Treatise

Proskauer on Privacy: A Guide to Privacy and Data Security Law in the Information Age

by Proskauer Rose LLP, Kristen J. Mathews

Copyright: 2006-2013
Last Updated: September 2013


Product Details

  • ISBN Number: 9781402408048
  • Page Count: 568
  • Number of Volumes: 1
  • The purchase of PLI titles may include Basic Upkeep Service, whereby supplements, replacement pages and new editions may be shipped to you immediately upon publication for a 30-day examination. This service is cancelable at any time.

“Resources such as Proskauer on Privacy are invaluable reference tools for the growing ranks of privacy professionals in the marketplace.”
—J. Trevor Hughes, Executive Director, International Association of Privacy Professionals

“A must-have for every professional who has a serious interest in this field, as well as for the newbie who wants to learn the ‘ins and outs’ of privacy from a legal perspective.”
—Doron Rotman, Managing Director, National Privacy Service Leader Advisory, KPMG LLP

Today’s hodgepodge of privacy and data security standards creates growing compliance burdens for corporations, employers, public agencies, and legal advisers.

PLI’s Proskauer on Privacy: A Guide to Privacy and Data Security Law in the Information Age reduces those costly burdens. This comprehensive, one-stop reference covers the laws governing every area where data privacy and security are potentially at risk — including government records, electronic surveillance, the workplace, medical data, financial information, commercial transactions, and online activity, including communications involving children.

Proskauer on Privacy provides essential details on how to develop compliance programs that help your entity satisfy federal and state standards, ensure data privacy and security, prevent cybercrime, and avoid fines, penalties, litigation, damages, and negative publicity. Proskauer on Privacy also examines Europe’s rigorous privacy and data security standards; the laws of Canada, Australia, Japan, China, Hong Kong, India, Russia, and Dubai; and legal initiatives in California and other states.

Updated at least once a year, Proskauer on Privacy: A Guide to Privacy and Data Security Law in the Information Age is vital reading for privacy and data security professionals and corporate attorneys, executives, managers, and human resource personnel, as well as for federal and state regulators.

  Preface
  Introduction
  Table of Contents
Chapter 1: A Brief History of Information Privacy Law (Daniel J. Solove)
  • § 1:1 : Introduction, p. 1-3
  • § 1:2 : Colonial America, p. 1-4
  • § 1:3 : The Nineteenth Century, p. 1-6
    • § 1:3.1 : New Threats to Privacy, p. 1-6
      • [A] : The Census and Government Records, p. 1-6
      • [B] : The Mail, p. 1-6
      • [C] : Telegraph Communications, p. 1-7
    • § 1:3.2 : The Fourth and Fifth Amendments, p. 1-9
    • § 1:3.3 : Privacy of the Body, p. 1-9
    • § 1:3.4 : Warren and Brandeis’s The Right to Privacy, p. 1-10
  • § 1:4 : The Twentieth Century, p. 1-12
    • § 1:4.1 : 1900 to 1960, p. 1-12
      • [A] : Warren and Brandeis’s Privacy Torts, p. 1-12
        • [A][1] : Early Recognition, p. 1-12
        • [A][2] : William Prosser and the Restatement, p. 1-14
          • [A][2][a] : Intrusion upon Seclusion, p. 1-14
          • [A][2][b] : Public Disclosure of Private Facts, p. 1-15
          • [A][2][c] : False Light, p. 1-16
          • [A][2][d] : Appropriation, p. 1-16
      • [B] : The Emergence of the Breach of Confidentiality Tort, p. 1-17
      • [C] : The Growth of Government Record Systems, p. 1-18
      • [D] : The Telephone and Wiretapping, p. 1-18
        • [D][1] : The Fourth Amendment: Olmstead v. United States, p. 1-18
        • [D][2] : Federal Communications Act Section 605, p. 1-19
      • [E] : The FBI and Increasing Domestic Surveillance, p. 1-20
      • [F] : Freedom of Association and the McCarthy Era, p. 1-21
    • § 1:4.2 : The 1960s and 1970s, p. 1-22
      • [A] : New Limits on Government Surveillance, p. 1-22
        • [A][1] : Fourth Amendment Resurgence: Katz v. United States, p. 1-22
        • [A][2] : Title III of the Omnibus Crime and Control Act of 1968, p. 1-23
      • [B] : The Constitutional Right to Privacy, p. 1-23
        • [B][1] : Decisional Privacy: Griswold v. Connecticut, p. 1-23
        • [B][2] : Information Privacy: Whalen v. Roe, p. 1-23
      • [C] : Responses to the Rise of the Computer, p. 1-24
        • [C][1] : Burgeoning Interest in Privacy, p. 1-24
        • [C][2] : Freedom of Information Act of 1966, p. 1-24
        • [C][3] : Fair Information Practices, p. 1-25
        • [C][4] : Privacy Act of 1974, p. 1-26
        • [C][5] : Family Educational Rights and Privacy Act of 1974, p. 1-27
        • [C][6] : Foreign Intelligence Surveillance Act of 1978, p. 1-27
      • [D] : Financial Privacy, p. 1-28
        • [D][1] : Fair Credit Reporting Act of 1970, p. 1-28
        • [D][2] : Bank Secrecy Act of 1970, p. 1-29
        • [D][3] : United States v. Miller, p. 1-29
        • [D][4] : Right to Financial Privacy Act of 1978, p. 1-30
      • [E] : The Retreat from Boyd, p. 1-30
      • [F] : The Narrowing of the Fourth Amendment, p. 1-31
    • § 1:4.3 : The 1980s, p. 1-32
      • [A] : Receding Fourth Amendment Protection, p. 1-32
      • [B] : The Growth of Federal Privacy Statutory Protection, p. 1-33
        • [B][1] : Privacy Protection Act of 1980, p. 1-33
        • [B][2] : Cable Communications Policy Act of 1984, p. 1-33
        • [B][3] : Computer Matching and Privacy Protection Act of 1988, p. 1-33
        • [B][4] : Employee Polygraph Protection Act of 1988, p. 1-34
        • [B][5] : Video Privacy Protection Act of 1988, p. 1-34
      • [C] : Electronic Communications Privacy Act of 1986, p. 1-34
      • [D] : OECD Guidelines and International Privacy, p. 1-35
    • § 1:4.4 : The 1990s, p. 1-36
      • [A] : The Internet, Computer Databases, and Privacy, p. 1-36
      • [B] : The Continued Growth of Federal Statutory Protection, p. 1-36
        • [B][1] : Telephone Consumer Protection Act of 1991, p. 1-36
        • [B][2] : Driver’s Privacy Protection Act of 1994, p. 1-37
        • [B][3] : Health Insurance Portability and Accountability Act of 1996, p. 1-37
        • [B][4] : Children’s Online Privacy Protection Act of 1998, p. 1-38
        • [B][5] : The Gramm-Leach-Bliley Act of 1999, p. 1-39
      • [C] : The FTC and Privacy Policies, p. 1-39
      • [D] : The EU Data Protection Directive, p. 1-39
  • § 1:5 : The Twenty-First Century, p. 1-41
    • § 1:5.1 : After September 11: Privacy in a World of Terror, p. 1-41
      • [A] : The USA PATRIOT Act of 2001, p. 1-41
      • [B] : The FISA “Wall”, p. 1-41
      • [C] : The Homeland Security Act of 2002, p. 1-42
      • [D] : The Intelligence Reform and Terrorism Prevention Act of 2004, p. 1-42
      • [E] : The Real ID Act of 2005, p. 1-43
      • [F] : NSA Warrantless Surveillance, p. 1-43
    • § 1:5.2 : Consumer Privacy, p. 1-43
      • [A] : The Fair and Accurate Credit Transactions Act of 2003, p. 1-43
      • [B] : The National Do-Not-Call Registry, p. 1-44
      • [C] : The CAN-SPAM Act of 2003, p. 1-44
      • [D] : Remsburg v. Docusearch, p. 1-44
      • [E] : Privacy Policies and Contract Law, p. 1-44
      • [F] : Data Security Breaches, p. 1-45
  • § 1:6 : Conclusion, p. 1-46
Chapter 2: Financial Privacy Law; and Appendices 2A-2B (Kristen J. Mathews, Christopher Wolf)
  • § 2:1 : Summary and Introduction, p. 2-4
    • § 2:1.1 : Evolution of Financial Privacy Law Parallels Developments in Computing, p. 2-4
  • § 2:2 : Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act, p. 2-5
    • § 2:2.1 : Purpose and Background of the Fair Credit Reporting Act, p. 2-5
    • § 2:2.2 : Coverage Under the FCRA, p. 2-6
      • [A] : Definition of “Consumer” Under the FCRA, p. 2-6
      • [B] : Definition of “Consumer Report” Under the FCRA, p. 2-7
