Privacy Tech: January 2014

If like me you need a compass to wade through legal references in a privacy context, here is a quick lexicon of all the US law acts I stumbled upon. Over time, I will update this article with more links and data while trying to keep it small and manageable. Tough goal. However, this is not meant to be comprehensive but a map of legal lingo to layman's terms as it relates to privacy.

ADA: Americans with Disabilities Act

http://www.ada.gov
bars discrimination on permanent medical conditions

ADEA: Age Discrimination and Employment Act

http://www.eeoc.gov/laws/statutes/adea.cfm
bars discrimination against individuals over 40.

APA: Administrative Procedure Act

empowers a gov agency to adjudicate internally before an administrative law judge.

BA: Bankruptcy Act

bars discrimination against persons who have filed for bankruptcy

BSA: Bank Secrecy Act

aka: Currency and Foreign Transactions Reporting Act
money laundering
record retention requirements
Suspicious activity reports

CALEA: Communications Assistance to Law Enforcement Act

aka: Digital Telephony Bill
yes, it really *is* what it sounds like

CAN-SPAM: Controlling the Assault of Non-solicited Pornography and Marketing Act

requires sender to provide a simple unsubscribe mechanism
bars deceptive subjects, misleading headers

COBRA: Consolidated Omnibus Budget Reconciliation Act

continued health coverage after leaving employment

COPPA: Children's Online Privacy Act

http://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule
requires parent consent for collection of personal data about kids under 13

CRA: Civil Rights Act

major anti-discrimination act, guarantees equal protection to all citizens regardless of race, color, sex, religion, origin

Dodd-Frank Act: Wall Street Reform and Consumer Protection Act

created the Consumer Financial Protection Bureau (CFPB)
redefines "unfair and deceptive practices"
enforcement powers over "abusive acts and practices"

EEOC: Equal Employment Opportunity Commission

enforcement agency against workplace discrimination

ECPA: Electronic Communications Privacy Act

bars interception of electronic communications
many nuanced and complex exceptions like if one party gives consent

ERISA: Employee Retirement Income Act

ensures employee benefits programs are created fairly requiring disclosure to beneficiaries

FACTA: Fair and Accurate Credit Transactions Act

Amendment to FCRA
Focuses on identity theft
Disposal Rule: safely dispose of consumer reports to prevent fraud
Red Flags Rule: detect, prevent, mitigate identity theft

FCRA: Fair Credit Reporting Act

requires accurate and relevant data collection
provides access and correction
limits use to permissible purposes (as defined in section 604)

FDCPA: Fair Debt Collection Practices Act

protection against unfair, deceptive or abusive collection practices

FERPA: Family Educational Rights and Privacy Act

aka: Buckley amendment
places consent and disclosure requirements on educational institutions (or third party related to institutions) storing education records

FISA: Foreign Intelligence Surveillance Act

allows wiretap for national security investigations
amended by US Patriot Act

FLSA: Fair Labor Standards Act

aka: Wages and Hours Bill
established 40 hours week

FSRRA: Financial Services Regulatory Relief Act

provides a short privacy notice model for easier comparison of privacy practices by various financial institutions.

GINA: Genetic Information Non-discrimination Act

aims at prohibiting the use of genetic information for the purpose of employment or health insurance eligibility

GLBA: Gramm-Leach-Bliley Act

Privacy Rule: sets standard for privacy notice (9 categories annual report with opt-outs)
Safeguards Rule: requires comprehensive information security program

HIPAA: Health Information Portability and Accountability Act

PHI: protected Health Information = any individually identifiable health information
Privacy Rule:

Privacy notices provided at or before date of first service
Authorizations for uses, disclosures: use of PHI for essential healthcare purposes, anything requires patient explicit opt-in
minimum necessary: limit use or disclosure of PHI to minimum
Access given to patient to their PHI and disclosures. reasonable charges may apply
Safeguards: administrative, physical and technical
Accountability: designated person responsible for compliance
Exceptions: de-identified data, research, law enforcement access ... no patient consent

Security Rule:

sets minimum security requirements for PHI

"reasonable" security measures
policies, procedures to prevent, detect, contain and remedy security issues

requires to ensure confidentiality, integrity, availability of PHI
to protect against reasonably foreseeable threats
to ensure compliance
training program, security awareness
ongoing risk assessment

HITECH: Health Information Technology for Economic and Clinical Health Act

Reinforces on HIPAA
Notice of Breach:

notify HHS for a breach affecting 500 people or more
notify media for a breach affecting 500 or more people in same jurisdiction

definition of limited data set to the purpose

ICRAA: CA Investigative Credit Reporting Agencies Act

requires to disclose credit report request and obtain prior consent

JFPA: Junk Fax Prevention Act

restrict commercial fax to existing business relationship (EBR)

Magnusson-Moss Warranty Act

protect consumers from deceptive warranty practices
gives FTC enforcement power against deceptive warranty practices

No Child Left Behind Act:

Restricts the use of student survey for commercial purposes

NLRA: National Labor Relations Act

sets standards for collective bargaining

OSHA: Occupational Safety and Health Act

compliance with OSHA might prompt employers to monitor employees while on the workplace. This prompts privacy questions. No audio recording. CCTV ok with no sound but only in non-private areas (no restrooms, locker room)

OPPA: Online Privacy Protection Act

requires to publish a privacy notice and enforce privacy policy

Patriot Act

Covers many topics with regards to privacy
money laundering (International Money Laundering Abatement and Anti-Terrorist Financing Act)
Computer trespasser exception (aka: hacker exception) allows electronic communication interception (with caveats)
National Security Letters (NSL) can be issued by officials
Pen register, trap and trace orders definitions are expanded beyond just telephony
Section 215 "tangible records": federal court order can require the production of any "tangible record" for foreign intelligence and terrorism investigations

PDA: Pregnancy Discrimination Act

protects against discrimination for pregnancy, childbirth or related medical conditions

PPA: Privacy Protection Act

provides extra protection for journalists, newsrooms or any person engaged in First Amendment activities

PPRA: Protection of Pupil Rights Amendment

aka: Hatch Amendment
protects pupils and parents in federally funded programs

RFPA: Right to Financial Privacy Act

Financial instituions cannot disclose financial records to federal agencies unless "reasonably described" and accompanied with

explicit consent
administrative subpoena, summons, search warrant, judicial subpoena, ...

Securities and Exchange Act of 1934
SCA: Stored Communications Act

part of ECPA
bars unauthorized acquisition, alteration or blocking of electronic communications while in storage

TCPA: Telephone Consumer Protection Act

amended by JFPA
prohibits unsolicited commercial faxes

TCFAPA: Telemarketing and Consumer Fraud and Abuse Prevention Act

one of FTC statutes
issued TSR as implementation, of which the most popular requirement is the Do Not Call registry

VPPA: Video Privacy Protection Act

requires video rental companies to provide opt-out of sharing video rental data

WPA: Whistleblower Protection Act

protects federal workers against personal actions related to their whistleblowing activity

Privacy Tech

January 29, 2014

US Privacy Lexicon