What's your privacy IQ?

Test your legislative knowledge.

Maintaining the privacy and protection of customers’ and employees’ personal information is a risk management issue for all organizations. The increase in identity theft is also a concern for all organizations. Laws and regulations continue to place requirements on businesses for the protection of personal data. Myriad laws and regulations address privacy concerns and the collection, use, disclosure, and disposal of personally identifiable information. How much do you know about the multitude of privacy regulations that exist today? Take this quiz to find out.

1. Which was the first state to enact a data security breach law?

a. Mississippi.
b. California.
c. Massachusetts.
d. Kentucky.

2. Which of the following laws deals with the privacy of student education records?


3. The CAN-SPAM Act is a law that sets the rules for commercial email and establishes requirements for commercial messages. Which of the following is not a requirement of the CAN-SPAM Act?

a. Don’t use false or misleading header information in emails.
b. Don’t use deceptive subject lines in emails.
c. Honor opt-out requests within 90 days of receipt.
d. Tell recipients where you’re located.

4. The Red Flags Rule requires financial institutions and creditors to implement a written program to prevent and respond to which of the following?

a. Network security breaches.
b. Identity theft.
c. Loan fraud.
d. All of the above.

5. Many companies collect personal information from their customers, including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The Gramm-Leach-Bliley (GLB) Act requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of this type of information. Which of the following items are parts of the GLB Act?

a. Safeguards rule.
b. Financial privacy rule.
c. Pretexting provisions.
d. All of the above.

6. What types of entities (considered as covered entities) must comply with the Health Insurance Portability and Accountability Act (HIPAA)?

a. Health insurers.
b. Health care providers.
c. Pharmacies.
d. Health care clearinghouses.
e. All of the above.

7. Which of the following is true about the Health Information Technology for Economic and Clinical Health Act (HITECH)?

a. Electronic health records are not covered.
b. If 500 or more health records are breached, the U.S. Department of Health and Human Services must be notified.
c. Only HIPAA-required entities are covered, not business associates.
d. Individuals are allowed to bring lawsuits against health care providers for data breaches.
e. All of the above.

8. The U.S. Department of Commerce, in consultation with the European Commission, developed a “safe harbor” framework to bridge the different privacy approaches of the European Union and the United States. To ensure compliance with the framework, an organization must have which of the following components in place?

a. Verification.
b. Dispute resolution.
c. Remedy.
d. All of the above.

9. What is the Personal Information Protection and Electronic Documents Act (PIPEDA)?

a. The Canadian law relating to data privacy.
b. The U.K. law relating to data privacy.
c. The Massachusetts privacy law, the toughest in the United States.
d. None of the above.

10. The Privacy Act of 1974 establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals maintained in records systems by:

a. Hospitals.
b. Federal agencies.
c. The IRS.
d. Departments of motor vehicles.


1. (b) California in 2002 became the first state to enact a data security breach law. S.B. 1386, which took effect July 1, 2003, requires state agencies—and all people and organizations that conduct business in California and that own or license computerized data containing personal information—to disclose any data security breaches to California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Definitions of personal information vary by state. California defines it as an individual’s name and one or more of the following: (1) Social Security number; (2) driver’s license or California identification card number; or (3) an account, credit, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account. Security breach definitions also differ among the states. In California, a security breach occurs when there is unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.

Forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. Mississippi, in April 2010, became the most recent state to enact a data security breach notification law. Massachusetts has one of the most aggressive data security regulatory regimes of any state. Even organizations that have no facilities or personnel in Massachusetts may be subject to the state’s regulations if they maintain personal information about any Massachusetts resident. Kentucky is one of four states that do not have a data security breach law. Alabama, New Mexico, and South Dakota are the others.

2. (c) The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records and provides guidelines for inspecting and reviewing those records and for requesting correction of inaccuracies, through either formal or informal hearings. FERPA provides rights to parents regarding their children’s academic records. Students, when they turn 18, become “eligible” students, and the rights are transferred to them. Parents and eligible students may request to review their education records and can ask schools to correct any errors on their records. Schools are required to have written permission from the parent or eligible student before releasing a student’s information.