      • [C] : Definition of “Consumer Reporting Agency” Under the FCRA, p. 2-10
    • § 2:2.3 : Permissible Use and Disclosure of Consumer Reports: The Obligation to Protect Against Unauthorized Access or Use of Consumer Information, p. 2-13
    • § 2:2.4 : General Procedural Requirements for CRAs Under the FCRA, p. 2-15
    • § 2:2.5 : Procedural Requirements for CRAs When Preparing and Issuing Consumer Reports for Employment Purposes, p. 2-17
    • § 2:2.6 : Notice and Disclosure Requirements for CRAs Under the FCRA, p. 2-18
    • § 2:2.7 : Unique Obligations with Respect to Investigative Consumer Reports, p. 2-18
    • § 2:2.8 : Obligations for Users of Consumer Reports Under the FCRA, p. 2-20
    • § 2:2.9 : Obligations for Resellers of Consumer Reports Under the FCRA, p. 2-22
    • § 2:2.10 : Consumer Rights Under the FCRA to Dispute Information Contained in Consumer Reports, p. 2-23
    • § 2:2.11 : Security Requirements of the FCRA Pertaining to Consumer Fraud and Identity Theft, p. 2-24
    • § 2:2.12 : Affiliate Marketing Limits Under FACTA, p. 2-30
      • [A] : Opt-Out Requirements, p. 2-31
      • [B] : Exceptions, p. 2-32
      • [C] : Delivery of Opt-Out Notices, p. 2-33
      • [D] : Reasonable Opportunity and Means to Opt Out, p. 2-34
      • [E] : Duration of Opt-Out, p. 2-34
      • [F] : Model Forms and Safe Harbor, p. 2-34
    • § 2:2.13 : FACTA’s Identity Theft Red Flags and Notices of Address Discrepancy Rules, p. 2-35
      • [A] : Identity Theft Red Flags, p. 2-35
      • [B] : Scope of the Red Flag Rules, p. 2-37
      • [C] : Examples of Red Flags, p. 2-38
      • [D] : Change of Address Requests, p. 2-40
      • [E] : Address Discrepancy Notices, p. 2-41
    • § 2:2.14 : Preemption of State Law by the FCRA, p. 2-42
    • § 2:2.15 : Penalties for Violations of or Noncompliance with the FCRA, p. 2-45
  • § 2:3 : Right to Financial Privacy Act, p. 2-46
    • § 2:3.1 : Purpose and History of the Right to Financial Privacy Act, p. 2-46
    • § 2:3.2 : Procedural Operation of the RFPA, p. 2-47
    • § 2:3.3 : Substantive Aspects of the RFPA, p. 2-49
    • § 2:3.4 : Interplay with State Statutes, p. 2-51
  • § 2:4 : Gramm-Leach-Bliley Act, p. 2-52
    • § 2:4.1 : Purpose and History of the Gramm-Leach-Bliley Act, p. 2-52
    • § 2:4.2 : Internal Procedures and Systems to Ensure Confidentiality of Information, p. 2-53
    • § 2:4.3 : Financial Institution’s Notice Obligations, p. 2-59
    • § 2:4.4 : Required Substance of Notice, p. 2-63
      • [A] : Parties Who Must Serve Customers with Notice, p. 2-65
    • § 2:4.5 : Limitations on Disclosure, p. 2-65
      • [A] : Customer Must Opt Out of Third-Party Disclosures, p. 2-65
      • [B] : Exceptions to Opt-Out Requirement, p. 2-66
    • § 2:4.6 : Enforcement of the GLBA’s Privacy Provisions, p. 2-67
    • § 2:4.7 : GLBA’s Relationship to Other Laws, p. 2-68
      • [A] : GLBA Does Not Preempt State Laws, p. 2-68
      • [B] : GLBA’s Relationship with Other Federal Privacy Statutes, p. 2-70
  • § 2:5 : Wall Street Reform and Consumer Protection Act, p. 2-71
    • § 2:5.1 : Purpose and Background of Wall Street Reform and Consumer Protection Act, p. 2-71
    • § 2:5.2 : Scope of CFPB Authority, p. 2-71
    • § 2:5.3 : Powers and Duties of the CFPB, p. 2-74
      • [A] : Rulemaking Authority, p. 2-74
      • [B] : Evaluation of Existing Standards, p. 2-74
      • [C] : Regulation of Unfair, Deceptive, and Abusive Acts or Practices, p. 2-74
      • [D] : Examination of Financial Industry Participants, p. 2-75
    • § 2:5.4 : Enforcement Authority of the CFPB, p. 2-76
  • § 2:6 : Bank Secrecy Act, p. 2-77
    • § 2:6.1 : Purpose and Background of the Bank Secrecy Act, p. 2-77
    • § 2:6.2 : BSA Requirements, p. 2-78
      • [A] : Record Creation, Storage, and Access, p. 2-78
      • [B] : Reports of Suspicious Transactions, p. 2-79
  • § 2:7 : Freedom of Information Act, p. 2-81
    • § 2:7.1 : Background and Overview of FOIA, p. 2-81
    • § 2:7.2 : Procedural Aspects of FOIA, p. 2-82
    • § 2:7.3 : Protection of Financial Information, p. 2-83
      • [A] : Trade Secrets and Commercial or Financial Information, p. 2-84
      • [B] : Files Whose Disclosure Would Constitute Unwarranted Invasion of Privacy, p. 2-86
      • [C] : Regulation or Supervision of Financial Institutions, p. 2-88
  • § 2:8 : Electronic Fund Transfers Act, p. 2-88
    • § 2:8.1 : Scope and Application, p. 2-88
    • § 2:8.2 : Disclosure Requirements Under EFTA and the Act’s Implementing Regulations, p. 2-89
    • § 2:8.3 : Additional EFTA Requirements Relating to Pre-Authorized Fund Transfers, p. 2-90
  • § 2:9 : Sarbanes-Oxley Act, p. 2-91
  • § 2:10 : State Laws Governing Financial Privacy, p. 2-92
    • § 2:10.1 : Introduction, p. 2-92
    • § 2:10.2 : State Constitutional Provisions Protecting Financial Privacy, p. 2-92
    • § 2:10.3 : Statutory Provisions Protecting Financial Privacy Under State Law, p. 2-93
      • [A] : Statutes Specifically Addressing Financial Privacy, p. 2-95
      • [B] : General Privacy Statutes Implicating Financial Privacy, p. 2-95
      • [C] : Statutes Restricting Access to Employee Credit Reports, p. 2-96
      • [D] : State Security Breach Notification Laws, p. 2-98
      • [E] : State Laws Implicating Information Security, p. 2-99
      • [F] : State Laws Protecting Against Financial Fraud and Identity Theft, p. 2-100
    • § 2:10.4 : Common Law Theories Asserted with Regard to Financial Privacy, p. 2-100
      • [A] : Implied Contract, p. 2-101
      • [B] : General Negligence, p. 2-101
      • [C] : Invasion of Privacy, p. 2-100
      • [D] : Defamation, p. 2-100
  • Appendix 2A : Model Form with No Opt-Out, p. App. 2A-1
  • Appendix 2B : Model Form with All Opt-Out, p. App. 2B-1
Chapter 3: Medical Privacy
  • § 3:1 : Introduction, p. 3-3
  • § 3:2 : HIPAA Administrative Simplification, p. 3-4
    • § 3:2.1 : Definitions, p. 3-4
    • § 3:2.2 : Recent Developments, p. 3-5
      • [A] : The Omnibus Rule, p. 3-5
        • [A][1] : Extension of HHS Enforcement Authority over Business Associates, p. 3-6
        • [A][2] : Expansion of the Definition of “Business Associate”, p. 3-7
        • [A][3] : New Requirements Related to Business Associate Subcontractors, p. 3-8
        • [A][4] : Expanded Liability of Covered Entities and Business Associates for Acts of Their Agents, p. 3-8
        • [A][5] : Tougher Breach-Reporting Standard Adopted, p. 3-9
        • [A][6] : New Requirements for Notices of Privacy Practices, p. 3-11
        • [A][7] : Limitations on the Sale of PHI, p. 3-12
        • [A][8] : Limitation on the Use of PHI for Paid Marketing, p. 3-12
        • [A][9] : Relaxation of Restrictions on the Use of PHI for Fundraising, p. 3-13
        • [A][10] : Improvements to Requirements for Authorizations Related to Research, p. 3-14
        • [A][11] : Additional Modifications to HIPAA, p. 3-14
    • § 3:2.3 : Definitions, p. 3-15
    • § 3:2.4 : HIPAA Privacy: Basic Rules, p. 3-17
    • § 3:2.5 : HIPAA Security: Basic Rules, p. 3-17
    • § 3:2.6 : Business Associates, p. 3-17
    • § 3:2.7 : HIPAA Security Breach Notification, p. 3-20
    • § 3:2.8 : Sanctions for Violations of Privacy and Security Rules, p. 3-21
  • § 3:3 : State Law and HIPAA Privacy Preemption, p. 3-26
  • § 3:4 : Heightened Protection for Specialized Types of Medical Information, p. 3-27
    • § 3:4.1 : Communicable Diseases, p. 3-27
      • [A] : HIV/AIDS, p. 3-27
      • [B] : Confidentiality and Disclosure of HIV Test Results, p. 3-28
    • § 3:4.2 : Authorized Disclosure, p. 3-29
    • § 3:4.3 : Remedies for Breach of Confidentiality, p. 3-30
    • § 3:4.4 : Sexually Transmitted Disease, p. 3-33
    • § 3:4.5 : Tuberculosis, p. 3-35
    • § 3:4.6 : Genetic Information, p. 3-37
      • [A] : Genetic Discrimination, p. 3-37
      • [B] : DNA Sampling by Law Enforcement, p. 3-38
  • § 3:5 : Privacy of Substance Abuse Records, p. 3-39
    • § 3:5.1 : Introduction, p. 3-39
