0003952
Maryland Code Commercial Law Title 14 Subtitle 46 Sections 4601 thru 4614, Online Data Privacy Act
Maryland General Assembly
Statutes (Bills or Acts)
Free
Maryland Online Data Privacy Act
Maryland Code Commercial Law Title 14 Subtitle 46 Sections 4601 thru 4614, Online Data Privacy Act
Not Defined
The document as a whole was last reviewed and released on 2024-08-06T00:00:00-0700.
0003952
Free
Maryland General Assembly
Statutes (Bills or Acts)
Maryland Online Data Privacy Act
Maryland Code Commercial Law Title 14 Subtitle 46 Sections 4601 thru 4614, Online Data Privacy Act
Not Defined
The document as a whole was last reviewed and released on 2024-08-06T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Maryland Code Commercial Law Title 14 Subtitle 46 Sections 4601 thru 4614, Online Data Privacy Act that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Maryland Code Commercial Law Title 14 Subtitle 46 Sections 4601 thru 4614, Online Data Privacy Act are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Acquisition or sale of facilities, technology, and services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
| Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition/Sale of Assets or Services | Preventive | |
| Refrain from providing products and services, as necessary. CC ID 15580 [NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE CONSTRUED TO: REQUIRE A CONTROLLER TO PROVIDE A PRODUCT OR SERVICE THAT REQUIRES THE PERSONAL DATA OF A CONSUMER THAT THE CONTROLLER DOES NOT COLLECT OR MAINTAIN; OR § 14–4607.(C)(1)] | Acquisition/Sale of Assets or Services | Preventive | |
Audits and risk management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [AN ASSESSMENT CONDUCTED IN ACCORDANCE WITH PARAGRAPH (3)(V) OF THIS SUBSECTION SHALL BE CONDUCTED USING AN APPROPRIATE AND ACCEPTED CONTROL STANDARD OR FRAMEWORK AND ASSESSMENT PROCEDURE FOR THE ASSESSMENTS. § 14–4608.(A)(4)(II) A CONTROLLER SHALL CONDUCT AND DOCUMENT, ON A REGULAR BASIS, A DATA PROTECTION ASSESSMENT FOR EACH OF THE CONTROLLER'S PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO A CONSUMER, INCLUDING AN ASSESSMENT FOR EACH ALGORITHM THAT IS USED. § 14–4610.(B) {be similar} IF A CONTROLLER CONDUCTS A DATA PROTECTION ASSESSMENT FOR THE PURPOSE OF COMPLYING WITH ANOTHER APPLICABLE LAW OR REGULATION, THE DATA PROTECTION ASSESSMENT SHALL BE CONSIDERED TO SATISFY THE REQUIREMENTS ESTABLISHED IN THIS SECTION IF THE DATA PROTECTION ASSESSMENT IS REASONABLY SIMILAR IN SCOPE AND EFFECT TO THE DATA PROTECTION ASSESSMENT THAT WOULD OTHERWISE BE CONDUCTED IN ACCORDANCE WITH THIS SECTION. § 14–4610.(F) A SINGLE DATA PROTECTION ASSESSMENT MAY ADDRESS A COMPARABLE SET OF PROCESSING OPERATIONS THAT INCLUDE SIMILAR ACTIVITIES. § 14–4610.(E) A DATA PROTECTION ASSESSMENT CONDUCTED UNDER THIS SECTION: SHALL APPLY TO PROCESSING ACTIVITIES THAT OCCUR ON OR AFTER OCTOBER 1, 2025; AND § 14–4610.(H)(1)] | Process or Activity | Preventive | |
| Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Establish/Maintain Documentation | Preventive | |
| Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 [A DATA PROTECTION ASSESSMENT CONDUCTED IN ACCORDANCE WITH THIS SECTION SHALL IDENTIFY AND WEIGH THE BENEFITS THAT MAY FLOW DIRECTLY AND INDIRECTLY FROM THE PROCESSING TO THE CONTROLLER, THE CONSUMER, OTHER INTERESTED PARTIES, AND THE PUBLIC AGAINST: THE NECESSITY AND PROPORTIONALITY OF PROCESSING IN RELATION TO THE STATED PURPOSE OF THE PROCESSING. § 14–4610.(C)(1)(II)] | Establish/Maintain Documentation | Preventive | |
| Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 [THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT: THE RELATIONSHIP BETWEEN THE CONTROLLER AND THE CONSUMER WHOSE PERSONAL DATA WILL BE PROCESSED. § 14–4610.(C)(2)(IV)] | Establish/Maintain Documentation | Preventive | |
| Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [A DATA PROTECTION ASSESSMENT CONDUCTED IN ACCORDANCE WITH THIS SECTION SHALL IDENTIFY AND WEIGH THE BENEFITS THAT MAY FLOW DIRECTLY AND INDIRECTLY FROM THE PROCESSING TO THE CONTROLLER, THE CONSUMER, OTHER INTERESTED PARTIES, AND THE PUBLIC AGAINST: THE POTENTIAL RISKS TO THE RIGHTS OF THE CONSUMER ASSOCIATED WITH THE PROCESSING AS MITIGATED BY SAFEGUARDS THAT MAY BE EMPLOYED BY THE CONTROLLER TO REDUCE THESE RISKS; AND § 14–4610.(C)(1)(I)] | Establish/Maintain Documentation | Preventive | |
| Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT: THE CONTEXT OF THE PROCESSING; AND § 14–4610.(C)(2)(III)] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [THE DIVISION MAY REQUIRE THAT A CONTROLLER MAKE AVAILABLE TO THE DIVISION A DATA PROTECTION ASSESSMENT THAT IS RELEVANT TO AN INVESTIGATION CONDUCTED BY THE DIVISION. § 14–4610.(D)(1)] | Communicate | Preventive | |
| Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 [THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT: THE REASONABLE EXPECTATIONS OF CONSUMERS; § 14–4610.(C)(2)(II)] | Establish/Maintain Documentation | Preventive | |
| Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Establish/Maintain Documentation | Preventive | |
| Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT: THE USE OF DE–IDENTIFIED DATA; § 14–4610.(C)(2)(I)] | Establish/Maintain Documentation | Preventive | |
Human Resources management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
| Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources Management | Preventive | |
| Identify and define all critical roles. CC ID 00777 | Establish Roles | Preventive | |
| Define and assign the data processor's roles and responsibilities. CC ID 12607 [A PROCESSOR SHALL: ASSIST THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING: BY APPROPRIATE TECHNICAL AND ORGANIZATIONAL MEASURES AS MUCH AS REASONABLY PRACTICABLE TO FULFILL THE CONTROLLER'S OBLIGATION TO RESPOND TO CONSUMER RIGHTS REQUESTS, CONSIDERING THE NATURE OF PROCESSING AND THE INFORMATION AVAILABLE TO THE PROCESSOR; AND § 14–4608.(B)(2)(I)] | Human Resources Management | Preventive | |
| Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 [A PROCESSOR SHALL: ASSIST THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING: BY ASSISTING THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS IN RELATION TO THE SECURITY OF PROCESSING THE PERSONAL DATA AND IN RELATION TO THE NOTIFICATION OF A BREACH OF THE SECURITY OF A SYSTEM, AS DEFINED IN § 14–3504 OF THIS TITLE; AND § 14–4608.(B)(2)(II)] | Human Resources Management | Preventive | |
| Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Communicate | Preventive | |
| Establish, implement, and maintain a legal support program. CC ID 13710 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: INVESTIGATE, ESTABLISH, EXERCISE, PREPARE FOR, OR DEFEND A LEGAL CLAIM; § 14–4612.(A)(4) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Establish/Maintain Documentation | Preventive | |
| Provide security inspectors access to personnel files during site reviews. CC ID 12300 | Audits and Risk Management | Detective | |
| Establish, implement, and maintain an ethics program. CC ID 11496 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Human Resources Management | Preventive | |
| Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Communicate | Preventive | |
| Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Behavior | Preventive | |
| Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Investigate | Preventive | |
| Establish, implement, and maintain an ethical culture. CC ID 12781 | Behavior | Preventive | |
| Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Monitor and Evaluate Occurrences | Preventive | |
| Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Monitor and Evaluate Occurrences | Preventive | |
| Refrain from practicing false advertising. CC ID 14253 | Business Processes | Preventive | |
| Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Business Processes | Preventive | |
| Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Communicate | Preventive | |
| Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Establish/Maintain Documentation | Preventive | |
| Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 | Behavior | Preventive | |
| Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Behavior | Preventive | |
| Respond to ethics complaints of ethics violations. CC ID 11497 | Business Processes | Corrective | |
| Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Behavior | Preventive | |
| Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Human Resources Management | Preventive | |
| Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources Management | Preventive | |
| Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources Management | Preventive | |
| Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Establish Roles | Preventive | |
| Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Behavior | Preventive | |
| Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Behavior | Preventive | |
| Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Behavior | Preventive | |
Leadership and high level objectives | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
| Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 [AN OBLIGATION IMPOSED ON A CONTROLLER OR A PROCESSOR UNDER THIS SUBTITLE DOES NOT APPLY WHEN COMPLIANCE BY THE CONTROLLER OR PROCESSOR WITH THE SUBTITLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER STATE LAW. § 14–4612.(C)(1)] | Establish/Maintain Documentation | Preventive | |
| Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Establish/Maintain Documentation | Preventive | |
| Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Establish/Maintain Documentation | Detective | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [IF A CONTROLLER OR PROCESSOR PROCESSES PERSONAL DATA IN ACCORDANCE WITH AN EXEMPTION UNDER THIS SECTION, THE CONTROLLER OR PROCESSOR SHALL DEMONSTRATE THAT THE PROCESSING: QUALIFIES FOR AN EXEMPTION; AND § 14–4612.(F)(1) IF A CONTROLLER OR PROCESSOR PROCESSES PERSONAL DATA IN ACCORDANCE WITH AN EXEMPTION UNDER THIS SECTION, THE CONTROLLER OR PROCESSOR SHALL DEMONSTRATE THAT THE PROCESSING: COMPLIES WITH THE REQUIREMENTS OF SUBSECTION (G) OF THIS SECTION. § 14–4612.(F)(2)] | Establish/Maintain Documentation | Preventive | |
| Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Business Processes | Preventive | |
| Include when exemptions expire in the compliance exception standard. CC ID 14330 | Establish/Maintain Documentation | Preventive | |
| Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Establish Roles | Preventive | |
| Include management of the exemption register in the compliance exception standard. CC ID 14328 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Communicate | Preventive | |
Monitoring and measurement | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Log Management | Detective | |
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitor and Evaluate Occurrences | Preventive | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Audits and Risk Management | Preventive | |
| Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Acquisition/Sale of Assets or Services | Preventive | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Establish/Maintain Documentation | Preventive | |
| Implement a fraud detection system. CC ID 13081 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Business Processes | Preventive | |
| Update or adjust fraud detection systems, as necessary. CC ID 13684 | Process or Activity | Corrective | |
| Establish, implement, and maintain a system security plan. CC ID 01922 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PRESERVE THE INTEGRITY OR SECURITY OF SYSTEMS; OR § 14–4612.(A)(10)] | Testing | Preventive | |
| Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
| Include a description of the operational context in the system security plan. CC ID 14301 | Establish/Maintain Documentation | Preventive | |
| Include the results of the security categorization in the system security plan. CC ID 14281 | Establish/Maintain Documentation | Preventive | |
| Include the information types in the system security plan. CC ID 14696 | Establish/Maintain Documentation | Preventive | |
| Include the security requirements in the system security plan. CC ID 14274 | Establish/Maintain Documentation | Preventive | |
| Include cryptographic key management procedures in the system security plan. CC ID 17029 | Establish/Maintain Documentation | Preventive | |
| Include threats in the system security plan. CC ID 14693 | Establish/Maintain Documentation | Preventive | |
| Include network diagrams in the system security plan. CC ID 14273 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the system security plan. CC ID 14682 | Establish/Maintain Documentation | Preventive | |
| Include backup and recovery procedures in the system security plan. CC ID 17043 | Establish/Maintain Documentation | Preventive | |
| Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Establish/Maintain Documentation | Preventive | |
| Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Communicate | Preventive | |
| Include a description of the operational environment in the system security plan. CC ID 14272 | Establish/Maintain Documentation | Preventive | |
| Include the security categorizations and rationale in the system security plan. CC ID 14270 | Establish/Maintain Documentation | Preventive | |
| Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
| Align the enterprise architecture with the system security plan. CC ID 14255 | Process or Activity | Preventive | |
| Include security controls in the system security plan. CC ID 14239 | Establish/Maintain Documentation | Preventive | |
| Create specific test plans to test each system component. CC ID 00661 | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
| Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
| Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
| Approve the system security plan. CC ID 14241 | Business Processes | Preventive | |
| Adhere to the system security plan. CC ID 11640 | Testing | Detective | |
| Review the test plans for each system component. CC ID 00662 | Establish/Maintain Documentation | Preventive | |
| Validate all testing assumptions in the test plans. CC ID 00663 | Testing | Detective | |
| Document validated testing processes in the testing procedures. CC ID 06200 | Establish/Maintain Documentation | Preventive | |
| Require testing procedures to be complete. CC ID 00664 | Testing | Detective | |
| Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Establish/Maintain Documentation | Preventive | |
| Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Testing | Preventive | |
| Implement automated audit tools. CC ID 04882 | Acquisition/Sale of Assets or Services | Preventive | |
| Assign senior management to approve test plans. CC ID 13071 | Human Resources Management | Preventive | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A CONTROLLER THAT DISCLOSES DE–IDENTIFIED DATA SHALL: EXERCISE REASONABLE OVERSIGHT TO MONITOR COMPLIANCE WITH ANY CONTRACTUAL COMMITMENTS TO WHICH THE DE–IDENTIFIED DATA IS SUBJECT; AND § 14–4611.(C)(1)(I)] | Monitor and Evaluate Occurrences | Detective | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Establish/Maintain Documentation | Preventive | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Business Processes | Detective | |
| Determine the causes of compliance violations. CC ID 12401 | Investigate | Corrective | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Establish/Maintain Documentation | Preventive | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Investigate | Detective | |
| Correct compliance violations. CC ID 13515 [A CONTROLLER THAT DISCLOSES DE–IDENTIFIED DATA SHALL: TAKE APPROPRIATE STEPS TO ADDRESS ANY BREACHES OF ANY CONTRACTUAL COMMITMENTS. § 14–4611.(C)(1)(II) IF THE DIVISION ISSUES A NOTICE OF VIOLATION UNDER SUBSECTION (B) OF THIS SECTION, THE CONTROLLER OR PROCESSOR SHALL HAVE AT LEAST 60 DAYS TO CURE THE VIOLATION AFTER RECEIPT OF THE NOTICE. § 14–4614.(C)(1)] | Process or Activity | Corrective | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Investigate | Detective | |
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Behavior | Corrective | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 | Human Resources Management | Preventive | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
| Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
| Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} A CONTROLLER SHALL: ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT ISSUE; AND § 14–4607.(B)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: REDUCE REASONABLY FORESEEABLE RISKS OF HARM TO CONSUMERS RELATING TO THE COLLECTION, USE, OR RETENTION OF PERSONAL DATA; AND § 14–4612.(G)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF THE PERSONAL DATA; AND § 14–4612.(G)(1)(I)] | Establish/Maintain Documentation | Preventive | |
| Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} A CONTROLLER SHALL: ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT ISSUE; AND § 14–4607.(B)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: REDUCE REASONABLY FORESEEABLE RISKS OF HARM TO CONSUMERS RELATING TO THE COLLECTION, USE, OR RETENTION OF PERSONAL DATA; AND § 14–4612.(G)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF THE PERSONAL DATA; AND § 14–4612.(G)(1)(I)] | Establish/Maintain Documentation | Preventive | |
| Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} A CONTROLLER SHALL: ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT ISSUE; AND § 14–4607.(B)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: REDUCE REASONABLY FORESEEABLE RISKS OF HARM TO CONSUMERS RELATING TO THE COLLECTION, USE, OR RETENTION OF PERSONAL DATA; AND § 14–4612.(G)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF THE PERSONAL DATA; AND § 14–4612.(G)(1)(I)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [A PERSON MAY NOT: PROVIDE AN EMPLOYEE OR CONTRACTOR ACCESS TO CONSUMER HEALTH DATA UNLESS: THE EMPLOYEE OR CONTRACTOR IS SUBJECT TO A CONTRACTUAL OR STATUTORY DUTY OF CONFIDENTIALITY; OR § 14–4604.(1)(I)] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 [A PERSON MAY NOT: PROVIDE AN EMPLOYEE OR CONTRACTOR ACCESS TO CONSUMER HEALTH DATA UNLESS: CONFIDENTIALITY IS REQUIRED AS A CONDITION OF EMPLOYMENT OF THE EMPLOYEE; § 14–4604.(1)(II)] | Establish/Maintain Documentation | Preventive | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [CONTROLLERS AND PROCESSORS THAT COMPLY WITH THE VERIFIABLE PARENTAL CONSENT REQUIREMENTS OF COPPA SHALL BE CONSIDERED COMPLIANT WITH AN OBLIGATION TO OBTAIN PARENTAL CONSENT IN ACCORDANCE WITH THIS SUBTITLE WITH RESPECT TO A CONSUMER WHO IS A CHILD. § 14–4603.(C) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS OR REGULATIONS; § 14–4612.(A)(1) A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL DATA TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE IF THE PROCESSOR OR THIRD–PARTY CONTROLLER THAT RECEIVES THE PERSONAL DATA VIOLATES THIS SUBTITLE AND: THE DISCLOSING CONTROLLER WAS, AND REMAINED, IN COMPLIANCE WITH ITS OBLIGATIONS AS THE DISCLOSER OF THE PERSONAL DATA. § 14–4612.(D)(1)(II)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Business Processes | Preventive | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Establish/Maintain Documentation | Preventive | |
| Apply security controls to each level of the information classification standard. CC ID 01903 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PRESERVE THE INTEGRITY OR SECURITY OF SYSTEMS; OR § 14–4612.(A)(10)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Business Processes | Preventive | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Communicate | Preventive | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Human Resources Management | Preventive | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Establish/Maintain Documentation | Preventive | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Establish/Maintain Documentation | Preventive | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 | Establish/Maintain Documentation | Preventive | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 | Establish/Maintain Documentation | Preventive | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 | Establish/Maintain Documentation | Preventive | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Business Processes | Detective | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Establish/Maintain Documentation | Preventive | |
| Categorize the incident following an incident response. CC ID 13208 | Technical Security | Preventive | |
| Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Establish/Maintain Documentation | Preventive | |
| Determine the cost of the incident when assessing security incidents. CC ID 17188 | Process or Activity | Detective | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 | Process or Activity | Detective | |
| Determine the duration of the incident when assessing security incidents. CC ID 17181 | Process or Activity | Detective | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Monitor and Evaluate Occurrences | Corrective | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Monitor and Evaluate Occurrences | Detective | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Monitor and Evaluate Occurrences | Detective | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Investigate | Detective | |
| Respond to and triage when an incident is detected. CC ID 06942 | Monitor and Evaluate Occurrences | Detective | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 | Establish/Maintain Documentation | Detective | |
| Escalate incidents, as necessary. CC ID 14861 | Monitor and Evaluate Occurrences | Corrective | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Behavior | Corrective | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Process or Activity | Corrective | |
| Contain the incident to prevent further loss. CC ID 01751 | Process or Activity | Corrective | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Technical Security | Corrective | |
| Refrain from accessing compromised systems. CC ID 01752 | Technical Security | Corrective | |
| Isolate compromised systems from the network. CC ID 01753 | Technical Security | Corrective | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Log Management | Corrective | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Technical Security | Corrective | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Investigate | Detective | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Establish/Maintain Documentation | Preventive | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Establish/Maintain Documentation | Preventive | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Establish/Maintain Documentation | Preventive | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Establish/Maintain Documentation | Preventive | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Establish/Maintain Documentation | Detective | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Establish/Maintain Documentation | Detective | |
| Assess all incidents to determine what information was accessed. CC ID 01226 | Testing | Corrective | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Monitor and Evaluate Occurrences | Corrective | |
| Analyze the incident response process following an incident response. CC ID 13179 | Investigate | Detective | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Data and Information Management | Corrective | |
| Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
| Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
| Redact restricted data before sharing incident information. CC ID 16994 | Data and Information Management | Preventive | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
| Report data loss event information to breach notification organizations. CC ID 01210 | Data and Information Management | Corrective | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
| Remediate security violations according to organizational standards. CC ID 12338 | Business Processes | Preventive | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Establish/Maintain Documentation | Preventive | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Behavior | Corrective | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Behavior | Detective | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Behavior | Corrective | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
| Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Establish/Maintain Documentation | Preventive | |
| Avoid false positive incident response notifications. CC ID 04732 | Behavior | Detective | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Establish/Maintain Documentation | Corrective | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
| Include information required by law in incident response notifications. CC ID 00802 | Establish/Maintain Documentation | Detective | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
| Use plain language to write incident response notifications. CC ID 12976 | Establish/Maintain Documentation | Preventive | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Establish/Maintain Documentation | Preventive | |
| Include time information in incident response notifications. CC ID 04745 | Establish/Maintain Documentation | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Establish/Maintain Documentation | Preventive | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Establish/Maintain Documentation | Preventive | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Establish/Maintain Documentation | Preventive | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Establish/Maintain Documentation | Preventive | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
| Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Establish/Maintain Documentation | Detective | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
| Include contact information in incident response notifications. CC ID 04739 | Establish/Maintain Documentation | Preventive | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Behavior | Corrective | |
| Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Behavior | Corrective | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Behavior | Corrective | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Behavior | Corrective | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Behavior | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Establish/Maintain Documentation | Preventive | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Behavior | Preventive | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Behavior | Corrective | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Behavior | Preventive | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Behavior | Corrective | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Establish/Maintain Documentation | Preventive | |
| Include the containment approach in the containment strategy. CC ID 13486 | Establish/Maintain Documentation | Preventive | |
| Include response times in the containment strategy. CC ID 13485 | Establish/Maintain Documentation | Preventive | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Establish/Maintain Documentation | Corrective | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Technical Security | Corrective | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Business Processes | Corrective | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Establish/Maintain Documentation | Preventive | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Data and Information Management | Preventive | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Data and Information Management | Preventive | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Human Resources Management | Corrective | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Establish/Maintain Documentation | Preventive | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Monitor and Evaluate Occurrences | Detective | |
| Re-image compromised systems with secure builds. CC ID 12086 | Technical Security | Corrective | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Establish/Maintain Documentation | Preventive | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Monitor and Evaluate Occurrences | Preventive | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Investigate | Preventive | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Establish/Maintain Documentation | Preventive | |
| Test incident monitoring procedures. CC ID 13194 | Testing | Detective | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Establish/Maintain Documentation | Preventive | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Technical Security | Preventive | |
| Include incident management procedures in the Incident Management program. CC ID 12689 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Establish/Maintain Documentation | Corrective | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Establish/Maintain Documentation | Preventive | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Establish/Maintain Documentation | Preventive | |
| Conduct incident investigations, as necessary. CC ID 13826 | Process or Activity | Detective | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Investigate | Detective | |
| Identify the affected parties during incident investigations. CC ID 16781 | Investigate | Detective | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Investigate | Detective | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Investigate | Detective | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Establish/Maintain Documentation | Preventive | |
| Destroy investigative materials, as necessary. CC ID 17082 | Data and Information Management | Preventive | |
| Establish, implement, and maintain incident management audit logs. CC ID 13514 | Records Management | Preventive | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Establish/Maintain Documentation | Preventive | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Log Management | Preventive | |
| Include the information that was exchanged in the incident management audit log. CC ID 16995 | Log Management | Preventive | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Establish/Maintain Documentation | Preventive | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Log Management | Corrective | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Log Management | Preventive | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Establish/Maintain Documentation | Preventive | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Establish/Maintain Documentation | Preventive | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Establish/Maintain Documentation | Preventive | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Communicate | Preventive | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
| Include incident response team structures in the Incident Response program. CC ID 01237 | Establish/Maintain Documentation | Preventive | |
| Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 | Establish Roles | Preventive | |
| Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Establish Roles | Preventive | |
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [A PROCESSOR SHALL: ASSIST THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING: BY ASSISTING THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS IN RELATION TO THE SECURITY OF PROCESSING THE PERSONAL DATA AND IN RELATION TO THE NOTIFICATION OF A BREACH OF THE SECURITY OF A SYSTEM, AS DEFINED IN § 14–3504 OF THIS TITLE; AND § 14–4608.(B)(2)(II)] | Communicate | Corrective | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Establish/Maintain Documentation | Detective | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 | Establish/Maintain Documentation | Preventive | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Establish/Maintain Documentation | Preventive | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Technical Security | Corrective | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Technical Security | Corrective | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Technical Security | Corrective | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Data and Information Management | Preventive | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Establish/Maintain Documentation | Preventive | |
| Include the processing purpose in the privacy notice. CC ID 16543 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: THE CONTROLLER'S PURPOSE FOR PROCESSING PERSONAL DATA; § 14–4607.(D)(2)] | Establish/Maintain Documentation | Preventive | |
| Include contact information in the privacy notice. CC ID 14432 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: AN ACTIVE E–MAIL ADDRESS OR OTHER ONLINE MECHANISM THAT A CONSUMER MAY USE TO CONTACT THE CONTROLLER. § 14–4607.(D)(6)] | Establish/Maintain Documentation | Preventive | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: HOW A CONSUMER MAY EXERCISE THE CONSUMER'S RIGHTS UNDER THIS SUBTITLE, INCLUDING HOW A CONSUMER MAY APPEAL A CONTROLLER'S DECISION REGARDING THE CONSUMER'S REQUEST OR MAY REVOKE CONSENT; § 14–4607.(D)(3) THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT: § 14–4607.(F)(1)] | Establish/Maintain Documentation | Preventive | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Establish/Maintain Documentation | Preventive | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: THE CATEGORIES OF THIRD PARTIES WITH WHICH THE CONTROLLER SHARES PERSONAL DATA WITH A LEVEL OF DETAIL THAT ENABLES A CONSUMER TO UNDERSTAND THE TYPE OF, BUSINESS MODEL OF, OR PROCESSING CONDUCTED BY EACH THIRD PARTY; § 14–4607.(D)(4)] | Establish/Maintain Documentation | Preventive | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: THE CATEGORIES OF PERSONAL DATA PROCESSED BY THE CONTROLLER, INCLUDING SENSITIVE DATA; § 14–4607.(D)(1)] | Establish/Maintain Documentation | Preventive | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: THE CATEGORIES OF PERSONAL DATA, INCLUDING SENSITIVE DATA, THAT THE CONTROLLER SHARES WITH THIRD PARTIES; AND § 14–4607.(D)(5)] | Establish/Maintain Documentation | Preventive | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Establish/Maintain Documentation | Preventive | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: HOW A CONSUMER MAY EXERCISE THE CONSUMER'S RIGHTS UNDER THIS SUBTITLE, INCLUDING HOW A CONSUMER MAY APPEAL A CONTROLLER'S DECISION REGARDING THE CONSUMER'S REQUEST OR MAY REVOKE CONSENT; § 14–4607.(D)(3)] | Establish/Maintain Documentation | Preventive | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: § 14–4607.(D)] | Communicate | Preventive | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Establish/Maintain Documentation | Preventive | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: HOW A CONSUMER MAY EXERCISE THE CONSUMER'S RIGHTS UNDER THIS SUBTITLE, INCLUDING HOW A CONSUMER MAY APPEAL A CONTROLLER'S DECISION REGARDING THE CONSUMER'S REQUEST OR MAY REVOKE CONSENT; § 14–4607.(D)(3) IF A CONTROLLER SELLS PERSONAL DATA TO THIRD PARTIES OR PROCESSES PERSONAL DATA FOR TARGETED ADVERTISING OR FOR THE PURPOSES OF PROFILING THE CONSUMER IN FURTHERANCE OF DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS, THE CONTROLLER SHALL CLEARLY AND CONSPICUOUSLY DISCLOSE THE SALE OR PROCESSING, AS WELL AS THE MANNER IN WHICH A CONSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE SALE OR PROCESSING. § 14–4607.(E)(1)] | Establish/Maintain Documentation | Preventive | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Communicate | Preventive | |
| Deliver notices to the intended parties. CC ID 06240 [THE NOTICE PROVIDED UNDER SUBSECTION (A) OF THIS SECTION SHALL BE PROVIDED IN A MANNER AND AT A TIME REASONABLY CALCULATED TO ALLOW A CONSUMER TO EXERCISE THE RIGHTS PROVIDED UNDER THIS SUBTITLE. § 14–4609.(B)] | Data and Information Management | Preventive | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Communicate | Preventive | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER RIGHTS REQUEST IF THE CONTROLLER: IS NOT REASONABLY CAPABLE OF ASSOCIATING THE REQUEST WITH THE PERSONAL DATA OR IT WOULD BE UNREASONABLY BURDENSOME FOR THE CONTROLLER TO ASSOCIATE THE REQUEST WITH THE PERSONAL DATA; § 14–4611.(B)(1)] | Communicate | Preventive | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A CONSUMER SHALL HAVE THE RIGHT TO: IF A CONTROLLER IS PROCESSING A CONSUMER'S PERSONAL DATA, ACCESS THE CONSUMER'S PERSONAL DATA; § 14–4605.(B)(2)] | Data and Information Management | Preventive | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 [A CONTROLLER MAY NOT REQUIRE A CONSUMER TO CREATE A NEW ACCOUNT IN ORDER TO EXERCISE A CONSUMER RIGHT. § 14–4607.(F)(2)(I) A CONTROLLER MAY REQUIRE A CONSUMER TO USE AN EXISTING ACCOUNT TO EXERCISE A CONSUMER RIGHT. § 14–4607.(F)(2)(II)] | Business Processes | Preventive | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Business Processes | Preventive | |
| Notify the data subject of the right to data portability. CC ID 12603 | Process or Activity | Preventive | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Process or Activity | Preventive | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A CONSUMER SHALL HAVE THE RIGHT TO: CONFIRM WHETHER A CONTROLLER IS PROCESSING THE CONSUMER'S PERSONAL DATA; § 14–4605.(B)(1) IF A CONTROLLER SELLS PERSONAL DATA TO THIRD PARTIES OR PROCESSES PERSONAL DATA FOR TARGETED ADVERTISING OR FOR THE PURPOSES OF PROFILING THE CONSUMER IN FURTHERANCE OF DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS, THE CONTROLLER SHALL CLEARLY AND CONSPICUOUSLY DISCLOSE THE SALE OR PROCESSING, AS WELL AS THE MANNER IN WHICH A CONSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE SALE OR PROCESSING. § 14–4607.(E)(1)] | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Data and Information Management | Preventive | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Establish/Maintain Documentation | Preventive | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Establish/Maintain Documentation | Preventive | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 [{clear and conspicuous language} THE DISCLOSURE REQUIRED UNDER PARAGRAPH (1) OF THIS SUBSECTION SHALL BE PROMINENTLY DISPLAYED, AND USE CLEAR, EASY TO UNDERSTAND, AND UNAMBIGUOUS LANGUAGE, TO STATE WHETHER THE CONSUMER'S PERSONAL DATA WILL BE SOLD OR SHARED WITH A THIRD PARTY. § 14–4607.(E)(2)] | Establish/Maintain Documentation | Preventive | |
| Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 [A CONSUMER SHALL HAVE THE RIGHT TO: OBTAIN A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH THE CONTROLLER HAS DISCLOSED THE CONSUMER'S PERSONAL DATA OR A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH THE CONTROLLER HAS DISCLOSED ANY CONSUMER'S PERSONAL DATA IF THE CONTROLLER DOES NOT MAINTAIN THIS INFORMATION IN A FORMAT SPECIFIC TO THE CONSUMER; AND § 14–4605.(B)(6)] | Data and Information Management | Preventive | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 [THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT: THE NEED FOR SECURE AND RELIABLE COMMUNICATION OF CONSUMER REQUESTS; AND § 14–4607.(F)(1)(II)] | Business Processes | Preventive | |
| Disseminate private communications when required by law. CC ID 14335 | Communicate | Corrective | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [IF A CONSUMER'S DECISION TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR THE SALE OF PERSONAL DATA THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT IN ACCORDANCE WITH SUBSECTION (F)(3) OF THIS SECTION CONFLICTS WITH THE CONSUMER'S EXISTING CONTROLLER–SPECIFIC PRIVACY SETTING OR THE CONSUMER'S VOLUNTARY PARTICIPATION IN A CONTROLLER'S BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, THE CONTROLLER MAY NOTIFY THE CONSUMER OF A CONFLICT AND PROVIDE THE CHOICE TO CONFIRM CONTROLLER–SPECIFIC PRIVACY SETTINGS OR PARTICIPATION IN A PROGRAM LISTED IN THIS PARAGRAPH. § 14–4607.(G)(1)] | Establish/Maintain Documentation | Preventive | |
| Provide a copy of the data subject's consent to the data subject. CC ID 17234 | Communicate | Preventive | |
| Date the data subject's consent. CC ID 17233 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data request procedures. CC ID 16546 [A CONTROLLER SHALL ESTABLISH A SECURE AND RELIABLE METHOD FOR A CONSUMER TO EXERCISE A CONSUMER RIGHT UNDER THIS SECTION. § 14–4605.(C)(1) THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT: THE WAYS IN WHICH CONSUMERS NORMALLY INTERACT WITH THE CONTROLLER; § 14–4607.(F)(1)(I)] | Establish/Maintain Documentation | Preventive | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [A CONTROLLER MAY NOT: DISCRIMINATE AGAINST A CONSUMER FOR EXERCISING A CONSUMER RIGHT CONTAINED IN THIS SUBTITLE, INCLUDING DENYING GOODS OR SERVICES, CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR SERVICES, OR PROVIDING A DIFFERENT LEVEL OF QUALITY OF GOODS OR SERVICES TO THE CONSUMER; § 14–4607.(A)(6)] | Human Resources Management | Preventive | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Business Processes | Preventive | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 | Establish/Maintain Documentation | Preventive | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Establish/Maintain Documentation | Preventive | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Establish/Maintain Documentation | Preventive | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Establish/Maintain Documentation | Preventive | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Establish/Maintain Documentation | Preventive | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Establish/Maintain Documentation | Preventive | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Establish/Maintain Documentation | Preventive | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Establish/Maintain Documentation | Preventive | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 | Establish/Maintain Documentation | Preventive | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{be different} NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE CONSTRUED TO: PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT PRICE, RATE, LEVEL, QUALITY, OR SELECTION OF GOODS OR SERVICES TO A CONSUMER, INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE OFFERING IS IN CONNECTION WITH A CONSUMER'S VOLUNTARY PARTICIPATION IN A BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, PROVIDED THAT THE SELLING OF PERSONAL DATA IS NOT A CONDITION OF PARTICIPATION IN THE PROGRAM. § 14–4607.(C)(2)] | Business Processes | Preventive | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 [{be different} NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE CONSTRUED TO: PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT PRICE, RATE, LEVEL, QUALITY, OR SELECTION OF GOODS OR SERVICES TO A CONSUMER, INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE OFFERING IS IN CONNECTION WITH A CONSUMER'S VOLUNTARY PARTICIPATION IN A BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, PROVIDED THAT THE SELLING OF PERSONAL DATA IS NOT A CONDITION OF PARTICIPATION IN THE PROGRAM. § 14–4607.(C)(2)] | Business Processes | Preventive | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [A CONSUMER SHALL HAVE THE RIGHT TO: OPT OUT OF THE PROCESSING OF PERSONAL DATA FOR PURPOSES OF: TARGETED ADVERTISING; § 14–4605.(B)(7)(I) A CONSUMER SHALL HAVE THE RIGHT TO: OPT OUT OF THE PROCESSING OF PERSONAL DATA FOR PURPOSES OF: THE SALE OF PERSONAL DATA; OR § 14–4605.(B)(7)(II) A CONSUMER SHALL HAVE THE RIGHT TO: OPT OUT OF THE PROCESSING OF PERSONAL DATA FOR PURPOSES OF: PROFILING IN FURTHERANCE OF SOLELY AUTOMATED DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS CONCERNING THE CONSUMER. § 14–4605.(B)(7)(III) {be easy} A CONTROLLER SHALL: PROVIDE AN EFFECTIVE MECHANISM FOR A CONSUMER TO REVOKE THE CONSUMER'S CONSENT UNDER THIS SECTION THAT IS AT LEAST AS EASY AS THE MECHANISM BY WHICH THE CONSUMER PROVIDED THE CONSUMER'S CONSENT. § 14–4607.(B)(1)(III) A CONTROLLER MAY UTILIZE THE FOLLOWING METHODS TO SATISFY PARAGRAPH (1) OF THIS SUBSECTION: ON OR BEFORE OCTOBER 1, 2025, ALLOWING A CONSUMER TO OPT OUT OF ANY PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR ANY SALE OF PERSONAL DATA, THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT, WITH THE CONSUMER'S CONSENT, BY A PLATFORM, TECHNOLOGY, OR MECHANISM TO THE CONTROLLER INDICATING THE CONSUMER'S INTENT TO OPT OUT OF THE PROCESSING OR SALE. § 14–4607.(F)(3)(II)] | Data and Information Management | Preventive | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Business Processes | Preventive | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Business Processes | Preventive | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 [{opt-out mechanism} {opt out} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION MAY NOT: USE A DEFAULT SETTING TO OPT A CONSUMER OUT OF ANY PROCESSING OF THE CONSUMER'S PERSONAL DATA. § 14–4607.(F)(5)(II) {be consistent} {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: BE AS CONSISTENT AS POSSIBLE WITH ANY OTHER SIMILAR PLATFORM, TECHNOLOGY, OR MECHANISM REQUIRED BY ANY FEDERAL OR STATE LAW OR REGULATION; § 14–4607.(F)(4)(III) {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: REQUIRE A CONSUMER TO MAKE AN AFFIRMATIVE, UNAMBIGUOUS, AND VOLUNTARY CHOICE IN ORDER TO OPT OUT OF ANY PROCESSING OF THE CONSUMER'S PERSONAL DATA. § 14–4607.(F)(4)(V) {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: ENABLE THE CONTROLLER TO REASONABLY DETERMINE WHETHER THE CONSUMER: HAS MADE A LEGITIMATE REQUEST TO OPT OUT OF ANY SALE OF THE CONSUMER'S PERSONAL DATA OR TARGETED ADVERTISING; AND § 14–4607.(F)(4)(IV) 2. {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: ENABLE THE CONTROLLER TO REASONABLY DETERMINE WHETHER THE CONSUMER: IS A RESIDENT OF THE STATE; AND § 14–4607.(F)(4)(IV) 1. {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION MAY NOT: UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER; OR § 14–4607.(F)(5)(I) {be easy to use} {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: BE CONSUMER–FRIENDLY AND EASY TO USE BY THE AVERAGE CONSUMER; § 14–4607.(F)(4)(I) {clear and conspicuous language} {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: USE CLEAR, EASY TO UNDERSTAND, AND UNAMBIGUOUS LANGUAGE; § 14–4607.(F)(4)(II)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 | Technical Security | Preventive | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [IF A CONSUMER REVOKES CONSENT UNDER THIS SECTION, THE CONTROLLER SHALL STOP PROCESSING THE CONSUMER'S PERSONAL DATA AS SOON AS PRACTICABLE, BUT NOT LATER THAN 30 DAYS AFTER RECEIVING THE REQUEST. § 14–4607.(B)(2) A CONTROLLER SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED FROM AN AUTHORIZED AGENT IF, USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER IS ABLE TO AUTHENTICATE THE: § 14–4606.(B)] | Business Processes | Preventive | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Process or Activity | Preventive | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Establish/Maintain Documentation | Preventive | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Business Processes | Preventive | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Communicate | Preventive | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Records Management | Preventive | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Data and Information Management | Preventive | |
