USA Freedom Act
Uniting and strengthening America by fulfilling rights and ensuring effective discipline over monitoring (2015)
- established a new process for how and when the FBI should submit applications to FISA court requesting approval to obtain business records for an investigation intended to obtain foreign intelligence info about a non-US citizen or protect against international terrorism
- enforced by the DoJ
When to notify of a data breach
as expeditiously as possible
- many states limit the time (ex: 45 days after discovery)
- national companies - industry practice is to report within 30 days
Americans with Disabilities Act
bars discrimination against qualified individuals with disabilities
Pregnancy Discrimination Act
bars discrimination due to pregnancy, childbirth, and related medical conditions
How to notify of a data breach
written notice to data subjects via postal mail first and then alternatives if the subject chose before (ex: phone or e-message)
Safe Harbor for Data Breaches
most states have
- exempt organizations from notification requirements if the data was encrypted, redacted, unreadable, or unusable when lost
FISA orders
Foreign Intelligence Surveillance Act
- issued by foreign intelligence surveillance court based on PROBABLE CAUSE that party being monitored is a “foreign power” or “agent of a foreign power”
- approved orders allow intel gathering via pen register, tap and trace, wiretap, and video surveillance
- those receiving FISA order cannot disclose it to targets
BUT
Companies are allowed to publish stats about the number of FISA orders and national security letters they receive
MRPPA
Medical Record and Private Protection Act
(Zurcher vs. Stanford Daily 1978)
- gives extra protection from government searches and seizures through criminal investigations for media members and organizations
- exception: only if there is cause to believe the reporter committed a crime. UNLESS the crime is possession, receipt, or communication of work product itself
Penalties: minimum of 1000$, actual damage and attorney fees
RFPA
Right to Financial Privacy Act of 1978
No government authority may have access to or obtain copies of info contained in financial records of any customer from financial institutions unless financial records are reasonably described
+ NEED 1 of the following:
- customer authorization
- Appropriate administrative subpoena/summons
- Qualified search warrant
- Judicial subpoena
- Formal request (written) from authorized gov authorities
USA PATRIOT Act
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
- in response to 9/11
- enforced mainly by DoJ and DHS
- Organizations, private businesses, law enforcement and intelligence agencies, financial institutions
- Enhance government’s ability to prevent and respond to terrorist acts by providing law enforcement and intelligence agencies and strengthen ability of them to extend capabilities for investigation, surveillance, info sharing
Specific USA PATRIOT Act Provisions
- allows law enforcement agencies to share foreign intelligence obtained in criminal proceedings with intelligence agencies
- strengthen ability of law enforcement to authorize installation of pen register, trap and trace, record computer routing, addressing, signal info
- establish authorities to request NATIONWIDE search warrants and issue nationwide surveillance orders
- lower NSL approval bar
Violations: criminal fines, criminal penalties
TCPA
Telephone Consumer Protection Act of 1991
- restrictions on unsolicited ads by telephone and facsimile and update them in 2012 to address robocalls
- encompass texts
- protect consumer’s privacy and reduce unwanted and intrusive communications
- allows for a private right of action
Covered entities: those engaged in telemarketing and communication acts
Regulating authorities: FCC and FTC
Penalties: fines of 500$ per violation with possibility to increase up to $1500 if found willful
National Security Letters
- subpoena for NON-CONTENT financial/ communication records of anyone relating to a national security investigation
- for national security, US can use FISA to request non-confidential and confidential information but use NSL for limited info about a user’s ID
- does not require judicial oversight —- only FBI
3 provisions of the ECPA
Electronic Communications Privacy Act
Title 1: Wiretap Act
- federal criminal code extending prohibition against unauthorized interception of communications to include specific types of electronic comms
Title 2: Stored Communications Act
- criminal offense to: Willfully access without authorization, a facility that provides e-comms AND willfully exceed an authorized access to such a facility
Title 3: Pen Register Act
- prohibits installation of pen registers or trap and trace device without court order
Criminal penalties for violations