    • § 3:5.2 : Scope of Applicability, p. 3-40
    • § 3:5.3 : Exceptions to Substance Abuse Confidentiality Laws, p. 3-42
    • § 3:5.4 : Other Exceptions Permitting Information Release, p. 3-42
      • [A] : Release with Patient’s Consent, p. 3-43
      • [B] : Voluntary Disclosure to the Criminal Justice System, p. 3-43
      • [C] : Release Without a Patient’s Consent, p. 3-44
      • [D] : Releases Authorized by a Court Order, p. 3-44
      • [E] : Request for Records in a Criminal Proceeding, p. 3-45
        • [E][1] : Confidential Information, p. 3-46
    • § 3:5.5 : Conclusion, p. 3-48
  • § 3:6 : Medical Privacy at Common Law, p. 3-48
    • § 3:6.1 : Actions Arising Out of the Disclosure of Confidential Medical Information, p. 3-49
      • [A] : Theory of Recovery, p. 3-49
      • [B] : Exceptions to Liability, p. 3-50
    • § 3:6.2 : The Duty to Warn, p. 3-52
  • § 3:7 : Privilege, p. 3-54
    • § 3:7.1 : State Law, p. 3-55
      • [A] : Physician-Patient Privilege, p. 3-55
        • [A][1] : Majority of States Have Enacted Privilege by Statute, p. 3-55
        • [A][2] : Scope of the Privilege, p. 3-55
          • [A][2][a] : Types of Providers Covered, p. 3-55
          • [A][2][b] : Subject Matter of the Privilege, p. 3-56
          • [A][2][c] : Who May Assert the Privilege, p. 3-56
          • [A][2][d] : Waiver, p. 3-57
          • [A][2][e] : Exceptions/Exemptions, p. 3-57
      • [B] : Psychotherapist-Patient Privilege, p. 3-58
        • [B][1] : Every State Has Enacted Privilege by Statute, p. 3-58
        • [B][2] : Scope of the Privilege, p. 3-59
          • [B][2][a] : Types of Providers Covered, p. 3-59
          • [B][2][b] : Subject Matter of the Privilege, p. 3-59
          • [B][2][c] : Who May Assert the Privilege, p. 3-59
          • [B][2][d] : Waiver, p. 3-60
          • [B][2][e] : Exceptions/Exemptions, p. 3-60
    • § 3:7.2 : Federal Law, p. 3-61
      • [A] : Psychiatrist-Patient Privilege, p. 3-62
        • [A][1] : Rule, p. 3-62
        • [A][2] : Waiver, p. 3-62
        • [A][3] : Exceptions, p. 3-63
          • [A][3][a] : The Dangerous-Patient Exception, p. 3-63
          • [A][3][b] : The Crime-Fraud Exception, p. 3-63
          • [A][3][c] : Other Exceptions, p. 3-64
      • [B] : Physician-Patient Privilege, p. 3-64
      • [C] : Diversity and Supplemental Jurisdiction, p. 3-65
        • [C][1] : Diversity Jurisdiction, p. 3-65
        • [C][2] : Supplemental Jurisdiction, p. 3-65
  • § 3:8 : Employers and Medical Privacy, p. 3-66
    • § 3:8.1 : Americans with Disabilities Act, p. 3-66
    • § 3:8.2 : HIPAA and Employer-Sponsored Health Plans, p. 3-68
      • [A] : Overview of HIPAA Privacy Rules and Applicability to Health Plans, p. 3-69
      • [B] : Sharing Information with Plan Sponsors Under HIPAA, p. 3-70
Chapter 4: Federal Trade Commission Enforcement of Privacy (Marcia Hofmann)
  • § 4:1 : FTC Privacy Enforcement Authority Under the Federal Trade Commission Act and Other Laws, p. 4-2
    • § 4:1.1 : Introduction and Overview, p. 4-2
    • § 4:1.2 : Primary Enforcement Authority: The Federal Trade Commission Act, p. 4-3
      • [A] : Unfairness, p. 4-3
        • [A][1] : Injury to Consumers, p. 4-4
        • [A][2] : Violation of Established Public Policy, p. 4-5
        • [A][3] : Unethical or Unscrupulous Conduct, p. 4-5
      • [B] : Deception, p. 4-6
        • [B][1] : Representation, Omission or Practice Likely to Mislead, p. 4-6
        • [B][2] : Perspective of a Reasonable Consumer in the Circumstances, p. 4-6
        • [B][3] : Materiality of Representation, Omission or Practice, p. 4-7
    • § 4:1.3 : Other Privacy Enforcement Authorities, p. 4-7
      • [A] : Children’s Online Privacy Protection Act, p. 4-8
      • [B] : Gramm-Leach-Bliley Act, p. 4-9
        • [B][1] : Pretexting, p. 4-10
        • [B][2] : Financial Privacy Rule, p. 4-10
        • [B][3] : Safeguards Rule, p. 4-11
      • [C] : Telemarketing and Consumer Fraud Abuse and Prevention Act, p. 4-11
      • [D] : Fair Credit Reporting Act, p. 4-12
  • § 4:2 : FTC Enforcement Practice, p. 4-13
    • § 4:2.1 : Overview, p. 4-13
    • § 4:2.2 : Investigation, p. 4-13
    • § 4:2.3 : Initiation of Enforcement Action, p. 4-14
      • [A] : Administrative Enforcement, p. 4-14
      • [B] : Judicial Enforcement, p. 4-15
  • § 4:3 : FTC Enforcement of Privacy and Security Promises, p. 4-15
    • § 4:3.1 : Overview, p. 4-15
    • § 4:3.2 : Commission Authority to Investigate and Enforce, p. 4-15
    • § 4:3.3 : Security and Privacy Enforcement Actions, p. 4-16
  • § 4:4 : FTC Enforcement of Children’s Privacy, p. 4-47
    • § 4:4.1 : Overview, p. 4-47
    • § 4:4.2 : Commission Authority to Investigate and Enforce, p. 4-48
    • § 4:4.3 : Children’s Privacy Enforcement Actions, p. 4-48
  • § 4:5 : FTC Enforcement of Financial Privacy, p. 4-66
    • § 4:5.1 : Overview, p. 4-66
    • § 4:5.2 : Commission Authority to Investigate and Enforce, p. 4-66
    • § 4:5.3 : Financial Privacy Enforcement Actions, p. 4-66
  • § 4:6 : FTC Enforcement of Credit Information Privacy, p. 4-82
    • § 4:6.1 : Overview, p. 4-82
    • § 4:6.2 : Commission Authority to Investigate and Enforce, p. 4-82
    • § 4:6.3 : Credit Information Privacy Enforcement Actions, p. 4-82
Chapter 5: State Privacy Laws (Scott P. Cooper, Tanya L. Forsheit, Navid Soleymani, Clifford S. Davidson)
  • § 5:1 : Introduction, p. 5-3
    • § 5:1.1 : Overview: Role of State Governments, p. 5-3
    • § 5:1.2 : Origins of State Privacy Laws, p. 5-4
      • [A] : Judicial—Torts and Crimes, p. 5-4
      • [B] : Constitutional, p. 5-5
      • [C] : Statutory, p. 5-7
        • [C][1] : The California Invasion of Privacy Standard, p. 5-8
  • § 5:2 : Online Privacy, p. 5-10
    • § 5:2.1 : State Online Privacy Protection Statutes, p. 5-10
      • [A] : California Online Privacy Protection Act (OPPA), p. 5-10
      • [B] : Other States, p. 5-13
      • [C] : Related State Legislation Affecting Online Businesses, p. 5-14
    • § 5:2.2 : Employee Social Media Protection Laws, p. 5-14
  • § 5:3 : Spyware, p. 5-15
    • § 5:3.1 : California, p. 5-15
    • § 5:3.2 : Other States Following California’s Approach, p. 5-17
    • § 5:3.3 : Other States with More Limited Spyware Statutes, p. 5-18
  • § 5:4 : Spam, p. 5-19
    • § 5:4.1 : The Federal Statute and Preemption, p. 5-19
    • § 5:4.2 : State Regulation of Spam, p. 5-23
      • [A] : Opt-In Provisions, p. 5-23
      • [B] : Opt-Out Provisions, p. 5-23
      • [C] : Subject-Line Labeling Requirements, p. 5-24
      • [D] : Provisions Prohibiting False or Misleading Practices, p. 5-24
      • [E] : Bans on Selling Software That Can Be Used to Falsify Routing Information, p. 5-25
  • § 5:5 : Identity Theft, p. 5-26
    • § 5:5.1 : Laws Criminalizing Identity Theft, p. 5-26
    • § 5:5.2 : Laws Allowing Victims to Initiate Investigations and/or Clear Their Names, p. 5-27
    • § 5:5.3 : Rights of Action Against Perpetrators, p. 5-28
    • § 5:5.4 : Protections and Rights of Action Against Debt Collectors, p. 5-28
    • § 5:5.5 : Notice of Security Breach Legislation, p. 5-29
      • [A] : The California Framework, p. 5-30
      • [B] : Other State Security Breach Notification Provisions, p. 5-32
        • [B][1] : “Material” Breach Necessary to Trigger Notification, p. 5-32
        • [B][2] : Expanded Definition of “Personal Information”, p. 5-35
        • [B][3] : Necessity to Notify Customers of a Breach of Non-Computerized Data, p. 5-38
        • [B][4] : Notification Procedures, p. 5-39
        • [B][5] : Duty to Notify Other Entities, p. 5-42
        • [B][6] : Duty of Non-Owners Maintaining Data, p. 5-45
        • [B][7] : Exemption from Notification for Entities in Compliance with GLBA, p. 5-46
        • [B][8] : Exemption from Notification for Encrypted Information, p. 5-46
        • [B][9] : Penalties for Violation, p. 5-48
        • [B][10] : Minnesota Law Requires Reimbursement of Card-Issuing Financial Institutions for Costs Associated with a Data Breach, p. 5-51
