Treatise

Proskauer on Privacy: A Guide to Privacy and Data Security Law in the Information Age

by Kristen J Mathews, Proskauer Rose LLP

Copyright: 2006-2014
Last Updated: October 2014

Product Details

  • ISBN Number: 9781402408048
  • Page Count: 568
  • Number of Volumes: 1
  • The purchase of PLI titles may include Basic Upkeep Service, whereby
    supplements, replacement pages and new editions may be shipped
    to you immediately upon publication for a 30-day examination. This
    service is cancelable at any time.

“Resources such as Proskauer on Privacy are invaluable reference tools for the growing ranks of privacy professionals in the marketplace.”
—J. Trevor Hughes, Executive Director, International Association of Privacy Professionals

“A must-have for every professional who has a serious interest in this field, as well as for the newbie who wants to learn the ‘ins and outs’ of privacy from a legal perspective.”
—Doron Rotman, Managing Director, National Privacy Service Leader Advisory, KPMG LLP

Today’s hodgepodge of privacy and data security standards creates greater compliance burdens for corporations, employers, public agencies, and legal advisers.

PLI’s Proskauer on Privacy: A Guide to Privacy and Data Security Law in the Information Age reduces those costly burdens. This comprehensive, one-stop reference covers the laws governing every area where data privacy and security is potentially at risk — including government records, electronic surveillance, the workplace, medical data, financial information, commercial transactions, and online activity, including communications involving children.

Proskauer on Privacy provides essential details on how to develop compliance programs that help your entity satisfy federal and state standards, ensure data privacy and security, prevent cybercrime, and help entities avoid fines, penalties, litigation, damages, and negative publicity. Proskauer on Privacy also examines Europe’s rigorous privacy and data security standards, the laws in Canada, Australia, Japan, China, Hong Kong, India, Russia, and Dubai, as well as legal initiatives in California and other states.

Updated at least once a year, Proskauer on Privacy: A Guide to Privacy and Data Security Law in the Information Age is vital reading for privacy and data security professionals and corporate attorneys, executives, managers, and human resource personnel, as well as for federal and state regulators.

  Preface
  Table of Contents
  Introduction
Chapter 1: A Brief History of Information Privacy Law
  • § 1:1 : Introduction
  • § 1:2 : Colonial America
  • § 1:3 : The Nineteenth Century
    • § 1:3.1 : New Threats to Privacy
      • [A] : The Census and Government Records
      • [B] : The Mail
      • [C] : Telegraph Communications
    • § 1:3.2 : The Fourth and Fifth Amendments
    • § 1:3.3 : Privacy of the Body
    • § 1:3.4 : Warren and Brandeis’s The Right to Privacy
  • § 1:4 : The Twentieth Century
    • § 1:4.1 : 1900 to 1960
      • [A] : Warren and Brandeis’s Privacy Torts
        • [A][1] : Early Recognition
        • [A][2] : William Prosser and the Restatement
          • [A][2][a] : Intrusion upon Seclusion
          • [A][2][b] : Public Disclosure of Private Facts
          • [A][2][c] : False Light
          • [A][2][d] : Appropriation
      • [B] : The Emergence of the Breach of Confidentiality Tort
      • [C] : The Growth of Government Record Systems
      • [D] : The Telephone and Wiretapping
        • [D][1] : The Fourth Amendment: Olmstead v. United States
        • [D][2] : Federal Communications Act Section 605
      • [E] : The FBI and Increasing Domestic Surveillance
      • [F] : Freedom of Association and the McCarthy Era
    • § 1:4.2 : The 1960s and 1970s
      • [A] : New Limits on Government Surveillance
        • [A][1] : Fourth Amendment Resurgence: Katz v. United States
        • [A][2] : Title III of the Omnibus Crime and Control Act of 1968
      • [B] : The Constitutional Right to Privacy
        • [B][1] : Decisional Privacy: Griswold v. Connecticut
        • [B][2] : Information Privacy: Whalen v. Roe
      • [C] : Responses to the Rise of the Computer
        • [C][1] : Burgeoning Interest in Privacy
        • [C][2] : Freedom of Information Act of 1966
        • [C][3] : Fair Information Practices
        • [C][4] : Privacy Act of 1974
        • [C][5] : Family Educational Rights and Privacy Act of 1974
        • [C][6] : Foreign Intelligence Surveillance Act of 1978
      • [D] : Financial Privacy
        • [D][1] : Fair Credit Reporting Act of 1970
        • [D][2] : Bank Secrecy Act of 1970
        • [D][3] : United States v. Miller
        • [D][4] : Right to Financial Privacy Act of 1978
      • [E] : The Retreat from Boyd
      • [F] : The Narrowing of the Fourth Amendment
    • § 1:4.3 : The 1980s
      • [A] : Receding Fourth Amendment Protection
      • [B] : The Growth of Federal Privacy Statutory Protection
        • [B][1] : Privacy Protection Act of 1980
        • [B][2] : Cable Communications Policy Act of 1984
        • [B][3] : Computer Matching and Privacy Protection Act of 1988
        • [B][4] : Employee Polygraph Protection Act of 1988
        • [B][5] : Video Privacy Protection Act of 1988
      • [C] : Electronic Communications Privacy Act of 1986
      • [D] : OECD Guidelines and International Privacy
    • § 1:4.4 : The 1990s
      • [A] : The Internet, Computer Databases, and Privacy
      • [B] : The Continued Growth of Federal Statutory Protection
        • [B][1] : Telephone Consumer Protection Act of 1991
        • [B][2] : Driver’s Privacy Protection Act of 1994
        • [B][3] : Health Insurance Portability and Accountability Act of 1996
        • [B][4] : Children’s Online Privacy Protection Act of 1998
        • [B][5] : The Gramm-Leach-Bliley Act of 1999
      • [C] : The FTC and Privacy Policies
      • [D] : The EU Data Protection Directive
  • § 1:5 : The Twenty-First Century
    • § 1:5.1 : After September 11: Privacy in a World of Terror
      • [A] : The USA PATRIOT Act of 2001
      • [B] : The FISA “Wall”
      • [C] : The Homeland Security Act of 2002
      • [D] : The Intelligence Reform and Terrorism Prevention Act of 2004
      • [E] : The Real ID Act of 2005
      • [F] : NSA Warrantless Surveillance
    • § 1:5.2 : Consumer Privacy
      • [A] : The Fair and Accurate Credit Transactions Act of 2003
      • [B] : The National Do-Not-Call Registry
      • [C] : The CAN-SPAM Act of 2003
      • [D] : Remsburg v. Docusearch
      • [E] : Privacy Policies and Contract Law
      • [F] : Data Security Breaches
  • § 1:6 : Conclusion
Chapter 2: Financial Privacy Law; and Appendices 2A-2B
  • § 2:1 : Summary and Introduction
    • § 2:1.1 : Evolution of Financial Privacy Law Parallels Developments in Computing
  • § 2:2 : Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act
    • § 2:2.1 : Purpose and Background of the Fair Credit Reporting Act
    • § 2:2.2 : Coverage Under the FCRA
      • [A] : Definition of “Consumer” Under the FCRA
      • [B] : Definition of “Consumer Report” Under the FCRA
      • [C] : Definition of “Consumer Reporting Agency” Under the FCRA
    • § 2:2.3 : Permissible Use and Disclosure of Consumer Reports: The Obligation to Protect Against Unauthorized Access or Use of Consumer Information
    • § 2:2.4 : General Procedural Requirements for CRAs Under the FCRA
    • § 2:2.5 : Procedural Requirements for CRAs When Preparing and Issuing Consumer Reports for Employment Purposes
    • § 2:2.6 : Notice and Disclosure Requirements for CRAs Under the FCRA
    • § 2:2.7 : Unique Obligations with Respect to Investigative Consumer Reports
    • § 2:2.8 : Obligations for Users of Consumer Reports Under the FCRA
    • § 2:2.9 : Obligations for Resellers of Consumer Reports Under the FCRA
    • § 2:2.10 : Consumer Rights Under the FCRA to Dispute Information Contained in Consumer Reports
    • § 2:2.11 : Security Requirements of the FCRA Pertaining to Consumer Fraud and Identity Theft
    • § 2:2.12 : Affiliate Marketing Limits Under FACTA
      • [A] : Opt-Out Requirements
      • [B] : Exceptions
      • [C] : Delivery of Opt-Out Notices
      • [D] : Reasonable Opportunity and Means to Opt Out
      • [E] : Duration of Opt-Out
      • [F] : Model Forms and Safe Harbor
    • § 2:2.13 : FACTA’s Identity Theft Red Flags and Notices of Address Discrepancy Rules
      • [A] : Identity Theft Red Flags
      • [B] : Scope of the Red Flag Rules
      • [C] : Examples of Red Flags
      • [D] : Change of Address Requests
      • [E] : Address Discrepancy Notices
    • § 2:2.14 : Preemption of State Law by the FCRA
    • § 2:2.15 : Penalties for Violations of or Noncompliance with the FCRA
  • § 2:3 : Right to Financial Privacy Act
    • § 2:3.1 : Purpose and History of the Right to Financial Privacy Act
    • § 2:3.2 : Procedural Operation of the RFPA
    • § 2:3.3 : Substantive Aspects of the RFPA
    • § 2:3.4 : Interplay with State Statutes
  • § 2:4 : Gramm-Leach-Bliley Act
    • § 2:4.1 : Purpose and History of the Gramm-Leach-Bliley Act
    • § 2:4.2 : Internal Procedures and Systems to Ensure Confidentiality of Information
    • § 2:4.3 : Financial Institution’s Notice Obligations
    • § 2:4.4 : Required Substance of Notice
      • [A] : Parties Who Must Serve Customers with Notice
    • § 2:4.5 : Limitations on Disclosure
      • [A] : Customer Must Opt Out of Third-Party Disclosures
