IAPP CIPP / US Certified Information Privacy Professional Study Guide - Mike Chapple - E-Book

Description

Prepare for success on the IAPP CIPP/US exam and further your career in privacy with this effective study guide - now includes a downloadable supplement to get you up to date on the current CIPP exam for 2023-2024! Information privacy has become a critical and central concern for small and large businesses across the United States. At the same time, the demand for talented professionals able to navigate the increasingly complex web of legislation and regulation regarding privacy continues to increase. Written from the ground up to prepare you for the United States version of the Certified Information Privacy Professional (CIPP) exam, Sybex's IAPP CIPP/US Certified Information Privacy Professional Study Guide also readies you for success in the rapidly growing privacy field. You'll efficiently and effectively prepare for the exam with online practice tests and flashcards as well as a digital glossary. The concise and easy-to-follow instruction contained in the IAPP/CIPP Study Guide covers every aspect of the CIPP/US exam, including the legal environment, regulatory enforcement, information management, private sector data collection, law enforcement and national security, workplace privacy and state privacy law, and international privacy regulation. 
* Provides the information you need to gain a unique and sought-after certification that allows you to fully understand the privacy framework in the US
* Fully updated to prepare you to advise organizations on the current legal limits of public and private sector data collection and use
* Includes 1 year free access to the Sybex online learning center, with chapter review questions, full-length practice exams, hundreds of electronic flashcards, and a glossary of key terms, all supported by Wiley's support agents who are available 24x7 via email or live chat to assist with access and login questions

Perfect for anyone considering a career in privacy or preparing to tackle the challenging IAPP CIPP exam as the next step to advance an existing privacy role, the IAPP CIPP/US Certified Information Privacy Professional Study Guide offers you an invaluable head start for success on the exam and in your career as an in-demand privacy professional.

Page count: 525

Year of publication: 2021




Table of Contents

Cover

Title Page

Copyright

Dedication

Acknowledgments

About the Authors

About the Technical Editors

Introduction

The CIPP/US Exam

CIPP/US Exam Objectives

CIPP/US Certification Exam Objective Map

Assessment Test

Answers to Assessment Test

Chapter 1: Privacy in the Modern Era

Introduction to Privacy

Generally Accepted Privacy Principles

Developing a Privacy Program

Online Privacy

Privacy and Cybersecurity

Privacy by Design

Summary

Exam Essentials

Review Questions

Chapter 2: Legal Environment

Branches of Government

Understanding Laws

Legal Liability

Torts and Negligence

Summary

Exam Essentials

Review Questions

Chapter 3: Regulatory Enforcement

Federal Regulatory Authorities

State Regulatory Authorities

Self‐Regulatory Programs

Summary

Exam Essentials

Review Questions

Chapter 4: Information Management

Data Governance

Workforce Training

Cybersecurity Threats

Incident Response

Vendor Management

Summary

Exam Essentials

Review Questions

Chapter 5: Private Sector Data Collection

FTC Privacy Protection

Medical Privacy

Financial Privacy

Educational Privacy

Telecommunications and Marketing Privacy

Summary

Exam Essentials

Review Questions

Chapter 6: Government and Court Access to Private Sector Information

Law Enforcement and Privacy

National Security and Privacy

Civil Litigation and Privacy

Summary

Exam Essentials

Review Questions

Chapter 7: Workplace Privacy

Introduction to Workplace Privacy

Privacy Before, During, and After Employment

Summary

Exam Essentials

Review Questions

Chapter 8: State Privacy Laws

Federal vs. State Authority

Financial Data

Data Security

Data Breach Notification Laws

Marketing Laws

Summary

Exam Essentials

Review Questions

Chapter 9: International Privacy Regulation

International Data Transfers

APEC Privacy Framework

Cross‐Border Enforcement Issues

Summary

Exam Essentials

Review Questions

Appendix: Answers to Review Questions

Chapter 1: Privacy in the Modern Era

Chapter 2: Legal Environment

Chapter 3: Regulatory Enforcement

Chapter 4: Information Management

Chapter 5: Private Sector Data Collection

Chapter 6: Government and Court Access to Private Sector Information

Chapter 7: Workplace Privacy

Chapter 8: State Privacy Laws

Chapter 9: International Privacy Regulation

Index

Get Certified!

Comprehensive Online Learning Environment

Register and Access the Online Test Bank

End User License Agreement

List of Tables

Chapter 1

TABLE 1.1 Height and weight information

TABLE 1.2 Anonymized height and weight information

TABLE 1.3 Aggregated height and weight information

List of Illustrations

Chapter 1

FIGURE 1.1 Excerpt from ISO 27701

FIGURE 1.2 Excerpt from the LinkedIn Privacy Policy

FIGURE 1.3 The three key objectives of cybersecurity programs are confidenti...

FIGURE 1.4 The relationship between privacy and security

Chapter 2

FIGURE 2.1 Jurisdictional areas of U.S. Circuit Courts of Appeal

Chapter 3

FIGURE 3.1 TRUSTe certification of the Enterprise car rental website

Chapter 4

FIGURE 4.1 Classified information cover sheets

FIGURE 4.2 Account management control listing from NIST 800‐53

FIGURE 4.3 Data flow diagram with technical detail

FIGURE 4.4 Data flow diagram without technical detail

FIGURE 4.5 Logo of the hacktivist group Anonymous

FIGURE 4.6 Incident response process

FIGURE 4.7 Incident response checklist

IAPP CIPP/US℠ Certified Information Privacy Professional Study Guide

United States Exam

 

Mike Chapple

Joe Shelley

 

Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada and the United Kingdom.

ISBN: 978‐1‐119‐75546‐3

ISBN: 978‐1‐119‐75761‐0 (ebk.)

ISBN: 978‐1‐119‐75551‐7 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per‐copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750‐8400, fax (978) 750‐4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748‐6011, fax (201) 748‐6008, or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762‐2974, outside the United States at (317) 572‐3993 or fax (317) 572‐4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2021937722

TRADEMARKS: WILEY and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. IAPP and CIPP/US are registered trademarks or service marks of The International Association of Privacy Professionals, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Cover Image: © Getty Images Inc./Jeremy Woodhouse

Cover Design: Wiley

To Matthew – I am so proud of everything you've become and can't wait to see the difference you make in the world!

—Mike

 

To Jessie—my best friend and the love of my life.

—Joe

Acknowledgments

Even though only the authors' names appear on the front cover, the production of a book is a collaborative effort involving a huge team. Wiley always brings a top‐notch collection of professionals to the table, and that makes the work of authors so much easier.

In particular, we'd like to thank Jim Minatel, our acquisitions editor. Jim is a consummate professional, and it is an honor and a privilege to continue to work with him on yet another project. Here's to many more!

We also greatly appreciated the editing and production team for the book, including David Clark, our project editor, who brought years of experience and great talent to the project. Our technical editors, Joanna Grama and Marcos Vieyra, provided indispensable insight and expertise. This book would not have been the same without their valuable contributions. Saravanan Dakshinamurthy, our production editor, guided us through layouts, formatting, and final cleanup to produce a great book. We would also like to thank the many behind‐the‐scenes contributors, including the graphics, production, and technical teams who make the book and companion materials into a finished product.

Our agent, Carole Jelen of Waterside Productions, continues to provide us with wonderful opportunities, advice, and assistance throughout our writing careers.

Finally, we would like to thank our families who supported us through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.

About the Authors

Mike Chapple, Ph.D., CIPP/US, is the author of the best‐selling CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide (Sybex, 9th edition, 2021) and the CISSP (ISC)² Official Practice Tests (Sybex, 3rd edition, 2021). He is an information security professional with two decades of experience in higher education, the private sector, and government.

Mike currently serves as a teaching professor in the IT, Analytics, and Operations department at the University of Notre Dame's Mendoza College of Business, where he teaches undergraduate and graduate courses on cybersecurity, data management, and business analytics.

Before returning to Notre Dame, Mike served as executive vice president and chief information officer of the Brand Institute, a Miami‐based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force.

Mike is technical editor for Information Security Magazine and has written more than 25 books. He earned both his B.S. and Ph.D. degrees from Notre Dame in computer science and engineering. Mike also holds an M.S. in computer science from the University of Idaho and an MBA from Auburn University. Mike holds the Certified Information Privacy Professional/US (CIPP/US), Cybersecurity Analyst+ (CySA+), Security+, Certified Information Security Manager (CISM), Certified Cloud Security Professional (CCSP), and Certified Information Systems Security Professional (CISSP) certifications.

Learn more about Mike and his other security certification materials at his website, CertMike.com.

Joe Shelley, M.A., CIPP/US, is a leader in higher education information technologies. He is currently the vice president for Libraries and Information Technology at Hamilton College in New York. In his role, Joe oversees central IT infrastructure, enterprise systems, information security and privacy programs, IT risk management, business intelligence and analytics, institutional research and assessment, data governance, and overall technology strategy. Joe also directs the Library and Institutional Research. In addition to supporting the teaching and research mission of the college, the library provides education in information sciences, digital and information literacy, and information management.

Before joining Hamilton College, Joe served as the chief information officer at the University of Washington Bothell in the Seattle area. During his 12 years at UW Bothell, Joe was responsible for learning technologies, data centers, web development, enterprise applications, help desk services, administrative and academic computing, and multimedia production. He implemented the UW Bothell information security program, cloud computing strategy, and IT governance, and he developed new initiatives for supporting teaching and learning, faculty research, and e‐learning.

Joe earned his bachelor's degree in interdisciplinary arts and sciences from the University of Washington and his master's degree in educational technology from Michigan State University. Joe has held certifications and certificates for CIPP/US, ITIL, project management, and Scrum.

About the Technical Editors

Joanna Lyn Grama, JD, CIPT, is an associate vice president with Vantage Technology Consulting Group and has more than 20 years of experience with a strong focus in law, higher education, information security, and data privacy. A former member of the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee, Joanna is a frequent author and regular speaker on information security and privacy topics. She is also a board member for the Central Indiana chapter of the Information Systems Audit and Control Association (ISACA), and a member of the International Association of Privacy Professionals (IAPP), the American Bar Association, Section of Science and Technology Law (Information Security Committee), and the Indiana State Bar Association (Written Publications Committee). She has earned the CISSP, CIPT, CDPSE, CRISC, and GSTRT certifications. Joanna graduated from the University of Illinois College of Law with honors.

Marcos Vieyra is the associate vice president and chief information security officer for the University of South Carolina, where he leads the information security, privacy, and digital accessibility programs and is a trusted adviser to the CIO and other university executives.

Prior to returning to the University of South Carolina, Marcos served as the CISO‐in‐residence for the SANS Technology Institute, and before that served as the chief information security officer for the state of South Carolina.

Marcos began his IT career in 1995, when he served as his squadron's system administrator in the U.S. Air Force and learned the importance of operational security. Marcos's full‐time information security and privacy career started at the University of South Carolina in 2004, where he also eventually earned his Bachelor of Arts degree in philosophy. Marcos has earned and maintains the following information security and privacy certifications: GSTRT, CISSP, CIPP/IT, CIPP/US, and CIPM. He is a member of the inaugural class of IAPP Fellows of Information Privacy (FIP).

When Marcos isn't working, he can be found spending time with his wife Michelle, usually doing something outdoors, with animals, watching movies, or some combination of those activities.

Introduction

If you're preparing to take the Certified Information Privacy Professional/US (CIPP/US) exam, you'll undoubtedly want to find as much information as you can about privacy. The more information you have at your disposal and the more hands‐on experience you gain, the better off you'll be when attempting the exam. We wrote this study guide with that in mind. The goal was to provide enough information to prepare you for the test—but not so much that you'll be overloaded with information that's outside the scope of the exam.

We've included review questions at the end of each chapter to give you a taste of what it's like to take the exam. If you're already working in the privacy field, we recommend that you check out these questions first to gauge your level of expertise. You can then use the book mainly to fill in the gaps in your current knowledge. This study guide will help you round out your knowledge base before tackling the exam.

If you can answer 90 percent or more of the review questions correctly for a given chapter, you can feel safe moving on to the next chapter. If you're unable to answer that many correctly, reread the chapter and try the questions again. Your score should improve.

Don't just study the questions and answers! The questions on the actual exam will be different from the practice questions included in this book. The exam is designed to test your knowledge of a concept or objective, so use this book to learn the objectives behind the questions.

The CIPP/US Exam

The CIPP/US certification is designed to be the gold standard credential for privacy professionals working in the United States and those seeking to enter the field. It is offered by the International Association of Privacy Professionals (IAPP) and fits into their suite of geographic‐based privacy certifications.

The exam covers five major domains of privacy knowledge:

Introduction to the U.S. Privacy Environment

Limits on Private‐Sector Collection and Use of Data

Government and Court Access to Private‐Sector Information

Workplace Privacy

State Privacy Laws

These five areas include a range of topics, from building a privacy program to understanding U.S. privacy laws and regulations. You'll find that the exam focuses heavily on scenario‐based learning. For this reason, you may find the exam easier if you have some real‐world privacy experience, although many individuals pass the exam before moving into their first privacy role.

The CIPP/US exam consists of 90 multiple‐choice questions administered during a 150‐minute exam period. Each of the exam questions has four possible answer options. Exams are scored on a scale ranging from 100 to 500, with a minimum passing score of 300. Every exam item is weighted equally, but the passing score is determined using a secret formula, so you won't know exactly what percentage of questions you need to answer correctly to pass.

Exam Tip

There is no penalty for answering questions incorrectly. A blank answer and an incorrect answer have equal weight. Therefore, you should fill in an answer for every question, even if it is a complete guess!

IAPP charges $550 for your first attempt at the CIPP/US exam and then $375 for retake attempts if you do not pass on the first try. More details about the CIPP/US exam and how to take it can be found in the IAPP Candidate Certification Handbook at iapp.org/certify/candidate-handbook.

You should also know that certification exams are notorious for including vague questions. You might see a question for which two of the possible four answers are correct—but you can choose only one. Use your knowledge, logic, and intuition to choose the best answer and then move on. Sometimes, the questions are worded in ways that would make English majors cringe—a typo here, an incorrect verb there. Don't let this frustrate you; answer the question and move on to the next one.

Certification providers often use a process called item seeding, which is the practice of including unscored questions on exams. They do this as part of the process of developing new versions of the exam. So, if you come across a question that does not appear to map to any of the exam objectives—or for that matter, does not appear to belong in the exam—it is likely a seeded question. You never really know whether or not a question is seeded, however, so always make your best effort to answer every question.

Taking the Exam

Once you are fully prepared to take the exam, you can visit the IAPP website to purchase your exam voucher:

iapp.org/store/certifications

IAPP partners with Pearson VUE's testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your ZIP code, while non‐U.S. test takers may find it easier to enter their city and country. You can search for a test center near you at the Pearson VUE website, where you will need to navigate to “Find a test center.”

www.pearsonvue.com/iapp

In addition to the live testing centers, you may also choose to take the exam at your home or office through Pearson VUE's OnVUE service. More information about this program is available here:

home.pearsonvue.com/Test-takers/OnVUE-online-proctoring.aspx

Now that you know where you'd like to take the exam, simply set up a Pearson VUE testing account and schedule an exam. One important note: Once you purchase your exam on the IAPP website, you have one year to register for and take the exam before your registration will expire. Be sure not to miss that deadline!

On the day of the test, take two forms of identification, and make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials into the exam with you.

Exam policies can change from time to time. We highly recommend that you check both the IAPP and Pearson VUE sites for the most up‐to‐date information when you begin preparing, when you register, and again a few days before your scheduled exam date.

After the CIPP/US Exam

Once you have taken the exam, you will be notified of your score immediately, so you'll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.

Maintaining Your Certification

IAPP certifications must be renewed periodically. To renew your certification, you either must maintain a paid IAPP membership or pay a $250 non‐member renewal fee. You must also demonstrate that you have successfully completed 20 hours of continuing professional education (CPE).

IAPP provides information on the CPE process via their website:

iapp.org/certify/cpe

Study Guide Elements

This study guide uses a number of common elements to help you prepare. These include the following:

Summaries

  The summary section of each chapter briefly explains the chapter, allowing you to easily understand what it covers.

Exam Essentials

  The exam essentials focus on major exam topics and critical knowledge that you should take into the test. The exam essentials focus on the exam objectives provided by IAPP.

Chapter Review Questions

  A set of questions at the end of each chapter will help you assess your knowledge and if you are ready to take the exam based on your knowledge of that chapter's topics.

Additional Study Tools

This book comes with a number of additional study tools to help you prepare for the exam. They include the following:

Go to www.wiley.com/go/sybextestprep, register your book to receive your unique PIN, and then once you have the PIN, return to www.wiley.com/go/sybextestprep and register a new account or add this book to an existing account.

Sybex Online Learning Environment

Sybex's online learning environment lets you prepare with electronic test versions of the review questions from each chapter and the practice exams that are included in this book. You can build and take tests on specific domains, by chapter, or cover the entire set of CIPP/US exam objectives using randomized tests.

Electronic Flashcards

Our electronic flashcards are designed to help you prepare for the exam. Over 100 flashcards will ensure that you know critical terms and concepts.

Glossary of Terms

Sybex provides a full glossary of terms in PDF format, allowing quick searches and easy reference to materials in this book.

Practice Exams

In addition to the practice questions for each chapter, this book includes access to two full 90‐question online practice exams. We recommend that you use them both to test your preparedness for the certification exam.

Several months after publication of this book, slight changes were made to the exam objectives. You can download an update to this Study Guide, covering those changes, at https://www.wiley.com/go/iappcippstudyguide

CIPP/US Exam Objectives

IAPP goes to great lengths to ensure that its certification programs accurately reflect the privacy profession's best practices. They also publish ranges for the number of questions on the exam that will come from each domain. The following table lists the five CIPP/US domains and the extent to which they are represented on the exam.

Domain | Questions
Introduction to the U.S. Privacy Environment | 28–34
Limits on Private‐Sector Data Collection | 20–24
Government and Court Access to Private‐Sector Information | 6–8
Workplace Privacy | 8–12
State Privacy Laws | 5–7

CIPP/US Certification Exam Objective Map

OBJECTIVE | CHAPTER
I. Introduction to the U.S. Privacy Environment
I.A Structure of U.S. Law | Chapters 2 and 3
     I.A.a Branches of government | Chapter 2
     I.A.b Sources of law | Chapter 2
     I.A.c Legal definitions | Chapter 2
     I.A.d Regulatory authorities | Chapter 3
     I.A.e Understanding laws | Chapter 2
I.B Enforcement of U.S. Privacy and Security Laws | Chapters 2, 3, and 9
     I.B.a Criminal versus civil liability | Chapter 2
     I.B.b General theories of legal liability | Chapter 2
     I.B.c Negligence | Chapter 2
     I.B.d Unfair and deceptive trade practices (UDTP) | Chapter 3
     I.B.e Federal enforcement actions | Chapter 3
     I.B.f State enforcement (Attorneys General (AGs), etc.) | Chapter 3
     I.B.g Cross‐border enforcement issues (Global Privacy Enforcement Network (GPEN)) | Chapter 9
     I.B.h Self‐regulatory enforcement (PCI, Trust Marks) | Chapter 3
I.C Information Management from a U.S. Perspective | Chapters 1, 4, and 9
     I.C.a Data sharing and transfers | Chapter 1
     I.C.b Privacy program development | Chapter 1
     I.C.c Managing user preferences | Chapter 1
     I.C.d Incident response programs | Chapter 4
     I.C.e Workforce training | Chapter 4
     I.C.f Accountability | Chapter 1
     I.C.g Data retention and disposal (FACTA) | Chapter 4
     I.C.h Online privacy | Chapter 1
     I.C.i Privacy notices | Chapter 1
     I.C.j Vendor management | Chapter 4
     I.C.k International data transfers | Chapter 9
     I.C.l Other key considerations for U.S.‐based global multinational companies | Chapter 9
     I.C.m Resolving multinational compliance conflicts | Chapter 9
II. Limits on Private‐Sector Collection and Use of Data
II.A Cross‐Sector FTC Privacy Protection | Chapter 5
     II.A.a The Federal Trade Commission Act | Chapter 5
     II.A.b FTC Privacy Enforcement Actions | Chapter 5
     II.A.c FTC Security Enforcement Actions | Chapter 5
     II.A.d The Children's Online Privacy Protection Act | Chapter 5
     II.A.e Future of federal enforcement (Data brokers, Big Data, IoT, AI, unregulated data) | Chapter 5
II.B Medical | Chapter 5
     II.B.a The Health Insurance Portability and Accountability Act of 1996 (HIPAA) | Chapter 5
     II.B.b Health Information Technology for Economic and Clinical Health (HITECH) Act of 2000 | Chapter 5
     II.B.c The 21st Century Cures Act of 2016 | Chapter 5
     II.B.d Confidentiality of Substance Use Disorder Patient Records Rule | Chapter 5
II.C Financial | Chapter 5
     II.C.a The Fair Credit Reporting Act (FCRA) of 1970 | Chapter 5
     II.C.b The Fair and Accurate Credit Transactions Act (FACTA) of 2003 | Chapter 5
     II.C.c The Financial Services Modernization Act of 1999 (“Gramm‐Leach‐Bliley” or GLBA) | Chapter 5
     II.C.d Red Flags Rule | Chapter 5
     II.C.e Dodd‐Frank Wall Street Reform and Consumer Protection Act of 2010 | Chapter 5
     II.C.f Consumer Financial Protection Bureau | Chapter 5
     II.C.g Online banking | Chapter 5
II.D Education | Chapter 5
     II.D.a Family Educational Rights and Privacy Act (FERPA) of 1974 | Chapter 5
     II.D.b Education technology | Chapter 5
II.E Telecommunications and Marketing | Chapter 5
     II.E.a Telemarketing sales rule (TSR) and the Telephone Consumer Protection Act of 1991 (TCPA) | Chapter 5
     II.E.b Combating the Assault of Non‐Solicited Pornography and Marketing Act of 2003 (CAN SPAM) | Chapter 5
     II.E.c The Junk Fax Prevention Act (JFPA) of 2005 | Chapter 5
     II.E.d The Wireless Domain Registry | Chapter 5
     II.E.e Telecommunications Act of 1996 and Customer Proprietary Network Information | Chapter 5
     II.E.f Cable Communications Privacy Act of 1984 | Chapter 5
     II.E.g Video Privacy Protection Act (VPPA) of 1988 | Chapter 5
     II.E.h Digital advertising | Chapter 5
III. Government and Court Access to Private‐Sector Information
III.A Law Enforcement and Privacy | Chapter 6
     III.A.a Access to financial data | Chapter 6
     III.A.b Access to communications | Chapter 6
     III.A.c The Communications Assistance to Law Enforcement Act (CALEA) | Chapter 6
III.B National Security and Privacy | Chapter 6
     III.B.a Foreign Intelligence Surveillance Act (FISA) of 1978 | Chapter 6
     III.B.b Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA‐Patriot Act) of 2001 | Chapter 6
     III.B.c The USA Freedom Act of 2015 | Chapter 6
     III.B.d The Cybersecurity Information Sharing Act (CISA) of 2015 | Chapter 6
III.C Civil Litigation and Privacy | Chapter 6
     III.C.a Compelled disclosure of media information | Chapter 6
     III.C.b Electronic discovery | Chapter 6
IV. Workplace Privacy
IV.A Introduction to Workplace Privacy | Chapter 7
     IV.A.a Workplace privacy concepts | Chapter 7
     IV.A.b U.S. agencies regulating workplace privacy issues | Chapter 7
     IV.A.c U.S. Anti‐discrimination laws | Chapter 7
IV.B Privacy before, during, and after employment | Chapter 7
     IV.B.a Employee background screening | Chapter 7
     IV.B.b Employee monitoring | Chapter 7
     IV.B.c Investigation of employee misconduct | Chapter 7
     IV.B.d Termination of the employment relationship | Chapter 7
V. State Privacy Laws
V.A Federal vs. state authority | Chapter 8
V.B Marketing laws | Chapter 8
V.C Financial Data | Chapter 8
     V.C.a Credit history | Chapter 8
     V.C.b California SB‐1 | Chapter 8
V.D Data Security Laws | Chapter 8
     V.D.a SSN | Chapter 8
     V.D.b Data destruction | Chapter 8
     V.D.c Security procedures | Chapter 8
     V.D.d Recent developments | Chapter 8
V.E Data Breach Notification Laws | Chapter 8
     V.E.a Elements of state data breach notification laws | Chapter 8
     V.E.b Key differences among states today | Chapter 8
     V.E.c Recent developments | Chapter 8

IAPP occasionally makes minor adjustments to the exam objectives. Please be certain to check their website for any recent changes that might affect your exam experience.

Assessment Test

1. What kind of liability may only be asserted in court by governmental authorities and not by a private citizen?
A. Civil
B. Negligence
C. Criminal
D. Invasion of privacy

2. Which of the following preemployment screening activities would turn a regular consumer report into an investigative report?
A. The report includes information about prior bankruptcies.
B. The CRA furnishing the report includes information about a job seeker's mortgage payments.
C. The preemployment screening includes a criminal background check.
D. A third‐party agent interviews a job seeker's neighbors about their character.

3. Dana is frustrated because she continues to receive telemarketing calls from her current internet service provider (ISP), even though she added her number to the national do‐not‐call list. Is Dana's ISP breaking the law?
A. Yes, because it is the responsibility of the ISP to maintain an updated copy of the national do‐not‐call registry.
B. No, because she is a customer of the ISP and the TSR provides an exemption for firms that have an existing business relationship with a consumer.
C. No, because Dana's ISP may not know she has added her number to the do‐not‐call registry.
D. Yes, because the DNC does not provide an exemption for existing customers.

4. Nick and Jenny often meet with other employees in the company cafeteria to advocate for collective bargaining. One day, Jenny notices that a security camera has suddenly been installed in the cafeteria, near where they usually sit. Why might this be a problem?
A. Employees have not consented to video surveillance during their lunch hours when not conducting company business.
B. Video surveillance may inadvertently reveal an employee's physical disability and lead to compliance risks under the Americans with Disabilities Act (ADA).
C. The company did not post adequate signage to notify the employees of the new video surveillance system.
D. The NLRB may view the security camera as an attempt to intimidate employees engaging in unionizing activities.

5. Gary's firm was recently sued by an athlete who claimed that the firm used his picture in marketing materials without permission. What type of claim was brought against Gary's firm?
A. False light
B. Appropriation
C. Invasion of solitude
D. Public disclosure of private facts

6. Which one of the following statements about workforce privacy training is incorrect?
A. Computer‐based training is an acceptable training option.
B. Training should include content on specific regulatory requirements.
C. Training should include details on an individual's role in minimizing privacy risks.
D. Every user should receive the same level of training.

7. Which one of the following categories would include any information that uniquely identifies an individual person?
A. PII
B. PHI
C. PFI
D. PCI

8. Carla is building an inventory of the information maintained by her organization that should be considered within the scope of its privacy program. Which one of the following types of information would not normally be included?
A. Customer transaction records
B. Manufacturing work order records
C. Employee payroll records
D. Job candidate application records

9. Which of the following laws was primarily intended to help combat money laundering?
A. RFPA
B. SCA
C. BSA
D. ECPA

10. What term is used to describe a voluntary agreement between a firm and the federal government where the firm agrees to engage or not engage in certain business practices?
A. Conviction
B. Retainer agreement
C. Theory of liability
D. Consent decree

11. What article in the U.S. Constitution defines the powers of the judicial branch?
A. Article I
B. Article II
C. Article III
D. Article IV

12. What federal privacy law contains specific requirements for how organizations must dispose of sensitive personal information when it is no longer needed?
A. FERPA
B. FACTA
C. GLBA
D. SOX

13. Which one of the following is an example of a check‐and‐balance held by the executive branch of government?
A. Power of the purse
B. Veto
C. Confirmation
D. Judicial review

14. Why are antidiscrimination laws relevant to workplace privacy?
A. Pro‐privacy lawmakers have used large antidiscrimination legislation as an opportunity to include unrelated privacy regulations.
B. Antidiscrimination laws require employers to collect personal data on employees to prove they have diverse workforces.
C. Antidiscrimination laws require large employers to conduct surveillance of employees to prevent discrimination.
D. Personal data about workers may be used in discriminatory decision making.

15. Which of the following is not likely to appear as a state breach notification requirement?
A. Notifications to the three major CRAs to monitor for identity theft
B. Notification to state regulators about individuals affected in their state
C. A notification to the families of victims to warn them of potential identity fraud
D. Notice to local media outlets, in case all affected individuals cannot be contacted

16. What individual within an organization is likely to bear overall responsibility for a privacy program?
A. CIO
B. CFO
C. CPO
D. CEO

17. Tom recently filled out a survey about his political and religious views. The survey data is maintained by a nonprofit research organization. What term best describes Tom's role with respect to this data?
A. Data controller
B. Data processor
C. Data steward
D. Data subject

18. It is probably permissible to use a polygraph test in preemployment screening for all of the following jobs, except:
A. U.S. Treasury employee
B. Daycare worker
C. Armored car driver
D. Pharmacist

19. Which one of the following firms was sanctioned by the Federal Trade Commission (FTC) after an investigation showed that they were not diligently carrying out privacy program recertifications of their clients?
A. Snapchat
B. Nomi
C. TRUSTe
D. GeoCities

20. The Washington State Biometric Privacy Law protects all of the following forms of biometric data except:
A. Fingerprint
B. Eye retinas
C. Voiceprint
D. Photographs

Answers to Assessment Test

1. C. The two types of liability are criminal and civil. Only governmental prosecutors may bring a court case alleging criminal liability. Anyone may bring a case alleging civil liability.

2. D. Under the Fair Credit Reporting Act (FCRA), a consumer report becomes an investigative report when the process includes interviews with a person's contacts to learn more about factors in the report such as “mode of living.”

3. B. The Telemarketing Sales Rule (TSR) does provide an existing business relationship (EBR) exemption that would allow Dana's ISP to call her even though she has added her phone number to the national do‐not‐call registry.

4. D. The National Labor Relations Board (NLRB) has ruled that certain management actions, such as targeting labor union advocates for surveillance, may be seen as attempts at employee intimidation to discourage lawful union activity.

5. B. Appropriation is the unauthorized use of someone's name or likeness. False light is a legal term that applies when someone discloses information that causes another person to be falsely perceived by others. The public disclosure of private facts involves the disclosure of truthful information when the release of that information would offend a reasonable person. Invasion of solitude is a physical or electronic intrusion into the private affairs of a person.

6. D. Not every user requires the same level of training. Organizations should use role‐based training to make sure that individuals receive the appropriate level of training based on their job responsibilities.

7. A. Personally identifiable information (PII) includes any information that uniquely identifies an individual person, including customers, employees, and third parties.

8. B. Privacy programs should encompass all personal information handled by the organization. This would include employee payroll records, job candidate application records, and customer transaction records. Manufacturing work orders would not normally contain personal information and, therefore, would not be included in the scope of a privacy program.

9. C. The Bank Secrecy Act (BSA) requires that financial institutions maintain records to make transactions traceable and to monitor transactions for signs of money laundering.

10. D. Federal agencies often enter into consent decrees that prohibit offending firms from engaging in offending behavior in the future and often impose substantial fines.

11. C. The legislative branch powers are defined in Article I of the U.S. Constitution. Executive branch powers are defined in Article II of the U.S. Constitution. Judicial branch powers are defined in Article III of the U.S. Constitution.

12. B. The Fair and Accurate Credit Transactions Act (FACTA) includes specialized guidance for organizations that use consumer reports. The basic requirement of the FACTA Disposal Rule is that covered organizations must take “reasonable measures to protect against unauthorized access or use of the information in connection with its disposal.”

13. B. These are all examples of checks and balances. However, only veto power is an executive branch power. The power of the purse and confirmation of nominees are legislative branch powers. Judicial review is a judicial branch power.

14. D. Antidiscrimination laws incentivize employers to minimize the collection and use of personal information about a person's race, religion, sex, or any other information about their status as a member of a protected class in order to lower the risk of any discriminatory decision making.

15. C. Although state breach notification laws require notifications to many different parties, none currently require notification to the families of victims.

16. C. The chief privacy officer (CPO) of an organization often bears overall responsibility for carrying out the organization's privacy program. Other executive officers, including the chief executive officer (CEO), chief information officer (CIO), and chief financial officer (CFO) may have shared responsibility, but the CPO has primary accountability.

17. D. Tom is the individual about whom the data was collected. Therefore, he can be best described as the data subject in this instance.

18. B. The Employee Polygraph Protection Act (EPPA) forbids the use of polygraph tests for employment purposes for all but a few jobs. Exceptions include government agencies, certain private security jobs, and certain pharmaceutical positions.

19. C. TRUSTe is a privacy firm that provides other companies with certifications of their privacy practices. The FTC charged them with failing to conduct annual recertifications of clients, as required.

20. D. The state of Washington excludes photographs, video, and audio recordings from its definition of protected biometric data.

Chapter 1: Privacy in the Modern Era

THE CIPP/US EXAM OBJECTIVES COVERED IN THIS CHAPTER INCLUDE:

Domain I. Introduction to the U.S. Privacy Environment

I.C. Information Management from a U.S. Perspective

I.C.b Privacy program development

I.C.c Managing user preferences

I.C.f Accountability

I.C.h Online privacy

I.C.i Privacy notices

Privacy concerns surround us in our daily lives. We hear troubling reports of companies acquiring and misusing personal information about their customers. News stories inform us of data breaches where massive quantities of personal information wound up in unknown hands. Legislators at the federal and state levels debate these issues and often pass new laws regulating different aspects of privacy.

We are left to navigate a confusing environment full of ambiguous and overlapping ethical obligations, laws, regulations, and industry standards. Companies and consumers alike find themselves confused about the requirements they face and the appropriate course of action. Privacy professionals play a crucial role in helping their organizations navigate these confusing waters.

Introduction to Privacy

Privacy is one of the core rights inherent to every human being. The term is defined in many historic works, but they all share the basic tenet of individuals having the right to protect themselves and their information from unwanted intrusions by others or the government. Let's take a brief look at the historical underpinnings of privacy in the United States.

In 1890, Samuel D. Warren and a young lawyer named Louis D. Brandeis wrote an article for the Harvard Law Review titled “The Right to Privacy.” In that article, they wrote:

Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual … the right “to be let alone.” Instantaneous photographs and newspaper enterprises have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that “what is whispered in the closet shall be proclaimed from the house‐tops.” For years there has been a feeling that the law must afford some remedy for the unauthorized circulation of portraits of private persons; and the evil of the invasion of privacy by the newspapers, long keenly felt, has been but recently discussed by an able writer.

Reading that excerpt over a century later, it's easy to see echoes of the authors' concerns about technology in today's world. We could just as easily talk about the impact of social media, data brokerages, and electronic surveillance as having the potential to cause “what is whispered in the closet to be proclaimed from the house‐tops.”

The words of this young attorney might have slipped into obscurity were it not for the fact that in 1916 Brandeis would ascend to the Supreme Court where, as Justice Brandeis, he would take the concepts from this law review article and use them to argue for a constitutional right to privacy. In a dissenting opinion in the 1928 case Olmstead v. United States, Justice Brandeis wrote:

The makers of our Constitution undertook to secure conditions favorable to the pursuit of happiness … They conferred, as against the Government, the right to be let alone—the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the Government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment.

This text, appearing in a dissenting opinion, was not binding upon the courts, but it has surfaced many times over the years in arguments establishing a right to privacy as that right “to be let alone.” Recently, the 2018 majority opinion of the Court in Carpenter v. United States cited Olmstead in holding that the government's warrantless acquisition of historical cell phone location records violated the Fourth Amendment, saying:

As Justice Brandeis explained in his famous dissent, the Court is obligated—as “[s]ubtler and more far‐reaching means of invading privacy have become available to the Government”—to ensure that the “progress of science” does not erode Fourth Amendment protections. Here the progress of science has afforded law enforcement a powerful new tool to carry out its important responsibilities. At the same time, this tool risks Government encroachment of the sort the Framers, “after consulting the lessons of history,” drafted the Fourth Amendment to prevent.

This is just one example of many historical precedents that firmly establish a right to privacy in U.S. law and allow the continued reinterpretation of that right in the context of technologies and tools that the authors of the Constitution could not possibly have imagined.

What Is Privacy?

It would certainly be difficult to start a book on privacy without first defining the word privacy, but this is a term that eludes a common definition in today's environment. Legal and privacy professionals who are asked this question often harken back to the words of Justice Brandeis, describing privacy simply as the right “to be let alone.”

In their Generally Accepted Privacy Principles (GAPP), the American Institute of Certified Public Accountants (AICPA) offers a more hands‐on definition, describing privacy as “the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and destruction of personal information.”

The GAPP definition may not be quite as pithy and elegant as Justice Brandeis's right “to be let alone,” but it does provide privacy professionals with a better working definition that they can use to guide their privacy programs, so it is the definition that we will adopt in this book.

What Is Personal Information?

Now that we have privacy defined, we're led to another question. If privacy is about the protection of personal information, what information fits into this category? Here, we turn our attention once again to GAPP, which defines personal information as “information that is or can be about or related to an identifiable individual.”

More simply, if information is about a person, that information is personal information as long as you can identify the person that it is about. For example, the fairly innocuous statement “Mike Chapple and Joe Shelley wrote this book” fits the definition of personal information. That personal information might fall into the public domain (after all, it's on the cover of this book!), but it remains personal information.

You'll often hear the term personally identifiable information (PII) used to describe personal information. The acronym PII is commonly used in privacy programs as a shorthand notation for all personal information.

Of course, not all personal information is in the public domain. There are many other types of information that fit into this category that most people would consider private. Our bank balances, medical records, college admissions test scores, and email communications are all personal information that we might hold sensitive. This information fits into the narrower category of sensitive personal information (SPI). For example, the European Union's General Data Protection Regulation (GDPR) includes a listing of “special categories of personal data,” which include

Racial or ethnic origin

Political opinions

Religious or philosophical beliefs

Trade union membership

Genetic data

Biometric data used for the purpose of uniquely identifying a natural person

Health data

Data concerning a natural person's sex life or sexual orientation

GDPR uses this list to create special boundaries and controls around the categories of information that EU lawmakers found to be most sensitive.

What Isn't Personal Information?

With a working knowledge of personal information under our belts, it's also important to make sure that we have a clear understanding about what types of information do not fit the definition of personal information and, therefore, fall outside the scope of privacy programs.

First, clearly, if information is not about a person, it is not personal information. Information can be sensitive, but not personal. For example, a business's product development plans or a military unit's equipment list might both be very sensitive but they aren't about people, so they don't fit the definition of personal information and would not be included within the scope of a privacy program.

Second, information is not personal information if it does not provide a way to identify the person that the information is about. For example, consider the height and weight information presented in Table 1.1.

TABLE 1.1 Height and weight information

Name             Age   Gender   Height   Weight
Mary Smith       43    F        5′9″     143 lbs
Matt Jones       45    M        5′11″    224 lbs
Kevin Reynolds   32    M        5′10″    176 lbs

This information clearly fits the definition of personal information. But what if we remove the names from this table, as shown in Table 1.2?

TABLE 1.2 Anonymized height and weight information

Age   Gender   Height   Weight
43    F        5′9″     143 lbs
45    M        5′11″    224 lbs
32    M        5′10″    176 lbs

Here, we have a set of information that is about an individual, but it doesn't seem to be about an identifiable individual, making it fall outside the definition of personal information. However, we must be careful here. What if this table was known to be the information about individuals in a certain department? If Mary Smith is the only 43‐year‐old female in that department, it would be trivial to determine that the first row contains her personal information, making it once again identifiable information.

This leads us to the concept of anonymization, the process of taking personal information and making it impossible to identify the individual to whom the information relates. As illustrated in our height and weight example, simply removing names from a table of data does not necessarily anonymize that data. Anonymization is actually a quite challenging problem and requires the expertise of privacy professionals.

The U.S. Department of Health and Human Services (HHS) publishes a de‐identification standard that may be used to render information unidentifiable using two different techniques:

Expert determination

requires the involvement of a trained statistician who analyzes a de‐identified dataset and determines that there is very little risk that the information could be used to identify an individual, even if that information is combined with other publicly available information.

Safe harbor

requires the removal of 18 different types of information to remove direct and indirect links to an individual. These include

Names

Geographic divisions and ZIP codes containing fewer than 20,000 people

The month and day of a person's birth, death, hospital admission or discharge, or the age in years of a person over 89

Telephone numbers

Fax numbers

Email addresses

Social Security numbers

Medical record numbers

Health plan beneficiary numbers

Account numbers

Certificate/license numbers

Vehicle identifiers and serial numbers, including license plate numbers

Device identifiers and serial numbers

Web URLs

IP addresses

Biometric identifiers, including finger and voice prints

Full‐face photographs and any comparable images

Any other uniquely identifying number, characteristic, or code

The HHS de‐identification standards cover medical records, so they include fields specific to medical records. You may use them as general guidance for the de‐identification of other types of record, but you must also supplement them with industry‐specific fields that might identify an individual. You can read the full HHS de‐identification standard at www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#standard.

We will cover how this standard fits into the broader requirements of the Health Insurance Portability and Accountability Act (HIPAA) in Chapter 5, “Private Sector Data Collection.” We only discuss it here as an example of the difficulty of anonymizing personal information.

Closely related to anonymization is the process of aggregation, summarizing data about a group of individuals in a manner that makes it impossible to draw conclusions about a single person. For example, we might survey all the students at a university and ask them their height and weight. If the students included any identifying information on their survey responses, those individual responses are clearly personal information. However, if we provide the summary table shown in Table 1.3, the information has been aggregated to an extent that renders it nonpersonal information. There is no way to determine the height or weight of an individual student from this data.

TABLE 1.3 Aggregated height and weight information

Gender   Average Height   Average Weight
F        5′5″             133 lbs
M        5′10″            152 lbs
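The three ideas above (dropping names leaves quasi-identifiers that re-identify, the Safe Harbor scrub of identifiers and date/age/ZIP fields, and aggregation as a last step) can be made concrete in a few lines. The following is an added example, not code from the book, from HHS, or from any privacy tool. The `RECORDS` rows are constructed to mirror Table 1.1 with a few extra HIPAA-style fields, and the `SPARSE_ZIP3` set is an assumed placeholder for the census-derived list of three-digit ZIP prefixes that Safe Harbor requires to be zeroed; a real implementation must look that list up rather than copy this one. It also goes one step past the text: the aggregation function suppresses any group smaller than `min_group`, because an "average" over a group of one is that person's exact value and is still personal information.

```python
"""Added example (not from the book or HHS): why removing names does not
anonymize a table, a simplified HIPAA Safe Harbor scrub, and aggregation with
small-group suppression. Every record below is constructed for this example."""
from collections import Counter, defaultdict
from statistics import mean

# Constructed rows in the shape of Table 1.1, extended with ZIP, date of birth
# and email so the Safe Harbor rules have something to act on.
RECORDS = [
    {"name": "Mary Smith", "age": 43, "gender": "F", "height_in": 69, "weight_lb": 143,
     "zip": "46556", "dob": "1980-03-14", "email": "mary@example.com"},
    {"name": "Matt Jones", "age": 45, "gender": "M", "height_in": 71, "weight_lb": 224,
     "zip": "46556", "dob": "1978-07-02", "email": "matt@example.com"},
    {"name": "Kevin Reynolds", "age": 32, "gender": "M", "height_in": 70, "weight_lb": 176,
     "zip": "03601", "dob": "1991-11-30", "email": "kevin@example.com"},
]

# Quasi-identifiers: not names, but they single a person out once combined with
# outside knowledge ("the only 43-year-old woman in that department").
QUASI_IDENTIFIERS = ("age", "gender")


def drop_names(records):
    """The Table 1.2 transformation: remove the direct identifier and nothing else."""
    return [{k: v for k, v in r.items() if k != "name"} for r in records]


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest group of rows that share the same quasi-identifier
    values. k == 1 means some row is unique on (age, gender) and can be
    re-identified by anyone who knows those two facts about a person in the set."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(counts.values())


def reidentify(anonymized, known_age, known_gender):
    """Link outside knowledge (age, gender) back to rows; a single hit is a re-identification."""
    return [r for r in anonymized if (r["age"], r["gender"]) == (known_age, known_gender)]


# HIPAA Safe Harbor reduced to the fields present in RECORDS. The full rule lists
# 18 identifier categories (phone, SSN, medical record numbers, IP, URLs, ...).
DIRECT_IDENTIFIERS = {"name", "email"}
# ASSUMPTION for this example: three-digit ZIP prefixes whose area holds fewer
# than 20,000 people must become "000". The real set is census-derived; this set
# is an illustrative placeholder, not an authoritative list.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
               "830", "831", "878", "879", "884", "890", "893"}


def safe_harbor(record):
    """Return a copy with direct identifiers removed and the date, age and ZIP
    fields generalized the way Safe Harbor requires."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "dob":
            out["birth_year"] = value[:4]                 # month and day are identifiers; keep the year
        elif key == "age":
            out["age"] = "90+" if value > 89 else value   # every age over 89 collapses into one bucket
        elif key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in SPARSE_ZIP3 else zip3
        else:
            out[key] = value
    return out


def aggregate(records, min_group=2):
    """The Table 1.3 summary: per-gender averages. A group with fewer than
    min_group members is suppressed rather than averaged, because the average
    over one person is that person's exact value."""
    groups = defaultdict(list)
    for r in records:
        groups[r["gender"]].append(r)
    summary = {}
    for gender, rows in groups.items():
        if len(rows) < min_group:
            summary[gender] = {"n": len(rows), "suppressed": True}
        else:
            summary[gender] = {
                "n": len(rows),
                "avg_height_in": round(mean(r["height_in"] for r in rows), 1),
                "avg_weight_lb": round(mean(r["weight_lb"] for r in rows), 1),
            }
    return summary


if __name__ == "__main__":
    stripped = drop_names(RECORDS)
    print("k-anonymity after dropping names:", k_anonymity(stripped))
    print("rows matching a known (43, F):", reidentify(stripped, 43, "F"))
    print("safe harbor:", [safe_harbor(r) for r in RECORDS])
    print("aggregate with suppression:", aggregate(RECORDS))
```

Running it shows `k_anonymity` of 1 for the name-stripped table, so knowing only "43, F" returns exactly Mary Smith's row; `safe_harbor` drops the name and email, keeps only the birth year, and zeroes the 036 ZIP prefix; and `aggregate` reports the two-member M group but suppresses the one-member F group, the case Table 1.3 sidesteps by averaging over a whole university.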

Why Should We Care About Privacy?

Protecting privacy is hard work. Privacy programs require that organizations invest time and money in an effort that does not necessarily provide a direct financial return on that investment. This creates an opportunity cost, as those resources could easily be deployed in other areas of the organization to have a direct impact on the mission. Why, then, should organizations care about privacy?

Privacy is an ethical obligation.

  Organizations that are the custodians of personal information have a moral and ethical obligation to protect that information against unauthorized disclosure or use.

Laws and regulations require privacy protections.

  Depending on the nature of an organization's operations and the jurisdiction(s) where it operates, it may face legal and contractual obligations to protect privacy. Much of this book is dedicated to exploring these obligations.

Poor privacy practices reflect poorly on an organization.

  The failure to protect privacy presents a reputational risk to the organization, which may suddenly find its poor privacy practices covered on the front page of the Wall Street Journal. The reputational impact of a privacy lapse may have a lasting effect on the organization.

Generally Accepted Privacy Principles

Now that you have a basic understanding of the types of information covered by a privacy program and the reasons that organizations pay particular attention to protecting the privacy of personal information, we can start to explore the specific goals of a privacy program. These goals answer the question “What do we need to do to protect privacy?”

The Generally Accepted Privacy Principles (GAPP) are an attempt to establish a global framework for privacy management. GAPP includes 10 principles that were developed as a joint effort between two national accounting organizations: AICPA and the Canadian Institute of Chartered Accountants (CICA). These two organizations sought expert input to develop a set of commonly accepted privacy principles.

The 10 GAPP principles are

Management

Notice

Choice and Consent

Collection

Use, Retention, and Disposal

Access

Disclosure to Third Parties

Security for Privacy

Quality

Monitoring and Enforcement

The remainder of this section explores each of these principles in more detail.

Exam Note

GAPP is one of many frameworks designed to help privacy professionals articulate the goals of their privacy programs and industry best practices. Other similar frameworks include the Fair Information Practice Principles (FIPPs) and the Organisation for Economic Co‐operation and Development's Privacy Guidelines.

We present GAPP to you in this chapter as a framework to help you understand the basic requirements of privacy programs. The GAPP principles are not included in the CIPP/US exam objectives, so you shouldn't see exam questions specifically covering them.

You will see many of these principles come up repeatedly in federal, state, and international laws that are covered by the exam objectives, so expect to see questions covering these concepts, just not in the context of GAPP.

Management

Management is the first of the 10 privacy principles and GAPP defines it as follows: “The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.” The GAPP standard then goes on to list a set of criteria that organizations should follow to establish control over the management of their privacy program.

These criteria include

Creating written privacy policies and communicating those policies to personnel

Assigning responsibility and accountability for those policies to a person or team

Establishing procedures for the review and approval of privacy policies and changes to those policies

Ensuring that privacy policies are consistent with applicable laws and regulations

Performing privacy risk assessments on at least an annual basis

Ensuring that contractual obligations to customers, vendors, and partners are consistent with privacy policies

Assessing privacy risks when implementing or changing technology infrastructure

Creating and maintaining a privacy incident management process

Conducting privacy awareness and training and establishing qualifications for employees with privacy responsibilities

Notice

The second GAPP principle, notice, requires that organizations inform individuals about their privacy practices. GAPP defines notice as follows: “The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.”

The notice principle incorporates the following criteria:

Including notice practices in the organization's privacy policies

Notifying individuals about the purpose of collecting personal information and the organization's policies surrounding the other GAPP principles

Providing notice to individuals at the time of data collection, when policies and procedures change, and when the organization intends to use information for new purposes not disclosed in earlier notices

Writing privacy notices in plain and simple language and posting them conspicuously

Choice and Consent

Choice and consent is the third GAPP principle, allowing individuals to retain control over the use of their personal information. GAPP defines choice and consent as follows: “The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.”

The criteria associated with the principle of choice and consent are as follows:

Including choice and consent practices in the organization's privacy policies

Informing individuals about the choice and consent options available to them and the consequences of refusing to provide personal information or withdrawing consent to use personal information

Obtaining implicit or explicit consent at or before the time that personal information is collected

Notifying individuals of proposed new uses for previously collected information and obtaining additional consent for those new uses

Obtaining direct explicit consent from individuals when the organization collects, uses, or discloses sensitive personal information

Obtaining consent before transferring personal information to or from an individual's computer or device

Collection

The principle of collection governs the ways that organizations come into the possession of personal information. GAPP defines this principle as follows: “The entity collects personal information only for the purposes identified in the notice.”

The criteria associated with the collection principle are as follows:

Including collection practices in the organization's privacy policies

Informing individuals that their personal information will only be collected for identified purposes

Including details on the methods used to collect data and the types of data collected in the organization's privacy notice

Collecting information using fair and lawful means and only for the purposes identified in the privacy notice

Confirming that any third parties who provide the organization with personal information have collected it fairly and lawfully and that the information is reliable

Informing individuals if the organization obtains additional information about them

Use, Retention, and Disposal

Organizations must maintain the privacy of personal information throughout its lifecycle. That's where the principle of use, retention, and disposal plays an important role. GAPP defines this principle as follows: “The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.”