V. SURVEY OF FEDERAL STATUTORY PROVISIONS AND FEDERAL AGENCY ACTIONS
Pages 26-34



From page 26...
... tions, the First and Fourteenth Amendments also offer theories of protecting information associated with individuals. For ex- ...
... Early Federal Statutory Efforts to Address Privacy
Understanding two particular 1970s statutes is critical to understanding the U.S.
From page 27...
... The ability to seek damages against data holders who fail to meet those standards is also a common feature.
... covered information.130 But generally, information sought for law enforcement investigative purposes will require some legal process requirement like a court order.131 Exceptions exist for access related to counterterrorism and national security.
From page 28...
... The court approved certification over an argument by the defendant that certifying a class action where the likely plaintiffs would have no actual damages and only an entitlement to statutory awards would result in an unreasonable penalty for failure to comply with FACTA.
... ing individuals, access to files maintained by governmental entities. Its terms specifically apply only to data maintained by the federal government, but those provisions have been used as a model by state and local entities seeking to provide their own ...
From page 29...
... District Court for the Northern District of Texas, Dallas Division, dismissed a nationwide putative class action claim filed under the SCA against American Airlines (American).153 The complaint asserted that the putative class was allegedly injured when ...
... nationwide putative class action claim filed under the SCA against a company called "24/7"167 for the same malware attack in the Pica case, but used different grounds for its decision.168 As to the Section 2701 claim, the court found that "Plaintiff's consumer data is not a 'facility' (i.e., servers and databases) ...
From page 30...
... Supreme Court, in April 2020, agreed to hear Van Buren v. United States, a case that will determine whether it is a federal crime for someone authorized to access information on a computer system to access that information for an unauthorized purpose.176 In Van Buren, a police sergeant was convicted under the CFAA for selling license plate information obtained from a police database, and the U.S.
... Rule.186 The Privacy Rule contains a provision that specifically addresses the wrongful disclosure of individually identifiable health information with penalties including both fines and imprisonment.187 HIPAA also contains a provision that states its effect on state law as it relates to public health issues.188 In this regard, HIPAA ...
From page 31...
... Department of Labor's Office of Occupational Safety and Health Administration (OSHA) issued interim Guidance that classified COVID-19 as a recordable illness, making it reportable to OSHA if the em- ...
... responders, and public health authorities with the individual's HIPAA authorization under certain circumstances.191 It is important to emphasize that the HIPAA Privacy Rule192 applies only to covered entities or their business associates.
From page 32...
... access to and exchange of health information.211 The ONC final rule prohibits "information blocking" of electronic health information (EHI) ...
... 219 FISMA2014 replaced the Federal Information Security Management Act of 2002 (FISMA).220 FISMA2014 requires that ...
From page 33...
... which provides a template for use in information system planning.225 Previously it was thought that information security planning was completed with system accreditation through the certification and accreditation process defined in NIST Special Publication 800-837.226 However, that guidance was subsequently revised to recognize the reality of rapid information system ...
... ,232 has very detailed information on developing a data security policy and highlights the CJIS Security Policy approach. Section 4.1 of the Policy233 defines CJI to include the following data sets housed by the FBI CJIS architecture: 1.
From page 34...
... 248 Enacted in 1999, the GLBA removed barriers that prohibited any one institution from acting as a combination of an investment bank, a commercial bank, and an insurance company.249 Key provisions under GLBA include the Financial Privacy Rule,250 the Safeguards Rule,251 and Pretexting Protection.252 The GLBA Financial Privacy Rule defines what constitutes a "financial institution."253 The FTC has published advice that retailers offering credit directly to consumers by issuing its own credit card are considered to be significantly engaged in finan- ...
... ployees to recognize and deflect inquiries made under pretext.261 The GLBA provisions and rules provide stringent and comprehensive requirements for dealing with nonpublic information that may provide insights for developing data collection and data sharing policies in the airport space. Given the fact that the GLBA Privacy Rule and Safeguard Rule are authored by the FTC, which is principally responsible for privacy enforcement across a range of activities, airports should familiarize themselves with them as they prepare their privacy policies and practices to safeguard data, particularly data relating to financial matters.

