CIPP-US Certified Information Privacy Professional/United States (CIPP/US) Questions and Answers

In 2012, the White House released a report titled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”, which proposed a Consumer Privacy Bill of Rights based on the Fair Information Practice Principles (FIPPs). The report called for a comprehensive privacy framework that would apply to all commercial sectors and all personal data, regardless of the technology or business model involved. The report also urged Congress to enact legislation to implement the framework and empower the FTC to enforce it. Similarly, the FTC released a report titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”, which outlined a set of best practices for businesses to protect consumer privacy and foster innovation. The report also advocated for a comprehensive privacy framework that would cover both online and offline data, and apply to all entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or device. The report also recommended that Congress consider enacting baseline privacy legislation and giving the FTC rulemaking authority to implement it. Therefore, both reports can be described as advocating a comprehensive approach to privacy enforcement, rather than a harm-based, self-regulatory, or notice and choice approach. References: White House Report, FTC Report, IAPP CIPP/US Study Guide (p. 31-32)

 The U.S. Constitution plays a limited role in the area of workplace privacy, because it mainly applies to the actions of the government, not private employers. The Fourth Amendment protects the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures1. The Supreme Court has interpreted this right to include a reasonable expectation of privacy in certain situations, such as in one’s home, car, or personal belongings2. However, this right does not extend to private-sector employees, who are not protected by the Constitution from the actions of their employers, unless the employer is acting as an agent of the government3. Private-sector employees may have some privacy rights under state laws, common law, or contractual agreements, but these vary depending on the jurisdiction and the circumstances4.

Public-sector employees, on the other hand, are protected by the Constitution from unreasonable searches and seizures by their employers, who are considered part of the government. Public-sector employees have a reasonable expectation of privacy in their workplace, unless there is a legitimate work-related reason for the search or seizure, such as to ensure safety, security, or efficiency. Public-sector employers must also comply with the due process and equal protection clauses of the Fifth and Fourteenth Amendments, which prohibit the government from depriving any person of life, liberty, or property without due process of law, or from denying any person the equal protection of the laws. These clauses protect public-sector employees from arbitrary or discriminatory actions by their employers that affect their employment status or benefits.

Therefore, the U.S. Constitution plays a significant role in the area of workplace privacy for federal and state governments, but not for private-sector employment, because it only regulates the actions of the government, not private actors. References:

1: Cornell Law School, Fourth Amendment, https://www.law.cornell.edu/constitution/fourth_amendment

2: FindLaw, What Is a Reasonable Expectation of Privacy?, https://www.findlaw.com/criminal/criminal-rights/what-is-a-reasonable-expectation-of-privacy.html

3: FindLaw, Workplace Privacy, https://www.findlaw.com/smallbusiness/employment-law-and-human-resources/workplace-privacy.html

4: Nolo, Privacy Rights of Employees, https://www.nolo.com/legal-encyclopedia/privacy-rights-employees-29849.html

: OPM, Employee Relations, https://www.opm.gov/policy-data-oversight/employee-relations/reference-materials/employee-privacy/

: Cornell Law School, Fifth Amendment, https://www.law.cornell.edu/constitution/fifth_amendment

: FindLaw, Public Employees and the Constitution, https://www.findlaw.com/employment/employment-rights/public-employees-and-the-constitution.html

 The most likely reason that states have adopted their own data breach notification laws is that many types of organizations are not currently subject to federal laws regarding breaches. As explained in the Data Breach Response: A Guide for Business from the Federal Trade Commission (FTC), certain federal laws govern obligations to report data breaches in particular industries, such as health care, financial services, or telecommunications. However, these laws do not cover all types of businesses or all types of personal information that may be compromised in a data breach. Therefore, states have enacted their own data breach notification laws to fill the gaps and protect the privacy andsecurity of their residents. According to the National Conference of State Legislatures, as of January 2022, all 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. These state laws vary in terms of the definitions of personal information, the triggers for notification, the methods and timing of notification, the exemptions and exceptions, and the penalties and enforcement mechanisms.

References: 1: Data Breach Response: A Guide for Business, Section 2 2: 2022 Security Breach Legislation

Redaction is the permanent removal of sensitive data—the digital equivalent of “blacking out” text in printed material. Redaction can be accomplished by simply deleting characters from a file or database record, or by replacing characters with asterisks or other placeholders. Redaction is often used to protect personal information, such as names, addresses, social security numbers, or financial data, on documents that are disclosed in litigation, such as pleadings, exhibits, or discovery responses. Redaction is required by courts to comply with privacy laws and rules, such as the Federal Rules of Civil Procedure (FRCP), which mandate that parties must redact certain types of personal information from documents filed with the court or produced to the other party. Redaction is also a best practice to minimize the risk of unauthorized access, identity theft, or reputational harm that may result from exposing personal information in litigation. References:

When to redact, or not, disclosable documents in litigation - Stewarts

The approach to redaction – High Court guidance - Lexology

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 3: Federal Privacy Laws and Regulations, Section 3.2: Federal Rules of Civil Procedure (FRCP).

 The Privacy Act allows agencies to exempt certain records from some of its provisions, including the right to disclosure, if the records fall within one of the categories specified in subsections (j) or (k) of the Act. One of these categories is records maintained by an agency or component thereof which performs as its principal function any activity pertaining to the enforcement of criminal laws, including police efforts to prevent, control, or reduce crime or to apprehend criminals, and the activities of prosecutors, courts, correctional, probation, pardon, or parole authorities, and which consists of (A) informationcompiled for the purpose of identifying individual criminal offenders and alleged offenders and consisting only of identifying data and notations of arrests, the nature and disposition of criminal charges, sentencing, confinement, release, and parole and probation status; (B) information compiled for the purpose of a criminal investigation, including reports of informants and investigators, and associated with an identifiable individual; or © reports identifiable to an individual compiled at any stage of the process of enforcement of the criminal laws from arrest or indictment through release from supervision. 5 U.S.C. § 552a (j) (2). Therefore, material reporting investigative efforts pertaining to the enforcement of criminal law falls within this category and can be exempted from the right to disclosure under the Privacy Act. References:

Overview of the Privacy Act: 2020 Edition, Ten Exemptions, subsection (j) (2).

