Preface

Introduction

Table of Contents

Chapter 1: A Brief History of Information Privacy Law
Daniel J. Solove

- § 1:1 : Introduction .... 1-3
- § 1:2 : Colonial America .... 1-4
- § 1:3 : The Nineteenth Century .... 1-6
  - § 1:3.1 : New Threats to Privacy .... 1-6
    - [A] : The Census and Government Records .... 1-6
    - [B] : The Mail .... 1-6
    - [C] : Telegraph Communications .... 1-7
  - § 1:3.2 : The Fourth and Fifth Amendments .... 1-9
  - § 1:3.3 : Privacy of the Body .... 1-9
  - § 1:3.4 : Warren and Brandeis’s “The Right to Privacy” .... 1-10
- § 1:4 : The Twentieth Century .... 1-12
  - § 1:4.1 : 1900 to 1960 .... 1-12
    - [A] : Warren and Brandeis’s Privacy Torts .... 1-12
      - [A][1] : Early Recognition .... 1-12
      - [A][2] : William Prosser and the Restatement .... 1-14
        - [A][2][a] : Intrusion upon Seclusion .... 1-14
        - [A][2][b] : Public Disclosure of Private Facts .... 1-15
        - [A][2][c] : False Light .... 1-16
        - [A][2][d] : Appropriation .... 1-16
    - [B] : The Emergence of the Breach of Confidentiality Tort .... 1-17
    - [C] : The Growth of Government Record Systems .... 1-18
    - [D] : The Telephone and Wiretapping .... 1-18
      - [D][1] : The Fourth Amendment: Olmstead v. United States .... 1-18
      - [D][2] : Federal Communications Act Section 605 .... 1-19
    - [E] : The FBI and Increasing Domestic Surveillance .... 1-20
    - [F] : Freedom of Association and the McCarthy Era .... 1-21
  - § 1:4.2 : The 1960s and 1970s .... 1-22
    - [A] : New Limits on Government Surveillance .... 1-22
      - [A][1] : Fourth Amendment Resurgence: Katz v. United States .... 1-22
      - [A][2] : Title III of the Omnibus Crime and Control Act of 1968 .... 1-23
    - [B] : The Constitutional Right to Privacy .... 1-23
      - [B][1] : Decisional Privacy: Griswold v. Connecticut .... 1-23
      - [B][2] : Information Privacy: Whalen v. Roe .... 1-23
    - [C] : Responses to the Rise of the Computer .... 1-24
      - [C][1] : Burgeoning Interest in Privacy .... 1-24
      - [C][2] : Freedom of Information Act of 1966 .... 1-24
      - [C][3] : Fair Information Practices .... 1-25
      - [C][4] : Privacy Act of 1974 .... 1-26
      - [C][5] : Family Educational Rights and Privacy Act of 1974 .... 1-27
      - [C][6] : Foreign Intelligence Surveillance Act of 1978 .... 1-27
    - [D] : Financial Privacy .... 1-28
      - [D][1] : Fair Credit Reporting Act of 1970 .... 1-28
      - [D][2] : Bank Secrecy Act of 1970 .... 1-29
      - [D][3] : United States v. Miller .... 1-29
      - [D][4] : Right to Financial Privacy Act of 1978 .... 1-30
    - [E] : The Retreat from Boyd .... 1-30
    - [F] : The Narrowing of the Fourth Amendment .... 1-31
  - § 1:4.3 : The 1980s .... 1-32
    - [A] : Receding Fourth Amendment Protection .... 1-32
    - [B] : The Growth of Federal Privacy Statutory Protection .... 1-33
      - [B][1] : Privacy Protection Act of 1980 .... 1-33
      - [B][2] : Cable Communications Policy Act of 1984 .... 1-33
      - [B][3] : Computer Matching and Privacy Protection Act of 1988 .... 1-33
      - [B][4] : Employee Polygraph Protection Act of 1988 .... 1-34
      - [B][5] : Video Privacy Protection Act of 1988 .... 1-34
    - [C] : Electronic Communications Privacy Act of 1986 .... 1-34
    - [D] : OECD Guidelines and International Privacy .... 1-35
  - § 1:4.4 : The 1990s .... 1-36
    - [A] : The Internet, Computer Databases, and Privacy .... 1-36
    - [B] : The Continued Growth of Federal Statutory Protection .... 1-36
      - [B][1] : Telephone Consumer Protection Act of 1991 .... 1-36
      - [B][2] : Driver’s Privacy Protection Act of 1994 .... 1-37
      - [B][3] : Health Insurance Portability and Accountability Act of 1996 .... 1-37
      - [B][4] : Children’s Online Privacy Protection Act of 1998 .... 1-38
      - [B][5] : The Gramm-Leach-Bliley Act of 1999 .... 1-39
    - [C] : The FTC and Privacy Policies .... 1-39
    - [D] : The EU Data Protection Directive .... 1-39
- § 1:5 : The Twenty-First Century .... 1-41
  - § 1:5.1 : After September 11: Privacy in a World of Terror .... 1-41
    - [A] : The USA PATRIOT Act of 2001 .... 1-41
    - [B] : The FISA “Wall” .... 1-41
    - [C] : The Homeland Security Act of 2002 .... 1-42
    - [D] : The Intelligence Reform and Terrorism Prevention Act of 2004 .... 1-42
    - [E] : The Real ID Act of 2005 .... 1-43
    - [F] : NSA Warrantless Surveillance .... 1-43
  - § 1:5.2 : Consumer Privacy .... 1-43
    - [A] : The Fair and Accurate Credit Transactions Act of 2003 .... 1-43
    - [B] : The National Do-Not-Call Registry .... 1-44
    - [C] : The CAN-SPAM Act of 2003 .... 1-44
    - [D] : Remsburg v. Docusearch .... 1-44
    - [E] : Privacy Policies and Contract Law .... 1-44
    - [F] : Data Security Breaches .... 1-45
- § 1:6 : Conclusion .... 1-46

Chapter 2: Financial Privacy Law; and Appendices 2A-2B
Kristen J. Mathews, Christopher Wolf

