The Certified Information Privacy Professional/United States (CIPP/US) (CIPP-US)

 The CCPA applies to any business that collects personal information of California residents, regardless of where the business is located 1 .  The CCPA defines personal information broadly as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household 2 .  This could include business contact information, such as name, email address, phone number, or job title, if it is linked to a specific individual 3 .  Therefore, Otto should tell the Board that business contact information could be considered personal information governed by CCPA, and that the company may need to comply with the CCPA requirements, such as providing notice, honoring consumer rights requests, and implementing reasonable security measures 4 .  References:

CIPP/US Practice Questions (Sample Questions) , Question 124, Answer C, Explanation C.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6, Section 6.2, p. 181-182.

California Consumer Privacy Act (CCPA) , Section 1798.140, Subsection (o).

CCPA Compliance Checklist for Businesses , Section 2, Subsection (a).

The GLBA prohibits financial institutions from disclosing a consumer’s account number or similar form of access number or access code to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. This restriction is intended to prevent unauthorized access to a person’s bank account by third parties who may use the account number to initiate fraudulent transactions or identity theft. The GLBA also requires financial institutions to implement safeguards to protect the security, confidentiality, and integrity of customer information, and to notify customers and regulators in the event of a security breach involving such information.  References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.3: Financial Privacy, p. 49-50

IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.C: Identify the privacy requirements for financial institutions, Subobjective II.C.2: Identify the restrictions on disclosure of account numbers, p. 14

IAPP CIPP/US Exam Blueprint, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.C: Identify the privacy requirements for financial institutions, Subobjective II.C.2: Identify the restrictions on disclosure of account numbers, p. 5

The Global Privacy Enforcement Network (GPEN) is a network for privacy enforcement authorities (PEAs) to share knowledge, experience and best practices on the practical aspects of privacy enforcement and cooperation. GPEN was created in response to the OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy, which called for member countries to foster the establishment of an informal network of PEAs. GPEN’s main purpose is to facilitate cross-border cooperation and coordination among PEAs, especially in cases involving multiple jurisdictions or regions. GPEN also aims to enhance information sharing, promote awareness and education, and support capacity building among PEAs.  References:

Home (public) | Global Privacy Enforcement Network

Global Privacy Enforcement Network - International Association of Privacy Professionals

International Partnerships - Office of the Privacy Commissioner of Canada

Specialised networks – Global Privacy Assembly

Action Plan for the Global Privacy Enforcement Network (GPEN)

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.

The strongest example of excessive monitoring by the employer is C. An employer who installs video monitors in physical locations, such as a changing room, to reduce the risk of sexual harassment. This would be considered an unreasonable invasion of employees’ privacy, as it would violate their legitimate expectation of privacy in a place where they change their clothes. Such monitoring would also likely violate the Electronic Communications Privacy Act (ECPA), which prohibits the interception of oral communications without consent or authorization. Moreover, such monitoring would not be justified by a legitimate business interest, as there are less intrusive ways to prevent or address sexual harassment, such as policies, training, and reporting mechanisms.  References:

[IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 109-110.

IAPP CIPP/US Body of Knowledge , Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 1: Employee Monitoring.

IAPP CIPP/US Practice Questions , Question 134.

The FTC has stated that it is a deceptive practice to make retroactive changes to a privacy policy that affect how a company uses or shares previously collected personal information, unless the company obtains affirmative consent from the affected consumers. This means that the company must clearly and conspicuously disclose the changes and obtain the consumers’ express agreement to them. Simply describing the policy changes on the website, publicizing them through social media, or reassuring customers of the security of their information are not sufficient to comply with the FTC’s position.  References:

FTC Staff Revises Online Behavioral Advertising Principles , paragraph 3.

Do I really have to obtain consent from all my customers to make a change to my privacy policy? , paragraph 2.

IAPP CIPP/US Study Guide, page 64.

 The most important step for the HR department to take when implementing this new software is to provide notice to employees that their emails will be scanned by the software and creating automated profiles. This is because the software involves the collection and use of personal information from employees, which may implicate their privacy rights and expectations. By providing notice, the HR department can inform employees about the purpose, scope, and consequences of the software, as well as their choices and rights regarding their data. Notice is also a key element of transparency and accountability, which are essential principles of privacy management. Providing notice can also help the HR department comply with various privacy laws and regulations that may apply to the software, such as the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Fair Credit Reporting Act (FCRA), and state privacy laws. Notice can also help the HR department avoid potential legal risks and liabilities that may arise from the software, such as claims of invasion of privacy, breach of contract, or violation of employee rights.  References:

U.S. Private-Sector Privacy, Third Edition  by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 4, Section 4.2.1, pp. 97-98.

U.S. Private-Sector Privacy, Third Edition  by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 5, Section 5.2.1, pp. 125-126.

U.S. Private-Sector Privacy, Third Edition  by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 6, Section 6.2.1, pp. 153-154.

IAPP CIPP/US Certified Information Privacy Professional Study Guide  by Mike Chapple and Joe Shelley, Chapter 4, Section 4.1, pp. 113-114.