Privacy Act Exemptions, subsection (j) (2).

IAPP CIPP/US Study Guide, page 66.

Access is the privacy concept that grants a consumer the right to view and correct errors on his or her credit report. The Fair Credit Reporting Act (FCRA) gives consumers the right to access their credit reports from the three nationwide credit reporting agencies (Equifax, Experian, and TransUnion) once every 12 months for free. Consumers also have the right to dispute any inaccurate or incomplete information in their credit reports and request that the credit reporting agencies investigate and correct the errors. The FCRA also requires the credit reporting agencies to provide consumers with a notice of their rights and a summary of the dispute process. References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Consumer Privacy, p. 38-39

IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 13

IAPP CIPP/US Exam Blueprint, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 4

According to Section 5 of the FTC Act, self-regulation primarily involves a company’s right to adhere to its industry’s code of conduct. Self-regulation is a process by which an industry or a group of companies voluntarily adopts and enforces standards or guidelines to protect consumers and promote fair competition. The FTC encourages self-regulation as a way to complement its enforcement efforts and address emerging issues in the marketplace. The FTC also monitors self-regulatory programs and may take action against companies that fail to comply with their own codes of conduct or misrepresent their participation in such programs. References:

Federal Trade Commission Act, Section 5 of

Self-Regulation | Federal Trade Commission

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 3, page 79

Nevada’s privacy law, Senate Bill 260 (SB 260), is an amendment to the existing Nevada Revised Statutes (NRS) Chapter 603A that was enacted in June 2021 and will take effect on October 1, 2021. SB 260 expands the scope and definition of “covered information” under NRS 603A to include any information that identifies, relates to, describes, or is capable of being associated with a consumer, such as name, address, email, phone number, social security number, biometric data, geolocation data, and online identifiers. SB 260also grants Nevada consumers the right to opt out of the sale of their covered information by an operator of a website or online service that collects and maintains such information.

Under SB 260, an operator is defined as a person who owns or operates a website or online service for commercial purposes, collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service, and purposefully directs its activities toward Nevada. A sale is defined as the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. However, there are some exceptions to the definition of a sale, such as:

If the consumer has consented to the sale after being provided with clear and conspicuous notice of the sale and the opportunity to opt out.

If the sale is to a person who processes the covered information on behalf of the operator.

If the sale is to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer.

If the sale is to a person for purposes that are consistent with the reasonable expectations of the consumer considering the context in which the consumer provided the covered information to the operator.

If the sale is to a person who is an affiliate of the operator.

If the sale is to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the operator’s assets.

To comply with SB 260, an operator that sells covered information must provide a designated request address through which a consumer may submit a verified request to opt out of the sale. The designated request address may be an email address, a toll-free telephone number, or an Internet website. The operator must respond to the verified request within 60 days, and may extend the response period for an additional 30 days if reasonably necessary. The operator must also provide a notice to the consumer that identifies the categories of covered information that the operator collects and the categories of third parties to whom the operator may disclose the covered information.

Therefore, the best privacy compliance step for SuperMart to comply with SB 260 is to provide a mechanism for consumers to opt out of sales, as this is the core requirement of the law. Option A is the correct answer.

Option B is incorrect, as SB 260 does not grant consumers the right to access or delete their covered information, unlike other state privacy laws such as the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA).

Option C is incorrect, as SB 260 does not require operators to provide a notice of financial incentive for any loyalty programs offered to their customers, unlike the CCPA.

Option D is incorrect, as SB 260 does not impose service provider restrictions on the vendors of the operators, unlike the CCPA or the VCDPA.

References:

[IAPP CIPP/US Study Guide], Chapter 10: State Data Security Laws, pp. 229-230.

CIPP/US Practice Questions (Sample Questions), Question 33.

The false statement regarding the provisions of the EPPA is C. Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits. The EPPA does not regulate psychological testing, only polygraph testing. Psychological testing is a broad term that covers various types of assessments that measure cognitive abilities, personality traits, interests, values, and skills. Employers may use psychological testing for various purposes, such as hiring, promotion, training, or development, as long as they comply with other laws and regulations, such as the Americans with Disabilities Act (ADA), the Equal Employment Opportunity Commission (EEOC) guidelines, and the Uniform Guidelines on Employee Selection Procedures. However, employers should be careful to ensure that thepsychological tests they use are valid, reliable, job-related, and nondiscriminatory, and that they respect the privacy and dignity of the test takers. References:

[IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 115-116.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 2: Employee Polygraph Protection Act.

IAPP CIPP/US Practice Questions, Question 142.

Janice’s first draft of the privacy policy may be too restrictive and impractical for Fitness Coach, Inc. to follow, given the nature of its business and the expectations of its customers. By limiting the retention of personal information to one year and requiring written consent for any third-party sharing, the policy may create operational challenges and customer dissatisfaction. For example, customers may want to resume their fitness programs after a long hiatus and expect the company to have their previous records and preferences. Similarly, third-party contractors may need access to customer information to provide better services and tailor their classes. If the company fails to adhere to its own privacy policy, it may face legal consequences, reputational damage, and loss of trust from its customers. Therefore, the company should adopt a more realistic and flexible privacy policy that balances its business needs and its customers’ privacy rights. References:

Privacy Policy for Health Coaches

Privacy Policies for Online Coaches

Privacy Policy - Coaching.com

The CCPA grants California residents the right to request that a business delete, disclose, or stop selling their personal information, but it does not grant them the right to request that a business correct their personal information. However, the CPRA, which will amend and expand the CCPA in 2023, will grant California residents the right to request that a business correct inaccurate personal information. References: CCPA, CPRA, IAPP CIPP/US Study Guide (p. 62)