      • [B] : Exceptions to Opt-Out Requirement
    • § 2:4.6 : Enforcement of the GLBA’s Privacy Provisions
    • § 2:4.7 : GLBA’s Relationship to Other Laws
      • [A] : GLBA Does Not Preempt State Laws
      • [B] : GLBA’s Relationship with Other Federal Privacy Statutes
  • § 2:5 : Wall Street Reform and Consumer Protection Act
    • § 2:5.1 : Purpose and Background of Wall Street Reform and Consumer Protection Act
    • § 2:5.2 : Scope of CFPB Authority
    • § 2:5.3 : Powers and Duties of the CFPB
      • [A] : Rulemaking Authority
      • [B] : Evaluation of Existing Standards
      • [C] : Regulation of Unfair, Deceptive, and Abusive Acts or Practices
      • [D] : Examination of Financial Industry Participants
    • § 2:5.4 : Enforcement Authority of the CFPB
  • § 2:6 : Bank Secrecy Act
    • § 2:6.1 : Purpose and Background of the Bank Secrecy Act
    • § 2:6.2 : BSA Requirements
      • [A] : Record Creation, Storage, and Access
      • [B] : Reports of Suspicious Transactions
  • § 2:7 : Freedom of Information Act
    • § 2:7.1 : Background and Overview of FOIA
    • § 2:7.2 : Procedural Aspects of FOIA
    • § 2:7.3 : Protection of Financial Information
      • [A] : Trade Secrets and Commercial or Financial Information
      • [B] : Files Whose Disclosure Would Constitute Unwarranted Invasion of Privacy
      • [C] : Regulation or Supervision of Financial Institutions
  • § 2:8 : Electronic Fund Transfers Act
    • § 2:8.1 : Scope and Application
    • § 2:8.2 : Disclosure Requirements Under EFTA and the Act’s Implementing Regulations
    • § 2:8.3 : Additional EFTA Requirements Relating to Pre-Authorized Fund Transfers
  • § 2:9 : Sarbanes-Oxley Act
  • § 2:10 : State Laws Governing Financial Privacy
    • § 2:10.1 : Introduction
    • § 2:10.2 : State Constitutional Provisions Protecting Financial Privacy
    • § 2:10.3 : Statutory Provisions Protecting Financial Privacy Under State Law
      • [A] : Statutes Specifically Addressing Financial Privacy
      • [B] : General Privacy Statutes Implicating Financial Privacy
      • [C] : Statutes Restricting Access to Employee Credit Reports
      • [D] : State Security Breach Notification Laws
      • [E] : State Laws Implicating Information Security
      • [F] : State Laws Protecting Against Financial Fraud and Identity Theft
    • § 2:10.4 : Common Law Theories Asserted with Regard to Financial Privacy
      • [A] : Implied Contract
      • [B] : General Negligence
      • [C] : Invasion of Privacy
      • [D] : Defamation
  • Appendix 2A : Model Form with No Opt-Out
  • Appendix 2B : Model Form with All Opt-Out
Chapter 3: Medical Privacy
  • § 3:1 : Introduction
  • § 3:2 : HIPAA Administrative Simplification
    • § 3:2.1 : Background
    • § 3:2.2 : Definitions
    • § 3:2.3 : HIPAA Privacy
      • [A] : Basic Rules
      • [B] : Limitations on Sale of PHI
      • [C] : Limitation on Use of PHI for Paid Marketing
    • § 3:2.4 : HIPAA Security: Basic Rules
    • § 3:2.5 : Business Associates
    • § 3:2.6 : HIPAA Security Breach Notification
    • § 3:2.7 : Sanctions for Violations of Privacy and Security Rules
  • § 3:3 : State Law and HIPAA Privacy Preemption
  • § 3:4 : Heightened Protection for Specialized Types of Medical Information
    • § 3:4.1 : Communicable Diseases
      • [A] : HIV/AIDS
      • [B] : Confidentiality and Disclosure of HIV Test Results
    • § 3:4.2 : Authorized Disclosure
    • § 3:4.3 : Remedies for Breach of Confidentiality
    • § 3:4.4 : Sexually Transmitted Disease
    • § 3:4.5 : Tuberculosis
    • § 3:4.6 : Genetic Information
      • [A] : Genetic Discrimination
      • [B] : DNA Sampling by Law Enforcement
  • § 3:5 : Privacy of Substance Abuse Records
    • § 3:5.1 : Introduction
    • § 3:5.2 : Scope of Applicability
    • § 3:5.3 : Exceptions to Substance Abuse Confidentiality Laws
    • § 3:5.4 : Other Exceptions Permitting Information Release
      • [A] : Release with Patient’s Consent
      • [B] : Voluntary Disclosure to the Criminal Justice System
      • [C] : Release Without a Patient’s Consent
      • [D] : Releases Authorized by a Court Order
      • [E] : Request for Records in a Criminal Proceeding
        • [E][1] : Confidential Information
    • § 3:5.5 : Conclusion
  • § 3:6 : Medical Privacy at Common Law
    • § 3:6.1 : Actions Arising Out of the Disclosure of Confidential Medical Information
      • [A] : Theory of Recovery
      • [B] : Exceptions to Liability
    • § 3:6.2 : The Duty to Warn
  • § 3:7 : Privilege
    • § 3:7.1 : State Law
      • [A] : Physician-Patient Privilege
        • [A][1] : Majority of States Have Enacted Privilege by Statute
        • [A][2] : Scope of the Privilege
          • [A][2][a] : Types of Providers Covered
          • [A][2][b] : Subject Matter of the Privilege
          • [A][2][c] : Who May Assert the Privilege
          • [A][2][d] : Waiver
          • [A][2][e] : Exceptions/Exemptions
      • [B] : Psychotherapist-Patient Privilege
        • [B][1] : Every State Has Enacted Privilege by Statute
        • [B][2] : Scope of the Privilege
          • [B][2][a] : Types of Providers Covered
          • [B][2][b] : Subject Matter of the Privilege
          • [B][2][c] : Who May Assert the Privilege
          • [B][2][d] : Waiver
          • [B][2][e] : Exceptions/Exemptions
    • § 3:7.2 : Federal Law
      • [A] : Psychiatrist-Patient Privilege
        • [A][1] : Rule
        • [A][2] : Waiver
        • [A][3] : Exceptions
          • [A][3][a] : The Dangerous-Patient Exception
          • [A][3][b] : The Crime-Fraud Exception
          • [A][3][c] : Other Exceptions
      • [B] : Physician-Patient Privilege
      • [C] : Diversity and Supplemental Jurisdiction
        • [C][1] : Diversity Jurisdiction
        • [C][2] : Supplemental Jurisdiction
  • § 3:8 : Employers and Medical Privacy
    • § 3:8.1 : Americans with Disabilities Act
    • § 3:8.2 : HIPAA and Employer-Sponsored Health Plans
      • [A] : Overview of HIPAA Privacy Rules and Applicability to Health Plans
      • [B] : Sharing Information with Plan Sponsors Under HIPAA
Chapter 4: Federal Trade Commission Enforcement of Privacy
  • § 4:1 : FTC Privacy Enforcement Authority Under the Federal Trade Commission Act and Other Laws
    • § 4:1.1 : Introduction and Overview
    • § 4:1.2 : Primary Enforcement Authority: The Federal Trade Commission Act
      • [A] : Unfairness
        • [A][1] : Injury to Consumers
        • [A][2] : Violation of Established Public Policy
        • [A][3] : Unethical or Unscrupulous Conduct
      • [B] : Deception
        • [B][1] : Representation, Omission or Practice Likely to Mislead
        • [B][2] : Perspective of a Reasonable Consumer in the Circumstances
        • [B][3] : Materiality of Representation, Omission or Practice
    • § 4:1.3 : Other Privacy Enforcement Authorities
      • [A] : Children’s Online Privacy Protection Act
      • [B] : Gramm-Leach-Bliley Act
        • [B][1] : Pretexting
        • [B][2] : Financial Privacy Rule
        • [B][3] : Safeguards Rule
      • [C] : Telemarketing and Consumer Fraud Abuse and Prevention Act
      • [D] : Fair Credit Reporting Act
  • § 4:2 : FTC Enforcement Practice
    • § 4:2.1 : Overview
    • § 4:2.2 : Investigation
    • § 4:2.3 : Initiation of Enforcement Action
      • [A] : Administrative Enforcement
      • [B] : Judicial Enforcement
  • § 4:3 : FTC Enforcement of Privacy and Security Promises
    • § 4:3.1 : Overview
    • § 4:3.2 : Commission Authority to Investigate and Enforce
    • § 4:3.3 : Security and Privacy Enforcement Actions
      • [A] : Enforcing General Privacy Policies and Promises
      • [B] : Enforcing Affirmative Data Security Promises
      • [C] : Enforcing Data Security Absent an Affirmative Promise
      • [D] : Material Change to Privacy Policy
      • [E] : U.S.–EU Safe Harbor Privacy Framework
      • [F] : Spyware
        • [F][1] : Tracking, Monitoring, Locating Rent-to-Own Computers
        • [F][2] : Online Behavioral Advertising
  • § 4:4 : FTC Enforcement of Children’s Privacy
    • § 4:4.1 : Overview
    • § 4:4.2 : Commission Authority to Investigate and Enforce
    • § 4:4.3 : Children’s Privacy Enforcement Actions
      • [A] : Pre-COPPA Enforcement Actions
      • [B] : COPPA Enforcement Actions
      • [C] : COPPA Enforcement Actions Involving Mobile Applications
      • [D] : Children’s Privacy Offline
  • § 4:5 : FTC Enforcement of Financial Privacy
    • § 4:5.1 : Overview
    • § 4:5.2 : Commission Authority to Investigate and Enforce
    • § 4:5.3 : Financial Privacy Enforcement Actions
      • [A] : Pretexting
      • [B] : Telemarketing
      • [C] : Unsolicited Commercial Email
      • [D] : Phishing
      • [E] : Data Security
  • § 4:6 : FTC Enforcement of Credit Information Privacy
    • § 4:6.1 : Overview
    • § 4:6.2 : Commission Authority to Investigate and Enforce
    • § 4:6.3 : Credit Information Privacy Enforcement Actions
      • [A] : Consumer Reporting Agencies
      • [B] : Use of Credit Reports
      • [C] : Data Security
Chapter 5: State Privacy Laws
  • § 5:1 : Introduction
    • § 5:1.1 : Overview: Role of State Governments
    • § 5:1.2 : Origins of State Privacy Laws
      • [A] : Judicial—Torts and Crimes
      • [B] : Constitutional
      • [C] : Statutory
        • [C][1] : The California Invasion of Privacy Standard
  • § 5:2 : Online Privacy
    • § 5:2.1 : State Online Privacy Protection Statutes
