What are common appropriate safeguards for data transfer for countries without EU GDPR adequacy decision?
Binding corporate rules, standard contractual clauses, derogations, codes of conduct, certification mechanisms, ad hoc contractual clauses
Business Associate Agreement
contract outlining how a business associate will handle PHI on behalf of covered entity
Partnership Intermediary Agreement
contract, agreement, or memorandum of understanding with a non-profit partnership intermediary to engage academia and industry on behalf of government to accelerate tech transfer and licensing
Comptroller of the Currency
charters, regulates, supervises all national banks, federal savings associations, as well as federal branches and agencies of foreign banks
Head of Office of the Comptroller of the Currency (OCC)
CA State Privacy Laws
CCPA + CPRA
- give consumers more control over PI
Requires:
extensive transparency and disclosure obligations. Right to not be discriminated against for exercising rights
Enforced by: CPPA (CA Privacy Protection Agency) and AG of CA
Violations: civil penalties up to $2,500 per unintentional violation and up to $7,500 per intentional violation
covers:
- for-profit businesses doing business in CA with gross annual revenue > $25M, OR
- businesses that buy, sell, or share the personal information of 100k or more CA consumers/households, OR derive 50% or more of their annual revenue from selling or sharing CA residents' PI
When can covered entities disclose under VPPA?
with the consumer's informed written consent; under a warrant, subpoena, or court order; or in the ordinary course of business (order fulfillment, request processing, transfer of ownership, debt collection)
Data Flow Map
Where is legislative focus and concern in privacy?
consumer rights
FIPs
fair info practices
- set of guidelines for handling, storing, protecting and managing PI
- provide framework for most privacy laws around the world
What do cookies do?
small data files a website stores in the browser; let a website or ad network recognize a returning browser and track the user's browsing activity, potentially across multiple websites
Common sources of data breach
FAST Act
Fixing America's Surface Transportation Act (2015); amended GLBA's annual privacy notice requirement
Establishes an exception: a financial institution need not send the annual privacy notice if it shares NPI only under GLBA exceptions that do not trigger opt-out rights AND its privacy policy has not changed since the last notice sent
What international data transfer method was invalidated as a result of Schrems I?
EU-US Safe Harbor
Tort
civil wrong recognized by law as having grounds for lawsuit
Examples of self-regulatory system for managing privacy compliance within US regulations/ US industry best practices
AdChoices, TrustArc Privacy Certification, Payment Card Industry Data Security Standard
When may substance-use testing occur?
Not comprehensively regulated by federal law; governed mostly by state law and employer policy
ADA excludes current illegal drug use from its protections (so testing for illegal drugs is not a prohibited medical exam)
Federal law MANDATES testing for certain safety-sensitive positions, e.g. US Customs and Border Protection and DOT-regulated aviation, railroad and trucking jobs
Layered Notices
“Just in time” notices
Privacy dashboard
layered - provide key points in a short notice but give users option to read a detailed notice or click through to greater detail
Just in time - notice is given at or before the point where the info is collected (e.g., next to the form field)
Privacy dashboard - offers summary of privacy-related info in format intended to be easy to access and navigate
Difference between a business associate and a business vendor under HIPAA
business associate - vendor that needs to access and use protected health info to perform services for a covered entity
Business vendor - any company providing goods/ services to a covered entity but does not necessarily require access to PHI
Key diff: whether they handle PHI
Who handles data breach notification enforcement?
State attorneys general (breach notification laws are state laws); the FTC may also act under Section 5 for unfair/deceptive practices
If an employer denies employment based on a CRA report, they must:
Provide a pre-adverse action notice with a copy of the report and the FCRA summary of rights, then an adverse action notice identifying the CRA and the consumer's right to dispute the report and obtain a free copy
What is the FERPA request for access response deadline
Within 45 days of receiving the request
What are the 3 laws the department of labor oversees?
FLSA, OSHA, ERISA
Types of Cookies
Session - stored in memory only and deleted when the browser closes; remember activity during one visit to a site (e.g., login state, cart)
Persistent - stored on disk until the expiration date set by the site (Expires/Max-Age) or until the user deletes it
3rd party - set by a domain other than the site the user is visiting (e.g., an ad network); used to track activity across sites
Zombie - recreated after the user deletes it, from a copy kept outside the browser's cookie store
Secure - flag that tells the browser to send the cookie only over HTTPS, so it can't be read off an unencrypted connection (the related HttpOnly flag blocks access from page scripts)
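The distinctions above (session vs persistent, first- vs third-party, Secure/HttpOnly flags) are all visible in the Set-Cookie response header. The following is an added example, not part of the original study set: a small Node.js classifier that parses Set-Cookie headers and reports a cookie's type and missing protections. The sample headers are constructed, and the site comparison (last two DNS labels) is a simplification; a real implementation would use the Public Suffix List.

```javascript
// Added example, not from the original study set: classify Set-Cookie headers
// into the cookie types described above. Sample headers are constructed.

// Parse one Set-Cookie header value into {name, value, attrs}.
// Attribute names are lowercased; flags without a value become `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Simplified "site" derivation: last two DNS labels. This is an assumption made
// to keep the example self-contained; real code should consult the Public
// Suffix List so that e.g. co.uk is not treated as a site.
function siteOf(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// Classify a cookie given the host that sent the response (responseHost) and
// the host of the top-level page the user is visiting (pageHost).
function classifyCookie(header, responseHost, pageHost) {
  const { name, attrs } = parseSetCookie(header);
  const persistent = 'expires' in attrs || 'max-age' in attrs;
  const thirdParty = siteOf(responseHost) !== siteOf(pageHost);
  const secure = attrs.secure === true;
  const httpOnly = attrs.httponly === true;
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite : 'unspecified';
  const warnings = [];
  if (!secure) warnings.push('no Secure flag: cookie can be sent over plain HTTP');
  if (!httpOnly) warnings.push('no HttpOnly flag: readable by page scripts');
  if (thirdParty && sameSite.toLowerCase() !== 'none') {
    warnings.push('third-party cookie without SameSite=None: browsers will not send it cross-site');
  }
  return {
    name,
    lifetime: persistent ? 'persistent' : 'session',
    party: thirdParty ? 'third-party' : 'first-party',
    secure,
    httpOnly,
    sameSite,
    warnings,
  };
}

// Constructed sample responses: a first-party login session cookie, a
// third-party tracking cookie from an ad network embedded on the page, and a
// first-party persistent preference cookie set without any protections.
const PAGE_HOST = 'shop.example.com';
const SAMPLES = [
  { responseHost: 'shop.example.com',
    header: 'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { responseHost: 'ads.tracker-example.net',
    header: 'uid=u-42; Domain=.tracker-example.net; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; SameSite=None' },
  { responseHost: 'shop.example.com',
    header: 'prefs=dark; Max-Age=31536000' },
];

function classifySamples() {
  return SAMPLES.map((s) => classifyCookie(s.header, s.responseHost, PAGE_HOST));
}

for (const result of classifySamples()) {
  console.log(JSON.stringify(result));
}
```

Run with `node cookies.js`. The first cookie is a session, first-party cookie with no warnings; the second is a persistent third-party cookie (the tracking case the card describes) that is missing HttpOnly; the third is persistent and first-party but lacks both Secure and HttpOnly.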
GLBA Security Levels
established through the Safeguards Rule, which mandates that financial institutions implement a written information security program covering 3 kinds of safeguards:
Physical (access controls to facilities and equipment), technical (encryption, firewalls, access controls), administrative (employee training, security policies, incident response procedures)