 Employers have a duty to protect the personal information of their current and former employees, as well as applicants, from unauthorized access, use, or disclosure. This duty may arise from federal or state laws, such as the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA), or from contractual obligations, such as non-disclosure agreements or privacy policies. Employers may retain sensitive employment records, such as performance evaluations, disciplinary actions, medical records, or background checks, for a legitimate business purpose, such as complying with legal requirements, defending against lawsuits, or conducting audits. However, employers must ensure that these records are stored securely, accessed only by authorized personnel, and disposed of properly when no longer needed. References: IAPP CIPP/US Study Guide, Chapter 4, Section 4.1.1, IAPP CIPP/US Body of Knowledge, Domain IV, Objective B

The UK company can ensure an adequate level of data protection for the restricted data transfer to the US parent company by using the EU Standard Contractual Clauses (SCCs), which are contractual terms that provide safeguards for personal data transferred from the UK to third countries. The UK GDPR recognizes the validity of the EU SCCs adopted before the end of the Brexit transition period, and allows the UK Information Commissioner’s Office (ICO) to issue new SCCs in the future. The other options are not correct because:

A. Signing up to an approved code of conduct under the UK GDPR is not sufficient to ensure an adequate level of data protection for restricted transfers, as it is not a transfer mechanism on its own. The UK company would still need to use another appropriate safeguard, such as SCCs or Binding Corporate Rules (BCRs), to transfer personal data to the US parent company.

C. Submitting a new application for the UK BCRs is not necessary, as the UK GDPR recognizes the existing authorized EU BCRs as valid for restricted transfers from the UK. The UK company can continue to rely on its EU BCRs, as long as they are updated to reflect the UK GDPR requirements and the role of the ICO as the competent supervisory authority.

D. Allowing each employee the option to opt-out to the restricted transfer is not a valid transfer mechanism under the UK GDPR, as it does not provide adequate safeguards for the personal data of the employees. The UK company would need to obtain the explicit consent of each employee for the restricted transfer, which must be freely given, specific, informed, and unambiguous. References:

UK GDPR, Chapter V, Article 46

UK GDPR, Chapter V, Article 47

UK GDPR, Chapter V, Article 49

ICO guidance on international transfers

IAPP CIPP/US Study Guide, Chapter 10, Section 10.3.2

The Privacy Protection Act of 1980 (PPA) is a federal law that protects journalists and newsrooms from search and seizure by government officials in connection with criminal investigations or prosecutions. The PPA prohibits the government from searching for or seizing any work product materials or documentary materials possessed by a person who intends to disseminate them to the public through a newspaper, book, broadcast, or other similar form of public communication, unless certain exceptions apply. The PPA was drafted in response to the Supreme Court’s decision in Zurcher v. Stanford Daily, which upheld the constitutionality of a police search of a student newspaper’s office without a subpoena, based on probable cause that the newspaper had evidence of a crime. The PPA was intended to protect the First Amendment rights of the press and the privacy interests of journalists and their sources from unreasonable government intrusion123. References:

1: IAPP, Privacy Protection Act of 1980, https://epic.org/the-privacy-protection-act-of-1980/

2: DOJ, Privacy Protection Act of 1980, https://www.justice.gov/archives/jm/criminal-resource-manual-661-privacy-protection-act-1980

3: Wikipedia, Privacy Protection Act of 1980, https://en.wikipedia.org/wiki/Privacy_Protection_Act_of_1980

The Consumer Privacy Bill of Rights is a set of principles proposed by the Obama administration in 2012 to protect the privacy of consumers online and offline. The principles are based on the Fair Information Practice Principles, which are widely accepted as the foundation of privacy protection. One of the principles is the right to reasonable limits on the personal data that a company retains, which means that companies should collect and keep only the personal data they need for legitimate purposes, and dispose of it securely when it is no longer needed. This principle would best reform the company’s privacy program in the scenario, as it would address the major concerns that Roberta identified in her report, such as the lack of rules and procedures for purging and destroying outdated data, and the excessive access to customer information by low-level employees. By implementing reasonable limits on the personal data that the company retains, the company would reduce the risk of data breaches, enhance customer trust, and comply with state breach notification laws. References:

Fact Sheet: Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to U.S. Privacy Law, Section 1.2: The Consumer Privacy Bill of Rights

 The European approach to privacy is based on the recognition of privacy as a fundamental human right that requires strong legal protection and oversight. The EU has adopted comprehensive and binding privacy laws, such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive, that apply to all sectors and activities involving personal data. The EU also has independent data protection authorities (DPAs) that monitor and enforce compliance with the privacy laws, and a European Data Protection Board (EDPB)that issues guidance and opinions on privacy matters. The EU also requires adequate levels of privacy protection for personal data transferred to third countries or international organizations.

In contrast, the U.S. approach to privacy is based on a sectoral and self-regulatory model that relies on a combination of federal and state laws, industry codes of conduct, consumer education, and market forces. The U.S. does not have a single, comprehensive, and enforceable federal privacy law that covers all sectors and activities involving personal data. Instead, the U.S. has a patchwork of federal and state laws that address specific issues or sectors, such as health, financial, children’s, and electronic communications privacy. The U.S. also has various federal and state agencies that share jurisdiction over privacy matters, such as the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and the Department of Health and Human Services (HHS). The U.S. also relies on self-regulation by industries that develop and adhere to voluntary codes of conduct, standards, and best practices for privacy. The U.S. also allows personal data to be transferred to third countries or international organizations without requiring adequate levels of privacy protection, as long as the data subjects have given their consent or the transfer is covered by a mechanism such as the Privacy Shield or the Standard Contractual Clauses.