      • [A] : California Online Privacy Protection Act (OPPA)
      • [B] : Other States
      • [C] : Related State Legislation Affecting Online Businesses
    • § 5:2.2 : Employee Social Media Protection Laws
    • § 5:2.3 : Revenge Porn Laws
  • § 5:3 : Spyware
    • § 5:3.1 : California
    • § 5:3.2 : Other States Following California’s Approach
    • § 5:3.3 : Other States with More Limited Spyware Statutes
  • § 5:4 : Spam
    • § 5:4.1 : The Federal Statute and Preemption
    • § 5:4.2 : State Regulation of Spam
      • [A] : Opt-In Provisions
      • [B] : Opt-Out Provisions
      • [C] : Subject-Line Labeling Requirements
      • [D] : Provisions Prohibiting False or Misleading Practices
      • [E] : Bans on Selling Software That Can Be Used to Falsify Routing Information
  • § 5:5 : Identity Theft
    • § 5:5.1 : Laws Criminalizing Identity Theft
    • § 5:5.2 : Laws Allowing Victims to Initiate Investigations and/or Clear Their Names
    • § 5:5.3 : Rights of Action Against Perpetrators
    • § 5:5.4 : Protections and Rights of Action Against Debt Collectors
    • § 5:5.5 : Notice of Security Breach Legislation
      • [A] : The California Framework
      • [B] : Other State Security Breach Notification Provisions
        • [B][1] : “Material” Breach Necessary to Trigger Notification
        • [B][2] : Expanded Definition of “Personal Information”
        • [B][3] : Necessity to Notify Customers of a Breach of Non-Computerized Data
        • [B][4] : Notification Procedures
        • [B][5] : Duty to Notify Other Entities
        • [B][6] : Duty of Non-Owners Maintaining Data
        • [B][7] : Exemption from Notification for Entities in Compliance with GLBA
        • [B][8] : Exemption from Notification for Encrypted Information
        • [B][9] : Penalties for Violation
        • [B][10] : Minnesota Law Requires Reimbursement of Card-Issuing Financial Institutions for Costs Associated with a Data Breach
        • [B][11] : State Credit Freeze Laws
    • § 5:5.6 : Data Security and Destruction Requirements
  • § 5:6 : Financial Privacy
    • § 5:6.1 : California Financial Information Privacy Act
    • § 5:6.2 : Other States
    • § 5:6.3 : Preemption
    • § 5:6.4 : Credit Card Transactions
      • [A] : Restrictions on Merchants
      • [B] : Prohibition on Disclosure of Marketing Information
  • § 5:7 : Privacy of Insurance-Related Information
    • § 5:7.1 : The National Association of Insurance Commissioners (NAIC) Model Acts
    • § 5:7.2 : Definitions of “Personal Information” and Similar Terms
    • § 5:7.3 : The GLBA Joint Marketing Exception and 2003 Model Act States
  • § 5:8 : Laws Governing Disclosure and Use of Social Security Numbers
    • § 5:8.1 : The California Framework
      • [A] : Jurisdictional Modification to the California Framework
        • [A][1] : Prohibiting SSNs in Customer Mailings
        • [A][2] : Expanded Exemptions from the California Framework
    • § 5:8.2 : Other State Law Regulation of the Use of Social Security Numbers
      • [A] : Requiring a Consumer’s SSN to Complete a Transaction
      • [B] : Privacy Policy for Handling SSNs
      • [C] : Employers
      • [D] : Other Modifications
  • § 5:9 : Unsolicited Telephone Marketing
    • § 5:9.1 : Telemarketing: State Do-Not-Call Laws
    • § 5:9.2 : Laws Restricting Cell Phone Marketing
  • § 5:10 : Electronic Eavesdropping
    • § 5:10.1 : State Statutory Schemes
  • § 5:11 : Radio Frequency Identification
Chapter 6: Privacy of Electronic Communications
  • § 6:1 : Introduction
    • § 6:1.1 : Purpose and History of the ECPA
    • § 6:1.2 : Amendments
  • § 6:2 : Title I—The Wiretap Act
    • § 6:2.1 : Communications Covered
      • [A] : Oral Communications
        • [A][1] : Expectation of Privacy
        • [A][2] : Silent Video
      • [B] : Wire Communications
        • [B][1] : Cordless Phones
        • [B][2] : Voice Mail
      • [C] : Electronic Communications
    • § 6:2.2 : Intentional Interception of Communications
      • [A] : “Intercept”
        • [A][1] : Contemporaneous Acquisition Requirement
        • [A][2] : Access to Temporarily Stored Emails
        • [A][3] : Access to Telephone Numbers or Other Associated Information
        • [A][4] : Keyloggers and Screen Captures
      • [B] : Intent
    • § 6:2.3 : Use or Disclosure of an Intercepted Communication
    • § 6:2.4 : Exceptions
      • [A] : Communications Service in Normal Course of Business
      • [B] : Consent by a Party to a Communication
        • [B][1] : Implied Consent
        • [B][2] : Tortious or Criminal Purpose Exception
        • [B][3] : The Case of “Cookies”
        • Figure 6-1 : Placing Third-Party Advertisements on a Website
      • [C] : Business Extensions
      • [D] : Communications to the Public
      • [E] : First Amendment
    • § 6:2.5 : Private Cause of Action
      • [A] : Litigating Wiretap Act Claims
      • [B] : Limitations
      • [C] : Damages
      • [D] : Good-Faith Defense
    • § 6:2.6 : State Wiretap Acts
  • § 6:3 : Title II—Stored Communications Act
    • § 6:3.1 : Access to Stored Communications
      • [A] : Electronic Communication Service Facility
      • [B] : “Unauthorized Access”
        • [B][1] : Privacy Policies
        • [B][2] : Subpoenas
        • [B][3] : Exceeding Authorized Access
      • [C] : “Electronic Storage”
        • [C][1] : Cookies and Other Data Stored on Computers
      • [D] : Exceptions
        • [D][1] : Access Authorized by a Service Provider
        • [D][2] : Access Authorized by a Party
    • § 6:3.2 : Disclosures by Communications Services
      • [A] : Disclosures Prohibited Under Section 2702
        • [A][1] : Contents of Communications
          • [A][1][a] : Exceptions
        • [A][2] : Customer Records
          • [A][2][a] : Exceptions
        • [A][3] : Anti-Pretexting Laws
      • [B] : Disclosures to the Government Required Under Section 2703
    • § 6:3.3 : Private Cause of Action
      • [A] : Damages
  • § 6:4 : Title III—Pen Registers and Trap-and-Trace Devices
Chapter 7: The Foreign Intelligence Surveillance Act
  • § 7:1 : Introduction
    • § 7:1.1 : Purpose
    • § 7:1.2 : “Special-Needs” Exception to Warrant Requirement
    • § 7:1.3 : Evolution of FISA
      • [A] : The Church Committee
      • [B] : Amendments to FISA
  • § 7:2 : The Foreign Intelligence Surveillance Act
    • § 7:2.1 : The Scope of FISA
      • [A] : Intelligence-Gathering Activities Targeting Persons Within the United States
      • [B] : Intelligence-Gathering Activities Targeting Persons Outside the United States
    • § 7:2.2 : Required Elements for Authorized Intelligence-Gathering Pursuant to FISA
      • [A] : Probable Cause
      • [B] : Significant Purpose
      • [C] : Identification and Description of the Targeted Individual, Facility, Place, or Property
      • [D] : Target Is a Foreign Power or an Agent of a Foreign Power
      • [E] : The Method and Time Frame of Intelligence Collection
      • [F] : Minimization Procedures
      • [G] : Certification Requirements
    • § 7:2.3 : Exceptions to FISA Authorization or Order Requirement
      • [A] : Surveillance of Certain Foreign Powers
      • [B] : During Emergencies While FISC Order Is Being Pursued
      • [C] : Declaration of War
      • [D] : Testing of Equipment
      • [E] : Discovery of Unauthorized Surveillance Equipment
      • [F] : Training
    • § 7:2.4 : Remedies
      • [A] : Motion to Suppress
      • [B] : Request to Modify or Set Aside Order
      • [C] : Civil Liability
      • [D] : Criminal Liability
  • § 7:3 : The Foreign Intelligence Surveillance Court and the Foreign Intelligence Surveillance Court of Review
    • § 7:3.1 : Membership and Structure
    • § 7:3.2 : Authority, Jurisdiction, and Scope of Review
    • § 7:3.3 : Transparency of Proceedings and Publication of Opinions
    • § 7:3.4 : Procedure for Obtaining a FISC Order
  • § 7:4 : Controversies and Amendments
    • § 7:4.1 : The Terrorist Surveillance Program and Retroactive Immunity
    • § 7:4.2 : Targeting U.S. and Non-U.S. Persons Abroad
      • [A] : Bulk Collection of Telephonic Metadata
      • [B] : PRISM and the Collection of Internet Communications in Transit
    • § 7:4.3 : Expansion of the Business Records Provision
    • § 7:4.4 : Roving Wiretaps
    • § 7:4.5 : Lone Wolf Provision
  • § 7:5 : Proposed Reforms
    • § 7:5.1 : Increasing Transparency Through the Disclosure of FISA Opinions
    • § 7:5.2 : Adding an Adversary in the Form of a Public Advocate
    • § 7:5.3 : Involvement of Amici Curiae
    • § 7:5.4 : Requirement to Sit En Banc
    • § 7:5.5 : Higher Voting Thresholds
Chapter 8: Privacy and Homeland Security; and Appendices 8A-8F
  • § 8:1 : Background: Intelligence, Surveillance, and Privacy Pre-9/11
  • § 8:2 : Establishment of Department of Homeland Security
    • § 8:2.1 : DHS Organization and Functions
    • § 8:2.2 : Authorities for Privacy Protection at DHS
  • § 8:3 : Privacy Protection at Other Agencies
    • § 8:3.1 : Internal Privacy Protection Requirements for Executive-Branch Agencies
    • § 8:3.2 : Executive-Branch Privacy/Civil Liberties Oversight
      • [A] : Board on Safeguarding Americans’ Civil Liberties
      • [B] : Privacy and Civil Liberties Oversight Board
  • § 8:4 : DHS Privacy Office Functions
    • § 8:4.1 : Policy
      • [A] : Fair Information Practice Principles
      • [B] : Use of Social Media
      • [C] : Other Guidance
    • § 8:4.2 : Compliance