- § 2:1 : Summary and Introduction .... 2-4
  - § 2:1.1 : Evolution of Financial Privacy Law Parallels Developments in Computing .... 2-4
- § 2:2 : Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act .... 2-5
  - § 2:2.1 : Purpose and Background of the Fair Credit Reporting Act .... 2-5
  - § 2:2.2 : Coverage Under the FCRA .... 2-6
    - [A] : Definition of “Consumer” Under the FCRA .... 2-6
    - [B] : Definition of “Consumer Report” Under the FCRA .... 2-7
    - [C] : Definition of “Consumer Reporting Agency” Under the FCRA .... 2-10
  - § 2:2.3 : Permissible Use and Disclosure of Consumer Reports: The Obligation to Protect Against Unauthorized Access or Use of Consumer Information .... 2-13
  - § 2:2.4 : General Procedural Requirements for CRAs Under the FCRA .... 2-15
  - § 2:2.5 : Procedural Requirements for CRAs When Preparing and Issuing Consumer Reports for Employment Purposes .... 2-17
  - § 2:2.6 : Notice and Disclosure Requirements for CRAs Under the FCRA .... 2-18
  - § 2:2.7 : Unique Obligations with Respect to Investigative Consumer Reports .... 2-18
  - § 2:2.8 : Obligations for Users of Consumer Reports Under the FCRA .... 2-20
  - § 2:2.9 : Obligations for Resellers of Consumer Reports Under the FCRA .... 2-22
  - § 2:2.10 : Consumer Rights Under the FCRA to Dispute Information Contained in Consumer Reports .... 2-23
  - § 2:2.11 : Security Requirements of the FCRA Pertaining to Consumer Fraud and Identity Theft .... 2-24
  - § 2:2.12 : Affiliate Marketing Limits Under FACTA .... 2-30
    - [A] : Opt-Out Requirements .... 2-31
    - [B] : Exceptions .... 2-32
    - [C] : Delivery of Opt-Out Notices .... 2-33
    - [D] : Reasonable Opportunity and Means to Opt Out .... 2-34
    - [E] : Duration of Opt-Out .... 2-34
    - [F] : Model Forms and Safe Harbor .... 2-34
  - § 2:2.13 : FACTA’s Identity Theft Red Flags and Notices of Address Discrepancy Rules .... 2-35
    - [A] : Identity Theft Red Flags .... 2-35
    - [B] : Scope of the Red Flag Rules .... 2-37
    - [C] : Examples of Red Flags .... 2-38
    - [D] : Change of Address Requests .... 2-40
    - [E] : Address Discrepancy Notices .... 2-41
  - § 2:2.14 : Preemption of State Law by the FCRA .... 2-42
  - § 2:2.15 : Penalties for Violations of or Noncompliance with the FCRA .... 2-45
- § 2:3 : Right to Financial Privacy Act .... 2-46
  - § 2:3.1 : Purpose and History of the Right to Financial Privacy Act .... 2-46
  - § 2:3.2 : Procedural Operation of the RFPA .... 2-47
  - § 2:3.3 : Substantive Aspects of the RFPA .... 2-49
  - § 2:3.4 : Interplay with State Statutes .... 2-51
- § 2:4 : Gramm-Leach-Bliley Act .... 2-52
  - § 2:4.1 : Purpose and History of the Gramm-Leach-Bliley Act .... 2-52
  - § 2:4.2 : Internal Procedures and Systems to Ensure Confidentiality of Information .... 2-53
  - § 2:4.3 : Financial Institution’s Notice Obligations .... 2-59
  - § 2:4.4 : Required Substance of Notice .... 2-63
    - [A] : Parties Who Must Serve Customers with Notice .... 2-65
  - § 2:4.5 : Limitations on Disclosure .... 2-65
    - [A] : Customer Must Opt Out of Third-Party Disclosures .... 2-65
    - [B] : Exceptions to Opt-Out Requirement .... 2-66
  - § 2:4.6 : Enforcement of the GLBA’s Privacy Provisions .... 2-67
  - § 2:4.7 : GLBA’s Relationship to Other Laws .... 2-68
    - [A] : GLBA Does Not Preempt State Laws .... 2-68
    - [B] : GLBA’s Relationship with Other Federal Privacy Statutes .... 2-70
- § 2:5 : Wall Street Reform and Consumer Protection Act .... 2-71
  - § 2:5.1 : Purpose and Background of Wall Street Reform and Consumer Protection Act .... 2-71
  - § 2:5.2 : Scope of CFPB Authority .... 2-71
  - § 2:5.3 : Powers and Duties of the CFPB .... 2-74
    - [A] : Rulemaking Authority .... 2-74
    - [B] : Evaluation of Existing Standards .... 2-74
    - [C] : Regulation of Unfair, Deceptive, and Abusive Acts or Practices .... 2-74
    - [D] : Examination of Financial Industry Participants .... 2-75
  - § 2:5.4 : Enforcement Authority of the CFPB .... 2-76
- § 2:6 : Bank Secrecy Act .... 2-77
  - § 2:6.1 : Purpose and Background of the Bank Secrecy Act .... 2-77
  - § 2:6.2 : BSA Requirements .... 2-78
    - [A] : Record Creation, Storage, and Access .... 2-78
    - [B] : Reports of Suspicious Transactions .... 2-79
- § 2:7 : Freedom of Information Act .... 2-81
  - § 2:7.1 : Background and Overview of FOIA .... 2-81
  - § 2:7.2 : Procedural Aspects of FOIA .... 2-82
  - § 2:7.3 : Protection of Financial Information .... 2-83
    - [A] : Trade Secrets and Commercial or Financial Information .... 2-84
    - [B] : Files Whose Disclosure Would Constitute Unwarranted Invasion of Privacy .... 2-86
    - [C] : Regulation or Supervision of Financial Institutions .... 2-88
- § 2:8 : Electronic Fund Transfers Act .... 2-88
  - § 2:8.1 : Scope and Application .... 2-88
  - § 2:8.2 : Disclosure Requirements Under EFTA and the Act’s Implementing Regulations .... 2-89
  - § 2:8.3 : Additional EFTA Requirements Relating to Pre-Authorized Fund Transfers .... 2-90
- § 2:9 : Sarbanes-Oxley Act .... 2-91
- § 2:10 : State Laws Governing Financial Privacy .... 2-92
  - § 2:10.1 : Introduction .... 2-92
  - § 2:10.2 : State Constitutional Provisions Protecting Financial Privacy .... 2-92
  - § 2:10.3 : Statutory Provisions Protecting Financial Privacy Under State Law .... 2-93
    - [A] : Statutes Specifically Addressing Financial Privacy .... 2-95
    - [B] : General Privacy Statutes Implicating Financial Privacy .... 2-95
    - [C] : Statutes Restricting Access to Employee Credit Reports .... 2-96
    - [D] : State Security Breach Notification Laws .... 2-98
    - [E] : State Laws Implicating Information Security .... 2-99
    - [F] : State Laws Protecting Against Financial Fraud and Identity Theft .... 2-100
  - § 2:10.4 : Common Law Theories Asserted with Regard to Financial Privacy .... 2-100
    - [A] : Implied Contract .... 2-101
    - [B] : General Negligence .... 2-101
    - [C] : Invasion of Privacy .... 2-100
    - [D] : Defamation .... 2-100
- Appendix 2A : Model Form with No Opt-Out .... App. 2A-1
- Appendix 2B : Model Form with All Opt-Out .... App. 2B-1

Chapter 3: Medical Privacy

- § 3:1 : Introduction .... 3-3
- § 3:2 : HIPAA Administrative Simplification .... 3-4
  - § 3:2.1 : Definitions .... 3-4
  - § 3:2.2 : Recent Developments .... 3-5
    - [A] : The Omnibus Rule .... 3-5
      - [A][1] : Extension of HHS Enforcement Authority over Business Associates .... 3-6
      - [A][2] : Expansion of the Definition of “Business Associate” .... 3-7
      - [A][3] : New Requirements Related to Business Associate Subcontractors .... 3-8
      - [A][4] : Expanded Liability of Covered Entities and Business Associates for Acts of Their Agents .... 3-8
      - [A][5] : Tougher Breach-Reporting Standard Adopted .... 3-9
      - [A][6] : New Requirements for Notices of Privacy Practices .... 3-11
      - [A][7] : Limitations on the Sale of PHI .... 3-12
      - [A][8] : Limitation on the Use of PHI for Paid Marketing .... 3-12
      - [A][9] : Relaxation of Restrictions on the Use of PHI for Fundraising .... 3-13
      - [A][10] : Improvements to Requirements for Authorizations Related to Research .... 3-14
      - [A][11] : Additional Modifications to HIPAA .... 3-14
  - § 3:2.3 : Definitions .... 3-15
  - § 3:2.4 : HIPAA Privacy: Basic Rules .... 3-17
  - § 3:2.5 : HIPAA Security: Basic Rules .... 3-17
  - § 3:2.6 : Business Associates .... 3-17
  - § 3:2.7 : HIPAA Security Breach Notification .... 3-20
  - § 3:2.8 : Sanctions for Violations of Privacy and Security Rules .... 3-21
- § 3:3 : State Law and HIPAA Privacy Preemption .... 3-26
- § 3:4 : Heightened Protection for Specialized Types of Medical Information .... 3-27
  - § 3:4.1 : Communicable Diseases .... 3-27
    - [A] : HIV/AIDS .... 3-27
    - [B] : Confidentiality and Disclosure of HIV Test Results .... 3-28
  - § 3:4.2 : Authorized Disclosure .... 3-29
  - § 3:4.3 : Remedies for Breach of Confidentiality .... 3-30
  - § 3:4.4 : Sexually Transmitted Disease .... 3-33
  - § 3:4.5 : Tuberculosis .... 3-35
  - § 3:4.6 : Genetic Information .... 3-37
    - [A] : Genetic Discrimination .... 3-37
    - [B] : DNA Sampling by Law Enforcement .... 3-38
- § 3:5 : Privacy of Substance Abuse Records .... 3-39
  - § 3:5.1 : Introduction .... 3-39
  - § 3:5.2 : Scope of Applicability .... 3-40
  - § 3:5.3 : Exceptions to Substance Abuse Confidentiality Laws .... 3-42
  - § 3:5.4 : Other Exceptions Permitting Information Release .... 3-42
    - [A] : Release with Patient’s Consent .... 3-43
    - [B] : Voluntary Disclosure to the Criminal Justice System .... 3-43
    - [C] : Release Without a Patient’s Consent .... 3-44
    - [D] : Releases Authorized by a Court Order .... 3-44
    - [E] : Request for Records in a Criminal Proceeding .... 3-45
      - [E][1] : Confidential Information .... 3-46
  - § 3:5.5 : Conclusion .... 3-48
- § 3:6 : Medical Privacy at Common Law .... 3-48
  - § 3:6.1 : Actions Arising Out of the Disclosure of Confidential Medical Information .... 3-49
    - [A] : Theory of Recovery .... 3-49
    - [B] : Exceptions to Liability .... 3-50
  - § 3:6.2 : The Duty to Warn .... 3-52
- § 3:7 : Privilege .... 3-54
  - § 3:7.1 : State Law .... 3-55
    - [A] : Physician-Patient Privilege .... 3-55
      - [A][1] : Majority of States Have Enacted Privilege by Statute .... 3-55
      - [A][2] : Scope of the Privilege .... 3-55
        - [A][2][a] : Types of Providers Covered .... 3-55
        - [A][2][b] : Subject Matter of the Privilege .... 3-56
        - [A][2][c] : Who May Assert the Privilege .... 3-56
        - [A][2][d] : Waiver .... 3-57
        - [A][2][e] : Exceptions/Exemptions .... 3-57
    - [B] : Psychotherapist-Patient Privilege .... 3-58
      - [B][1] : Every State Has Enacted Privilege by Statute .... 3-58
      - [B][2] : Scope of the Privilege .... 3-59
        - [B][2][a] : Types of Providers Covered .... 3-59
        - [B][2][b] : Subject Matter of the Privilege .... 3-59
        - [B][2][c] : Who May Assert the Privilege .... 3-59
        - [B][2][d] : Waiver .... 3-60
        - [B][2][e] : Exceptions/Exemptions .... 3-60
  - § 3:7.2 : Federal Law .... 3-61
    - [A] : Psychiatrist-Patient Privilege .... 3-62
      - [A][1] : Rule .... 3-62
      - [A][2] : Waiver .... 3-62
      - [A][3] : Exceptions .... 3-63
        - [A][3][a] : The Dangerous-Patient Exception .... 3-63
        - [A][3][b] : The Crime-Fraud Exception .... 3-63
        - [A][3][c] : Other Exceptions .... 3-64
    - [B] : Physician-Patient Privilege .... 3-64
    - [C] : Diversity and Supplemental Jurisdiction .... 3-65
      - [C][1] : Diversity Jurisdiction .... 3-65
      - [C][2] : Supplemental Jurisdiction .... 3-65
- § 3:8 : Employers and Medical Privacy .... 3-66
  - § 3:8.1 : Americans with Disabilities Act .... 3-66
  - § 3:8.2 : HIPAA and Employer-Sponsored Health Plans .... 3-68
    - [A] : Overview of HIPAA Privacy Rules and Applicability to Health Plans .... 3-69
    - [B] : Sharing Information with Plan Sponsors Under HIPAA .... 3-70