        • [B][11] : State Credit Freeze Laws, p. 5-52
    • § 5:5.6 : Data Security and Destruction Requirements, p. 5-53
  • § 5:6 : Financial Privacy, p. 5-55
    • § 5:6.1 : California Financial Information Privacy Act, p. 5-55
    • § 5:6.2 : Other States, p. 5-57
    • § 5:6.3 : Preemption, p. 5-58
    • § 5:6.4 : Credit Card Transactions, p. 5-59
      • [A] : Restrictions on Merchants, p. 5-59
      • [B] : Prohibition on Disclosure of Marketing Information, p. 5-61
  • § 5:7 : Privacy of Insurance-Related Information, p. 5-61
    • § 5:7.1 : The National Association of Insurance Commissioners (NAIC) Model Acts, p. 5-62
    • § 5:7.2 : Definitions of “Personal Information” and Similar Terms, p. 5-63
    • § 5:7.3 : The GLBA Joint Marketing Exception and 2003 Model Act States, p. 5-64
  • § 5:8 : Laws Governing Disclosure and Use of Social Security Numbers, p. 5-64
    • § 5:8.1 : The California Framework, p. 5-66
      • [A] : Jurisdictional Modification to the California Framework, p. 5-67
        • [A][1] : Prohibiting SSNs in Customer Mailings, p. 5-67
        • [A][2] : Expanded Exemptions from the California Framework, p. 5-67
    • § 5:8.2 : Other State Law Regulation of the Use of Social Security Numbers, p. 5-69
      • [A] : Requiring a Consumer’s SSN to Complete a Transaction, p. 5-69
      • [B] : Privacy Policy for Handling SSNs, p. 5-70
      • [C] : Employers, p. 5-70
      • [D] : Other Modifications, p. 5-71
  • § 5:9 : Unsolicited Telephone Marketing, p. 5-71
    • § 5:9.1 : Telemarketing: State Do-Not-Call Laws, p. 5-71
    • § 5:9.2 : Laws Restricting Cell Phone Marketing, p. 5-73
  • § 5:10 : Electronic Eavesdropping, p. 5-75
    • § 5:10.1 : State Statutory Schemes, p. 5-75
  • § 5:11 : Radio Frequency Identification, p. 5-76
Chapter 6: Privacy of Electronic Communications
  • § 6:1 : Introduction, p. 6-2
    • § 6:1.1 : Purpose and History of the ECPA, p. 6-4
    • § 6:1.2 : Amendments, p. 6-9
  • § 6:2 : Title I—The Wiretap Act, p. 6-10
    • § 6:2.1 : Communications Covered, p. 6-12
      • [A] : Oral Communications, p. 6-12
        • [A][1] : Expectation of Privacy, p. 6-12
        • [A][2] : Silent Video, p. 6-19
      • [B] : Wire Communications, p. 6-20
        • [B][1] : Cordless Phones, p. 6-21
        • [B][2] : Voice Mail, p. 6-23
      • [C] : Electronic Communications, p. 6-24
    • § 6:2.2 : Intentional Interception of Communications, p. 6-25
      • [A] : “Intercept”, p. 6-26
        • [A][1] : Contemporaneous Acquisition Requirement, p. 6-26
        • [A][2] : Access to Temporarily Stored Emails, p. 6-31
        • [A][3] : Access to Telephone Numbers or Other Associated Information, p. 6-41
        • [A][4] : Keyloggers and Screen Captures, p. 6-43
      • [B] : Intent, p. 6-46
    • § 6:2.3 : Use or Disclosure of an Intercepted Communication, p. 6-49
    • § 6:2.4 : Exceptions, p. 6-52
      • [A] : Communications Service in Normal Course of Operation, p. 6-53
      • [B] : Consent by a Party to a Communication, p. 6-57
        • [B][1] : Implied Consent, p. 6-61
        • [B][2] : Tortious or Criminal Purpose Exception, p. 6-62
        • [B][3] : The Case of “Cookies”, p. 6-64
          • Figure 6-1 : Placing Third-Party Advertisements on a Website, p. 6-66
      • [C] : Business Extensions, p. 6-68
      • [D] : Communications to the Public, p. 6-74
      • [E] : First Amendment, p. 6-76
    • § 6:2.5 : Private Cause of Action, p. 6-80
      • [A] : Litigating Wiretap Act Claims, p. 6-82
      • [B] : Limitations, p. 6-84
      • [C] : Damages, p. 6-85
      • [D] : Good-Faith Defense, p. 6-88
    • § 6:2.6 : State Wiretap Acts, p. 6-90
  • § 6:3 : Title II—Stored Communications Act, p. 6-92
    • § 6:3.1 : Access to Stored Communications, p. 6-93
      • [A] : Electronic Communication Service Facility, p. 6-93
      • [B] : “Unauthorized Access”, p. 6-98
        • [B][1] : Privacy Policies, p. 6-101
        • [B][2] : Subpoenas, p. 6-102
        • [B][3] : Exceeding Authorized Access, p. 6-104
      • [C] : “Electronic Storage”, p. 6-105
        • [C][1] : Cookies and Other Data Stored on Computers, p. 6-107
      • [D] : Exceptions, p. 6-109
        • [D][1] : Access Authorized by a Service Provider, p. 6-109
        • [D][2] : Access Authorized by a Party, p. 6-110
    • § 6:3.2 : Disclosures by Communications Services, p. 6-112
      • [A] : Disclosures Prohibited Under Section 2702, p. 6-112
        • [A][1] : Contents of Communications, p. 6-116
          • [A][1][a] : Exceptions, p. 6-117
        • [A][2] : Customer Records, p. 6-122
          • [A][2][a] : Exceptions, p. 6-125
        • [A][3] : Anti-Pretexting Laws, p. 6-125
      • [B] : Disclosures to the Government Required Under Section 2703, p. 6-127
    • § 6:3.3 : Private Cause of Action, p. 6-129
      • [A] : Damages, p. 6-132
  • § 6:4 : Title III—Pen Registers and Trap-and-Trace Devices, p. 6-133
Chapter 7: The Foreign Intelligence Surveillance Act (Christopher Wolf, Rachel Glickman)
  • § 7:1 : Introduction, p. 7-2
    • § 7:1.1 : Connection to Privacy Principles, p. 7-2
    • § 7:1.2 : Historical Background: Electronic Surveillance for National Security Purposes, p. 7-3
  • § 7:2 : The Foreign Intelligence Surveillance Act (FISA), p. 7-5
    • § 7:2.1 : Scope of the FISA, p. 7-5
    • § 7:2.2 : Permissible Electronic Surveillance Under FISA: The Target Must Be a Foreign Power, p. 7-5
    • § 7:2.3 : Procedure for Obtaining a FISA Court Order for Surveillance, p. 7-6
    • § 7:2.4 : Permissible Electronic Surveillance Without a Court Order, p. 7-7
    • § 7:2.5 : Covered Surveillance Methods, p. 7-8
    • § 7:2.6 : Foreign Intelligence Must Be a “Significant Purpose of Surveillance”, p. 7-10
    • § 7:2.7 : Minimization Procedures, p. 7-10
    • § 7:2.8 : Remedies for Violation, p. 7-12
  • § 7:3 : The Foreign Intelligence Surveillance Court, p. 7-13
    • § 7:3.1 : Basic Structure, p. 7-13
    • § 7:3.2 : Legal Standards, p. 7-14
    • § 7:3.3 : Appellate Review, p. 7-15
  • § 7:4 : Controversy Surrounding the Warrantless Interception of Communication by the NSA, p. 7-15
    • § 7:4.1 : Background, p. 7-15
    • § 7:4.2 : Codifying the Terrorist Surveillance Program Under FISA, p. 7-19
    • § 7:4.3 : The FISA Amendments Act of 2008, p. 7-20
  • § 7:5 : Conclusion, p. 7-21
Chapter 8: Privacy and Homeland Security; and Appendices 8A-8F (Holly Chapin, Hugo Teufel)
  • § 8:1 : Background: Intelligence, Surveillance, and Privacy Pre-9/11, p. 8-2
  • § 8:2 : Establishment of Department of Homeland Security, p. 8-4
    • § 8:2.1 : DHS Organization and Functions, p. 8-5
    • § 8:2.2 : Authorities for Privacy Protection at DHS, p. 8-6
  • § 8:3 : Privacy Protection at Other Agencies, p. 8-8
    • § 8:3.1 : Internal Privacy Protection Requirements for Executive-Branch Agencies, p. 8-8
    • § 8:3.2 : Executive-Branch Privacy/Civil Liberties Oversight, p. 8-10
      • [A] : Board on Safeguarding Americans’ Civil Liberties, p. 8-10
      • [B] : Privacy and Civil Liberties Oversight Board, p. 8-11
  • § 8:4 : DHS Privacy Office Functions, p. 8-14
    • § 8:4.1 : Policy, p. 8-15
      • [A] : Fair Information Practice Principles, p. 8-15
      • [B] : Use of Social Media, p. 8-16
      • [C] : Other Guidance, p. 8-17
    • § 8:4.2 : Compliance, p. 8-18
    • § 8:4.3 : Oversight, p. 8-19
    • § 8:4.4 : Incidents and Breaches, p. 8-22
    • § 8:4.5 : Education and Training, p. 8-23
    • § 8:4.6 : Outreach, p. 8-26
  • § 8:5 : High-Profile Privacy Issues in Homeland Security, p. 8-26
    • § 8:5.1 : Information-Sharing, p. 8-27
      • [A] : Breaking Down the Wall of Separation, p. 8-27
      • [B] : Information Sharing Environment (ISE), p. 8-28
    • § 8:5.2 : Fusion Centers, p. 8-31
      • [A] : Organization and Mission, p. 8-31
      • [B] : Civil Liberties Concerns, p. 8-33
    • § 8:5.3 : Watchlists, p. 8-36
      • [A] : Watchlists, Pre-9/11, p. 8-36
