Free IAPP CIPP-US Exam Actual Questions

The questions for CIPP-US were last updated on Jan 19, 2025

Question No. 1

Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network.

Because it is a HIPAA-covered entity, SMH made a notification to the Office of Civil Rights at the U.S. Department of Health and Human Services about the breach.

Which statement accurately describes SMH's notification responsibilities?

Correct Answer: C

The correct answer is C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York. Under the Health Insurance Portability and Accountability Act (HIPAA), SMH is required to notify the Office of Civil Rights (OCR) and the affected individuals of a data breach involving unsecured protected health information (PHI) within 60 days of discovery. However, HIPAA does not preempt state laws that provide greater protection to individuals or impose additional obligations on covered entities. Therefore, SMH must also comply with the state breach notification laws of the states where it operates, including New York.

According to the New York State Information Security Breach and Notification Act, any person or business that owns or licenses computerized data that includes private information of a resident of New York must disclose any breach of the security of the system to such resident in the most expedient time possible and without unreasonable delay, unless the exposure of the private information was inadvertent and unlikely to result in misuse or financial harm. Private information includes personal information (such as name, number, or other identifier) plus one or more of the following data elements: social security number; driver's license number or non-driver identification card number; account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account; biometric information; or a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

Therefore, if SMH's data breach involved any of these data elements of New York residents, SMH must notify them of the breach, regardless of whether SMH is compliant with HIPAA, has more than 500 patients in New York, or offers credit monitoring services. SMH must also notify the New York Attorney General, the Department of State, and the Division of State Police within 10 days of notifying the affected individuals. Additionally, SMH must notify the New York Department of Health if the breach involved electronic health records.


Question No. 2

Within what time period must a commercial message sender remove a recipient's address once they have asked to stop receiving future e-mail?

Correct Answer: B

According to the CAN-SPAM Act of 2003, a federal law that regulates commercial email messages, a commercial message sender must honor a recipient's opt-out request within 10 business days. The sender must provide a clear and conspicuous way for the recipient to opt out of receiving future emails, such as a link or an email address. The sender must not charge a fee, require the recipient to provide any personal information, or make the recipient take any steps other than sending a reply email or visiting a single web page to opt out. The sender must also not sell, exchange, or transfer the email address of the recipient who has opted out, unless it is necessary to comply with the law or prevent fraud.


IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section B: Communications and Marketing

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Communications and Marketing


Question No. 3

SCENARIO

Please use the following to answer the next question:

Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier to the U.S. Department of Defense and other U.S. federal agencies. Jane's manager, Patrick, is a French citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is an insider secretly transmitting trade secrets to foreign intelligence. Unbeknownst to Patrick, the FBI has already received a hint from an anonymous whistleblower, and jointly with the National Security Agency is investigating Jane's possible implication in a sophisticated foreign espionage campaign.

Ever since the pandemic, Jane has been working from home. To complete her daily tasks she uses her corporate laptop, which after each login conspicuously provides notice that the equipment belongs to Jones Labs and may be monitored according to the enacted privacy policy and employment handbook. Jane also has a corporate mobile phone that she uses strictly for business, the terms of which are defined in her employment contract and elaborated upon in her employee handbook. Both the privacy policy and the employee handbook are revised annually by a reputable California law firm specializing in privacy law. Jane also has a personal iPhone that she uses for private purposes only.

Jones Labs has its primary data center in San Francisco, which is managed internally by Jones Labs engineers. The secondary data center, managed by Amazon AWS, is physically located in the UK for disaster recovery purposes. Jones Labs' mobile device backups are managed by a mid-sized mobile defense company located in Denver, which physically stores the data in Canada to reduce costs. Jones Labs MS Office documents are securely stored in a Microsoft Office 365 data

Under Section 702 of FISA

Correct Answer: B

Under Section 702 of the Foreign Intelligence Surveillance Act (FISA), the National Security Agency (NSA) is authorized to collect and analyze communications of non-U.S. persons located outside the United States for foreign intelligence purposes. Section 702 allows the NSA to compel U.S.-based service providers, such as AWS or Microsoft, to provide access to data without requiring a warrant from the Foreign Intelligence Surveillance Court (FISC) if certain criteria are met.

Key Aspects of Section 702:

Scope of Surveillance: Section 702 applies to non-U.S. persons located outside the United States. It cannot be used to target U.S. citizens or individuals located within the United States, even if they communicate with non-U.S. persons.

