Name! That! Thing!
EU Did It First
Doctors Ordered
California Dreamin'
Odds & Ends
200

This type of entity collects, aggregates, and sells individuals' personal data.

Data Broker

200

What is the difference between data processors and data controllers?

Data processors process information on behalf of, and with instructions from, a data controller. 

A data controller determines the purpose and means of processing a subject's data. 

200

What counts as Protected Health Information under HIPAA?

Individually identifiable health information relating to physical or mental health

200

The CCPA defines personal information as this.

Any information that relates to a particular consumer or household. 

Includes exceptions such as publicly available information.

200

The FTC has enforcement authority over these types of bad practices.

Unfair and Deceptive practices

400

This results from a settlement between a regulator and a private party without admitting guilt or liability.

Consent Decree

400

Daily Double!

Consumers hold these rights under the GDPR.

400

This department is responsible for enforcing HIPAA.

Dept. of Health & Human Services (HHS)

400

This law created a new state enforcement agency and expanded liability for data breaches.

CPRA

400

True/False: US privacy law stems from the right to privacy, which is explicitly granted by the 14th Amendment of the US Constitution. 

False, privacy is not explicitly mentioned in the Constitution.

600

Under some privacy laws, this allows for individuals to sue companies for data breaches. 

Private Right of Action

600

True/False: The GDPR is typically enforceable in the US, so US companies continue to comply. 

False, it is unclear whether the GDPR is enforceable in the US, but US companies comply as a courtesy.

600

True/False: Under GINA, employers can ask employees for genetic information, but they cannot require employees to provide it. 

False, employers can neither require nor ask for genetic information under GINA.

600

True/False: The CCPA created a private right of action for data breaches.

True! With a $7.5k fine per violation.

600

Name at least 2 jobs of a privacy professional.

Research laws

Monitor current events and changing guidelines

Educate the organization in privacy laws and policies

Design policies & procedures

Monitor the organization's risk

800

This contract clause can be used for GDPR compliance, but must be approved by supervisory authority first. 

Ad Hoc Contract Clause

800

The EU invalidated the EU-US Privacy Shield for these reasons.

US surveillance is not limited to what is strictly necessary. 

EU data subjects lacked actionable judicial redress.

800

This law was enacted to incentivize using electronic health records and creating a national electronic health information exchange. 

HITECH

800

The CCPA protects these individuals.

People in CA for more than a temporary purpose, and people domiciled in CA but temporarily outside the state

800

Which of these is not a real privacy law?

HIPAA   GINA   SHERPA   BIPA   CPRA

SHERPA

1000

An IL law defines this type of data as a "retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry".

Biometric Identifier

1000

Data controllers are subject to these 7 requirements.

Data Protection by Design

Data Protection by Default

Data Protection Impact Assessments

Hiring a Data Protection Officer

Records Keeping

Security

Data Breach Reporting

1000

What is the full name of the HITECH Act?

The Health Information Technology for Economic and Clinical Health Act

1000

Daily Double!

To be considered a "covered business" under the CCPA, you must be a for-profit entity that falls under at least one of these three categories.

1000

Name 4 elements of an Incident Response Program (There are more than 4, but name at least 4).

Training, Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