Chapter 4: Federal Trade Commission Enforcement of Privacy
Marcia Hofmann

- § 4:1 : FTC Privacy Enforcement Authority Under the Federal Trade Commission Act and Other Laws .... 4-2
  - § 4:1.1 : Introduction and Overview .... 4-2
  - § 4:1.2 : Primary Enforcement Authority: The Federal Trade Commission Act .... 4-3
    - [A] : Unfairness .... 4-3
      - [A][1] : Injury to Consumers .... 4-4
      - [A][2] : Violation of Established Public Policy .... 4-5
      - [A][3] : Unethical or Unscrupulous Conduct .... 4-5
    - [B] : Deception .... 4-6
      - [B][1] : Representation, Omission or Practice Likely to Mislead .... 4-6
      - [B][2] : Perspective of a Reasonable Consumer in the Circumstances .... 4-6
      - [B][3] : Materiality of Representation, Omission or Practice .... 4-7
  - § 4:1.3 : Other Privacy Enforcement Authorities .... 4-7
    - [A] : Children’s Online Privacy Protection Act .... 4-8
    - [B] : Gramm-Leach-Bliley Act .... 4-9
      - [B][1] : Pretexting .... 4-10
      - [B][2] : Financial Privacy Rule .... 4-10
      - [B][3] : Safeguards Rule .... 4-11
    - [C] : Telemarketing and Consumer Fraud and Abuse Prevention Act .... 4-11
    - [D] : Fair Credit Reporting Act .... 4-12
- § 4:2 : FTC Enforcement Practice .... 4-13
  - § 4:2.1 : Overview .... 4-13
  - § 4:2.2 : Investigation .... 4-13
  - § 4:2.3 : Initiation of Enforcement Action .... 4-14
    - [A] : Administrative Enforcement .... 4-14
    - [B] : Judicial Enforcement .... 4-15
- § 4:3 : FTC Enforcement of Privacy and Security Promises .... 4-15
  - § 4:3.1 : Overview .... 4-15
  - § 4:3.2 : Commission Authority to Investigate and Enforce .... 4-15
  - § 4:3.3 : Security and Privacy Enforcement Actions .... 4-16
- § 4:4 : FTC Enforcement of Children’s Privacy .... 4-47
  - § 4:4.1 : Overview .... 4-47
  - § 4:4.2 : Commission Authority to Investigate and Enforce .... 4-48
  - § 4:4.3 : Children’s Privacy Enforcement Actions .... 4-48
- § 4:5 : FTC Enforcement of Financial Privacy .... 4-66
  - § 4:5.1 : Overview .... 4-66
  - § 4:5.2 : Commission Authority to Investigate and Enforce .... 4-66
  - § 4:5.3 : Financial Privacy Enforcement Actions .... 4-66
- § 4:6 : FTC Enforcement of Credit Information Privacy .... 4-82
  - § 4:6.1 : Overview .... 4-82
  - § 4:6.2 : Commission Authority to Investigate and Enforce .... 4-82
  - § 4:6.3 : Credit Information Privacy Enforcement Actions .... 4-82

Chapter 5: State Privacy Laws
Scott P. Cooper, Tanya L. Forsheit, Navid Soleymani, Clifford S. Davidson

- § 5:1 : Introduction .... 5-3
  - § 5:1.1 : Overview: Role of State Governments .... 5-3
  - § 5:1.2 : Origins of State Privacy Laws .... 5-4
    - [A] : Judicial—Torts and Crimes .... 5-4
    - [B] : Constitutional .... 5-5
    - [C] : Statutory .... 5-7
      - [C][1] : The California Invasion of Privacy Standard .... 5-8
- § 5:2 : Online Privacy .... 5-10
  - § 5:2.1 : State Online Privacy Protection Statutes .... 5-10
    - [A] : California Online Privacy Protection Act (OPPA) .... 5-10
    - [B] : Other States .... 5-13
    - [C] : Related State Legislation Affecting Online Businesses .... 5-14
  - § 5:2.2 : Employee Social Media Protection Laws .... 5-14
- § 5:3 : Spyware .... 5-15
  - § 5:3.1 : California .... 5-15
  - § 5:3.2 : Other States Following California’s Approach .... 5-17
  - § 5:3.3 : Other States with More Limited Spyware Statutes .... 5-18
- § 5:4 : Spam .... 5-19
  - § 5:4.1 : The Federal Statute and Preemption .... 5-19
  - § 5:4.2 : State Regulation of Spam .... 5-23
    - [A] : Opt-In Provisions .... 5-23
    - [B] : Opt-Out Provisions .... 5-23
    - [C] : Subject-Line Labeling Requirements .... 5-24
    - [D] : Provisions Prohibiting False or Misleading Practices .... 5-24
    - [E] : Bans on Selling Software That Can Be Used to Falsify Routing Information .... 5-25
- § 5:5 : Identity Theft .... 5-26
  - § 5:5.1 : Laws Criminalizing Identity Theft .... 5-26
  - § 5:5.2 : Laws Allowing Victims to Initiate Investigations and/or Clear Their Names .... 5-27
  - § 5:5.3 : Rights of Action Against Perpetrators .... 5-28
  - § 5:5.4 : Protections and Rights of Action Against Debt Collectors .... 5-28
  - § 5:5.5 : Notice of Security Breach Legislation .... 5-29
    - [A] : The California Framework .... 5-30
    - [B] : Other State Security Breach Notification Provisions .... 5-32
      - [B][1] : “Material” Breach Necessary to Trigger Notification .... 5-32
      - [B][2] : Expanded Definition of “Personal Information” .... 5-35
      - [B][3] : Necessity to Notify Customers of a Breach of Non-Computerized Data .... 5-38
      - [B][4] : Notification Procedures .... 5-39
      - [B][5] : Duty to Notify Other Entities .... 5-42
      - [B][6] : Duty of Non-Owners Maintaining Data .... 5-45
      - [B][7] : Exemption from Notification for Entities in Compliance with GLBA .... 5-46
      - [B][8] : Exemption from Notification for Encrypted Information .... 5-46
      - [B][9] : Penalties for Violation .... 5-48
      - [B][10] : Minnesota Law Requires Reimbursement of Card-Issuing Financial Institutions for Costs Associated with a Data Breach .... 5-51
      - [B][11] : State Credit Freeze Laws .... 5-52
  - § 5:5.6 : Data Security and Destruction Requirements .... 5-53
- § 5:6 : Financial Privacy .... 5-55
  - § 5:6.1 : California Financial Information Privacy Act .... 5-55
  - § 5:6.2 : Other States .... 5-57
  - § 5:6.3 : Preemption .... 5-58
  - § 5:6.4 : Credit Card Transactions .... 5-59
    - [A] : Restrictions on Merchants .... 5-59
    - [B] : Prohibition on Disclosure of Marketing Information .... 5-61
- § 5:7 : Privacy of Insurance-Related Information .... 5-61
  - § 5:7.1 : The National Association of Insurance Commissioners (NAIC) Model Acts .... 5-62
  - § 5:7.2 : Definitions of “Personal Information” and Similar Terms .... 5-63
  - § 5:7.3 : The GLBA Joint Marketing Exception and 2003 Model Act States .... 5-64
- § 5:8 : Laws Governing Disclosure and Use of Social Security Numbers .... 5-64
  - § 5:8.1 : The California Framework .... 5-66
    - [A] : Jurisdictional Modification to the California Framework .... 5-67
      - [A][1] : Prohibiting SSNs in Customer Mailings .... 5-67
      - [A][2] : Expanded Exemptions from the California Framework .... 5-67
  - § 5:8.2 : Other State Law Regulation of the Use of Social Security Numbers .... 5-69
    - [A] : Requiring a Consumer’s SSN to Complete a Transaction .... 5-69
    - [B] : Privacy Policy for Handling SSNs .... 5-70
    - [C] : Employers .... 5-70
    - [D] : Other Modifications .... 5-71
- § 5:9 : Unsolicited Telephone Marketing .... 5-71
  - § 5:9.1 : Telemarketing: State Do-Not-Call Laws .... 5-71
  - § 5:9.2 : Laws Restricting Cell Phone Marketing .... 5-73
- § 5:10 : Electronic Eavesdropping .... 5-75
  - § 5:10.1 : State Statutory Schemes .... 5-75
- § 5:11 : Radio Frequency Identification .... 5-76