Some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices because they believe that self-regulation is not effective, consistent, or accountable enough to protect the rights and interests of data subjects. They argue that self-regulation may not provide sufficient incentives or sanctions for industries to comply with privacy rules, or to adopt privacy-enhancing technologies and practices. They also contend that self-regulation may not reflect the views and expectations of data subjects, or address the emerging and complex privacy challenges posed by new technologies and business models. They also question the transparency and legitimacy of self-regulation, and the ability of data subjects to exercise their rights and seek redress for privacy violations. References:

IAPP CIPP/US Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, pp. 9-10, 16-17

IAPP website, CIPP/US Certification

NICCS website, Certified Information Privacy Professional/United States (CIPP/US) Training

The state UDAP statute, which stands for Unfair and Deceptive Acts and Practices, is a law that protects consumers from unfair or deceptive business practices. In this case, the employer’s failure to protect the employee’s personal information from a phishing attack could be considered an unfair or deceptive act or practice that harmed the employee. The employee could sue the employer under the state UDAP statute for damages, injunctive relief, or other remedies. The other options are not relevant to this scenario, as they deal with different aspects of data protection, such as confidentiality, access, or destruction of personal information. References:

[IAPP CIPP/US Study Guide], Chapter 8, Section 8.3.1, page 227

IAPP CIPP/US Practice Questions, Question 153, page 13

A consent decree is a settlement agreement between the FTC and a company that has engaged in unfair or deceptive privacy practices. A consent decreetypically requires the company to stop the unlawful conduct, implement remedial measures, pay a civil penalty, and submit to ongoing monitoring and reporting. A consent decree benefits both parties involved because it spares the expense of going to trial, which can be costly, time-consuming, and uncertain. A consent decree also allows the parties to negotiate the terms of the settlement, rather than having a court impose a judgment. A consent decree does not admit liability or wrongdoing by the company, but it has the force of law and can be enforced by the FTC or the courts if the company violates its terms. References:

IAPP CIPP/US Body of Knowledge, Section I.A.1.a

IAPP CIPP/US Textbook, Chapter 1, pp. 10-11

FTC Consent Decrees

Unlike many other countries, the United States does not have a comprehensive federal law that regulates the privacy of private-sector employees. Instead, the privacy protection of employees depends largely on state law, contract law, and tort law. State law may provide specific rights and remedies for employees regarding issues such as drug testing, background checks, electronic monitoring, social media access, and genetic information. Contract law may create obligations and expectations for employers and employees based on written or implied agreements, such as employment contracts, employee handbooks, or collective bargaining agreements. Tort law may allow employees to sue their employers for invasion of privacy, such as intrusion upon seclusion, public disclosure of private facts, false light, or appropriation of name or likeness. The other options are less likely to provide privacy protection to private-sector employees in the United States. The FTC Act primarily regulates the privacy practices of businesses that collect and use consumer data, not employee data. The U.S. Constitution only protects individuals from unreasonable searches and seizures by the government, not by private employers. The HHS only enforces the HIPAA Privacy Rule, which applies to covered entities and business associates that handle protected health information, not to all private-sector employers. References:

IAPP CIPP/US Study Guide, Chapter 6: Workplace Privacy

Privacy Rights of Employees Using Workplace Computers in the United States

Employee Privacy Laws

The CCPA provides consumers with a private right of action to pursue statutory damages following data security breaches that impact certain sensitive categories of personal information and are caused by a business’s failure to institute reasonable and appropriate security. The CCPA defines personal information for this purpose as an individual’s name in combination with any of the following: social security number, driver’s license number, account number, credit or debit card number, medical information, or health insurance information. The CCPA allows consumers to seek damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. The CCPA also requires consumers to provide the business with 30 days’ written notice and an opportunity to cure the violation before initiating an action. Additionally, the CCPA requires consumers to notify the Attorney General within 30 days of filing the action and obtain the Attorney General’s approval or nonobjection before proceeding with the action. Therefore, John can sue the corporation for the data breach to recover monetary damages suffered as a result of the data breach, and in some circumstances seek statutory damages irrespective of whether he suffered any financial harm, as long as he meets the requirements of the CCPA. References:

CCPA Provides Private Right of Action for Data Security Breaches

CCPA Private Right of Action – Data Breach Security Requirement

CCPA Fines & Penalties for Data Protection Violations | MatrixPoint

According to the Family Educational Rights and Privacy Act (FERPA), a policy of “no consumer choice” or “no option” means that an educational agency or institution may disclose personally identifiable information (PII) from education records without the prior written consent of the parent or eligible student, subject to certain conditions and exceptions1. One of the exceptions is when the disclosure is to comply with a judicial order or lawfully issued subpoena, or to respond to an ex parte order from the Attorney General of the United States or his designee in connection with the investigation or prosecution of terrorism crimes12. In such cases, the educational agency or institution must make a reasonable effort to notify the parent or eligible student of the order or subpoena in advance of compliance, unless the order or subpoena specifies not to do so12. Therefore, when a customer’s financial information, which may be part of the education records, is requested by the government under a valid legal authority, the customer does not have the option to prevent the disclosure and the educational agency or institution does not need to obtain the customer’s consent. References: 1: FERPA, 34 CFR Part 99, Subpart D, 2. 2: The Family Educational Rights and Privacy Act Guidance for Parents, Student Privacy Policy Office, U.S. Department of Education, 1.

The Consumer Financial Protection Bureau (CFPB) has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA), as well as other consumer financial laws. The Dodd-Frank Act, enacted in 2010, transferred most of the rulemaking responsibilities added to the FCRA by the FACTA and the Credit CARD Act from the Federal Trade Commission (FTC) to the CFPB. However, the FTC retains its enforcement authority for the FCRA and the FACTA, along with other federal and state agencies1. The CFPB also shares rulemaking authority for some provisions of the FACTA with the FTC, such as the identity theft red flags and address discrepancy rules2. The Department of Commerce and the State Attorneys General do not have rulemaking authority for the FCRA or the FACTA. References: 1: FTC3, Fair Credit Reporting Act; 2: CFPB4, Fair Credit Reporting Act; 3: FTC; 4: CFPB.