As for the other choices:

  • The Children’s Online Privacy Protection Act (COPPA) took effect April 21, 2000. It requires any website that targets children 12 and under or that “has actual knowledge that it is collecting personal information” from this age group to post a notice of its information collection practices. The notice must include types of personal information the site collects from children, how the site uses the information, whether the personal information is forwarded to advertisers or other third parties, and a contact at the site.
  • The Fair and Accurate Credit Transactions Act of 2003 (FACTA) is an amendment to the Fair Credit Reporting Act. The act allows consumers to request and obtain a free credit report once every 12 months from each of the three nationwide consumer credit reporting companies (Equifax, Experian, and TransUnion).
  • HITECH is covered in answer 7.

3. (c) The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act requires unsolicited commercial email messages to be labeled and to include opt-out instructions and the sender’s physical address.

The “From,” “To,” “Reply-To,” and routing information, including the originating domain name and email address, must be accurate and clearly identify the person or business that initiated the message.

The email’s subject line must accurately reflect the message’s content.

Recipient opt-out requests must be honored within 10 business days. Conditions for honoring an opt-out request cannot include any of the following: charging a fee, requiring the recipient to provide any personally identifying information beyond an email address, and making the recipient take any steps other than sending a reply email or visiting a single page on a website to make the opt-out request.

The email message must include a valid physical postal address. This can be a current street address, a post office box, or a private mailbox.

4. (b) The Federal Trade Commission’s Red Flags Rule requires financial organizations and creditors to implement a written prevention program designed to detect the warning signs, or “red flags,” of identity theft in their day-to-day operations. CPA firms are exempted from complying with this rule. Financial organizations that fall under the Red Flags Rule include all banks, savings associations, and credit unions; many securities brokers and dealers, registered investment advisers and companies, insurance companies, and entities regulated by the Commodity Futures Trading Commission; and any other person who directly or indirectly holds a customer’s transaction account. By identifying red flags in advance, businesses are better equipped to spot suspicious patterns and to take steps to prevent a red flag from escalating into a costly episode of identity theft.

5. (d) The financial privacy rule and the safeguards rule apply to financial institutions, which in this case include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. The financial privacy rule governs the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies, not just financial institutions, that receive such information. The safeguards rule requires all financial institutions to design, implement, and maintain safeguards to protect customer information. The safeguards rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from other financial institutions.

The pretexting provisions of the GLB Act protect consumers from individuals and companies attempting to obtain their personal financial information under false pretenses, a practice known as pretexting.

6. (e) Covered entities fall into three categories:

Health care providers. Doctors; hospitals/clinics; mental health providers, including psychologists; dentists, orthopedists, etc.; chiropractors; assisted-living and nursing homes; and pharmacies.

Health plan providers. Health insurance companies; PPOs/HMOs, etc.; company health plans; and government programs, such as Medicare, Medicaid, and the military and veterans’ health care programs.

Health care clearinghouses. Entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content) or vice versa.

In addition, under HITECH, business associates of health care providers are also considered to be covered entities.

7. (b) The HITECH Act is a component of the American Recovery and Reinvestment Act of 2009 (ARRA). ARRA includes incentives designed to promote the adoption of electronic health record (EHR) systems among health care providers. The HITECH Act, similar to state breach notification laws, requires that breaches of health records be reported. Civil penalties for willful neglect are increased under HITECH. They now extend up to $250,000, with fines for repeat/uncorrected violations extending up to $1.5 million.

Patients now have a right to their EHRs and can be charged only a nominal cost to cover associated processing fees. Business associates, which can include CPA firms, are covered under HITECH, which is an extension of HIPAA-covered entities. As under HIPAA, individuals may not bring individual civil suits against providers for data breaches, but the state attorneys general may.

8. (d) Safe-harbor enforcement has three components: verification, dispute resolution, and remedy. Organizations are required to have procedures for verifying compliance, to have in place an independent dispute resolution system that will investigate and resolve individual complaints and disputes, and to remedy problems arising out of a failure to comply with the Safe Harbor Privacy Principles.

