What is Privacy according to Warren and Brandeis?
1890 Harvard Law Review article established fundamental definition: "the right to be let alone." Four classes: 1) Information privacy (rules governing collection/handling), 2) Bodily privacy (physical being and invasion), 3) Territorial privacy (ability to intrude into environment), 4) Communications privacy (protection of correspondence).
What are the origins of Privacy protection?
Far-reaching history including classical Greece, Bible, Jewish law, Qur'an, sayings of Mohammed. England: Justices of Peace Act 1361 called for arrest of "peeping Toms" and eavesdroppers. 1765: British Lord Camden protected privacy of home. Built into US Constitution ratified 1789.
What Constitutional Amendments relate to privacy?
Although word "privacy" doesn't appear in US Constitution, Third, Fourth, Fifth, and Fourteenth Amendments relate to privacy.
What are sources of privacy law in the US?
Federal government (Constitution, three branches). State governments (state constitutions can create stronger rights where federal doesn't preempt, same three branches). Local governments (city, county, special districts, municipal entities).
What is the difference between HIPAA and CAN-SPAM preemption?
HIPAA: states can pass stricter laws (federal doesn't fully preempt). CAN-SPAM Act: federal law preempts state law (states cannot pass stricter laws).
What is Common Law?
Legal principles developed over time in judicial decisions (case law), drawing on social customs and expectations. For privacy, common law upheld special privilege rules like doctor-patient confidentiality and attorney-client privilege.
What is Contract Law in privacy?
Legally binding agreement enforceable in court. May include provisions on data usage, security, breach notification, jurisdiction, damages. Privacy notice may be contract if consumer provides data based on company's promise to use data per notice terms. Breach occurs when party fails to meet obligation.
What are the three types of Torts?
Intentional Torts: defendant knew/should have known action was wrong (hitting person, stealing personal info). Negligence Torts: defendant's actions unreasonably unsafe (car accident by not obeying laws, not having appropriate security controls). Strict Liability Torts: defendant liable regardless of intent or mental state (often used for privacy torts).
What federal agencies engage in privacy activities?
Federal Trade Commission (FTC), Federal Communications Commission (FCC), Consumer Financial Protection Bureau, US Department of Transportation, US Department of Health and Human Services, US Department of Education.
What is a Consent Decree?
Judgment entered by consent of parties where defendant agrees to stop alleged illegal activity, typically without admitting guilt or wrongdoing. Has same effect as court decision.
What are UDAP statutes?
Unfair and Deceptive Acts and Practices statutes. All 50 states have them. Privacy regulated at both federal and state levels. No federal-level comprehensive privacy law yet, but many states enacted their own.
What are the three types of enforcement actions?
Criminal prosecution: action by government for criminal law violations (Federal-DOJ, State-attorneys general/local district attorneys). Civil litigation: plaintiff sues defendant seeking monetary judgment/injunction. Administrative Actions: carried out pursuant to statutes like Administrative Procedures Act.
What are the five states with comprehensive privacy laws?
California: CCPA (2018), CPRA (2020, effective Jan 1 2023). Colorado: CPA (effective July 1 2023). Connecticut: CTDPA (effective July 1 2023). Utah: UCPA (effective Dec 31 2023). Virginia: VCDPA (effective Jan 1 2023).
What is HIPAA's scope?
Applies to Protected Health Information (PHI) transmitted/maintained in any form, held by covered entity or business associate, identifies individual, created/received by covered entity or employer, relates to past/present/future physical/mental condition, healthcare provision, or payment.
What are HIPAA's two rules?
Security rule: applies only to electronic PHI. Privacy rule: applies to both electronic PHI and non-electronic PHI.
Who enforces HIPAA?
Civil: US Department of Health and Human Services Office of Civil Rights and State AGs. Criminal: US Department of Justice.
What are key protections of HIPAA Privacy Rule?
Privacy notices, authorizations and limits for uses/disclosures of PHI to minimum necessary, access/accounting rights, accountability, security safeguards. Provides most detailed implementation of Fair Information Privacy Practices (FIPPs) but does not preempt state laws.