Phishing is a form of social engineering that involves sending fraudulent emails or other messages that appear to come from a legitimate source, but are designed to trick recipients into revealing sensitive information, such as passwords, account numbers, or personal identifiers 1 .  Phishing is one of the most common and effective methods of cyberattacks, and it can lead to data breaches, identity theft, ransomware infections, or other serious consequences 2 .  Therefore, training on how to recognize and avoid phishing attempts is crucial for any organization that handles sensitive data, especially ePHI, which is subject to strict regulations under HIPAA 3 . Training on techniques for identifying phishing attempts can help employees to spot the signs of a phishing email, such as:

Sender’s address or domain name that does not match the expected source or contains spelling errors 4

Generic salutations or impersonal tone that do not address the recipient by name or use proper grammar 4

Urgent or threatening language that creates a sense of pressure or fear and asks the recipient to take immediate action, such as clicking on a link, opening an attachment, or providing information 4

Suspicious links or attachments that may contain malware or lead to fake websites that mimic the appearance of a legitimate site, but have a different URL or request login credentials or other data 4

Requests for sensitive information that are unusual or out of context, such as asking for passwords, account numbers, or personal identifiers that the sender should already have or should not need 4

Training on techniques for identifying phishing attempts can also help employees to learn how to respond to a phishing email, such as:

Not clicking on any links or opening any attachments in the email 4

Not replying to the email or providing any information to the sender 4

Reporting the email to the IT department or security team and deleting it from the inbox 4

Verifying the legitimacy of the email by contacting the sender directly using a different channel, such as phone or another email address 4

Updating the antivirus software and scanning the device for any malware infection 4

Training on techniques for identifying phishing attempts is the most effective kind of training that CloudHealth could have given its employees to help prevent this type of data breach, because it would have enabled them to recognize the phishing email that compromised the PHI of more than 10,000 HealthCo patients, and to avoid falling victim to it. Training on the terms of the contractual agreement with HealthCo, the difference between confidential and non-public information, or CloudHealth’s HR policy regarding the role of employees involved in data breaches, while important, would not have been as effective in preventing this specific type of data breach, because they would not have addressed the root cause of the breach, which was the phishing email.

References:

1 : IAPP, Phishing, https://iapp.org/resources/glossary/phishing/

2 : SpinOne, The Top 5 Phishing Awareness Training Providers 2023, https://spinbackup.com/blog/phishing-awareness-training-best-providers/

3 : IAPP, HIPAA, https://iapp.org/resources/glossary/hipaa/

4 : Expert Insights, The Top 11 Phishing Awareness Training and Simulation Solutions, https://expertinsights.com/insights/the-top-11-phishing-awareness-training-and-simulation-solutions/

The Privacy Protection Act of 1980 (PPA) is a federal law that protects journalists and newsrooms from search and seizure by government officials in connection with criminal investigations or prosecutions. The PPA prohibits the government from searching for or seizing any work product materials or documentary materials possessed by a person who intends to disseminate them to the public through a newspaper, book, broadcast, or other similar form of public communication, unless certain exceptions apply. The PPA was drafted in response to the Supreme Court’s decision in Zurcher v. Stanford Daily, which upheld the constitutionality of a police search of a student newspaper’s office without a subpoena, based on probable cause that the newspaper had evidence of a crime.  The PPA was intended to protect the First Amendment rights of the press and the privacy interests of journalists and their sources from unreasonable government intrusion 1 2 3 .  References:

1 : IAPP, Privacy Protection Act of 1980, https://epic.org/the-privacy-protection-act-of-1980/

2 : DOJ, Privacy Protection Act of 1980, https://www.justice.gov/archives/jm/criminal-resource-manual-661-privacy-protection-act-1980

3 : Wikipedia, Privacy Protection Act of 1980, https://en.wikipedia.org/wiki/Privacy_Protection_Act_of_1980

California’s SB 1386, also known as the California Security Breach Information Act, was enacted in 2002 and became effective in 2003. It was the first law of its kind in the United States to require commercial entities that own or license personal information of California residents to notify them in the event of a security breach that compromises their unencrypted data. The law aims to protect the privacy and security of personal information and to enable individuals to take preventive measures against identity theft and fraud. The law applies to any business or person that conducts business in California and that owns or licenses computerized data that includes personal information, as defined by the law. Personal information includes an individual’s first name or first initial and last name in combination with any one or more of the following data elements: Social Security number, driver’s license number or California identification card number, account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or medical information or health insurance information. The law does not apply to encrypted information, publicly available information, or information that is lawfully obtained from federal, state, or local government records. The law requires the disclosure of a breach of the security of the system to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The disclosure may be made by written notice, electronic notice, or substitute notice, as specified by the law. The law also requires any person or business that maintains computerized data that includes personal information that the person or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The law also authorizes a civil action for damages by a customer injured by a violation of the law and provides that the rights and remedies available under the law are cumulative to each other and to any other rights and remedies available under law.  References:

California Senate Bill 1386 (2002)

California SB 1386: For the Love of Privacy

What Is the California Security Breach Information Act?

California Raises the Bar on Data Security and Privacy