Section 5 of the Federal Trade Commission Act (FTC Act) prohibits “unfair or deceptive acts or practices in or affecting commerce.”1 This prohibition applies to all persons engaged in commerce, including banks, but also exempts some entities, such as nonprofit organizations and common carriers, from FTC jurisdiction.2 Therefore, among the four options, only an online merchant’s free shipping offer would be subject to the requirements of Section 5, as it involves a commercial activity thatcould potentially mislead or harm consumers. For example, if the online merchant fails to disclose the terms and conditions of the offer, or charges hidden fees, or delivers the products late or damaged, it could violate Section 5 by engaging in a deceptive practice.3 References: 1: Section 5 | Federal Trade Commission 2: Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices, page 13: IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 23.

Implied consent is a form of consent that is inferred from the actions or inactions of the data subject, rather than explicitly expressed by the data subject1.

Implied consent is generally considered a valid basis for processing personal data under certain circumstances, such as when the processing is necessary for the performance of a contract, the legitimate interests of the data controller, or the reasonable expectations of the data subject2.

However, implied consent may not be sufficient for processing sensitive personal data, such as health, biometric, or genetic data, or for sending marketing communications, depending on the applicable laws and regulations2.

In the U.S., there is no comprehensive federal privacy law that regulates the use of implied consent for data processing, but there are sector-specific laws and state laws that may impose different requirements and limitations3.

Based on the scenarios given in the question, the situation that is most likely to involve a company operating under the assumption of implied consent is A. An employer contacts the professional references provided on an applicant’s resume.

This is because the employer may reasonably infer that the applicant has consented to the contact of the references by voluntarily providing their information on the resume, and that the contact is necessary for the legitimate interest of the employer to verify the applicant’s qualifications and suitability for the job4.

The other situations may not involve implied consent, but rather require explicit consent or provide opt-out options for the data subjects, depending on the type and purpose of the data processing and the relevant laws and regulations5 . For example:

B. An online retailer subscribes new customers to an e-mail list by default. This may violate the CAN-SPAM Act, which requires online marketers to obtain affirmative consent from the recipients before sending commercial e-mail messages, and to provide a clear and conspicuous opt-out mechanism in every message5.

C. A landlord uses the information on a completed rental application to run a credit report. This may violate the Fair Credit Reporting Act, which requires landlords to obtain written authorization from the applicants before obtaining their consumer reports, and to provide them with a copy of the report and a summary of their rights if they take any adverse action based on the report.

D. A retail clerk asks a customer to provide a zip code at the check-out counter. This may violate the California Song-Beverly Credit Card Act, which prohibits retailers fromrequesting and recording personal identification information from customers who pay with a credit card, unless the information is necessary for a special purpose, such as shipping or fraud prevention.

References: 1: Implied Consent 2: Consent 3: U.S. Private-Sector Privacy (CIPP/US) 4: [Reference Checks: Tips for Job Applicants and Employers] 5: [CAN-SPAM Act: A Compliance Guide for Business] : [Using Consumer Reports: What Landlords Need to Know] : [California Song-Beverly Credit Card Act] : [Reference Checks: Tips for Job Applicants and Employers] : [CAN-SPAM Act: A Compliance Guide for Business] : [Using Consumer Reports: What Landlords Need to Know] : [California Song-Beverly Credit Card Act]

The CAN-SPAM Act is a federal law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations1. The main purpose of the act is to protect consumers from unwanted and deceptive email messages and to give them more control over their online privacy2. The act applies to all commercial messages, which are defined as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service"1. The act does not apply to transactional or relationship messages, which are messages that facilitate an agreed-upon transaction or update a customer about an existing business relationship1. The act also does not apply to non-commercial messages, such as political or charitable solicitations3. References: 1: CAN-SPAM Act: A Compliance Guide for Business2: What is the CAN-SPAM Act? | Proton3: What is the CAN-SPAM Act? | Cloudflare

The Fair and Accurate Credit Transactions Act (FACTA) is an amendment to the Fair Credit Reporting Act (FCRA) that was enacted in 2003. FACTA aims to enhance consumer protection against identity theft and fraud by requiring various measures, such as free annual credit reports, fraud alerts, and identity theft prevention programs. One of the consumer protections that FACTA requires is the truncation of account numbers on credit card receipts. This means that only the last four or five digits of the account number can be printed on the receipt, while the rest must be masked or deleted. This reduces the risk of unauthorized access or use of the account number by third parties who may obtain the receipt. References:

IAPP CIPP/US Body of Knowledge, Section III, B, 1

[IAPP CIPP/US Study Guide, Chapter 3, Section 3.2]

[FACTA, Section 113]

The Consumer Privacy Bill of Rights is a set of principles that the Obama administration proposed in 2012 to guide the development of privacy legislation and policies in the United States. The report that introduced the bill of rights stated that it was "generally based on the widely accepted Fair Information Practice Principles (FIPPs)"1, which are a set of standards that originated in the 1970s and have influenced many privacy laws and frameworks around the world. The FIPPs include concepts such as individual control, transparency, security, accountability, and data minimization2. The Consumer Privacy Bill of Rights adapted and expanded these principles to address the challenges and opportunities of the digital economy1. References: 1: Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy2, page 92: IAPP CIPP/US Certified Information Privacy Professional Study Guide3, page 17.

The Federal Trade Commission (FTC) issued its 2012 report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”1, which outlined a framework for privacy protection based on three main principles: privacy by design, simplified consumer choice, and greater transparency. The report also identified five priority areas for the FTC’s privacy enforcement and policy efforts, which were:

Data brokers

Large platform providers

Mobile

Promoting enforceable self-regulatory codes

International data transfers

Do Not Track was not one of the five priority areas, but rather a specific mechanism for implementing the principle of simplified consumer choice. The report endorsed the development of a Do Not Track system that would allow consumers to opt out of online behavioral advertising across websites and platforms1. The report also noted the progress made by various stakeholders, such as the World Wide Web Consortium (W3C), the Digital Advertising Alliance (DAA), and browser companies, in advancing the Do Not Track initiative1. References: 1: Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012), available at 1.