Chapter 6: Privacy of Electronic Communications

- § 6:1 : Introduction .... 6-2
  - § 6:1.1 : Purpose and History of the ECPA .... 6-4
  - § 6:1.2 : Amendments .... 6-9
- § 6:2 : Title I—The Wiretap Act .... 6-10
  - § 6:2.1 : Communications Covered .... 6-12
    - [A] : Oral Communications .... 6-12
      - [A][1] : Expectation of Privacy .... 6-12
      - [A][2] : Silent Video .... 6-19
    - [B] : Wire Communications .... 6-20
      - [B][1] : Cordless Phones .... 6-21
      - [B][2] : Voice Mail .... 6-23
    - [C] : Electronic Communications .... 6-24
  - § 6:2.2 : Intentional Interception of Communications .... 6-25
    - [A] : “Intercept” .... 6-26
      - [A][1] : Contemporaneous Acquisition Requirement .... 6-26
      - [A][2] : Access to Temporarily Stored Emails .... 6-31
      - [A][3] : Access to Telephone Numbers or Other Associated Information .... 6-41
      - [A][4] : Keyloggers and Screen Captures .... 6-43
    - [B] : Intent .... 6-46
  - § 6:2.3 : Use or Disclosure of an Intercepted Communication .... 6-49
  - § 6:2.4 : Exceptions .... 6-52
    - [A] : Communications Service in Normal Course of Operation .... 6-53
    - [B] : Consent by a Party to a Communication .... 6-57
      - [B][1] : Implied Consent .... 6-61
      - [B][2] : Tortious or Criminal Purpose Exception .... 6-62
      - [B][3] : The Case of “Cookies” .... 6-64
        - Figure 6-1 : Placing Third-Party Advertisements on a Website .... 6-66
    - [C] : Business Extensions .... 6-68
    - [D] : Communications to the Public .... 6-74
    - [E] : First Amendment .... 6-76
  - § 6:2.5 : Private Cause of Action .... 6-80
    - [A] : Litigating Wiretap Act Claims .... 6-82
    - [B] : Limitations .... 6-84
    - [C] : Damages .... 6-85
    - [D] : Good-Faith Defense .... 6-88
  - § 6:2.6 : State Wiretap Acts .... 6-90
- § 6:3 : Title II—Stored Communications Act .... 6-92
  - § 6:3.1 : Access to Stored Communications .... 6-93
    - [A] : Electronic Communication Service Facility .... 6-93
    - [B] : “Unauthorized Access” .... 6-98
      - [B][1] : Privacy Policies .... 6-101
      - [B][2] : Subpoenas .... 6-102
      - [B][3] : Exceeding Authorized Access .... 6-104
    - [C] : “Electronic Storage” .... 6-105
      - [C][1] : Cookies and Other Data Stored on Computers .... 6-107
    - [D] : Exceptions .... 6-109
      - [D][1] : Access Authorized by a Service Provider .... 6-109
      - [D][2] : Access Authorized by a Party .... 6-110
  - § 6:3.2 : Disclosures by Communications Services .... 6-112
    - [A] : Disclosures Prohibited Under Section 2702 .... 6-112
      - [A][1] : Contents of Communications .... 6-116
        - [A][1][a] : Exceptions .... 6-117
      - [A][2] : Customer Records .... 6-122
        - [A][2][a] : Exceptions .... 6-125
      - [A][3] : Anti-Pretexting Laws .... 6-125
    - [B] : Disclosures to the Government Required Under Section 2703 .... 6-127
  - § 6:3.3 : Private Cause of Action .... 6-129
- § 6:4 : Title III—Pen Registers and Trap-and-Trace Devices .... 6-133

Chapter 7: The Foreign Intelligence Surveillance Act
Christopher Wolf, Rachel Glickman

- § 7:1 : Introduction .... 7-2
  - § 7:1.1 : Connection to Privacy Principles .... 7-2
  - § 7:1.2 : Historical Background: Electronic Surveillance for National Security Purposes .... 7-3
- § 7:2 : The Foreign Intelligence Surveillance Act (FISA) .... 7-5
  - § 7:2.1 : Scope of the FISA .... 7-5
  - § 7:2.2 : Permissible Electronic Surveillance Under FISA: The Target Must Be a Foreign Power .... 7-5
  - § 7:2.3 : Procedure for Obtaining a FISA Court Order for Surveillance .... 7-6
  - § 7:2.4 : Permissible Electronic Surveillance Without a Court Order .... 7-7
  - § 7:2.5 : Covered Surveillance Methods .... 7-8
  - § 7:2.6 : Foreign Intelligence Must Be a “Significant Purpose of Surveillance” .... 7-10
  - § 7:2.7 : Minimization Procedures .... 7-10
  - § 7:2.8 : Remedies for Violation .... 7-12
- § 7:3 : The Foreign Intelligence Surveillance Court .... 7-13
  - § 7:3.1 : Basic Structure .... 7-13
  - § 7:3.2 : Legal Standards .... 7-14
  - § 7:3.3 : Appellate Review .... 7-15
- § 7:4 : Controversy Surrounding the Warrantless Interception of Communication by the NSA .... 7-15
  - § 7:4.1 : Background .... 7-15
  - § 7:4.2 : Codifying the Terrorist Surveillance Program Under FISA .... 7-19
  - § 7:4.3 : The FISA Amendments Act of 2008 .... 7-20
- § 7:5 : Conclusion .... 7-21

Chapter 8: Privacy and Homeland Security; and Appendices 8A-8F
Holly Chapin, Hugo Teufel

- § 8:1 : Background: Intelligence, Surveillance, and Privacy Pre-9/11 .... 8-2
- § 8:2 : Establishment of Department of Homeland Security .... 8-4
  - § 8:2.1 : DHS Organization and Functions .... 8-5
  - § 8:2.2 : Authorities for Privacy Protection at DHS .... 8-6
- § 8:3 : Privacy Protection at Other Agencies .... 8-8
  - § 8:3.1 : Internal Privacy Protection Requirements for Executive-Branch Agencies .... 8-8
  - § 8:3.2 : Executive-Branch Privacy/Civil Liberties Oversight .... 8-10
    - [A] : Board on Safeguarding Americans’ Civil Liberties .... 8-10
    - [B] : Privacy and Civil Liberties Oversight Board .... 8-11
- § 8:4 : DHS Privacy Office Functions .... 8-14
  - § 8:4.1 : Policy .... 8-15
    - [A] : Fair Information Practice Principles .... 8-15
    - [B] : Use of Social Media .... 8-16
    - [C] : Other Guidance .... 8-17
  - § 8:4.2 : Compliance .... 8-18
  - § 8:4.3 : Oversight .... 8-19
  - § 8:4.4 : Incidents and Breaches .... 8-22
  - § 8:4.5 : Education and Training .... 8-23
  - § 8:4.6 : Outreach .... 8-26
- § 8:5 : High-Profile Privacy Issues in Homeland Security .... 8-26
  - § 8:5.1 : Information-Sharing .... 8-27
    - [A] : Breaking Down the Wall of Separation .... 8-27
    - [B] : Information Sharing Environment (ISE) .... 8-28
  - § 8:5.2 : Fusion Centers .... 8-31
    - [A] : Organization and Mission .... 8-31
    - [B] : Civil Liberties Concerns .... 8-33
  - § 8:5.3 : Watchlists .... 8-36
    - [A] : Watchlists, Pre-9/11 .... 8-36
    - [B] : Integration and Use of Screening Information .... 8-37
    - [C] : Redress and Oversight .... 8-38
  - § 8:5.4 : Data Mining .... 8-39
    - [A] : Privacy Concerns Versus Combating Terrorism .... 8-40
    - [B] : Establishing a Uniform Definition of “Data Mining” .... 8-41
    - [C] : High-Profile Data Mining .... 8-45
      - [C][1] : Program “Able Danger” .... 8-45
      - [C][2] : JetBlue Data Transfer .... 8-46
      - [C][3] : Total Information Awareness/Terrorism Information Awareness (TIA) .... 8-47
      - [C][4] : Multistate Anti-Terrorism Information Exchange (MATRIX) .... 8-48
      - [C][5] : Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE) .... 8-49
  - § 8:5.5 : Transatlantic Exchanges of Personal Data .... 8-50
    - [A] : Background .... 8-50
    - [B] : Conflicting Data-Protection Requirements .... 8-51
    - [C] : Common Principles Underlying Future Information-Sharing .... 8-53
- Appendix 8A : The Fair Information Practice Principles .... App. 8A-1
- Appendix 8B : DHS Policy Regarding Privacy Impact Assessments .... App. 8B-1
- Appendix 8C : DHS Privacy Policy Regarding Collection, Use, Retention, and Dissemination of Information on Non-U.S. Persons .... App. 8C-1
- Appendix 8D : Privacy and Homeland Security Issues in the Airline Industry .... App. 8D-1
- Appendix 8E : Department of Homeland Security Organizational Chart .... App. 8E-1
- Appendix 8F : Privacy Act Amendment Requests .... App. 8F-1

