IAPP CIPP-US - Certified Information Privacy Professional/United States (CIPP/US)

When storing biometric data, such as fingerprints, organizations in the U.S. must comply with state-specific biometric privacy laws if they operate in states that regulate biometric information. The most prominent of these laws is the Illinois Biometric Information Privacy Act (BIPA), but similar laws also exist or are developing in other states, such as Texas and Washington.

Key Considerations for Storing Biometric Data:

Illinois Biometric Information Privacy Act (BIPA):BIPA (740 ILCS 14) is a leading and highly influential state law regulating the collection, storage, and use of biometric information. It requires organizations to:

Obtain informed, written consent before collecting biometric data.

Establish a publicly available policy governing the retention and destruction of biometric data.

Use a reasonable standard of care to protect biometric data from unauthorized access or use.

Prohibit the sale or transfer of biometric data without consent.

California and Biometric Data:While California's California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide general protections for personal information, including biometric data, they do not have the specific consent and handling requirements that BIPA does. Nevertheless, California residents have rights related to access, deletion, and the sale of biometric information.

Explanation of Options:

A. The Privacy Rule of the HITECH Act:The HITECH Act applies to the protection of protected health information (PHI) under HIPAA. While the Privacy Rule regulates healthcare-related information, it does not apply to Jane’s biometric data used for remote authentication unless it is tied to PHI. This scenario is unrelated to healthcare, so this answer is incorrect.

B. The California IoT Security Law (SB 327):California's IoT Security Law primarily focuses on ensuring security requirements for connected devices. It does not regulate the collection or storage of biometric information. This is not relevant to the question.

C. The applicable state law such as Illinois BIPA:This is correct. State biometric privacy laws, such as Illinois BIPA, explicitly govern the collection, storage, and use of biometric data like fingerprints. Organizations like Jones Labs must ensure compliance with such laws, including obtaining consent and properly securing and destroying biometric information.

D. The federal Genetic Information Nondiscrimination Act (GINA):GINA prohibits discrimination based on genetic information in employment and health insurance. However, it does not regulate the storage of biometric data like fingerprints. This is not applicable to this scenario.

Best Practices for Compliance:

Jones Labs should:

Understand the applicable state biometric laws: If Jane resides in Illinois or other states with biometric laws, Jones Labs must comply with those specific legal requirements.

Obtain informed consent: Ensure that employees like Jane sign a written consent form before storing their fingerprints for authentication.

Secure biometric data: Use strong encryption and other security measures to protect the biometric information.

Define retention and destruction policies: Clearly establish how long biometric data will be stored and how it will be destroyed after its purpose is fulfilled.

References from CIPP/US Materials:

Illinois Biometric Information Privacy Act (BIPA): Sets the standard for biometric privacy regulations in the U.S.

California Consumer Privacy Act (CCPA): Protects personal information but does not specifically regulate biometric data like fingerprints with the same rigor as BIPA.

IAPP CIPP/US Certification Textbook: Discusses the emergence of state-specific biometric privacy laws and their applicability in different scenarios.

Phishing is a form of social engineering that involves sending fraudulent emails or other messages that appear to come from a legitimate source, but are designed to trick recipients into revealing sensitive information, such as passwords, account numbers, or personal identifiers1. Phishing is one of the most common and effective methods of cyberattacks, and it can lead to data breaches, identity theft, ransomware infections, or other serious consequences2. Therefore, training on how to recognize and avoid phishing attempts is crucial for any organization that handles sensitive data, especially ePHI, which is subject to strict regulations under HIPAA3. Training on techniques for identifying phishing attempts can help employees to spot the signs of a phishing email, such as:

Sender’s address or domain name that does not match the expected source or contains spelling errors4

Generic salutations or impersonal tone that do not address the recipient by name or use proper grammar4

Urgent or threatening language that creates a sense of pressure or fear and asks the recipient to take immediate action, such as clicking on a link, opening an attachment, or providing information4

Suspicious links or attachments that may contain malware or lead to fake websites that mimic the appearance of a legitimate site, but have a different URL or request login credentials or other data4

Requests for sensitive information that are unusual or out of context, such as asking for passwords, account numbers, or personal identifiers that the sender should already have or should not need4

Training on techniques for identifying phishing attempts can also help employees to learn how to respond to a phishing email, such as:

Not clicking on any links or opening any attachments in the email4

Not replying to the email or providing any information to the sender4

Reporting the email to the IT department or security team and deleting it from the inbox4

Verifying the legitimacy of the email by contacting the sender directly using a different channel, such as phone or another email address4

Updating the antivirus software and scanning the device for any malware infection4

Training on techniques for identifying phishing attempts is the most effective kind of training that CloudHealth could have given its employees to help prevent this type of data breach, because it would have enabled them to recognize the phishing email that compromised the PHI of more than 10,000 HealthCo patients, and to avoid falling victim to it. Training on the terms of the contractual agreement with HealthCo, the difference between confidential and non-public information, or CloudHealth’s HR policy regarding the role of employees involved in data breaches, while important, would not have been as effective in preventing this specific type of data breach, because they would not have addressed the root cause of the breach, which was the phishing email.

