Data Loss Prevention

Data Loss Prevention Copyright Doug Knehr

Click on the above link for a condensed view of my deep research and expertise in DLP (Data Loss Prevention) covering the following areas:

Note: also view the information governance blogs posted here.

• Identify and monitor many categories of sensitive information
• Monitor and control the movement of sensitive information across enterprise networks
• Monitor and control the movement of sensitive information on end-user systems

Document fingerprinting
Exchange Server 2013
Government forms
Health Insurance Portability and Accountability Act (HIPAA) compliance forms
Employee information forms for Human Resources departments
Custom forms created specifically for your organization

DLP Concerns


Douglas S. Knehr Esq.,MBA, CIPM, CIPP, CISSP (Training)



US Privacy Laws Workplace Investigations Notifications

US Privacy Laws Workplace Investigations Notifications Copyright Douglas Knehr -2 of 2

Click on the above link for a condensed view of my deep research and expertise in US-based data privacy laws as they apply to the workplace, investigations and notifications, covering the following areas:

Information security and data breach notification laws continued
How to notify
Connecticut requirements
New York and North Carolina have specific online forms for reporting
The CRA’s designated email addresses for breach notification reports
Exceptions to the notification
Penalties and right of action
State data destruction laws
North Carolina
Arizona applies only to paper records
Alaska authorizes private action
California requires records unreadable or undecipherable to any means
Illinois and Utah apply only to government entities
New York applies only to for-profit businesses
Privacy issues investigations and litigation
Disclosures required permitted or forbidden by law
Civil litigation
Privacy issues in law enforcement investigations and constitutional effects under the Fourth Amendment
Federal law pertaining to
National security investigations

Workplace privacy
The US does not have an overarching or organized law for employment privacy
Constitutional law
State contract, tort and statutory law
Federal laws dealing with employment privacy
Workplace privacy




US Privacy Laws Broad Picture 1 of 2

US Privacy Laws Broad Categories Copyright Douglas Knehr -1 of 2

Click on the above link for a condensed view of my deep research and expertise in US Privacy Laws covering the following areas:

Risk of using personal information improperly
Legal risks
Operational risks
Understanding laws
Notice which serves two purposes
Access to view personal information held by the organization
Regulatory authorities
FTC has the general authority to enforce unfair and deceptive trade practices
Federal banking regulatory agencies
Department of Health and Human Services
Department of Homeland Security
Department of Commerce and DOT share enforcement of the Safe Harbor between the US and EU
Sources of law in the United States
United States Constitution
Regulation rules
Case law
Consent decree
Contract law requiring offer, acceptance and consideration
Tort law
Structure of US Laws
Types of litigation
Enforcement of laws
New Hampshire breach notification law
Who is covered
Types of info covered
Exact requirements
What's required
Who enforces
What happens if I don't comply
Why does the law exist
Medical privacy laws HIPAA and GINA
Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was updated by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
HITECH Health Information Technology for Economic and Clinical Health
Genetic Information Nondiscrimination Act of 2008 (GINA)
Financial privacy
Fair Credit Reporting Act (FCRA)
Fair and Accurate Credit Transactions Act (FACTA) of 2003
GLBA Gramm-Leach-Bliley Act of 1999
California SB-1, the California Financial Information Privacy Act
Anti-Money Laundering laws
Dodd-Frank Wall Street Reform and Consumer Protection Act 2010
Consumer Financial Protection Bureau (CFPB)
Education records
Family Educational Rights and Privacy Act of 1974 (FERPA) (Buckley Amendment)
Protection of Pupil Rights Amendment Act 1970 (PPRA)
When a student turns 18, the student, rather than the parent, controls the rights connected to education records, including grades

Telecommunication and marketing privacy laws
Communication channels
Information collected by telecommunication companies
Information security and data breach notification laws
Privacy statutes about online activities
COPPA Children's Online Privacy Protection Act of 1998
California online privacy protection act of 2003
Telecommunications and marketing laws continued
Information management program to create policies and procedures for following departments
Direct marketing
Human resources
International data flows and proper contracts
Publishing online privacy notices once data is collected
Steps to building information management privacy program
Data sharing and transfer
Privacy policies and disclosure (internal, to communicate internally within the corporation)
Managing user preferences and access requests
Data Retention
Incident Response
Contract and vendor management
Data Preference & Access
Payment Card Industry Data Security Standard (PCI DSS)
Digital Advertising Alliance (DAA), which uses an icon program
Uses third-party privacy seal and certification programs such as
Preemption Issues
Federal Preemption is based on
FACTA preempts stricter state laws
State law can preempt GLBA
State AGs can enforce HIPAA and GLBA
State Enforcement of privacy laws
Each state has a section comparable to Section 5 of the FTC Act, commonly known as unfair and deceptive acts and practices (UDAP) statutes
State Public Utilities commissions
Private rights of action Privacy Torts
Contract theory
Review the National Association of Attorneys General consumer protection project
Federal regulators and enforcement of privacy
X other federal agencies to consider
Workplace privacy
Telemarketing and marketing privacy
Education privacy
Financial privacy Gramm-Leach-Bliley Act
Medical privacy
Future consumer privacy Bill of Rights from the White House report
Cross-border enforcement issues