    • § 8:4.3 : Oversight
    • § 8:4.4 : Incidents and Breaches
    • § 8:4.5 : Education and Training
    • § 8:4.6 : Outreach
  • § 8:5 : High-Profile Privacy Issues in Homeland Security
    • § 8:5.1 : Information-Sharing
      • [A] : Breaking Down the Wall of Separation
      • [B] : Information Sharing Environment (ISE)
    • § 8:5.2 : Fusion Centers
      • [A] : Organization and Mission
      • [B] : Civil Liberties Concerns
    • § 8:5.3 : Watchlists
      • [A] : Watchlists, Pre-9/11
      • [B] : Integration and Use of Screening Information
      • [C] : Redress and Oversight
    • § 8:5.4 : Data Mining
      • [A] : Privacy Concerns Versus Combating Terrorism
      • [B] : Establishing a Uniform Definition of “Data Mining”
      • [C] : High-Profile Data Mining
        • [C][1] : Program “Able Danger”
        • [C][2] : JetBlue Data Transfer
        • [C][3] : Total Information Awareness/Terrorism Information Awareness (TIA)
        • [C][4] : Multistate Anti-Terrorism Information Exchange (MATRIX)
        • [C][5] : Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE)
    • § 8:5.5 : Transatlantic Exchanges of Personal Data
      • [A] : Background
      • [B] : Conflicting Data-Protection Requirements
      • [C] : Common Principles Underlying Future Information-Sharing
  • Appendix 8A : The Fair Information Practice Principles
  • Appendix 8B : DHS Policy Regarding Privacy Impact Assessments
  • Appendix 8C : DHS Privacy Policy Regarding Collection, Use, Retention, and Dissemination of Information on Non-U.S. Persons
  • Appendix 8D : Privacy and Homeland Security Issues in the Airline Industry
  • Appendix 8E : Department of Homeland Security Organizational Chart
  • Appendix 8F : Privacy Act Amendment Requests
Chapter 9: Workplace Privacy Law
  • § 9:1 : Selection of Employees ..... 9-3
    • § 9:1.1 : Pre-Hire Inquiries ..... 9-3
      • [A] : Inquiries Regarding Race, Sex, Religion, and Other Protected Characteristics ..... 9-3
      • [B] : Disability-Related Inquiries ..... 9-5
      • [C] : Psychological Testing and Examinations ..... 9-6
      • [D] : Union Status ..... 9-7
      • [E] : Litigation History ..... 9-7
    • § 9:1.2 : References ..... 9-8
    • § 9:1.3 : Blacklisting ..... 9-10
  • § 9:2 : Collection of Personal Information ..... 9-11
    • § 9:2.1 : Medical Information ..... 9-13
      • [A] : Health Insurance Portability and Accountability Act of 1996 ..... 9-13
      • [B] : HIV/AIDS ..... 9-16
      • [C] : Confidentiality of Patient Medical Records ..... 9-18
        • [C][1] : Federal Law ..... 9-18
        • [C][2] : State Law ..... 9-19
    • § 9:2.2 : Past Criminal and Arrest Records ..... 9-24
      • [A] : Federal Law ..... 9-24
        • [A][1] : Title VII ..... 9-24
        • [A][2] : Intelligence Reform and Terrorism Prevention Act ..... 9-26
      • [B] : State Law ..... 9-27
    • § 9:2.3 : Fingerprints and Photographs ..... 9-29
    • § 9:2.4 : Financial Data ..... 9-30
      • [A] : Federal Law ..... 9-30
        • [A][1] : Fair Credit Reporting Act of 1970 ..... 9-30
        • [A][2] : Fair and Accurate Credit Transactions Act ..... 9-32
      • [B] : State Law ..... 9-32
    • § 9:2.5 : Educational Records ..... 9-33
      • [A] : Federal Law ..... 9-33
      • [B] : State Law ..... 9-34
    • § 9:2.6 : Personal Identification Information ..... 9-35
      • [A] : Information Stored on Computers ..... 9-35
      • [B] : Social Security Numbers ..... 9-36
      • [C] : Motor Vehicle Information ..... 9-38
      • [D] : Verification of Employment Eligibility: E-Verify ..... 9-39
    • § 9:2.7 : Access to Personnel Records ..... 9-40
    • § 9:2.8 : Genetic Information ..... 9-42
  • § 9:3 : Policies Regulating Employee Conduct ..... 9-44
    • § 9:3.1 : Sexual Conduct, Intimate Relationships, Fraternization, Procreation, Marriage ..... 9-44
      • [A] : Common Law Claims—Private Employees ..... 9-44
        • [A][1] : Invasion of Privacy ..... 9-44
          • [A][1][a] : Public Disclosure of Private Facts ..... 9-44
          • [A][1][b] : Intrusion upon Seclusion ..... 9-46
        • [A][2] : Wrongful Termination in Violation of Public Policy ..... 9-47
      • [B] : Statutory Claims ..... 9-48
      • [C] : Constitutional Privacy Right ..... 9-48
    • § 9:3.2 : Grooming and Dress Codes ..... 9-51
      • [A] : Mutable Versus Immutable Characteristics ..... 9-51
      • [B] : Hair Length and Style ..... 9-52
        • [B][1] : Federal Law ..... 9-52
        • [B][2] : State Law ..... 9-54
      • [C] : Beards and Moustaches ..... 9-55
        • [C][1] : Federal Law ..... 9-55
        • [C][2] : State Law ..... 9-57
      • [D] : Dress Codes ..... 9-57
        • [D][1] : Federal Law ..... 9-57
        • [D][2] : State Law ..... 9-59
      • [E] : Gender Identity Issue ..... 9-59
    • § 9:3.3 : Polygraphs and Lie Detector Tests ..... 9-60
    • § 9:3.4 : Genetic Testing ..... 9-62
    • § 9:3.5 : Drug and Alcohol Use ..... 9-63
      • [A] : Federal Law ..... 9-63
        • [A][1] : Constitution ..... 9-63
        • [A][2] : Americans with Disabilities Act (ADA) ..... 9-65
        • [A][3] : Other Federal Statutes and Regulations ..... 9-66
      • [B] : State Laws ..... 9-67
        • [B][1] : Constitutions ..... 9-67
        • [B][2] : Statutes ..... 9-68
      • [C] : Contractual and Common Law Theories of Liability ..... 9-70
    • § 9:3.6 : Smoking ..... 9-71
      • [A] : Restrictions on Smoking in the Workplace ..... 9-71
      • [B] : Off-Duty Smoking ..... 9-72
    • § 9:3.7 : Disclosure of Wages ..... 9-73
    • § 9:3.8 : Blogging and Cybersmearing ..... 9-74
      • [A] : Validity of Employee Confidentiality Policies ..... 9-74
      • [B] : Potential Causes of Action ..... 9-75
        • [B][1] : Private Blogs and the Stored Communication Act ..... 9-75
        • [B][2] : Trespass to Chattels ..... 9-76
        • [B][3] : Defamation ..... 9-77
  • § 9:4 : Surveillance of Employees ..... 9-79
    • § 9:4.1 : Employer Investigations Generally ..... 9-79
    • § 9:4.2 : Physical Searches ..... 9-80
      • [A] : Introduction ..... 9-80
      • [B] : Public Employer Searches ..... 9-81
      • [C] : Private Employer Searches ..... 9-83
        • [C][1] : Third-Party Consent ..... 9-85
      • [D] : NLRA ..... 9-86
    • § 9:4.3 : Email and Internet Use Searches ..... 9-86
      • [A] : Notice ..... 9-86
      • [B] : Statutory Provisions ..... 9-89
        • [B][1] : Federal Law ..... 9-89
          • [B][1][a] : The Electronic Communications Privacy Act ..... 9-89
            • [B][1][a][i] : Exceptions ..... 9-93
          • [B][1][b] : The Federal Computer Fraud and Abuse Act ..... 9-95
          • [B][1][c] : NLRA ..... 9-96
      • [C] : State Law ..... 9-97
    • § 9:4.4 : Instant Electronic Communications ..... 9-98
      • [A] : Instant Messaging ..... 9-98
      • [B] : Text Messaging ..... 9-99
      • [C] : Social Media ..... 9-100
    • § 9:4.5 : Eavesdropping, Recording Telephone Conversations, and Video Monitoring ..... 9-101
    • § 9:4.6 : Human Tracking Devices ..... 9-105
    • § 9:4.7 : USA PATRIOT Act ..... 9-109
Chapter 10: Privacy and Commercial Communications
  • § 10:1 : Overview ..... 10-3
    • § 10:1.1 : Connection to Privacy Principles and Laws ..... 10-3
    • § 10:1.2 : General Considerations ..... 10-4
  • § 10:2 : Email Communications ..... 10-4
    • § 10:2.1 : Source and Scope of Rules ..... 10-4
    • § 10:2.2 : What Is a “Commercial Electronic Mail Message”? ..... 10-6
    • § 10:2.3 : Who Is the “Sender”? ..... 10-9
    • § 10:2.4 : Consent Requirements ..... 10-11
    • § 10:2.5 : Information to Be Included in Each Message ..... 10-12
    • § 10:2.6 : Forward-to-a-Friend Features ..... 10-13
    • § 10:2.7 : Specific Rules for Messages Sent to Wireless Domains ..... 10-15
    • § 10:2.8 : Prohibitions on Fraudulent, Deceptive, and Abusive Practices ..... 10-17
    • § 10:2.9 : Additional Rules Regarding Sexually Oriented Material ..... 10-18
  • § 10:3 : Telephone Communications ..... 10-20
    • § 10:3.1 : Source and Scope of Rules ..... 10-20
    • § 10:3.2 : Consent Requirements ..... 10-21
      • [A] : Company-Specific Consent Requirements ..... 10-22
      • [B] : National Do Not Call Registry ..... 10-23
      • [C] : State Do-Not-Call Lists ..... 10-24
    • § 10:3.3 : Required Call Content ..... 10-25
    • § 10:3.4 : Time and Frequency Restrictions ..... 10-27
    • § 10:3.5 : Use of Autodialers, Prerecorded Messages, and Other Technologies ..... 10-27
    • § 10:3.6 : Prohibitions on Deceptive or Abusive Telemarketing Practices ..... 10-31
    • § 10:3.7 : Record-Keeping and Compliance Requirements ..... 10-31
  • § 10:4 : Fax Communication ..... 10-33
    • § 10:4.1 : Source and Scope of Rules ..... 10-33
    • § 10:4.2 : Consent Requirements ..... 10-33
    • § 10:4.3 : Information to Be Included in Each Message ..... 10-34
  • § 10:5 : Direct Mail Communications ..... 10-35
    • § 10:5.1 : Source and Scope of Rules ..... 10-35
    • § 10:5.2 : Restrictions and Prohibitions on Mailing Certain Content ..... 10-36
      • [A] : Fraudulent or Deceptive Content ..... 10-36
      • [B] : Prohibited or Restricted Advertising Content ..... 10-37
      • [C] : Mailings Containing Certain Goods, Samples, Etc. ..... 10-38
    • § 10:5.3 : Consent Requirements ..... 10-38
      • [A] : Sexually Oriented Advertisements ..... 10-38
      • [B] : “Pandering” Advertisements ..... 10-39