Provider Obligations: The NSA can compel U.S.-based service providers (e.g., AWS, Microsoft) to disclose information about communications involving foreign individuals if the data is relevant to foreign intelligence purposes.

Explanation of the Options:

A. Compel AWS to disclose Jane's email communications with a Taiwanese national residing in Taiwan: Incorrect. Jane is a U.S. citizen, and Section 702 cannot be used to directly target U.S. persons or their communications, even if the other party in the communication is a non-U.S. person.

B. Compel AWS to disclose email communications between two Chinese nationals residing in the EU: Correct. Section 702 allows the NSA to target non-U.S. persons located outside the U.S. without a warrant, even if their communications are hosted by a U.S.-based service provider like AWS. This scenario falls directly under the scope of Section 702.

C. Compel Microsoft to disclose Patrick's Skype calls with a Brazilian national living in Peru: Incorrect. Patrick is a U.S. resident, even though he is a French citizen. Section 702 cannot be used to target individuals who are lawfully residing in the United States.

D. Compel Jane to disclose the PIN code for her corporate mobile phone: Incorrect. Section 702 applies to electronic communications data held by service providers, not to individuals. Compelling an individual to disclose a PIN code would require a different legal authority, such as a court-issued subpoena or warrant.

Legal Framework:

Section 702 of FISA: Provides the NSA with the authority to compel U.S.-based service providers to assist in collecting data on non-U.S. persons located outside the U.S. for foreign intelligence purposes.

Targeting Limitations: Section 702 cannot be used to intentionally target U.S. persons or anyone located within the United States.

Service Providers: Examples include U.S.-based companies such as Amazon AWS, Microsoft, and Google.

Practical Considerations for Jones Labs:

Jones Labs should be aware that:

Data stored with U.S.-based providers (even if located in the EU) may still be subject to Section 702 requests.

International data transfer compliance may require careful consideration of Standard Contractual Clauses (SCCs) or other safeguards to align with EU privacy regulations, such as the GDPR, in light of the extraterritorial nature of U.S. surveillance laws.

Reference from CIPP/US Materials:

FISA Section 702 (50 U.S.C. 1881a): Outlines the legal authority for targeting non-U.S. persons located outside the United States.

IAPP CIPP/US Certification Textbook: Discusses Section 702 and its implications for U.S.-based service providers handling international data.

Schrems II Decision: Highlights conflicts between U.S. surveillance laws and EU privacy laws, particularly for data stored by U.S. companies overseas.


Question No. 5

Which act violates the Family Educational Rights and Privacy Act of 1974 (FERPA)?

Correct Answer: A

The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law that protects the privacy of student education records. FERPA grants parents or eligible students the right to access, amend, and control the disclosure of their education records, with some exceptions. Schools must obtain written consent from the parent or eligible student before disclosing any personally identifiable information from the education records, unless an exception applies.

Option A violates FERPA because it involves the disclosure of a student's personally identifiable information (PII) from the education records without consent. A student's signed essay about her hometown is considered an education record under FERPA, as it is directly related to the student and maintained by the school. A K-12 assessment vendor is not a school official with a legitimate educational interest, nor does it fall under any of the exceptions that allow disclosure without consent. Therefore, the school must obtain the student's (or the parent's, if the student is a minor) written consent before providing the essay to the vendor for public release.

Option B does not violate FERPA because it involves the disclosure of directory information, which is not considered PII under FERPA. Directory information is information that would not generally be considered harmful or an invasion of privacy if disclosed, such as name, address, phone number, e-mail address, major, etc. Schools may disclose directory information without consent, unless the parent or eligible student has opted out of such disclosure. However, schools must notify parents and eligible students annually of the types of directory information they designate and of their right to opt out.

Option C does not violate FERPA because it involves the disclosure of information that is not part of the education records. FERPA only applies to education records that are directly related to a student and maintained by the school or a party acting for the school. A newspaper's publication of the names, grade levels, and hometowns of students who made the quarterly honor roll is not based on the education records, but on the newspaper's own sources and reporting. Therefore, FERPA does not prohibit such disclosure.

Option D does not violate FERPA because it involves the disclosure of information under an exception that allows disclosure without consent. FERPA permits schools to disclose education records, or PII from education records, without consent to comply with a judicial order or lawfully issued subpoena, or to appropriate officials in connection with a health or safety emergency. If the university police provide an arrest report to the student's hometown police in response to a subpoena or to prevent a serious threat to the student or others, they are not violating FERPA.