      • [B] : Integration and Use of Screening Information, p. 8-37
      • [C] : Redress and Oversight, p. 8-38
    • § 8:5.4 : Data Mining, p. 8-39
      • [A] : Privacy Concerns Versus Combating Terrorism, p. 8-40
      • [B] : Establishing a Uniform Definition of “Data Mining”, p. 8-41
      • [C] : High-Profile Data Mining, p. 8-45
        • [C][1] : Program “Able Danger”, p. 8-45
        • [C][2] : JetBlue Data Transfer, p. 8-46
        • [C][3] : Total Information Awareness/Terrorism Information Awareness (TIA), p. 8-47
        • [C][4] : Multistate Anti-Terrorism Information Exchange (MATRIX), p. 8-48
        • [C][5] : Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE), p. 8-49
    • § 8:5.5 : Transatlantic Exchanges of Personal Data, p. 8-50
      • [A] : Background, p. 8-50
      • [B] : Conflicting Data-Protection Requirements, p. 8-51
      • [C] : Common Principles Underlying Future Information-Sharing, p. 8-53
  • Appendix 8A : The Fair Information Practice Principles, p. App. 8A-1
  • Appendix 8B : DHS Policy Regarding Privacy Impact Assessments, p. App. 8B-1
  • Appendix 8C : DHS Privacy Policy Regarding Collection, Use, Retention, and Dissemination of Information on Non-U.S. Persons, p. App. 8C-1
  • Appendix 8D : Privacy and Homeland Security Issues in the Airline Industry, p. App. 8D-1
  • Appendix 8E : Department of Homeland Security Organizational Chart, p. App. 8E-1
  • Appendix 8F : Privacy Act Amendment Requests, p. App. 8F-1
Chapter 9: Workplace Privacy Law (Kathleen M. McKenna, Anthony J. Oncidi)
  • § 9:1 : Selection of Employees, p. 9-3
    • § 9:1.1 : Pre-Hire Inquiries, p. 9-3
      • [A] : Inquiries Regarding Race, Sex, Religion, and Other Protected Characteristics, p. 9-3
      • [B] : Disability-Related Inquiries, p. 9-5
      • [C] : Psychological Testing and Examinations, p. 9-6
      • [D] : Union Status, p. 9-7
      • [E] : Litigation History, p. 9-7
    • § 9:1.2 : References, p. 9-7
    • § 9:1.3 : Blacklisting, p. 9-10
  • § 9:2 : Collection of Personal Information, p. 9-11
    • § 9:2.1 : Medical Information, p. 9-13
      • [A] : Health Insurance Portability and Accountability Act of 1996, p. 9-13
      • [B] : HIV/AIDS, p. 9-16
      • [C] : Confidentiality of Patient Medical Records, p. 9-18
        • [C][1] : Federal Law, p. 9-18
        • [C][2] : State Law, p. 9-18
    • § 9:2.2 : Past Criminal and Arrest Records, p. 9-23
      • [A] : Federal Law, p. 9-23
        • [A][1] : Title VII, p. 9-23
        • [A][2] : Intelligence Reform and Terrorism Prevention Act, p. 9-25
      • [B] : State Law, p. 9-26
    • § 9:2.3 : Fingerprints and Photographs, p. 9-28
    • § 9:2.4 : Financial Data, p. 9-30
      • [A] : Federal Law, p. 9-30
        • [A][1] : Fair Credit Reporting Act of 1970, p. 9-30
        • [A][2] : Fair and Accurate Credit Transactions Act, p. 9-31
      • [B] : State Law, p. 9-32
    • § 9:2.5 : Educational Records, p. 9-33
      • [A] : Federal Law, p. 9-33
      • [B] : State Law, p. 9-34
    • § 9:2.6 : Personal Identification Information, p. 9-34
      • [A] : Information Stored on Computers, p. 9-34
      • [B] : Social Security Numbers, p. 9-35
      • [C] : Motor Vehicle Information, p. 9-37
      • [D] : Verification of Employment Eligibility: E-Verify, p. 9-38
    • § 9:2.7 : Access to Personnel Records, p. 9-39
    • § 9:2.8 : Genetic Information, p. 9-41
  • § 9:3 : Policies Regulating Employee Conduct, p. 9-43
    • § 9:3.1 : Sexual Conduct, Intimate Relationships, Fraternization, Procreation, Marriage, p. 9-43
      • [A] : Common Law Claims—Private Employees, p. 9-43
        • [A][1] : Invasion of Privacy, p. 9-43
          • [A][1][a] : Public Disclosure of Private Facts, p. 9-43
          • [A][1][b] : Intrusion upon Seclusion, p. 9-45
        • [A][2] : Wrongful Termination in Violation of Public Policy, p. 9-46
      • [B] : Statutory Claims, p. 9-47
      • [C] : Constitutional Privacy Right, p. 9-47
    • § 9:3.2 : Grooming and Dress Codes, p. 9-49
      • [A] : Mutable Versus Immutable Characteristics, p. 9-49
      • [B] : Hair Length and Style, p. 9-50
        • [B][1] : Federal Law, p. 9-50
        • [B][2] : State Law, p. 9-53
      • [C] : Beards and Moustaches, p. 9-53
        • [C][1] : Federal Law, p. 9-53
        • [C][2] : State Law, p. 9-55
      • [D] : Dress Codes, p. 9-56
        • [D][1] : Federal Law, p. 9-56
        • [D][2] : State Law, p. 9-57
      • [E] : Gender Identity Issue, p. 9-58
    • § 9:3.3 : Polygraphs and Lie Detector Tests, p. 9-59
    • § 9:3.4 : Genetic Testing, p. 9-60
    • § 9:3.5 : Drug and Alcohol Use, p. 9-61
      • [A] : Federal Law, p. 9-61
        • [A][1] : Constitution, p. 9-61
        • [A][2] : Americans with Disabilities Act (ADA), p. 9-63
        • [A][3] : Other Federal Statutes and Regulations, p. 9-65
      • [B] : State Laws, p. 9-66
        • [B][1] : Constitutions, p. 9-66
        • [B][2] : Statutes, p. 9-66
      • [C] : Contractual and Common Law Theories of Liability9-68
    • § 9:3.6 : Smoking9-69
      • [A] : Restrictions on Smoking in the Workplace9-69
      • [B] : Off-Duty Smoking9-70
    • § 9:3.7 : Disclosure of Wages9-71
    • § 9:3.8 : Blogging and Cybersmearing9-72
      • [A] : Validity of Employee Confidentiality Policies9-73
      • [B] : Potential Causes of Action9-73
        • [B][1] : Private Blogs and the Stored Communication Act9-73
        • [B][2] : Trespass to Chattels9-75
        • [B][3] : Defamation9-75
  • § 9:4 : Surveillance of Employees9-77
    • § 9:4.1 : Employer Investigations Generally9-77
    • § 9:4.2 : Physical Searches9-78
      • [A] : Introduction9-78
      • [B] : Public Employer Searches9-79
      • [C] : Private Employer Searches9-82
        • [C][1] : Third-Party Consent9-83
      • [D] : NLRA9-84
    • § 9:4.3 : Email and Internet Use Searches9-84
      • [A] : Notice9-84
      • [B] : Statutory Provisions9-88
        • [B][1] : Federal Law9-88
          • [B][1][a] : The Electronic Communications Privacy Act9-88
            • [B][1][a][i] : Exceptions9-91
          • [B][1][b] : The Federal Computer Fraud and Abuse Act9-93
          • [B][1][c] : NLRA9-95
      • [C] : State Law9-95
    • § 9:4.4 : Instant Electronic Communications9-97
      • [A] : Instant Messaging9-97
      • [B] : Text Messaging9-98
    • § 9:4.5 : Eavesdropping, Recording Telephone Conversations, and Video Monitoring9-99
    • § 9:4.6 : Human Tracking Devices9-102
    • § 9:4.7 : USA PATRIOT Act9-106
Chapter 10: Privacy and Commercial Communications Michael Hintze ~
Robert Forbes ~
  • § 10:1 : Overview10-3
    • § 10:1.1 : Connection to Privacy Principles and Laws10-3
    • § 10:1.2 : General Considerations10-4
  • § 10:2 : Email Communications10-4
    • § 10:2.1 : Source and Scope of Rules10-4
    • § 10:2.2 : What Is a “Commercial Electronic Mail Message”?10-6
    • § 10:2.3 : What Is an “Electronic Mail Address”?10-8
    • § 10:2.4 : Who Is the “Sender”?10-10
    • § 10:2.5 : Consent Requirements10-12
    • § 10:2.6 : Information to Be Included in Each Message10-13
    • § 10:2.7 : Forward-to-a-Friend Features10-14
    • § 10:2.8 : Specific Rules for Messages Sent to Wireless Domains10-16
    • § 10:2.9 : Prohibitions on Fraudulent, Deceptive, and Abusive Practices10-18
    • § 10:2.10 : Additional Rules Regarding Sexually Oriented Material10-19
  • § 10:3 : Telephone Communications10-21
    • § 10:3.1 : Source and Scope of Rules10-21
    • § 10:3.2 : Consent Requirements10-22
      • [A] : Company-Specific Consent Requirements10-23
      • [B] : National Do Not Call Registry10-24
      • [C] : State Do-Not-Call Lists10-25
    • § 10:3.3 : Required Call Content10-26
    • § 10:3.4 : Time and Frequency Restrictions10-28
    • § 10:3.5 : Use of Autodialers, Prerecorded Messages, and Other Technologies10-28
    • § 10:3.6 : Prohibitions on Deceptive or Abusive Telemarketing Practices10-31
    • § 10:3.7 : Record-Keeping and Compliance Requirements10-32