      • [C] : Sweepstakes and Skill Contests ..... 10-40
  • § 10:6 : Text Messaging ..... 10-40
    • § 10:6.1 : Source and Scope of Rules ..... 10-40
    • § 10:6.2 : What Is a Text Message? ..... 10-40
    • § 10:6.3 : Consent Requirements ..... 10-41
      • [A] : Messages Sent to a Number ..... 10-41
        • [A][1] : Do-Not-Call Rules ..... 10-42
      • [B] : Messages Sent to a Username and Domain Name ..... 10-42
        • [B][1] : Express Prior Authorization ..... 10-44
        • [B][2] : FCC List of Wireless Domains ..... 10-44
        • [B][3] : Procedures for Receiving and Honoring Opt-Out Requests ..... 10-45
      • [C] : State-Law Consent Requirements ..... 10-46
        • [C][1] : California ..... 10-46
        • [C][2] : Rhode Island ..... 10-47
        • [C][3] : Washington ..... 10-48
        • [C][4] : State Spam Laws ..... 10-50
    • § 10:6.4 : Sending Automated Text Messages ..... 10-50
    • § 10:6.5 : Industry Self-Regulation ..... 10-51
      • [A] : Mobile Marketing Association ..... 10-51
      • [B] : Direct Marketing Association’s Guidelines for Ethical Business Practice ..... 10-55
  • § 10:7 : Social Media ..... 10-56
    • § 10:7.1 : Source and Scope of Rules ..... 10-56
    • § 10:7.2 : What Is Social Media? ..... 10-56
    • § 10:7.3 : Sending Commercial Messages via Social Media ..... 10-57
    • § 10:7.4 : Gathering and Using Consumer Data from Social Media Sites ..... 10-58
      • [A] : Disclosure of Users’ Personal Information to Third Parties ..... 10-59
      • [B] : Address Book Harvesting ..... 10-60
      • [C] : Location-Based Services ..... 10-60
      • [D] : Computer Fraud Statutes ..... 10-61
      • [E] : Industry Self-Regulation of Information Gathering and Distribution ..... 10-62
    • § 10:7.5 : Using Social Media Users’ Actions As Advertisements ..... 10-63
      • [A] : Advertising Social Media Users’ Activity Within the Social Media Site ..... 10-63
      • [B] : Advertising Social Media Users’ Internet Activity Outside the Social Media Site ..... 10-64
  • § 10:8 : Conclusions ..... 10-64
Chapter 11: The Children’s Online Privacy Protection Act (COPPA)
  • § 11:1 : Introduction/Overview ..... 11-3
    • § 11:1.1 : Enactment ..... 11-3
    • § 11:1.2 : Statutory Overview ..... 11-4
    • § 11:1.3 : Who Enforces the Statute ..... 11-5
  • § 11:2 : Who Is Subject to the Statute ..... 11-6
    • § 11:2.1 : “Operator” ..... 11-6
      • [A] : Factors Determining Operator Status ..... 11-8
      • [B] : Special Cases ..... 11-9
        • [B][1] : Internet Service Providers and Other “Mere Conduits” ..... 11-9
        • [B][2] : Advertisers ..... 11-10
        • [B][3] : Non-U.S. Operators ..... 11-11
        • [B][4] : Nonprofits ..... 11-11
    • § 11:2.2 : “Website or Online Service Directed to Children” ..... 11-11
      • [A] : Primary Content Provider Versus Plug-Ins ..... 11-12
      • [B] : Age-Screening Where Children Are Not “Primary Audience” ..... 11-12
    • § 11:2.3 : General Audience Website ..... 11-15
      • [A] : “Actual Knowledge” ..... 11-16
  • § 11:3 : What Activities Does COPPA Cover? ..... 11-17
    • § 11:3.1 : “Personal Information” ..... 11-17
    • § 11:3.2 : “Collection” ..... 11-19
      • [A] : Requesting a Child to Submit Personal Information Online ..... 11-19
      • [B] : Enabling a Child to Publicly Disclose Personal Information ..... 11-20
        • [B][1] : To Monitor or Not to Monitor ..... 11-21
      • [C] : Passive Tracking ..... 11-22
    • § 11:3.3 : “Disclosure” ..... 11-22
      • [A] : Release of Personal Information ..... 11-22
        • [A][1] : Third Party Versus Provider of “Support for the Internal Operations of the Website” ..... 11-23
      • [B] : Making Personal Information Publicly Available ..... 11-25
  • § 11:4 : How to Comply with COPPA ..... 11-25
    • § 11:4.1 : Need Prior Parental Consent Unless Fall Within Exception ..... 11-26
      • [A] : “Verifiable Parental Consent” (“Verifiable Consent”) ..... 11-26
      • [B] : “Parent” ..... 11-27
        • [B][1] : Schools ..... 11-27
        • [B][2] : Ascertaining Whether Someone Is a “Parent” ..... 11-27
        • [B][3] : Parents’ Right to Review and Have Information Deleted ..... 11-28
    • § 11:4.2 : Exceptions to Consent ..... 11-30
      • [A] : To Obtain Parental Consent ..... 11-30
      • [B] : To Respond to a Child’s Specific Request on a One-Time Basis ..... 11-31
      • [C] : To Respond More Than Once to a Child’s Specific Request ..... 11-32
      • [D] : To Protect the Child’s Safety ..... 11-34
      • [E] : To Protect the Website ..... 11-34
      • [F] : To Notify and Update Parents About a Website That Does Not Collect Personal Information ..... 11-35
      • [G] : To Collect a Persistent Identifier in Limited Circumstances ..... 11-36
    • § 11:4.3 : How to Get Consent ..... 11-36
      • [A] : Notice ..... 11-36
        • [A][1] : Requirements for Notice ..... 11-37
          • [A][1][a] : “Clear and Understandable” ..... 11-37
          • [A][1][b] : Information Collected and How It Is Used ..... 11-37
          • [A][1][c] : Disclosures to Third Parties and Others ..... 11-38
          • [A][1][d] : Parental Review Rights ..... 11-38
          • [A][1][e] : Operators’ Contact Information ..... 11-39
        • [A][2] : Privacy Policy Placement ..... 11-41
        • [A][3] : Direct Notice to Parents ..... 11-41
          • [A][3][a] : “Material Change” ..... 11-41
      • [B] : Consent ..... 11-42
        • [B][1] : Full Consent ..... 11-42
          • [B][1][a] : Print and Send or Scan ..... 11-42
          • [B][1][b] : Credit Card Transaction ..... 11-42
          • [B][1][c] : Toll-Free Number or Video Conference ..... 11-43
          • [B][1][d] : Government-Issued Identification ..... 11-43
          • [B][1][e] : Other Methods ..... 11-43
        • [B][2] : Email Plus Consent ..... 11-44
        • [B][3] : Online Consent Form Insufficient ..... 11-46
    • § 11:4.4 : What Happens If the Operator Does Not Get Parental Consent ..... 11-46
      • [A] : Delete Information ..... 11-46
      • [B] : Limited Permission to Terminate Service ..... 11-47
        • [B][1] : Cannot Terminate for Non-Consent to Third-Party Disclosure ..... 11-47
    • § 11:4.5 : Security and Data Retention/Deletion ..... 11-48
    • § 11:4.6 : Safe Harbors ..... 11-51
  • § 11:5 : Sanctions/Penalties ..... 11-51
    • § 11:5.1 : FTC COPPA Enforcement Actions ..... 11-53
    • § 11:5.2 : FTC Non-COPPA Enforcement ..... 11-55
Chapter 12: The Privacy Act of 1974 and Its Progeny
  • § 12:1 : Introduction ..... 12-3
  • § 12:2 : Privacy Act Statutory Provisions ..... 12-4
    • § 12:2.1 : 5 U.S.C. § 552a(a): Definitions ..... 12-4
      • [A] : “Agency” ..... 12-4
        • [A][1] : Privacy Act Applies Only to Federal Agencies ..... 12-4
        • [A][2] : Executive Office of the President ..... 12-5
        • [A][3] : State and Local Government Agencies ..... 12-7
        • [A][4] : Other Entities ..... 12-7
      • [B] : “Individual” ..... 12-8
      • [C] : “Maintain” ..... 12-10
      • [D] : “Record” ..... 12-10
      • [E] : “System of Records” ..... 12-13
      • [F] : “Statistical Record” ..... 12-16
      • [G] : “Routine Use” ..... 12-17
    • § 12:2.2 : 5 U.S.C. § 552a(b): Conditions of Disclosure ..... 12-18
      • [A] : Disclosure Within Agencies ..... 12-19
      • [B] : Disclosure to the Public ..... 12-19
      • [C] : Disclosure for a “Routine Use” ..... 12-20
      • [D] : Disclosure to the Bureau of the Census ..... 12-22
      • [E] : Disclosure for Statistical Research and Reporting ..... 12-23
      • [F] : Disclosure to National Archives ..... 12-24
      • [G] : Disclosure for Law Enforcement Purposes ..... 12-24
      • [H] : Disclosure Under Emergency Circumstances ..... 12-25
      • [I] : Disclosure to Congress ..... 12-26
      • [J] : Disclosure to the General Accountability Office ..... 12-26
      • [K] : Disclosure Pursuant to Court Order ..... 12-26
      • [L] : Disclosure to a Consumer Reporting Agency ..... 12-27
      • [M] : Disclosure of Social Security Numbers ..... 12-27
    • § 12:2.3 : 5 U.S.C. § 552a(d): Access to Records ..... 12-28
      • [A] : Individual Access ..... 12-28
      • [B] : Amending Records ..... 12-30
    • § 12:2.4 : 5 U.S.C. § 552a(g)(4): Remedies ..... 12-32
  • § 12:3 : Systems of Records Notice Guidance ..... 12-32
    • § 12:3.1 : Definitions ..... 12-32
    • § 12:3.2 : Contents ..... 12-32
    • § 12:3.3 : How to Prepare a System of Records Notice ..... 12-33
      • [A] : Key Elements ..... 12-33
      • [B] : Storage ..... 12-34
      • [C] : Record Identification ..... 12-34
      • [D] : Security Safeguards ..... 12-34
      • [E] : Retention and Disposal ..... 12-34
      • [F] : Notification Procedures; Record Access Procedures; Contesting Record Procedures ..... 12-35
      • [G] : Record Source Categories ..... 12-35
      • [H] : Systems Exempted from Certain Provisions of the Act ..... 12-35
      • [I] : Routine Uses ..... 12-36
  • § 12:4 : E-Government Act Section 208 Statutory Provisions: Privacy Impact Assessments ..... 12-37
    • § 12:4.1 : Section 208(b)(1): Responsibilities of Agencies ..... 12-38
      • [A] : When to Do a Privacy Impact Assessment ..... 12-38
      • [B] : Agency Activities ..... 12-39
      • [C] : Sensitive Information ..... 12-39
    • § 12:4.2 : Section 208(b)(2): Contents of a Privacy Impact Assessment ..... 12-40