Chapter 9: Workplace Privacy Law
Kathleen M. McKenna, Anthony J. Oncidi

- § 9:1 : Selection of Employees .... 9-3
  - § 9:1.1 : Pre-Hire Inquiries .... 9-3
    - [A] : Inquiries Regarding Race, Sex, Religion, and Other Protected Characteristics .... 9-3
    - [B] : Disability-Related Inquiries .... 9-5
    - [C] : Psychological Testing and Examinations .... 9-6
    - [D] : Union Status .... 9-7
    - [E] : Litigation History .... 9-7
  - § 9:1.2 : References .... 9-7
  - § 9:1.3 : Blacklisting .... 9-10
- § 9:2 : Collection of Personal Information .... 9-11
  - § 9:2.1 : Medical Information .... 9-13
    - [A] : Health Insurance Portability and Accountability Act of 1996 .... 9-13
    - [B] : HIV/AIDS .... 9-16
    - [C] : Confidentiality of Patient Medical Records .... 9-18
      - [C][1] : Federal Law .... 9-18
      - [C][2] : State Law .... 9-18
  - § 9:2.2 : Past Criminal and Arrest Records .... 9-23
    - [A] : Federal Law .... 9-23
      - [A][1] : Title VII .... 9-23
      - [A][2] : Intelligence Reform and Terrorism Prevention Act .... 9-25
    - [B] : State Law .... 9-26
  - § 9:2.3 : Fingerprints and Photographs .... 9-28
  - § 9:2.4 : Financial Data .... 9-30
    - [A] : Federal Law .... 9-30
      - [A][1] : Fair Credit Reporting Act of 1970 .... 9-30
      - [A][2] : Fair and Accurate Credit Transactions Act .... 9-31
    - [B] : State Law .... 9-32
  - § 9:2.5 : Educational Records .... 9-33
    - [A] : Federal Law .... 9-33
    - [B] : State Law .... 9-34
  - § 9:2.6 : Personal Identification Information .... 9-34
    - [A] : Information Stored on Computers .... 9-34
    - [B] : Social Security Numbers .... 9-35
    - [C] : Motor Vehicle Information .... 9-37
    - [D] : Verification of Employment Eligibility: E-Verify .... 9-38
  - § 9:2.7 : Access to Personnel Records .... 9-39
  - § 9:2.8 : Genetic Information .... 9-41
- § 9:3 : Policies Regulating Employee Conduct .... 9-43
  - § 9:3.1 : Sexual Conduct, Intimate Relationships, Fraternization, Procreation, Marriage .... 9-43
    - [A] : Common Law Claims—Private Employees .... 9-43
      - [A][1] : Invasion of Privacy .... 9-43
        - [A][1][a] : Public Disclosure of Private Facts .... 9-43
        - [A][1][b] : Intrusion upon Seclusion .... 9-45
      - [A][2] : Wrongful Termination in Violation of Public Policy .... 9-46
    - [B] : Statutory Claims .... 9-47
    - [C] : Constitutional Privacy Right .... 9-47
  - § 9:3.2 : Grooming and Dress Codes .... 9-49
    - [A] : Mutable Versus Immutable Characteristics .... 9-49
    - [B] : Hair Length and Style .... 9-50
      - [B][1] : Federal Law .... 9-50
      - [B][2] : State Law .... 9-53
    - [C] : Beards and Moustaches .... 9-53
      - [C][1] : Federal Law .... 9-53
      - [C][2] : State Law .... 9-55
    - [D] : Dress Codes .... 9-56
      - [D][1] : Federal Law .... 9-56
      - [D][2] : State Law .... 9-57
    - [E] : Gender Identity Issue .... 9-58
  - § 9:3.3 : Polygraphs and Lie Detector Tests .... 9-59
  - § 9:3.4 : Genetic Testing .... 9-60
  - § 9:3.5 : Drug and Alcohol Use .... 9-61
    - [A] : Federal Law .... 9-61
      - [A][1] : Constitution .... 9-61
      - [A][2] : Americans with Disabilities Act (ADA) .... 9-63
      - [A][3] : Other Federal Statutes and Regulations .... 9-65
    - [B] : State Laws .... 9-66
      - [B][1] : Constitutions .... 9-66
      - [B][2] : Statutes .... 9-66
    - [C] : Contractual and Common Law Theories of Liability .... 9-68
  - § 9:3.6 : Smoking .... 9-69
    - [A] : Restrictions on Smoking in the Workplace .... 9-69
    - [B] : Off-Duty Smoking .... 9-70
  - § 9:3.7 : Disclosure of Wages .... 9-71
  - § 9:3.8 : Blogging and Cybersmearing .... 9-72
    - [A] : Validity of Employee Confidentiality Policies .... 9-73
    - [B] : Potential Causes of Action .... 9-73
      - [B][1] : Private Blogs and the Stored Communications Act .... 9-73
      - [B][2] : Trespass to Chattels .... 9-75
      - [B][3] : Defamation .... 9-75
- § 9:4 : Surveillance of Employees .... 9-77
  - § 9:4.1 : Employer Investigations Generally .... 9-77
  - § 9:4.2 : Physical Searches .... 9-78
    - [A] : Introduction .... 9-78
    - [B] : Public Employer Searches .... 9-79
    - [C] : Private Employer Searches .... 9-82
      - [C][1] : Third-Party Consent .... 9-83
    - [D] : NLRA .... 9-84
  - § 9:4.3 : Email and Internet Use Searches .... 9-84
    - [A] : Notice .... 9-84
    - [B] : Statutory Provisions .... 9-88
      - [B][1] : Federal Law .... 9-88
        - [B][1][a] : The Electronic Communications Privacy Act .... 9-88
          - [B][1][a][i] : Exceptions .... 9-91
        - [B][1][b] : The Federal Computer Fraud and Abuse Act .... 9-93
        - [B][1][c] : NLRA .... 9-95
    - [C] : State Law .... 9-95
  - § 9:4.4 : Instant Electronic Communications .... 9-97
    - [A] : Instant Messaging .... 9-97
    - [B] : Text Messaging .... 9-98
  - § 9:4.5 : Eavesdropping, Recording Telephone Conversations, and Video Monitoring .... 9-99
  - § 9:4.6 : Human Tracking Devices .... 9-102
  - § 9:4.7 : USA PATRIOT Act .... 9-106

Chapter 10: |
Privacy and Commercial Communications |
Michael Hintze ~ Robert Forbes ~ |
|
- § 10:1 : Overview10-3
  - § 10:1.1 : Connection to Privacy Principles and Laws ..... 10-3
  - § 10:1.2 : General Considerations ..... 10-4
- § 10:2 : Email Communications ..... 10-4
  - § 10:2.1 : Source and Scope of Rules ..... 10-4
  - § 10:2.2 : What Is a “Commercial Electronic Mail Message”? ..... 10-6
  - § 10:2.3 : What Is an “Electronic Mail Address”? ..... 10-8
  - § 10:2.4 : Who Is the “Sender”? ..... 10-10
  - § 10:2.5 : Consent Requirements ..... 10-12
  - § 10:2.6 : Information to Be Included in Each Message ..... 10-13
  - § 10:2.7 : Forward-to-a-Friend Features ..... 10-14
  - § 10:2.8 : Specific Rules for Messages Sent to Wireless Domains ..... 10-16
  - § 10:2.9 : Prohibitions on Fraudulent, Deceptive, and Abusive Practices ..... 10-18
  - § 10:2.10 : Additional Rules Regarding Sexually Oriented Material ..... 10-19
- § 10:3 : Telephone Communications ..... 10-21
  - § 10:3.1 : Source and Scope of Rules ..... 10-21
  - § 10:3.2 : Consent Requirements ..... 10-22
    - [A] : Company-Specific Consent Requirements ..... 10-23
    - [B] : National Do Not Call Registry ..... 10-24
    - [C] : State Do-Not-Call Lists ..... 10-25
  - § 10:3.3 : Required Call Content ..... 10-26
  - § 10:3.4 : Time and Frequency Restrictions ..... 10-28
  - § 10:3.5 : Use of Autodialers, Prerecorded Messages, and Other Technologies ..... 10-28
  - § 10:3.6 : Prohibitions on Deceptive or Abusive Telemarketing Practices ..... 10-31
  - § 10:3.7 : Record-Keeping and Compliance Requirements ..... 10-32
- § 10:4 : Fax Communication ..... 10-33
  - § 10:4.1 : Source and Scope of Rules ..... 10-33
  - § 10:4.2 : Consent Requirements ..... 10-34
  - § 10:4.3 : Information to Be Included in Each Message ..... 10-35
- § 10:5 : Direct Mail Communications ..... 10-36
  - § 10:5.1 : Source and Scope of Rules ..... 10-36
  - § 10:5.2 : Restrictions and Prohibitions on Mailing Certain Content ..... 10-36
    - [A] : Fraudulent or Deceptive Content ..... 10-36
    - [B] : Prohibited or Restricted Advertising Content ..... 10-37
    - [C] : Mailings Containing Certain Goods, Samples, Etc. ..... 10-38
  - § 10:5.3 : Consent Requirements ..... 10-38
    - [A] : Sexually Oriented Advertisements ..... 10-39
    - [B] : “Pandering” Advertisements ..... 10-40
    - [C] : Sweepstakes and Skill Contests ..... 10-40
- § 10:6 : Text Messaging ..... 10-41
  - § 10:6.1 : Source and Scope of Rules ..... 10-41
  - § 10:6.2 : What Is a Text Message? ..... 10-41
  - § 10:6.3 : Consent Requirements ..... 10-42
    - [A] : Messages Sent to a Number ..... 10-42
      - [A][1] : Do Not Call Rules ..... 10-42
    - [B] : Messages Sent to a Username and Domain Name ..... 10-43
      - [B][1] : Express Prior Authorization ..... 10-44
      - [B][2] : FCC List of Wireless Domains ..... 10-45
      - [B][3] : Procedures for Receiving and Honoring Opt-Out Requests ..... 10-45
    - [C] : State-Law Consent Requirements ..... 10-46
      - [C][1] : California ..... 10-46
      - [C][2] : Rhode Island ..... 10-48
      - [C][3] : Washington ..... 10-49
      - [C][4] : State Spam Laws ..... 10-51
  - § 10:6.4 : Sending Automated Text Messages ..... 10-51
  - § 10:6.5 : Industry Self-Regulation ..... 10-52
    - [A] : Mobile Marketing Association ..... 10-52
    - [B] : Direct Marketing Association’s Guidelines for Ethical Business Practice ..... 10-56
- § 10:7 : Social Media ..... 10-57
  - § 10:7.1 : Source and Scope of Rules ..... 10-57
  - § 10:7.2 : What Is Social Media? ..... 10-57
  - § 10:7.3 : Sending Messages via Social Media ..... 10-58
  - § 10:7.4 : Gathering and Using Consumer Data from Social Media Sites ..... 10-58
    - [A] : Disclosure of Users’ Personal Information to Third Parties ..... 10-58
    - [B] : Address Book Harvesting ..... 10-59
    - [C] : Location-Based Services ..... 10-60
    - [D] : Computer Fraud Statutes ..... 10-60
    - [E] : Industry Self-Regulation of Information Gathering and Distribution ..... 10-62
  - § 10:7.5 : Using Social Media Users’ Actions As Advertisements ..... 10-63
    - [A] : Advertising Social Media Users’ Activity Within the Social Media Site ..... 10-63
    - [B] : Advertising Social Media Users’ Internet Activity Outside the Social Media Site ..... 10-64
- § 10:8 : Conclusions ..... 10-64