| Refrain from obtaining consent through deception. CC ID 13556 | Data and Information Management | Preventive | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 | Data and Information Management | Preventive | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 [IF A CONSUMER'S DECISION TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR THE SALE OF PERSONAL DATA THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT IN ACCORDANCE WITH SUBSECTION (F)(3) OF THIS SECTION CONFLICTS WITH THE CONSUMER'S EXISTING CONTROLLER–SPECIFIC PRIVACY SETTING OR THE CONSUMER'S VOLUNTARY PARTICIPATION IN A CONTROLLER'S BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, THE CONTROLLER MAY NOTIFY THE CONSUMER OF A CONFLICT AND PROVIDE THE CHOICE TO CONFIRM CONTROLLER–SPECIFIC PRIVACY SETTINGS OR PARTICIPATION IN A PROGRAM LISTED IN THIS PARAGRAPH. § 14–4607.(G)(1)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [IF A CONTROLLER USES A PROCESSOR TO PROCESS THE PERSONAL DATA OF CONSUMERS, THE CONTROLLER AND THE PROCESSOR SHALL ENTER INTO A CONTRACT THAT GOVERNS THE PROCESSOR'S DATA PROCESSING PROCEDURES WITH RESPECT TO PROCESSING PERFORMED ON BEHALF OF THE CONTROLLER. § 14–4608.(A)(1) A PROCESSOR SHALL: ADHERE TO THE CONTRACT AND INSTRUCTIONS OF A CONTROLLER; § 14–4608.(B)(1) {data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: § 14–4608.(A)(2)] | Establish/Maintain Documentation | Preventive | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Establish/Maintain Documentation | Preventive | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA IS SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO THE PERSONAL DATA; § 14–4608.(A)(3)(I)] | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Establish/Maintain Documentation | Preventive | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [{data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: INSTRUCTIONS FOR PROCESSING DATA; § 14–4608.(A)(2)(I)] | Establish/Maintain Documentation | Preventive | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [{data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: THE NATURE AND PURPOSE OF PROCESSING; § 14–4608.(A)(2)(II)] | Establish/Maintain Documentation | Preventive | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [{data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: THE TYPE OF DATA SUBJECT TO PROCESSING; § 14–4608.(A)(2)(III)] | Establish/Maintain Documentation | Preventive | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 [{data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: THE DURATION OF PROCESSING; AND § 14–4608.(A)(2)(IV)] | Establish/Maintain Documentation | Preventive | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: ALLOW AND COOPERATE WITH REASONABLE ASSESSMENTS BY THE CONTROLLER, THE CONTROLLER'S DESIGNATED ASSESSOR, OR A QUALIFIED AND INDEPENDENT ASSESSOR ARRANGED FOR BY THE PROCESSOR TO ASSESS THE PROCESSOR'S POLICIES AND TECHNICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF THE OBLIGATIONS UNDER THIS SUBTITLE. § 14–4608.(A)(3)(VII) A PROCESSOR SHALL: PROVIDE NECESSARY INFORMATION TO ENABLE THE CONTROLLER TO CONDUCT AND DOCUMENT DATA PROTECTION ASSESSMENTS. § 14–4608.(B)(3)] | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: ON THE REASONABLE REQUEST OF THE CONTROLLER, MAKE AVAILABLE TO THE CONTROLLER ALL INFORMATION IN THE PROCESSOR'S POSSESSION NECESSARY TO DEMONSTRATE THE PROCESSOR'S COMPLIANCE WITH THE OBLIGATIONS IN THIS SUBTITLE; § 14–4608.(A)(3)(V) ON REQUEST, THE PROCESSOR SHALL PROVIDE A REPORT OF AN ASSESSMENT REQUIRED BY PARAGRAPH (3)(V) OF THIS SUBSECTION TO THE CONTROLLER. § 14–4608.(A)(4)(I)] | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [A PERSON MAY NOT: PROVIDE A PROCESSOR ACCESS TO CONSUMER HEALTH DATA UNLESS THE PERSON PROVIDING ACCESS TO THE CONSUMER HEALTH DATA AND THE PROCESSOR COMPLY WITH 14–4608 OF THIS SUBTITLE; OR § 14–4604.(2) {data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: STOP PROCESSING DATA ON REQUEST BY THE CONTROLLER MADE IN ACCORDANCE WITH A CONSUMER'S AUTHENTICATED REQUEST; § 14–4608.(A)(3)(III) A PROCESSOR SHALL: ASSIST THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING: § 14–4608.(B)(2) {data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES. § 14–4608.(A)(2)(V) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: ASSIST ANOTHER CONTROLLER, PROCESSOR, OR THIRD PARTY WITH AN OBLIGATION UNDER THIS SUBTITLE. § 14–4612.(A)(11)] | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: AFTER PROVIDING THE CONTROLLER AN OPPORTUNITY TO OBJECT, ENGAGE A SUBCONTRACTOR TO ASSIST WITH PROCESSING PERSONAL DATA ON THE CONTROLLER'S BEHALF ONLY IN ACCORDANCE WITH A WRITTEN CONTRACT THAT REQUIRES THE SUBCONTRACTOR TO MEET THE PROCESSOR'S OBLIGATIONS REGARDING THE PERSONAL DATA UNDER THE PROCESSOR'S CONTRACT WITH THE CONTROLLER; AND § 14–4608.(A)(3)(VI)] | Human Resources Management | Preventive | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: AT THE CONTROLLER'S DIRECTION, DELETE OR RETURN ALL PERSONAL DATA TO THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF SERVICE, UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW; § 14–4608.(A)(3)(IV)] | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Establish/Maintain Documentation | Preventive | |
| Notify the data subject of changes to personal data use. CC ID 00105 [IF A THIRD PARTY USES OR SHARES A CONSUMER'S INFORMATION IN A MANNER INCONSISTENT WITH PROMISES MADE TO THE CONSUMER AT THE TIME OF COLLECTION OF THE INFORMATION, THE THIRD PARTY SHALL PROVIDE AN AFFECTED CONSUMER WITH NOTICE OF THE NEW OR CHANGED PRACTICE BEFORE IMPLEMENTING THE NEW OR CHANGED PRACTICE. § 14–4609.(A)] | Behavior | Preventive | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Establish/Maintain Documentation | Preventive | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Establish/Maintain Documentation | Preventive | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [{not necessary} {be incompatible} A CONTROLLER MAY NOT: UNLESS THE CONTROLLER OBTAINS THE CONSUMER'S CONSENT, PROCESS PERSONAL DATA FOR A PURPOSE THAT IS NEITHER REASONABLY NECESSARY TO, NOR COMPATIBLE WITH, THE DISCLOSED PURPOSES FOR WHICH THE PERSONAL DATA IS PROCESSED, AS DISCLOSED TO THE CONSUMER. § 14–4607.(A)(8)] | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: TAKE IMMEDIATE STEPS TO PROTECT AN INTEREST THAT IS ESSENTIAL FOR THE LIFE OR PHYSICAL SAFETY OF A CONSUMER OR ANOTHER INDIVIDUAL AND WHEN THE PROCESSING CANNOT BE MANIFESTLY BASED ON ANOTHER LEGAL BASIS; § 14–4612.(A)(8)] | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Establish/Maintain Documentation | Preventive | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED CONSUMER REQUEST WITH PERSONAL DATA. § 14–4611.(A)(3)] | Establish/Maintain Documentation | Preventive | |
| Allow data subjects to submit data requests. CC ID 16545 [A CONSUMER MAY EXERCISE A CONSUMER RIGHT UNDER THIS SECTION BY THE METHOD ESTABLISHED BY THE CONTROLLER UNDER PARAGRAPH (1) OF THIS SUBSECTION. § 14–4605.(C)(2)] | Process or Activity | Preventive | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Data and Information Management | Preventive | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Data and Information Management | Preventive | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Data and Information Management | Preventive | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Data and Information Management | Preventive | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Data and Information Management | Preventive | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Establish/Maintain Documentation | Preventive | |
| Define what is to be included in a data access request. CC ID 08699 | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Business Processes | Preventive | |
| Respond to data access requests in a timely manner. CC ID 00421 [EXCEPT AS OTHERWISE PROVIDED IN THIS SUBTITLE, A CONTROLLER SHALL COMPLY WITH A REQUEST BY A CONSUMER TO EXERCISE A CONSUMER RIGHT LISTED IN THIS SECTION. § 14–4605.(E)(1) A CONTROLLER SHALL RESPOND TO A CONSUMER REQUEST NOT LATER THAN 45 DAYS AFTER THE CONTROLLER RECEIVES THE CONSUMER REQUEST. § 14–4605.(E)(2)(I)] | Behavior | Preventive | |
| Respond to data access requests in an official language. CC ID 17176 | Communicate | Preventive | |
| Delay responding to data access requests, as necessary. CC ID 15504 [A CONTROLLER MAY EXTEND THE COMPLETION PERIOD BY AN ADDITIONAL 45 DAYS IF: IT IS REASONABLY NECESSARY TO COMPLETE THE REQUEST BASED ON THE COMPLEXITY AND NUMBER OF THE CONSUMER'S REQUESTS; AND § 14–4605.(E)(2)(II) 1.] | Data and Information Management | Preventive | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Data and Information Management | Preventive | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [A CONTROLLER MAY EXTEND THE COMPLETION PERIOD BY AN ADDITIONAL 45 DAYS IF: THE CONTROLLER INFORMS THE CONSUMER OF THE EXTENSION AND THE REASON FOR THE EXTENSION WITHIN THE INITIAL 45–DAY RESPONSE PERIOD. § 14–4605.(E)(2)(II) 2.] | Behavior | Detective | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Behavior | Detective | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Business Processes | Preventive | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Process or Activity | Preventive | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Establish/Maintain Documentation | Preventive | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Data and Information Management | Preventive | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Data and Information Management | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Establish/Maintain Documentation | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Establish/Maintain Documentation | Preventive | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Process or Activity | Preventive | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Establish/Maintain Documentation | Preventive | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 [NOT LATER THAN 60 DAYS AFTER RECEIVING AN APPEAL, A CONTROLLER SHALL INFORM THE CONSUMER IN WRITING OF ANY ACTION TAKEN OR NOT TAKEN IN RESPONSE TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF THE REASONS FOR THE DECISIONS. § 14–4605.(F)(3)] | Behavior | Preventive | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Records Management | Preventive | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER RIGHTS REQUEST IF THE CONTROLLER: IS NOT REASONABLY CAPABLE OF ASSOCIATING THE REQUEST WITH THE PERSONAL DATA OR IT WOULD BE UNREASONABLY BURDENSOME FOR THE CONTROLLER TO ASSOCIATE THE REQUEST WITH THE PERSONAL DATA; § 14–4611.(B)(1)] | Process or Activity | Preventive | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [A CONTROLLER MAY NOT: PROCESS PERSONAL DATA IN VIOLATION OF STATE OR FEDERAL LAWS THAT PROHIBIT UNLAWFUL DISCRIMINATION; § 14–4607.(A)(3) A CONTROLLER MAY NOT: COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN, SEX, SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR: § 14–4607.(A)(7) A CONTROLLER MAY NOT: COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN, SEX, SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR: THE CONTROLLER'S DIVERSIFYING OF AN APPLICANT, PARTICIPANT, OR CUSTOMER POOL; OR § 14–4607.(A)(7)(II) A CONTROLLER MAY NOT: COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN, SEX, SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR: THE CONTROLLER'S SELF–TESTING TO PREVENT OR MITIGATE UNLAWFUL DISCRIMINATION; § 14–4607.(A)(7)(I) {be private} A CONTROLLER MAY NOT: COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN, SEX, SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR: A PRIVATE CLUB OR GROUP NOT OPEN TO THE PUBLIC, AS DESCRIBED IN § 201(E) OF THE CIVIL RIGHTS ACT OF 1964; OR § 14–4607.(A)(7)(III)] | Data and Information Management | Preventive | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Data and Information Management | Preventive | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Business Processes | Preventive | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Business Processes | Preventive | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Business Processes | Preventive | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Business Processes | Preventive | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Business Processes | Preventive | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Business Processes | Preventive | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Business Processes | Preventive | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Process or Activity | Preventive | |
| Process restricted data lawfully and carefully. CC ID 00086 | Establish Roles | Preventive | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO: IMPOSE AN OBLIGATION ON A CONTROLLER OR A PROCESSOR THAT ADVERSELY AFFECTS THE RIGHTS OR FREEDOMS OF ANY PERSON, INCLUDING THE RIGHTS OF A PERSON TO FREEDOM OF SPEECH OR FREEDOM OF THE PRESS AS GUARANTEED IN THE FIRST AMENDMENT TO THE U.S. CONSTITUTION; OR § 14–4612.(E)(1) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY; OR § 14–4612.(B)(2)(II) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: EFFECTUATE A PRODUCT RECALL; § 14–4612.(B)(2)(I) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: PERFORM INTERNAL OPERATIONS THAT ARE: § 14–4612.(B)(2)(III)] | Data and Information Management | Preventive | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Data and Information Management | Preventive | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [{minor} A CONTROLLER MAY NOT: PROCESS THE PERSONAL DATA OF A CONSUMER FOR THE PURPOSES OF TARGETED ADVERTISING IF THE CONTROLLER KNEW OR SHOULD HAVE KNOWN THAT THE CONSUMER IS UNDER THE AGE OF 18 YEARS; § 14–4607.(A)(4)] | Business Processes | Preventive | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED COMPLIANT WITH THE CONSUMER'S REQUEST TO DELETE THE CONSUMER'S DATA IN ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THAT THE CONSUMER'S PERSONAL DATA: § 14–4605.(E)(7) A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED COMPLIANT WITH THE CONSUMER'S REQUEST TO DELETE THE CONSUMER'S DATA IN ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THAT THE CONSUMER'S PERSONAL DATA: REMAINS DELETED FROM THE CONTROLLER'S RECORDS; AND § 14–4605.(E)(7)(I) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED CONSUMER REQUEST WITH PERSONAL DATA. § 14–4611.(A)(3) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY; OR § 14–4612.(B)(2)(II) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: EFFECTUATE A PRODUCT RECALL; § 14–4612.(B)(2)(I) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: PERFORM INTERNAL OPERATIONS THAT ARE: § 14–4612.(B)(2)(III)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Establish/Maintain Documentation | Preventive | |
| Capture personal data removal requests. CC ID 13507 [A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED COMPLIANT WITH THE CONSUMER'S REQUEST TO DELETE THE CONSUMER'S DATA IN ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THAT THE CONSUMER'S PERSONAL DATA: § 14–4605.(E)(7)] | Communicate | Preventive | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A CONSUMER SHALL HAVE THE RIGHT TO: REQUIRE A CONTROLLER TO DELETE PERSONAL DATA PROVIDED BY, OR OBTAINED ABOUT, THE CONSUMER UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW; § 14–4605.(B)(4)] | Records Management | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Process or Activity | Preventive | |
| Refrain from selling restricted data, as necessary. CC ID 17165 [A CONTROLLER MAY NOT: SELL SENSITIVE DATA; § 14–4607.(A)(2) {minor} A CONTROLLER MAY NOT: SELL THE PERSONAL DATA OF A CONSUMER IF THE CONTROLLER KNEW OR SHOULD HAVE KNOWN THAT THE CONSUMER IS UNDER THE AGE OF 18 YEARS; § 14–4607.(A)(5)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [IF A CONTROLLER DECLINES TO ACT REGARDING A CONSUMER'S REQUEST, THE CONTROLLER SHALL: INFORM THE CONSUMER WITHOUT UNDUE DELAY, BUT NOT LATER THAN 45 DAYS AFTER RECEIVING THE REQUEST, OF THE JUSTIFICATION FOR DECLINING TO ACT; AND § 14–4605.(E)(3)(I) IF A CONTROLLER IS UNABLE TO AUTHENTICATE A REQUEST TO EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (B)(1) THROUGH (5) OF THIS SECTION USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER: MAY NOT BE REQUIRED TO COMPLY WITH A REQUEST TO INITIATE AN ACTION IN ACCORDANCE WITH THIS SECTION; AND § 14–4605.(E)(5)(I) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER RIGHTS REQUEST IF THE CONTROLLER: DOES NOT SELL THE PERSONAL DATA TO A THIRD PARTY OR OTHERWISE VOLUNTARILY DISCLOSE THE PERSONAL DATA TO A THIRD PARTY OTHER THAN A PROCESSOR, EXCEPT AS OTHERWISE ALLOWED IN THIS SUBTITLE. § 14–4611.(B)(3) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER RIGHTS REQUEST IF THE CONTROLLER: DOES NOT USE THE PERSONAL DATA TO RECOGNIZE OR RESPOND TO THE SPECIFIC CONSUMER WHO IS THE SUBJECT OF THE PERSONAL DATA OR ASSOCIATE THE PERSONAL DATA WITH OTHER PERSONAL DATA ABOUT THE SAME SPECIFIC CONSUMER; AND § 14–4611.(B)(2)] | Establish/Maintain Documentation | Preventive | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{be unfounded} {be excessive} {be infeasible} {be repetitive} IF REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE, A CONTROLLER MAY: DECLINE TO ACT ON THE REQUEST. § 14–4605.(E)(4)(II) 2.] | Data and Information Management | Preventive | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [IF A CONTROLLER IS UNABLE TO AUTHENTICATE A REQUEST TO EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (B)(1) THROUGH (5) OF THIS SECTION USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER: SHALL PROVIDE NOTICE TO THE CONSUMER THAT THE CONTROLLER IS UNABLE TO AUTHENTICATE THE REQUEST TO EXERCISE THE RIGHT UNTIL THE CONSUMER PROVIDES ADDITIONAL INFORMATION REASONABLY NECESSARY TO AUTHENTICATE THE CONSUMER AND THE CONSUMER'S REQUEST TO EXERCISE THE CONSUMER'S RIGHTS. § 14–4605.(E)(5)(II)] | Data and Information Management | Preventive | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Data and Information Management | Preventive | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Data and Information Management | Preventive | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Data and Information Management | Preventive | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Data and Information Management | Preventive | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [NOTHING IN THIS SECTION MAY BE CONSTRUED TO REQUIRE A CONTROLLER TO REVEAL A TRADE SECRET. § 14–4605.(A)] | Data and Information Management | Preventive | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Data and Information Management | Preventive | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Data and Information Management | Preventive | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Process or Activity | Preventive | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Data and Information Management | Preventive | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Data and Information Management | Preventive | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Data and Information Management | Preventive | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Data and Information Management | Detective | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Data and Information Management | Preventive | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Data and Information Management | Preventive | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Data and Information Management | Preventive | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Data and Information Management | Preventive | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Data and Information Management | Preventive | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [IF A CONTROLLER DECLINES TO ACT REGARDING A CONSUMER'S REQUEST, THE CONTROLLER SHALL: INFORM THE CONSUMER WITHOUT UNDUE DELAY, BUT NOT LATER THAN 45 DAYS AFTER RECEIVING THE REQUEST, OF THE JUSTIFICATION FOR DECLINING TO ACT; AND § 14–4605.(E)(3)(I) {be unfounded} {be excessive} {be infeasible} {be repetitive} IF REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE, A CONTROLLER MAY: THE CONTROLLER HAS THE BURDEN OF DEMONSTRATING THE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE NATURE OF THE REQUEST. § 14–4605.(E)(4)(III)] | Data and Information Management | Preventive | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Communicate | Preventive | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Data and Information Management | Preventive | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Process or Activity | Preventive | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL DATA CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVILEGE UNDER STATE LAW AS PART OF A PRIVILEGED COMMUNICATION. § 14–4612.(C)(2)] | Data and Information Management | Preventive | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Data and Information Management | Preventive | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Communicate | Preventive | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Data and Information Management | Preventive | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [A CONTROLLER MAY EXTEND THE COMPLETION PERIOD BY AN ADDITIONAL 45 DAYS IF: THE CONTROLLER INFORMS THE CONSUMER OF THE EXTENSION AND THE REASON FOR THE EXTENSION WITHIN THE INITIAL 45–DAY RESPONSE PERIOD. § 14–4605.(E)(2)(II) 2.] | Communicate | Preventive | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Data and Information Management | Preventive | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Data and Information Management | Preventive | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Data and Information Management | Preventive | |
| Provide data at a cost that is not excessive. CC ID 00430 [A CONTROLLER SHALL PROVIDE INFORMATION TO A CONSUMER IN RESPONSE TO A CONSUMER'S REQUEST TO EXERCISE RIGHTS UNDER THIS SUBTITLE FREE OF CHARGE ONCE DURING ANY 12–MONTH PERIOD. § 14–4605.(E)(4)(I) {be unfounded} {be excessive} {be infeasible} {be repetitive} IF REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE, A CONTROLLER MAY: CHARGE THE CONSUMER A REASONABLE FEE TO COVER THE ADMINISTRATIVE COSTS OF COMPLYING WITH THE REQUEST; OR § 14–4605.(E)(4)(II) 1.] | Data and Information Management | Preventive | |
| Provide records or data in a reasonable manner. CC ID 00431 [A CONSUMER SHALL HAVE THE RIGHT TO: IF THE PROCESSING OF PERSONAL DATA IS DONE BY AUTOMATIC MEANS, OBTAIN A COPY OF THE CONSUMER'S PERSONAL DATA PROCESSED BY THE CONTROLLER IN A PORTABLE AND, TO THE EXTENT TECHNICALLY FEASIBLE, READILY USABLE FORMAT THAT ALLOWS THE CONSUMER TO EASILY TRANSMIT THE DATA TO ANOTHER CONTROLLER WITHOUT HINDRANCE; § 14–4605.(B)(5)] | Data and Information Management | Preventive | |
