Business Privacy Law Handbook.
Title:
Business Privacy Law Handbook.
Author:
Kennedy, Charles H.
ISBN:
9781596931770
Personal Author:
Physical Description:
1 online resource (340 pages)
Contents:
Contents -- Preface -- Introduction: A Systematic Approach to U.S. Privacy Law Compliance -- The Approach to Privacy Compliance -- Step I. Narrowing the Legal Field-the First Cut -- Step II. Narrowing the Legal Field 2-Sharpening the Focus -- Step III. Identifying Compliance Requirements -- Step IV. Assessing Your Compliance -- Step V. Developing and Implementing Compliant Policies and Practices -- Notes -- PART I Information About Consumers and Customers -- CHAPTER 1 Collection and Use of Personal Information on the Internet -- 1.1 Should You Have a Privacy Policy? If So, What Should It Say? -- 1.2 What Happens If You Violate Your Privacy Policy? -- 1.2.1 Federal Regulatory Enforcement -- 1.2.2 State Actions -- 1.2.3 Private Actions-The Airlines Litigation and Other Lawsuits -- 1.3 Collecting Information from Children: The Children's Online Privacy Protection Act -- 1.3.1 Is My Web Site Subject to COPPA? -- 1.3.2 How Do Web Sites Comply with COPPA? -- 1.3.3 COPPA Enforcement Proceedings -- Notes -- CHAPTER 2 Data Protection: The Evolving Obligation of Business to Protect Personal Information -- 2.1 The FTC's Data Security Standard -- 2.1.1 The Content of the FTC's Data Security Standard -- 2.1.2 How to Comply with the FTC Standard -- 2.2 State Enforcement Actions -- 2.3 State Secure Disposal Laws -- 2.4 Comprehensive State Data Security Protection Laws -- 2.4.1 The State Information Security Laws Apply to a Wide Range of Information and Media -- 2.4.2 The State Laws Protect Information at All Stages of Its Life Cycle -- 2.5 The States' Data Security Breach Notification Laws -- 2.6 Private Negligence Actions -- 2.7 A Data Security Assessment Proposal for Icarus Hang Gliders, Inc. -- 2.7.1 Asset Valuation and Classification -- 2.7.2 Risk Identification -- 2.7.3 Data Security Evaluation -- 2.7.4 Risk Management -- Notes.

CHAPTER 3 If Your Organization Is a Financial Institution: The Gramm-Leach-Bliley Act and Other Financial Privacy Legislation -- 3.1 The Gramm-Leach-Bliley Financial Modernization Act of 1999 -- 3.1.1 Financial Institutions and Activities Subject to the GLBA -- 3.1.2 Protecting Privacy Under the GLBA -- 3.2 The Right to Financial Privacy Act -- 3.3 The Fair Credit Reporting Act -- 3.3.1 Reporting Agencies May Furnish Reports Only as Permitted by FCRA -- 3.3.2 Reporting Agencies Must Maintain Accuracy of Information -- 3.3.3 Reporting Agencies Must Police Users -- 3.3.4 Reporting Agencies Must Permit Consumers to Review Consumer Report Information -- 3.3.5 Reporting Agencies and Users Must Observe Rules Concerning Investigative Consumer Reports -- 3.3.6 Reporting Agencies Must Delete Obsolete Information -- 3.3.7 Reporting Agencies May Not Report Medical Information Without Consumer Consent -- 3.3.8 Users Must Comply with FCRA -- 3.3.9 FACTA Amendments -- 3.3.10 FCRA Enforcement -- 3.3.11 State Regulation of Credit Reporting -- 3.4 Section 326 of the USA PATRIOT Act -- 3.5 Electronic Funds Transfer Act -- 3.6 State Financial Privacy Statutes -- Notes -- CHAPTER 4 If Your Organization Is an Electronic Communication Service Provider: The Electronic Communications Privacy Act and Stored Communications Act -- 4.1 Disclosing Customer Information -- 4.1.1 Disclosing the Contents of Communications -- 4.1.2 Disclosing Basic Subscriber Information -- 4.1.3 Disclosing Records or Other Information Pertaining to a Customer or Subscriber -- 4.2 Disclosure of Customer Records Under the First Amendment -- 4.3 Disclosure in Circumstances That May Violate Foreign Law -- Notes -- CHAPTER 5 If Your Organization Is a Provider of Health Care, Health Insurance, or Related Services -- 5.1 HIPAA -- 5.1.1 Entities Covered by HIPAA -- 5.1.2 Information Protected by HIPAA.