Global Privacy Considerations

Privacy – Global Considerations – Copyright Doug Knehr Esq

Click on the above link for a condensed view of my deep research and expertise in Global Privacy Considerations covering the following areas:

Choice & Consent: access to review, to opt in or opt out
Management and administration to define, document and communicate the privacy policies and procedures, assign accountability for them, and monitor them
Data Subject Access
Rights: Consent and Choice

Sectoral – United States and Japan
Co-regulatory and self-regulatory – Australia
General Laws –

Sectors of privacy and data protection laws
Financial sector
Telecommunication sector
Online privacy
Human resources
Smart grid information
Direct Marketing
Administrative policies and procedures for the organization; see p. 24 for the responsible management processes for data privacy compliance exhibit
Technical safeguards such as passwords and authentication
Physical safeguards

Information lifecycle Principles
Disclosure & Transfer
Storage and destruction

Information security
Management and Administration
There are three key attributes: confidentiality, integrity and availability
Controls on Information
Security controls – the actual processes used to ensure the security of an information system
Information security is the protection of information from unauthorized access, use and disclosure, while information privacy also concerns rules for the collection and handling of personal information
See the privacy versus security exhibit at page 78
Security Requirement Sources
Human resources information security
Physical and environmental information security
Intrusion detection and prevention
Perimeter controls to safeguard entire network environments from outside penetration
Security monitoring of IDS, IPS and other perimeter controls through the analysis of log files or reports generated by computer software applications
External threat management
Incident management and data breach notification
Monitoring in compliance

Online Security
Web User Authentication
Online privacy
Web infrastructure
Privacy considerations for online information

Fair information practices
1973 US Department of Health, Education and Welfare fair information practice principles
OECD – 1980 Organisation for Economic Co-operation and Development Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (the OECD Guidelines)
1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the COE Convention), codified in 1995 under the EU Data Protection Directive
Asia-Pacific Economic Cooperation (APEC)
European Union 1995
2009 Madrid resolution international standards on the protection of personal data and privacy
Shared categories of all FIPs (fair information practices)
Middle East – few PI laws but Israel deemed adequate
Privacy risk assessments
Privacy notice
Policy vs Notice
Information assets of an organization
Privacy Classes
Data Protection Authority
Data Controller
data processor
Data subject




Online Behavioral Advertising Considerations

OBA Online Behavioral Advertising Considerations Copyright Douglas Knehr 609-635-2226

Click on the above link for a condensed view of my deep research and expertise in online behavioral advertising considerations covering the following areas:

Regulation – Government
Four central FTC principles
The overarching theme is the need for simplified consumer choice relating to information collection, use and disclosure.
FTC Staff report
Regulation – Self-regulation – Industry
Digital Advertising Alliance (DAA)
places compliance obligations on publishers
DAA Program Components
Industry Website guidance
Browser Based Tools




Mobile Apps Broad Privacy Implications

Mobile Apps Broad Privacy Implications Copyright Douglas Knehr

Click on the above link for a condensed view of my deep research and expertise in Mobile Apps – Broad Privacy Implications covering the following areas:

Mobile App Information Collection
General info collected
Purpose of collection
Info is shared with third parties to
Tracking Technology

Legal Concerns

California Online Privacy Protection Act (CalOPPA)
California's Privacy Rights for California Minors in the Digital World Act permits
General Claims and causes of action for violations
Children’s Online Privacy and Apps

Best Practices

Truthful advertising.
Clear and conspicuous disclosures
Privacy promises
Data security.
FTC Guidance
FTC Focus
Payment Guidance
Making a mobile app’s general privacy policies easy to understand and readily available before a user downloads the app.
Making readily available from within an app both:
a short privacy statement highlighting potentially unexpected practices; and
privacy controls that allow users to make, review and change their privacy choices.




Mobile App Privacy Compliance Considerations

Mobile App Privacy Compliance Checklist Douglas S Knehr Copyright

Click on the above link for a condensed view of my deep research and expertise in Mobile App Privacy Compliance Considerations covering the following areas:

Mobile application categories
Hacking Defense Strategies (20+ things you can do to prevent hacking)

General Considerations
Security by Design Considerations
Consider traditional and non-traditional PI
Know the Business Rationale
Maintain Technical and Legal Control
Info collected automatically
Comply with Industry-specific Laws
Commission Privacy Reviews or Audits
Requested information
Commission privacy reviews or audits

Industry regulations