 According to the web search results from my predefined tool, Vermont became the first state to pass a law specifically regulating the practices of data brokers in 2018. The law defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” The law requires data brokers to register with the Secretary of State, pay a registration fee, provide information about their data collection and opt-out practices, and implement security measures to protect the personal information they collect and sell. The law also imposes additional obligations on data brokers that possess the personal information of minors. The law aims to increase the transparency and accountability of the data broker industry and to protect the privacy rights of consumers12. References:

Registered Data Brokers in the United States: 2021 | Privacy Rights …

Am I A Data Broker?: A Quick Primer on State Laws Regulating a … - Taft

 According to FERPA, a school may disclose personally identifiable information (PII) from an eligible student’s education records without consent if the disclosure meets one of the exceptions in 34 CFR § 99.31. One of these exceptions is for disclosures to other schools to which a student seeks or intends to enroll, or is already enrolled if the disclosure is for purposes related to the student’s enrollment or transfer (34 CFR § 99.31(a)(2)). This exception allows schools to disclose transcripts, recommendations, or other information that may facilitate the student’s admission or enrollment at another school. However, the school must make a reasonable attempt to notify the student of the disclosure, unless the student initiated the disclosure, and must provide the student with a copy of the records that were disclosed upon request (34 CFR § 99.34(a)(1)). References: https://studentprivacy.ed.gov/ferpa

https://studentprivacy.ed.gov/ferpa

 The CCPA applies to any business that collects personal information of California residents, regardless of where the business is located1. The CCPA defines personal information broadly as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household2. This could include business contact information, such as name, email address, phone number, or job title, if it is linked to a specific individual3. Therefore, Otto should tell the Board that business contact information could be considered personal information governed by CCPA, and that the company may need to comply with the CCPA requirements, such as providing notice, honoring consumer rights requests, and implementing reasonable security measures4. References:

CIPP/US Practice Questions (Sample Questions), Question 124, Answer C, Explanation C.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6, Section 6.2, p. 181-182.

California Consumer Privacy Act (CCPA), Section 1798.140, Subsection (o).

CCPA Compliance Checklist for Businesses, Section 2, Subsection (a).

The lawsuit, filed in 2014, claimed that Google violated the federal and state wiretap and privacy laws by scanning and indexing the emails of millions of students who used its Apps for Education suite, which included Gmail as a key feature12. The plaintiffs alleged that Google used the information from the scans to build profiles of students that could be used for targeted advertising or other commercial purposes, without their consent or knowledge12. The lawsuit also challenged Google’s argument that the students consented to the scans when they first logged in to their accounts, saying that such consent was not valid under FERPA, which requires written consent for any disclosure of education records12. Google denied the allegations and argued that the scans were necessary for providing security, spam protection, and other functionality to the users12. The case was settled in 2016, with Google agreeing to change some of its practices and policies regarding the scanning of student emails3. References: 1: Lawsuit Alleges That Google Has Crossed A ‘Creepy Line’ With Student Data, Huffington Post, 1. 2: Google faces lawsuit over email scanning and student data, The Guardian, 2. 3: Google data case to be heard in Supreme Court, BBC, 3.

A private right of action is a legal provision that grants individuals the ability to bring a lawsuit against a party that has wronged them and to seek redress for the harm that they have suffered. A private right of action is a fundamental component of the U.S. judicial system and an essential element of enforcingprivacy rights. Privacy advocates argue that a private right of action is necessary to hold perpetrators of privacy violations accountable and to address the limitations of the FTC’s enforcement authority. However, businesses are concerned that a private right of action would lead to a proliferation of frivolous lawsuits that would burden responsible data processors and impede innovation. References:

U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 2, Section 2.3.3, pp. 35-36.

How to end the deadlock on the private right of action by Paula Bruening, IAPP Privacy Perspectives, Jan 20, 2022.

Private Right of Action (Legal Definition & Examples) by Lawrina, accessed on Jan 25, 2022.

According to the web search results from my predefined tool, Florida is the only state among the four options that currently imposes a definite limit for notification to affected individuals in case of a data breach. Florida’s law requires that notice be provided within 30 days after determination of the breach or reason to believe a breach occurred, unless delayed by law enforcement or measures to determine the scope of the breach and restore the integrity of the system1. The other states have more flexible or vague terms for the notification timeframe, such as “as soon as practicable” (Maine), “in the most expedient time possible and without unreasonable delay” (New York), or “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement” (California)2. References:

Security Breach Notification Chart | Perkins Coie

State Data Breach Notification Chart - International Association of …

 Declan might directly violate the HIPAA Privacy Rule by using John’s name and personal health information (PHI) in his paper without his written authorization. The Privacy Rule protects the confidentiality of PHI that is created, received, maintained, or transmitted by a covered entity or its business associate. PHI includes any information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual1. Declan, as a nursing assistant, is part of the covered entity’s workforce and must comply with the Privacy Rule. He cannot disclose John’s PHI to anyone, including his classmates or instructors, without John’s authorization or a valid exception under the Privacy Rule. Even if he does not use John’s full name, hemay still reveal enough information to make John identifiable, such as his diagnosis, his father’s condition, or his location. This would be an impermissible use and disclosure of PHI, and a potential HIPAA violation. Declan should either obtain John’s written authorization to use his PHI in his paper, or de-identify the information according to the Privacy Rule’s standards2. References:

Summary of the HIPAA Privacy Rule

Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

The Department of Commerce (DOC) plays a role in privacy policy by promoting the development and adoption of voluntary codes of conduct, standards, and best practices for the private sector, as well as facilitating cross-border data transfers through mechanisms such as the EU-U.S. Privacy Shield and the APEC Cross-Border Privacy Rules. However, the DOC does not have regulatory authority to enforce privacy laws or impose sanctions for privacy violations. The other agencies listed have some degree of regulatory authority over privacy issues within their respective domains. For example, the Office of the Comptroller of the Currency (OCC) supervises national banks and federal savings associations and enforces the GLBA privacy and security rules for these institutions. The Federal Communications Commission (FCC) regulates interstate and international communications and enforces the privacy and security rules for telecommunications carriers, broadband providers, and voice over internet protocol (VoIP) services. The Department of Transportation (DOT) oversees the transportation sector and enforces the privacy and security rules for airlines, travel agents, and other covered entities under the Aviation and Transportation Security Act (ATSA). References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, Section 1.3: Federal Agencies with a Role in Privacy, p. 18-19

IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B: Identify the major federal agencies with a role in privacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 7

IAPP CIPP/US Exam Blueprint, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B: Identify the major federal agencies with a role in privacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 3

 According to the Privacy Shield Framework, an organization that transfers personal data to a third party acting as an agent must ensure that the agent does all of the following1:

Uses the transferred data only for limited and specified purposes;

Provides the same level of privacy protection as is required by the Privacy Shield Principles;

Takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;

Requires the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;

Upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and

Provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.