  • § 10:4 : Fax Communication10-33
    • § 10:4.1 : Source and Scope of Rules10-33
    • § 10:4.2 : Consent Requirements10-34
    • § 10:4.3 : Information to Be Included in Each Message10-35
  • § 10:5 : Direct Mail Communications10-36
    • § 10:5.1 : Source and Scope of Rules10-36
    • § 10:5.2 : Restrictions and Prohibitions on Mailing Certain Content10-36
      • [A] : Fraudulent or Deceptive Content10-36
      • [B] : Prohibited or Restricted Advertising Content10-37
      • [C] : Mailings Containing Certain Goods, Samples, Etc.10-38
    • § 10:5.3 : Consent Requirements10-38
      • [A] : Sexually Oriented Advertisements10-39
      • [B] : “Pandering” Advertisements10-40
      • [C] : Sweepstakes and Skill Contests10-40
  • § 10:6 : Text Messaging10-41
    • § 10:6.1 : Source and Scope of Rules10-41
    • § 10:6.2 : What Is a Text Message?10-41
    • § 10:6.3 : Consent Requirements10-42
      • [A] : Messages Sent to a Number10-42
        • [A][1] : Do Not Call Rules10-42
      • [B] : Messages Sent to a Username and Domain Name10-43
        • [B][1] : Express Prior Authorization10-44
        • [B][2] : FCC List of Wireless Domains10-45
        • [B][3] : Procedures for Receiving and Honoring Opt-Out Requests10-45
      • [C] : State-Law Consent Requirements10-46
        • [C][1] : California10-46
        • [C][2] : Rhode Island10-48
        • [C][3] : Washington10-49
        • [C][4] : State Spam Laws10-51
    • § 10:6.4 : Sending Automated Text Messages10-51
    • § 10:6.5 : Industry Self-Regulation10-52
      • [A] : Mobile Marketing Association10-52
      • [B] : Direct Marketing Association’s Guidelines for Ethical Business Practice10-56
  • § 10:7 : Social Media10-57
    • § 10:7.1 : Source and Scope of Rules10-57
    • § 10:7.2 : What Is Social Media?10-57
    • § 10:7.3 : Sending Messages via Social Media10-58
    • § 10:7.4 : Gathering and Using Consumer Data from Social Media Sites10-58
      • [A] : Disclosure of Users’ Personal Information to Third Parties10-58
      • [B] : Address Book Harvesting10-59
      • [C] : Location-Based Services10-60
      • [D] : Computer Fraud Statutes10-60
      • [E] : Industry Self Regulation of Information Gathering and Distribution10-62
    • § 10:7.5 : Using Social Media Users’ Actions As Advertisements10-63
      • [A] : Advertising Social Media Users’ Activity Within the Social Media Site10-63
      • [B] : Advertising Social Media Users’ Internet Activity Outside the Social Media Site10-64
  • § 10:8 : Conclusions10-64
Chapter 11: The Children’s Online Privacy Protection Act (COPPA) Nancy L. Savitt ~
  • § 11:1 : Introduction/Overview11-3
    • § 11:1.1 : Enactment11-3
    • § 11:1.2 : Statutory Overview11-4
    • § 11:1.3 : Who Enforces the Statute11-5
  • § 11:2 : Who Is Subject to the Statute11-6
    • § 11:2.1 : “Operator”11-6
      • [A] : Factors Determining Operator Status11-8
      • [B] : Special Cases11-9
        • [B][1] : Internet Service Providers and Other “Mere Conduits”11-9
        • [B][2] : Advertisers11-10
        • [B][3] : Non-U.S. Operators11-11
        • [B][4] : Nonprofits11-11
    • § 11:2.2 : “Website or Online Service Directed to Children”11-11
      • [A] : Primary Content Provider Versus Plug-Ins11-12
      • [B] : Age-Screening Where Children Are Not “Primary Audience”11-12
    • § 11:2.3 : General Audience Website11-15
      • [A] : “Actual Knowledge”11-16
  • § 11:3 : What Activities Does COPPA Cover?11-17
    • § 11:3.1 : “Personal Information”11-17
    • § 11:3.2 : “Collection”11-19
      • [A] : Requesting a Child to Submit Personal Information Online11-19
      • [B] : Enabling a Child to Publicly Disclose Personal Information11-20
        • [B][1] : To Monitor or Not to Monitor11-21
      • [C] : Cookies and Passive Tracking11-22
    • § 11:3.3 : “Disclosure”11-22
      • [A] : Release of Personal Information11-22
        • [A][1] : Third Party Versus Provider of “Support for the Internal Operations of the Website”11-23
      • [B] : Making Personal Information Publicly Available11-25
  • § 11:4 : How to Comply with COPPA11-25
    • § 11:4.1 : Need Prior Parental Consent Unless Fall Within Exception11-26
      • [A] : “Verifiable Parental Consent” (“Verifiable Consent”)11-26
      • [B] : “Parent”11-27
        • [B][1] : Schools11-27
        • [B][2] : Ascertaining Whether Someone Is a “Parent”11-27
          • [B][3] : Parents’ Right to Review and Have Information Deleted11-28
    • § 11:4.2 : Exceptions to Consent11-30
      • [A] : To Obtain Parental Consent11-30
      • [B] : To Respond to a Child’s Specific Request on a One-Time Basis11-31
      • [C] : To Respond More Than Once to a Child’s Specific Request11-32
      • [D] : To Protect the Child’s Safety11-34
      • [E] : To Protect the Website11-34
      • [F] : To Notify and Update Parents About a Website That Does Not Collect Personal Information11-35
      • [G] : To Collect a Persistent Identifier in Limited Circumstances11-36
    • § 11:4.3 : How to Get Consent11-36
      • [A] : Notice11-36
        • [A][1] : Requirements for Notice11-37
          • [A][1][a] : “Clear and Understandable”11-37
          • [A][1][b] : Information Collected and How It Is Used11-37
          • [A][1][c] : Disclosures to Third Parties and Others11-38
          • [A][1][d] : Parental Review Rights11-38
          • [A][1][e] : Operators’ Contact Information11-39
          • [A][2] : Privacy Policy Placement11-41
          • [A][3] : Direct Notice to Parents11-41
            • [A][3][a] : “Material Change”11-41
        • [B] : Consent11-42
          • [B][1] : Full Consent11-42
            • [B][1][a] : Print and Send or Scan11-42
            • [B][1][b] : Credit Card Transaction11-42
            • [B][1][c] : Toll-Free Number or Video Conference11-43
            • [B][1][d] : Government-Issued Identification11-43
            • [B][1][e] : Other Methods11-43
          • [B][2] : Email Plus Consent11-44
          • [B][3] : Online Consent Form Insufficient11-46
      • § 11:4.4 : What Happens If the Operator Does Not Get Parental Consent11-46
        • [A] : Delete Information11-46
        • [B] : Limited Permission to Terminate Service11-47
          • [B][1] : Cannot Terminate for Non-Consent to Third-Party Disclosure11-47
      • § 11:4.5 : Security and Data Retention/Deletion11-48
      • § 11:4.6 : Safe Harbors11-51
  • § 11:5 : Sanctions/Penalties11-51
    • § 11:5.1 : FTC COPPA Enforcement Actions11-53
    • § 11:5.2 : FTC Non-COPPA Enforcement11-55
Chapter 12: The Privacy Act of 1974 and Its Progeny Kenneth P. Mortensen ~
Nuala O’Connor Kelly ~
  • § 12:1 : Introduction12-3
  • § 12:2 : Privacy Act Statutory Provisions12-4
    • § 12:2.1 : 5 U.S.C. § 552a(a): Definitions12-4
      • [A] : “Agency”12-4
        • [A][1] : Privacy Act Applies Only to Federal Agencies12-4
        • [A][2] : Executive Office of the President12-5
        • [A][3] : State and Local Government Agencies12-7
        • [A][4] : Other Entities12-7
      • [B] : “Individual”12-8
      • [C] : “Maintain”12-10
      • [D] : “Record”12-10
      • [E] : “System of Records”12-13
      • [F] : “Statistical Record”12-16
      • [G] : “Routine Use”12-17
    • § 12:2.2 : 5 U.S.C. § 552a(b): Conditions of Disclosure12-18
      • [A] : Disclosure Within Agencies12-19
      • [B] : Disclosure to the Public12-19
      • [C] : Disclosure for a “Routine Use”12-20
      • [D] : Disclosure to the Bureau of the Census12-22
      • [E] : Disclosure for Statistical Research and Reporting12-23
      • [F] : Disclosure to National Archives12-24
      • [G] : Disclosure for Law Enforcement Purposes12-24
      • [H] : Disclosure Under Emergency Circumstances12-25
      • [I] : Disclosure to Congress12-26
      • [J] : Disclosure to the General Accountability Office12-26
      • [K] : Disclosure Pursuant to Court Order12-26
      • [L] : Disclosure to a Consumer Reporting Agency12-27
