(Legal Issues in Information Security chapter 2)Privacy and Information Security Overview

Questions and Answers

PDF Questions PDF Answers

Which federal law specifically governs the collection and disclosure of personally identifiable information (PII) by federal agencies?

Privacy Act (correct)

E-Government Act

Electronic Communications Privacy Act

Freedom of Information Act

What is the primary purpose of the Electronic Communications Privacy Act (ECPA) of 1986?

To protect census data confidentiality

To require privacy notices from cable companies

To mandate privacy technologies in government

To regulate access to electronic communications (correct)

Which of the following acts allows employers that provide electronic communication services to access stored messages?

Stored Communications Act (correct)

Wiretap Act

Census Confidentiality Act

Freedom of Information Act

Which of the following states is notably recognized for being at the forefront of enacting privacy laws?

California

What is the main focus of the Driver's Privacy Protection Act of 1994?

Protection of motor vehicle records

Which privacy tort involves invading someone's private space, either physically or electronically?

Intrusion into Seclusion

What type of law primarily addresses explicit privacy guarantees to residents in certain states?

State Law

Which common law privacy tort relates to publishing private information that creates a false impression, even if the information is true?

Portrayal in a False Light

Which statement correctly differentiates between privacy and information security?

Information security focuses on unauthorized access, while privacy involves personal data control.

What is the significance of the Fourth Amendment in relation to privacy law?

It guarantees protection against governmental surveillance.

Which Supreme Court case established the concept of 'reasonable expectation of privacy'?

Katz v. United States

What does the term 'informational privacy' refer to as established by Whalen v. Roe?

The right to control personal information usage and dissemination.

Which statement about U.S. privacy laws is accurate?

They are sector-specific and vary by industry.

In privacy law, what principle was established by Griswold v. Connecticut?

It established the right to privacy as a fundamental right.

According to the content, which of the following amendments is NOT directly related to the interpretation of privacy rights?

Second Amendment

What constitutes appropriation of likeness or identity?

Employing someone's image or name for profit without permission.

What is a common misconception about the relationship between privacy and information security?

Privacy can exist without any security measures.

What is a characteristic of spyware?

It collects personal information silently in the background.

Which of the following is a primary concern regarding cookies?

They can be intercepted by third parties to track users across websites.

How can organizations demonstrate their commitment to personal data privacy?

Through the participation in recognized seal programs.

What is the main function of clickstream data?

To analyze the order of pages visited by a user.

Which threat involves monitoring user behavior through electronic files?

Web beacons

What privacy issue is directly related to online profiling?

Creation of tailored advertisements based on user activities.

What challenge does technology present regarding personal data privacy?

It complicates how data is collected, used, and shared.

What is a significant concern associated with RFID technology?

Unauthorized access to stored information

Which of the following statements about Bluetooth technology is accurate?

Bluetooth enables short-range wireless communication.

What does NFC technology primarily facilitate?

Mobile payments with reduced risks

What is a main risk associated with GPS-enabled devices?

Potential for constant monitoring of movements

Which of the following best describes a security breach?

Failure of security measures leading to data exposure

What method involves manipulating individuals into revealing confidential information?

Social engineering

Which practice involves searching through trash to find sensitive information?

Dumpster diving

What is a potential risk of excessive information sharing on social networking sites?

Higher chances of identity theft

Which principle emphasizes the importance of only collecting necessary data?

Data Minimization

What do employers in the United States generally have regarding employee privacy?

Limited privacy expectations in the workplace

What key factor can lead to unintended data exposure in digital environments?

Misunderstanding of privacy controls

Which of the following is NOT a key principle for privacy protection?

Financial Gain

What does the term 'Use Limitation' refer to in data privacy?

Using data only for the specified purpose

Which scandal highlighted the complex privacy implications of social media platforms?

The Cambridge Analytica scandal

How should organizations prioritize privacy throughout the data life cycle?

By ensuring comprehensive privacy policies

What potential misuse of personal information was exemplified in data scandals?

Political manipulation for campaign strategies

Study Notes

Privacy and Information Security

• Privacy is the right to control personal information collection, use, storage, and sharing.
• Information security protects data from unauthorized access.
• Information security supports privacy, but secure information is not automatically private.

Sources of Privacy Law

• There is no single, comprehensive data privacy law in the U.S.
• Privacy laws are sector-specific, regulating industries like healthcare, finance, and education.

Constitutional Law

• The U.S. Constitution doesn't explicitly mention privacy.
• Supreme Court cases interpreted several amendments to establish a constitutional right to privacy.
• Key cases:
  • Wheaten v. Peters (1834) recognized the "right to be let alone."
  • Griswold v. Connecticut (1965) established privacy as a fundamental right.
  • Katz v. United States (1967) recognized "reasonable expectation of privacy" even in public spaces.
  • Whalen v. Roe (1977) acknowledged "informational privacy" – the right to control personal information.

Federal Law

• Several federal laws address data privacy in specific sectors:
  • Freedom of Information Act (FOIA) (1966) grants the public access to information from federal agencies.
  • Privacy Act (1974) governs the collection, use, and disclosure of personally identifiable information (PII) by federal agencies.
  • E-Government Act (2002) mandates privacy-protective technologies for federal government operations.
  • Electronic Communications Privacy Act (ECPA) (1986) regulates access to electronic communications (emails, phone calls).
    • Includes the Wiretap Act forbidding eavesdropping without a court order and the Stored Communications Act governing employer access to stored messages.
  • Census Confidentiality (1952) mandates protection of census responses.
  • Cable Communications Policy Act (1984) requires cable companies to provide annual privacy notices and obtain consent before using customer data.
  • Driver's Privacy Protection Act (1994) safeguards personal information in motor vehicle records.

