Glossary
C
California AB 1298
- Description: Expands California’s data breach notification law to include medical and health insurance information as protected personal information.
- Origin: Enacted October 14, 2007; effective January 1, 2008.
- Impacts Data Types: Medical information, health insurance information, and other personal identifiers.
- Examples: Notification required if a database containing patient records is breached.
- Potential Fines: Civil penalties, including actual damages and statutory penalties per affected individual.
California AB 1950
- Description: Requires businesses that own or license personal information about Californians to implement and maintain reasonable security procedures to protect that data.
- Origin: Enacted September 29, 2004; effective January 1, 2005.
- Impacts Data Types: Personal information such as names, Social Security numbers, driver’s license numbers, and financial account data.
- Examples: Companies must encrypt sensitive data and train employees in data security.
- Potential Fines: Civil penalties and possible liability for damages resulting from data breaches.
California Confidentiality of Medical Information Act (CMIA)
- Description: Protects the confidentiality of medical information by regulating the collection, use, and disclosure of such information by healthcare providers and insurers in California.
- Origin: Enacted in 1981; amended multiple times since.
- Impacts Data Types: Medical information, health records, and patient identifiers.
- Examples: Prohibits unauthorized sharing of patient diagnoses or treatment details.
- Potential Fines: Up to $2,500 per violation for negligent release; up to $25,000 for willful violations; additional penalties possible.
California Consumer Privacy Act (CCPA)
- Description: Grants California residents rights regarding their personal data, including the right to know, delete, and opt out of the sale of their information.
- Origin: Enacted June 28, 2018; effective January 1, 2020.
- Impacts Data Types: Personal information such as names, addresses, IP addresses, browsing history, and more.
- Examples: Allows consumers to request a business disclose or delete their stored data.
- Potential Fines: $2,500 per unintentional violation; $7,500 per intentional violation; civil actions for data breaches.
California Financial Information Privacy Act (SB 1)
- Description: Provides California consumers with increased rights regarding the sharing of their nonpublic personal financial information by financial institutions.
- Origin: Enacted August 27, 2003; effective July 1, 2004.
- Impacts Data Types: Financial account numbers, balances, transaction history, and other private financial data.
- Examples: Requires opt-in consent before sharing information with nonaffiliated third parties.
- Potential Fines: Civil penalties up to $2,500 per violation; actual damages available for affected individuals.
California Privacy Rights Act (CPRA) Sensitive Personal Information (SPI)
- Description: Expands the CCPA by introducing a new category of Sensitive Personal Information, with additional protections and consumer rights.
- Origin: Passed November 2020; effective January 1, 2023.
- Impacts Data Types: Social Security numbers, driver’s license numbers, geolocation, racial/ethnic origin, health data, and more.
- Examples: SPI must not be used for cross-context behavioral advertising without explicit consent.
- Potential Fines: $2,500 per unintentional violation; $7,500 per intentional violation; civil actions for breaches.
California SB 1386
- Description: The first U.S. state law requiring notification to residents when their unencrypted personal information is acquired by an unauthorized person due to a security breach.
- Origin: Enacted September 25, 2002; effective July 1, 2003.
- Impacts Data Types: Names in combination with Social Security numbers, driver’s license numbers, or financial account data.
- Examples: Companies must notify Californians if their credit card data is stolen in a breach.
- Potential Fines: Civil penalties and possible class action lawsuits for non-compliance.
California SB 541 and AB 211
- Description: Require healthcare facilities to prevent unauthorized access to patient medical information and to report any breaches to the California Department of Public Health and affected patients.
- Origin: Enacted 2008; effective January 1, 2009.
- Impacts Data Types: Patient medical records and health information.
- Examples: Hospitals must notify patients and regulators if a staff member improperly accesses patient files.
- Potential Fines: Up to $250,000 per reported event; disciplinary action against responsible individuals.
CASB (Cloud Access Security Broker)
- Description: A security policy enforcement point placed between cloud service consumers and cloud service providers to monitor and control the use of cloud applications.
- Origin: Emerged as a security solution in the early 2010s as cloud adoption increased.
- Impacts Data Types: All data transferred to or from cloud services, including files, emails, and sensitive business information.
- Examples: Blocking the upload of confidential files to unauthorized cloud storage.
- Potential Fines: Not directly fined, but failure to use CASB could result in regulatory penalties for breaches.
CDO (Chief Data Officer)
- Description: An executive responsible for enterprise-wide governance and utilization of information as an asset.
- Origin: Role established in large organizations in the early 2000s as data became a strategic asset.
- Impacts Data Types: All enterprise data, including personal, financial, and operational information.
- Examples: Oversees data governance, quality, and compliance programs.
- Potential Fines: Not fined personally, but responsible for organizational compliance and risk mitigation.
CISO (Chief Information Security Officer)
- Description: Senior executive responsible for an organization’s information and data security strategy and management.
- Origin: Role emerged in the late 1990s as cybersecurity threats grew in scope and complexity.
- Impacts Data Types: All organizational data, especially sensitive and regulated information.
- Examples: Develops security policies, oversees incident response, and ensures regulatory compliance.
- Potential Fines: Not fined personally, but responsible for preventing breaches and reducing organizational liability.