Chapter 11: The Children’s Online Privacy Protection Act (COPPA)
Nancy L. Savitt

- § 11:1 : Introduction/Overview ..... 11-3
  - § 11:1.1 : Enactment ..... 11-3
  - § 11:1.2 : Statutory Overview ..... 11-4
  - § 11:1.3 : Who Enforces the Statute ..... 11-5
- § 11:2 : Who Is Subject to the Statute ..... 11-6
  - § 11:2.1 : “Operator” ..... 11-6
    - [A] : Factors Determining Operator Status ..... 11-8
    - [B] : Special Cases ..... 11-9
      - [B][1] : Internet Service Providers and Other “Mere Conduits” ..... 11-9
      - [B][2] : Advertisers ..... 11-10
      - [B][3] : Non-U.S. Operators ..... 11-11
      - [B][4] : Nonprofits ..... 11-11
  - § 11:2.2 : “Website or Online Service Directed to Children” ..... 11-11
    - [A] : Primary Content Provider Versus Plug-Ins ..... 11-12
    - [B] : Age-Screening Where Children Are Not “Primary Audience” ..... 11-12
  - § 11:2.3 : General Audience Website ..... 11-15
    - [A] : “Actual Knowledge” ..... 11-16
- § 11:3 : What Activities Does COPPA Cover? ..... 11-17
  - § 11:3.1 : “Personal Information” ..... 11-17
  - § 11:3.2 : “Collection” ..... 11-19
    - [A] : Requesting a Child to Submit Personal Information Online ..... 11-19
    - [B] : Enabling a Child to Publicly Disclose Personal Information ..... 11-20
      - [B][1] : To Monitor or Not to Monitor ..... 11-21
    - [C] : Cookies and Passive Tracking ..... 11-22
  - § 11:3.3 : “Disclosure” ..... 11-22
    - [A] : Release of Personal Information ..... 11-22
      - [A][1] : Third Party Versus Provider of “Support for the Internal Operations of the Website” ..... 11-23
    - [B] : Making Personal Information Publicly Available ..... 11-25
- § 11:4 : How to Comply with COPPA ..... 11-25
  - § 11:4.1 : Need Prior Parental Consent Unless Fall Within Exception ..... 11-26
    - [A] : “Verifiable Parental Consent” (“Verifiable Consent”) ..... 11-26
    - [B] : “Parent” ..... 11-27
      - [B][1] : Schools ..... 11-27
      - [B][2] : Ascertaining Whether Someone Is a “Parent” ..... 11-27
      - [B][3] : Parents’ Right to Review and Have Information Deleted ..... 11-28
  - § 11:4.2 : Exceptions to Consent ..... 11-30
    - [A] : To Obtain Parental Consent ..... 11-30
    - [B] : To Respond to a Child’s Specific Request on a One-Time Basis ..... 11-31
    - [C] : To Respond More Than Once to a Child’s Specific Request ..... 11-32
    - [D] : To Protect the Child’s Safety ..... 11-34
    - [E] : To Protect the Website ..... 11-34
    - [F] : To Notify and Update Parents About a Website That Does Not Collect Personal Information ..... 11-35
    - [G] : To Collect a Persistent Identifier in Limited Circumstances ..... 11-36
  - § 11:4.3 : How to Get Consent ..... 11-36
    - [A] : Notice ..... 11-36
      - [A][1] : Requirements for Notice ..... 11-37
        - [A][1][a] : “Clear and Understandable” ..... 11-37
        - [A][1][b] : Information Collected and How It Is Used ..... 11-37
        - [A][1][c] : Disclosures to Third Parties and Others ..... 11-38
        - [A][1][d] : Parental Review Rights ..... 11-38
        - [A][1][e] : Operators’ Contact Information ..... 11-39
      - [A][2] : Privacy Policy Placement ..... 11-41
      - [A][3] : Direct Notice to Parents ..... 11-41
        - [A][3][a] : “Material Change” ..... 11-41
    - [B] : Consent ..... 11-42
      - [B][1] : Full Consent ..... 11-42
        - [B][1][a] : Print and Send or Scan ..... 11-42
        - [B][1][b] : Credit Card Transaction ..... 11-42
        - [B][1][c] : Toll-Free Number or Video Conference ..... 11-43
        - [B][1][d] : Government-Issued Identification ..... 11-43
        - [B][1][e] : Other Methods ..... 11-43
      - [B][2] : Email Plus Consent ..... 11-44
      - [B][3] : Online Consent Form Insufficient ..... 11-46
  - § 11:4.4 : What Happens If the Operator Does Not Get Parental Consent ..... 11-46
    - [A] : Delete Information ..... 11-46
    - [B] : Limited Permission to Terminate Service ..... 11-47
      - [B][1] : Cannot Terminate for Non-Consent to Third-Party Disclosure ..... 11-47
  - § 11:4.5 : Security and Data Retention/Deletion ..... 11-48
  - § 11:4.6 : Safe Harbors ..... 11-51
- § 11:5 : Sanctions/Penalties ..... 11-51
  - § 11:5.1 : FTC COPPA Enforcement Actions ..... 11-53
  - § 11:5.2 : FTC Non-COPPA Enforcement ..... 11-55

Chapter 12: The Privacy Act of 1974 and Its Progeny
Kenneth P. Mortensen, Nuala O’Connor Kelly

- § 12:1 : Introduction ..... 12-3
- § 12:2 : Privacy Act Statutory Provisions ..... 12-4
  - § 12:2.1 : 5 U.S.C. § 552a(a): Definitions ..... 12-4
    - [A] : “Agency” ..... 12-4
      - [A][1] : Privacy Act Applies Only to Federal Agencies ..... 12-4
      - [A][2] : Executive Office of the President ..... 12-5
      - [A][3] : State and Local Government Agencies ..... 12-7
      - [A][4] : Other Entities ..... 12-7
    - [B] : “Individual” ..... 12-8
    - [C] : “Maintain” ..... 12-10
    - [D] : “Record” ..... 12-10
    - [E] : “System of Records” ..... 12-13
    - [F] : “Statistical Record” ..... 12-16
    - [G] : “Routine Use” ..... 12-17
  - § 12:2.2 : 5 U.S.C. § 552a(b): Conditions of Disclosure ..... 12-18
    - [A] : Disclosure Within Agencies ..... 12-19
    - [B] : Disclosure to the Public ..... 12-19
    - [C] : Disclosure for a “Routine Use” ..... 12-20
    - [D] : Disclosure to the Bureau of the Census ..... 12-22
    - [E] : Disclosure for Statistical Research and Reporting ..... 12-23
    - [F] : Disclosure to National Archives ..... 12-24
    - [G] : Disclosure for Law Enforcement Purposes ..... 12-24
    - [H] : Disclosure Under Emergency Circumstances ..... 12-25
    - [I] : Disclosure to Congress ..... 12-26
    - [J] : Disclosure to the General Accountability Office ..... 12-26
    - [K] : Disclosure Pursuant to Court Order ..... 12-26
    - [L] : Disclosure to a Consumer Reporting Agency ..... 12-27
    - [M] : Disclosure of Social Security Numbers ..... 12-27
  - § 12:2.3 : 5 U.S.C. § 552a(d): Access to Records ..... 12-28
    - [A] : Individual Access ..... 12-28
    - [B] : Amending Records ..... 12-30
  - § 12:2.4 : 5 U.S.C. § 552a(g)(4): Remedies ..... 12-32
- § 12:3 : Systems of Records Notice Guidance ..... 12-32
  - § 12:3.1 : Definitions ..... 12-32
  - § 12:3.2 : Contents ..... 12-32
  - § 12:3.3 : How to Prepare a System of Records Notice ..... 12-33
    - [A] : Key Elements ..... 12-33
    - [B] : Storage ..... 12-34
    - [C] : Record Identification ..... 12-34
    - [D] : Security Safeguards ..... 12-34
    - [E] : Retention and Disposal ..... 12-34
    - [F] : Notification Procedures; Record Access Procedures; Contesting Record Procedures ..... 12-35
    - [G] : Record Source Categories ..... 12-35
    - [H] : Systems Exempted from Certain Provisions of the Act ..... 12-35
    - [I] : Routine Uses ..... 12-36
- § 12:4 : E-Government Act Section 208 Statutory Provisions: Privacy Impact Assessments ..... 12-37
  - § 12:4.1 : Section 208(b)(1): Responsibilities of Agencies ..... 12-38
    - [A] : When to Do a Privacy Impact Assessment ..... 12-38
    - [B] : Agency Activities ..... 12-39
    - [C] : Sensitive Information ..... 12-39
  - § 12:4.2 : Section 208(b)(2): Contents of a Privacy Impact Assessment ..... 12-40
    - [A] : OMB Guidance ..... 12-40
    - [B] : What Information Is Collected? ..... 12-40
    - [C] : Why Is the Information Collected? ..... 12-41
    - [D] : What Is the Intended Use of the Information? ..... 12-41
    - [E] : Who Will the Information Be Shared With? ..... 12-41
    - [F] : What Notice Will Be Given Regarding the Information’s Use and Collection? ..... 12-42
    - [G] : How Will the Information Be Secured? ..... 12-42
    - [H] : Is a System of Records Notice Created? ..... 12-42
- § 12:5 : Privacy Impact Assessment Guidance ..... 12-42
  - § 12:5.1 : Introduction ..... 12-42
  - § 12:5.2 : What Is a PIA? ..... 12-43
  - § 12:5.3 : Complying with the PIA Requirement ..... 12-43
  - § 12:5.4 : Information Covered by the PIA ..... 12-45
  - § 12:5.5 : Regarding “Private” Information ..... 12-45
  - § 12:5.6 : Regarding Privacy Act System of Records Notice (SORN) Requirements Versus PIA Requirements ..... 12-46
  - § 12:5.7 : When to Conduct a PIA ..... 12-46
  - § 12:5.8 : Classified Information and Systems ..... 12-46
  - § 12:5.9 : Negative PIAs ..... 12-46
  - § 12:5.10 : How to Conduct a PIA ..... 12-46
  - § 12:5.11 : Writing the PIA ..... 12-47
    - [A] : Introduction ..... 12-47
    - [B] : Section 1.0: The System and the Information Collected and Stored with the System ..... 12-48
    - [C] : Section 2.0: Uses of the System and the Information ..... 12-49
    - [D] : Section 3.0: Retention ..... 12-51
    - [E] : Section 4.0: Internal Sharing and Disclosure ..... 12-51
    - [F] : Section 5.0: External Sharing and Disclosure ..... 12-52
    - [G] : Section 6.0: Notice ..... 12-53
    - [H] : Section 7.0: Individual Access, Redress, and Correction ..... 12-54
    - [I] : Section 8.0: Technical Access and Security ..... 12-55
    - [J] : Section 9.0: Technology ..... 12-56
    - [K] : Conclusion ..... 12-56
    - [L] : Approval and Signature Page ..... 12-56

