(CISA) Cyber Threat Indicator
information necessary to describe or identify a malicious cyber threat or vulnerability. Excludes sensitive personal or business information.
(CISA) Defensive Measure
actions, devices, techniques applied to “an information system that detects/prevents/mitigates a cyber threat"
CISA Requirements
must remove personal information not directly related to a cyber threat before sharing
exercise data minimization of PI when collecting and sharing threat information
government agencies may not use information received under CISA for purposes other than the cybersecurity purposes the Act allows
aggregate and anonymize shared information
Privacy & Civil Liberties Oversight Board
oversees and reviews privacy and civil liberty implications within CISA activities.
Government can share technical data about cyber attacks with companies
Right to Financial Privacy Act of 1978
No government authority may have access to, or copies of, the information contained in the financial records of any customer of a financial institution unless the records are reasonably described and at least one of the following applies:
customer authorization
appropriate administrative subpoena
search warrant
judicial subpoena
formal written request from an authorized government authority
Only applies to requests from federal authorities. Most states have a similar requirement.
Laws that override or carve out exceptions include FISA, the PATRIOT Act and the Anti-Money Laundering Act.
Privacy Protection Act
Layer of protection from government searches or seizures throughout a criminal investigation for members of the media.
Only for criminal investigations (not civil)
Violation: statutory damages of $1,000 minimum (or actual damages) plus attorney's fees.
National Security Letters
used narrowly, to obtain certain financial and communication records
Unlike subpoenas, NSLs do not require judicial oversight, only the FBI's own judgment
Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008
provides legal authorization for new surveillance practices
requires more reporting to Congress
grants immunity to telephone companies for records provided to the government
Section 702 of FISA
Only targets non-US persons reasonably believed to be located abroad
No individualized warrant or probable-cause court order is required for each target
Oversight by all 3 branches to ensure US Citizens are protected.
reform is subject to debate.
USA FREEDOM Act
Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act.
Enacted in 2015 as parts of the PATRIOT Act expired, establishing a new process for how and when the FBI submits a FISA court request.
DOJ
Reforms:
prohibits FBI applications for "tangible things" orders unless a specific selection term is used
limits and prohibits FBI applications for tangible-thing production for threat assessments
prohibits bulk pen-register and trap-and-trace collection
yearly transparency report
requires a targeted FISA court order before collecting phone metadata held by carriers
Communications Assistance for Law Enforcement Act (CALEA)
Why: preserve law enforcement's ability to conduct electronic surveillance pursuant to a warrant or other legal authority while protecting privacy outside the scope of the investigation.
Who: telecom carriers
What Info & Uses: wire and e-communications and call-identifying information
Required: carriers must maintain infrastructure that allows lawful government access and keep up-to-date system security and integrity plans
Enforces: FCC
Violations: Fines, Court Orders, Criminal Charges
Cybersecurity Information Sharing Act of 2015 (CISA)
Why: facilitate sharing of cyber threat information
Who: private sector and federal government
What Info & Uses: cyber threat indicators and defensive measures
Required/Prohibited: private entities may share with the government (voluntary). Government can't use the information for other purposes. Shared info should have unrelated PI removed and may be aggregated and anonymized.
Enforces: Department of Homeland Security
Violations: compliance is voluntary
(FISA) Foreign Intelligence Surveillance Act of 1978
Why: establish procedures for surveillance and collection of foreign intelligence on domestic soil
Who: intelligence agencies seeking foreign surveillance
What Info & Uses: any foreign intelligence collected in the US
Required: the government must obtain an order from a judge of the FISA court
Enforces: DOJ
Violations: DOJ may pursue prosecution
USA PATRIOT Act
Why: prevent and respond to terrorist activities by providing law enforcement more capabilities
Who: individuals, foreign terrorist orgs, law enforcement, financial institutions, ISP’s, private business handling sensitive information
What Info & Uses: information related to suspected terrorist activity
Required/Permitted: expanded sharing of foreign intelligence, pen registers and trap-and-trace devices, nationwide search warrants, roving wiretaps, subpoenas, secret court orders
Enforces: DOJ, Homeland Security
Violations: Civil fines and criminal penalties
Covered Entities
those conducting business in the state that, in the ordinary course of such person's business, maintain computerized data that includes personal information.
Breaches
Hacking
Human error
social engineering
malware
unauthorized use
physical actions (theft, skimming)
Breach Notify (Who)
primary: residents at risk
State attorney general
nationwide credit reporting agency
Breach Notify (What)
description
date
type of PI
changes implemented to prevent a recurrence
phone# for questions
steps to protect self
toll-free & address for major credit reporting agencies
toll-free & address for FTC, Attorney General for info on identity theft
*If SSNs were exposed: one free year of credit monitoring (required in some states)
Breach Notify (How)
written mail
phone or email are alternatives
website
major media
Breach Notfiy (penalties)
civil penalties
1/3 of states, the AG can impose fines
many, grant private right to action
CA, statutory damages
FTC Act, Sec 5 (Security)
FTC uses sec.5 power against companies misrepresenting security practices and procedures
Elements of a data destruction law
whom the law applies
required notice
exemptions (HIPAA)
covered media
penalties
California Online Privacy Protection Act (CalOPPA)
first US law requiring commercial websites to post a privacy notice.
laid groundwork for the content and structure of privacy notices today.
Data Breach Notification Law - elements
definition of PI
Definition of covered entities
definition of security breach
whom to notify
when to notify
what to include
how to notify
exceptions and penalties
Data Security & Breach Notification Law (elements)
security measure to protect PI
reasonable standard for security
or safe harbor safeguards
State Law (Controllers)
controllers must have a written contract in place with processors
State Law (Cookies)
some states regulate cookies
each defines consent and opt-out requirements
State Data Broker Law
nevada, california, new jersey
obligations on brokers before they collect, sell or disclose
timeline for breach notification
commonly 45 days, or "as expeditiously as possible and without unreasonable delay"
Telephone Consumer Protection Act 1991 (TCPA)
FCC rule. Statutory damages of $500 per violation (up to $1,500 if willful); FCC enforces, and the FTC enforces the parallel Telemarketing Sales Rule
enacted to reduce unwanted and intrusive communications
2012 rule: prior express written consent required for telemarketing robocalls and autodialed texts
Covered entities: anyone engaged in telemarketing
Info: information involved in solicitations and telemarketing (phone numbers, names, calls, faxes, messages)
private right to action
US National Do Not Call Registry
must be respected and checked every 31-days
civil penalties up to $51,744 per violation (inflation-adjusted)
Exceptions
nonprofits
existing relationships
consent
Safe Harbors for telemarketers
State telemarketing laws
obtain a license
seperate DNC list
identify themselves
end the call without rebuttal when asked
more limited hours
written contract for certain transactions
Louisiana is an example.
TSR or FCC do not preempt stricter state laws
Junk Fax Prevention Act 2005 (JFPA)
prohibits unsolicited advertisements to fax machines
Exceptions: sender has an established business relationship
number was obtained voluntarily from the recipient
ad carries a clear and conspicuous notice on how to request no further ads
enforced by FCC
$500 per violation, up to $1,500 if willful
Controlling the Assault of Non-Solicited Pornography and Marketing Act 2003 (CANSPAM)
applies to all commercial messages; intended to curb unsolicited commercial email
Prohibits:
false or misleading headers
deceptive subject lines
emailing opt-outs
address harvesting
creating multiple email accounts or domains to send spam
transmission through unauth’ed accounts
Requires
clear and conspicuous explanation of how recipients can opt-out
functioning return email address
clear identification of commercial message
valid physical address
warning label for sexually oriented content
opt-out requests must be honored within 10 business days
Cable Communications Policy Act 1984
regulate cable TV by Fed/State/Local authorities
requires cable operators to give customers notice at the time of agreement and annually, covering the nature of PI collected, how it is used, the retention period and how customers can access and correct their own PI
may only collect the minimum PI necessary to provide service or prevent unauthorized reception
no fixed retention period; PI must be destroyed when no longer needed for the purpose collected
Enforced by FCC
Violations are civil penalties
Telecommunications Act 1996
to modernize regulation by promoting competition, encouraging technical innovation and fostering growth of the telecom sector
addresses
misuse of personal records for marketing
primarily telecom carriers and cable operators, plus broadcast companies and ISPs
enforced by FCC
investigate and audit practices and issue warning letters & notices
fines, seize property and implement compliance plans through consent decrees
revoke licenses
Section 222 of the Communications Act (added by the Telecommunications Act of 1996)
restricts access/use/disclosure of customer proprietary network information
CPNI data
subscription information, services used, network and billing information
phone features and capabilities
call logs
NOT CPNI
name
phone #
address
Communications Decency Act 1996
Title V of the Telecommunications Act
regulates indecency and obscenity in cyberspace
Section 230 of CDA - no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider
encourage growth of internet
Immunized platforms from liability for posts/comments from users
Section 230(c)(2) - "Good Samaritan" protection from civil liability for websites that remove or restrict offensive content in good faith
Video Privacy Protection Act 1988
passed in response to concerns raised by Congress after the video rental history of a Supreme Court nominee was published.
Applies to video tape service providers
regulates the disclosure and sharing of video rental records containing personally identifiable information
VPPA prohibits video tape service providers from disclosing PI
mandates data be destroyed no later than one year after it is no longer needed for the purpose collected
private right of action - civil lawsuit
liquidated damages of at least $2,500
VPPA Ammendments of 2012 (H.R. 6671)
digital platforms (netflix) and social media integration
one-time consumer consent to ongoing disclosure, valid for up to 2 years
despite the amendment, courts have held that disclosure of online streaming history can violate the VPPA
Driver Privacy Protection Act (1994)
response to state DMV selling driver information
limits disclosure of PI obtained from state DMV
Permitted if:
legal proceedings
vehicle product alterations and recalls
towed/impounded vehicles
licensed private investigator
consent
insurance
research and stat’s
employment
PI includes
photo
ssn
driver id
name
address (but not the 5-digit ZIP code)
phone
medical
Does not include
car accidents
driving violations
driving status
DPPA enforced by the Attorney General; civil penalties up to $5,000 per day of substantial noncompliance by a DMV, plus criminal fines
Digital Advertising Alliance (DAA)
nonprofit that establishes and enforces “responsible privacy practices in digital advertising, providing consumers with transparency and control”
self-regulatory with guidelines
consumer management of opt outs
Network Advertising Initiative Code of Conduct (NAI Code of Conduct)
self regulatory principles that NAI members agree to uphold
requires notice & choice
limits types of data use for advertising
restricts member companies collection, use and transfer regarding advertising
Digital Advertising Ethics
dark patterns: recurring design patterns used to manipulate individuals into giving up PI
web scraping is an ethical issue
caution with children
should data be collected
should not be targeted with ads
Child = 6-12
? = 13-18
Telemarketing Sales Rule
$11,000 per violation (historical figure; now inflation-adjusted)
FTC enforced
require or prohibit
calls only between 8 a.m. and 9 p.m. local time
identify their org and reason for call
disclose information about goods or services
follow payment processing rules
Health Insurance Portability and Accountability Act
Why
create national standard that protect patient health information in clinical settings while also allowing for the sharing of health information
Who
health care providers, health plans, clearinghouses
Info & Uses
any medical record information that can be used to identify an individual…created, used or shared while providing health services
Required or Prohibited
may not use or disclose PHI unless permitted by the Privacy Rule or authorized in writing
must comply with individual rights over protected health information (Access, Portability and correction)
Enforces
Health and Human Services (HHS) Office for Civil Rights (OCR)
Noncompliance
criminal provisions of HIPAA: OCR refers the complaint to DOJ
otherwise: voluntary compliance, corrective action or a resolution agreement
OCR may impose civil money penalties
Health Information Technology for Economic and Clinical Health Act (HITECH)
Why
promote and expand adoption of health information technology and create a nationwide network of electronic health records (EHRs)
Who
same as HIPAA
health providers, health plans, clearinghouses
Info & Uses
electronic health records
protected health info and data
Required or Prohibited
HIPAA covered entities must report breaches affecting 500 or more people to HHS, the media and the affected individuals
additional notification duties on covered entities when unsecured PHI is involved in a breach
Enforces
Health and Human Services (HHS)
Noncompliance
tiered ranges of minimum and maximum fines
up to $1.5 million per identical provision per calendar year (inflation-adjusted)
Confidentiality of Substance Use Disorder Patient Records Rule (42 CFR Part 2)
Why
protect substance use disorder treatment records
Who
anyone except Veterans/Armed Forces/Part 2 Programs/Investigations
Info & Uses
any record that identifies a patient as having substance use disorder after the 70’s
Required or Prohibited
substance use disorder patient records cannot be used or disclosed in Federal, State or local proceedings without patient consent or a qualifying court order
record keepers must have security policies in place
procedures to obtain consent from patients
Enforces
Health and Human Services (HHS)
Noncompliance
Civil penalties up to 50,000
21st Century Cures Act
Why
Facilitate and accelerate the discovery/development/delivery of medical innovations and cures
provide patients with full access to their health records via interoperability
Authorizes (NIH, HHS, FDA and Office of National Coordinator for Health Info Tech) to collaborate
implementing regulation known as the Cures Act Final Rule
Who
health providers, health IT, e-HR vendors, health info exchange networks
Info & Uses
eHR’s
past/present/future physical or mental health
provision of health care to individual
past/present/future payment of provision of health care
Required or Prohibited
build government-certified data paths and data-sharing standards, and facilitate access to clinical notes
organizations cannot interfere with access and exchange of EHI ("information blocking")
there are exceptions
Enforces
Office National Coordinator (ONC) fields complaints
HHS Office Inspector General (OIG) enforces info blocking
Noncompliance
civil monetary penalties
Certification Ban for Health IT developers
HIPAA Privacy Rule
Modified by HITECH
Must provide a detailed privacy notice at first service delivery
Uses and disclosures not permitted by the Privacy Rule require written authorization (opt-in)
Right to access a copy of their own PHI and amend
Must have administrative, physical and technical safeguards
Personnel must be trained
de-identified health info is not PHI; two methods:
safe harbor: remove the 18 listed identifiers (with the special rules for 3-digit ZIP codes, year-only dates and ages over 89)
expert determination: a qualified expert certifies that the re-identification risk is very small
Research can occur with consent (or under IRB/privacy board waiver)
PHI may be disclosed without authorization for:
public health activities
reports of abuse, neglect or domestic violence
judicial and administrative proceedings
to lessen a serious and imminent threat
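The safe-harbor method above is the one piece of HIPAA a privacy engineer actually has to implement. The following is an added example (not code from these notes or from HHS) that applies the 18-identifier rule to a patient record and handles the three edge cases that are easy to get wrong: 3-digit ZIP codes for sparsely populated areas collapse to 000, dates keep only the year, and ages over 89 are aggregated into a single 90+ bucket (which also means the birth year has to go for those patients). Field names, the `RESTRICTED_ZIP3` sample set and the sample records are assumptions constructed for the example; the authoritative list of restricted ZIP3 areas comes from Census data.

```python
"""Safe-harbor de-identification of a patient record (HIPAA, 45 CFR 164.514(b)(2)).

Added example, not code from the original notes. Field names and the
RESTRICTED_ZIP3 sample are assumptions chosen for illustration.
"""
from datetime import date
from typing import Any

# Fields kept verbatim: nothing here identifies an individual on its own
# (assumption: this is the whitelist a data-release review agreed on).
ALLOWED_FIELDS = {"state", "sex", "diagnosis_code", "lab_value"}

# Dates tied to the individual (other than birth date, handled separately):
# safe harbor allows only the year to survive.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}

# 3-digit ZIP prefixes whose area holds 20,000 or fewer people must be
# reported as 000. Constructed sample; the real list comes from Census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692",
                   "790", "821", "823", "878", "879", "884", "893"}

# As-of date used to turn a birth date into an age (constructed).
AS_OF = date(2024, 3, 1)


def deidentify_zip(zip_code: str) -> str:
    """Keep only the first three ZIP digits; collapse restricted areas to 000."""
    zip3 = zip_code.strip()[:3]
    if not (len(zip3) == 3 and zip3.isdigit()) or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def age_on(dob: date, asof: date) -> int:
    """Whole years between dob and asof (birthday not yet reached counts one less)."""
    years = asof.year - dob.year
    if (asof.month, asof.day) < (dob.month, dob.day):
        years -= 1
    return years


def bucket_age(age: int) -> str:
    """Safe harbor: ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def safe_harbor(record: dict[str, Any], asof: date = AS_OF) -> dict[str, Any]:
    """Return a copy of record with the 18 safe-harbor identifier categories removed.

    Deny-by-default: any field not explicitly allowed or transformed is dropped,
    which also covers the 18th category ("any other unique identifying number,
    characteristic, or code") without needing a list of every possible key.
    """
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in ALLOWED_FIELDS:
            out[field] = value
        elif field == "zip":
            out["zip3"] = deidentify_zip(str(value))
        elif field in DATE_FIELDS and isinstance(value, date):
            out[field.replace("_date", "_year")] = value.year
        # names, SSN, MRN, street/city, phone, email, IP, device IDs, photos,
        # free text and anything unrecognised fall through and are dropped.
    dob = record.get("dob")
    if isinstance(dob, date):
        age = age_on(dob, asof)
        out["age"] = bucket_age(age)
        # Birth year alone is permitted, but for a 90+ patient it would reveal
        # the true age when combined with the as-of year, so it is dropped too.
        if age <= 89:
            out["birth_year"] = dob.year
    return out


# Constructed sample records: one ordinary patient, one 90+ patient living in
# a sparsely populated ZIP3 area.
SAMPLE_RECORDS = [
    {
        "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001",
        "street": "1 Main St", "city": "Springfield", "state": "CA", "zip": "94110",
        "dob": date(1980, 8, 20), "sex": "F", "diagnosis_code": "I10",
        "admission_date": date(2024, 3, 1), "ip_address": "10.1.2.3",
        "lab_value": 5.4,
    },
    {
        "name": "John Roe", "mrn": "MRN-0002", "state": "VT", "zip": "05901",
        "dob": date(1930, 5, 10), "sex": "M", "diagnosis_code": "E11",
        "discharge_date": date(2024, 2, 15), "device_serial": "PM-77-1234",
    },
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(safe_harbor(rec))
```

Safe harbor is a floor, not a guarantee: the rule also requires that the covered entity have no actual knowledge the remaining data could identify the individual, so a rare diagnosis code combined with a 3-digit ZIP and a 90+ age bucket may still need the expert-determination route.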
HIPAA Security Rule
Modified by HITECH
designed to require implementation of reasonable security measures (technology-neutral)
Policies, procedures to prevent/detect/contain/correct security violations
Requirements
ensure confidentiality, integrity and availability of ePHI
protect against any reasonably anticipated threats
protect against any reasonable anticipated uses or disclosures
identify an individual responsible for security
conduct initial and ongoing risk assessments
implement security awareness and training programs
HIPAA does not preempt stricter state law; also review state law to ensure compliance
HIPAA Breach Notification
exceptions
info was unintentionally acquired/accessed/used by a workforce member acting in good faith within their scope
info accidentally disclosed between two authorized individuals
the unauthorized person who saw the information could not reasonably have retained it
Notification requirements
business associates must report any breaches to covered entity
covered entities must notify
individuals without unreasonable delay and within 60 days
media if 500 or more residents of a state or jurisdiction are affected
HHS Secretary within 60 days if 500 or more are affected, otherwise annually (within 60 days of the end of the calendar year)
GINA Title 1
prohibits health insurers from using genetic test results or genetic predisposition to set premiums, determine eligibility or deny coverage
GINA Title II
prohibits employment discrimination based on genetic information, including family medical history (family members who have manifested a disease)
prohibits employers from requesting or requiring genetic information
GINA and other Laws
Employee Retirement Income Security Act (ERISA)
prohibits health plan providers from adjusting premiums based off genetics
allows for gov enforcements
Public Health Services Act
similar to ERISA but to health insurance market
Social Security Act
Similar to ERISA but Medicare
Civil Rights Act
employment discrimination
discrimination against individuals based on a family member with a disease
employers requiring genetic info
Gaps in HIPAA
mobile device
apps/wearable fitness tracker
Washington’s “My Health My Data” Act
broad definitions of consumer/covered data and health care services
Applies to any legal entity that conducts business in Washington or targets Washington consumers and determines the purpose and means of collecting, processing, sharing or selling consumer health data
Excluded
gov
tribal nations
contracted service providers
Legal Basis
consent or necessity
written & signed auth
prohibits geofencing around facilities that provide in-person health care services
limited right to deletion
right of action***
other states
nevada
connecticut
Illinois Genetic Information Privacy Act (GIPA)
1998
prohibits employers from conditioning employment on genetic information
private right of action
statutory damages of $2,500 per negligent violation (more for intentional violations)
Childrens Online Privacy Protection Act (COPPA)
Why
protect online privacy of children under 13
Who
website operators/services directed to children
website operators/services with known PI of children
What
PI collected from a child online
Require / Prohibit
prohibits unfair or deceptive acts in the collection, use and disclosure of children's PI
must obtain verifiable parental consent
Enforced
FTC
State AG
Noncompliance
enforcement actions and financial penalties
Family Educational Rights and Privacy Act (FERPA) (Buckley Amendment)
Why
protect student education records
Who
schools that receive funds from the Department of Education
What
student education records (parent info, home, contacts, schedule)
directory info (name, address, phone, DOB, attendance)
Require / Prohibit
schools may disclose directory info
must give notice and a reasonable time for parents/students to opt out before disclosing it
Annual notice of rights under FERPA
Enforced
department of education
Noncompliance
loss of federal funding (grants and aid)
State Children’s Online Privacy Law
California
under age 16: opt-in consent required before selling personal information (CCPA)
Age-Appropriate Design Code Act (under 18): services must consider children's best interests in design
CA and Delaware
minors can request removal of info
prohibit online ads to minors for products minors cannot legally buy
restrict certain ad practices
Colorado and Connecticut
regulate processing of a known child
Texas, Arkansas, Utah
social media requirements for under 18
Amendments to FERPA
Protection of Pupil Rights Amendment (PPRA) 1978
governs student surveys, analyses or evaluations involving sensitive info (political affiliations, sex, etc.)
No Child Left Behind Act (2002-2015)
broadened PPRA
enact policies around collect/use/disclose
parents can access surveys
notice for parents
right to opt out
Every Student Succeeds Act (2015 - present)
replaced NCLB
Sec.8545 - student info should not be shared to non-school-officials without clear notice to parents
Sec.9548 - ensure each grantee understands this Act and their responsibilities
Fair Credit Reporting Act (FCRA)
Why
Promote fair practices and accurate credit reporting to protect consumers
Who
Lenders, Credit Reporting agencies, consumers
What
info related to credit reports, consumer investigatory reports and employment background checks
holds agencies accountable for how they use credit-related data
Required or Prohibited
allow consumers yearly access
cannot report outdated info (most negative items older than 7 years)
correct errors in timely manner
how info is obtained, retained, shared
Enforced
FTC
Consumer Financial Protection Bureau (CFPB)
Noncompliance
Fines
Damages
Misc
background: credit reporting grew after WWII; by the 1960s secret, inaccurate reports were harming consumers, prompting the 1970 Act
Access and Correct info
Fair and Accurate Credit Transactions Act (FACTA) (2003)
Why
Amends FCRA
improve accuracy of consumer credit records
protect from identity theft
Who
all businesses with covered accounts
covered accounts = anything with foreseeable risk to ID Theft
Primarily 3 credit agencies
What
CCN, Credit Reports, PII
Required or Prohibited
1 free credit report per year
provide risk-based pricing notices and credit scores connected to denials or less favorable credit terms
allow for fraud alerts
block reporting of info suspected of originating from fraud
truncate card numbers on receipts (no more than the last 5 digits, no expiration date)
Credit Score explanation
Enforced
FTC
Noncompliance
audit by FTC
penalties
fines
Gramm-Leach-Bliley Act (GLBA)
Why
Require financial institutions to explain their info-sharing practices to customers
Respect consumer privacy
establish administrative, technical and physical safeguards
Securely store Financial info
notice of policy
right to opt-out of sharing
Who
financial institutions that offer consumer financial products or services (investments/loans/insurance)
What
NPPI about consumers
Required or Prohibited
prohibits disclosure of NPPI to 3rd parties
unless notice and opt-out are given
provide notice of policies and practices
Enforced
FTC
Consumer Financial Protection Bureau (CFPB) rulemakers
Noncompliance
fines
individuals (officers and directors) can be fined and imprisoned
Misc
Also the “Financial Services Modernization Act of 1999”
Dodd-Frank Wall Street Reform and Consumer Protection Act (2010)
Why
Reform and Regulate the financial market
protect consumers
create the Consumer Financial Protection Bureau (CFPB)
response to 2008 crisis
Who
entities in the financial sector
banks, insurers, investment firms, mortgage lenders, credit agencies
What
NPPI from GLBA
Required or Prohibited
amended GLBA
privacy notices
opt out of disclosure to 3rd party
more contractual safeguards
collection and maintenance requirements for swap data reporting
Enforced
CFPB (institutions with more than $10 billion in assets)
FTC
SEC
Commodity Futures Trading Commission
State AG (Civil)
Noncompliance
Same as GLBA, plus tiered per-day penalties:
about $6k per day for any violation
about $34k per day for a reckless violation
about $1.3m per day for a knowing/willful violation
Goals of Financial Privacy Law
Confidentiality
Security
Law and Regulation
Federal Reserve Board
Enforces financial privacy provisions under specific mandates (e.g., GLBA)
Consumer Financial Protection Bureau
CFPB
independent bureau housed within the Federal Reserve System
Rulemaking authority for laws related to financial privacy
oversee relationship between consumer and financial product & service providers
Office of the Comptroller of the Currency
OCC
Independent bureau of the US Department of the Treasury
Regulate and supervise national and Fed Banks
Fair access to financial services and compliance with law
Adverse Action
defined broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact
Consumers must be notified of the reason for the adverse action and informed of their right to dispute
Investigative Consumer Reports
contain info about a consumer’s:
character
general reputation
characteristics
mode of living
info obtained through interviews
FACTA Disposal Rule
Anyone who uses a consumer report must dispose of that consumer information in a way that prevents unauthorized access and misuse
Scope: electronic and written records (reporting agencies, insurers, landlords, car dealers, attorneys, government)
Disposal: discarding or abandoning information, and the sale, donation or transfer of media containing consumer info
Standard: reasonable measures to protect against unauthorized access or use
Enforcement: FTC, federal banking regulators, CFPB
FACTA Red Flags
Goal: prevent, detect and mitigate identity theft
Requires: entities to develop and implement identity theft prevention programs that identify and respond to "red flags" signaling identity theft
For: financial institutions and creditors; after the Red Flag Program Clarification Act of 2010, professionals who merely bill after service (e.g., lawyers, health providers) are not "creditors"
Typically:
alerts or notifications from reporting agency
suspicious documents
suspicious PI
unusual use of account
GLBA Privacy Rule
standard for privacy notices
Initial and annual notice
process opt-outs within 30 days
may share info with affiliated companies if notice requirements are met and opt-out is offered
may share with nonaffiliated companies after disclosing info-sharing practices to consumers and opt-out is offered
Notice Standard
What info
Whom shared
How it protects
Explanation of opt-out
Fixing America’s Surface Transportation Act (FAST)
amended Section 503 of GLBA
exception to annual privacy notice for certain criteria
nonpublic info is only shared with nonaffiliated third parties under exceptions that do not require a consumer opt-out
no change in policies since the last notice
GLBA Safeguards Rule (2003)
develop and implement Info Security Program
Admin
program
Risk Management
Training
Vendor oversight
Tech
systems, networks and applications
access controls
encryption
Physical
facilities
environmental safeguard
continuity and disaster recovery
Designated employee to coordinate safeguards
program to monitor and test
ID and assess risk
California Financial Info Privacy Act (SB-1)
expands protection under GLBA
increases disclosure requirements
grants consumers increased rights
written opt-in consent
opt-out sharing
Fines: $2,500 per violation, up to $500,000 total for negligent violations
willful noncompliance: no cap
Goal of anti-money laundering Law
“follow the money” - through recordkeeping, will detect and deter illegal activity and provide evidence of proving illegality
Stems from the Bank Secrecy Act of 1970, which targeted large cash transactions
Bank Secrecy Act (1970)
BSA or ‘Currency and Foreign Transactions Reporting Act of 1970’
targets organized crime // large cash transactions
Requires banks to file Currency Transaction Reports for cash transactions over $10,000 and Suspicious Activity Reports for suspicious activity
Record purchases of monetary instruments (cashier's checks, money orders) made with $3,000 or more in cash
retain name, address, amount, purpose and date for $10,000+ transactions
retain records for 5 years
applies to deposits, transfers and payment orders
Enforced by Dept of Treasury — Financial Crimes Enforcement Network
Fines and up to 10yr in prison
Constitutional Law (Employment)
do not affect private-sector
provide privacy protections to gov employees
4th Amendment prohibits unreasonable search: a government employer can't search an employee's private space (locker, desk) where the employee has a reasonable expectation of privacy
CA has extended these rights to private-sector
Fed Laws Prohibiting Discrimination
Civil Rights Act
Pregnancy Discrimination Act
Americans with Disabilities Act
Age Discrimination in Employment Act (40 and over)
Equal Pay Act
Genetic Information Nondiscrimination Act
Fed Laws for Employee Benefits management
Health Insurance Portability and Accountability Act (HIPAA)
Consolidated Omnibus Budget Reconciliation Act (COBRA)
Employee Retirement Income Security Act
Family and Medical Leave Act
Regulatory Bodies that protect employee privacy
Dept of Labor
Equal Employment Opportunity Commission
FTC
Securities and exchange Commission
National Labor Relations Board
State Department of Labor
Privacy before Employment
Background screening
Equal Employment Opportunity Commission: ensure screenings are job related
ensure screenings are compliant with law and relevant
reasons vary: work with children, the elderly or the disabled; fitness for the role; catching inflated resumes
Background Screenings
Fair Credit Reporting Act (FCRA)
must have permissible purpose for obtaining a consumer report
screening for promotion, reassignment, retention
permits investigative consumer reports
requires standalone written notice and written consent before obtaining the report
Adverse Action requires notice, copy and opportunity for dispute
private right of action
Privacy During Employment
Employee Polygraph Protection Act of 1988 - federal protection prohibiting lie detector tests in the private-sector workplace
Psychological tests may measure honesty/preferences/habits but may not be used as medical exams (e.g., diagnosing depression); very limited
Substance testing - not regulated by federal law (alcoholism is considered a disability under the ADA)
Lifestyle Discrimination
weight
morbid obesity (100+ lbs overweight) may be treated as a disability under the ADA
EEOC has pursued discrimination based on obesity resulting from a physiological disorder
Smoking
no Fed law
state limit bans
wellness programs
must not be an avenue for discrimination
Communications and Employee Monitoring
Electronic Communications Privacy Act
prohibits intercepting wire, oral and electronic communications
Stored Communications Act
prohibits unauthorized access to, alteration of, or blocking of stored communications
Postal Mail
Location-based services/geolocation data
telephony
6 Questions to a Law
Why does this law exist
Who is covered
What type of information are covered
what is required or prohibited
who enforces the law
what happens if I don't comply
Co-Regulatory
emphasizes industry development of enforceable codes or standards for privacy against a backdrop of legal requirements.
co-regulation can exist under both comprehensive and sectoral models
example: Childrens Online Privacy Protection Act (COPPA). Allows compliance with codes to be sufficient for compliance with the statute once the codes have been approved by FTC
Self-regulatory
codes created by a company, industry or independent body
no statutory mandate
Example: Payment Card Industry (PCI) or Trust marks and seal (TrustArc)
Personal Information
any information that identifies or could identify a living individual
Fair Information Practices
Rights of individuals
Controls on the information
Information Life Cycle
Management
Organisation for Economic Co-operation and Development (OECD) Guidelines - Collection Limitation Principle
Limits to the collection of personal data. obtained by lawful and fair means.
ideally, with knowledge and consent
OECD Guidelines - Data Quality Principle
Personal data should be relevant to the purposes for which they are used and should be accurate, complete and up to date
OECD Guidelines - Purpose Specification Principle
purposes for collection should be specified no later than at the time of collection
OECD Guidelines - Use Limitation Principle
personal data should not be disclosed or used for any purpose other than those specified, except with consent or by authority of law
OECD Guidelines - Security Safeguards Principle
personal data should be protected by reasonable security safeguards against risks such as unauthorized access, destruction, use, modification or disclosure
OECD Guidelines - Openness Principle
general policy of openness about developments, practices and policies with respect to personal data