceptive to use fake registration screens
• Deceptive
• material statement or omission likely to mislead a reasonable consumer
• false promises, misrepresentations, breach of representations, privacy policies or certifications
• Facebook: 3P access to user friends' data
• BLU: info to 3P unnecessary to provide services; misrepresented protection of PI
• Snapchat: misrepresented deletion, lax security
• Google: failed to comply with consent order, overriding default cookie settings in Safari
• Excludes banks, federally regulated financial institutions, common carriers (transportation and communications)
B. COPPA Children's Online Privacy Protection Act
• Does not preempt state laws
• Privacy Rule: clear and conspicuous notice of data collection methods; privacy policy on every web page where PI is collected
• consent by parents prior to collection of personal information from children under the age of 13
• No public security exception to allow disclosure
C. Future of Federal Enforcement
• 2012 White House Report: traditional fair information practices (FIPs)/Consumer Privacy Bill of Rights
  · Individual control
  · Transparency; Security; Accountability
  · Respect for context of collection
  · Access and accuracy
  · Focused collection (reasonable limits)
• 2012 FTC Report
  · Privacy by Design
  · Simplified consumer choice
  · Transparency
• FTC Priorities
  · Do Not Track; Mobile self-regulation; Data brokers
  · Large platform providers, comprehensive tracking
  · Enforceable self-regulatory codes
• FTC Updates
  · smart TVs, drones, ransomware, audio beacons, cross-device tracking, cars, mobile practices, streamlined updating
D. Emerging Issues
• Artificial intelligence
• Convergence with big data
  · Data minimization and deidentification
• AI must be designed to help humanity, must be designed for intelligent privacy, must be transparent; algorithmic accountability so we can undo unintended harm
• Data broker laws
• LeapLab: bought SSNs from payday loan sites, sold to businesses with no legitimate use; failure to protect data sold to 3P
• FCRA, ECOA, FTC Act all apply
Medical Privacy
A. 1996 (HIPAA) Updated by HITECH
• Does not preempt stricter state laws
• California Confidential Medical Information Act (CMIA)
• No private right of action
• Enforcement:
• Primary enforcer is HHS's Office for Civil Rights (OCR)
  · Tiered penalties based on awareness and willfulness: up to $1.5M per year for the most willful violations
• State AGs under HITECH, or UDAP or state law
• DOJ criminal enforcement (prison up to 10 years for wrongful disclosure of individually identifiable health information for commercial gain or malicious harm)
• FTC can enforce under section 5 UDAP
• FERPA = student health records
• HIPAA = non-student health records
• covered entities = healthcare providers (doctors' offices, hospitals), health plans/insurers, healthcare clearinghouses; business associates are bound by BAAs and, under HITECH, directly
• Transactions Rule
• Electronic format for reimbursement
• Privacy Rule:
• Privacy Notice: must provide at date of first service delivery and detail patient's rights to PHI, unless indirect relationship or medical emergency
• Allows use and disclosure for treatment, payment, healthcare operations (TPO)
• Need authorization for use outside TPO: what PHI, purpose, 3P recipients. Cannot condition treatment on authorization
  · Psychotherapy notes: stricter
  · Marketing, sale of PHI
• Exceptions:
  · De-identified: safe harbor (remove 18 elements) or expert determination
  · Research: permitted on de-identified data
  · Other: LE suspect or victim, etc.
    ° report abuse, neglect, or domestic violence
    ° court order, certain government functions
    ° public health (epidemic)
    ° mandated reporting (LE, gunshot wound)
    ° to fed for national security under Nat Sec Act
    ° to patient or personal rep; and HHS
  · Civil subpoena: must notify patient so they have chance to object, or seek a qualified protective order (QPO): litigating parties can't use/disclose PHI for other purposes, requires destruction afterwards
  · Admin subpoena, no court involvement, for LE:
    ° info is relevant and material, specific, limited scope
    ° de-identified info could not reasonably be used
• Minimum Necessary: limit to purpose; BAs must have K
• Access and accountings: right to access, copy, amend; if denied, append. PHI kept in "designated record set"
  · Accounting of recipients; respond w/in 30 days
  · Reasonable cost-based fee ok
• Safeguards: Admin, Physical, Tech safeguards
• Accountability: must appoint privacy official, train personnel, complaint procedures; enforcement by OCR: Anthem cyberbreach, Feinstein Institute stolen laptop
• Security Rule: minimum security requirements for ePHI
• Requires reasonable security measures: administrative, physical, technical (APT)
  · Some specs are required
  · some are addressable, so each CE/BA must decide for itself based on: cost, size, tech, risk
• Admin: appoint officer, policies and processes, EE training program and discipline for non-compliance
• Physical: access, workstation policies, disposal/backup
• Tech: encryption, login, track users
• Protect v. reasonably anticipated threats/disclosure to ePHI
• Unencrypted data loss = presumed breach by OCR
B. Health Information Technology for Economic and Clinical Health Act (HITECH)
• Breach notice, penalties, limited data
• BAs subject to privacy and security rules, must sign BAA, implement reasonable and appropriate safeguards
• Breach: must notify individuals without unreasonable delay, no later than 60 days
  · 500 or more individuals: notify HHS at the same time as individuals (fewer than 500: log and report to HHS annually)
  · 500 or more residents of the same state/jurisdiction: notify prominent media
  · safe harbor: no notification required if the PHI was encrypted per HHS guidance
• Disclosure must be minimum amount necessary
• may not sell PHI without patient authorization
C. Confidentiality of Substance Use Disorder Patient Records Rule
• Does not preempt state laws; violation is criminal
• Scope: disclosure of "patient identifying" information by treatment programs for alcohol and substance abuse (ASA)
• Applicability: any program that receives federal funding:
  · Individual or entity that …
  · identified unit within a general medical facility that …
  · Medical personnel or other staff in a general medical facility whose primary function is … to provide ASA diagnosis, treatment, referral for treatment
• Must obtain written patient consent before disclosing; consent must specify type of info, general designation ok
• Redisclosure prohibited if info would identify individual as having been diagnosed, treated, or referred for treatment
• Cannot use info for criminal charges against patient
• Must have formal policies to protect PI
• Exceptions to consent requirements:
  · Medical emergencies
  · Scientific research; audits and evaluations
  · Comms with a qualified service organization
  · Crimes on program premises or against personnel
  · Child abuse reporting; court order
• Criminal fines for violations (US Attorney's office):
  · First: not more than $500
  · $5,000 for each subsequent offense
D. Genetic Information Nondiscrimination Act of 2008 (GINA)
• genetic information in health insurance and employment
• No employment discrimination (enforced like Title VII of the Civil Rights Act); ERs can't request/use genetic info about EEs or family except:
  · request was inadvertent
  · part of an employer wellness program and voluntary
  · comply with FMLA
  · ER buys commercial, publicly available info
  · legally required genetic monitoring for toxin exposure in the workplace, employee voluntarily participates
  · DNA lab EEs' samples for quality control (contamination)
• ER must keep separate from medical files
• No private right of action, but may be available under the federal laws that GINA revises, similar state laws
• Amended ERISA, Public Health Service Act, Social Security Act: can't adjust premiums based on genetic info, absent symptoms
• Penalties: $100/day of noncompliance, minimums up to $15,000
E. The 21st Century Cures Act of 2016 (Cures Act)
• Expedite research process, new medical devices, drug approval; reform mental health treatment
• Privacy Provisions:
• FOIA exemption for individual biomedical research info
• Researchers can remotely view PHI (must meet minimum safeguards of HIPAA's Privacy and Security Rules)
• Information blocking prohibited, but HIPAA's protection of PHI remains; fine up to $1M
• NIH Certificates of Confidentiality for federally funded research; can't use info in legal/admin proceedings w/o consent
• Compassionate sharing of mental health or substance abuse information with family or caregivers
Financial Privacy CH 9
A. The Fair Credit Reporting Act (FCRA)
• Generally preempts state law (see FACTA)
• Does not preempt states from stricter laws re: employment credit history checks, such as the California ICRAA
• Enforcement: private right of action, dispute resolution, FTC & CFPB share, State AGs = concurrent enforcement authority
• FTC v. TeleCheck: check authorization co. and CRA did not comply with dispute procedures for consumers whose checks were denied. TRS (debt-collection co.) violated the Furnisher Rule, which requires furnishers to ensure accuracy of info provided to CRAs. FTC targeting data brokers
• CFPB v. Clarity Services: failed to properly investigate consumers who disputed info on credit reports & obtained credit reports without permissible purpose
• CFPB v. JPMorgan Chase: failed to have reasonable policies re: accuracy of info it gave to CRAs, and failed to give consumers results of investigations where the consumer disputed accuracy
• CFPB consent order with CitiFinancial: failed to reasonably investigate consumers' disputes, failed to complete investigations in timely manner, failed to accurately report certain delinquent accounts
• Violations: civil and criminal penalties. Willful: actual damages or statutory damages of $100 to $1,000 per violation, plus punitive; FTC civil penalty up to $3,756 per knowing violation
• Amended by FACTA re: ID theft, truncation of card numbers, KYC, free annual report, Disposal Rule, Red Flags Rule, EE internal investigations
• Consumer report is any communication by a CRA that pertains to:
  · Creditworthiness, credit standing, credit capacity
  · Character, general reputation
  · Personal characteristics, mode of living
• Four User requirements:
  · 3P data for decision making must be accurate, current, complete
  · Give consumers notice when 3P data used to take adverse action (AA)
  · only use for permissible purposes
  · consumer must have access to their consumer reports and opportunity to dispute or correct errors
• Also: record keeping, certifications, securely dispose
• CRAs MUST:
• Give consumers access to their consumer reports and opportunity to dispute or correct errors
• Ensure maximum possible accuracy of report
• Not report outdated negative info: >7 years old; bankruptcies >10 years
• Provide only to entities with permissible purpose
• Maintain records regarding entities that received reports
• Provide consumer assistance as required by FTC
• FTC drafted Notice
• User
• Users must have a "permissible purpose":
  · Court order; in connection with child support payments
  · Consumer requests in writing
  · Extension of credit
  · Underwriting of insurance
  · Employment purposes
  · See if consumer breached terms of account
  · Eligibility for license or other govt benefit
  · Valuation assessment by investor/servicer/insurer
  · Prescreened unsolicited offers of credit or insurance
• Users must provide certifications of permissible purpose
• Users must notify consumers of adverse actions
• Adverse Action based on info from CRA: inform consumer (oral ok):
  · Contact info of CRA
  · Statement that CRA didn't take the adverse action and can't explain it
  · Statement of consumer's right to obtain free disclosure of file from CRA if consumer requests within 60 days
  · Statement of consumer's right to dispute directly with CRA the accuracy and completeness of info
• Adverse Action based on info from non-CRA 3P: credit for personal, family or household purpose; must inform consumer of right to be informed of the nature of the info that was relied upon if request is made within 60 days. User must disclose within a reasonable period of time.
• Adverse Action based on info from affiliates: insurance, employment, or credit; must inform consumer they may obtain disclosure of the nature of the info relied upon by making a request within 60 days. User must disclose within 30 days
• Other Disclosures
• If use credit scores re: mortgages, must give credit scores and other info about credit scores to applicant
• Risk-based pricing notice to the consumer if CR used in connection with application for credit on terms that are less favorable than the most favorable terms available to most other consumers. E.g., Sprint
• Companies that extend credit to consumers must implement Red Flags program to deter identity theft
• Medical Info (usually just payment info)
  · payment info must be coded, not identify medical provider
  · For insurance transactions, must be coded or need prior consent
  · For employment or credit purposes, need prior consent and info must be relevant
  · Disclose only as necessary, or as required by law
• Prescreened Lists
• creditors and insurers can obtain limited consumer report info in connection with firm unsolicited offers of credit or insurance
• obtain from CRA a list of consumers who meet certain preestablished criteria
  · must: (1) before the offer is made, establish the criteria that will be relied upon to make the offer and to grant credit or insurance
  · (2) maintain such criteria on file for a three-year period from the date the offer is made to each consumer
  · any user must include with each written solicitation a clear and conspicuous statement that:
    ° Info in consumer's CRA file was used
    ° consumer received offer b/c they satisfied the criteria for creditworthiness or insurability
  · Credit or insurance may not be extended if, after the consumer responds, it is determined that the consumer does not meet the criteria, or does not furnish required collateral
• consumer can opt out of use of info in their file for future prescreened offers by contacting the notification system established by the CRA that provided the report
• 2015: must give simple, easy-to-understand notices explaining consumer's right to opt out of receiving offers
B. The Fair and Accurate Credit Transactions Act (FACTA)
• Made substantial amendments to FCRA
• CFPB is rule-making and enforcement authority
• preempts most stricter state laws except:
  · states retain some powers to enact laws re: ID theft
  · laws re: insurers' use of credit-based insurance scores called out by FACTA as not preempted
  · credit scores: state laws in CA, CO
  · frequency of free credit reports: state laws in CO, GA, ME, MD, MA, NJ, and VT remain in effect
• Required truncation of debit and credit card numbers on receipts
• Required more detailed "know your customer" documentation for domestic and foreign FIs
• Gave consumers new rights to explanation of credit scores and right to request a free annual credit report
• Add'l rules for "free offers" of report w/ font limitations
• Disposal Rule and Red Flags Rule
• FACTA Disposal Rule
• Disposal = sales, transfer, donation
• User of consumer report and derived info must dispose in a way that prevents unauthorized access and misuse; reasonable methods based on media
• Enforcement: FTC, federal banking regulators, CFPB
• Violations: civil liability
• State disposal rules may impose broader requirements
• FACTA Red Flags Rule
• required FTC and fed banking agencies to develop rules for FIs to detect, prevent and mitigate ID theft
• CFPB has rulemaking and enforcement authority
• Red Flag Program Clarification Act of 2010 narrowed definition of creditor to exclude service providers who bill in arrears. Applies if you're a creditor:
  · Use consumer reports in connection with credit transactions
  · Furnish information to CRA
  · Advance funds to or on behalf of someone
• Each entity must create its own list of red flags. FTC recs:
  · Alerts from CRA; suspicious ID documents; suspicious personal identifying data; unusual use of covered account
C. State Financial Data
• Credit History
• FCRA does not preempt states from stronger laws for employment credit history checks, such as ICRAA
• 11 states (CA CO CT HI IL MD NV OR VT WA) limit the use of credit information in employment
  · credit history info used only for position applied for
• some states allow credit history checks to be performed for predefined occupational categories:
  · finance or management or exposure to CI
D. Gramm-Leach-Bliley Act (GLBA): privacy framework for modern banking
  • Does not preempt stricter state laws
  • Covers banks, insurance providers, securities firms, payment settlement
    services, check-cashing services, credit counselors, pawn shops,
    mortgage lenders (anyone "significantly engaged" in financial activities)
  • Enforcement:
    • No federal private right of action
      · private right of action in some states
    • Failure to give certain notices may be a deceptive trade practice
      under federal and state law
    • By federal financial regulators for institutions in their jurisdiction:
      Federal Reserve, Office of the Comptroller of the Currency, FDIC, and
      SEC
    • Financial institutions not in the jurisdiction of the other agencies:
      FTC and CFPB
    • State AGs can enforce
    • TaxSlayer: poor security measures
    • Venmo: misled consumers re: privacy practices and security of data
  • Violations: civil and criminal
    • Penalties under the Financial Institutions Reform, Recovery, and
      Enforcement Act (FIRREA):
      · up to $5,500 per violation
      · max of $27,500 if violations are unsafe or reckless
      · $1.1M for knowing violations
    • U.S. Bancorp / MemberWorks v. MN AG: bank sold NPI to a
      telemarketer that used the account data to auto-charge customers
  • Definitions
    • Consumer = anyone who buys or applies for a financial product
      for personal, family, or household purposes
    • Customer = consumer who has an ongoing customer relationship
      (account holder)
    • Customer, non-consumer = customer who is not also a consumer,
      i.e., a large institutional customer
  • FIs must protect consumers' nonpublic personal information (NPI)
  • Regulates "nonpublic personal information", defined as
    personally identifiable financial information:
    · provided by a consumer to a financial institution,
    · resulting from a transaction or service performed for the
      consumer, or
    · otherwise obtained by the financial institution,
    · including the fact that someone is the FI's customer
  • Publicly available info is not NPI (phone book, govt records)
E. GLBA Privacy Rule: financial institutions must:
  • Give customers clear and conspicuous notice of the FI's info-sharing
    policies, annually:
    · info collected from customers and consumers
    · recipients
    · how it protects/safeguards the info
    · how the consumer can opt out of info sharing through a reasonable
      opt-out process
  • After giving notice, FI can share any info it has with affiliates
    and joint-marketing partners
  • If FI also wants to share with nonaffiliated 3Ps and no exception applies:
    · must also disclose info-sharing practices and the opt-out
    · wait a reasonable time for the opt-out before sharing NPI
  • Exceptions: consumer can't opt out (FI can share w/o notice):
    · outsourced crucial services (transaction processing)
    · outsourced marketing service provider
    · disclosure is legally required
  • Must process opt-outs within 30 days
    · can't discriminate against those who opt out
  • Customers who are not consumers: fewer notice requirements
  • If FI wants to share with nonaffiliated 3Ps and no exception applies:
    ° must give a privacy notice
    ° including an opt-out notice
    · can give a short-form notice instead of the full notice if it:
      ° explains that the full privacy notice is available on request;
      ° gives a reasonable way to get the full privacy notice; and
      ° includes an opt-out notice
    ° model short-form privacy notice: Financial Services
      Regulatory Relief Act (FSRRA)
  • FI can never share consumer account numbers with nonaffiliated 3Ps
    for marketing, even if the consumer hasn't opted out
  • FI must ensure service providers do not use consumer data for
    anything other than the intended purpose
  • GLBA allows disclosure for an investigation on a matter "related to
    public safety" (national security)
F. GLBA Safeguards Rule
  • FIs must protect the CIA of personal consumer info
  • Develop a program that addresses ATP (administrative, technical, physical) safeguards
  • Five must-dos:
    · designate an employee to coordinate safeguards
    · identify and assess risks to customer info
    · implement the safeguard program and regularly monitor it
    · select appropriate vendors and sign contracts with them
    · evaluate and update the program upon changes
  • Note: CFIPA conflict
G. CA SB-1, California Financial Information Privacy Act (CFIPA)
  • CCPA applies to FIs when engaged in activity outside of GLBA
  • CFIPA applies to FIs when engaged in GLBA activity
    · caution: applies to the dataset, not to who holds the dataset
  • Opt in required for FI to share data with nonaffiliated parties
  • Opt out for FI to share data with affiliates not in the same line of
    business
  • But FI can share nonmedical info with affiliates in the same line of
    business, e.g., insurance, banking, securities
  • Violations:
    · negligent noncompliance: statutory damages of $2,500 per
      consumer, up to $500,000 per occurrence
    · willful noncompliance eliminates the $500,000 cap
H. New York Cybersecurity Regulation (2017): NYDFS comprehensive, strict
   cybersecurity regulations that far exceed GLBA
  • Cybersecurity mandates on all covered FIs
  • Based on the National Institute of Standards and Technology (NIST)
    Cybersecurity Framework
  • Risk assessments, documented policies, designated CISO, limits on data
    retention, incident response plan, audit trails
  • Defines nonpublic information more broadly than GLBA
  • Key requirements not in GLBA: personnel, reporting,
    documentation, and 3P service provider requirements
I. Dodd-Frank Wall Street Reform & Consumer Protection Act
  • Created the CFPB, an independent bureau within the Federal Reserve, with broad authority
  • Rulemaking authority for existing financial privacy laws: FCRA,
    GLBA, Fair Debt Collection Practices Act
  • Supervises all nondepository FIs and depository FIs with over $10B in assets
  • Can conduct investigations, issue subpoenas, hold hearings
  • Civil actions under UDAP & "abusive acts and practices", i.e., conduct that:
    · materially interferes with the ability of a consumer to
      understand a term or condition of a financial product, or
    · takes unreasonable advantage of:
      ° the consumer's lack of understanding of risks, costs, conditions;
      ° the inability of the consumer to protect its interests; or
      ° reasonable reliance on a covered person to act in the
        interests of the consumer
  • Violations:
    • $5,526/day for federal violations
    • $27,631/day for reckless violations
    • $1,105,241/day for knowing violations
  • State AGs can bring civil actions under the Act
J. Bank Secrecy Act of 1970 (BSA)
  • Aka the Currency and Foreign Transactions Reporting Act
  • Treasury Secretary can impose record-keeping and reporting
    requirements on FIs to fight money laundering and fraud
  • Applies to entities subject to supervision by a state or federal bank
    supervisory authority: banks, securities brokers, card clubs,
    telegraph companies, casinos; evolves as launderers get creative
  • Reporting
    • currency transactions in excess of $10,000
    • check transactions of $3,000 or more: info re: the purchaser
    • certain wire transfers
    • exempted: Electronic Funds Transfer Act transactions, automated
      clearinghouses, ATM or POS systems
  • Record retention:
    • extensions of credit of $10,000 or more
    • other records, those with a "high degree of usefulness":
      · borrower's name and address
      · credit amount, purpose, and date of credit
      · such records may be maintained for five years
    • deposit account records: taxpayer ID; signature cards
    • CDs
    • wire transfers and direct deposits of $100 or more
  • Suspicious Activity Reports (SARs)
    • Alert the U.S. Dept of Treasury's Financial Crimes Enforcement
      Network (FinCEN) when the FI:
      · suspects an insider of committing a crime (any amount)
      · detects a crime of $5,000 or more and has a basis for identifying a suspect
      · detects a crime of $25,000 or more (no need for a suspect)
      · detects currency transactions aggregating $5,000 or more that
        involve potential money laundering
  • Violations:
    • Civil penalties, fines:
      · the greater of $25,000 or the transaction amount, up to a $100,000 max
      · negligence: $500 per violation
      · additional $5,000 per day for failure to comply
    • Penalties up to $25,000 for failure to meet the info-sharing requirements
      of the PATRIOT Act
    • Penalties up to $1M for failure to meet due diligence requirements
    • Criminal penalties:
      · up to $100,000 fine and/or 1 year jail, and
      · up to $10,000 fine and/or 5 years jail
K. International Money Laundering Abatement and Anti-Terrorist
   Financing Act of 2001
  • Part of the USA PATRIOT Act
  • Expanded BSA's reach
  • Gave the Treasury Secretary the ability to make broad, modified KYC rules
  • USA PATRIOT Act compliance issue categories:
    • Info-sharing regs: cooperate to deter money laundering
    • KYC rules: identification of beneficial owners of accounts, procedures
    • Development of formal anti-money-laundering programs
    • BSA expansions: new reporting and record-keeping for different
      industries (broker-dealers) and for currency transactions
  • Evolving: Foreign Account Tax Compliance Act of 2010 (FATCA):
    more detailed "KYC" documentation for domestic/foreign FIs
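The BSA reporting and record-retention rules in J above reduce to a handful of threshold checks, and it is worth seeing them run over data. The block below is an added example written for this outline, not code from FinCEN or from the outline's author. Its dollar thresholds are the ones the outline lists; the per-customer, per-business-day aggregation of cash for the CTR is an assumption drawn from FinCEN's CTR rule rather than something the outline states; and the analyst flags (`insider`, `suspected_crime`, `suspect_known`, `ml_indicator`) and the sample transactions are constructed stand-ins for whatever case-management system would feed a real check.

```python
"""Added example, not from the outline: BSA currency-transaction report
(CTR) and SAR trigger checks run over constructed sample transactions.

Thresholds come from the outline (J above). Per-customer, per-business-day
aggregation of cash for the CTR follows FinCEN's CTR rule and is an
assumption here, not something the outline states. The analyst flags
(insider, suspected_crime, suspect_known, ml_indicator) are constructed
inputs standing in for whatever case-management system feeds the check."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

CTR_THRESHOLD = 10_000      # CTR: currency transactions in excess of $10,000
SAR_WITH_SUSPECT = 5_000    # SAR: crime of $5,000+ with a basis to identify a suspect
SAR_NO_SUSPECT = 25_000     # SAR: crime of $25,000+, suspect or not
SAR_ML_AGGREGATE = 5_000    # SAR: currency aggregating $5,000+ with possible laundering
CREDIT_RECORD = 10_000      # retain records for extensions of credit of $10,000+
WIRE_RECORD = 100           # retain wire / direct-deposit records of $100+


@dataclass
class Txn:
    customer: str
    amount: int                 # whole USD
    kind: str                   # "cash", "wire", "direct_deposit", "credit", "check"
    day: date                   # business day
    insider: bool = False       # constructed flag: an employee is involved
    suspected_crime: bool = False
    suspect_known: bool = False
    ml_indicator: bool = False  # constructed flag: analyst sees a laundering pattern


def ctr_candidates(txns):
    """(customer, day) pairs whose aggregated cash exceeds $10,000."""
    totals = defaultdict(int)
    for t in txns:
        if t.kind == "cash":
            totals[(t.customer, t.day)] += t.amount
    return sorted(k for k, v in totals.items() if v > CTR_THRESHOLD)


def sar_triggers(txns):
    """(customer, day, reason) for every SAR trigger the outline lists.
    Per-transaction reasons are checked from most to least specific; the
    laundering trigger is aggregated across a customer's cash on one day."""
    hits = []
    ml_totals = defaultdict(int)
    for t in txns:
        if t.suspected_crime and t.insider:
            hits.append((t.customer, t.day, "insider crime, any amount"))
        elif t.suspected_crime and t.suspect_known and t.amount >= SAR_WITH_SUSPECT:
            hits.append((t.customer, t.day, "crime >= $5,000 with identifiable suspect"))
        elif t.suspected_crime and t.amount >= SAR_NO_SUSPECT:
            hits.append((t.customer, t.day, "crime >= $25,000, no suspect needed"))
        if t.kind == "cash" and t.ml_indicator:
            ml_totals[(t.customer, t.day)] += t.amount
    for (cust, day), total in ml_totals.items():
        if total >= SAR_ML_AGGREGATE:
            hits.append((cust, day, "cash aggregating >= $5,000 with laundering indicator"))
    return sorted(hits)


def retention_required(t):
    """True when the outline's record-retention rules reach this transaction."""
    if t.kind == "credit":
        return t.amount >= CREDIT_RECORD
    if t.kind in ("wire", "direct_deposit"):
        return t.amount >= WIRE_RECORD
    return False


# Constructed sample data; none of these are real transactions.
SAMPLE = [
    Txn("acme", 6_000, "cash", date(2024, 3, 1)),
    Txn("acme", 4_500, "cash", date(2024, 3, 1)),   # same day: $10,500 in cash
    Txn("bob", 9_900, "cash", date(2024, 3, 1)),    # alone, under the CTR line
    Txn("carol", 30_000, "check", date(2024, 3, 2), suspected_crime=True),
    Txn("dave", 7_000, "wire", date(2024, 3, 2), suspected_crime=True, suspect_known=True),
    Txn("erin", 3_000, "cash", date(2024, 3, 3), ml_indicator=True),
    Txn("erin", 2_500, "cash", date(2024, 3, 3), ml_indicator=True),  # $5,500 aggregate
    Txn("frank", 200, "cash", date(2024, 3, 3), insider=True, suspected_crime=True),
    Txn("gina", 12_000, "credit", date(2024, 3, 4)),
    Txn("hal", 50, "wire", date(2024, 3, 4)),
]

if __name__ == "__main__":
    print("CTR:", ctr_candidates(SAMPLE))
    for hit in sar_triggers(SAMPLE):
        print("SAR:", hit)
    print("retain:", [t.customer for t in SAMPLE if retention_required(t)])
```

Two design points matter in practice: the CTR check aggregates, so "acme" trips it with two sub-threshold deposits on one day while "bob" at $9,900 does not, and the SAR checks are ordered so a transaction is reported under the most specific trigger rather than several at once.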
II.D Education (Ch. 10)
A. Family Educational Rights and Privacy Act (FERPA)
  • Applies to all educational institutions that get federal funding
  • Does not preempt state law
  • Provides students with the right to (FIPPs):
    • control the disclosure of their education records
    • review and seek amendment of their education records
    • receive annual notice of their rights under FERPA
    • file complaints with the U.S. Department of Education
  • Education record: directly related to a student, maintained by the
    school or on its behalf, in any format. Excluded:
    · campus police, employment, treatment, applicant, and alumni records;
      grades on peer-graded papers
  • Disclosure of an education record is permitted if:
    · the info is not PII
    · the info is directory info, and there is no opt-out
    · consent is provided by the parent or by a student 18 or older
    · disclosure is to the holder of the FERPA rights
    · a statutory exception applies, e.g., health or safety purposes
    · the PII is in directory information
  • GPA, grades, or transcripts are not released without consent
  • Personally identifiable info (PII):
    • name of the student, the student's parent, or another family member
    • mailing address; SSN or student number
    • other identifiers such as DOB
    • other info that alone or in combination would link to the student
    • info requested by a person whom the school reasonably believes
      knows the identity of the student
  • Directory info: not generally considered an invasion of privacy or
    harmful if disclosed (self-determined by the school)
    • name, DOB, address, email, phone #, major, honors
    • never SSN; maybe student ID
  • Consent under FERPA
    • must be signed and dated, and must also identify:
      · the record to be disclosed; the purpose; the recipient
    • use reasonable methods to authenticate the requester
  • Records-disclosure consent exceptions:
    • to school officials with a "legitimate educational interest"
      · outsourcer can't re-disclose
    • to educational institutions where the student seeks to enroll
    • in connection with financial aid
    • to orgs doing research studies for educational institutions
    • to accrediting orgs
    • to the alleged victim of a forcible or nonforcible sex offense
      · info related to sex offenders
      · to the verified party that provided or created the record
      · to law enforcement per judicial order or subpoena
      · to appropriate parties in connection with a health or safety emergency
  • Right to access records
    • within 45 days of the request
    • if denied the opportunity to fix a record, the requester must be given a hearing
    • no right to access parents' financial records, treatment records,
      confidential letters of recommendation, LE records, third-party info
  • Right to correct records if inaccurate, misleading, or in violation of
    privacy
  • Enforcement
    • Dept of Education, Family Policy Compliance Office (FPCO), investigates complaints
    • penalty: loss of federal funding
    • no private right of action
  • Who has rights?
    • a student 18 or older is the person in control of the rights
    • the parent, for a minor
    • if the student has left high school and is attending only a

      postsecondary institution, the rights are held by the student regardless
      of age
    • a school may disclose to parents the educational records of a student
      without the student's consent if the student is a dependent for tax
      purposes
B. FERPA and the Protection of Pupil Rights Amendment (PPRA)
  • Applies to elementary and secondary schools that receive
    federal funding, not colleges
  • Parents' rights re: collection of sensitive info from students
    through surveys:
    · political affiliations; mental and psychological problems; sex; illegal, antisocial,
      self-incriminating and demeaning behavior; critical
      appraisals of individuals with whom the student has privileged relationships; religion;
      income (other than as required by law)
C. No Child Left Behind Act of 2001
  • Broadened PPRA to limit collection/disclosure of student survey
    info. Now requires schools to:
    · enact policies re: surveys for commercial purposes
    · allow parents to inspect surveys and opt out; give prior notice
D. FERPA and the HIPAA Privacy Rule
  • Health records are subject to FERPA and not HIPAA where a
    public K-12 school has a nurse for student health
  • FERPA does not apply to private elementary or secondary
    schools that do not receive federal funding
    · subject to HIPAA if the school is a "covered entity"
  • Both FERPA and the HIPAA Privacy Rule typically apply to college
    healthcare because it treats both students and staff:
    · FERPA applies to student health records
    · HIPAA Privacy applies to nonstudent health records
E. Education Technology
  • Google Apps: students sued, alleging a FERPA violation
  • Self-regulation: tech pledge to safeguard student privacy; a violation is
    enforced as a deceptive trade practice under FTC Act Sec. 5

Telemarketing and Marketing Privacy
A. FTC issued the Telemarketing Sales Rule (TSR) in 1995
  • FCC counterpart: rules under the Telephone Consumer Protection Act of
    1991 (TCPA)
    · restricts unsolicited advertising by phone, fax, texts
  • FCC and FTC share regulatory jurisdiction
    · FCC promotes transparency in online comms, monitors online
      markets, handles consumer complaints, and investigates
    · FTC prevents UDAP, takes enforcement actions
  • Does not preempt stricter state laws
    • some states require marketers to be licensed or to register with the state
    • state DNC lists with differing exceptions/fines
    • some require a written contract for certain transactions
  • Enforcement by FTC, state AGs, or private individuals
    • civil penalties up to $42,530 per call
    • state private right of action via the intrusion-on-seclusion tort
B. Rules Governing How Calls Can Be Made Under Telemarketing Laws
  • Defines telemarketing as a plan, program, or campaign conducted
    to induce the purchase of goods/services or a charitable contribution,
    using interstate phone calls
  • TSR requires covered orgs to:
    • call only between 8am and 9pm (local time of the called party)
    • screen and scrub names against the national DNC list
    • display caller ID info
    • identify themselves and the product they are selling
    • disclose all material info and terms
    • comply with special rules for prizes and promotions
    • respect requests not to be called back
    • retain records for at least 24 months
    • comply with special rules for automated dialers
  • TSR requires disclosures at the beginning of the call:
    • identity of the seller
    • that the purpose of the call is to sell goods/services
    • nature of the goods/services
    • that no purchase or payment is necessary to participate in or win a
      promotion, and that purchasing does not increase the chances of winning
    • if the call has multiple purposes (sale of different types of products
      or different purposes), disclosures have to be made for all sales
      purposes
  • Misrepresentations/material omissions: ten categories of info that must
    always be disclosed:
    • cost and quantity
    • material restrictions, limitations, conditions
    • performance, efficacy, central characteristics
    • refund, repurchase, or cancellation policies
    • material aspects of prizes, investment opportunities
    • affiliations, endorsements, or sponsorships
    • credit card loss protection
    • negative option features
    • debt relief services
  • More disclosures for non-credit-card payment (phone or utility billing), with
    express verifiable authorization
  • Caller ID must be transmitted if technically feasible
  • Call abandonment prohibited: must connect the call to a live sales rep
    within 2 seconds of the person's completed greeting
  • No pre-recorded sales pitches w/o opt-in from the consumer
  • Abandonment safe harbor:
    · use tech to ensure less than 3% abandonment, measured per
      day per calling campaign
    · allow the telephone to ring for 15 seconds or four rings before
      disconnecting an unanswered call
    · play a recorded message with the name and phone # of the seller if a live
      sales rep is unavailable within 2 seconds of the person answering
    · maintain records documenting adherence to the preceding 3
      requirements (97% of calls answered by a live rep)
  • Unauthorized billing: can't bill without consent
    · more rules for billing to pre-acquired account info
    · special requirements for free-to-pay conversion offers ("freemium"):
      ° last four digits of the account number
      ° audio recording of the transaction
  • Robocalls / autodialers: TCPA updates
  • FCC revised its TCPA rules to reconcile with the TSR:
    · even if the business has an EBR, still need prior express written
      consent for a robocall to a residential #
    · consumer can opt out of future robocalls during the robocall
    · aligned with FTC: requires assessment of the call abandonment
      rate every 30 days
    · HIPAA health-related entities are exempt
  • Consent can be revoked at any time by any reasonable means
  • Robotexts
    • texts are subject to the TCPA
    • prior written consent must be clear and conspicuous
    • consent cannot be a requirement of purchase
    • the mere fact that a consumer's wireless # appears in the contact list of
      another customer is not consent
    • when the caller has consent for a wireless # and the # is reassigned, the caller
      is not liable for the first call but is liable for subsequent calls
  • Records:
    • advertising and promotional materials
    • prize recipients' info
    • sales and employee records
    • all verifiable authorizations or records of express informed
      consent or express agreement
    • each sales record must include:
      · name and last known home address of each customer
      · goods or services to be purchased
      · date the goods or services were shipped/provided
      · amount the customer paid for the goods/services
    • info on former and current employees:
      · name, job title, home address and phone number, alias
C. Rules Governing Who Can Be Called Under Telemarketing Laws
  • FTC created the U.S. National Do Not Call (DNC) Registry
  • Enforced by FTC, FCC, and state AGs
    · civil penalties up to $42,530 per call
    · private right of action under the state intrusion-on-seclusion tort
  • Must obtain a Subscription Account Number (SAN), non-transferable
  • Must update call lists every 31 days
  • Exceptions to the list:
    · nonprofits calling on their own behalf
    · calls to customers with EBRs within the last 18 months
      ° prospects: last three months
    · inbound calls, with no upsell of additional products/services
    · most business-to-business calls
    · consumer clearly and conspicuously opts in to calls, with signature and phone #;
      don't bundle consent with sweepstakes
  • Telemarketers can avoid liability under the DNC safe harbor if they:
    • implement written procedures to honor requests
    • train personnel and any entity assisting in compliance
    • maintain and record an entity-specific DNC list
    • maintain records documenting use of the entity-specific DNC and of a National DNC
      version obtained within 31 days of the call
    • have someone who monitors and enforces compliance
    • can show the call was the result of error
D. Junk Fax Marketing: TCPA covers faxes
  • Junk Fax Prevention Act (JFPA): consent can be inferred from an
    EBR, as long as the sender offers an opt-out
  • Private right of action
  • Statutory damages of up to $500 per fax
  • Preempted a CA law, on interstate-regulation grounds
E. Controlling the Assault of Non-Solicited Pornography and
   Marketing Act of 2003 (CAN-SPAM)
  • No private right of action
  • Preempts most state spam laws
    • not superseded if they prohibit false or deceptive activity
  • Applies to: transmission of commercial email whose primary purpose
    is advertising a product, directed to or from the U.S.
  • Enforcement: FTC, other federal regulators, state AGs and other
    state officials
  • Violations:
    • fines up to $40,654 per violation
    • authorizes ISPs to sue; the act allows injunctive relief and damages up
      to $250 per violation with a max of $2M
    • court may increase the damage award up to 3 times in cases of
      willful or aggravated violations
    • egregious cases punishable by up to 5 years' imprisonment
    • 2009: a federal judge shut down 3FN based on the FTC's allegations
      that it knowingly distributed spam and malware and hosted
      illegal content, including child pornography
  • Commercial email content:
    • prohibits false or misleading headers
    • prohibits deceptive subject lines
    • clear and conspicuous notice of opt-out, by return email or opt-out link
    • 10 business days' grace period to honor an opt-out
    • clear and conspicuous identification that the message is commercial (unless affirmative consent
      was provided), and
    • physical address of the sender
  • Prohibits aggravated violations re: commercial email:
    • address-harvesting and dictionary attacks
    • automated creation of multiple email accounts
    • retransmission of commercial email through unauthorized
      accounts
  • Email with sexually oriented material must have a warning label
    (unless the recipient has given prior affirmative consent)
  • Marketer is liable for vendor violations
  • Deceptive commercial email could also be a false, misleading ad
  • FTC has authority to issue rules implementing CAN-SPAM
  • Commercial vs. transactional or relationship messages, whose
    primary purpose is to:
    · facilitate or confirm a commercial transaction
    · give warranty or safety info re: a product purchased
    · give info re: an ongoing commercial relationship
    · provide info re: employment or a related benefit plan
    · deliver a purchased service to the recipient
F. Wireless Message Rules Under CAN-SPAM
  • MSCM (mobile service commercial message) is commercial email transmitted directly to a wireless
    device used by a subscriber of a commercial mobile service, that
    uses a unique electronic address that includes a reference to an
    Internet domain
  • FCC says the rules are designed to apply only to mail addresses designated by
    carriers for mobile service messaging
  • Rules cover SMS but not phone-to-phone messages
  • Requires the subscriber's express prior authorization (opt in):
    · given prior to sending the MSCM
    · authorization/revocation is free to the user; enable revocation
      by the same means
    · authorization must be documented
    · each authorization must disclose:
      ° that the subscriber agrees to receive MSCMs on the device
      ° from a particular identified sender (no 3Ps)
      ° that the subscriber may be charged for receipt of the message
      ° that the subscriber may revoke authorization at any time
    · disclosures must be clear and conspicuous, be separate, and have a conspicuous opt-out
      link
  • 10 business days' grace period to process a revocation of authorization
  • Wireless Domain Registry
    • FCC registry of wireless domain names that are do-not-text:
      commercial mobile radio service providers must identify all email
      domains dedicated to subscribers for wireless devices
    • senders are responsible for checking before sending commercial
      messages to anyone on a listed domain
    • providers must update the registry within 30 days before issuing any new or
      modified domain names
G. Telecommunications Act of 1996
  • CPNI (customer proprietary network information) is info collected by telecom carriers about subscribers:
    subscription info, services used, network and billing info, phone
    features and capabilities, call log data such as time, date,
    destination and duration of calls
    · not CPNI: certain PI such as name, phone #, address
  • No sale of CPNI without prior consent:
    · need opt-in before carriers can share CPNI with joint
      venture partners and vendors for marketing purposes
  • Restrictions on access, use, and disclosure of CPNI
    · OK within service categories the customer already subscribes to
    · carriers can use CPNI for billing and collections, fraud
      prevention, customer service, and emergency services
    · U.S. West Inc. v. FCC set the legal standard of opt-out for a
      carrier's own use of CPNI
  • Other requirements aimed at curbing pretexting, i.e., gaining
    access to CPNI through fraudulent means:
    · carriers must notify LE if CPNI is disclosed in a security breach,
      within seven business days
    · customers must give a password before they can access their
      CPNI via telephone or online account
    · carriers must certify compliance annually, explain how their
      systems ensure compliance, and provide an annual summary of
      consumer complaints re: unauthorized disclosure of CPNI
  • Applies to carriers and VoIP; Trump repealed the FCC's attempt to
    regulate ISPs
H. Cable Communications Policy Act of 1984
  • Provides a private right of action
  • Excludes internet services via cable, because cable service is defined as a one-way
    transmission to subscribers of video programming, plus the subscriber interaction
    required for selection of programming
  • Cable service providers must give an initial and annual privacy notice
    that clearly and conspicuously informs subscribers of:
    · the nature of the PI collected
    · how the PI will be used
    · the retention period of such info
    · the manner by which the subscriber can access and correct such info
  • Provider can only collect PI that is necessary to render services
    or detect unauthorized reception of services
  • Can't share PI w/o written or electronic consent. Exceptions:
    · to the extent necessary to render services
    · to conduct legitimate business activities
    · only name & address, and the subscriber was given an opt-out
    · subject to a court order with notice to the subscriber
      ° in conflict with ECPA, which allows disclosure w/o notice to the consumer,
        because notice may negatively impact the LE investigation
      ° courts have resolved the tension by allowing disclosure w/o notice to the
        subscriber per ECPA
  • PI must be destroyed when no longer needed for the original
    purpose and there are no pending requests for access
I. Video Privacy Protection Act of 1988 (VPPA)
  • Private right of action for violations
    · statutory damages set at $2,500
    · allows actual and punitive damages, and reasonable attorney's fees
  • Does not preempt more protective state laws
    · CA laws cover the same privacy issues as VPPA
  • Applies to video tape service providers: rental, sale or delivery
    of pre-recorded video cassette tapes; and individuals who receive PI
    in the ordinary course of business or for marketing purposes. N/A to
    video streaming
  • Prohibited from disclosing PI. Exceptions:
    · disclosure is made to the consumer themselves
    · per contemporaneous written consent of the consumer
    · to LE per warrant, subpoena or other court order
    · per civil court order, where the consumer had the right to object
    · disclosure includes only the names and addresses of consumers
    · if only used for marketing to the consumer: only names,
      addresses, and subject matter descriptions
    · for order fulfillment, request processing, trans­fer of
      ownership, or debt collection
  • PI must be destroyed as soon as practicable but no later than
    one year after it is no longer necessary and there are no pending requests
    for access
J. Video Privacy Protection Act Amendments Act of 2012
  • Allowed for one-time consumer consent that is valid for up to
    two years, replacing the contemporaneous-consent requirement
  • Addresses social media concerns
K. Federal Regulation: FCC Broadband Privacy Rule
  • Pre-2015, FTC was the primary enforcer of digital ad violations
  • 2015: FCC reclassified broadband internet service as a public
    utility per the "Open Internet" or net neutrality rule
  • 2016: Appeals Court upheld the FCC's authority to regulate broadband
    internet providers
    · telephone (Verizon) and cable (Comcast) companies
    · effect: subject to the Telecom Act of 1996, including the CPNI privacy
      requirements in Section 222
  • FCC issued a Privacy Rule for broadband … but
  • 2017: Congress rescinded the FCC Privacy Rule
    · but an FCC order said Section 222 and the CPNI rules still apply to
      broadband internet providers
L. California Online Privacy Protection Act of 2013 (CalOPPA)
  • Operator of a website must display a privacy notice stating:
    · categories of PII collected through the site
    · categories of 3Ps the operator may share PII with
    · how the operator treats the browser's Do Not Track signals
    · whether other parties collect PII about the consumer's online
      activities on and across different websites
  • Implementation of Do Not Track by browsers varies:
    · default = tracking is acceptable unless the user sets the browser to
      send Do Not Track to the requesting site
    · Do Not Track as the default
    · selective Do Not Track as the default
  • Caution: with embedded dynamic code from 3Ps (such as advertisers), the
    operator may not be fully aware of the tracking activities
    taking place on its own site over time

Government and Court Access to Private-sector Info
III.A Law Enforcement and Privacy
A. Fourth Amendment: right to be secure in persons, houses, papers, and
   effects against unreasonable searches and seizures; warrants need probable
   cause and particularity of the place to be searched
  • Olmstead (1928): a wiretap without physical trespass was not a search; overruled
    by Katz, which set the subjective and objective reasonable expectation of privacy test
  • Katz v. U.S.: warrant needed for a police bug placed on a public phone booth to
    hear calls made behind its closed doors
  • Third-party and in-public doctrines: a company can share customer and employee
    records with LE if the records were given to the company as a 3P
  • Jones: warrant needed for GPS tracking of a car for a month; police
    had trespassed, even though the movements were public
  • Riley v. California: need a warrant to search the contents of a cell phone
    because of the large quantity/quality of data
  • Carpenter v. U.S.: reduced the scope of the third-party doctrine; need a
    warrant to access cell site location info
B. HIPAA: disclosure is permitted per court order or subpoena, or an
   administrative request, if three criteria are met:
  • relevant and material to a legitimate LE inquiry
  • specific and limited in scope for the purpose
  • de-identified information could not reasonably be used
C. Electronic Communications Privacy Act (ECPA)
  • Private right of action and criminal penalties
  • Does not generally preempt state law
    · CalECPA protects email comms
  • Amended the Wiretap Act and added the SCA
D. Wiretap Act (Title III): real-time interception of wire, oral, and electronic
   comms. Most strict; requires a "super warrant"
  • Only certain offenses; only as necessary, with minimization
  • Violations are a criminal offense; private right of action; does not preempt state law
  • Two exceptions to needing a warrant:
    · a person is a party to the call (one-party consent; some
      states require all-party consent)
    · the interception is done in the ordinary course of business
  • An interception offensive to a reasonable person can be a state invasion of privacy or
    other common-law claim
E. Stored Communications Act (SCA)
  • Private right of action and criminal penalties
  • Voluntary and compelled disclosure of "stored wire and electronic comms and
    transactional records" held by a third-party ISP
  • Prohibits unauthorized acquisition, alteration, or blocking of electronic comms
    while in storage at an electronic comms facility
  • Two exceptions:
    · by the entity providing the wire or electronic comm service
    · by the user of the service/comm, or the intended recipient
  • Upon government request, a wire or electronic comm provider must preserve records
    and evidence pending a court order
  • Unopened comms over 180 days old: only need a subpoena
  • Microsoft case: the CLOUD Act overrides the SCA; now requires companies to provide
    electronic evidence even if stored outside the U.S.
F. Pen Register and Trap and Trace Orders
  • No private cause of action
  • Pen register and trap/trace orders issue from a judge under the lax
    standard of "relevant to an ongoing investigation"
  • PATRIOT Act Section 216 expanded them to include dialing, routing,
    addressing, or signaling info
  • USA FREEDOM Act ended their use for bulk collection
G. Communications Assistance for Law Enforcement Act (CALEA),
   aka the Digital Telephony Bill
  • FCC implemented CALEA
  • Applies to telcos: must cooperate in the interception of comms for LE
    needs relating to the security and safety of the public
  • Carriers must design their networks to give the government access to comms
  • 2005: FCC expanded it to broadband internet access and VoIP
    when interconnected with traditional telephone services
H. Media Records & Privacy Protection Act (PPA) 1980
  • Does not preempt state laws
  • Extra layer of protection for media and media orgs from government
    search or seizure in the course of a criminal investigation
  • LE must use subpoenas or voluntary cooperation to obtain
    evidence from those engaged in 1A activities
  • Applies to government officers or employees at all levels of government
  • Applies to criminal investigations (not civil)
  • Violations: $1,000 liquidated damages (or actual damages) and attorney's fees
  • Exception: probable cause that the reporter is involved in or in the process
    of committing a crime (does not apply if the crime is possession,
    receipt or communication of the work product)
I. Right to Financial Privacy Act (RFPA)
  • Only applies to requests from federal agencies
  • Applies to FIs, such as banks, credit card companies, and
    consumer finance companies
  • No government authority may access unless the financial records are
    reasonably described and one of these conditions is met:
    · customer authorizes access
    · appropriate administrative or judicial subpoena or summons
    · qualified search warrant
    · appropriate formal request by a government authority
  • Customers must receive notice in advance of the government request for
    the records, with a right to challenge the disclosure
J. Cybersecurity Information Sharing Act (CISA) 2015
  • Federal government may share unclassified technical data with
    companies re: network attacks and successful defenses
  • CISA encourages companies to voluntarily share the same info
    with the government
  • Companies that share info receive certain protections:
    · limitations on liability; non-waiver of privileges
    · exemption from FOIA disclosure
  • Provisions:
    · requirement to remove personal info before sharing
    · sharing info with the federal government does not waive privileges
      (doesn't apply to sharing with state/local government)
    · prohibition on the government using shared info to regulate or take
      enforcement actions against lawful activities
    · authorization for companies' monitoring and operation of
      defensive measures
B. Judicial Redress Act of 2016
  • Extends U.S. Privacy Act protections to non-U.S. persons
C. Bank Secrecy Act (see above)

III.B National Security and Privacy
A. Foreign Intelligence Surveillance Act (FISA) 1978
  • 4A left a gap for "national security"
  • Needed for Cold War monitoring of the Russian embassy
  • Covers wiretaps, emails/stored records, NSLs
  • Statutory system to authorize foreign intelligence wiretaps that
    did not meet the requirements of 4A searches
  • Checks and balances on the previously unfettered discretion of the president
    and AG to conduct national security surveillance
  • 2001: amended by the PATRIOT Act, which allowed foreign wiretaps,
    relaxed rules, and expanded NSL use, but telcos were sued
  • 2008 FISA Amendments Act, and reauthorization of 2006
  • Legal authorization for wiretaps, pen registers, trap and trace for
    phone #s and emails, and video surveillance for foreign intel, even
    outside the U.S.
  • Immunity for telcos
  • More reporting to Congress; some limits on NSL secrecy
  • Foreign intel must be a significant purpose of the investigation
  • Instead of PC of a crime, FISC orders issue on PC that the party
    monitored is a foreign power or an agent of one
  • Fine up to $10,000 or up to 5 years in prison; Wiretap Act violations
    punishable with a fine or up to 5 years in prison
  • Section 702 of FISAA
    • applies to collection of e-comms that takes place in the U.S., and
      only for comms of targeted individuals for listed foreign intel
      purposes; the government must have a reasonable belief that the person is a non-U.S.
      citizen located outside the U.S.
    • FISC must annually approve certifications by the DNI and U.S. AG
      setting the terms for Section 702 surveillance
    • cannot notify the FISA target before or during the investigation
    • includes content, not just metadata
    • previously, the president could authorize electronic surveillance w/o court
      order for one year (Bush warrantless wiretap)
  • Two surveillance programs under Section 702:
    • PRISM: judicially approved, supervised directive to collect
      to/from messages with certain selectors such as an email
      address. Companies' (ISPs') lawyers can challenge the request
    • Upstream: filters Internet-based comms as they pass through
      physical infrastructure located in the U.S. if they contain a tasked
      selector, and stores them for access by the NSA
  • 2018 amendments to Section 702:
    • requirements for querying procedures consistent with 4A
    • restrictions on the use of information pertaining to U.S. persons in
      criminal proceedings, and
    • congressional oversight of "about" collection
  … U.S. persons (currently expired)
  • If info relates to a U.S. person, must be relevant to preventing
    terrorism, not based solely on 1A activities
  • Requires adoption of minimization procedures, per recently
    declassified FISC orders
  • Permitted bulk collection of telephony metadata/call-log info from
    telcos. No content. (Ended by USA FREEDOM Act)
  • Disclosure is permitted to the persons necessary to comply with
    the order, and to an attorney
  • Expanded use of National Security Letters (NSLs)
    • Federal statutes: ECPA, NSA, RFPA, FCRA, as amended by the PATRIOT Act
    • Subpoena-like: allows the FBI to get a customer's name, address,
      length of service, comms (phone and Internet) records, banking,
      financial, credit, travel records
    • No court action required. Typically FBI
    • Can't disclose to the customer that you received an NSL
    • 2006 amendment: recipients are under a gag order only if the Feds think
      it will interfere with a criminal or counterterrorism investigation or other
      listed purposes
    • Recipients can petition a court to modify or end secrecy
    • 2015: FBI now presumptively terminates NSL secrecy when the
      investigation closes, or 3 years after the investigation opened
C. USA FREEDOM Act 2015 (reform of FISA)
  • Stopped bulk collection under Sec. 215 of the PATRIOT Act and with pen
    register/trap and trace orders
  • Must use specific selectors, e.g., an email or phone number
  • Companies now allowed to publish statistics about the number of
    FISA orders and NSLs they receive
  • Government issues yearly transparency reports, and has
    declassified lots of orders from the FISA Court
  • # of FISA orders exceeds traditional LE wiretap orders
  • FISA can be important for comm providers, such as telephone
    companies and email services, but arises much less often for most
    other companies
  • Other U.S. privacy laws with national security exceptions:
    • HIPAA: "to authorized federal officials for lawful intelligence, counter-
      intelligence, national security" activities under the National Security Act
    • GLBA: privacy exception vaguely worded, for "an investigation
      on a matter related to public safety"
    • COPPA makes no mention of a national security exception
B. USA Patriot Act 2001
 Section 217 “hacker trespasser” exception
 O&O of computer can face penalties under ECPA for providing
access to LE without following procedures
 permits, does not require, O&O to provide access
 LE can perform interceptions if:
· O&O authorizes interception of computer trespasser’s
communications on protected computer
· LE is lawfully engaged in an investigation
· reasonable grounds to believe contents of trespasser’s
comms relevant to investigation
· interception does not acquire comms other than those
transmitted
 Section 217 Expanded definition of pen register/trap and trace to
include dialing, routing, addressing, signaling info
 Section 215 Snowden Tangible Things or Business Records FISC
order can require production of any tangible thing
 Seeks to obtain foreign intelligence info that does not concern

15
III.C Civil Litigation and Privacy
A. Disclosures Required by Law
• BSA reporting reqmts
• FDA: report serious adverse events
• DOL's OSHA: reporting of workplace injuries and illnesses
• Many states: injuries, med conditions, abuse, gunshot wounds, immunization records, contagious diseases
• HIPAA permits disclosure of PHI where required by law
• FRCP 45 subpoena
• LE: pen register, stored content, search warrant, wiretap
B. Disclosures Permitted by Law
• "computer trespasser" or "hacker trespasser" exception created by Section 217 of the USA PATRIOT Act
C. Disclosures Forbidden by Law
• Opt in: HIPAA, COPPA
• Opt out: GLBA, FTC
• Evidentiary "privileges" can prohibit disclosure
  ◦ generally defined under state law
  ◦ attorney-client privilege; exception: may be waived to prevent imminent physical harm to another person
• Assert privilege against self-incrimination under 5A
D. Public Access to Court Records, Protective Orders, and Required Redaction
• U.S. has a strong tradition of transparency, FOIA
• Litigants seek protective orders for PI
  ◦ judge decides what info should not be made public
  ◦ and the conditions that apply
• Rule 26(c) of FRCP: party may seek a protective order that CI may not be revealed, or "attorney's eyes only"
  ◦ must demonstrate good cause; court applies three-part test
    · info is confidential
    · info is relevant and necessary
    · harm vs. need for info
• HIPAA Privacy Rule requires consent or court order
  ◦ QPO can apply in state court
• Redact to limit to only what's necessary: FRCP 5.2, Privacy Protection for Filings Made with the Court
  ◦ last 4 digits of SSN/taxpayer ID or financial account number, year of birth only, minor's initials
  ◦ Federal Rules of Criminal Procedure and Bankruptcy Rules have similar redaction. Criminal: home address is a fifth category, redacted to city and state
E. Electronic Discovery
• E-discovery readiness = a well-managed data retention program.
• Sedona Conference guidance on email retention:
  ◦ policies: interdisciplinary teams
  ◦ continually develop and ID the gaps between policy and practice
  ◦ reach consensus; look to industry standards
  ◦ solutions should meet functional requirements of the org
• Good faith: data that is "transitory in nature" is considered outside the duty of preservation
• Have clear employee personal-use policies
• Court order will prevail over company retention policy; courts apply a 3-factor test: (1) whether the retention policy is reasonable, (2) whether similar complaints have been made against the organization, and (3) whether the policy was adopted in bad faith
• Consistent with disclosure under HIPAA
  ◦ consent, court order, QPO
• Consistent with disclosure under GLBA
  ◦ FI may disclose PI to comply with laws, civil, criminal, or reg investigation or subpoena
F. Transborder / Conflicts with Foreign Laws (GDPR)
• Some courts require production if the party sought to take advantage of U.S. jurisdiction
• Some courts require production b/c [foreign] law does not deprive an American court of the power to order a party subject to its jurisdiction to produce, even if production violates that law
• Or focus on the nature of the documents: prepare a privacy log describing the documents without disclosing contents
G. Hague Convention: the party relying on foreign law to resist discovery bears the burden of demonstrating that the foreign law prohibits it; courts weigh:
• importance of the documents or data to the litigation
• specificity of the request
• whether the information originated in the United States
• alternative means of securing the information
• important interests of the U.S. & the foreign state (e.g. fighting terrorism)
• ensure storage and transmission are secure
H. Clarifying Lawful Overseas Use of Data Act (CLOUD Act)
• Addresses the intl issue
• Appropriate request through a mechanism such as a Mutual Legal Assistance Treaty (MLAT)
• US has first agreement with UK
• Negotiations with the EU and Australia concerning possible CLOUD Act executive agreements
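Worked example for the FRCP 5.2 redaction rule in section D above. This is an added illustration, not part of the outline and not any court's or vendor's tool: the four categories (last four digits of SSN/taxpayer ID and of financial account numbers, year of birth only, minor's initials) come from the rule as summarized above; the regular expressions, the assumed input formats (nnn-nn-nnnn SSNs, account numbers introduced by "Account No.", birth dates introduced by "born"/"DOB"), the list of minors' names and the sample filing text are this example's own assumptions.

```python
"""FRCP 5.2-style redaction of a court filing.

Added example for this outline; not the rule text and not any court's
filing tool. The four categories (SSN/taxpayer ID -> last four digits,
financial account number -> last four digits, birth date -> year only,
minor's name -> initials) are the page's; every pattern below and the
sample filing are this example's own assumptions about how such data
appears in the text.
"""
import re
from typing import Iterable

# Assumed formats: SSN as nnn-nn-nnnn; account numbers introduced by the
# word "account"/"acct" and an optional "No."/"#"; birth dates introduced
# by "born", "DOB" or "date of birth" as m/d/yyyy. Other dates (hearing
# and filing dates) are not birth dates and must be left alone.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ACCT_RE = re.compile(
    r"\b((?:account|acct\.?)\s*(?:no\.?|#)?\s*)(\d{8,})\b", re.IGNORECASE
)
DOB_RE = re.compile(
    r"\b((?:born|dob:?|date of birth:?)\s+)"
    r"(0?[1-9]|1[0-2])/(0?[1-9]|[12]\d|3[01])/((?:19|20)\d{2})\b",
    re.IGNORECASE,
)


def redact_ssn(text: str) -> str:
    """Keep only the last four digits of an SSN or taxpayer ID."""
    return SSN_RE.sub(lambda m: f"XXX-XX-{m.group(3)}", text)


def redact_accounts(text: str) -> str:
    """Keep only the last four digits of a financial account number."""
    def mask(m):
        digits = m.group(2)
        return m.group(1) + "X" * (len(digits) - 4) + digits[-4:]
    return ACCT_RE.sub(mask, text)


def redact_birth_dates(text: str) -> str:
    """Reduce a birth date to the year; dates without a birth cue are untouched."""
    return DOB_RE.sub(lambda m: m.group(1) + m.group(4), text)


def redact_minor_names(text: str, minors: Iterable[str]) -> str:
    """Replace each listed minor's full name with initials (e.g. J.D.)."""
    for name in minors:
        initials = ".".join(part[0].upper() for part in name.split()) + "."
        text = re.sub(r"\b" + re.escape(name) + r"\b", initials, text)
    return text


def redact_filing(text: str, minors: Iterable[str] = ()) -> str:
    """Apply all four FRCP 5.2 categories to a filing."""
    text = redact_ssn(text)
    text = redact_accounts(text)
    text = redact_birth_dates(text)
    return redact_minor_names(text, minors)


def unredacted_identifiers(text: str) -> list:
    """Pre-filing check: anything still matching a full SSN or a long account number."""
    return SSN_RE.findall(text) + [m.group(2) for m in ACCT_RE.finditer(text)]


# Constructed sample filing text (not from any real case).
SAMPLE_FILING = (
    "Plaintiff John Smith, SSN 123-45-6789, born 03/14/1985, holds "
    "Account No. 9876543210 at First Bank. His minor child Jane Doe, "
    "born 7/4/2012, is named as beneficiary. Filed 01/05/2021."
)

if __name__ == "__main__":
    print(redact_filing(SAMPLE_FILING, minors=["Jane Doe"]))
```

Run it directly to print the redacted sample. The birth-date pattern is tied to a "born"/"DOB" cue so that hearing and filing dates, which the rule does not cover, survive intact; `unredacted_identifiers` is the check to run on the final text before filing, and it should return an empty list.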
IV. Workplace Privacy
• No overarching law for EE privacy; state remedies are limited
• ER/EE relationship fundamentally based on contract law, CBA
• Torts: invasion of privacy, publicity given to private life, defamation. All narrow protections
• Regulators: Department of Labor (DOL), Equal Employment Opportunity Commission (EEOC), FTC, CFPB, and NLRB
• DOL administers FLSA, OSHA, ERISA
• HR management of a multinational corp's EE data
A. U.S. Laws Protecting Employee Privacy
• 4A; CA constitution extended privacy rights to private-sector EEs
• HIPAA: protect PHI
• COBRA: continuous coverage after termination
• ERISA: EE benefit programs created and fairly administered
• FMLA: unpaid leave for birth or illness of self or a family member
• Fair Labor Standards Act (FLSA): establishes minimum wage and sets standards for fair pay
• OSHA regulates workplace safety
• Whistleblower Protection Act: federal EEs subjected to personnel actions because of whistleblowing
• National Labor Relations Act (NLRA): sets standards for collective bargaining, which also applies to social media communications
• Immigration Reform and Control Act (IRCA): requires employment eligibility verification
• SEC Act of 1934: info about Sr execs of public companies
• Anti-discrimination laws: limits on background checks; secondary effect on how interviews are conducted
  ◦ Title VII of the Civil Rights Act of 1964 bars discrimination in employment: race, color, religion, sex, and national origin
  ◦ Equal Pay Act of 1963 bars wage disparity based on sex
  ◦ Age Discrimination in Employment Act bars discrimination against EEs over 40
  ◦ Pregnancy Discrimination Act bars discrimination due to pregnancy, childbirth, and related medical conditions
  ◦ Americans with Disabilities Act of 1990 bars discrimination against qualified individuals with disabilities
  ◦ GINA bars discrimination based on individuals' genetic info
  ◦ Bankruptcy Act prohibits employment discrimination against persons who have filed for bankruptcy
• Americans with Disabilities Act (ADA) medical screenings
  ◦ ERs with 15 or more employees
  ◦ Can't discriminate against a qualified individual with a disability because of the disability
  ◦ Before an offer, no medical exams or disability inquiries; during employment, exams and medical inquiries only if job related and consistent with biz necessity
  ◦ Company may require a medical exam after the offer and may condition the offer on results, if:
    · all entering EEs are subjected to the exam
    · confidentiality rules applied to results
    · results used in compliance with discrimination laws
  ◦ Drug addiction is a disability
  ◦ ER must provide reasonable accommodations during employment but can't ask before offer
  ◦ ADA Amendments Act (ADAAA) expanded scope: conditions that are mitigated, in remission or episodic count if they would substantially limit a major life activity of the EE when active or absent mitigation
B. FCRA Limits on EE Background Checks
• FCRA applies to nontraditional providers of background check information (like social media aggregators)
• Covers any type of background check, criminal records or driving records
• Permissible purposes for employment checks include:
  ◦ evaluating the candidate for employment
  ◦ existing EE, for promotion, reassignment, or retention
• ER using any consumer report
  ◦ written notice to applicant: obtaining consumer report for employment purposes, and if an investigative consumer report is also obtained (no notice reqd for self-performed checks)
  ◦ need written auth; may be for the duration of employment
  ◦ only use data from a qualified CRA
  ◦ certify to CRA: permissible purpose, gave notice, got consent, will comply with anti-disc laws
  ◦ before taking AA, give pre-adverse-action notice to the applicant with a copy of the consumer report and an opportunity to dispute
  ◦ before taking AA, provide a copy of the report to the consumer with the summary of the consumer's rights (supplied by the CRA)
  ◦ adverse action notice sent after the adverse action is taken
    · contact info of CRA, required statements, right to dispute and correct
  ◦ if EE requests, ER must give complete disclosure of the nature and scope of the investigation
    · must be made in writing within five days after the request or after the report was requested (whichever later)
• INTERNAL investigative consumer reports (Vail letter)
  ◦ No notice required if in connection with an internal investigation of:
    · suspected work misconduct or noncompliance with laws or ER policy
    · not done for creditworthiness and no credit info
    · only given to ER, federal or state officer/agency, or self-regulating org with authority over ER or EE
C. California Investigative Consumer Reporting Agencies Act (ICRAA): stricter disclosures than FCRA
• Need prior consent, give proper notice, give opportunity to request a copy of the report
• Even for internal investig, must give EE all public records unless EE waives
• ER notice must be C&C and separate from the FCRA notice
• Need consent for EACH background check
• Written disclosure must state:
  ◦ report may be obtained; permissible purpose
  ◦ disclosure may include info on character, general reputation, personal characteristics, mode of living
  ◦ contact info of CRA and CRA's website
• If ER wants to take AA based on the report, must provide EE the full report even if EE waived the right to get a copy
  ◦ Consent not required if EE suspected of wrongdoing
• Online screening: tracking an individual's online presence and screening candidates for predesignated elements selected by the employer, e.g. drug use, criminal activity, or unsafe behavior. FCRA might apply to nontraditional providers of background check information
• Artificial Intelligence used to assess candidates in video; caution re: privacy and biases
Privacy During Employment
A. Fed Employee Polygraph Protection Act of 1988 (EPPA)
• Violations: subject to fine by DOL and private lawsuits
• Does not preempt stricter state laws
• DOL rules: ERs are prohibited from using lie detectors on incumbent workers or to screen applicants; can't retaliate
  ◦ OK for govt EEs, controlled substances, defense contractors, and national security functions
  ◦ OK w/ ongoing investigation involving economic injury to ER business, on reasonable suspicion
• ER must post essential EPPA provisions conspicuously
• EPPA and ADA limit psych testing; ADA prohibits use of medical tests for impairment of mental health. ERs use psych tests for personality traits
B. Drug Testing Law
• Public-sector EEs covered under 4A
• Fed laws mandate testing for:
  ◦ positions within the federal sector, e.g. CBP
  ◦ aviation, railroad, trucking industries
  ◦ these preempt state laws that limit drug testing
• Variety of settings:
  ◦ pre-employment, if not to ID legal use or addiction
  ◦ rble suspicion based on specific facts, evidence
  ◦ routine testing: EEs notified at the time of hire
  ◦ post-accident: if reasonable suspicion
  ◦ random testing: sometimes required by state law, prohibited in certain states
    · more likely in regulated jobs, public safety, natsec
• Fed ADA, state laws wildly vary
• Litigation re: defamation, negligent testing, invasion of privacy, breach of contract and CBAs
• MJ legalization: IL says can't punish EE for MJ use unless it impairs their work. Fed EEs' MJ use is prohibited
• Half of states limit ability to ban EEs smoking
• Lifestyle discrimination
  ◦ ADA amended in 2009 = protect person who is 100 pounds overweight from discrimination
  ◦ No federal law protects smokers from discrimination
C. EE Monitoring
• In the US, private-sector employees in general have limited expectations of privacy at the workplace. Contrast EU
• Check CBA
• Legal obligations or incentives to monitor
  ◦ OSHA requires ERs to provide a safe workplace
  ◦ call centers, customer disputes
  ◦ defend vs. tort claim for negligent supervision
• Biometrics in the HR and employment context
• Video surveillance/CCTV
  ◦ video w/o sound not covered under federal wiretap and stored-record statutes; no federal prohibition
  ◦ states often forbid use in sensitive areas (CA, MI)
  ◦ common law tort claim: invasion of privacy
• Intercepting comms
  ◦ Wiretap Act of ECPA: strict prohibition, criminal
  ◦ calls, video with sound, oral, bugs, emails, except:
    · in ordinary course of business
    · parties consent
• Stored comms
  ◦ SCA/ECPA prohibits access with 2 exceptions:
    · the provider of the comms service (e.g. ER running its own system), and
    · the user of that service, or someone authorized by the user (e.g. EE)
  ◦ Ontario v. Quon: SCOTUS held ER could review EE pager messages to check whether personal use was within plan limits
    · search reasonable because it was work related and not excessive in scope
  ◦ ECPA does not preempt stricter state laws
  ◦ DE law: ERs may monitor phone, email, internet access or usage only with prior written notice or daily e-notice
  ◦ CT law: ER e-monitoring must give prior notice of the types of monitoring; post notice in a conspicuous place
• Geolocation tracking
  ◦ tracking work vehicle OK during work hours if EE is informed
  ◦ but monitoring EE restricted under some state laws
    · CT: no monitoring of EE without notice
    · CA: criminal misdemeanor to use an electronic tracking device to track a person's location (attached to a vehicle without owner consent)
  ◦ invasion of privacy claims if reasonable XofP
• Social media monitoring
  ◦ may violate antidiscrimination and privacy laws
  ◦ social engineering may invade privacy
  ◦ many states prohibit ERs from demanding EEs' or applicants' SM credentials
• Consumerization of IT and BYOD
  ◦ work tech for personal use = lack of control over device
  ◦ consider breach notification laws
  ◦ EE has higher XofP with own device
  ◦ EE device could be subject to discovery
  ◦ DLP (Data Loss Prevention) could amount to mass surveillance
• Investigation of EE misconduct
  ◦ take allegations seriously
  ◦ treat EE fairly, document everything
  ◦ comply with law, CBA, policies
  ◦ data handling risks
  ◦ 3P in investigations: FCRA Vail letter
  ◦ concern for retaliation vs. other EEs
• After employment
  ◦ terminate physical and information access
  ◦ manage transition, passwords
  ◦ HR issues with defamation; state laws re: references
V. State Laws
A. Federal v. State Authority
• Preemption
  ◦ state AGs retain the ability to use state consumer protection law to bring civil suits
• Lack of federal data breach law = patchwork
  ◦ a federal privacy law would raise the Q of whether it preempts state law; the federal wiretap law and other federal privacy laws permit stricter state laws
B. State Data Security Laws
• Majority of states have laws limiting biz right to use SSN.
• CA prohibits biz, state and local agencies from publicly posting SSN, printing it on mailings (unless mandated by federal law), or printing it on ID or membership cards; prohibits biz from requiring transmission of SSN unencrypted
• S.B. 178 Cal Electronic Comms Privacy Act (CalECPA)
  ◦ state LE needs a warrant before they can access electronic information, content or metadata
    · warrant must "describe with particularity" the info sought
    · if service provider gives info, LE must destroy data within 90 days, unless consent, court order, or LE reasonably believes info is related to child porn
  ◦ subpoenas allowed only if info is not requested in the context of a criminal investigation or prosecution.
  ◦ notice required when warrant is executed; must state "with reasonable specificity the nature of the government investigation" and include copy of warrant, or
  ◦ in emergency cases, give statement with facts to support declaration of emergency situation within 3 days after data collected
• Delaware's Online and Personal Privacy Protection Act
  ◦ prohibits ads for products that kids can't legally buy
  ◦ restricts certain online ad practices based on minors' PI
  ◦ minor = state resident under age of 18
  ◦ private right of action
  ◦ operators must post C&C notice of data collection / privacy policy on every web page where PI is collected
  ◦ requires consent by parents prior to collection of personal info for children under 13
  ◦ (cf. GDPR: under 16, parental consent)
• Nevada SB 538
  ◦ applies if (1) retain certain types of NV resident PII and (2) direct activities towards NV residents, complete a transaction with state or resident, or purposefully avail themselves of NV law
  ◦ cookie or tracking beacons = PII
  ◦ exempt if
    · biz located in NV, revenue primarily from non-online sources
    · small biz with less than 20k unique visitors per year, or
    · 3P that operates the site, or processes info on behalf of biz
  ◦ no private right of action
  ◦ failure to comply within 30 days of notice = civil enforcement by AG
  ◦ injunctive relief and/or a monetary penalty not to exceed $5,000 for each violation
• Illinois Right to Know Act (2017 bill)
  ◦ operator that collects PII about IL residents must
    · notice: specified info re: PI sharing practices
    · make available certain specified info after disclosing a customer's PI to a third party, and
    · provide an email, toll-free number, or webform whereby customers may request or obtain it
  ◦ private right of action: (i) liquidated damages of $10 or actual damages, whichever greater; (ii) injunctive relief; and (iii) reasonable attorneys' fees, costs, and expenses
  ◦ attempted waiver of the Act or non-compliant agreement is void and unenforceable
  ◦ not intended to supersede federal or state law
• New Jersey Personal Information and Privacy Protection Act
  ◦ retail establishments that scan government-issued ID cards
  ◦ can only collect name, address, DOB, ID card number, and jurisdiction that issued the card.
  ◦ valid purposes of ID scanning (8):
    · verify ID if not cash, returns, refund or exchange;
    · verify age for age-restricted goods or services;
    · prevent fraudulent returns or exchanges;
    · prevent fraud re: credit account;
    · establish/maintain contractual relationship;
    · required by law;
    · disclose to FI, debt collector, or CRA for FCRA, GLBA, or Fair Debt Collection Practices Act purposes; and
    · per HIPAA by a covered entity
  ◦ data retention and use
    · report breach to affected persons and NJ State Police
    · retail store may not "sell or disseminate to a third party any info obtained" per the Act for any purpose
  ◦ penalties
    · $2,500 civil penalty for a first violation
    · $5,000 civil penalty for each subsequent violation
    · private right of action against store
• Washington Biometric Privacy Law (H.B. 1493) 2017
  ◦ can't enroll a biometric identifier in a database for a commercial purpose without providing notice, obtaining consent, or providing a mechanism to prevent subsequent use for a commercial purpose
  ◦ "enroll" = capture biometric ID data, convert to a template that cannot be reconstructed, and store it in a database matched to an individual
  ◦ does not apply to biometric identifiers not "enrolled"
    · notice required is separate from, and is not considered, "affirmative consent"
    · exact notice and type of consent required is "context-dependent"
  ◦ may not use or disclose it in a manner materially inconsistent with original terms without new consent
  ◦ need consent to disclose unless:
    · (1) necessary to provide a product or service
    · (2) 3P contractually promises that the biometric ID will not be re-disclosed or enrolled in a database for a commercial purpose that is inconsistent with the notice and consent
  ◦ broad "security exception," in furtherance of a "security purpose"
C. State Breach Notification Laws & Key Differences among States
• Definition of PI
  ◦ CT: (1) SSN; (2) DL number or state ID card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
  ◦ Some states: healthcare and med info, passwords, personal ID Nos., account Nos., any Fed or State ID No. like passport, military, tax ID, biometric data, DNA profile, maiden name
  ◦ CCPA: IP address, commercial info, online activity, inferences drawn to create profiles
  ◦ All states: PI = unencrypted
  ◦ All states exclude lawfully publicly available info
• Covered entities:
  ◦ CT: "any person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information"
• Conditions for notification
• Subject rights
• Harm and definition of security breach
  ◦ CT: "unauthorized access to electronic files, media, databases or e-data containing PI when access to PI not secured by encryption or other method that renders PI unreadable or unusable."
  ◦ Almost every state contains similar language, although some laws require the compromise to be "material" or an event that causes (or is likely to cause) identity theft or other material harm
  ◦ CCPA: "an unauthorized access and exfiltration, theft, or disclosure" of the consumer's PI resulting from the business's failure to "implement and maintain reasonable security procedures and practices"
D. Conditions for Notification
• Whom to notify
  ◦ state residents who are at risk
  ◦ all states require third-party notification
    · CT: notify owner of the info of the breach immediately
  ◦ AG or state agency notification
    · two-thirds of states require notifying the state attorney general and/or other state agencies
    · time periods vary; # of residents threshold; some only after investigation
  ◦ credit reporting agencies notification
    · two-thirds of states require notifying nationwide CRAs; # of residents threshold varies
• When to notify affected parties
  ◦ most common: "most expedient time possible and without unreasonable delay"
  ◦ some states specify a time; 45 days most common
  ◦ national companies: best practice is to report within 30 days
  ◦ delays allowed for a reasonable period of time if LE requests b/c notice would impede the investigation
• What to include in the notification (NC)
  ◦ general description
  ◦ type of PI
  ◦ general acts taken to protect PI from further access
  ◦ telephone number to call
  ◦ advice to remain vigilant: review statements and reports
  ◦ toll-free numbers and addresses for CRAs, FTC, AG
• Exceptions to notification
  ◦ more stringent state laws
  ◦ OK to follow breach notification procedures of internal infosec policy if compatible with law
  ◦ safe harbor if encrypted, redacted, unreadable, unusable
    · encryption no longer an automatic safe harbor in TN or CA (see below)
• Penalties and private right of action
  ◦ AG enforcement
  ◦ some states allow penalties
  ◦ private right of action: CA, AL, D.C., LA, MD, MA, NV, NH, NC, SC, TN, VA and WA
  ◦ CCPA statutory damages for breach of sensitive data
    · CA first state to allow
E. Recent Developments
• Tennessee SB 2005
  ◦ required notice of breach regardless of encryption
  ◦ 2017 amendment clarified that encrypted data gets safe harbor, unless the encryption key was also acquired in the breach
• Illinois Breach Notification HB 1260
  ◦ expanded definition of protected PI to include usernames and email, if when combined with security credentials they would allow a 3P to access an individual's online account
  ◦ required to alert affected parties to change their credentials if compromised
• California SB 1386 (2003)
  ◦ original breach notice law
• California Breach Notification AB 2828
  ◦ California data breach notification law expanded: requires notice of breach of encrypted data if:
    · both the encrypted data and the encryption key were acquired, or
    · encrypted data was acquired and the business has a reasonable belief that the encryption key or security credentials can be obtained by the hacker
• New Mexico Breach Notification HB 15
  ◦ PII includes biometrics: fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry
  ◦ applies to unencrypted computerized data, or encrypted data when the encryption key is also compromised
  ◦ notice to NM AG Office and major CRAs if >1,000 NM residents notified
  ◦ notice to New Mexico residents within 45 days
  ◦ 3P service providers are required to notify the data owner or licensor within 45 days of discovery
• Massachusetts Data Breach Laws: House Bill No. 4806
  ◦ 2019 bill amends the state data breach notification law
    · increases reporting if collecting MA resident PI
    · expands notification requirements
    · requires companies to contract with a 3P to offer affected residents free credit monitoring services, and
    · prohibits security freeze fees
  ◦ updated notification requirements to state:
    · preexisting law: notice to state regulators of (i) nature of breach; (ii) # residents affected; and (iii) steps taken
    · new: whether they maintain a written infosec program
  ◦ expanded notification to affected residents:
    · (i) resident's right to obtain a police report; (ii) how to request a security freeze and necessary info; (iii) no charge for security freeze; and (iv) provide mitigation services (i.e., free credit monitoring services)
    · cannot be required to waive their right of action as a condition to receiving credit monitoring services
  ◦ modified timing requirements:
    · as soon "as practicable and without unreasonable delay"; but now can't delay notice on the ground that the total number of affected residents is not yet known
  ◦ additional notification requirements:
    · general public notice: Office of Consumer Affairs and Business Regulation (the "OCABR") must publish "electronic copies of the sample notice sent to consumers" on its website and update how to obtain a copy of the notice sent to the agency from the breached entity
  ◦ free credit monitoring services
    · Massachusetts is the 4th state (after CA, CT, DE) to require offering free credit monitoring services re: SSN breach
    · free credit monitoring services for a period of not less than 18 months
    · if a CRA breach of security, not less than 42 months
  ◦ security freeze fees prohibited; residents may place, lift, or remove security freezes without charge
• CCPA
  ◦ right of action for certain data breaches
  ◦ unencrypted and unredacted subset of PI:
    · SSN, DL or CA identification number;
    · account number, credit or debit card number, in combination with security code, access code, or password;
    · medical or health insurance information
  ◦ unauthorized access, theft, or disclosure, and the business failed to implement reasonable security practices
  ◦ civil action for any of:
    · (A) damages between $100 and $750 per consumer per incident or actual damages, whichever greater
    · (B) injunctive or declaratory relief
    · (C) any other relief the court deems proper
  ◦ statutory damages: consider nature and seriousness of misconduct, # of violations, persistence and length of misconduct, willfulness, D's net worth. No proof of actual damage required
  ◦ consumer or class: 30-day notice to cure before suing for statutory damages
    · if biz cures and gives a written statement of cure and no further violations, no action for statutory damages allowed
    · but consumer may still sue to enforce the written statement, with statutory damages for breach of it
  ◦ no c
ure notice required for an individual consumer suing for actual damages
• Attorney General
  ◦ injunction and civil penalty up to $2,500 per violation or $7,500 per intentional violation, in a civil action by the AG
  ◦ biz can seek opinion of AG for guidance
  ◦ violation if biz fails to cure within 30 days of notice
  ◦ civil penalties shall be exclusively assessed and recovered in a civil action by the AG
  ◦ civil penalties go to the Consumer Privacy Fund
• What is covered
  ◦ usual PI plus signature, insurance policy #, protected class
    · info linked at household or device level
    · biometric info collected without the person's knowledge
    · records of personal property
    · products purchased or considered
    · inferences drawn from PII: preferences, predispositions, attitudes, intelligence, abilities
  ◦ Not PI
    · publicly available info
    · deidentified or aggregate consumer data
    · certain B2B comms or txns (still must comply with non-discrimination rights and right to opt out of sale of a consumer's data)
  ◦ Does not apply (covered elsewhere)
    · education info, nonpublic PII per FERPA
    · PI from job applicants, employees or contractors
    · privileged, medical, clinical trial info
    · PII per FCRA or GLBA
    · vehicle or ownership info shared by dealer or manufacturer for warranty or recall
      ° still can't sell, share, or use info for another purpose
    · Driver's Privacy Protection Act
    · emergency contact info
  ◦ GLBA PI that is exempt from CCPA: transaction info, joint products, account website info
  ◦ CFIPA applies to FI data
• Who is regulated: for-profits doing business in CA that meet any of
  ◦ gross rev greater than $25M
  ◦ buy, receive, or sell the personal info of >50,000 CA residents, households, or devices; or
  ◦ >50% of annual revenue from selling CA residents' PI
• Service providers and third parties excluded if:
  ◦ when consumer interacts with 3P, if 3P does not further sell PI inconsistently with CCPA
  ◦ data shared with 3P in order to implement a consumer's decision to opt out from data sales
  ◦ data shared with vendors as necessary to provide services to the business
  ◦ to avoid data sales, service providers must have a K that prohibits retention, use or disclosure of personal information except to provide services
• Who is protected: consumers
  ◦ in CA for other than a temporary purpose
  ◦ domiciled in CA but outside CA for a temp purpose
  ◦ customers of household goods; partially in B2B transactions
• Notice/info right
  ◦ inform consumers at time of collection:
    · categories of PI and intended use for each category
  ◦ further notice is required to:
    · collect other PI categories
    · use PI for unrelated purposes
  ◦ upon verifiable consumer request
    · free, by mail or electronically, portable, readable
    · no more than twice in a 12-month period
  ◦ excludes one-time transaction, if info not sold or retained
  ◦ 3P must give notice of opt-out before re-selling PI obtained from another source
• Opt-out right for personal information sales
  ◦ must post a "Do Not Sell My Personal Information" link
  ◦ separate link describing consumer's rights, to the "Do Not Sell My Personal Information" web page, in:
    · (A) online privacy notice if online
    · (B) CA-specific description of consumers' privacy rights
  ◦ must comply w/ request to opt out of sale of PI to 3P
  ◦ can't re-ask to sell for 12 months
• Opt-in right for sales of PI re: children
  ◦ can't sell PI of a consumer under 16 without consent
  ◦ children aged 13–16 can directly provide consent
  ◦ children under 13 require parental consent
  ◦ COPPA still applies on top of the CCPA
  ◦ willful disregard of age is deemed actual knowledge
• Right of disclosure or access (no separate portability right; the copy provided must be portable)
  ◦ right to disclosure or access of:
    · (1) categories of PI
    · (2) categories of sources
    · (3) commercial purpose for collecting or selling
    · (4) categories of third parties shared with
    · (5) specific pieces of PI it has collected
  ◦ verifiable consumer request from the consumer
  ◦ disclose the same info on privacy notice/website
  ◦ does not require business to:
    · retain any PI collected for a one-time transaction
    · reidentify or otherwise link any data
• Right of deletion: consumer rights are broader than GDPR, but exceptions are also broader
  ◦ verifiable consumer has the right to deletion
    · must direct service providers to delete data too
  ◦ exceptions: can keep if necessary to:
    · complete transaction, warranty or product recall per federal law
    · rble w/in context of the relationship, provide service
    · detect security incidents, prevent fraud, illegal activity
    · debug errors that impair the service
    · exercise free speech or another right
    · comply with the California Electronic Communications Privacy Act
    · scientific, historical, statistical research in the public interest, where deletion would render it impossible or impair the aim, w/ informed consent
    · perform a contract
    · legal obligation
• No right of rectification, restriction, or objection
• Non-discrimination: can't
  ◦ (A) deny goods or services to the consumer
  ◦ (B) charge different prices or rates, including via discounts, or
  ◦ (C) provide a different level of service, unless
    · rsbly relates to the value of the consumer's data
    · financial incentives disclosed and opt-in consent
  ◦ (D) suggest the consumer will receive a different price or a different level of service
  ◦ shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious
• Responding to rights requests
21
 verifiable consumer request for info, delete, sale of info
 at least 2 methods for submitting, toll-free number
 online exclusive biz w/ direct relationship, only email ok
 Respond within 45 days after receipt, extendable once for another 45 or 90 days w/ notice
 Inform of reasons for not taking action
 free of charge, unless request is unfounded or excessive
 No limits on deletion and do not sell requests
 other information requests no more than twice a year and only for a 12-month look-back
 Security
 No directly imposed data security requirements
 A.B. 1281 – Partial Exemptions for EE and B2B Data

22