      • [A] : OMB Guidance ..... 12-40
      • [B] : What Information Is Collected? ..... 12-40
      • [C] : Why Is the Information Collected? ..... 12-41
      • [D] : What Is the Intended Use of the Information? ..... 12-41
      • [E] : Who Will the Information Be Shared With? ..... 12-41
      • [F] : What Notice Will Be Given Regarding the Information’s Use and Collection? ..... 12-42
      • [G] : How Will the Information Be Secured? ..... 12-42
      • [H] : Is a System of Records Notice Created? ..... 12-42
  • § 12:5 : Privacy Impact Assessment Guidance ..... 12-42
    • § 12:5.1 : Introduction ..... 12-42
    • § 12:5.2 : What Is a PIA? ..... 12-43
    • § 12:5.3 : Complying with the PIA Requirement ..... 12-43
    • § 12:5.4 : Information Covered by the PIA ..... 12-45
    • § 12:5.5 : Regarding “Private” Information ..... 12-45
    • § 12:5.6 : Regarding Privacy Act System of Records Notice (SORN) Requirements Versus PIA Requirements ..... 12-46
    • § 12:5.7 : When to Conduct a PIA ..... 12-46
    • § 12:5.8 : Classified Information and Systems ..... 12-46
    • § 12:5.9 : Negative PIAs ..... 12-46
    • § 12:5.10 : How to Conduct a PIA ..... 12-46
    • § 12:5.11 : Writing the PIA ..... 12-47
      • [A] : Introduction ..... 12-47
      • [B] : Section 1.0—The System and the Information Collected and Stored with the System ..... 12-48
      • [C] : Section 2.0—Uses of the System and the Information ..... 12-49
      • [D] : Section 3.0—Retention ..... 12-51
      • [E] : Section 4.0—Internal Sharing and Disclosure ..... 12-51
      • [F] : Section 5.0—External Sharing and Disclosure ..... 12-52
      • [G] : Section 6.0—Notice ..... 12-53
      • [H] : Section 7.0—Individual Access, Redress, and Correction ..... 12-54
      • [I] : Section 8.0—Technical Access and Security ..... 12-55
      • [J] : Section 9.0—Technology ..... 12-56
      • [K] : Conclusion ..... 12-56
      • [L] : Approval and Signature Page ..... 12-56
Chapter 13: Canadian Privacy Law
  • § 13:1 : Nature of the Canadian Privacy Framework ..... 13-3
    • § 13:1.1 : Intersecting Federal and Provincial Privacy Regimes ..... 13-3
      • [A] : Public Sector ..... 13-3
      • [B] : Private Sector ..... 13-4
        • [B][1] : Québec ..... 13-4
        • [B][2] : Federal ..... 13-5
        • [B][3] : Provincial (Other Than Québec) ..... 13-6
      • [C] : Personal Health Information ..... 13-7
      • [D] : Statutory Tort of Invasion of Privacy ..... 13-8
    • § 13:1.2 : Privacy Principles from Common Law ..... 13-9
      • [A] : Common-Law Tort of Privacy ..... 13-9
      • [B] : Work Product ..... 13-11
      • [C] : Surveillance ..... 13-12
        • [C][1] : Reasonableness of Surveillance in the Workplace ..... 13-12
        • [C][2] : Surveillance Evidence in Litigation ..... 13-13
    • § 13:1.3 : Relationship Between the Canadian and European Privacy Regimes ..... 13-14
  • § 13:2 : Personal Information ..... 13-16
    • § 13:2.1 : Scope of Definition of “Personal Information” ..... 13-16
    • § 13:2.2 : Employee Information ..... 13-17
    • § 13:2.3 : Carve-Outs from the Obligations Applying to Personal Information ..... 13-18
    • § 13:2.4 : Sensitivity of Personal Information ..... 13-18
    • § 13:2.5 : Grandfathering Provisions ..... 13-19
  • § 13:3 : Nature of Privacy Obligations ..... 13-19
    • § 13:3.1 : Consent/Notice Obligations ..... 13-19
      • [A] : Generally ..... 13-19
      • [B] : Content of the Notice ..... 13-20
      • [C] : Withdrawing Consent ..... 13-20
      • [D] : Extra-Jurisdictional Transfers of Personal Information ..... 13-21
    • § 13:3.2 : Administrative Obligations ..... 13-23
    • § 13:3.3 : Access Obligations ..... 13-23
    • § 13:3.4 : Breach Notification ..... 13-24
      • [A] : Comparison of the Federal and Alberta Models ..... 13-24
      • [B] : Differences Between the Federal and Alberta Models ..... 13-25
        • [B][1] : Threshold for Reporting a Breach ..... 13-25
        • [B][2] : Threshold for Notifying the Affected Individuals ..... 13-26
        • [B][3] : Definition of “Significant Harm” ..... 13-26
        • [B][4] : Responsibility for Notification ..... 13-27
        • [B][5] : Offenses ..... 13-27
    • § 13:3.5 : Enforcement ..... 13-28
      • [A] : Generally ..... 13-28
      • [B] : Powers ..... 13-28
      • [C] : Offenses ..... 13-28
      • [D] : “Naming and Shaming” ..... 13-29
      • [E] : Review of Findings/Appeals ..... 13-29
      • [F] : Remedies ..... 13-29
  • § 13:4 : Canadian Privacy Law in Transition ..... 13-30
    • § 13:4.1 : Recent Changes to Canadian Privacy Law ..... 13-30
    • § 13:4.2 : 2010 Changes to the Alberta PIPA ..... 13-30
      • [A] : Privacy Policies and Practices ..... 13-30
      • [B] : Maintaining Accuracy of Personal Information ..... 13-31
      • [C] : Retention and Destruction ..... 13-31
    • § 13:4.3 : Proposed Revisions to PIPEDA ..... 13-32
      • [A] : Scope of Application ..... 13-32
      • [B] : Consent ..... 13-32
      • [C] : Consent Exceptions ..... 13-32
      • [D] : Definition of “Lawful Authority” ..... 13-33
      • [E] : Federal Commissioners’ Proposed 2013 Revisions to PIPEDA ..... 13-34
    • § 13:4.4 : Canada’s FISA: A Comparative Perspective ..... 13-35
      • [A] : Overview of Canadian, U.S., and U.K. Legislation ..... 13-35
      • [B] : Definition of “Commercial” Messages/Communications ..... 13-37
      • [C] : Consent ..... 13-40
        • [C][1] : “Opt-In” Versus “Opt-Out” Provisions ..... 13-40
        • [C][2] : “Natural Persons” Versus “Legal Persons” ..... 13-42
      • [D] : Additional Exemptions ..... 13-43
      • [E] : Content ..... 13-46
      • [F] : Enforcement ..... 13-49
      • [G] : Jurisdiction ..... 13-52
    • § 13:4.5 : Class Actions and Privacy Litigation ..... 13-55
    • § 13:4.6 : Federal Commissioner Decision on Credit-Based Insurance Scores ..... 13-59
      • [A] : Introduction ..... 13-59
      • [B] : Summary of PIPEDA Report of Findings No. 2012-005 ..... 13-60
      • [C] : Analysis ..... 13-62
  • § 13:5 : Conclusions ..... 13-64
Chapter 14: International Privacy Law; and Appendices 14A-14E
  • § 14:1 : Introduction ..... 14-8
  • § 14:2 : EU Data Protection Directive ..... 14-9
    • § 14:2.1 : Key Components of the EU Data Protection Directive ..... 14-10
    • § 14:2.2 : Terminology ..... 14-11
    • § 14:2.3 : Compliance with the EU Data Protection Directive ..... 14-12
    • § 14:2.4 : Disclosure Requirements to Data Subjects ..... 14-14
    • § 14:2.5 : Reporting to Supervisory Authorities ..... 14-14
    • § 14:2.6 : Controllers and Processors ..... 14-15
      • [A] : Controllers ..... 14-15
      • [B] : Processors ..... 14-17
      • [C] : Determining Whether an Entity Is a Controller or Processor ..... 14-18
    • § 14:2.7 : Anonymity of Data Subjects ..... 14-18
      • [A] : Anonymization of Data ..... 14-19
      • [B] : Pseudonymization of Data ..... 14-20
    • § 14:2.8 : Specific Issues Concerning Consent ..... 14-20
      • [A] : When Consent Is Necessary ..... 14-20
      • [B] : Definition of Consent ..... 14-22
        • [B][1] : “Freely Given” ..... 14-24
        • [B][2] : Specific and Informed Indication ..... 14-25
        • [B][3] : Unambiguous Consent ..... 14-26
      • [C] : Withdrawal of Consent ..... 14-27
    • § 14:2.9 : Territorial Scope ..... 14-27
      • [A] : Location of the Data Controller ..... 14-29
        • [A][1] : Identifying the Data Controller ..... 14-29
        • [A][2] : Determining the Existence of an “Establishment” ..... 14-30
        • [A][3] : The Location of the Establishment ..... 14-30
        • [A][4] : Involvement of Establishment in Activities Relating to Data Processing ..... 14-31
      • [B] : International Law ..... 14-32
      • [C] : Place of Processing ..... 14-32
        • [C][1] : Difference Between Article 4.1(a) and Article 4.1(c) ..... 14-33
        • [C][2] : What Is Meant by “Equipment”? ..... 14-33
        • [C][3] : What Is Meant by “For Purposes of Processing Personal Data Makes Use of Equipment”? ..... 14-34
        • [C][4] : When Equipment Is Used Only for Purposes of Transit Through the EU ..... 14-36
      • [D] : Proposed Reforms ..... 14-36
    • § 14:2.10 : EU Draft Legislation Package ..... 14-36
    • § 14:2.11 : Safe Harbor ..... 14-41
      • [A] : Safe Harbor Principles ..... 14-42
        • [A][1] : Notice ..... 14-43
        • [A][2] : Choice ..... 14-43
        • [A][3] : Onward Transfer ..... 14-44
        • [A][4] : Security ..... 14-44
        • [A][5] : Data Integrity ..... 14-44
        • [A][6] : Access ..... 14-44
        • [A][7] : Enforcement ..... 14-45
      • [B] : Self-Certification Process ..... 14-47
      • [C] : Safe Harbor Enforcement ..... 14-48
    • § 14:2.12 : Other Transfer Mechanisms ..... 14-50
      • [A] : Model Contractual Clauses ..... 14-50
        • [A][1] : Overview ..... 14-50
        • [A][2] : Model Contracts Governing Controller-Controller Relationships ..... 14-51
        • [A][3] : Model Contracts Governing Controller-Processor Relationships ..... 14-54
      • [B] : Binding Corporate Rules ..... 14-58
        • [B][1] : Overview ..... 14-58
        • [B][2] : Requirements ..... 14-59
        • [B][3] : Application Process ..... 14-62
        • [B][4] : Recent Developments ..... 14-63
      • [C] : The Role of Model Contracts and BCRs in Cloud Computing ..... 14-64
    • § 14:2.13 : Alternative Approach to Regulating Data Privacy—APEC Privacy Framework ..... 14-65
