CCPA:GDPR
Statutes that REQUIRE disclosure: FDA (disclose recall reasons)/ HIPAA (give PHI for mandated reporting, e.g., abuse, gunshot wounds, immunization records, specified communicable diseases)/ Bank Secrecy Act (evidence of money laundering)/ Patriot Act (terrorist activities)/ OSHA (workplace injuries and illnesses)/ State-specific laws (e.g., labs must notify the DOH of COVID-19 results)/ Civil Investigative Demand (45)/ Court order (see above)/ Criminal proceedings or subpoena (warrant & probable cause).
Permitted disclosure: HIPAA Privacy Rule (TPO: treatment, payment, and health care operations; also public health and national security)/ Patriot Act computer-trespasser exception (a person acting under color of law may intercept a trespasser's communications on a computer when the owner or operator authorizes the interception, the interceptor is engaged in a lawful investigation, the contents are reasonably believed to be relevant to that investigation, and only communications transmitted to or from the trespasser are acquired).
Forbidden disclosure: HIPAA & COPPA (a patient's PHI, or a child's PI, cannot be disclosed to third parties unless disclosure is required, there is opt-in consent, or another exception applies)/ GLBA (nonpublic personal information may not be shared with nonaffiliated third parties unless the consumer has been given notice and an opt-out, except for permitted disclosures)/ Website and company privacy policies (many websites of companies not covered by GLBA also offer opt-outs; disclosures that break such promises may be deceptive or unfair practices under Section 5 of the FTC Act)/ Privileged communications (attorney-client; husband-wife; clergy-penitent; physician-patient).
2. Civil litigation: Public access to information (FOIA; court records; motion for a protective order or to seal records under FRCP 26(c); discovery must be relevant to the case). For example, the HIPAA Privacy Rule specifically addresses when protected health information may be disclosed during discovery:
a. First, a covered entity may disclose PHI if the subject of those records authorizes their
release.
b. Second, absent a release, a covered entity may release PHI subject to a court order.
c. Third, a covered entity may disclose PHI in response to a subpoena or discovery request that is not accompanied by a court order if satisfactory assurances are provided. An assurance is satisfactory under HIPAA if the parties seeking the information have agreed to a qualified protective order and have submitted it to the court, or if the party seeking the information has requested a qualified protective order from the court.
i. A qualified protective order requires both that the parties are prohibited from
using or disclosing the PHI for any purpose other than the litigation and that the
PHI will be returned or destroyed at the end of the litigation.
3. Law Enforcement: criminal investigations are one occasion on which a company may have to disclose PI.
a. The 4th Amendment applies: searches and seizures (including wiretaps) must be reasonable and generally require a warrant supported by probable cause.
i. What a person knowingly exposes to the public, even in his own home or office, is not protected by the 4th Amendment; what a person seeks to preserve as private, even in an area accessible to the public, may be protected (Katz).
b. Electronic Communications Privacy Act (ECPA): interception of wire, oral, and electronic communications is a crime (with exceptions) and carries a PRIVATE RIGHT OF ACTION.
i. Consent exception: federal law requires the consent of only one party to the call, but a number of states require all parties to consent, which is why calls announce "your call may be recorded for [x] purpose."
c. Stored Communications Act (SCA) prohibits unauthorized acquisition, alteration, or blocking of electronic communications while in electronic storage at a facility providing the service. Violations carry criminal penalties and civil liability.
d. Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications carriers (and, by FCC rule, facilities-based broadband and interconnected VoIP providers) to build lawful-intercept capability into their networks; administered by the FCC.
e. Right to Financial Privacy Act (RFPA) PROHIBITS disclosure of customer financial records by financial institutions to the federal government unless the customer authorizes it or the government uses an appropriate administrative subpoena or summons, qualified search warrant, judicial subpoena, or formal written request (BE AWARE). Customers must be given notice.
i. Right to challenge the request. Penalties for wrongful disclosure include a private right of action, punitive damages, and attorneys' fees.
f. Privacy Protection Act (PPA) protects journalists and media organizations from government searches or seizures of work product and documentary materials during criminal investigations (unless the reporter is suspected of committing the crime to which the materials relate). The government must generally proceed by subpoena; a search warrant requires a showing of probable cause against the holder of the materials. Violations: liquidated damages of $1,000 or actual damages (whichever is greater) plus attorneys' fees.
National Security
1. Foreign Intelligence Surveillance Act of 1978 (FISA) governs electronic surveillance for foreign-intelligence purposes, including the release of data by telecommunications and Internet service providers to the government.
a. The FISA Amendments Act of 2008 granted IMMUNITY to the phone companies so they would not be liable for records they had provided to the government after 9/11. Authority is divided between the executive branch and the FISA court (FISC).
b. Two tools: National Security Letters (FBI administrative demands for certain subscriber and transactional records, issued without a court order) and Section 215 orders (a FISC order to produce "any tangible things" for a foreign intelligence investigation).
c. FISA requires that foreign intelligence be a significant purpose of the surveillance and that the target be a foreign power or an agent of a foreign power.
Cybersecurity Information Sharing Act (CISA), enacted in 2015, allows the federal government to share unclassified technical data with companies about how networks have been attacked and how successful defenses were carried out, and gives companies liability protection for voluntarily sharing cyber threat indicators with the government.
California Consumer Privacy Act (CCPA)*
Generally: a California consumer-protection law meant to give consumers control over how a business collects, uses, discloses, and sells their PI.
Scope & Applicability: Applies to for-profit businesses that do business in California and meet at least one threshold: annual gross revenues above $25 million; buying, selling, or sharing the PI of a large number of consumers or households (50,000 under the original CCPA, 100,000 under the CPRA amendments); or deriving 50% or more of annual revenue from selling PI. Size of business therefore does matter.
CCPA defines PI: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household; publicly available information is excluded. Categories include:
Identifiers (name; email; postal address; IP address; SSN; driver's license number; account name; passport number)
Characteristics of protected classifications (race; religion; sexual orientation)
Commercial information (past purchases; consuming tendencies inferred from ad interactions)
Biometric information (iris/retina, face, fingerprint, voice, hand geometry)
Geolocation data (coordinates)
Professional, employment, and education information
Responding to a data breach:
First, determine whether a breach has occurred. Does the information fall within the statutory definition of PI, and has a "breach" as defined occurred? Factors:
Encryption (most breach-notification laws exempt data that was encrypted, provided the key was not also compromised)
Unauthorized access
Disclosure
Further disclosure
Use of information after hours
Second, contain and analyze the incident. After containment (notify the right people, audit the affected systems, contact the actual recipient of the data), carefully analyze what information was involved and log it.
Third, notify the affected parties, and the government authorities if the jurisdiction requires it. A number of states also have requirements for the content of the notification letter, including a description of how to mitigate the harm.