| Provide personal data in a form that is intelligible. CC ID 00432 | Data and Information Management | Preventive | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Data and Information Management | Preventive | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Data and Information Management | Preventive | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Data and Information Management | Preventive | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Establish/Maintain Documentation | Preventive | |
| Refrain from collecting personal data, as necessary. CC ID 15269 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED CONSUMER REQUEST WITH PERSONAL DATA. § 14–4611.(A)(3) A PERSON MAY NOT: USE A GEOFENCE TO ESTABLISH A VIRTUAL BOUNDARY THAT IS WITHIN 1,750 FEET OF ANY MENTAL HEALTH FACILITY OR REPRODUCTIVE OR SEXUAL HEALTH FACILITY FOR THE PURPOSE OF IDENTIFYING, TRACKING, COLLECTING DATA FROM, OR SENDING ANY NOTIFICATION TO A CONSUMER REGARDING THE CONSUMER'S CONSUMER HEALTH DATA. § 14–4604.(3)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Establish/Maintain Documentation | Preventive | |
| Use personal data for specified purposes. CC ID 11831 [A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED COMPLIANT WITH THE CONSUMER'S REQUEST TO DELETE THE CONSUMER'S DATA IN ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THAT THE CONSUMER'S PERSONAL DATA: IS NOT BEING USED FOR ANY OTHER PURPOSE. § 14–4605.(E)(7)(II) {be adequate} {be relevant} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: MAY BE PROCESSED TO THE EXTENT THAT THE PROCESSING IS: ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS NECESSARY IN RELATION TO THE SPECIFIC PURPOSES LISTED IN THIS SECTION. § 14–4612.(G)(2)(II) {be necessary} {be proportionate} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: MAY BE PROCESSED TO THE EXTENT THAT THE PROCESSING IS: REASONABLY NECESSARY AND PROPORTIONATE TO THE PURPOSES LISTED IN THIS SECTION; AND § 14–4612.(G)(2)(I)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Establish/Maintain Documentation | Preventive | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 [{be proportionate} A CONTROLLER SHALL: LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS REASONABLY NECESSARY AND PROPORTIONATE TO PROVIDE OR MAINTAIN A SPECIFIC PRODUCT OR SERVICE REQUESTED BY THE CONSUMER TO WHOM THE DATA PERTAINS; § 14–4607.(B)(1)(I)] | Data and Information Management | Preventive | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY; OR § 14–4612.(B)(2)(II) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: EFFECTUATE A PRODUCT RECALL; § 14–4612.(B)(2)(I) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: PERFORM INTERNAL OPERATIONS THAT ARE: § 14–4612.(B)(2)(III)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: MAINTAIN DATA IN AN IDENTIFIABLE FORM; OR § 14–4611.(A)(2) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: RE–IDENTIFY DE–IDENTIFIED DATA; § 14–4611.(A)(1)] | Data and Information Management | Preventive | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Data and Information Management | Preventive | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Data and Information Management | Preventive | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Data and Information Management | Preventive | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Data and Information Management | Preventive | |
| Change or destroy any personal data that is incorrect. CC ID 00462 [A CONSUMER SHALL HAVE THE RIGHT TO: CONSIDERING THE NATURE OF THE CONSUMER'S PERSONAL DATA AND THE PURPOSES OF THE PROCESSING OF THE PERSONAL DATA, CORRECT INACCURACIES IN THE CONSUMER'S PERSONAL DATA; § 14–4605.(B)(3)] | Data and Information Management | Corrective | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Behavior | Corrective | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Data and Information Management | Preventive | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Data and Information Management | Corrective | |
| Investigate privacy rights violation complaints. CC ID 00480 | Behavior | Detective | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTIGATION, SUBPOENA, OR SUMMONS BY A FEDERAL, STATE, LOCAL, OR OTHER GOVERNMENTAL AUTHORITY; § 14–4612.(A)(2) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: COOPERATE WITH LAW ENFORCEMENT AGENCIES CONCERNING CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONABLY AND IN GOOD FAITH BELIEVES MAY VIOLATE FEDERAL, STATE, OR LOCAL LAWS OR REGULATIONS; § 14–4612.(A)(3)] | Business Processes | Corrective | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [IF A CONTROLLER DENIES AN APPEAL, THE CONTROLLER SHALL PROVIDE THE CONSUMER WITH AN ONLINE MECHANISM, IF AVAILABLE, THROUGH WHICH THE CONSUMER MAY CONTACT THE DIVISION TO SUBMIT A COMPLAINT. § 14–4605.(F)(4)] | Behavior | Preventive | |
| Define the organization's liability based on the applicable law. CC ID 00504 [NOTHING IN THIS SECTION MAY BE CONSTRUED TO RELIEVE A CONTROLLER OR A PROCESSOR FROM THE LIABILITIES IMPOSED ON THE CONTROLLER OR PROCESSOR BY VIRTUE OF THE CONTROLLER'S OR PROCESSOR'S ROLE IN THE PROCESSING RELATIONSHIP IN ACCORDANCE WITH THIS SECTION. § 14–4608.(C) A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL DATA TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE IF THE PROCESSOR OR THIRD–PARTY CONTROLLER THAT RECEIVES THE PERSONAL DATA VIOLATES THIS SUBTITLE AND: AT THE TIME THE DISCLOSING CONTROLLER OR PROCESSOR DISCLOSED THE PERSONAL DATA, THE DISCLOSING CONTROLLER OR PROCESSOR DID NOT HAVE ACTUAL KNOWLEDGE THAT THE RECEIVING PROCESSOR OR THIRD–PARTY CONTROLLER WOULD VIOLATE THIS SUBTITLE; AND § 14–4612.(D)(1)(I) A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL DATA TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE IF THE PROCESSOR OR THIRD–PARTY CONTROLLER THAT RECEIVES THE PERSONAL DATA VIOLATES THIS SUBTITLE AND: § 14–4612.(D)(1)] | Establish/Maintain Documentation | Preventive | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Establish/Maintain Documentation | Preventive | |
| Define the appeal process based on the applicable law. CC ID 00506 [A CONTROLLER SHALL ESTABLISH A PROCESS FOR A CONSUMER TO APPEAL THE CONTROLLER'S REFUSAL TO ACT ON A CONSUMER RIGHTS REQUEST WITHIN A REASONABLE PERIOD AFTER THE CONSUMER RECEIVES THE DECISION. § 14–4605.(F)(1) {be conspicuously available} THE APPEAL PROCESS SHALL BE: CONSPICUOUSLY AVAILABLE; AND § 14–4605.(F)(2)(I) {be similar} THE APPEAL PROCESS SHALL BE: SIMILAR TO THE PROCESS FOR SUBMITTING REQUESTS TO INITIATE AN ACTION IN ACCORDANCE WITH THIS SECTION. § 14–4605.(F)(2)(II)] | Establish/Maintain Documentation | Preventive | |
| Define the fee structure for the appeal process. CC ID 16532 | Process or Activity | Preventive | |
| Define the time requirements for the appeal process. CC ID 16531 | Process or Activity | Preventive | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [IF A CONTROLLER DECLINES TO ACT REGARDING A CONSUMER'S REQUEST, THE CONTROLLER SHALL: PROVIDE INSTRUCTIONS FOR HOW TO APPEAL THE DECISION. § 14–4605.(E)(3)(II)] | Communicate | Preventive | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [NOT LATER THAN 60 DAYS AFTER RECEIVING AN APPEAL, A CONTROLLER SHALL INFORM THE CONSUMER IN WRITING OF ANY ACTION TAKEN OR NOT TAKEN IN RESPONSE TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF THE REASONS FOR THE DECISIONS. § 14–4605.(F)(3)] | Communicate | Preventive | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Data and Information Management | Preventive | |
| Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT: THE ABILITY OF THE CONTROLLER TO VERIFY THE IDENTITY OF A CONSUMER MAKING THE REQUEST. § 14–4607.(F)(1)(III) A CONTROLLER MAY NOT BE REQUIRED TO AUTHENTICATE AN OPT–OUT REQUEST. § 14–4605.(E)(6)] | Establish/Maintain Documentation | Preventive | |
| Check the accuracy of restricted data. CC ID 00088 | Data and Information Management | Preventive | |
| Record restricted data correctly. CC ID 00089 | Testing | Detective | |
| Check the data accuracy of new accounts. CC ID 04859 | Data and Information Management | Preventive | |
| Use documents for identification that do not appear altered or forged. CC ID 04860 | Establish/Maintain Documentation | Preventive | |
| Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Testing | Detective | |
| Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Data and Information Management | Preventive | |
| Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Data and Information Management | Preventive | |
| Correlate the applicant's social security number with their date of birth. CC ID 04864 | Data and Information Management | Preventive | |
| Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Data and Information Management | Preventive | |
| Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Data and Information Management | Preventive | |
| Compare the applicant's address against known suspicious addresses. CC ID 04866 | Data and Information Management | Preventive | |
| Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Data and Information Management | Preventive | |
| Provide additional personal data when the application is incomplete. CC ID 04869 | Data and Information Management | Preventive | |
| Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Data and Information Management | Detective | |
| Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Behavior | Detective | |
| Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Data and Information Management | Detective | |
| Interview appropriate parties to validate consumer information. CC ID 16902 | Process or Activity | Preventive | |
| Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Business Processes | Detective | |
| Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 [A CONTROLLER SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED FROM AN AUTHORIZED AGENT IF, USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER IS ABLE TO AUTHENTICATE THE: IDENTITY OF THE CONSUMER; AND § 14–4606.(B)(1)] | Business Processes | Preventive | |
| Use contact methods specified by the consumer for identity verification. CC ID 16878 | Process or Activity | Preventive | |
Technical security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [A CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT IN ACCORDANCE WITH § 14–4606 OF THIS SUBTITLE TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA UNDER SUBSECTION (B)(7) OF THIS SECTION ON BEHALF OF A CONSUMER. § 14–4605.(D)(1) A PARENT OR LEGAL GUARDIAN OF A CHILD MAY EXERCISE A CONSUMER RIGHT LISTED IN SUBSECTION (B) OF THIS SECTION ON THE CHILD'S BEHALF REGARDING THE PROCESSING OF PERSONAL DATA. § 14–4605.(D)(2) A GUARDIAN OR CONSERVATOR OF A CONSUMER SUBJECT TO A GUARDIANSHIP, CONSERVATORSHIP, OR OTHER PROTECTIVE ARRANGEMENT MAY EXERCISE A CONSUMER RIGHT LISTED IN SUBSECTION (B) OF THIS SECTION ON THE CONSUMER'S BEHALF REGARDING THE PROCESSING OF PERSONAL DATA. § 14–4605.(D)(3) A CONSUMER MAY DESIGNATE AN INDIVIDUAL TO SERVE AS THE CONSUMER'S AUTHORIZED AGENT AND ACT ON THE CONSUMER'S BEHALF TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR ONE OR MORE OF THE PURPOSES SPECIFIED IN § 14–4605(B)(7) OF THIS SUBTITLE. § 14–4606.(A)(1) A CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT BY AN INTERNET LINK OR A BROWSER SETTING, BROWSER EXTENSION, GLOBAL DEVICE SETTING, OR OTHER SIMILAR TECHNOLOGY, INDICATING A CONSUMER'S INTENT TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA. § 14–4606.(A)(2) A CONTROLLER SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED FROM AN AUTHORIZED AGENT IF, USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER IS ABLE TO AUTHENTICATE THE: AUTHORIZED AGENT'S AUTHORITY TO ACT ON THE CONSUMER'S BEHALF. § 14–4606.(B)(2)] | Establish/Maintain Documentation | Preventive | |
| Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Establish/Maintain Documentation | Preventive | |
| Include termination procedures in the authorized representatives policy. CC ID 17226 | Establish/Maintain Documentation | Preventive | |
| Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Establish/Maintain Documentation | Preventive | |
| Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Establish/Maintain Documentation | Preventive | |
| Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Establish/Maintain Documentation | Preventive | |
| Control access rights to organizational assets. CC ID 00004 | Technical Security | Preventive | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
| Enforce access restrictions for restricted data. CC ID 01921 [A PERSON MAY NOT: PROVIDE AN EMPLOYEE OR CONTRACTOR ACCESS TO CONSUMER HEALTH DATA UNLESS: § 14–4604.(1)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain an organizational website program. CC ID 14815 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain consent web pages and consent forms in accordance with external requirements. CC ID 14816 | Records Management | Preventive | |
| Post a clear and conspicuous link to consent web pages and consent forms on organizational websites. CC ID 16536 [A CONTROLLER MAY UTILIZE THE FOLLOWING METHODS TO SATISFY PARAGRAPH (1) OF THIS SUBSECTION: PROVIDING A CLEAR AND CONSPICUOUS LINK ON THE CONTROLLER'S WEBSITE TO A WEBPAGE THAT ALLOWS A CONSUMER, OR AN AUTHORIZED AGENT OF THE CONSUMER, TO OPT OUT OF THE TARGETED ADVERTISING OR THE SALE OF THE CONSUMER'S PERSONAL DATA; OR § 14–4607.(F)(3)(I)] | Process or Activity | Preventive | |
Third Party and supply chain oversight | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PERFORM UNDER A CONTRACT TO WHICH A CONSUMER IS A PARTY, INCLUDING FULFILLING THE TERMS OF A WRITTEN WARRANTY; § 14–4612.(A)(6) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: TAKE STEPS AT THE REQUEST OF A CONSUMER BEFORE ENTERING INTO A CONTRACT; § 14–4612.(A)(7)] | Establish/Maintain Documentation | Preventive | |
| Review and update all contracts, as necessary. CC ID 11612 | Establish/Maintain Documentation | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [{administrative data security practice} {technical data security practice} {data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA, CONSIDERING THE VOLUME AND NATURE OF THE PERSONAL DATA; § 14–4608.(A)(3)(II)] | Testing | Detective | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Testing | Detective | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Establish/Maintain Documentation | Preventive | |
| Establish the third party's service continuity. CC ID 00797 | Testing | Detective | |
| Approve or deny third party recovery plans, as necessary. CC ID 17124 | Systems Continuity | Preventive | |
| Review third party recovery plans. CC ID 17123 | Systems Continuity | Detective | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Testing | Detective | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Data and Information Management | Detective | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Testing | Detective | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Process or Activity | Detective | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [A THIRD–PARTY CONTROLLER OR PROCESSOR THAT RECEIVES PERSONAL DATA FROM A CONTROLLER OR PROCESSOR IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE FOR THE INDEPENDENT MISCONDUCT OF THE CONTROLLER OR PROCESSOR FROM WHICH THE THIRD–PARTY CONTROLLER OR PROCESSOR RECEIVED THE PERSONAL DATA. § 14–4612.(D)(2)] | Establish/Maintain Documentation | Detective | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Communicate | Preventive | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Establish/Maintain Documentation | Preventive | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Establish/Maintain Documentation | Detective | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Business Processes | Preventive | |
| Provide products or services per customer requests. CC ID 08893 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PROVIDE A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY A CONSUMER; § 14–4612.(A)(5)] | Business Processes | Preventive | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Acquisition/Sale of Assets or Services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Preventive | |
| Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Preventive | |
| Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Refrain from providing products and services, as necessary. CC ID 15580 [NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE CONSTRUED TO: REQUIRE A CONTROLLER TO PROVIDE A PRODUCT OR SERVICE THAT REQUIRES THE PERSONAL DATA OF A CONSUMER THAT THE CONTROLLER DOES NOT COLLECT OR MAINTAIN; OR § 14–4607.(C)(1)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Actionable Reports or Measurements | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive | |
Audits and Risk Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Monitoring and measurement | Preventive | |
| Provide security inspectors access to personnel files during site reviews. CC ID 12300 | Human Resources management | Detective | |
Behavior | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Human Resources management | Preventive | |
| Establish, implement, and maintain an ethical culture. CC ID 12781 | Human Resources management | Preventive | |
| Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 | Human Resources management | Preventive | |
| Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Human Resources management | Preventive | |
| Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Human Resources management | Preventive | |
| Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Preventive | |
| Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Preventive | |
| Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Preventive | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Corrective | |
| Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Corrective | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Detective | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Corrective | |
| Avoid false positive incident response notifications. CC ID 04732 | Operational management | Detective | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Corrective | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Corrective | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Corrective | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Corrective | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Preventive | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Preventive | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Corrective | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Preventive | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Corrective | |
| Notify the data subject of changes to personal data use. CC ID 00105 [IF A THIRD PARTY USES OR SHARES A CONSUMER'S INFORMATION IN A MANNER INCONSISTENT WITH PROMISES MADE TO THE CONSUMER AT THE TIME OF COLLECTION OF THE INFORMATION, THE THIRD PARTY SHALL PROVIDE AN AFFECTED CONSUMER WITH NOTICE OF THE NEW OR CHANGED PRACTICE BEFORE IMPLEMENTING THE NEW OR CHANGED PRACTICE. § 14–4609.(A)] | Privacy protection for information and data | Preventive | |
| Respond to data access requests in a timely manner. CC ID 00421 [EXCEPT AS OTHERWISE PROVIDED IN THIS SUBTITLE, A CONTROLLER SHALL COMPLY WITH A REQUEST BY A CONSUMER TO EXERCISE A CONSUMER RIGHT LISTED IN THIS SECTION. § 14–4605.(E)(1) A CONTROLLER SHALL RESPOND TO A CONSUMER REQUEST NOT LATER THAN 45 DAYS AFTER THE CONTROLLER RECEIVES THE CONSUMER REQUEST. § 14–4605.(E)(2)(I)] | Privacy protection for information and data | Preventive | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [A CONTROLLER MAY EXTEND THE COMPLETION PERIOD BY AN ADDITIONAL 45 DAYS IF: THE CONTROLLER INFORMS THE CONSUMER OF THE EXTENSION AND THE REASON FOR THE EXTENSION WITHIN THE INITIAL 45–DAY RESPONSE PERIOD. § 14–4605.(E)(2)(II) 2.] | Privacy protection for information and data | Detective | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Detective | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 [NOT LATER THAN 60 DAYS AFTER RECEIVING AN APPEAL, A CONTROLLER SHALL INFORM THE CONSUMER IN WRITING OF ANY ACTION TAKEN OR NOT TAKEN IN RESPONSE TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF THE REASONS FOR THE DECISIONS. § 14–4605.(F)(3)] | Privacy protection for information and data | Preventive | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Corrective | |
| Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Detective | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [IF A CONTROLLER DENIES AN APPEAL, THE CONTROLLER SHALL PROVIDE THE CONSUMER WITH AN ONLINE MECHANISM, IF AVAILABLE, THROUGH WHICH THE CONSUMER MAY CONTACT THE DIVISION TO SUBMIT A COMPLAINT. § 14–4605.(F)(4)] | Privacy protection for information and data | Preventive | |
| Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Privacy protection for information and data | Detective | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Leadership and high level objectives | Preventive | |
| Implement a fraud detection system. CC ID 13081 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Monitoring and measurement | Preventive | |
| Approve the system security plan. CC ID 14241 | Monitoring and measurement | Preventive | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Detective | |
| Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Preventive | |
| Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Human Resources management | Preventive | |
| Respond to ethics complaints of ethics violations. CC ID 11497 | Human Resources management | Corrective | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Operational management | Preventive | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Detective | |
| Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Preventive | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Corrective | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 [A CONTROLLER MAY NOT REQUIRE A CONSUMER TO CREATE A NEW ACCOUNT IN ORDER TO EXERCISE A CONSUMER RIGHT. § 14–4607.(F)(2)(I) A CONTROLLER MAY REQUIRE A CONSUMER TO USE AN EXISTING ACCOUNT TO EXERCISE A CONSUMER RIGHT. § 14–4607.(F)(2)(II)] | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Preventive | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 [THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT: THE NEED FOR SECURE AND RELIABLE COMMUNICATION OF CONSUMER REQUESTS; AND § 14–4607.(F)(1)(II)] | Privacy protection for information and data | Preventive | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Privacy protection for information and data | Preventive | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{be different} NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE CONSTRUED TO: PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT PRICE, RATE, LEVEL, QUALITY, OR SELECTION OF GOODS OR SERVICES TO A CONSUMER, INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE OFFERING IS IN CONNECTION WITH A CONSUMER'S VOLUNTARY PARTICIPATION IN A BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, PROVIDED THAT THE SELLING OF PERSONAL DATA IS NOT A CONDITION OF PARTICIPATION IN THE PROGRAM. § 14–4607.(C)(2)] | Privacy protection for information and data | Preventive | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 [{be different} NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE CONSTRUED TO: PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT PRICE, RATE, LEVEL, QUALITY, OR SELECTION OF GOODS OR SERVICES TO A CONSUMER, INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE OFFERING IS IN CONNECTION WITH A CONSUMER'S VOLUNTARY PARTICIPATION IN A BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, PROVIDED THAT THE SELLING OF PERSONAL DATA IS NOT A CONDITION OF PARTICIPATION IN THE PROGRAM. § 14–4607.(C)(2)] | Privacy protection for information and data | Preventive | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Preventive | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Preventive | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [IF A CONSUMER REVOKES CONSENT UNDER THIS SECTION, THE CONTROLLER SHALL STOP PROCESSING THE CONSUMER'S PERSONAL DATA AS SOON AS PRACTICABLE, BUT NOT LATER THAN 30 DAYS AFTER RECEIVING THE REQUEST. § 14–4607.(B)(2) A CONTROLLER SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED FROM AN AUTHORIZED AGENT IF, USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER IS ABLE TO AUTHENTICATE THE: § 14–4606.(B)] | Privacy protection for information and data | Preventive | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Privacy protection for information and data | Preventive | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Preventive | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [{minor} A CONTROLLER MAY NOT: PROCESS THE PERSONAL DATA OF A CONSUMER FOR THE PURPOSES OF TARGETED ADVERTISING IF THE CONTROLLER KNEW OR SHOULD HAVE KNOWN THAT THE CONSUMER IS UNDER THE AGE OF 18 YEARS; § 14–4607.(A)(4)] | Privacy protection for information and data | Preventive | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTIGATION, SUBPOENA, OR SUMMONS BY A FEDERAL, STATE, LOCAL, OR OTHER GOVERNMENTAL AUTHORITY; § 14–4612.(A)(2) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: COOPERATE WITH LAW ENFORCEMENT AGENCIES CONCERNING CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONABLY AND IN GOOD FAITH BELIEVES MAY VIOLATE FEDERAL, STATE, OR LOCAL LAWS OR REGULATIONS; § 14–4612.(A)(3)] | Privacy protection for information and data | Corrective | |
| Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Privacy protection for information and data | Detective | |
| Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 [A CONTROLLER SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED FROM AN AUTHORIZED AGENT IF, USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER IS ABLE TO AUTHENTICATE THE: IDENTITY OF THE CONSUMER; AND § 14–4606.(B)(1)] | Privacy protection for information and data | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Third Party and supply chain oversight | Preventive | |
| Provide products or services per customer requests. CC ID 08893 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PROVIDE A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY A CONSUMER; § 14–4612.(A)(5)] | Third Party and supply chain oversight | Preventive | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Preventive | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
| Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [THE DIVISION MAY REQUIRE THAT A CONTROLLER MAKE AVAILABLE TO THE DIVISION A DATA PROTECTION ASSESSMENT THAT IS RELEVANT TO AN INVESTIGATION CONDUCTED BY THE DIVISION. § 14–4610.(D)(1)] | Audits and risk management | Preventive | |
| Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Preventive | |
| Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Human Resources management | Preventive | |
| Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Preventive | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
| Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Preventive | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Operational management | Preventive | |
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [A PROCESSOR SHALL: ASSIST THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING: BY ASSISTING THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS IN RELATION TO THE SECURITY OF PROCESSING THE PERSONAL DATA AND IN RELATION TO THE NOTIFICATION OF A BREACH OF THE SECURITY OF A SYSTEM, AS DEFINED IN § 14–3504 OF THIS TITLE; AND § 14–4608.(B)(2)(II)] | Operational management | Corrective | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: § 14–4607.(D)] | Privacy protection for information and data | Preventive | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER RIGHTS REQUEST IF THE CONTROLLER: IS NOT REASONABLY CAPABLE OF ASSOCIATING THE REQUEST WITH THE PERSONAL DATA OR IT WOULD BE UNREASONABLY BURDENSOME FOR THE CONTROLLER TO ASSOCIATE THE REQUEST WITH THE PERSONAL DATA; § 14–4611.(B)(1)] | Privacy protection for information and data | Preventive | |
| Disseminate private communications when required by law. CC ID 14335 | Privacy protection for information and data | Corrective | |
| Provide a copy of the data subject's consent to the data subject. CC ID 17234 | Privacy protection for information and data | Preventive | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Privacy protection for information and data | Preventive | |
| Respond to data access requests in an official language. CC ID 17176 | Privacy protection for information and data | Preventive | |
| Capture personal data removal requests. CC ID 13507 [A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED COMPLIANT WITH THE CONSUMER'S REQUEST TO DELETE THE CONSUMER'S DATA IN ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THAT THE CONSUMER'S PERSONAL DATA: § 14–4605.(E)(7)] | Privacy protection for information and data | Preventive | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Preventive | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Preventive | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [A CONTROLLER MAY EXTEND THE COMPLETION PERIOD BY AN ADDITIONAL 45 DAYS IF: THE CONTROLLER INFORMS THE CONSUMER OF THE EXTENSION AND THE REASON FOR THE EXTENSION WITHIN THE INITIAL 45–DAY RESPONSE PERIOD. § 14–4605.(E)(2)(II) 2.] | Privacy protection for information and data | Preventive | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [IF A CONTROLLER DECLINES TO ACT REGARDING A CONSUMER'S REQUEST, THE CONTROLLER SHALL: PROVIDE INSTRUCTIONS FOR HOW TO APPEAL THE DECISION. § 14–4605.(E)(3)(II)] | Privacy protection for information and data | Preventive | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [NOT LATER THAN 60 DAYS AFTER RECEIVING AN APPEAL, A CONTROLLER SHALL INFORM THE CONSUMER IN WRITING OF ANY ACTION TAKEN OR NOT TAKEN IN RESPONSE TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF THE REASONS FOR THE DECISIONS. § 14–4605.(F)(3)] | Privacy protection for information and data | Preventive | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Preventive | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Enforce access restrictions for restricted data. CC ID 01921 [A PERSON MAY NOT: PROVIDE AN EMPLOYEE OR CONTRACTOR ACCESS TO CONSUMER HEALTH DATA UNLESS: § 14–4604.(1)] | Technical security | Preventive | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Corrective | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
| Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Preventive | |
| Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Corrective | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Preventive | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Preventive | |
| Destroy investigative materials, as necessary. CC ID 17082 | Operational management | Preventive | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Preventive | |
| Deliver notices to the intended parties. CC ID 06240 [THE NOTICE PROVIDED UNDER SUBSECTION (A) OF THIS SECTION SHALL BE PROVIDED IN A MANNER AND AT A TIME REASONABLY CALCULATED TO ALLOW A CONSUMER TO EXERCISE THE RIGHTS PROVIDED UNDER THIS SUBTITLE. § 14–4609.(B)] | Privacy protection for information and data | Preventive | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A CONSUMER SHALL HAVE THE RIGHT TO: IF A CONTROLLER IS PROCESSING A CONSUMER'S PERSONAL DATA, ACCESS THE CONSUMER'S PERSONAL DATA; § 14–4605.(B)(2)] | Privacy protection for information and data | Preventive | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Preventive | |
| Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 [A CONSUMER SHALL HAVE THE RIGHT TO: OBTAIN A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH THE CONTROLLER HAS DISCLOSED THE CONSUMER'S PERSONAL DATA OR A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH THE CONTROLLER HAS DISCLOSED ANY CONSUMER'S PERSONAL DATA IF THE CONTROLLER DOES NOT MAINTAIN THIS INFORMATION IN A FORMAT SPECIFIC TO THE CONSUMER; AND § 14–4605.(B)(6)] | Privacy protection for information and data | Preventive | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [A CONSUMER SHALL HAVE THE RIGHT TO: OPT OUT OF THE PROCESSING OF PERSONAL DATA FOR PURPOSES OF: TARGETED ADVERTISING; § 14–4605.(B)(7)(I) A CONSUMER SHALL HAVE THE RIGHT TO: OPT OUT OF THE PROCESSING OF PERSONAL DATA FOR PURPOSES OF: THE SALE OF PERSONAL DATA; OR § 14–4605.(B)(7)(II) A CONSUMER SHALL HAVE THE RIGHT TO: OPT OUT OF THE PROCESSING OF PERSONAL DATA FOR PURPOSES OF: PROFILING IN FURTHERANCE OF SOLELY AUTOMATED DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS CONCERNING THE CONSUMER. § 14–4605.(B)(7)(III) {be easy} A CONTROLLER SHALL: PROVIDE AN EFFECTIVE MECHANISM FOR A CONSUMER TO REVOKE THE CONSUMER'S CONSENT UNDER THIS SECTION THAT IS AT LEAST AS EASY AS THE MECHANISM BY WHICH THE CONSUMER PROVIDED THE CONSUMER'S CONSENT. § 14–4607.(B)(1)(III) A CONTROLLER MAY UTILIZE THE FOLLOWING METHODS TO SATISFY PARAGRAPH (1) OF THIS SUBSECTION: ON OR BEFORE OCTOBER 1, 2025, ALLOWING A CONSUMER TO OPT OUT OF ANY PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR ANY SALE OF PERSONAL DATA, THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT, WITH THE CONSUMER'S CONSENT, BY A PLATFORM, TECHNOLOGY, OR MECHANISM TO THE CONTROLLER INDICATING THE CONSUMER'S INTENT TO OPT OUT OF THE PROCESSING OR SALE. § 14–4607.(F)(3)(II)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 [{opt-out mechanism} {opt out} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION MAY NOT: USE A DEFAULT SETTING TO OPT A CONSUMER OUT OF ANY PROCESSING OF THE CONSUMER'S PERSONAL DATA. § 14–4607.(F)(5)(II) {be consistent} {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: BE AS CONSISTENT AS POSSIBLE WITH ANY OTHER SIMILAR PLATFORM, TECHNOLOGY, OR MECHANISM REQUIRED BY ANY FEDERAL OR STATE LAW OR REGULATION; § 14–4607.(F)(4)(III) {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: REQUIRE A CONSUMER TO MAKE AN AFFIRMATIVE, UNAMBIGUOUS, AND VOLUNTARY CHOICE IN ORDER TO OPT OUT OF ANY PROCESSING OF THE CONSUMER'S PERSONAL DATA. § 14–4607.(F)(4)(V) {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: ENABLE THE CONTROLLER TO REASONABLY DETERMINE WHETHER THE CONSUMER: HAS MADE A LEGITIMATE REQUEST TO OPT OUT OF ANY SALE OF THE CONSUMER'S PERSONAL DATA OR TARGETED ADVERTISING; AND § 14–4607.(F)(4)(IV) 2. {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: ENABLE THE CONTROLLER TO REASONABLY DETERMINE WHETHER THE CONSUMER: IS A RESIDENT OF THE STATE; AND § 14–4607.(F)(4)(IV) 1. {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION MAY NOT: UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER; OR § 14–4607.(F)(5)(I) {be easy to use} {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: BE CONSUMER–FRIENDLY AND EASY TO USE BY THE AVERAGE CONSUMER; § 14–4607.(F)(4)(I) {clear and conspicuous language} {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: USE CLEAR, EASY TO UNDERSTAND, AND UNAMBIGUOUS LANGUAGE; § 14–4607.(F)(4)(II)] | Privacy protection for information and data | Preventive | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Privacy protection for information and data | Preventive | |
| Refrain from obtaining consent through deception. CC ID 13556 | Privacy protection for information and data | Preventive | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 | Privacy protection for information and data | Preventive | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 [IF A CONSUMER'S DECISION TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR THE SALE OF PERSONAL DATA THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT IN ACCORDANCE WITH SUBSECTION (F)(3) OF THIS SECTION CONFLICTS WITH THE CONSUMER'S EXISTING CONTROLLER–SPECIFIC PRIVACY SETTING OR THE CONSUMER'S VOLUNTARY PARTICIPATION IN A CONTROLLER'S BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, THE CONTROLLER MAY NOTIFY THE CONSUMER OF A CONFLICT AND PROVIDE THE CHOICE TO CONFIRM CONTROLLER–SPECIFIC PRIVACY SETTINGS OR PARTICIPATION IN A PROGRAM LISTED IN THIS PARAGRAPH. § 14–4607.(G)(1)] | Privacy protection for information and data | Preventive | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Preventive | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Preventive | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Preventive | |
| Delay responding to data access requests, as necessary. CC ID 15504 [A CONTROLLER MAY EXTEND THE COMPLETION PERIOD BY AN ADDITIONAL 45 DAYS IF: IT IS REASONABLY NECESSARY TO COMPLETE THE REQUEST BASED ON THE COMPLEXITY AND NUMBER OF THE CONSUMER'S REQUESTS; AND § 14–4605.(E)(2)(II) 1.] | Privacy protection for information and data | Preventive | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Preventive | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Preventive | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [A CONTROLLER MAY NOT: PROCESS PERSONAL DATA IN VIOLATION OF STATE OR FEDERAL LAWS THAT PROHIBIT UNLAWFUL DISCRIMINATION; § 14–4607.(A)(3) A CONTROLLER MAY NOT: COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN, SEX, SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR: § 14–4607.(A)(7) A CONTROLLER MAY NOT: COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN, SEX, SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR: THE CONTROLLER'S DIVERSIFYING OF AN APPLICANT, PARTICIPANT, OR CUSTOMER POOL; OR § 14–4607.(A)(7)(II) A CONTROLLER MAY NOT: COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN, SEX, SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR: THE CONTROLLER'S SELF–TESTING TO PREVENT OR MITIGATE UNLAWFUL DISCRIMINATION; § 14–4607.(A)(7)(I) {be private} A CONTROLLER MAY NOT: COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN, SEX, SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR: A PRIVATE CLUB OR GROUP NOT OPEN TO THE PUBLIC, AS DESCRIBED IN § 201(E) OF THE CIVIL RIGHTS ACT OF 1964; OR § 14–4607.(A)(7)(III)] | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Preventive | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO: IMPOSE AN OBLIGATION ON A CONTROLLER OR A PROCESSOR THAT ADVERSELY AFFECTS THE RIGHTS OR FREEDOMS OF ANY PERSON, INCLUDING THE RIGHTS OF A PERSON TO FREEDOM OF SPEECH OR FREEDOM OF THE PRESS AS GUARANTEED IN THE FIRST AMENDMENT TO THE U.S. CONSTITUTION; OR § 14–4612.(E)(1) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY; OR § 14–4612.(B)(2)(II) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: EFFECTUATE A PRODUCT RECALL; § 14–4612.(B)(2)(I) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: PERFORM INTERNAL OPERATIONS THAT ARE: § 14–4612.(B)(2)(III)] | Privacy protection for information and data | Preventive | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Preventive | |
| Refrain from selling restricted data, as necessary. CC ID 17165 [A CONTROLLER MAY NOT: SELL SENSITIVE DATA; § 14–4607.(A)(2) {minor} A CONTROLLER MAY NOT: SELL THE PERSONAL DATA OF A CONSUMER IF THE CONTROLLER KNEW OR SHOULD HAVE KNOWN THAT THE CONSUMER IS UNDER THE AGE OF 18 YEARS; § 14–4607.(A)(5)] | Privacy protection for information and data | Preventive | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{be unfounded} {be excessive} {be infeasible} {be repetitive} IF REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE, A CONTROLLER MAY: DECLINE TO ACT ON THE REQUEST. § 14–4605.(E)(4)(II) 2.] | Privacy protection for information and data | Preventive | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [IF A CONTROLLER IS UNABLE TO AUTHENTICATE A REQUEST TO EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (B)(1) THROUGH (5) OF THIS SECTION USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER: SHALL PROVIDE NOTICE TO THE CONSUMER THAT THE CONTROLLER IS UNABLE TO AUTHENTICATE THE REQUEST TO EXERCISE THE RIGHT UNTIL THE CONSUMER PROVIDES ADDITIONAL INFORMATION REASONABLY NECESSARY TO AUTHENTICATE THE CONSUMER AND THE CONSUMER'S REQUEST TO EXERCISE THE CONSUMER'S RIGHTS. § 14–4605.(E)(5)(II)] | Privacy protection for information and data | Preventive | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Preventive | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [NOTHING IN THIS SECTION MAY BE CONSTRUED TO REQUIRE A CONTROLLER TO REVEAL A TRADE SECRET. § 14–4605.(A)] | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Preventive | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Preventive | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Preventive | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Preventive | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Detective | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Preventive | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Preventive | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Preventive | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [IF A CONTROLLER DECLINES TO ACT REGARDING A CONSUMER'S REQUEST, THE CONTROLLER SHALL: INFORM THE CONSUMER WITHOUT UNDUE DELAY, BUT NOT LATER THAN 45 DAYS AFTER RECEIVING THE REQUEST, OF THE JUSTIFICATION FOR DECLINING TO ACT; AND § 14–4605.(E)(3)(I) {be unfounded} {be excessive} {be infeasible} {be repetitive} IF REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE, A CONTROLLER MAY: THE CONTROLLER HAS THE BURDEN OF DEMONSTRATING THE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE NATURE OF THE REQUEST. § 14–4605.(E)(4)(III)] | Privacy protection for information and data | Preventive | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL DATA CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVILEGE UNDER STATE LAW AS PART OF A PRIVILEGED COMMUNICATION. § 14–4612.(C)(2)] | Privacy protection for information and data | Preventive | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Preventive | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Preventive | |
| Provide data at a cost that is not excessive. CC ID 00430 [A CONTROLLER SHALL PROVIDE INFORMATION TO A CONSUMER IN RESPONSE TO A CONSUMER'S REQUEST TO EXERCISE RIGHTS UNDER THIS SUBTITLE FREE OF CHARGE ONCE DURING ANY 12–MONTH PERIOD. § 14–4605.(E)(4)(I) {be unfounded} {be excessive} {be infeasible} {be repetitive} IF REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE, A CONTROLLER MAY: CHARGE THE CONSUMER A REASONABLE FEE TO COVER THE ADMINISTRATIVE COSTS OF COMPLYING WITH THE REQUEST; OR § 14–4605.(E)(4)(II) 1.] | Privacy protection for information and data | Preventive | |
| Provide records or data in a reasonable manner. CC ID 00431 [A CONSUMER SHALL HAVE THE RIGHT TO: IF THE PROCESSING OF PERSONAL DATA IS DONE BY AUTOMATIC MEANS, OBTAIN A COPY OF THE CONSUMER'S PERSONAL DATA PROCESSED BY THE CONTROLLER IN A PORTABLE AND, TO THE EXTENT TECHNICALLY FEASIBLE, READILY USABLE FORMAT THAT ALLOWS THE CONSUMER TO EASILY TRANSMIT THE DATA TO ANOTHER CONTROLLER WITHOUT HINDRANCE; § 14–4605.(B)(5)] | Privacy protection for information and data | Preventive | |
| Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Preventive | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Preventive | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Preventive | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Preventive | |
| Refrain from collecting personal data, as necessary. CC ID 15269 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED CONSUMER REQUEST WITH PERSONAL DATA. § 14–4611.(A)(3) A PERSON MAY NOT: USE A GEOFENCE TO ESTABLISH A VIRTUAL BOUNDARY THAT IS WITHIN 1,750 FEET OF ANY MENTAL HEALTH FACILITY OR REPRODUCTIVE OR SEXUAL HEALTH FACILITY FOR THE PURPOSE OF IDENTIFYING, TRACKING, COLLECTING DATA FROM, OR SENDING ANY NOTIFICATION TO A CONSUMER REGARDING THE CONSUMER'S CONSUMER HEALTH DATA. § 14–4604.(3)] | Privacy protection for information and data | Preventive | |
| Use personal data for specified purposes. CC ID 11831 [A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED COMPLIANT WITH THE CONSUMER'S REQUEST TO DELETE THE CONSUMER'S DATA IN ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THAT THE CONSUMER'S PERSONAL DATA: IS NOT BEING USED FOR ANY OTHER PURPOSE. § 14–4605.(E)(7)(II) {be adequate} {be relevant} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: MAY BE PROCESSED TO THE EXTENT THAT THE PROCESSING IS: ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS NECESSARY IN RELATION TO THE SPECIFIC PURPOSES LISTED IN THIS SECTION. § 14–4612.(G)(2)(II) {be necessary} {be proportionate} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: MAY BE PROCESSED TO THE EXTENT THAT THE PROCESSING IS: REASONABLY NECESSARY AND PROPORTIONATE TO THE PURPOSES LISTED IN THIS SECTION; AND § 14–4612.(G)(2)(I)] | Privacy protection for information and data | Preventive | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 [{be proportionate} A CONTROLLER SHALL: LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS REASONABLY NECESSARY AND PROPORTIONATE TO PROVIDE OR MAINTAIN A SPECIFIC PRODUCT OR SERVICE REQUESTED BY THE CONSUMER TO WHOM THE DATA PERTAINS; § 14–4607.(B)(1)(I)] | Privacy protection for information and data | Preventive | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY; OR § 14–4612.(B)(2)(II) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: EFFECTUATE A PRODUCT RECALL; § 14–4612.(B)(2)(I) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: PERFORM INTERNAL OPERATIONS THAT ARE: § 14–4612.(B)(2)(III)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: MAINTAIN DATA IN AN IDENTIFIABLE FORM; OR § 14–4611.(A)(2) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: RE–IDENTIFY DE–IDENTIFIED DATA; § 14–4611.(A)(1)] | Privacy protection for information and data | Preventive | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Preventive | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Preventive | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Preventive | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Preventive | |
| Change or destroy any personal data that is incorrect. CC ID 00462 [A CONSUMER SHALL HAVE THE RIGHT TO: CONSIDERING THE NATURE OF THE CONSUMER'S PERSONAL DATA AND THE PURPOSES OF THE PROCESSING OF THE PERSONAL DATA, CORRECT INACCURACIES IN THE CONSUMER'S PERSONAL DATA; § 14–4605.(B)(3)] | Privacy protection for information and data | Corrective | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Preventive | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Corrective | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Preventive | |
| Check the accuracy of restricted data. CC ID 00088 | Privacy protection for information and data | Preventive | |
| Check the data accuracy of new accounts. CC ID 04859 | Privacy protection for information and data | Preventive | |
| Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Privacy protection for information and data | Preventive | |
| Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Privacy protection for information and data | Preventive | |