      • [A] : APEC Cross-Border Privacy Rules ..... 14-65
      • [B] : Comparison with the EU Data Privacy Model ..... 14-67
  • § 14:3 : Consumer Privacy ..... 14-68
    • § 14:3.1 : Cookies ..... 14-68
    • § 14:3.2 : Privacy Policies ..... 14-72
      • [A] : Purpose of Privacy Policies ..... 14-72
        • [A][1] : Obtaining Consent ..... 14-72
        • [A][2] : Complying with the Directive’s “Purpose Limitation” Requirement ..... 14-73
      • [B] : Content of Privacy Policies ..... 14-73
      • [C] : Necessary Provisions in a Privacy Policy ..... 14-74
      • [D] : Accessibility and Availability of Privacy Policies ..... 14-76
    • § 14:3.3 : Data Breach Requirements and Best Practices ..... 14-77
    • § 14:3.4 : Direct Marketing ..... 14-78
      • [A] : Direct Marketing by Email, SMS, MMS, Fax, and Automated Calling ..... 14-80
        • [A][1] : Notification of Purpose ..... 14-80
        • [A][2] : Prior “Opt-in” Consent ..... 14-80
        • [A][3] : Right to Opt Out ..... 14-82
      • [B] : Non-Automated (“Person to Person”) Telephone Marketing ..... 14-83
      • [C] : Postal Direct Marketing ..... 14-83
  • § 14:4 : Employee Privacy ..... 14-83
    • § 14:4.1 : Employee Notice Requirements ..... 14-83
    • § 14:4.2 : Monitoring of Employees ..... 14-84
    • § 14:4.3 : Social Media Policies and Blogging ..... 14-86
      • [A] : Limitations on Employer Monitoring of Social Media ..... 14-87
      • [B] : Global Laws Affecting Social Media ..... 14-88
        • [B][1] : Argentina ..... 14-88
        • [B][2] : Brazil ..... 14-89
        • [B][3] : Canada ..... 14-89
        • [B][4] : China ..... 14-89
        • [B][5] : France ..... 14-89
        • [B][6] : Germany ..... 14-90
        • [B][7] : Hong Kong ..... 14-90
        • [B][8] : India ..... 14-91
        • [B][9] : Ireland ..... 14-91
        • [B][10] : Italy ..... 14-91
        • [B][11] : Japan ..... 14-92
        • [B][12] : The Netherlands ..... 14-93
        • [B][13] : Spain ..... 14-93
        • [B][14] : United Kingdom ..... 14-93
    • § 14:4.4 : “Bring-Your-Own-Device” Policies ..... 14-94
    • § 14:4.5 : Diversity Initiatives ..... 14-95
    • § 14:4.6 : Investigations and Discovery ..... 14-97
    • § 14:4.7 : Background Screening ..... 14-98
    • § 14:4.8 : Company Intranet ..... 14-100
    • § 14:4.9 : Human Resource Information Systems ..... 14-101
  • § 14:5 : Country Summaries ..... 14-102
    • § 14:5.1 : Europe (European Union) ..... 14-102
      • [A] : Belgium ..... 14-102
        • [A][1] : Overview ..... 14-102
        • [A][2] : Personal Information ..... 14-102
        • [A][3] : Restrictions on Processing and Use ..... 14-103
        • [A][4] : Transfer and Disclosure ..... 14-104
        • [A][5] : Sensitive Data ..... 14-104
        • [A][6] : Enforcement ..... 14-104
      • [B] : France ..... 14-105
        • [B][1] : Overview ..... 14-105
        • [B][2] : Personal Data ..... 14-105
        • [B][3] : Restrictions on Processing and Use ..... 14-106
        • [B][4] : Sensitive Data ..... 14-108
        • [B][5] : Enforcement ..... 14-108
        • [B][6] : Recent Developments ..... 14-108
      • [C] : Germany ..... 14-109
        • [C][1] : Overview ..... 14-109
        • [C][2] : Personal Data ..... 14-109
        • [C][3] : Restrictions on Processing and Use ..... 14-109
        • [C][4] : Transfer and Disclosure ..... 14-110
        • [C][5] : Sensitive Data ..... 14-111
        • [C][6] : Enforcement ..... 14-112
        • [C][7] : Recent Developments ..... 14-113
      • [D] : Italy ..... 14-113
        • [D][1] : Overview ..... 14-113
        • [D][2] : Personal Data ..... 14-114
        • [D][3] : Restrictions on Processing and Use ..... 14-114
        • [D][4] : Transfer and Disclosure ..... 14-114
        • [D][5] : Sensitive Data ..... 14-115
        • [D][6] : Enforcement ..... 14-116
        • [D][7] : Recent Developments ..... 14-116
      • [E] : The Netherlands ..... 14-117
        • [E][1] : Overview ..... 14-117
        • [E][2] : Personal Data ..... 14-117
        • [E][3] : Restrictions on Processing and Use ..... 14-118
        • [E][4] : Transfer and Disclosure ..... 14-119
        • [E][5] : Sensitive Data ..... 14-120
        • [E][6] : Enforcement ..... 14-120
        • [E][7] : Recent Developments ..... 14-121
      • [F] : Poland ..... 14-122
        • [F][1] : Overview ..... 14-122
        • [F][2] : Personal Data ..... 14-123
        • [F][3] : Restrictions on Processing and Use ..... 14-123
        • [F][4] : Transfer and Disclosure ..... 14-123
        • [F][5] : Enforcement ..... 14-124
      • [G] : Spain ..... 14-124
        • [G][1] : Overview ..... 14-124
        • [G][2] : Personal Data ..... 14-125
        • [G][3] : Restrictions on Processing and Use ..... 14-125
        • [G][4] : Transfer and Disclosure ..... 14-125
        • [G][5] : Sensitive Data ..... 14-126
        • [G][6] : Enforcement ..... 14-126
      • [H] : United Kingdom ..... 14-127
        • [H][1] : Overview ..... 14-127
        • [H][2] : Personal Data ..... 14-128
        • [H][3] : Restrictions on Processing and Use ..... 14-128
        • [H][4] : Transfer and Disclosure ..... 14-129
        • [H][5] : Sensitive Data ..... 14-130
        • [H][6] : Enforcement ..... 14-131
    • § 14:5.2 : Europe (Non–European Union) ..... 14-132
      • [A] : Russian Federation ..... 14-132
        • [A][1] : Overview ..... 14-132
        • [A][2] : Personal Information ..... 14-133
        • [A][3] : Restrictions on Processing and Use ..... 14-133
        • [A][4] : Transfer and Disclosure ..... 14-134
        • [A][5] : Sensitive Data ..... 14-135
        • [A][6] : Enforcement ..... 14-135
        • [A][7] : Recent Developments ..... 14-136
      • [B] : Switzerland ..... 14-137
        • [B][1] : Overview ..... 14-137
        • [B][2] : Personal Information ..... 14-137
        • [B][3] : Restrictions on Processing and Use ..... 14-138
        • [B][4] : Transfer and Disclosure ..... 14-138
        • [B][5] : Sensitive Data ..... 14-140
        • [B][6] : Enforcement ..... 14-140
    • § 14:5.3 : Asia/Pacific ..... 14-142
      • [A] : Australia ..... 14-142
        • [A][1] : Overview ..... 14-142
        • [A][2] : Personal Data ..... 14-144
        • [A][3] : Restrictions on Processing and Use ..... 14-144
        • [A][4] : Sensitive Data ..... 14-146
        • [A][5] : Transfer and Disclosure ..... 14-146
        • [A][6] : Enforcement ..... 14-147
        • [A][7] : Recent Developments ..... 14-148
      • [B] : China (People’s Republic of China) ..... 14-149
        • [B][1] : Overview ..... 14-149
        • [B][2] : Personal Information ..... 14-150
        • [B][3] : Disclosure and Use ..... 14-150
        • [B][4] : Transfer and Disclosure ..... 14-151
        • [B][5] : Enforcement ..... 14-151
        • [B][6] : Recent Developments ..... 14-152
      • [C] : Hong Kong ..... 14-153
        • [C][1] : Overview ..... 14-153
        • [C][2] : Personal Data ..... 14-154
        • [C][3] : Restrictions on Processing and Use ..... 14-154
        • [C][4] : Transfer and Disclosure ..... 14-154
        • [C][5] : Enforcement ..... 14-155
        • [C][6] : Recent Developments ..... 14-155
      • [D] : India ..... 14-156
        • [D][1] : Overview ..... 14-156
        • [D][2] : Personal and Sensitive Data ..... 14-157
        • [D][3] : Restrictions on Processing and Use ..... 14-158
        • [D][4] : Transfer and Disclosure ..... 14-159
        • [D][5] : Enforcement ..... 14-159
        • [D][6] : Recent Developments ..... 14-160
      • [E] : Japan ..... 14-160
        • [E][1] : Overview ..... 14-160
        • [E][2] : Personal Information ..... 14-161
        • [E][3] : Restrictions on Processing and Use ..... 14-161
        • [E][4] : Transfer and Disclosure ..... 14-161
        • [E][5] : Sensitive Data ..... 14-162
        • [E][6] : Enforcement ..... 14-162
      • [F] : Malaysia ..... 14-162
        • [F][1] : Overview ..... 14-162
        • [F][2] : Personal Information ..... 14-163
        • [F][3] : Restrictions on Processing and Use ..... 14-163
        • [F][4] : Transfer and Disclosure ..... 14-167
        • [F][5] : Sensitive Personal Data ..... 14-167
        • [F][6] : Enforcement ..... 14-169
      • [G] : Philippines ..... 14-170
        • [G][1] : Overview ..... 14-170
        • [G][2] : Personal Information ..... 14-170
        • [G][3] : Restrictions on Processing and Use ..... 14-171
        • [G][4] : Transfer and Disclosure ..... 14-172
        • [G][5] : Sensitive Data ..... 14-173
        • [G][6] : Enforcement ..... 14-174
      • [H] : Singapore ..... 14-175
        • [H][1] : Overview ..... 14-175
        • [H][2] : Personal Information ..... 14-175
        • [H][3] : Restrictions on Processing and Use ..... 14-175
        • [H][4] : Transfer and Disclosure ..... 14-176
        • [H][5] : Sensitive Data ..... 14-176
        • [H][6] : Enforcement ..... 14-177
      • [I] : South Korea ..... 14-177
        • [I][1] : Overview ..... 14-177
        • [I][2] : Personal Information ..... 14-178
        • [I][3] : Restrictions on Processing and Use ..... 14-178
        • [I][4] : Transfer and Disclosure ..... 14-180
        • [I][5] : Sensitive Data ..... 14-181
        • [I][6] : Enforcement ..... 14-181
      • [J] : Taiwan ..... 14-182
        • [J][1] : Overview ..... 14-182
        • [J][2] : Personal Information ..... 14-182