CMMC (Cybersecurity Maturity Model Certification)
- Description: A unified standard for implementing cybersecurity across the defense industrial base, required for Department of Defense contractors.
- Origin: Released January 2020; phased implementation ongoing.
- Impacts Data Types: Controlled Unclassified Information (CUI), Federal Contract Information (FCI).
- Examples: Contractors must meet specific security requirements to bid on DoD contracts.
- Potential Fines: Loss of contract eligibility; potential False Claims Act liability for non-compliance.
Colorado Privacy Act (CPA)
- Description: Grants Colorado residents rights to access, correct, delete, and opt out of the processing of their personal data.
- Origin: Enacted July 7, 2021; effective July 1, 2023.
- Impacts Data Types: Personal data including identifiers, commercial information, biometric data, and more.
- Examples: Businesses must allow Colorado residents to opt out of targeted advertising.
- Potential Fines: Up to $20,000 per violation; enforced by the Colorado Attorney General.
Connecticut Data Privacy Act (CDPA)
- Description: Provides Connecticut residents with rights to access, correct, delete, and opt out of the sale and processing of their personal data.
- Origin: Enacted May 10, 2022; effective July 1, 2023.
- Impacts Data Types: Personal data including identifiers, sensitive data, and inferences.
- Examples: Businesses must provide privacy notices and allow consumers to opt out of targeted advertising.
- Potential Fines: Up to $5,000 per violation; enforced by the Connecticut Attorney General.
Consent
- Description: A freely given, specific, informed, and unambiguous indication of a data subject’s wishes by which they agree to the processing of personal data.
- Origin: Required under major privacy laws including GDPR, CCPA, and HIPAA.
- Impacts Data Types: All personal and sensitive data types.
- Examples: Checking a box to agree to a privacy policy before submitting personal information online.
- Potential Fines: Non-compliance can result in major regulatory fines (e.g., up to €20 million under GDPR).
CPO (Chief Privacy Officer)
- Description: Senior executive responsible for an organization’s privacy strategy, compliance, and data protection programs.
- Origin: Role emerged in the early 2000s as privacy regulations increased in scope and complexity.
- Impacts Data Types: All personal and regulated data types.
- Examples: Oversees privacy impact assessments, manages data subject requests, and ensures regulatory compliance.
- Potential Fines: Not fined personally, but responsible for organizational compliance and risk mitigation.
Confidentiality
- Description: The obligation to protect personal or sensitive information from unauthorized access or disclosure.
- Origin: Core principle in privacy laws and security frameworks worldwide.
- Impacts Data Types: All confidential, personal, and sensitive information.
- Examples: Encrypting emails containing confidential business or health data.
- Potential Fines: Regulatory fines for breaches, e.g., under HIPAA, GDPR, or CCPA.
Controlled Unclassified Information (CUI)
- Description: Information that requires safeguarding or dissemination controls pursuant to federal law, regulation, or government-wide policy, but is not classified.
- Origin: Defined by Executive Order 13556 (2010); NIST SP 800-171 provides protection requirements.
- Impacts Data Types: Sensitive but unclassified federal information, including legal, financial, and technical data.
- Examples: Federal contract information, export control data, and law enforcement records.
- Potential Fines: Contract penalties, loss of eligibility, and possible civil or criminal penalties for mishandling.
Cross-border Data Transfer
- Description: The movement of personal data from one country or jurisdiction to another, often subject to legal restrictions and safeguards.
- Origin: Addressed in laws such as GDPR, which restricts transfers outside the EU unless adequate protections exist.
- Impacts Data Types: Any personal or sensitive data transferred internationally.
- Examples: Using cloud services to store EU customer data on U.S. servers.
- Potential Fines: Up to €20 million or 4% of annual global turnover under GDPR for unlawful transfers.
Criminal Justice Information System (CJIS) Identity History Summary (Rap sheet)
- Description: A record maintained by the FBI containing a summary of an individual’s criminal history, also known as a “rap sheet.”
- Origin: Managed by the FBI’s CJIS Division; governed by federal and state statutes.
- Impacts Data Types: Criminal history, fingerprints, arrest records, and court dispositions.
- Examples: Used by law enforcement during background checks for employment or licensing.
- Potential Fines: Criminal and civil penalties for unauthorized access or disclosure under federal law.
CSP (Cloud Service Provider)
- Description: A company that offers network, infrastructure, or application services in the cloud, such as storage and computing power.
- Origin: Emerged in the mid-2000s with the rise of cloud computing (e.g., AWS, Microsoft Azure, Google Cloud).
- Impacts Data Types: Any data stored, processed, or managed in the cloud, from personal files to enterprise databases.
- Examples: Hosting business applications and customer data on third-party cloud platforms.
- Potential Fines: Not fined directly, but improper handling can result in regulatory action against customers.
Cybersecurity
- Description: The practice of protecting systems, networks, and data from digital attacks, unauthorized access, or damage.
- Origin: Evolved as a discipline since the 1970s, with rapid growth in the 21st century due to increased cyber threats.
- Impacts Data Types: All digital data, including personal, financial, and operational information.
- Examples: Implementing firewalls, encryption, and multi-factor authentication to secure information assets.
- Potential Fines: Regulatory fines for breaches, loss of business, and reputational damage.