References:

1: IAPP, Phishing, https://iapp.org/resources/glossary/phishing/

2: SpinOne, The Top 5 Phishing Awareness Training Providers 2023, https://spinbackup.com/blog/phishing-awareness-training-best-providers/

3: IAPP, HIPAA, https://iapp.org/resources/glossary/hipaa/

4: Expert Insights, The Top 11 Phishing Awareness Training and Simulation Solutions, https://expertinsights.com/insights/the-top-11-phishing-awareness-training-and-simulation-solutions/

HIPAA requires covered entities to provide a notice of privacy practices (NPP) to individuals who receive health care services from the covered entity. The NPP must describe how the covered entity may use and disclose protected health information (PHI), the individual’s rights with respect to their PHI, and the covered entity’s obligations to protect the privacy of PHI. The NPP must be provided to the individual no later than the date of the first service delivery, either in person or electronically. The covered entity must also make the NPP available on request and post it on its website if it has one. The covered entity must also make a good faith effort to obtain a written acknowledgment from the individual that they received the NPP. If the individual refuses to sign the acknowledgment, the covered entity must document the attempt and the reason for the refusal.

The other options are not sufficient to comply with HIPAA. Stating the privacy policy verbally (option A) does not provide the individual with a written or electronic copy of the NPP that they can keep for future reference. Posting the privacy notice in a prominent location (option B) does not ensure that the individual receives the NPP or has an opportunity to review it before receiving services. Directing patients to the correct area of the hospital website (option C) does not provide the individual with the NPP at the time of service delivery, unless the individual agrees to receive the NPP electronically and has access to the website at that time. References:

Notice of Privacy Practices for Protected Health Information

Model Notices of Privacy Practices

Sample Notice: Availability of Notice of Privacy Practices

Notice of Privacy Practices

Notice of Privacy Practices (NPP) Distribution and Acknowledgement

 According to the IAPP CIPP/US Study Guide, more than half of U.S. states require telemarketers to register with the state before conducting business within the state. This registration requirement may involve paying a fee, posting a bond, or providing information about the telemarketer’s identity, location, and business practices. The purpose of this requirement is to protect consumers from fraudulent or deceptive telemarketing calls and to facilitate the enforcement of state laws and regulations. The other options are not required by most states, although some states may have additional rules or guidelines for telemarketers regarding identification, consent, or contracts. References:

IAPP CIPP/US Study Guide, Chapter 7: Marketing and Advertising

State Telemarketing Registration Requirements

The law that is not involved in the regulation of employee background checks is B. The Gramm-Leach-Bliley Act (GLBA). The GLBA is a federal law that regulates the privacy and security of financial information collected, used, or shared by financial institutions, such as banks, insurance companies, or securities firms. The GLBA does not apply to employee background checks, unless the employer is a financial institution that obtains financial information from a consumer reporting agency for employment purposes. In that case, the employer must comply with the GLBA’s notice and opt-out requirements, as well as the FCRA’s requirements for using consumer reports. References:

[IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 113-114.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 3: Background Checks.

IAPP CIPP/US Practice Questions, Question 150.

The APEC principles are part of the APEC Privacy Framework, which is an inter-governmental agreement among the 21 member economies of the Asia-Pacific Economic Cooperation (APEC) to promote information privacy protection and the free flow of information in the region. The APEC Privacy Framework consists of four parts: a preamble, a scope, a set of nine information privacy principles, and an implementation section. The APEC information privacy principles are:

Preventing harm: Personal information controllers should take reasonable steps to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, and to address the risks and challenges posed by specific technologies and business practices.

Notice: Personal information controllers should provide clear and easily accessible statements about their personal information handling practices, including the types of personal information they collect, the purposes for which they collect it, the types of third parties to which they disclose it, the choices and means they offer individuals for limiting the use and disclosure of their personal information, and how they can contact the personal information controller with inquiries or complaints.

Collection limitation: Personal information controllers should limit the collection of personal information to what is relevant for the purposes of collection and should collect personal information by lawful and fair means and, where appropriate, with notice to, or consent of, the individual concerned.

Use limitation: Personal information controllers should use personal information only for the purposes for which it was collected or for purposes that a reasonable person would consider appropriate in the circumstances, and should retain personal information only as long as necessary to fulfill the stated purposes or as required by law or regulation.

Choice: Personal information controllers should offer individuals choices and means to limit the use and disclosure of their personal information, where appropriate, and should respect the choices made by individuals.

Integrity of personal information: Personal information controllers should take reasonable steps to ensure that personal information is accurate, complete, and up-to-date for the purposes for which it is used.

Security safeguards: Personal information controllers should protect personal information with reasonable security safeguards against risks such as loss, unauthorized access, destruction, misuse, modification, and disclosure.

Access and correction: Personal information controllers should give individuals the ability to access and, where appropriate, correct their personal information that is under their control, subject to reasonable limitations, such as where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, or where the legitimate rights of persons other than the individual would be violated.