        • [J][3] : Restrictions on Processing and Use ..... 14-183
        • [J][4] : Transfer and Disclosure ..... 14-184
        • [J][5] : Sensitive Data ..... 14-185
        • [J][6] : Enforcement ..... 14-185
      • [K] : Thailand ..... 14-187
      • [L] : Vietnam ..... 14-187
        • [L][1] : Overview ..... 14-187
        • [L][2] : Personal Information ..... 14-189
        • [L][3] : Restrictions on Processing and Use ..... 14-189
        • [L][4] : Transfer and Disclosure ..... 14-189
        • [L][5] : Sensitive Data ..... 14-189
        • [L][6] : Enforcement ..... 14-189
    • § 14:5.4 : Latin America ..... 14-191
      • [A] : Argentina ..... 14-191
        • [A][1] : Overview ..... 14-191
        • [A][2] : Personal Data ..... 14-192
        • [A][3] : Restrictions on Processing and Use ..... 14-192
        • [A][4] : Transfer and Disclosure ..... 14-193
        • [A][5] : Sensitive Data ..... 14-194
        • [A][6] : Enforcement ..... 14-194
      • [B] : Brazil ..... 14-195
        • [B][1] : Overview ..... 14-195
        • [B][2] : Personal Data ..... 14-196
        • [B][3] : Enforcement ..... 14-196
        • [B][4] : Recent Developments ..... 14-197
      • [C] : Mexico ..... 14-197
        • [C][1] : Overview ..... 14-197
        • [C][2] : Personal Data ..... 14-197
        • [C][3] : Restrictions on Processing and Use ..... 14-198
        • [C][4] : Transfer and Disclosure ..... 14-198
        • [C][5] : Sensitive Data ..... 14-198
        • [C][6] : Enforcement ..... 14-199
    • § 14:5.5 : Africa and the Middle East ..... 14-200
      • [A] : Ghana ..... 14-200
        • [A][1] : Overview ..... 14-200
        • [A][2] : Personal Data ..... 14-200
        • [A][3] : Restrictions on Processing and Use ..... 14-201
        • [A][4] : Transfer and Disclosure ..... 14-202
        • [A][5] : Sensitive Data ..... 14-202
        • [A][6] : Enforcement ..... 14-204
      • [B] : Israel ..... 14-205
        • [B][1] : Overview ..... 14-205
        • [B][2] : Personal and Sensitive Data ..... 14-206
        • [B][3] : Restrictions on Processing and Use ..... 14-206
        • [B][4] : Transfer and Disclosure ..... 14-207
        • [B][5] : Enforcement ..... 14-209
        • [B][6] : Recent Developments ..... 14-209
      • [C] : Nigeria14-211
        • [C][1] : Overview14-211
        • [C][2] : Personal Information14-212
        • [C][3] : Restrictions on Processing and Use14-213
        • [C][4] : Transfer and Disclosure14-214
        • [C][5] : Sensitive Data14-214
        • [C][6] : Enforcement14-215
      • [D] : South Africa14-215
        • [D][1] : Overview14-215
        • [D][2] : Personal Information14-216
        • [D][3] : Restrictions on Processing and Use14-216
        • [D][4] : Transfer and Disclosure14-218
        • [D][5] : Sensitive Data14-219
        • [D][6] : Enforcement14-220
      • [E] : United Arab Emirates14-221
        • [E][1] : Overview14-221
          • [E][1][a] : UAE14-222
          • [E][1][b] : DIFC14-222
        • [E][2] : Personal Information14-223
          • [E][2][a] : UAE14-223
          • [E][2][b] : DIFC14-223
        • [E][3] : Restrictions on Processing and Use14-223
          • [E][3][a] : UAE14-223
          • [E][3][b] : DIFC14-224
        • [E][4] : Transfer and Disclosure14-224
          • [E][4][a] : UAE14-224
          • [E][4][b] : DIFC14-224
        • [E][5] : Sensitive Data14-225
          • [E][5][a] : UAE14-225
          • [E][5][b] : DIFC14-225
        • [E][6] : Enforcement14-225
          • [E][6][a] : UAE14-225
          • [E][6][b] : DIFC14-226
  • Appendix 14A : The EU Data Privacy DirectiveApp. 14A-1
  • Appendix 14B : Controller-to-Controller Model ContractApp. 14B-1
  • Appendix 14C : Alternative Controller-to-Controller Model ContractApp. 14C-1
  • Appendix 14D : Controller-to-Processor Model ContractApp. 14D-1
  • Appendix 14E : Working Document Establishing a Model Checklist Application for Approval of Binding Corporate RulesApp. 14E-1
Chapter 15: Compliance with the Payment Card Industry Data Security Standard
  • § 15:1 : Introduction15-2
  • § 15:2 : Background15-5
    • § 15:2.1 : Industry Background15-5
    • § 15:2.2 : Federal Consumer Protection Laws15-8
    • § 15:2.3 : Data Security Regulations15-9
      • [A] : Federal Regulation15-10
      • [B] : State Regulation15-12
  • § 15:3 : Development of the Payment Card Industry Data Security Standard15-13
  • § 15:4 : PCI Requirements15-19
    • § 15:4.1 : The Basic Requirements15-19
  • § Figure 15-1 : Payment Card Industry Data Security Standard15-20
    • § 15:4.2 : Protecting Stored Data15-24
  • § Figure 15-2 : PCI Requirement 3: Protect Stored Cardholder Data15-24
    • § 15:4.3 : Encrypt Transmission of Cardholder Data Across Open, Public Networks15-28
  • § Figure 15-3 : Requirement 4: Encrypt Transmitted Data15-30
    • § 15:4.4 : Compensating Controls15-30
    • § 15:4.5 : Payment Applications15-31
  • § 15:5 : Validation15-33
    • § 15:5.1 : Merchant Levels15-34
  • § Figure 15-4 : Merchant Levels (Visa CISP)15-35
    • § 15:5.2 : Service Provider Levels15-36
  • § Figure 15-5 : Service Provider Levels (Visa CISP)15-37
    • § 15:5.3 : Merchant Validation Requirements15-37
  • § Figure 15-6 : Merchant Levels and Validation Requirements (Visa CISP)15-38
    • § 15:5.4 : Service Provider Validation Requirements15-39
  • § Figure 15-7 : Service Provider Levels and Validation Requirements (Visa CISP)15-40
    • § 15:1.5 : Corporate Franchise Servicers15-40
  • § 15:1 : After a Compromise15-42
    • § 15:1.1 : Background15-42
    • § 15:1.2 : Initial Steps15-44
    • § 15:1.3 : Monitoring At-Risk Accounts15-45
    • § 15:1.4 : Notification to Issuing Financial Institutions15-46
  • § 15:2 : Enforcement15-48
    • § 15:2.1 : General15-48
    • § 15:2.2 : Recent Enforcement Efforts15-49
    • § 15:2.3 : CardSystems Solutions15-51
    • § 15:2.4 : Other Significant Data Breaches15-53
  • § 15:3 : Continued Development of Cardholder Data Protection15-54
    • § 15:3.1 : Increasing Global Compliance15-55
    • § 15:3.2 : Chip and PIN Security15-56
    • § 15:3.3 : Tokenization15-58
    • § 15:3.4 : Point-to-Point Encryption15-59
    • § 15:3.5 : Mobile Payments15-60
    • § 15:3.6 : Cloud Computing15-61
    • § 15:3.7 : E-Commerce15-63
    • § 15:3.8 : Risk Assessments15-64
Chapter 16: Insurance Coverage for Data Breaches and Unauthorized Privacy Disclosures
  • § 16:1 : Overview16-2
  • § 16:2 : Applicability of Historic Coverages16-6
    • § 16:2.1 : First- and Third-Party Coverages for Property Loss16-6
      • [A] : First-Party Property Policies16-7
      • [B] : Third-Party CGL Policies: Coverage for Property Damage Claims16-9
    • § 16:2.2 : CGL Coverage for Personal and Advertising Injury Claims16-11
      • [A] : Publication Requirement16-13
      • [B] : Right to Privacy As an Enumerated Offense16-15
    • § 16:2.3 : Other Coverages16-20
      • [A] : Directors and Officers Liability Insurance16-21
      • [B] : Errors and Omission Policies16-22
      • [C] : Crime Policies16-23
  • § 16:3 : Modern Cyber Policies16-23
    • § 16:3.1 : Key Concepts in Cyber Coverage16-24
      • [A] : Named Peril16-24
      • [B] : Claims Made16-25
    • § 16:3.2 : Issues of Concern in Evaluating Cyber Risk Policies16-27
      • [A] : What Is Covered?16-27
      • [B] : Confidential Information, Privacy Breach, and Other Key Definitions16-28
      • [C] : Overlap with Existing Coverage16-28
      • [D] : Limits and Deductibles16-29
      • [E] : Notice Requirements16-30
      • [F] : Coverage for Regulatory Investigations or Actions16-31
      • [G] : Definition of Loss16-34
      • [H] : Who Controls Defense and Settlement16-37
      • [I] : Control of Public Relations Professionals16-41
      • [J] : Issues Created by Policyholder Employees16-41
      • [K] : Coverage of a Threatened Security Breach16-44
      • [L] : Governmental Activity Exclusion16-44
      • [M] : Other Exclusions16-45
    • § 16:3.3 : SEC Disclosure and Other Regulatory Initiatives16-46
Chapter 17: Location Privacy: Technology and the Law
  • § 17:1 : Introduction17-2
  • § 17:2 : Development and Uses of Location-Tracking Technologies17-2
    • § 17:2.1 : Overview17-2
    • § 17:2.2 : Global Positioning Systems17-4
    • § 17:2.3 : Cell Site Location Information17-6
    • § 17:2.4 : Indoor Positioning Systems17-9
      • [A] : Radio Frequency Identification17-9
      • [B] : Other IPS Technologies17-10
    • § 17:2.5 : Vehicle Tracking17-11
    • § 17:2.6 : Unmanned Drones17-12
  • § 17:3 : Government Collection of Location Information17-12
    • § 17:3.1 : Location Privacy Under the Fourth Amendment17-13
    • § 17:3.2 : Government Requests for CSLI17-16
      • [A] : Federal Statutes17-16
      • [B] : Case Law17-18
      • [C] : State Laws17-23
  • § 17:4 : Private Collection and Use of Location Information17-24
    • § 17:4.1 : GPS Tracking17-24
    • § 17:4.2 : Mobile Devices and Applications17-27
    • § 17:4.3 : Other Location Technologies17-33
      • [A] : Radio Frequency Identification17-33
      • [B] : Vehicle Tracking17-34
  • § 17:5 : Legislative Outlook17-34
    • § 17:5.1 : Federal Proposals17-34
    • § 17:5.2 : State Legislation17-36
  Index
”This is a timely, much-needed book that will be invaluable to practitioners approaching privacy from a wide spectrum of specialties.” 
John W. Kropf, Deputy Chief Privacy Officer, Department of Homeland Security