What is the Fair Credit Reporting Act (FCRA)?
Enacted 1970, substantially updated by Fair and Accurate Credit Transactions Act 2003 (FACTA) which addressed identity theft and preempted state financial privacy laws. Regulates consumer reporting agencies (CRAs): Experian, Equifax, TransUnion. Mandates accurate/relevant data collection. Provides consumers ability to access/correct information. Limits use of consumer reports to defined permissible purposes.
What is the Gramm-Leach-Bliley Act (GLBA)?
Enacted 1999. Supplies general framework for confidentiality of records in financial services sector. Eliminated legal barriers to affiliations among banks, securities firms, insurance companies, other financial services. Added privacy restrictions requiring secured storage of personal financial info, notice to customers of policies, consumers given choice to opt out of sharing some personal info.
What is FERPA?
Family Educational Rights and Privacy Act. Enacted 1974. Generally prevents schools from divulging education records info to parties other than student without consent. Includes FIPPs of notice, consent, access/correction, security/accountability. Important exceptions: campus criminal records, employment records, treatment records, applicant records, alumni records, peer-graded papers before recorded by faculty.
Who holds rights under FERPA?
High schools: parents until student is 18. Colleges/universities: students regardless of age if left high school. Exception: tax purposes when student is dependent.
What are FERPA disclosure exceptions?
School officials with "legitimate educational interest," educational institutions where student enrolled/intends to enroll, connection with financial aid, organizations doing research (usually anonymized), fulfill accrediting duties, alleged victim of forcible/nonforcible sex offense, person/entity that provided/created record, law enforcement or to comply with judicial order/subpoena, appropriate parties in "health or safety emergency."
What is PPRA (Protection of Pupil Rights Amendment)?
Enacted 1998 to address FERPA limitations. Provides certain rights to parents of minors regarding collection of sensitive info from students through surveys. No Child Left Behind Act broadened PPRA to limit collection/disclosure of student survey info. Does not apply to colleges/universities, applies to all K-12 schools receiving federal funding.
How do FERPA and HIPAA interact for health records?
Public elementary/secondary school with nurse for student health: FERPA applies, not HIPAA. Private elementary/secondary school without federal funding: not subject to FERPA, HIPAA applies. University healthcare clinic treating only students: FERPA applies. Clinic treating students and non-students: FERPA for student records, HIPAA for non-student records.
What is the Telephone Consumer Protection Act (TCPA)?
1991 act placing restrictions on unsolicited advertising by telephone/facsimile and robocalls. FCC issued regulations.
What is the Telemarketing Sales Rule (TSR)?
Implemented 1998. Call only between 8am-9pm. Screen and scrub names against national Do Not Call Registry. Display caller ID. Identify themselves and what selling. Comply with special rules for automated dialers.
What is the Do Not Call Registry?
Provides means for US residents to register phone numbers they don't wish called for telemarketing purposes. Most popular consumer program ever implemented by FCC.
What is FOIA (Freedom of Information Act)?
Federal law designed to ensure public access to US government records. Signed by President Johnson 1966. Applies only to executive branch. Nine exemptions including classified documents, trade secrets/financial info, documents related to law enforcement investigations.
What are issues with court records on the Internet?
States and localities provide access to wide range of public records (birth/death, professional/business licenses, real estate ownership, voter registration, many more). Civil/criminal trials generally open for public to attend. Placing court records on internet raised privacy issues. Response: litigants seeking protective orders for personal information. Judge determines what info should not be public and conditions for accessing protected info.
What is GDPR?
General Data Protection Regulation. 2018 updates to comprehensive EU privacy requirements, effective May 2018. More than 150 nations globally have enacted significant privacy laws applying to companies doing business within borders and with citizens. Fines for violations can be very significant (4% of worldwide revenues).
What are the seven key principles of GDPR?
Lawfulness, fairness, and transparency. Purpose Limitation. Data Minimization. Accuracy. Storage Limitation. Integrity and Confidentiality. Accountability.