To meet the verification requirement, an organization may use either a self-assessment or an outside/third-party assessment program. The method of verification should be included in the privacy policy.

By providing a means of dispute resolution, organizations promise customers that they are committed to resolving any privacy concerns that customers have. An organization should state clearly how customers who believe that their privacy has been violated in breach of the Safe Harbor Privacy Principles should contact the organization and which steps the organization will take to resolve the issues.

The dispute resolution body that is chosen must provide sufficiently rigorous sanctions to ensure compliance by organizations. The remedies should be such that noncompliance is reversed or corrected and future processing is in conformity with the Safe Harbor Privacy Principles. Sanctions should include both publicity for noncompliance and deletion of data in certain instances. In instances of persistent failure to comply, the dispute resolution body must have the ability to notify a governmental body with applicable jurisdiction or the courts, as appropriate, and to notify the U.S. Department of Commerce.

9. (a) The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian law relating to data privacy. It governs how private-sector organizations collect, use, and disclose personal information in the course of commercial business. PIPEDA excludes business contact information from the definition of personal information, with the exception of business email addresses. Other business-related information—a person’s name, title, and business telephone number—is fair game.

PIPEDA implementation occurred in three stages. Enacted in 2001, the law applied initially to federally regulated industries, such as airlines, banking, and broadcasting. In 2002, the law was expanded to include the health sector. In 2004, PIPEDA grew to cover any organization that collects personal information in the course of commercial activity, except in provinces that have “substantially similar” privacy laws in place. U.S. companies with operations in Canada are subject to PIPEDA. Even an organization based solely in the U.S. may be subject to PIPEDA, if it handles the personal information of Canadians. The AICPA worked with the Canadian Institute of Chartered Accountants to develop the Generally Accepted Privacy Principles (see “GAPP Targets Privacy Risks,” JofA, July 2011, page 52).

10. (b) The Privacy Act requires that federal agencies give the public notice of their systems of records by publication in the Federal Register. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.

The Privacy Act prohibits the disclosure of a record about an individual from a system of records absent the written consent of the individual unless the disclosure is pursuant to one of 12 statutory exceptions, which are listed below. The act also provides individuals with a means by which to seek access to and amendment of their records, and sets forth various agency recordkeeping requirements.

The 12 exceptions to the Privacy Act’s prohibition on personal records disclosure are:

  1. The disclosure is to an agency employee who normally maintains the record and needs it in the performance of his or her duties;
  2. The disclosure is made under the Freedom of Information Act;
  3. The disclosure is for a “routine use”;
  4. The disclosure is to the Census Bureau for the purposes of a Census survey;
  5. The disclosure is to someone who has adequately notified the agency in advance that the record is to be used for statistical research or reporting, and the record is transferred without individually identifying data;
  6. The disclosure is to the National Archives and Records Administration as a record of historical value;
  7. The disclosure is to an agency “of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity,” and if the record is provided in response to a written request by the head of the agency;
  8. The disclosure is made where there are “compelling circumstances” affecting the health or safety of the individual whose information is disclosed, and the individual is sent a notification of the disclosure;
  9. The disclosure is made to Congress or any committee or subcommittee within Congress;
  10. The disclosure is made to the comptroller general in the course of the duties of the U.S. Government Accountability Office;
  11. The disclosure is made pursuant to a court order;
  12. The disclosure is made to a consumer reporting agency in accordance with 31 U.S.C. 3711(e).


If you answered 10 questions correctly, congratulations. You have a great grasp of the innumerable privacy regulations involving data security and identity theft. If you answered eight or nine correctly, you are well positioned to understand privacy issues regarding the protection of customers’ and employees’ personal information. If you scored a seven or lower, you may want to spend some time brushing up on the legal and regulatory requirements for businesses to protect personal information.

Nancy A. Cohen ( ncohen@aicpa.org ) is a manager with the AICPA in Durham, N.C. Marilyn Prosch ( marilyn.prosch@asu.edu ) is an associate professor at Arizona State University in Phoenix.

To comment on this article or to suggest an idea for another article, contact Jeff Drew, senior editor, at jdrew@aicpa.org or 919-402-4056.