Accountability: Personal information controllers should be accountable for complying with the privacy principles and should have in place mechanisms to ensure their implementation and compliance.

The APEC Privacy Framework is not a binding legal instrument, but rather a voluntary and flexible arrangement that allows each member economy to implement the principles according to its own domestic laws and regulations, applicable international frameworks, and cultural and social values. The APEC Privacy Framework also provides for cross-border cooperation and information sharing among member economies, as well as the development of mechanisms to facilitate the cross-border transfer of personal information, such as the APEC Cross-Border Privacy Rules (CBPR) System and the APEC Privacy Recognition for Processors (PRP) System. These mechanisms are based on a common set of rules and standards derived from the APEC Privacy Framework, and are intended to enhance the protection of personal information that flows across borders and to increase the interoperability among different privacy regimes in the region and beyond. References:

APEC Privacy Framework (2015)

APEC Cross-Border Privacy Rules (CBPR) System

APEC Privacy Recognition for Processors (PRP) System

APEC Privacy Framework: A New Model for Transborder Data Flows

According to the web search results from my predefined tool, Florida is the only state among the four options that currently imposes a definite limit for notification to affected individuals in case of a data breach. Florida’s law requires that notice be provided within 30 days after determination of the breach or reason to believe a breach occurred, unless delayed by law enforcement or measures to determine the scope of the breach and restore the integrity of the system1. The other states have more flexible or vague terms for the notification timeframe, such as “as soon as practicable” (Maine), “in the most expedient time possible and without unreasonable delay” (New York), or “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement” (California)2. References:

Security Breach Notification Chart | Perkins Coie

State Data Breach Notification Chart - International Association of …

The Federal Trade Commission (FTC) issued its 2012 report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”1, which outlined a framework for privacy protection based on three main principles: privacy by design, simplified consumer choice, and greater transparency. The report also identified five priority areas for the FTC’s privacy enforcement and policy efforts, which were:

Data brokers

Large platform providers

Mobile

Promoting enforceable self-regulatory codes

International data transfers

Do Not Track was not one of the five priority areas, but rather a specific mechanism for implementing the principle of simplified consumer choice. The report endorsed the development of a Do Not Track system that would allow consumers to opt out of online behavioral advertising across websites and platforms1. The report also noted the progress made by various stakeholders, such as the World Wide Web Consortium (W3C), the Digital Advertising Alliance (DAA), and browser companies, in advancing the Do Not Track initiative1. References: 1: Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012), available at 1.

The Illinois Biometric Information Privacy Act (BIPA) regulates the collection, storage, and use of biometric identifiers and biometric information, such as fingerprints, retina scans, and facial recognition data. However, BIPA does not regulate photographs, as they are explicitly excluded from the definition of "biometric identifiers" under the law.

Key Definitions Under BIPA:

Biometric Identifier:Includes fingerprints, retina or iris scans, voiceprints, and scans of hand or face geometry.

Biometric Information:Refers to any information derived from biometric identifiers.

Exclusions:BIPA explicitly excludes certain types of data from regulation, such as photographs, writing samples, and physical descriptions.

Explanation of Options:

A. Photographs of local convicted felons uploaded to a news website:This is correct because photographs are explicitly excluded from BIPA's definition of biometric identifiers.

B. Fingerprint scans of elementary school students used to open their lockers:This would be regulated under BIPA, as fingerprints are considered biometric identifiers.

C. Security software designed to identify local convicted felons in retail stores via facial recognition:This would also be regulated under BIPA, as facial recognition involves scans of face geometry, which qualify as biometric identifiers.

D. Retina scans of elementary school students used to verify their identities for attendance purposes:Retina scans are biometric identifiers under BIPA and would therefore be regulated.

References from CIPP/US Materials:

Illinois BIPA (740 ILCS 14/10): Defines biometric identifiers and excludes photographs from regulation.

IAPP CIPP/US Certification Textbook: Discusses the scope and application of BIPA.

According to the Wiley study guide, one of the steps in developing a privacy policy is to conduct a privacy assessment, which involves identifying the organization’s information goals and needs, as well as the legal and regulatory requirements that apply to its data collection and use practices3. By spending more time understanding the company’s information goals, Janice would have been able to tailor the privacy policy to fit the company’s business model and customer expectations, while still complying with the relevant privacy laws and standards. This would have also helped Janice to address Cheryl’s concerns about the impact of the policy on the company’s operations and customer relationships, and to propose solutions that balance privacy protection and service delivery.

References:

1: https://iapp.org/certify/cippus/

2: https://iapp.org/certify/get-certified/cippus/

3: https://www.wiley.com/en-be/IAPP+CIPP+US+Certified+Information+Privacy+Professional+Study+Guide-p-9781119755517

4: https://www.techtarget.com/searchsecurity/quiz/10-CIPP-US-practice-questions-to-test-your-privacy-knowledge

5: https://www.study4exam.com/iapp/free-cipp-us-questions

https://www.passitcertify.com/iapp/cipp-us-questions.html