      • [M] : Disclosure of Social Security Numbers12-27
    • § 12:2.3 : 5 U.S.C. § 552a(d): Access to Records12-28
      • [A] : Individual Access12-28
      • [B] : Amending Records12-30
    • § 12:2.4 : 5 U.S.C. § 552a(g)(4): Remedies12-32
  • § 12:3 : Systems of Records Notice Guidance12-32
    • § 12:3.1 : Definitions12-32
    • § 12:3.2 : Contents12-32
    • § 12:3.3 : How to Prepare a System of Records Notice12-33
      • [A] : Key Elements12-33
      • [B] : Storage12-34
      • [C] : Record Identification12-34
      • [D] : Security Safeguards12-34
      • [E] : Retention and Disposal12-34
      • [F] : Notification Procedures; Record Access Procedures; Contesting Record Procedures12-35
      • [G] : Record Source Categories12-35
      • [H] : Systems Exempted from Certain Provisions of the Act12-35
      • [I] : Routine Uses12-36
  • § 12:4 : E-Government Act Section 208 Statutory Provisions: Privacy Impact Assessments12-37
    • § 12:4.1 : Section 208(b)(1): Responsibilities of Agencies12-38
      • [A] : When to Do a Privacy Impact Assessment12-38
      • [B] : Agency Activities12-39
      • [C] : Sensitive Information12-39
    • § 12:4.2 : Section 208(b)(2): Contents of a Privacy Impact Assessment12-40
      • [A] : OMB Guidance12-40
      • [B] : What Information Is Collected?12-40
      • [C] : Why Is the Information Collected?12-41
      • [D] : What Is the Intended Use of the Information?12-41
      • [E] : Who Will the Information Be Shared With?12-41
      • [F] : What Notice Will Be Given Regarding the Information’s Use and Collection?12-42
      • [G] : How Will the Information Be Secured?12-42
      • [H] : Is a System of Records Notice Created?12-42
  • § 12:5 : Privacy Impact Assessment Guidance12-42
    • § 12:5.1 : Introduction12-42
    • § 12:5.2 : What Is a PIA?12-43
    • § 12:5.3 : Complying with the PIA Requirement12-43
    • § 12:5.4 : Information Covered by the PIA12-45
    • § 12:5.5 : Regarding “Private” Information12-45
    • § 12:5.6 : Regarding Privacy Act System of Records Notice (SORN) Requirements Versus PIA Requirements12-46
    • § 12:5.7 : When to Conduct a PIA12-46
    • § 12:5.8 : Classified Information and Systems12-46
    • § 12:5.9 : Negative PIAs12-46
    • § 12:5.10 : How to Conduct a PIA12-46
    • § 12:5.11 : Writing the PIA12-47
      • [A] : Introduction12-47
      • [B] : Section 1.0—The System and the Information Collected and Stored with the System12-48
      • [C] : Section 2.0—Uses of the System and the Information12-49
      • [D] : Section 3.0—Retention12-51
      • [E] : Section 4.0—Internal Sharing and Disclosure12-51
      • [F] : Section 5.0—External Sharing and Disclosure12-52
      • [G] : Section 6.0—Notice12-53
      • [H] : Section 7.0—Individual Access, Redress, and Correction12-54
      • [I] : Section 8.0—Technical Access and Security12-55
      • [J] : Section 9.0—Technology12-56
      • [K] : Conclusion12-56
      • [L] : Approval and Signature Page12-56
Chapter 13: Canadian Privacy Law John Beardwood ~
Gabriel M.A. Stern ~
Daniel Fabiano ~
  • § 13:1 : Nature of the Canadian Privacy Framework13-3
    • § 13:1.1 : Intersecting Federal and Provincial Privacy Regimes13-3
      • [A] : Public Sector13-3
      • [B] : Private Sector13-4
        • [B][1] : Québec13-4
        • [B][2] : Federal13-5
        • [B][3] : Provincial (Other Than Québec)13-6
      • [C] : Personal Health Information13-7
      • [D] : Statutory Tort of Invasion of Privacy13-8
    • § 13:1.2 : Privacy Principles from Common Law13-9
      • [A] : Common-Law Tort of Privacy13-9
      • [B] : Work Product13-11
      • [C] : Surveillance13-12
        • [C][1] : Reasonableness of Surveillance in the Workplace13-12
        • [C][2] : Surveillance Evidence in Litigation13-13
    • § 13:1.3 : Relationship Between the Canadian and European Privacy Regimes13-14
  • § 13:2 : Personal Information13-16
    • § 13:2.1 : Scope of Definition of “Personal Information”13-16
    • § 13:2.2 : Employee Information13-17
    • § 13:2.3 : Carve-Outs from the Obligations Applying to Personal Information13-18
    • § 13:2.4 : Sensitivity of Personal Information13-18
    • § 13:2.5 : Grandfathering Provisions13-19
  • § 13:3 : Nature of Privacy Obligations13-19
    • § 13:3.1 : Consent/Notice Obligations13-19
      • [A] : Generally13-19
      • [B] : Content of the Notice13-20
      • [C] : Withdrawing Consent13-20
      • [D] : Extra-Jurisdictional Transfers of Personal Information13-21
    • § 13:3.2 : Administrative Obligations13-23
    • § 13:3.3 : Access Obligations13-23
    • § 13:3.4 : Breach Notification13-24
      • [A] : Comparison of the Federal and Alberta Models13-24
      • [B] : Differences Between the Federal and Alberta Models13-25
        • [B][1] : Threshold for Reporting a Breach13-25
        • [B][2] : Threshold for Notifying the Affected Individuals13-26
        • [B][3] : Definition of “Significant Harm”13-26
        • [B][4] : Responsibility for Notification13-27
        • [B][5] : Offenses13-27
    • § 13:3.5 : Enforcement13-28
      • [A] : Generally13-28
      • [B] : Powers13-28
      • [C] : Offenses13-28
      • [D] : “Naming and Shaming”13-29
      • [E] : Review of Findings/Appeals13-29
      • [F] : Remedies13-29
  • § 13:4 : Canadian Privacy Law in Transition13-30
    • § 13:4.1 : Recent Changes to Canadian Privacy Law13-30
    • § 13:4.2 : 2010 Changes to the Alberta PIPA13-30
      • [A] : Privacy Policies and Practices13-30
      • [B] : Maintaining Accuracy of Personal Information13-31
      • [C] : Retention and Destruction13-31
    • § 13:4.3 : Proposed Revisions to PIPEDA13-32
      • [A] : Scope of Application13-32
      • [B] : Consent13-32
      • [C] : Consent Exceptions13-32
      • [D] : Definition of “Lawful Authority”13-33
      • [E] : Federal Commissioners’ Proposed 2013 Revisions to PIPEDA13-34
    • § 13:4.4 : Canada’s FISA: A Comparative Perspective13-35
      • [A] : Overview of Canadian, U.S., and U.K. Legislation13-35
      • [B] : Definition of “Commercial” Messages/Communications13-37
      • [C] : Consent13-40
        • [C][1] : “Opt-In” Versus “Opt-Out” Provisions13-40
        • [C][2] : “Natural Persons” Versus “Legal Persons”13-42
      • [D] : Additional Exemptions13-43
      • [E] : Content13-46
      • [F] : Enforcement13-49
      • [G] : Jurisdiction13-52
    • § 13:4.5 : Class Actions and Privacy Litigation13-55
    • § 13:4.6 : Federal Commissioner Decision on Credit-Based Insurance Scores13-59
      • [A] : Introduction13-59
      • [B] : Summary of PIPEDA Report of Findings No. 2012-00513-60
      • [C] : Analysis13-62
  • § 13:5 : Conclusions13-64
Chapter 14: International Privacy Law; and Appendices 14A-14E Jeremy M. Mittman ~
Donald C. Dowling ~
  • § 14:1 : Data Privacy Regulation Outside the United States: A Clash of Jurisprudential Perspectives14-3
  • § 14:2 : The European Union Data Privacy Directive14-5
    • § 14:2.1 : EU Draft Legislation Package14-6
    • § 14:2.2 : What the EU Data Directive Does14-9
    • § 14:2.3 : Social and Legal Context Underlying the EU Data Directive14-10
    • § 14:2.4 : Terminology14-12
    • § 14:2.5 : Data Processing Rules Domestically Within Europe14-13
      • [A] : Complying with Data Quality Principles and Rules14-14
    • § 14:2.6 : Disclosing to Data Subjects14-17
    • § 14:2.7 : Reporting to State Agencies14-18
  • § 14:3 : Transfers of Data to Countries Outside Europe14-19
    • § 14:3.1 : Data Transfers Allowed to “Third Countries”— and Companies Abroad14-20
    • § 14:3.2 : Safe Harbor14-23
    • § 14:3.3 : The Seven Safe Harbor Principles14-26
      • [A] : Notice14-27
      • [B] : Choice14-27
      • [C] : Onward Transfer14-28
      • [D] : Security14-28
      • [E] : Data Integrity14-28
      • [F] : Access14-29
      • [G] : Enforcement14-30
    • § 14:3.4 : Self-Certification Process14-31
    • § 14:3.5 : Criticisms of Safe Harbor14-33
    • § 14:3.6 : Binding/Standard Contractual Clauses14-35