5.1.3 When PHI May Be Disclosed -- 5.1.4 The "Minimum Necessary" Principle -- 5.1.5 Rights of Notice, Access, and Amendment -- 5.1.6 Rights of Disclosure Accounting, Restriction, and Confidentiality -- 5.1.7 Covered Entity Compliance Measures -- 5.1.8 HIPAA Data Security Obligations -- 5.2 State Medical Privacy Statutes -- Notes -- CHAPTER 6 Doing Business in-or with- Europe: The European Union Data Protection Directive -- Notes -- PART II Information About Job Applicants and Employees -- CHAPTER 7 The Hiring Process -- 7.1 The Americans with Disabilities Act -- 7.2 Fair Credit Reporting Act -- 7.3 State Laws Restricting Employer Use of Credit Reports -- 7.4 Laws Restricting Use of Criminal Records -- 7.5 Requesting and Giving References -- 7.6 Other Restrictions on Pre-Employment Screening -- Notes -- CHAPTER 8 Internal Investigations and Other Aspects of the Employment Relationship -- 8.1 Internal Investigations -- 8.1.1 Workplace Searches -- 8.1.2 Labor Law Considerations in Internal Investigations -- 8.1.3 Civil Rights Laws and Regulations -- 8.1.4 Sexual Harassment Investigations -- 8.1.5 Other Considerations in Internal Investigations -- 8.2 Use of Credit Reports -- 8.3 Privacy of Employee Medical Records -- 8.4 Employees' Rights of Access to Personnel Files -- 8.5 Lie Detectors, Drug Tests, and Medical Tests -- 8.5.1 Lie Detectors -- 8.5.2 Drug Tests -- 8.5.3 Medical Tests -- Notes -- CHAPTER 9 Surveillance of Employees and Employee Communications -- 9.1 Telephone and E-Mail Communications -- 9.1.1 The ECPA and SCA -- 9.1.2 Compliance with State "Two-Party Consent" Statutes -- 9.2 Monitoring Employees' Internet Use -- 9.3 Video Surveillance of the Workplace -- Notes -- PART III Communicating with Customers and Consumers -- CHAPTER 10 Telemarketing -- 10.1 Conflicting Rules and Overlapping Jurisdiction.

10.2 The Federal Communications Commission's Telemarketing Regulations -- 10.2.1 Autodialers, Artificial Voices, Prerecorded Messages, and Other Issues -- 10.2.2 Time-of-Day Restrictions -- 10.2.3 The Federal Do-Not-Call List -- 10.2.4 Company-Specific DNC Lists -- 10.2.5 The EBR Exception -- 10.2.6 The "Caller ID" Requirements -- 10.3 The Federal Trade Commission's Telemarketing Regulations -- 10.4 Other Sources of Telemarketing Regulation -- Notes -- CHAPTER 11 Fax Advertising -- 11.1 Communications Covered by the Junk Fax Rules -- 11.2 The EBR Exception to the Junk Fax Rules -- 11.3 Notice and Opt-Out Requirements -- 11.4 Senders and Broadcasters -- 11.5 Transactional Communications -- 11.6 Conclusion -- Notes -- CHAPTER 12 Spam: Regulation of Commercial E-Mail -- 12.1 Federal Antispam Law: The CAN-SPAM Act of 2003 -- 12.1.1 The Act Applies Primarily to "Commercial Electronic Mail Messages" -- 12.1.2 Transactional or Relationship Messages -- 12.1.3 Opt-Out Requirements -- 12.1.4 Labeling Requirements -- 12.1.5 Aggravated Violations -- 12.1.6 Fraudulent or Misleading Practices -- 12.1.7 Antifraud Provisions Applicable to Multiple CEMMs -- 12.1.8 Antifraud Provisions Applicable to All CEMMs -- 12.1.9 Antifraud Provisions Applicable to CEMMs and Transactional or Relationship Messages -- 12.1.10 How the Act Is Enforced -- 12.1.11 State Antispam Laws Are Partially Preempted -- 12.1.12 FTC Rulemaking Proceedings -- 12.2 State Antispam Laws -- Notes -- CHAPTER 13 Monitoring and Recording Customer Communications -- Note -- PART IV Other U.S. Privacy Laws -- A. Educational Institutions -- B. Video Rental Stores -- C. Cable Television Operators -- D. Insurance Companies -- E. Doctors, Lawyers, and Other Professionals -- F. Automobile Manufacturers and Rental Car Companies -- G. Merchants That Issue "Club Cards".

H. Users and Providers of Computer "Spyware" -- Notes -- APPENDIX A Selected Federal and State Privacy Statutes and Regulations -- Federal Statutes And Regulations -- State Statutes and Regulations -- APPENDIX B Key Provisions of State Secure Disposal Laws, Data Security Laws, and Data Security Breach Notification Laws -- 1. State Secure Disposal Statutes -- 2. State Data Protection Statutes -- 3. State Data Security Breach Notification Statutes -- APPENDIX C The Jurisdiction and Enforcement Powers of the Federal Trade Commission -- Endnotes: -- APPENDIX D The Federal Trade Commission Safeguards Rule -- Federal Trade Commission Rules Implementing the Information Security Provisions of the Gramm-Leach-Bliley Act -- About the Author -- Index.
Abstract:
This authoritative handbook serves as your one-stop guide to understanding and complying with the complex, evolving world of corporate privacy law. You find guidance on collecting and using customer information, learn how to comply with data protection laws and understand the industry-specific obligations of banks, healthcare providers, communications companies and other lines of business.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.