Therefore, the only option that is not required by the Privacy Shield Framework is D. Enters a contract with the organization that states the third party will process data according to the consent agreement. While the organization must obtain the individual’s consent for certain types of data transfers, such as those involving sensitive data or onward transfers to controllers, the organization does not have to include the consent agreement in the contract with the agent. The contract must, however, ensure that the agent will process the data in accordance with the individual’s choices and expectations, as well as the Privacy Shield Principles2.

References: 1: Privacy Shield Framework3, Section 3 (b); 2: Privacy Shield Framework3, Section 2 (b) and ©; 3: Privacy Shield Framework.

In the United States, there is no comprehensive federal law that regulates employee monitoring in the private sector. Instead, there are various federal and state laws that address specific aspects of monitoring, such as electronic communications, video surveillance, GPS tracking, and biometric data. Generally, these laws provide more protection for employees’ privacy when they are using their own devices or personal accounts, or when they are outside of work hours or premises. However, when employees are using company-owned devices or accounts, or when they are performing work-related tasks, employers have broad authority to monitor their activities, as long as they have a legitimate business interest and do not violate any specific laws. Employers are also advised to inform employees of their monitoring practices and obtain their consent, either explicitly or implicitly, to avoid potential legal disputes or employee backlash123 References: https://www.jibble.io/article/us-employee-monitoring

https://www.worktime.com/most-asked-questions-on-us-employee-monitoring-laws

Under the GDPR, the complainant’s request regarding her personal information is known as the right to be forgotten, also known as the right to erasure. This right allows individuals to ask organizations to delete their personal data in certain circumstances, such as when the data is no longer necessary, the consent is withdrawn, or the processing is unlawful. The right to be forgotten is not absolute and may not apply if the processing is necessary for legal, public interest, or legitimate purposes. The right to be forgotten also requires organizations to inform any recipients of the data about the erasure request, unless it is impossible or involves disproportionate effort. References:

Everything you need to know about the “Right to be forgotten”

Right to erasure | ICO

Art. 17 GDPR – Right to erasure (‘right to be forgotten’) - General …

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.

Cheryl’s suggested method of communicating the new privacy policy by creating documents listing applicable parts of the new policy for each department and implementing it gradually over several months may create confusion and inconsistency among employees and customers. Different departments may have different interpretations and expectations of the policy, and customers may not be aware of the changes or their rights under the policy. This may lead to errors, complaints, and violations of the policy and the applicable laws. A better approach would be to communicate the policy in full to all employees and customers at once, and provide training and guidance on how to comply with it. The policy should also be easily accessible and updated on the company’s website and other channels. References:

Privacy Policy for Health Coaches

Privacy Policies for Online Coaches

Privacy Policy - Coaching.com

The Massachusetts Personal Information Security Regulation (201 CMR 17.00) requires that any person or entity that owns or licenses personal information of Massachusetts residents must implement and maintain a comprehensive written information security program that includes administrative, technical, and physical safeguards to protect such information. One of the technical requirements of the regulation is to encrypt all personal information of Massachusetts residents that is stored on laptops or other portable devices, regardless of where the equipment is located12. The regulation defines personal information as a person’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such person: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or © financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account1. The regulation also requires encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly1. References:

Regulation 201 CMR 17.00: Standards for the Protection of Personal Information of MA Residents

Massachusetts Law Raises the Bar for Data Security

HIPAA requires covered entities, such as hospitals, to enter into contracts with their business associates, such as billing companies, that access, use, or disclose protected health information (PHI). These contracts, known as business associate agreements (BAAs), must specify the permitted and required uses and disclosures of PHI by the business associate, as well as the safeguards, reporting, and termination procedures that the business associate must follow to protect the privacy and security of PHI. By having these contracts in place, the hospital can ensure that the billing company is complying with HIPAA and observing the minimum security standards required by law. References:

HIPAA Rules for Medical Billing - Compliancy Group

HIPAA Compliance for Billing Companies: Easy Guide - iFax

The FTC alleged that Google violated its own privacy policies, engaged in deceptive trade practices, and failed to comply with Safe Harbor principles when it launched Google Buzz, a social networking service that automatically enrolled Gmail users and exposed their email contacts and other personal information without their consent or control. The FTC did not allege that Google failed to employ sufficient security safeguards, although it did require Google to implement a comprehensive privacy program and submit to regular privacy audits as part of the settlement. The other statements are incorrect because:

A. Violated its own privacy policies: The FTC alleged that Google violated its own privacy policies by using information collected from Gmail users for a purpose that wasincompatible with the purpose for which the information was collected, without obtaining their affirmative consent. Google’s privacy policy stated that "When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use."1

B. Engaged in deceptive trade practices: The FTC alleged that Google engaged in deceptive trade practices by misrepresenting the extent to which consumers could exercise control over the collection, use, and sharing of their personal information through Google Buzz. For example, Google offered consumers the option to decline or turn off Google Buzz, but the option was ineffective and did not fully remove the consumer from the social network. Google also misled consumers about how their email contacts would be treated on Google Buzz, and failed to disclose that certain information, such as the user’s frequent email contacts, would be made public by default.1