Chapter 13: Canadian Privacy Law
John Beardwood, Gabriel M.A. Stern, Daniel Fabiano

- § 13:1 : Nature of the Canadian Privacy Framework ..... 13-3
  - § 13:1.1 : Intersecting Federal and Provincial Privacy Regimes ..... 13-3
    - [A] : Public Sector ..... 13-3
    - [B] : Private Sector ..... 13-4
      - [B][1] : Québec ..... 13-4
      - [B][2] : Federal ..... 13-5
      - [B][3] : Provincial (Other Than Québec) ..... 13-6
    - [C] : Personal Health Information ..... 13-7
    - [D] : Statutory Tort of Invasion of Privacy ..... 13-8
  - § 13:1.2 : Privacy Principles from Common Law ..... 13-9
    - [A] : Common-Law Tort of Privacy ..... 13-9
    - [B] : Work Product ..... 13-11
    - [C] : Surveillance ..... 13-12
      - [C][1] : Reasonableness of Surveillance in the Workplace ..... 13-12
      - [C][2] : Surveillance Evidence in Litigation ..... 13-13
  - § 13:1.3 : Relationship Between the Canadian and European Privacy Regimes ..... 13-14
- § 13:2 : Personal Information ..... 13-16
  - § 13:2.1 : Scope of Definition of “Personal Information” ..... 13-16
  - § 13:2.2 : Employee Information ..... 13-17
  - § 13:2.3 : Carve-Outs from the Obligations Applying to Personal Information ..... 13-18
  - § 13:2.4 : Sensitivity of Personal Information ..... 13-18
  - § 13:2.5 : Grandfathering Provisions ..... 13-19
- § 13:3 : Nature of Privacy Obligations ..... 13-19
  - § 13:3.1 : Consent/Notice Obligations ..... 13-19
    - [A] : Generally ..... 13-19
    - [B] : Content of the Notice ..... 13-20
    - [C] : Withdrawing Consent ..... 13-20
    - [D] : Extra-Jurisdictional Transfers of Personal Information ..... 13-21
  - § 13:3.2 : Administrative Obligations ..... 13-23
  - § 13:3.3 : Access Obligations ..... 13-23
  - § 13:3.4 : Breach Notification ..... 13-24
    - [A] : Comparison of the Federal and Alberta Models ..... 13-24
    - [B] : Differences Between the Federal and Alberta Models ..... 13-25
      - [B][1] : Threshold for Reporting a Breach ..... 13-25
      - [B][2] : Threshold for Notifying the Affected Individuals ..... 13-26
      - [B][3] : Definition of “Significant Harm” ..... 13-26
      - [B][4] : Responsibility for Notification ..... 13-27
      - [B][5] : Offenses ..... 13-27
  - § 13:3.5 : Enforcement ..... 13-28
    - [A] : Generally ..... 13-28
    - [B] : Powers ..... 13-28
    - [C] : Offenses ..... 13-28
    - [D] : “Naming and Shaming” ..... 13-29
    - [E] : Review of Findings/Appeals ..... 13-29
    - [F] : Remedies ..... 13-29
- § 13:4 : Canadian Privacy Law in Transition ..... 13-30
  - § 13:4.1 : Recent Changes to Canadian Privacy Law ..... 13-30
  - § 13:4.2 : 2010 Changes to the Alberta PIPA ..... 13-30
    - [A] : Privacy Policies and Practices ..... 13-30
    - [B] : Maintaining Accuracy of Personal Information ..... 13-31
    - [C] : Retention and Destruction ..... 13-31
  - § 13:4.3 : Proposed Revisions to PIPEDA ..... 13-32
    - [A] : Scope of Application ..... 13-32
    - [B] : Consent ..... 13-32
    - [C] : Consent Exceptions ..... 13-32
    - [D] : Definition of “Lawful Authority” ..... 13-33
    - [E] : Federal Commissioners’ Proposed 2013 Revisions to PIPEDA ..... 13-34
  - § 13:4.4 : Canada’s FISA: A Comparative Perspective ..... 13-35
    - [A] : Overview of Canadian, U.S., and U.K. Legislation ..... 13-35
    - [B] : Definition of “Commercial” Messages/Communications ..... 13-37
    - [C] : Consent ..... 13-40
      - [C][1] : “Opt-In” Versus “Opt-Out” Provisions ..... 13-40
      - [C][2] : “Natural Persons” Versus “Legal Persons” ..... 13-42
    - [D] : Additional Exemptions ..... 13-43
    - [E] : Content ..... 13-46
    - [F] : Enforcement ..... 13-49
    - [G] : Jurisdiction ..... 13-52
  - § 13:4.5 : Class Actions and Privacy Litigation ..... 13-55
  - § 13:4.6 : Federal Commissioner Decision on Credit-Based Insurance Scores ..... 13-59
    - [A] : Introduction ..... 13-59
    - [B] : Summary of PIPEDA Report of Findings No. 2012-005 ..... 13-60
    - [C] : Analysis ..... 13-62
- § 13:5 : Conclusions ..... 13-64

Chapter 14: International Privacy Law; and Appendices 14A-14E
Donald C. Dowling

- § 14:1 : Data Privacy Regulation Outside the United States: A Clash of Jurisprudential Perspectives ..... 14-3
- § 14:2 : The European Union Data Privacy Directive ..... 14-5
  - § 14:2.1 : EU Draft Legislation Package ..... 14-6
  - § 14:2.2 : What the EU Data Directive Does ..... 14-9
  - § 14:2.3 : Social and Legal Context Underlying the EU Data Directive ..... 14-10
  - § 14:2.4 : Terminology ..... 14-12
  - § 14:2.5 : Data Processing Rules Domestically Within Europe ..... 14-13
    - [A] : Complying with Data Quality Principles and Rules ..... 14-14
  - § 14:2.6 : Disclosing to Data Subjects ..... 14-17
  - § 14:2.7 : Reporting to State Agencies ..... 14-18
- § 14:3 : Transfers of Data to Countries Outside Europe ..... 14-19
  - § 14:3.1 : Data Transfers Allowed to “Third Countries”—and Companies Abroad ..... 14-20
  - § 14:3.2 : Safe Harbor ..... 14-23
  - § 14:3.3 : The Seven Safe Harbor Principles ..... 14-26
    - [A] : Notice ..... 14-27
    - [B] : Choice ..... 14-27
    - [C] : Onward Transfer ..... 14-28
    - [D] : Security ..... 14-28
    - [E] : Data Integrity ..... 14-28
    - [F] : Access ..... 14-29
    - [G] : Enforcement ..... 14-30
  - § 14:3.4 : Self-Certification Process ..... 14-31
  - § 14:3.5 : Criticisms of Safe Harbor ..... 14-33
  - § 14:3.6 : Binding/Standard Contractual Clauses ..... 14-35
  - § 14:3.7 : Obligations of the Data Exporter and Data Importer ..... 14-38
  - § 14:3.8 : Liability ..... 14-38
  - § 14:3.9 : Binding Corporate Rules ..... 14-39
- § 14:4 : “Transposition” (Adoption) of the Directive in European Union Member States ..... 14-44
  - § 14:4.1 : Denmark ..... 14-44
  - § 14:4.2 : England ..... 14-45
  - § 14:4.3 : France ..... 14-46
  - § 14:4.4 : Germany ..... 14-46
  - § 14:4.5 : Italy ..... 14-48
  - § 14:4.6 : Netherlands ..... 14-48
  - § 14:4.7 : Spain ..... 14-49
- § 14:5 : Data Privacy Laws Beyond the European Union ..... 14-50
  - § 14:5.1 : Argentina ..... 14-51
  - § 14:5.2 : Australia ..... 14-52
  - § 14:5.3 : Brazil ..... 14-54
  - § 14:5.4 : China ..... 14-56
  - § 14:5.5 : Colombia ..... 14-58
  - § 14:5.6 : Costa Rica ..... 14-59
  - § 14:5.7 : Dubai ..... 14-60
  - § 14:5.8 : Hong Kong ..... 14-61
  - § 14:5.9 : India ..... 14-62
  - § 14:5.10 : Israel ..... 14-63
  - § 14:5.11 : Japan ..... 14-64
  - § 14:5.12 : Malaysia ..... 14-65
  - § 14:5.13 : Mexico ..... 14-66
  - § 14:5.14 : Russia ..... 14-68
  - § 14:5.15 : Singapore ..... 14-70
  - § 14:5.16 : South Korea ..... 14-72
  - § 14:5.17 : Switzerland ..... 14-74
  - § 14:5.18 : Taiwan ..... 14-74
  - § 14:5.19 : Thailand ..... 14-75
  - § 14:5.20 : Ukraine ..... 14-76
  - § 14:5.21 : Uruguay ..... 14-76
- Appendix 14A : The EU Data Privacy Directive ..... App. 14A-1
- Appendix 14B : Controller-to-Controller Model Contract ..... App. 14B-1
- Appendix 14C : Alternative Controller-to-Controller Model Contract ..... App. 14C-1
- Appendix 14D : Controller-to-Processor Model Contract ..... App. 14D-1
- Appendix 14E : Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules ..... App. 14E-1