| Correlate the applicant's social security number with their date of birth. CC ID 04864 | Privacy protection for information and data | Preventive | |
| Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Privacy protection for information and data | Preventive | |
| Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Privacy protection for information and data | Preventive | |
| Compare the applicant's address against known suspicious addresses. CC ID 04866 | Privacy protection for information and data | Preventive | |
| Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Privacy protection for information and data | Preventive | |
| Provide additional personal data when the application is incomplete. CC ID 04869 | Privacy protection for information and data | Preventive | |
| Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Privacy protection for information and data | Detective | |
| Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Privacy protection for information and data | Detective | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Detective | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Preventive | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
| Identify and define all critical roles. CC ID 00777 | Human Resources management | Preventive | |
| Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Preventive | |
| Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 | Operational management | Preventive | |
| Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Preventive | |
| Process restricted data lawfully and carefully. CC ID 00086 | Privacy protection for information and data | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 [AN OBLIGATION IMPOSED ON A CONTROLLER OR A PROCESSOR UNDER THIS SUBTITLE DOES NOT APPLY WHEN COMPLIANCE BY THE CONTROLLER OR PROCESSOR WITH THE SUBTITLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER STATE LAW. § 14–4612.(C)(1)] | Leadership and high level objectives | Preventive | |
| Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Preventive | |
| Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Leadership and high level objectives | Detective | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [IF A CONTROLLER OR PROCESSOR PROCESSES PERSONAL DATA IN ACCORDANCE WITH AN EXEMPTION UNDER THIS SECTION, THE CONTROLLER OR PROCESSOR SHALL DEMONSTRATE THAT THE PROCESSING: QUALIFIES FOR AN EXEMPTION; AND § 14–4612.(F)(1) IF A CONTROLLER OR PROCESSOR PROCESSES PERSONAL DATA IN ACCORDANCE WITH AN EXEMPTION UNDER THIS SECTION, THE CONTROLLER OR PROCESSOR SHALL DEMONSTRATE THAT THE PROCESSING: COMPLIES WITH THE REQUIREMENTS OF SUBSECTION (G) OF THIS SECTION. § 14–4612.(F)(2)] | Leadership and high level objectives | Preventive | |
| Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Preventive | |
| Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Monitoring and measurement | Preventive | |
| Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Preventive | |
| Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Preventive | |
| Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Preventive | |
| Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Preventive | |
| Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Preventive | |
| Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Preventive | |
| Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Preventive | |
| Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Preventive | |
| Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Preventive | |
| Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Preventive | |
| Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Preventive | |
| Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Preventive | |
| Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Preventive | |
| Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Preventive | |
| Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Preventive | |
| Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Preventive | |
| Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Preventive | |
| Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Preventive | |
| Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Preventive | |
| Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Preventive | |
| Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Preventive | |
| Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Preventive | |
| Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Preventive | |
| Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Preventive | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Monitoring and measurement | Preventive | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
| Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
| Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Preventive | |
| Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 [A DATA PROTECTION ASSESSMENT CONDUCTED IN ACCORDANCE WITH THIS SECTION SHALL IDENTIFY AND WEIGH THE BENEFITS THAT MAY FLOW DIRECTLY AND INDIRECTLY FROM THE PROCESSING TO THE CONTROLLER, THE CONSUMER, OTHER INTERESTED PARTIES, AND THE PUBLIC AGAINST: THE NECESSITY AND PROPORTIONALITY OF PROCESSING IN RELATION TO THE STATED PURPOSE OF THE PROCESSING. § 14–4610.(C)(1)(II)] | Audits and risk management | Preventive | |
| Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 [THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT: THE RELATIONSHIP BETWEEN THE CONTROLLER AND THE CONSUMER WHOSE PERSONAL DATA WILL BE PROCESSED. § 14–4610.(C)(2)(IV)] | Audits and risk management | Preventive | |
| Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [A DATA PROTECTION ASSESSMENT CONDUCTED IN ACCORDANCE WITH THIS SECTION SHALL IDENTIFY AND WEIGH THE BENEFITS THAT MAY FLOW DIRECTLY AND INDIRECTLY FROM THE PROCESSING TO THE CONTROLLER, THE CONSUMER, OTHER INTERESTED PARTIES, AND THE PUBLIC AGAINST: THE POTENTIAL RISKS TO THE RIGHTS OF THE CONSUMER ASSOCIATED WITH THE PROCESSING AS MITIGATED BY SAFEGUARDS THAT MAY BE EMPLOYED BY THE CONTROLLER TO REDUCE THESE RISKS; AND § 14–4610.(C)(1)(I)] | Audits and risk management | Preventive | |
| Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT: THE CONTEXT OF THE PROCESSING; AND § 14–4610.(C)(2)(III)] | Audits and risk management | Preventive | |
| Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 [THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT: THE REASONABLE EXPECTATIONS OF CONSUMERS; § 14–4610.(C)(2)(II)] | Audits and risk management | Preventive | |
| Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Preventive | |
| Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT: THE USE OF DE–IDENTIFIED DATA; § 14–4610.(C)(2)(I)] | Audits and risk management | Preventive | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Preventive | |
| Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [A CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT IN ACCORDANCE WITH § 14–4606 OF THIS SUBTITLE TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA UNDER SUBSECTION (B)(7) OF THIS SECTION ON BEHALF OF A CONSUMER. § 14–4605.(D)(1) A PARENT OR LEGAL GUARDIAN OF A CHILD MAY EXERCISE A CONSUMER RIGHT LISTED IN SUBSECTION (B) OF THIS SECTION ON THE CHILD'S BEHALF REGARDING THE PROCESSING OF PERSONAL DATA. § 14–4605.(D)(2) A GUARDIAN OR CONSERVATOR OF A CONSUMER SUBJECT TO A GUARDIANSHIP, CONSERVATORSHIP, OR OTHER PROTECTIVE ARRANGEMENT MAY EXERCISE A CONSUMER RIGHT LISTED IN SUBSECTION (B) OF THIS SECTION ON THE CONSUMER'S BEHALF REGARDING THE PROCESSING OF PERSONAL DATA. § 14–4605.(D)(3) A CONSUMER MAY DESIGNATE AN INDIVIDUAL TO SERVE AS THE CONSUMER'S AUTHORIZED AGENT AND ACT ON THE CONSUMER'S BEHALF TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR ONE OR MORE OF THE PURPOSES SPECIFIED IN § 14–4605(B)(7) OF THIS SUBTITLE. § 14–4606.(A)(1) A CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT BY AN INTERNET LINK OR A BROWSER SETTING, BROWSER EXTENSION, GLOBAL DEVICE SETTING, OR OTHER SIMILAR TECHNOLOGY, INDICATING A CONSUMER'S INTENT TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA. § 14–4606.(A)(2) A CONTROLLER SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED FROM AN AUTHORIZED AGENT IF, USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER IS ABLE TO AUTHENTICATE THE: AUTHORIZED AGENT'S AUTHORITY TO ACT ON THE CONSUMER'S BEHALF. § 14–4606.(B)(2)] | Technical security | Preventive | |
| Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Preventive | |
| Include termination procedures in the authorized representatives policy. CC ID 17226 | Technical security | Preventive | |
| Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Preventive | |
| Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Technical security | Preventive | |
| Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Preventive | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Preventive | |
| Establish, implement, and maintain an organizational website program. CC ID 14815 | Technical security | Preventive | |
| Establish, implement, and maintain a legal support program. CC ID 13710 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: INVESTIGATE, ESTABLISH, EXERCISE, PREPARE FOR, OR DEFEND A LEGAL CLAIM; § 14–4612.(A)(4) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Human Resources management | Preventive | |
| Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
| Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} A CONTROLLER SHALL: ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT ISSUE; AND § 14–4607.(B)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: REDUCE REASONABLY FORESEEABLE RISKS OF HARM TO CONSUMERS RELATING TO THE COLLECTION, USE, OR RETENTION OF PERSONAL DATA; AND § 14–4612.(G)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF THE PERSONAL DATA; AND § 14–4612.(G)(1)(I)] | Operational management | Preventive | |
| Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} A CONTROLLER SHALL: ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT ISSUE; AND § 14–4607.(B)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: REDUCE REASONABLY FORESEEABLE RISKS OF HARM TO CONSUMERS RELATING TO THE COLLECTION, USE, OR RETENTION OF PERSONAL DATA; AND § 14–4612.(G)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF THE PERSONAL DATA; AND § 14–4612.(G)(1)(I)] | Operational management | Preventive | |
| Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} A CONTROLLER SHALL: ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT ISSUE; AND § 14–4607.(B)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: REDUCE REASONABLY FORESEEABLE RISKS OF HARM TO CONSUMERS RELATING TO THE COLLECTION, USE, OR RETENTION OF PERSONAL DATA; AND § 14–4612.(G)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF THE PERSONAL DATA; AND § 14–4612.(G)(1)(I)] | Operational management | Preventive | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [A PERSON MAY NOT: PROVIDE AN EMPLOYEE OR CONTRACTOR ACCESS TO CONSUMER HEALTH DATA UNLESS: THE EMPLOYEE OR CONTRACTOR IS SUBJECT TO A CONTRACTUAL OR STATUTORY DUTY OF CONFIDENTIALITY; OR § 14–4604.(1)(I)] | Operational management | Preventive | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 [A PERSON MAY NOT: PROVIDE AN EMPLOYEE OR CONTRACTOR ACCESS TO CONSUMER HEALTH DATA UNLESS: CONFIDENTIALITY IS REQUIRED AS A CONDITION OF EMPLOYMENT OF THE EMPLOYEE; § 14–4604.(1)(II)] | Operational management | Preventive | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Preventive | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [CONTROLLERS AND PROCESSORS THAT COMPLY WITH THE VERIFIABLE PARENTAL CONSENT REQUIREMENTS OF COPPA SHALL BE CONSIDERED COMPLIANT WITH AN OBLIGATION TO OBTAIN PARENTAL CONSENT IN ACCORDANCE WITH THIS SUBTITLE WITH RESPECT TO A CONSUMER WHO IS A CHILD. § 14–4603.(C) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS OR REGULATIONS; § 14–4612.(A)(1) A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL DATA TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE IF THE PROCESSOR OR THIRD–PARTY CONTROLLER THAT RECEIVES THE PERSONAL DATA VIOLATES THIS SUBTITLE AND: THE DISCLOSING CONTROLLER WAS, AND REMAINED, IN COMPLIANCE WITH ITS OBLIGATIONS AS THE DISCLOSER OF THE PERSONAL DATA. § 14–4612.(D)(1)(II)] | Operational management | Preventive | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Preventive | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PRESERVE THE INTEGRITY OR SECURITY OF SYSTEMS; OR § 14–4612.(A)(10)] | Operational management | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Preventive | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Operational management | Preventive | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Operational management | Preventive | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Preventive | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Operational management | Preventive | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 | Operational management | Preventive | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Preventive | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Preventive | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Preventive | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Operational management | Preventive | |
| Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Operational management | Preventive | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Detective | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Preventive | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Preventive | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Preventive | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Preventive | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Detective | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Detective | |
| Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Corrective | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Preventive | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Preventive | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Corrective | |
| Include information required by law in incident response notifications. CC ID 00802 | Operational management | Detective | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Preventive | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Preventive | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Preventive | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Preventive | |
| Use plain language to write incident response notifications. CC ID 12976 | Operational management | Preventive | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Preventive | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Preventive | |
| Include time information in incident response notifications. CC ID 04745 | Operational management | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Preventive | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Preventive | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Preventive | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Preventive | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Preventive | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Preventive | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Preventive | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Preventive | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
| Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Preventive | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Preventive | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Preventive | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Detective | |
| Include contact information in incident response notifications. CC ID 04739 | Operational management | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Preventive | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Preventive | |
| Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Preventive | |
| Include response times in the containment strategy. CC ID 13485 | Operational management | Preventive | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Corrective | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Preventive | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Preventive | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Preventive | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Operational management | Preventive | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Operational management | Preventive | |
| Include incident management procedures in the Incident Management program. CC ID 12689 | Operational management | Preventive | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Corrective | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Preventive | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Operational management | Preventive | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Preventive | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Preventive | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Preventive | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Preventive | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Operational management | Preventive | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Operational management | Preventive | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Operational management | Preventive | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 | Operational management | Preventive | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
| Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Preventive | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Operational management | Detective | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Preventive | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Preventive | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Preventive | |
| Include the processing purpose in the privacy notice. CC ID 16543 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: THE CONTROLLER'S PURPOSE FOR PROCESSING PERSONAL DATA; § 14–4607.(D)(2)] | Privacy protection for information and data | Preventive | |
| Include contact information in the privacy notice. CC ID 14432 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: AN ACTIVE E–MAIL ADDRESS OR OTHER ONLINE MECHANISM THAT A CONSUMER MAY USE TO CONTACT THE CONTROLLER. § 14–4607.(D)(6)] | Privacy protection for information and data | Preventive | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: HOW A CONSUMER MAY EXERCISE THE CONSUMER'S RIGHTS UNDER THIS SUBTITLE, INCLUDING HOW A CONSUMER MAY APPEAL A CONTROLLER'S DECISION REGARDING THE CONSUMER'S REQUEST OR MAY REVOKE CONSENT; § 14–4607.(D)(3) THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT: § 14–4607.(F)(1)] | Privacy protection for information and data | Preventive | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Preventive | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: THE CATEGORIES OF THIRD PARTIES WITH WHICH THE CONTROLLER SHARES PERSONAL DATA WITH A LEVEL OF DETAIL THAT ENABLES A CONSUMER TO UNDERSTAND THE TYPE OF, BUSINESS MODEL OF, OR PROCESSING CONDUCTED BY EACH THIRD PARTY; § 14–4607.(D)(4)] | Privacy protection for information and data | Preventive | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: THE CATEGORIES OF PERSONAL DATA PROCESSED BY THE CONTROLLER, INCLUDING SENSITIVE DATA; § 14–4607.(D)(1)] | Privacy protection for information and data | Preventive | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: THE CATEGORIES OF PERSONAL DATA, INCLUDING SENSITIVE DATA, THAT THE CONTROLLER SHARES WITH THIRD PARTIES; AND § 14–4607.(D)(5)] | Privacy protection for information and data | Preventive | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Privacy protection for information and data | Preventive | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: HOW A CONSUMER MAY EXERCISE THE CONSUMER'S RIGHTS UNDER THIS SUBTITLE, INCLUDING HOW A CONSUMER MAY APPEAL A CONTROLLER'S DECISION REGARDING THE CONSUMER'S REQUEST OR MAY REVOKE CONSENT; § 14–4607.(D)(3)] | Privacy protection for information and data | Preventive | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Preventive | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: HOW A CONSUMER MAY EXERCISE THE CONSUMER'S RIGHTS UNDER THIS SUBTITLE, INCLUDING HOW A CONSUMER MAY APPEAL A CONTROLLER'S DECISION REGARDING THE CONSUMER'S REQUEST OR MAY REVOKE CONSENT; § 14–4607.(D)(3) IF A CONTROLLER SELLS PERSONAL DATA TO THIRD PARTIES OR PROCESSES PERSONAL DATA FOR TARGETED ADVERTISING OR FOR THE PURPOSES OF PROFILING THE CONSUMER IN FURTHERANCE OF DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS, THE CONTROLLER SHALL CLEARLY AND CONSPICUOUSLY DISCLOSE THE SALE OR PROCESSING, AS WELL AS THE MANNER IN WHICH A CONSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE SALE OR PROCESSING. § 14–4607.(E)(1)] | Privacy protection for information and data | Preventive | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Preventive | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A CONSUMER SHALL HAVE THE RIGHT TO: CONFIRM WHETHER A CONTROLLER IS PROCESSING THE CONSUMER'S PERSONAL DATA; § 14–4605.(B)(1) IF A CONTROLLER SELLS PERSONAL DATA TO THIRD PARTIES OR PROCESSES PERSONAL DATA FOR TARGETED ADVERTISING OR FOR THE PURPOSES OF PROFILING THE CONSUMER IN FURTHERANCE OF DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS, THE CONTROLLER SHALL CLEARLY AND CONSPICUOUSLY DISCLOSE THE SALE OR PROCESSING, AS WELL AS THE MANNER IN WHICH A CONSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE SALE OR PROCESSING. § 14–4607.(E)(1)] | Privacy protection for information and data | Preventive | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Preventive | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Privacy protection for information and data | Preventive | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 [{clear and conspicuous language} THE DISCLOSURE REQUIRED UNDER PARAGRAPH (1) OF THIS SUBSECTION SHALL BE PROMINENTLY DISPLAYED, AND USE CLEAR, EASY TO UNDERSTAND, AND UNAMBIGUOUS LANGUAGE, TO STATE WHETHER THE CONSUMER'S PERSONAL DATA WILL BE SOLD OR SHARED WITH A THIRD PARTY. § 14–4607.(E)(2)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [IF A CONSUMER'S DECISION TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR THE SALE OF PERSONAL DATA THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT IN ACCORDANCE WITH SUBSECTION (F)(3) OF THIS SECTION CONFLICTS WITH THE CONSUMER'S EXISTING CONTROLLER–SPECIFIC PRIVACY SETTING OR THE CONSUMER'S VOLUNTARY PARTICIPATION IN A CONTROLLER'S BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, THE CONTROLLER MAY NOTIFY THE CONSUMER OF A CONFLICT AND PROVIDE THE CHOICE TO CONFIRM CONTROLLER–SPECIFIC PRIVACY SETTINGS OR PARTICIPATION IN A PROGRAM LISTED IN THIS PARAGRAPH. § 14–4607.(G)(1)] | Privacy protection for information and data | Preventive | |