C. Failed to comply with Safe Harbor principles: The FTC alleged that Google failed to comply with the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data from the European Union to the United States in a way that meets EU data protection requirements. Google had self-certified to the Department of Commerce that it adhered to the Safe Harbor Privacy Principles, which include notice, choice, access, and enforcement. The FTC alleged that Google’s conduct violated the notice and choice principles, as well as the requirement to adhere to the Safe Harbor FAQs.1 References: FTC Charges Deceptive Privacy Practices in Google’s Rollout of Its Buzz Social Network, Google, Inc., In the Matter of, Google settles with FTC over Buzz; Privacy policies to be audited for two decades, Google Settles FTC Complaint over Google Buzz Privacy

 According to the IAPP CIPP/US Study Guide, more than half of U.S. states require telemarketers to register with the state before conducting business within the state. This registration requirement may involve paying a fee, posting a bond, or providing information about the telemarketer’s identity, location, and business practices. The purpose of this requirement is to protect consumers from fraudulent or deceptive telemarketing calls and to facilitate the enforcement of state laws and regulations. The other options are not required by most states, although some states may have additional rules or guidelines for telemarketers regarding identification, consent, or contracts. References:

IAPP CIPP/US Study Guide, Chapter 7: Marketing and Advertising

State Telemarketing Registration Requirements

Phishing is a form of social engineering that involves sending fraudulent emails or other messages that appear to come from a legitimate source, but are designed to trick recipients into revealing sensitive information, such aspasswords, account numbers, or personal identifiers1. Phishing is one of the most common and effective methods of cyberattacks, and it can lead to data breaches, identity theft, ransomware infections, or other serious consequences2. Therefore, training on how to recognize and avoid phishing attempts is crucial for any organization that handles sensitive data, especially ePHI, which is subject to strict regulations under HIPAA3. Training on techniques for identifying phishing attempts can help employees to spot the signs of a phishing email, such as:

Sender’s address or domain name that does not match the expected source or contains spelling errors4

Generic salutations or impersonal tone that do not address the recipient by name or use proper grammar4

Urgent or threatening language that creates a sense of pressure or fear and asks the recipient to take immediate action, such as clicking on a link, opening an attachment, or providing information4

Suspicious links or attachments that may contain malware or lead to fake websites that mimic the appearance of a legitimate site, but have a different URL or request login credentials or other data4

Requests for sensitive information that are unusual or out of context, such as asking for passwords, account numbers, or personal identifiers that the sender should already have or should not need4

Training on techniques for identifying phishing attempts can also help employees to learn how to respond to a phishing email, such as:

Not clicking on any links or opening any attachments in the email4

Not replying to the email or providing any information to the sender4

Reporting the email to the IT department or security team and deleting it from the inbox4

Verifying the legitimacy of the email by contacting the sender directly using a different channel, such as phone or another email address4

Updating the antivirus software and scanning the device for any malware infection4

Training on techniques for identifying phishing attempts is the most effective kind of training that CloudHealth could have given its employees to help prevent this type of data breach, because it would have enabled them to recognize the phishing email that compromised the PHI of more than 10,000 HealthCo patients, and to avoid falling victim to it. Training on the terms of the contractual agreement with HealthCo, the difference between confidential and non-public information, or CloudHealth’s HR policy regarding the role of employees involved in data breaches, while important, would not have been as effective in preventing this specific type of data breach, because they would not have addressed the root cause of the breach, which was the phishing email.

References:

1: IAPP, Phishing, https://iapp.org/resources/glossary/phishing/

2: SpinOne, The Top 5 Phishing Awareness Training Providers 2023, https://spinbackup.com/blog/phishing-awareness-training-best-providers/

3: IAPP, HIPAA, https://iapp.org/resources/glossary/hipaa/

4: Expert Insights, The Top 11 Phishing Awareness Training and Simulation Solutions, https://expertinsights.com/insights/the-top-11-phishing-awareness-training-and-simulation-solutions/

The HIPAA Security Rule requires covered entities and their business associates to implement three types of safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI): administrative, physical, and technical1. Security safeguards is not a separate category of safeguards, but rather a general term that encompasses all three types. Therefore, it is not a correct answer to the question.

Administrative safeguards are the policies and procedures that govern the conduct of the workforce and the security measures put in place to protect ePHI. They include risk analysis and management, training, contingency planning, incident response, and evaluation12.

Physical safeguards are the locks, doors, cameras, and other physical measures that prevent unauthorized access to ePHI. They include workstation and device security, locks and keys, and disposal of media12.

Technical safeguards are the software and hardware tools that protect ePHI from unauthorized access, alteration, or destruction. They include access control, encryption, audit controls, integrity controls, and transmission security12.

In the scenario, HealthCo’s actions have potentially violated all three types of safeguards. For example:

HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth’s security measures. This could be a breach of the administrative safeguard of risk analysis and management12.

HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. This could be a breach of the technical safeguard of encryption12.

HealthCo provides its investigative report of the breach and a copy of the PHI of the individuals affected to law enforcement. This could be a breach of the physical safeguard of disposal of media, if HealthCo did not ensure that the media was properly erased or destroyed after the transfer12.

References: 1: Summary of the HIPAA Security Rule, HHS.gov. 2: What is the HIPAA Security Rule? Safeguards … - Secureframe, Secureframe.com.

The Global Privacy Enforcement Network (GPEN) is a network for privacy enforcement authorities (PEAs) to share knowledge, experience and best practices on the practical aspects of privacy enforcement and cooperation. GPEN was created in response to the OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy, which called for member countries to foster the establishment of an informal network of PEAs. GPEN’s main purpose is to facilitate cross-border cooperation and coordination among PEAs, especially in cases involving multiple jurisdictions or regions. GPEN also aims to enhance information sharing, promote awareness and education, and support capacity building among PEAs. References:

Home (public) | Global Privacy Enforcement Network

Global Privacy Enforcement Network - International Association of Privacy Professionals

International Partnerships - Office of the Privacy Commissioner of Canada

Specialised networks – Global Privacy Assembly

Action Plan for the Global Privacy Enforcement Network (GPEN)

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.