Maine Act to Protect the Privacy of Online Customer Information of 2019


Time
7 hours 2 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
Hello everyone. It's Chris and I'm Cybrary's instructor for the US Information Privacy course. We're going to continue our review of several US state-level data privacy, data security, and other applicable laws. It's in lesson 9.5 that we're going to look at the Maine Act to Protect the Privacy of Online Customer Information of 2019, which is a mouthful.

Now, this act is the first act passed by a US state that really governed how Internet service providers that offered broadband Internet access service to a state's residents had to protect that customer personal information. It's important that we review these laws to understand them, especially if you're supporting a company that is providing these services to residents of Maine physically living within the state.

We have several learning objectives. We're going to talk about this Act's applicability. We're going to look at certain definitions, like customer personal information. We're going to talk about some of the customer consent requirements and exceptions. We'll look at some of the security requirements, and then we'll conclude with a discussion on notice requirements.

When we look at this act, you know, it has applicability, and as I stated in my introduction, those Internet service providers that are providing broadband Internet access service to Maine's residents that are subscribing to those services, that are physically located in the state of Maine or living in Maine, must comply with this act.

There are several definitions that I'd like to discuss. It defines a customer as someone who subscribes to those services and is living physically within the state. It defines customer personal information as personally identifiable information that includes a customer's name, billing information, Social Security number, billing address, and other demographic data. It also includes information that pertains to that customer's use of these services, and that could include a customer's web browsing history, the application usage history, some precise geolocation information, financial information, health information, any information pertaining or relating to that customer's children, device identifiers like MAC (media access control) addresses, Internet Protocol addresses, or, from a device perspective, that device's international mobile equipment identifier. It could include any content, traffic content, that's related to that consumer's communications. It could include the origin and destination of any Internet Protocol addresses.

What it charges these providers to do is that they must ensure that they are not using, disclosing, selling, or permitting access to this consumer or customer personal information without explicit written consent. It states that before you can use, disclose, sell, or provide access to this customer's personal information, you must have their written consent, and it gives a consumer the option of revoking that consent at any time, and this is pretty consistent over most privacy notices.

Now, what you can't do as a provider that has to comply with this act: you can't refuse to give me service just because I won't provide consent for the use, sale, or disclosure of my customer personal information. And what you also can't do is charge me a penalty or offer me some type of discount based on my decision on whether to provide or not to provide you with consent to use my customer personal information.

Now, there are some exceptions to consent, where that provider is using this information to comply with a lawful order. If I already have an established business relationship with the customer, and I'm already providing them with services, I can send advertisements or market to them. I can use it for billing and to collect payment for services rendered. In cases of fraudulent use or unlawful use of those services, then I can share that information without consent. I can, in certain cases, share geolocation information, but you can only do so in cases of emergency services where the customer or a family member might be placed at risk, and so you're sharing that information with fire service, emergency service, law enforcement, or others.

This act also has security provisions. It requires those providers that have to comply with this act to make sure they take reasonable actions and ensure that they have the administrative, physical, and technical security safeguards in place to ensure the confidentiality, the security, and the integrity of a customer's personal information. You might ask, how does a provider do that? It has to consider several factors. It has to look at the nature and scope of that provider's activities and services. It has to look at the data itself, that personal information, to determine its origin and sensitivity. It's got to look at the size of the provider. Smaller providers may not have the resources necessary to implement a comprehensive information security program. Larger providers may, but they do so with ease, and then they also have to consider the technical feasibility of implementing those security measures. Now, what the act does provide to those providers is that it gives them the latitude of employing or taking any measures that are lawful to comply with these requirements.

This act also requires that these providers provide notice in the form of a privacy notice to their customers. Like with any privacy notice, it has to be clear, conspicuous, and non-deceptive. It must be presented to that customer at the initial offering of service, and then annually, unless you have some significant change to your privacy practices. Then that notice has to really outline what the customer's individual rights and freedoms are under the Act, as well as the provider's obligations in complying with this Act.

Question 1 asks: Maine's act to protect the privacy of consumer online information, which is a mouthful, applies to which private entities? The appropriate answer is A.

Question 2 asks about the definition of customer personal information. The appropriate answers are A and B. We also talked about information that might apply to that customer's actual services, like web browsing activity, certain application usage, IP addresses, origin and destination of IP addresses, device identifiers, and things of that sort.

So, in summary, this Maine Act protects the online personal information of Maine's residents that are subscribing to Internet service providers for broadband Internet access services. Now, these ISPs have to be providing these services to residents of Maine that are physically living within the state. This act says, hey, you as a provider have to provide notice, you have to have security measures in place, and you have to comply with the consent preferences of a customer unless there are exceptions to consent.