Chapter 15: Implementing Privacy Compliance Requirements
Jody R. Westby

- § 15:1 : Introduction ..... 15-2
- § 15:2 : Intersection of Privacy, Security, and Cybercrime ..... 15-3
  - Figure 15-1 : Nexus Between Cybersecurity, Privacy and Cybercrime ..... 15-7
  - § 15:2.1 : Cybersecurity ..... 15-8
  - § 15:2.2 : Cybercrime ..... 15-11
- § 15:3 : Cybercrime-Related Legal Considerations ..... 15-15
  - § 15:3.1 : Security Breach Notification Laws ..... 15-15
  - § 15:3.2 : Jurisdictional Issues ..... 15-15
  - § 15:3.3 : Information Sharing ..... 15-17
  - § 15:3.4 : Outsourcing ..... 15-18
- § 15:4 : Creating an Enterprise Security Program ..... 15-19
  - Figure 15-2 : Enterprise Security Program Flowchart ..... 15-20
  - § 15:4.1 : Governance Structure ..... 15-21
  - § 15:4.2 : Security Integration and Security Operations ..... 15-24
  - § 15:4.3 : Implementation and Evaluation ..... 15-28
- § 15:5 : Conclusion ..... 15-30
  - Table 15-1 : Top Ten Action Items for Counsel’s Role in Privacy and Security ..... 15-31

Chapter 16: Compliance with the Payment Card Industry Data Security Standard
Mark MacCarthy, Pieter Penning

- § 16:1 : Introduction ..... 16-2
- § 16:2 : Background ..... 16-5
  - § 16:2.1 : Industry Background ..... 16-5
  - § 16:2.2 : Federal Consumer Protection Laws ..... 16-8
  - § 16:2.3 : Federal and State Data Security Regulations ..... 16-10
- § 16:3 : Development of the Payment Card Industry Data Security Standard ..... 16-13
- § 16:4 : PCI Requirements ..... 16-19
  - § 16:4.1 : The Basic Requirements ..... 16-19
  - Figure 16-1 : Payment Card Industry Data Security Standard ..... 16-20
  - § 16:4.2 : Protecting Stored Data ..... 16-23
  - Figure 16-2 : PCI Requirement 3: Protect Stored Cardholder Data ..... 16-23
  - § 16:4.3 : Encrypt Transmission of Cardholder Data Across Open, Public Networks ..... 16-27
  - Figure 16-3 : Requirement 4: Encrypt Transmitted Data ..... 16-28
  - § 16:4.4 : Compensating Controls ..... 16-29
  - § 16:4.5 : Payment Applications ..... 16-29
- § 16:5 : Validation ..... 16-31
  - § 16:5.1 : Merchant Levels ..... 16-33
  - Figure 16-4 : Merchant Levels (Visa CISP) ..... 16-33
  - § 16:5.2 : Service Provider Levels ..... 16-34
  - Figure 16-5 : Service Provider Levels (Visa CISP) ..... 16-35
  - § 16:5.3 : Merchant Validation Requirements ..... 16-35
  - Figure 16-6 : Merchant Levels and Validation Requirements (Visa CISP) ..... 16-36
  - § 16:5.4 : Service Provider Validation Requirements ..... 16-37
  - Figure 16-7 : Service Provider Levels and Validation Requirements (Visa CISP) ..... 16-38
  - § 16:5.5 : Corporate Franchise Servicers ..... 16-38
- § 16:6 : After a Compromise ..... 16-40
  - § 16:6.1 : Background ..... 16-40
  - § 16:6.2 : Initial Steps ..... 16-42
  - § 16:6.3 : Monitoring At-Risk Accounts ..... 16-43
  - § 16:6.4 : Notification to Issuing Financial Institutions ..... 16-44
- § 16:7 : Enforcement ..... 16-46
  - § 16:7.1 : General ..... 16-46
  - § 16:7.2 : Recent Enforcement Efforts ..... 16-47
  - § 16:7.3 : CardSystems Solutions ..... 16-49
  - § 16:7.4 : Other Significant Data Breaches ..... 16-50
- § 16:8 : Continued Development of Cardholder Data Protection ..... 16-52
  - § 16:8.1 : Increasing Global Compliance ..... 16-53
  - § 16:8.2 : Chip and PIN Security ..... 16-53
  - § 16:8.3 : Tokenization ..... 16-56
  - § 16:8.4 : Point-to-Point Encryption ..... 16-57
  - § 16:8.5 : Mobile Payments ..... 16-58
  - § 16:8.6 : Cloud Computing ..... 16-59
  - § 16:8.7 : E-Commerce ..... 16-60
  - § 16:8.8 : Risk Assessments ..... 16-61

Chapter 17: Insurance Coverage for Data Breaches and Unauthorized Privacy Disclosures
Steven R. Gilford

- § 17:1 : Overview ..... 17-2
- § 17:2 : Applicability of Historic Coverages ..... 17-5
  - § 17:2.1 : First- and Third-Party Coverages for Property Loss ..... 17-6
    - [A] : First-Party Property Policies ..... 17-7
    - [B] : Third-Party CGL Policies: Coverage for Property Damage Claims ..... 17-8
  - § 17:2.2 : CGL Coverage for Personal and Advertising Injury Claims ..... 17-10
    - [A] : Publication Requirement ..... 17-12
    - [B] : Right to Privacy As an Enumerated Offense ..... 17-13
  - § 17:2.3 : Other Coverages ..... 17-16
    - [A] : Directors and Officers Liability Insurance ..... 17-16
    - [B] : Errors and Omissions Policies ..... 17-17
    - [C] : Crime Policies ..... 17-18
- § 17:3 : Modern Cyber Policies ..... 17-18
  - § 17:3.1 : Key Concepts in Cyber Coverage ..... 17-19
    - [A] : Named Peril ..... 17-19
    - [B] : Claims Made ..... 17-21
  - § 17:3.2 : Issues of Concern in Evaluating Cyber Risk Policies ..... 17-22
    - [A] : What Is Covered? ..... 17-22
    - [B] : Confidential Information, Privacy Breach, and Other Key Definitions ..... 17-23
    - [C] : Overlap with Existing Coverage ..... 17-23
    - [D] : Limits and Deductibles ..... 17-24
    - [E] : Notice Requirements ..... 17-24
    - [F] : Coverage for Regulatory Investigations or Actions ..... 17-26
    - [G] : Definition of Loss ..... 17-29
    - [H] : Who Controls Defense and Settlement ..... 17-32
    - [I] : Control of Public Relations Professionals ..... 17-35
    - [J] : Issues Created by Policyholder Employees ..... 17-36
    - [K] : Coverage of a Threatened Security Breach ..... 17-38
    - [L] : Governmental Activity Exclusion ..... 17-39
    - [M] : Other Exclusions ..... 17-39
  - § 17:3.3 : SEC Disclosure and Other Regulatory Initiatives ..... 17-40

Chapter 18: Location Privacy: Technology and the Law

- § 18:1 : Introduction ..... 18-2
- § 18:2 : Development and Uses of Location-Tracking Technologies ..... 18-2
  - § 18:2.1 : Overview ..... 18-2
  - § 18:2.2 : Global Positioning Systems ..... 18-4
  - § 18:2.3 : Cell Site Location Information ..... 18-6
  - § 18:2.4 : Indoor Positioning Systems ..... 18-10
    - [A] : Radio Frequency Identification ..... 18-10
    - [B] : Other IPS Technologies ..... 18-10
  - § 18:2.5 : Vehicle Tracking ..... 18-11
  - § 18:2.6 : Unmanned Drones ..... 18-12
- § 18:3 : Government Collection of Location Information ..... 18-13
  - § 18:3.1 : Location Privacy Under the Fourth Amendment ..... 18-13
  - § 18:3.1 : Government Requests for CSLI ..... 18-16
    - [A] : Federal Statutes ..... 18-16
    - [B] : Case Law ..... 18-19
    - [C] : State Laws ..... 18-23
- § 18:4 : Private Collection and Use of Location Information ..... 18-24
  - § 18:4.1 : GPS Tracking ..... 18-24
  - § 18:4.2 : Mobile Devices and Applications ..... 18-27
  - § 18:4.3 : Other Location Technologies ..... 18-33
    - [A] : Radio Frequency Identification ..... 18-33
    - [B] : Vehicle Tracking ..... 18-33
- § 18:5 : Legislative Outlook ..... 18-34
  - § 18:5.1 : Federal Proposals ..... 18-34
  - § 18:5.2 : State Proposals ..... 18-35

Index