State Law

• Many states incorporated a right to privacy in their constitutions.
• States like California are leaders in enacting privacy laws.
• All states have data breach notification laws, requiring organizations to inform residents of security breaches.
• States also have sector-specific privacy laws protecting financial, health, and motor vehicle information.

Common Law

• Common law, based on legal tradition and court decisions, recognizes privacy torts – civil wrongs that harm privacy.
• Four key privacy torts:
  • Intrusion into Seclusion: Invading someone's private space, physically or electronically.
  • Portrayal in a False Light: Publishing private information, even if true, in a way that creates a false and offensive impression.
  • Appropriation of Likeness or Identity: Using someone's name or likeness for commercial gain without consent.
  • Public Disclosure of Private Facts: Sharing embarrassing and truly private facts that a reasonable person would find offensive.

Voluntary Agreements

• Fair information practice principles (FIPPs), like those outlined by the Organization for Economic Co-operation and Development (OECD), provide a framework for responsible and transparent data handling.
• Organizations can demonstrate their commitment to privacy through participation in seal programs like WebTrust, TRUSTe, and the Better Business Bureau, verifying compliance with recognized privacy practices.

Threats to Personal Data Privacy in the Information Age

• Rapid technological advancements create challenges to personal data privacy in the digital realm.

Technology-Based Privacy Concerns

• Spyware: Malware that collects personal information and transmits it to unauthorized parties.
• Adware: Software that displays advertisements, some of which can be targeted based on user information collected through spyware.
• Cookies: Small text files stored on a user's computer by websites to track browsing activity.
  • First-party cookies are created by the website being visited.
  • Third-party cookies are placed by advertising companies to track users across multiple websites.
• Web Beacons: Invisible electronic files that monitor website traffic and user behavior.
• Clickstream Data: Information about a user's browsing path, such as the order of pages visited and links clicked.
• Online Profiling: Compiling data from a user's online activities to create a profile of their habits and preferences. This information can be used for targeted advertising.
• Wireless Technologies:
  • Radio Frequency Identification (RFID): Technology using radio waves to identify and track tagged objects. Concerns include unauthorized access to information and tracking without consent.
  • Bluetooth: Short-range wireless communication technology enabling data exchange between devices. Concerns include information tracking, data exposure, and hacking vulnerability.
  • Near Field Communication (NFC): Very short-range wireless technology for tasks like mobile payments, with less risk of information exposure due to close proximity requirements.
  • Global Positioning System (GPS): Technology providing precise location tracking. Concerns include potential for constant monitoring of individuals' movements through GPS-enabled devices.

Security Breaches

• Security breaches occur when security measures fail, resulting in unauthorized disclosure of personal information.
• Security breaches pose a significant threat to privacy, potentially leading to identity theft and fraud.

People-Based Privacy Concerns

• Phishing: Internet fraud where attackers try to trick people into revealing personal information through deceptive emails.
• Social Engineering: Manipulating people into divulging confidential information.
• Shoulder Surfing: Observing someone entering sensitive information, like passwords or credit card numbers.
• Dumpster Diving: Searching through trash to find discarded documents containing personal information.
• Social Networking Sites:
  • Information (over) sharing on social networks increases vulnerability to privacy violations and risks like stalking and identity theft.
  • Weak privacy settings or misunderstanding of privacy controls can lead to unintended data exposure.
  • The Cambridge Analytica scandal highlighted the complex privacy implications of social media platforms, data sharing with third-party apps, and the potential for misuse of personal information for political purposes.
• Online Data Gathering: The vast amount of personal data available online makes it easy to find information about individuals, which can be used for legitimate purposes but also for harassment or identity theft.

Workplace Privacy

• Workplace privacy refers to privacy issues in the context of employment.
• In the U.S., employees generally have limited privacy expectations in the workplace.
• Employers can often monitor employee activities (telephone conversations, emails, computer use, video surveillance) for legitimate business reasons.
• However, there are legal limitations and considerations regarding employee consent, notification, and restrictions on monitoring in private areas like restrooms.

General Principles for Privacy Protection in Information Systems

• Organizations need to prioritize data privacy throughout the data life cycle: collection, use, storage, retention, and destruction.

• Privacy policies are essential to inform customers about data collection practices and the organization's commitment to protecting personal information.

• Key principles for privacy protection include:

  • Data Minimization: Only collecting necessary data.
  • Data Quality: Ensuring data accuracy.
  • Purpose Specification: Stating the intended use of data.
  • Use Limitation: Using data only for the stated purpose.
  • Security Safeguards: Protecting data from unauthorized access.
  • Openness (Transparency): Informing individuals about data collection practices.
  • Individual Participation: Granting individuals access to their data and the ability to correct inaccuracies.
  • Accountability: Ensuring compliance with privacy principles.

Description

This quiz covers essential concepts related to privacy and information security, including the legal framework surrounding data privacy in the U.S. It discusses the interpretation of privacy rights in the Constitution and highlights important Supreme Court cases. Test your knowledge about the relationship between privacy and information security.