    • § 14:3.7 : Obligations of the Data Exporter and Data Importer14-38
    • § 14:3.8 : Liability14-38
    • § 14:3.9 : Binding Corporate Rules14-39
  • § 14:4 : “Transposition” (Adoption) of the Directive in European Union Member States14-44
    • § 14:4.1 : Denmark14-44
    • § 14:4.2 : England14-45
    • § 14:4.3 : France14-46
    • § 14:4.4 : Germany14-46
    • § 14:4.5 : Italy14-48
    • § 14:4.6 : Netherlands14-48
    • § 14:4.7 : Spain14-49
  • § 14:5 : Data Privacy Laws Beyond the European Union14-50
    • § 14:5.1 : Argentina14-51
    • § 14:5.2 : Australia14-52
    • § 14:5.3 : Brazil14-54
    • § 14:5.4 : China14-56
    • § 14:5.5 : Colombia14-58
    • § 14:5.6 : Costa Rica14-59
    • § 14:5.7 : Dubai14-60
    • § 14:5.8 : Hong Kong14-61
    • § 14:5.9 : India14-62
    • § 14:5.10 : Israel14-63
    • § 14:5.11 : Japan14-64
    • § 14:5.12 : Malaysia14-65
    • § 14:5.13 : Mexico14-66
    • § 14:5.14 : Russia14-68
    • § 14:5.15 : Singapore14-70
    • § 14:5.16 : South Korea14-72
    • § 14:5.17 : Switzerland14-74
    • § 14:5.18 : Taiwan14-74
    • § 14:5.19 : Thailand14-75
    • § 14:5.20 : Ukraine14-76
    • § 14:5.21 : Uruguay14-76
  • Appendix 14A : The EU Data Privacy DirectiveApp. 14A-1
  • Appendix 14B : Controller-to-Controller Model ContractApp. 14B-1
  • Appendix 14C : Alternative Controller-to-Controller Model ContractApp. 14C-1
  • Appendix 14D : Controller-to-Processor Model ContractApp. 14D-1
  • Appendix 14E : Working Document Establishing a Model Checklist Application for Approval of Binding Corporate RulesApp. 14E-1
Chapter 15: Implementing Privacy Compliance Requirements Jody R. Westby ~
  • § 15:1 : Introduction15-2
  • § 15:2 : Intersection of Privacy, Security, and Cybercrime15-3
  • Figure 15-1 : Nexus Between Cybersecurity, Privacy and Cybercrime15-7
    • § 15:2.1 : Cybersecurity15-8
    • § 15:2.2 : Cybercrime15-11
  • § 15:3 : Cybercrime-Related Legal Considerations15-15
    • § 15:3.1 : Security Breach Notification Laws15-15
    • § 15:3.2 : Jurisdictional Issues15-15
    • § 15:3.3 : Information Sharing15-17
    • § 15:3.4 : Outsourcing15-18
  • § 15:4 : Creating an Enterprise Security Program15-19
    • Figure 15-2 : Enterprise Security Program Flowchart15-20
    • § 15:4.1 : Governance Structure15-21
    • § 15:4.2 : Security Integration and Security Operations15-24
    • § 15:4.3 : Implementation and Evaluation15-28
  • § 15:5 : Conclusion15-30
  • Table 15-1 : Top Ten Action Items for Counsel’s Role in Privacy and Security15-31
Chapter 16: Compliance with the Payment Card Industry Data Security Standard Mark MacCarthy ~
Pieter Penning ~
  • § 16:1 : Introduction16-2
  • § 16:2 : Background16-5
    • § 16:2.1 : Industry Background16-5
    • § 16:2.2 : Federal Consumer Protection Laws16-8
    • § 16:2.3 : Federal and State Data Security Regulations16-10
  • § 16:3 : Development of the Payment Card Industry Data Security Standard16-13
  • § 16:4 : PCI Requirements16-19
    • § 16:4.1 : The Basic Requirements16-19
  • Figure 16-1 : Payment Card Industry Data Security Standard16-20
    • § 16:4.2 : Protecting Stored Data16-23
  • Figure 16-2 : PCI Requirement 3: Protect Stored Cardholder Data16-23
    • § 16:4.3 : Encrypt Transmission of Cardholder Data Across Open, Public Networks16-27
  • Figure 16-3 : Requirement 4: Encrypt Transmitted Data16-28
  • § 16:4.4 : Compensating Controls16-29
  • § 16:4.5 : Payment Applications16-29
  • § 16:5 : Validation16-31
    • § 16:5.1 : Merchant Levels16-33
  • Figure 16-4 : Merchant Levels (Visa CISP)16-33
    • § 16:5.2 : Service Provider Levels16-34
  • Figure 16-5 : Service Provider Levels (Visa CISP)16-35
    • § 16:5.3 : Merchant Validation Requirements16-35
  • Figure 16-6 : Merchant Levels and Validation Requirements (Visa CISP)16-36
    • § 16:5.4 : Service Provider Validation Requirements16-37
  • Figure 16-7 : Service Provider Levels and Validation Requirements (Visa CISP)16-38
    • § 16:5.5 : Corporate Franchise Servicers16-38
  • § 16:6 : After a Compromise16-40
    • § 16:6.1 : Background16-40
    • § 16:6.2 : Initial Steps16-42
    • § 16:6.3 : Monitoring At-Risk Accounts16-43
    • § 16:6.4 : Notification to Issuing Financial Institutions16-44
  • § 16:7 : Enforcement16-46
    • § 16:7.1 : General16-46
    • § 16:7.2 : Recent Enforcement Efforts16-47
    • § 16:7.3 : CardSystems Solutions16-49
    • § 16:7.4 : Other Significant Data Breaches16-50
  • § 16:8 : Continued Development of Cardholder Data Protection16-52
    • § 16:8.1 : Increasing Global Compliance16-53
    • § 16:8.2 : Chip and PIN Security16-53
    • § 16:8.3 : Tokenization16-56
      • § 16:8.4 : Point-to-Point Encryption16-57
      • § 16:8.5 : Mobile Payments16-58
    • § 16:8.6 : Cloud Computing16-59
    • § 16:8.7 : E-Commerce16-60
    • § 16:8.8 : Risk Assessments16-61
Chapter 17: Insurance Coverage for Data Breaches and Unauthorized Privacy Disclosures Steven R. Gilford ~
  • § 17:1 : Overview17-2
  • § 17:2 : Applicability of Historic Coverages17-5
    • § 17:2.1 : First- and Third-Party Coverages for Property Loss17-6
      • [A] : First-Party Property Policies17-7
      • [B] : Third-Party CGL Policies: Coverage for Property Damage Claims17-8
    • § 17:2.2 : CGL Coverage for Personal and Advertising Injury Claims17-10
      • [A] : Publication Requirement17-12
      • [B] : Right to Privacy As an Enumerated Offense17-13
    • § 17:2.3 : Other Coverages17-16
      • [A] : Directors and Officers Liability Insurance17-16
      • [B] : Errors and Omission Policies17-17
      • [C] : Crime Policies17-18
  • § 17:3 : Modern Cyber Policies17-18
    • § 17:3.1 : Key Concepts in Cyber Coverage17-19
      • [A] : Named Peril17-19
      • [B] : Claims Made17-21
    • § 17:3.2 : Issues of Concern in Evaluating Cyber Risk Policies17-22
      • [A] : What Is Covered?17-22
      • [B] : Confidential Information, Privacy Breach, and Other Key Definitions17-23
      • [C] : Overlap with Existing Coverage17-23
      • [D] : Limits and Deductibles17-24
      • [E] : Notice Requirements17-24
      • [F] : Coverage for Regulatory Investigations or Actions17-26
      • [G] : Definition of Loss17-29
      • [H] : Who Controls Defense and Settlement17-32
      • [I] : Control of Public Relations Professionals17-35
      • [J] : Issues Created by Policyholder Employees17-36
      • [K] : Coverage of a Threatened Security Breach17-38
      • [L] : Governmental Activity Exclusion17-39
      • [M] : Other Exclusions17-39
    • § 17:3.3 : SEC Disclosure and Other Regulatory Initiatives17-40
Chapter 18: Location Privacy: Technology and the Law
  • § 18:1 : Introduction18-2
  • § 18:2 : Development and Uses of Location-Tracking Technologies18-2
    • § 18:2.1 : Overview18-2
    • § 18:2.2 : Global Positioning Systems18-4
    • § 18:2.3 : Cell Site Location Information18-6
    • § 18:2.4 : Indoor Positioning Systems18-10
      • [A] : Radio Frequency Identification18-10
      • [B] : Other IPS Technologies18-10
    • § 18:2.5 : Vehicle Tracking18-11
    • § 18:2.6 : Unmanned Drones18-12
  • § 18:3 : Government Collection of Location Information18-13
    • § 18:3.1 : Location Privacy Under the Fourth Amendment18-13
    • § 18:3.1 : Government Requests for CSLI18-16
      • [A] : Federal Statutes18-16
      • [B] : Case Law18-19
      • [C] : State Laws18-23
  • § 18:4 : Private Collection and Use of Location Information18-24
    • § 18:4.1 : GPS Tracking18-24
    • § 18:4.2 : Mobile Devices and Applications18-27
    • § 18:4.3 : Other Location Technologies18-33
      • [A] : Radio Frequency Identification18-33
      • [B] : Vehicle Tracking18-33
  • § 18:5 : Legislative Outlook18-34
    • § 18:5.1 : Federal Proposals18-34
    • § 18:5.2 : State Proposals18-35
  Index

“This is a timely, much-needed book that will be invaluable to practitioners approaching privacy from a wide spectrum of specialties.”
John W. Kropf, Deputy Chief Privacy Officer, Department of Homeland Security