| Date the data subject's consent. CC ID 17233 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data request procedures. CC ID 16546 [A CONTROLLER SHALL ESTABLISH A SECURE AND RELIABLE METHOD FOR A CONSUMER TO EXERCISE A CONSUMER RIGHT UNDER THIS SECTION. § 14–4605.(C)(1) THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT: THE WAYS IN WHICH CONSUMERS NORMALLY INTERACT WITH THE CONTROLLER; § 14–4607.(F)(1)(I)] | Privacy protection for information and data | Preventive | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 | Privacy protection for information and data | Preventive | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Privacy protection for information and data | Preventive | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Privacy protection for information and data | Preventive | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Privacy protection for information and data | Preventive | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Privacy protection for information and data | Preventive | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Privacy protection for information and data | Preventive | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Privacy protection for information and data | Preventive | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Privacy protection for information and data | Preventive | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 | Privacy protection for information and data | Preventive | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [IF A CONTROLLER USES A PROCESSOR TO PROCESS THE PERSONAL DATA OF CONSUMERS, THE CONTROLLER AND THE PROCESSOR SHALL ENTER INTO A CONTRACT THAT GOVERNS THE PROCESSOR'S DATA PROCESSING PROCEDURES WITH RESPECT TO PROCESSING PERFORMED ON BEHALF OF THE CONTROLLER. § 14–4608.(A)(1) A PROCESSOR SHALL: ADHERE TO THE CONTRACT AND INSTRUCTIONS OF A CONTROLLER; § 14–4608.(B)(1) {data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: § 14–4608.(A)(2)] | Privacy protection for information and data | Preventive | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Preventive | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA IS SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO THE PERSONAL DATA; § 14–4608.(A)(3)(I)] | Privacy protection for information and data | Preventive | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Preventive | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [{data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: INSTRUCTIONS FOR PROCESSING DATA; § 14–4608.(A)(2)(I)] | Privacy protection for information and data | Preventive | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [{data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: THE NATURE AND PURPOSE OF PROCESSING; § 14–4608.(A)(2)(II)] | Privacy protection for information and data | Preventive | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [{data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: THE TYPE OF DATA SUBJECT TO PROCESSING; § 14–4608.(A)(2)(III)] | Privacy protection for information and data | Preventive | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 [{data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: THE DURATION OF PROCESSING; AND § 14–4608.(A)(2)(IV)] | Privacy protection for information and data | Preventive | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Preventive | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: ALLOW AND COOPERATE WITH REASONABLE ASSESSMENTS BY THE CONTROLLER, THE CONTROLLER'S DESIGNATED ASSESSOR, OR A QUALIFIED AND INDEPENDENT ASSESSOR ARRANGED FOR BY THE PROCESSOR TO ASSESS THE PROCESSOR'S POLICIES AND TECHNICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF THE OBLIGATIONS UNDER THIS SUBTITLE. § 14–4608.(A)(3)(VII) A PROCESSOR SHALL: PROVIDE NECESSARY INFORMATION TO ENABLE THE CONTROLLER TO CONDUCT AND DOCUMENT DATA PROTECTION ASSESSMENTS. § 14–4608.(B)(3)] | Privacy protection for information and data | Preventive | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: ON THE REASONABLE REQUEST OF THE CONTROLLER, MAKE AVAILABLE TO THE CONTROLLER ALL INFORMATION IN THE PROCESSOR'S POSSESSION NECESSARY TO DEMONSTRATE THE PROCESSOR'S COMPLIANCE WITH THE OBLIGATIONS IN THIS SUBTITLE; § 14–4608.(A)(3)(V) ON REQUEST, THE PROCESSOR SHALL PROVIDE A REPORT OF AN ASSESSMENT REQUIRED BY PARAGRAPH (3)(V) OF THIS SUBSECTION TO THE CONTROLLER. § 14–4608.(A)(4)(I)] | Privacy protection for information and data | Preventive | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [A PERSON MAY NOT: PROVIDE A PROCESSOR ACCESS TO CONSUMER HEALTH DATA UNLESS THE PERSON PROVIDING ACCESS TO THE CONSUMER HEALTH DATA AND THE PROCESSOR COMPLY WITH 14–4608 OF THIS SUBTITLE; OR § 14–4604.(2) {data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: STOP PROCESSING DATA ON REQUEST BY THE CONTROLLER MADE IN ACCORDANCE WITH A CONSUMER'S AUTHENTICATED REQUEST; § 14–4608.(A)(3)(III) A PROCESSOR SHALL: ASSIST THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING: § 14–4608.(B)(2) {data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES. § 14–4608.(A)(2)(V) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: ASSIST ANOTHER CONTROLLER, PROCESSOR, OR THIRD PARTY WITH AN OBLIGATION UNDER THIS SUBTITLE. § 14–4612.(A)(11)] | Privacy protection for information and data | Preventive | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: AT THE CONTROLLER'S DIRECTION, DELETE OR RETURN ALL PERSONAL DATA TO THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF SERVICE, UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW; § 14–4608.(A)(3)(IV)] | Privacy protection for information and data | Preventive | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Preventive | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Preventive | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [{not necessary} {be incompatible} A CONTROLLER MAY NOT: UNLESS THE CONTROLLER OBTAINS THE CONSUMER'S CONSENT, PROCESS PERSONAL DATA FOR A PURPOSE THAT IS NEITHER REASONABLY NECESSARY TO, NOR COMPATIBLE WITH, THE DISCLOSED PURPOSES FOR WHICH THE PERSONAL DATA IS PROCESSED, AS DISCLOSED TO THE CONSUMER. § 14–4607.(A)(8)] | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: TAKE IMMEDIATE STEPS TO PROTECT AN INTEREST THAT IS ESSENTIAL FOR THE LIFE OR PHYSICAL SAFETY OF A CONSUMER OR ANOTHER INDIVIDUAL AND WHEN THE PROCESSING CANNOT BE MANIFESTLY BASED ON ANOTHER LEGAL BASIS; § 14–4612.(A)(8)] | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Preventive | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED CONSUMER REQUEST WITH PERSONAL DATA. § 14–4611.(A)(3)] | Privacy protection for information and data | Preventive | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Preventive | |
| Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Preventive | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED COMPLIANT WITH THE CONSUMER'S REQUEST TO DELETE THE CONSUMER'S DATA IN ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THAT THE CONSUMER'S PERSONAL DATA: § 14–4605.(E)(7) A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED COMPLIANT WITH THE CONSUMER'S REQUEST TO DELETE THE CONSUMER'S DATA IN ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THAT THE CONSUMER'S PERSONAL DATA: REMAINS DELETED FROM THE CONTROLLER'S RECORDS; AND § 14–4605.(E)(7)(I) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED CONSUMER REQUEST WITH PERSONAL DATA. § 14–4611.(A)(3) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY; OR § 14–4612.(B)(2)(II) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: EFFECTUATE A PRODUCT RECALL; § 14–4612.(B)(2)(I) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: PERFORM INTERNAL OPERATIONS THAT ARE: § 14–4612.(B)(2)(III)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [IF A CONTROLLER DECLINES TO ACT REGARDING A CONSUMER'S REQUEST, THE CONTROLLER SHALL: INFORM THE CONSUMER WITHOUT UNDUE DELAY, BUT NOT LATER THAN 45 DAYS AFTER RECEIVING THE REQUEST, OF THE JUSTIFICATION FOR DECLINING TO ACT; AND § 14–4605.(E)(3)(I) IF A CONTROLLER IS UNABLE TO AUTHENTICATE A REQUEST TO EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (B)(1) THROUGH (5) OF THIS SECTION USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER: MAY NOT BE REQUIRED TO COMPLY WITH A REQUEST TO INITIATE AN ACTION IN ACCORDANCE WITH THIS SECTION; AND § 14–4605.(E)(5)(I) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER RIGHTS REQUEST IF THE CONTROLLER: DOES NOT SELL THE PERSONAL DATA TO A THIRD PARTY OR OTHERWISE VOLUNTARILY DISCLOSE THE PERSONAL DATA TO A THIRD PARTY OTHER THAN A PROCESSOR, EXCEPT AS OTHERWISE ALLOWED IN THIS SUBTITLE. § 14–4611.(B)(3) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER RIGHTS REQUEST IF THE CONTROLLER: DOES NOT USE THE PERSONAL DATA TO RECOGNIZE OR RESPOND TO THE SPECIFIC CONSUMER WHO IS THE SUBJECT OF THE PERSONAL DATA OR ASSOCIATE THE PERSONAL DATA WITH OTHER PERSONAL DATA ABOUT THE SAME SPECIFIC CONSUMER; AND § 14–4611.(B)(2)] | Privacy protection for information and data | Preventive | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
| Define the organization's liability based on the applicable law. CC ID 00504 [NOTHING IN THIS SECTION MAY BE CONSTRUED TO RELIEVE A CONTROLLER OR A PROCESSOR FROM THE LIABILITIES IMPOSED ON THE CONTROLLER OR PROCESSOR BY VIRTUE OF THE CONTROLLER'S OR PROCESSOR'S ROLE IN THE PROCESSING RELATIONSHIP IN ACCORDANCE WITH THIS SECTION. § 14–4608.(C) A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL DATA TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE IF THE PROCESSOR OR THIRD–PARTY CONTROLLER THAT RECEIVES THE PERSONAL DATA VIOLATES THIS SUBTITLE AND: AT THE TIME THE DISCLOSING CONTROLLER OR PROCESSOR DISCLOSED THE PERSONAL DATA, THE DISCLOSING CONTROLLER OR PROCESSOR DID NOT HAVE ACTUAL KNOWLEDGE THAT THE RECEIVING PROCESSOR OR THIRD–PARTY CONTROLLER WOULD VIOLATE THIS SUBTITLE; AND § 14–4612.(D)(1)(I) A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL DATA TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE IF THE PROCESSOR OR THIRD–PARTY CONTROLLER THAT RECEIVES THE PERSONAL DATA VIOLATES THIS SUBTITLE AND: § 14–4612.(D)(1)] | Privacy protection for information and data | Preventive | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Preventive | |
| Define the appeal process based on the applicable law. CC ID 00506 [A CONTROLLER SHALL ESTABLISH A PROCESS FOR A CONSUMER TO APPEAL THE CONTROLLER'S REFUSAL TO ACT ON A CONSUMER RIGHTS REQUEST WITHIN A REASONABLE PERIOD AFTER THE CONSUMER RECEIVES THE DECISION. § 14–4605.(F)(1) {be conspicuously available} THE APPEAL PROCESS SHALL BE: CONSPICUOUSLY AVAILABLE; AND § 14–4605.(F)(2)(I) {be similar} THE APPEAL PROCESS SHALL BE: SIMILAR TO THE PROCESS FOR SUBMITTING REQUESTS TO INITIATE AN ACTION IN ACCORDANCE WITH THIS SECTION. § 14–4605.(F)(2)(II)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT: THE ABILITY OF THE CONTROLLER TO VERIFY THE IDENTITY OF A CONSUMER MAKING THE REQUEST. § 14–4607.(F)(1)(III) A CONTROLLER MAY NOT BE REQUIRED TO AUTHENTICATE AN OPT–OUT REQUEST. § 14–4605.(E)(6)] | Privacy protection for information and data | Preventive | |
| Use documents for identification that do not appear altered or forged. CC ID 04860 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PERFORM UNDER A CONTRACT TO WHICH A CONSUMER IS A PARTY, INCLUDING FULFILLING THE TERMS OF A WRITTEN WARRANTY; § 14–4612.(A)(6) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: TAKE STEPS AT THE REQUEST OF A CONSUMER BEFORE ENTERING INTO A CONTRACT; § 14–4612.(A)(7)] | Third Party and supply chain oversight | Preventive | |
| Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Preventive | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Preventive | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [A THIRD–PARTY CONTROLLER OR PROCESSOR THAT RECEIVES PERSONAL DATA FROM A CONTROLLER OR PROCESSOR IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE FOR THE INDEPENDENT MISCONDUCT OF THE CONTROLLER OR PROCESSOR FROM WHICH THE THIRD–PARTY CONTROLLER OR PROCESSOR RECEIVED THE PERSONAL DATA. § 14–4612.(D)(2)] | Third Party and supply chain oversight | Detective | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Preventive | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Detective | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Detective | |
Human Resources Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Preventive | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Preventive | |
| Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Preventive | |
| Define and assign the data processor's roles and responsibilities. CC ID 12607 [A PROCESSOR SHALL: ASSIST THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING: BY APPROPRIATE TECHNICAL AND ORGANIZATIONAL MEASURES AS MUCH AS REASONABLY PRACTICABLE TO FULFILL THE CONTROLLER'S OBLIGATION TO RESPOND TO CONSUMER RIGHTS REQUESTS, CONSIDERING THE NATURE OF PROCESSING AND THE INFORMATION AVAILABLE TO THE PROCESSOR; AND § 14–4608.(B)(2)(I)] | Human Resources management | Preventive | |
| Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 [A PROCESSOR SHALL: ASSIST THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING: BY ASSISTING THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS IN RELATION TO THE SECURITY OF PROCESSING THE PERSONAL DATA AND IN RELATION TO THE NOTIFICATION OF A BREACH OF THE SECURITY OF A SYSTEM, AS DEFINED IN § 14–3504 OF THIS TITLE; AND § 14–4608.(B)(2)(II)] | Human Resources management | Preventive | |
| Establish, implement, and maintain an ethics program. CC ID 11496 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Human Resources management | Preventive | |
| Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Human Resources management | Preventive | |
| Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources management | Preventive | |
| Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources management | Preventive | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Operational management | Preventive | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Corrective | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [A CONTROLLER MAY NOT: DISCRIMINATE AGAINST A CONSUMER FOR EXERCISING A CONSUMER RIGHT CONTAINED IN THIS SUBTITLE, INCLUDING DENYING GOODS OR SERVICES, CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR SERVICES, OR PROVIDING A DIFFERENT LEVEL OF QUALITY OF GOODS OR SERVICES TO THE CONSUMER; § 14–4607.(A)(6)] | Privacy protection for information and data | Preventive | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: AFTER PROVIDING THE CONTROLLER AN OPPORTUNITY TO OBJECT, ENGAGE A SUBCONTRACTOR TO ASSIST WITH PROCESSING PERSONAL DATA ON THE CONTROLLER'S BEHALF ONLY IN ACCORDANCE WITH A WRITTEN CONTRACT THAT REQUIRES THE SUBCONTRACTOR TO MEET THE PROCESSOR'S OBLIGATIONS REGARDING THE PERSONAL DATA UNDER THE PROCESSOR'S CONTRACT WITH THE CONTROLLER; AND § 14–4608.(A)(3)(VI)] | Privacy protection for information and data | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Corrective | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Detective | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Human Resources management | Preventive | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Detective | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Detective | |
| Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Detective | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Preventive | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Detective | |
| Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Detective | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Detective | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Detective | |
Log Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Detective | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Corrective | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Preventive | |
| Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Preventive | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Corrective | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Preventive | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Preventive | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 | Monitoring and measurement | Detective | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A CONTROLLER THAT DISCLOSES DE–IDENTIFIED DATA SHALL: EXERCISE REASONABLE OVERSIGHT TO MONITOR COMPLIANCE WITH ANY CONTRACTUAL COMMITMENTS TO WHICH THE DE–IDENTIFIED DATA IS SUBJECT; AND § 14–4611.(C)(1)(I)] | Monitoring and measurement | Detective | |
| Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Preventive | |
| Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Human Resources management | Preventive | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Corrective | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Detective | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Detective | |
| Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Detective | |
| Escalate incidents, as necessary. CC ID 14861 | Operational management | Corrective | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Corrective | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Detective | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Preventive | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Corrective | |
| Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Preventive | |
| Correct compliance violations. CC ID 13515 [A CONTROLLER THAT DISCLOSES DE–IDENTIFIED DATA SHALL: TAKE APPROPRIATE STEPS TO ADDRESS ANY BREACHES OF ANY CONTRACTUAL COMMITMENTS. § 14–4611.(C)(1)(II) IF THE DIVISION ISSUES A NOTICE OF VIOLATION UNDER SUBSECTION (B) OF THIS SECTION, THE CONTROLLER OR PROCESSOR SHALL HAVE AT LEAST 60 DAYS TO CURE THE VIOLATION AFTER RECEIPT OF THE NOTICE. § 14–4614.(C)(1)] | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [AN ASSESSMENT CONDUCTED IN ACCORDANCE WITH PARAGRAPH (3)(V) OF THIS SUBSECTION SHALL BE CONDUCTED USING AN APPROPRIATE AND ACCEPTED CONTROL STANDARD OR FRAMEWORK AND ASSESSMENT PROCEDURE FOR THE ASSESSMENTS. § 14–4608.(A)(4)(II) A CONTROLLER SHALL CONDUCT AND DOCUMENT, ON A REGULAR BASIS, A DATA PROTECTION ASSESSMENT FOR EACH OF THE CONTROLLER'S PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO A CONSUMER, INCLUDING AN ASSESSMENT FOR EACH ALGORITHM THAT IS USED. § 14–4610.(B) {be similar} IF A CONTROLLER CONDUCTS A DATA PROTECTION ASSESSMENT FOR THE PURPOSE OF COMPLYING WITH ANOTHER APPLICABLE LAW OR REGULATION, THE DATA PROTECTION ASSESSMENT SHALL BE CONSIDERED TO SATISFY THE REQUIREMENTS ESTABLISHED IN THIS SECTION IF THE DATA PROTECTION ASSESSMENT IS REASONABLY SIMILAR IN SCOPE AND EFFECT TO THE DATA PROTECTION ASSESSMENT THAT WOULD OTHERWISE BE CONDUCTED IN ACCORDANCE WITH THIS SECTION. § 14–4610.(F) A SINGLE DATA PROTECTION ASSESSMENT MAY ADDRESS A COMPARABLE SET OF PROCESSING OPERATIONS THAT INCLUDE SIMILAR ACTIVITIES. § 14–4610.(E) A DATA PROTECTION ASSESSMENT CONDUCTED UNDER THIS SECTION: SHALL APPLY TO PROCESSING ACTIVITIES THAT OCCUR ON OR AFTER OCTOBER 1, 2025; AND § 14–4610.(H)(1)] | Audits and risk management | Preventive | |
| Post a clear and conspicuous link to consent web pages and consent forms on organizational websites. CC ID 16536 [A CONTROLLER MAY UTILIZE THE FOLLOWING METHODS TO SATISFY PARAGRAPH (1) OF THIS SUBSECTION: PROVIDING A CLEAR AND CONSPICUOUS LINK ON THE CONTROLLER'S WEBSITE TO A WEBPAGE THAT ALLOWS A CONSUMER, OR AN AUTHORIZED AGENT OF THE CONSUMER, TO OPT OUT OF THE TARGETED ADVERTISING OR THE SALE OF THE CONSUMER'S PERSONAL DATA; OR § 14–4607.(F)(3)(I)] | Technical security | Preventive | |
| Determine the cost of the incident when assessing security incidents. CC ID 17188 | Operational management | Detective | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 | Operational management | Detective | |
| Determine the duration of the incident when assessing security incidents. CC ID 17181 | Operational management | Detective | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Corrective | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Corrective | |
| Contain the incident to prevent further loss. CC ID 01751 | Operational management | Corrective | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
| Conduct incident investigations, as necessary. CC ID 13826 | Operational management | Detective | |
| Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Preventive | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Privacy protection for information and data | Preventive | |
| Allow data subjects to submit data requests. CC ID 16545 [A CONSUMER MAY EXERCISE A CONSUMER RIGHT UNDER THIS SECTION BY THE METHOD ESTABLISHED BY THE CONTROLLER UNDER PARAGRAPH (1) OF THIS SUBSECTION. § 14–4605.(C)(2)] | Privacy protection for information and data | Preventive | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Preventive | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER RIGHTS REQUEST IF THE CONTROLLER: IS NOT REASONABLY CAPABLE OF ASSOCIATING THE REQUEST WITH THE PERSONAL DATA OR IT WOULD BE UNREASONABLY BURDENSOME FOR THE CONTROLLER TO ASSOCIATE THE REQUEST WITH THE PERSONAL DATA; § 14–4611.(B)(1)] | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Preventive | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Preventive | |
| Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Preventive | |
| Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Preventive | |
| Interview appropriate parties to validate consumer information. CC ID 16902 | Privacy protection for information and data | Preventive | |
| Use contact methods specified by the consumer for identity verification. CC ID 16878 | Privacy protection for information and data | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Detective | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain consent web pages and consent forms in accordance with external requirements. CC ID 14816 | Technical security | Preventive | |
| Establish, implement, and maintain incident management audit logs. CC ID 13514 | Operational management | Preventive | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Privacy protection for information and data | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Privacy protection for information and data | Preventive | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A CONSUMER SHALL HAVE THE RIGHT TO: REQUIRE A CONTROLLER TO DELETE PERSONAL DATA PROVIDED BY, OR OBTAINED ABOUT, THE CONSUMER UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW; § 14–4605.(B)(4)] | Privacy protection for information and data | Preventive | |
Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Preventive | |
| Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Detective | |
Systems Design, Build, and Implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Preventive | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Control access rights to organizational assets. CC ID 00004 | Technical security | Preventive | |
| Categorize the incident following an incident response. CC ID 13208 | Operational management | Preventive | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Corrective | |
| Refrain from accessing compromised systems. CC ID 01752 | Operational management | Corrective | |
| Isolate compromised systems from the network. CC ID 01753 | Operational management | Corrective | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Corrective | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Corrective | |
| Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Corrective | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Operational management | Preventive | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Corrective | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Corrective | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Corrective | |
| Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 | Privacy protection for information and data | Preventive | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a system security plan. CC ID 01922 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PRESERVE THE INTEGRITY OR SECURITY OF SYSTEMS; OR § 14–4612.(A)(10)] | Monitoring and measurement | Preventive | |
| Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Detective | |
| Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Detective | |
| Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Detective | |
| Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Preventive | |
| Assess all incidents to determine what information was accessed. CC ID 01226 | Operational management | Corrective | |
| Test incident monitoring procedures. CC ID 13194 | Operational management | Detective | |
| Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Detective | |
| Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Privacy protection for information and data | Detective | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [{administrative data security practice} {technical data security practice} {data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA, CONSIDERING THE VOLUME AND NATURE OF THE PERSONAL DATA; § 14–4608.(A)(3)(II)] | Third Party and supply chain oversight | Detective | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Detective | |
| Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Detective | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Detective | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Detective | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Process or Activity | |
| Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Investigate | |
| Correct compliance violations. CC ID 13515 [A CONTROLLER THAT DISCLOSES DE–IDENTIFIED DATA SHALL: TAKE APPROPRIATE STEPS TO ADDRESS ANY BREACHES OF ANY CONTRACTUAL COMMITMENTS. § 14–4611.(C)(1)(II) IF THE DIVISION ISSUES A NOTICE OF VIOLATION UNDER SUBSECTION (B) OF THIS SECTION, THE CONTROLLER OR PROCESSOR SHALL HAVE AT LEAST 60 DAYS TO CURE THE VIOLATION AFTER RECEIPT OF THE NOTICE. § 14–4614.(C)(1)] | Monitoring and measurement | Process or Activity | |
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Monitoring and measurement | Behavior | |
| Respond to ethics complaints of ethics violations. CC ID 11497 | Human Resources management | Business Processes | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Monitor and Evaluate Occurrences | |
| Escalate incidents, as necessary. CC ID 14861 | Operational management | Monitor and Evaluate Occurrences | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Process or Activity | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Behavior | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Process or Activity | |
| Contain the incident to prevent further loss. CC ID 01751 | Operational management | Process or Activity | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Technical Security | |
| Refrain from accessing compromised systems. CC ID 01752 | Operational management | Technical Security | |
| Isolate compromised systems from the network. CC ID 01753 | Operational management | Technical Security | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Log Management | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Technical Security | |
| Assess all incidents to determine what information was accessed. CC ID 01226 | Operational management | Testing | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Monitor and Evaluate Occurrences | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Data and Information Management | |
| Share data loss event information with the media. CC ID 01759 | Operational management | Behavior | |
| Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Establish/Maintain Documentation | |
| Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Data and Information Management | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Behavior | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Behavior | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Establish/Maintain Documentation | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Behavior | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Behavior | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Behavior | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Behavior | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Behavior | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Behavior | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Establish/Maintain Documentation | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Technical Security | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Business Processes | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Human Resources Management | |
| Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Technical Security | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Establish/Maintain Documentation | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Log Management | |
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [A PROCESSOR SHALL: ASSIST THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING: BY ASSISTING THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS IN RELATION TO THE SECURITY OF PROCESSING THE PERSONAL DATA AND IN RELATION TO THE NOTIFICATION OF A BREACH OF THE SECURITY OF A SYSTEM, AS DEFINED IN § 14–3504 OF THIS TITLE; AND § 14–4608.(B)(2)(II)] | Operational management | Communicate | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Technical Security | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Technical Security | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Technical Security | |
| Disseminate private communications when required by law. CC ID 14335 | Privacy protection for information and data | Communicate | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
| Change or destroy any personal data that is incorrect. CC ID 00462 [A CONSUMER SHALL HAVE THE RIGHT TO: CONSIDERING THE NATURE OF THE CONSUMER'S PERSONAL DATA AND THE PURPOSES OF THE PROCESSING OF THE PERSONAL DATA, CORRECT INACCURACIES IN THE CONSUMER'S PERSONAL DATA; § 14–4605.(B)(3)] | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Behavior | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Data and Information Management | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTIGATION, SUBPOENA, OR SUMMONS BY A FEDERAL, STATE, LOCAL, OR OTHER GOVERNMENTAL AUTHORITY; § 14–4612.(A)(2) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: COOPERATE WITH LAW ENFORCEMENT AGENCIES CONCERNING CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONABLY AND IN GOOD FAITH BELIEVES MAY VIOLATE FEDERAL, STATE, OR LOCAL LAWS OR REGULATIONS; § 14–4612.(A)(3)] | Privacy protection for information and data | Business Processes | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Log Management | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Testing | |
| Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Testing | |
| Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Testing | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A CONTROLLER THAT DISCLOSES DE–IDENTIFIED DATA SHALL: EXERCISE REASONABLE OVERSIGHT TO MONITOR COMPLIANCE WITH ANY CONTRACTUAL COMMITMENTS TO WHICH THE DE–IDENTIFIED DATA IS SUBJECT; AND § 14–4611.(C)(1)(I)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Business Processes | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Investigate | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Investigate | |
| Provide security inspectors access to personnel files during site reviews. CC ID 12300 | Human Resources management | Audits and Risk Management | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Business Processes | |
| Determine the cost of the incident when assessing security incidents. CC ID 17188 | Operational management | Process or Activity | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 | Operational management | Process or Activity | |
| Determine the duration of the incident when assessing security incidents. CC ID 17181 | Operational management | Process or Activity | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Monitor and Evaluate Occurrences | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Monitor and Evaluate Occurrences | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Investigate | |
| Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Monitor and Evaluate Occurrences | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Establish/Maintain Documentation | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Investigate | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Establish/Maintain Documentation | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Establish/Maintain Documentation | |
| Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Investigate | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Behavior | |
| Avoid false positive incident response notifications. CC ID 04732 | Operational management | Behavior | |
| Include information required by law in incident response notifications. CC ID 00802 | Operational management | Establish/Maintain Documentation | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Establish/Maintain Documentation | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Monitor and Evaluate Occurrences | |
| Test incident monitoring procedures. CC ID 13194 | Operational management | Testing | |
| Conduct incident investigations, as necessary. CC ID 13826 | Operational management | Process or Activity | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Investigate | |
| Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Investigate | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Investigate | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Investigate | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Operational management | Establish/Maintain Documentation | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [A CONTROLLER MAY EXTEND THE COMPLETION PERIOD BY AN ADDITIONAL 45 DAYS IF: THE CONTROLLER INFORMS THE CONSUMER OF THE EXTENSION AND THE REASON FOR THE EXTENSION WITHIN THE INITIAL 45–DAY RESPONSE PERIOD. § 14–4605.(E)(2)(II) 2.] | Privacy protection for information and data | Behavior | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Behavior | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Data and Information Management | |
| Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Behavior | |
| Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Testing | |
| Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Privacy protection for information and data | Testing | |
| Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Privacy protection for information and data | Data and Information Management | |
| Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Privacy protection for information and data | Behavior | |
| Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Privacy protection for information and data | Data and Information Management | |
| Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Privacy protection for information and data | Business Processes | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [{administrative data security practice} {technical data security practice} {data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA, CONSIDERING THE VOLUME AND NATURE OF THE PERSONAL DATA; § 14–4608.(A)(3)(II)] | Third Party and supply chain oversight | Testing | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Testing | |
| Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Testing | |
| Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Systems Continuity | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Testing | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Data and Information Management | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Testing | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Process or Activity | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [A THIRD–PARTY CONTROLLER OR PROCESSOR THAT RECEIVES PERSONAL DATA FROM A CONTROLLER OR PROCESSOR IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE FOR THE INDEPENDENT MISCONDUCT OF THE CONTROLLER OR PROCESSOR FROM WHICH THE THIRD–PARTY CONTROLLER OR PROCESSOR RECEIVED THE PERSONAL DATA. § 14–4612.(D)(2)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 [AN OBLIGATION IMPOSED ON A CONTROLLER OR A PROCESSOR UNDER THIS SUBTITLE DOES NOT APPLY WHEN COMPLIANCE BY THE CONTROLLER OR PROCESSOR WITH THE SUBTITLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER STATE LAW. § 14–4612.(C)(1)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [IF A CONTROLLER OR PROCESSOR PROCESSES PERSONAL DATA IN ACCORDANCE WITH AN EXEMPTION UNDER THIS SECTION, THE CONTROLLER OR PROCESSOR SHALL DEMONSTRATE THAT THE PROCESSING: QUALIFIES FOR AN EXEMPTION; AND § 14–4612.(F)(1) IF A CONTROLLER OR PROCESSOR PROCESSES PERSONAL DATA IN ACCORDANCE WITH AN EXEMPTION UNDER THIS SECTION, THE CONTROLLER OR PROCESSOR SHALL DEMONSTRATE THAT THE PROCESSING: COMPLIES WITH THE REQUIREMENTS OF SUBSECTION (G) OF THIS SECTION. § 14–4612.(F)(2)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Leadership and high level objectives | Business Processes | |
| Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Establish Roles | |
| Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Leadership and high level objectives | Communicate | |
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Monitoring and measurement | Audits and Risk Management | |
| Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Monitoring and measurement | Establish/Maintain Documentation | |
| Implement a fraud detection system. CC ID 13081 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a system security plan. CC ID 01922 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PRESERVE THE INTEGRITY OR SECURITY OF SYSTEMS; OR § 14–4612.(A)(10)] | Monitoring and measurement | Testing | |
| Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Communicate | |
| Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Establish/Maintain Documentation | |
| Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Process or Activity | |
| Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Establish/Maintain Documentation | |
| Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation | |
| Approve the system security plan. CC ID 14241 | Monitoring and measurement | Business Processes | |
| Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Establish/Maintain Documentation | |
| Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Establish/Maintain Documentation | |
| Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Testing | |
| Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
| Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Human Resources Management | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Establish/Maintain Documentation | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Monitoring and measurement | Establish/Maintain Documentation | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Establish/Maintain Documentation | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Human Resources Management | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
| Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [AN ASSESSMENT CONDUCTED IN ACCORDANCE WITH PARAGRAPH (3)(V) OF THIS SUBSECTION SHALL BE CONDUCTED USING AN APPROPRIATE AND ACCEPTED CONTROL STANDARD OR FRAMEWORK AND ASSESSMENT PROCEDURE FOR THE ASSESSMENTS. § 14–4608.(A)(4)(II) A CONTROLLER SHALL CONDUCT AND DOCUMENT, ON A REGULAR BASIS, A DATA PROTECTION ASSESSMENT FOR EACH OF THE CONTROLLER'S PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO A CONSUMER, INCLUDING AN ASSESSMENT FOR EACH ALGORITHM THAT IS USED. § 14–4610.(B) {be similar} IF A CONTROLLER CONDUCTS A DATA PROTECTION ASSESSMENT FOR THE PURPOSE OF COMPLYING WITH ANOTHER APPLICABLE LAW OR REGULATION, THE DATA PROTECTION ASSESSMENT SHALL BE CONSIDERED TO SATISFY THE REQUIREMENTS ESTABLISHED IN THIS SECTION IF THE DATA PROTECTION ASSESSMENT IS REASONABLY SIMILAR IN SCOPE AND EFFECT TO THE DATA PROTECTION ASSESSMENT THAT WOULD OTHERWISE BE CONDUCTED IN ACCORDANCE WITH THIS SECTION. § 14–4610.(F) A SINGLE DATA PROTECTION ASSESSMENT MAY ADDRESS A COMPARABLE SET OF PROCESSING OPERATIONS THAT INCLUDE SIMILAR ACTIVITIES. § 14–4610.(E) A DATA PROTECTION ASSESSMENT CONDUCTED UNDER THIS SECTION: SHALL APPLY TO PROCESSING ACTIVITIES THAT OCCUR ON OR AFTER OCTOBER 1, 2025; AND § 14–4610.(H)(1)] | Audits and risk management | Process or Activity | |
| Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Establish/Maintain Documentation | |
| Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 [A DATA PROTECTION ASSESSMENT CONDUCTED IN ACCORDANCE WITH THIS SECTION SHALL IDENTIFY AND WEIGH THE BENEFITS THAT MAY FLOW DIRECTLY AND INDIRECTLY FROM THE PROCESSING TO THE CONTROLLER, THE CONSUMER, OTHER INTERESTED PARTIES, AND THE PUBLIC AGAINST: THE NECESSITY AND PROPORTIONALITY OF PROCESSING IN RELATION TO THE STATED PURPOSE OF THE PROCESSING. § 14–4610.(C)(1)(II)] | Audits and risk management | Establish/Maintain Documentation | |
| Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 [THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT: THE RELATIONSHIP BETWEEN THE CONTROLLER AND THE CONSUMER WHOSE PERSONAL DATA WILL BE PROCESSED. § 14–4610.(C)(2)(IV)] | Audits and risk management | Establish/Maintain Documentation | |
| Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [A DATA PROTECTION ASSESSMENT CONDUCTED IN ACCORDANCE WITH THIS SECTION SHALL IDENTIFY AND WEIGH THE BENEFITS THAT MAY FLOW DIRECTLY AND INDIRECTLY FROM THE PROCESSING TO THE CONTROLLER, THE CONSUMER, OTHER INTERESTED PARTIES, AND THE PUBLIC AGAINST: THE POTENTIAL RISKS TO THE RIGHTS OF THE CONSUMER ASSOCIATED WITH THE PROCESSING AS MITIGATED BY SAFEGUARDS THAT MAY BE EMPLOYED BY THE CONTROLLER TO REDUCE THESE RISKS; AND § 14–4610.(C)(1)(I)] | Audits and risk management | Establish/Maintain Documentation | |
| Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT: THE CONTEXT OF THE PROCESSING; AND § 14–4610.(C)(2)(III)] | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [THE DIVISION MAY REQUIRE THAT A CONTROLLER MAKE AVAILABLE TO THE DIVISION A DATA PROTECTION ASSESSMENT THAT IS RELEVANT TO AN INVESTIGATION CONDUCTED BY THE DIVISION. § 14–4610.(D)(1)] | Audits and risk management | Communicate | |
| Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 [THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT: THE REASONABLE EXPECTATIONS OF CONSUMERS; § 14–4610.(C)(2)(II)] | Audits and risk management | Establish/Maintain Documentation | |
| Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Establish/Maintain Documentation | |
| Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT: THE USE OF DE–IDENTIFIED DATA; § 14–4610.(C)(2)(I)] | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [A CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT IN ACCORDANCE WITH § 14–4606 OF THIS SUBTITLE TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA UNDER SUBSECTION (B)(7) OF THIS SECTION ON BEHALF OF A CONSUMER. § 14–4605.(D)(1) A PARENT OR LEGAL GUARDIAN OF A CHILD MAY EXERCISE A CONSUMER RIGHT LISTED IN SUBSECTION (B) OF THIS SECTION ON THE CHILD'S BEHALF REGARDING THE PROCESSING OF PERSONAL DATA. § 14–4605.(D)(2) A GUARDIAN OR CONSERVATOR OF A CONSUMER SUBJECT TO A GUARDIANSHIP, CONSERVATORSHIP, OR OTHER PROTECTIVE ARRANGEMENT MAY EXERCISE A CONSUMER RIGHT LISTED IN SUBSECTION (B) OF THIS SECTION ON THE CONSUMER'S BEHALF REGARDING THE PROCESSING OF PERSONAL DATA. § 14–4605.(D)(3) A CONSUMER MAY DESIGNATE AN INDIVIDUAL TO SERVE AS THE CONSUMER'S AUTHORIZED AGENT AND ACT ON THE CONSUMER'S BEHALF TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR ONE OR MORE OF THE PURPOSES SPECIFIED IN § 14–4605(B)(7) OF THIS SUBTITLE. § 14–4606.(A)(1) A CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT BY AN INTERNET LINK OR A BROWSER SETTING, BROWSER EXTENSION, GLOBAL DEVICE SETTING, OR OTHER SIMILAR TECHNOLOGY, INDICATING A CONSUMER'S INTENT TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA. § 14–4606.(A)(2) A CONTROLLER SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED FROM AN AUTHORIZED AGENT IF, USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER IS ABLE TO AUTHENTICATE THE: AUTHORIZED AGENT'S AUTHORITY TO ACT ON THE CONSUMER'S BEHALF. § 14–4606.(B)(2)] | Technical security | Establish/Maintain Documentation | |
| Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Establish/Maintain Documentation | |
| Include termination procedures in the authorized representatives policy. CC ID 17226 | Technical security | Establish/Maintain Documentation | |
| Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Establish/Maintain Documentation | |
| Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Technical security | Establish/Maintain Documentation | |
| Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Establish/Maintain Documentation | |
| Control access rights to organizational assets. CC ID 00004 | Technical security | Technical Security | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
| Enforce access restrictions for restricted data. CC ID 01921 [A PERSON MAY NOT: PROVIDE AN EMPLOYEE OR CONTRACTOR ACCESS TO CONSUMER HEALTH DATA UNLESS: § 14–4604.(1)] | Technical security | Data and Information Management | |
| Establish, implement, and maintain an organizational website program. CC ID 14815 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain consent web pages and consent forms in accordance with external requirements. CC ID 14816 | Technical security | Records Management | |
| Post a clear and conspicuous link to consent web pages and consent forms on organizational websites. CC ID 16536 [A CONTROLLER MAY UTILIZE THE FOLLOWING METHODS TO SATISFY PARAGRAPH (1) OF THIS SUBSECTION: PROVIDING A CLEAR AND CONSPICUOUS LINK ON THE CONTROLLER'S WEBSITE TO A WEBPAGE THAT ALLOWS A CONSUMER, OR AN AUTHORIZED AGENT OF THE CONSUMER, TO OPT OUT OF THE TARGETED ADVERTISING OR THE SALE OF THE CONSUMER'S PERSONAL DATA; OR § 14–4607.(F)(3)(I)] | Technical security | Process or Activity | |
| Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Human Resources Management | |
| Identify and define all critical roles. CC ID 00777 | Human Resources management | Establish Roles | |
| Define and assign the data processor's roles and responsibilities. CC ID 12607 [A PROCESSOR SHALL: ASSIST THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING: BY APPROPRIATE TECHNICAL AND ORGANIZATIONAL MEASURES AS MUCH AS REASONABLY PRACTICABLE TO FULFILL THE CONTROLLER'S OBLIGATION TO RESPOND TO CONSUMER RIGHTS REQUESTS, CONSIDERING THE NATURE OF PROCESSING AND THE INFORMATION AVAILABLE TO THE PROCESSOR; AND § 14–4608.(B)(2)(I)] | Human Resources management | Human Resources Management | |
| Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 [A PROCESSOR SHALL: ASSIST THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING: BY ASSISTING THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS IN RELATION TO THE SECURITY OF PROCESSING THE PERSONAL DATA AND IN RELATION TO THE NOTIFICATION OF A BREACH OF THE SECURITY OF A SYSTEM, AS DEFINED IN § 14–3504 OF THIS TITLE; AND § 14–4608.(B)(2)(II)] | Human Resources management | Human Resources Management | |
| Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Communicate | |
| Establish, implement, and maintain a legal support program. CC ID 13710 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: INVESTIGATE, ESTABLISH, EXERCISE, PREPARE FOR, OR DEFEND A LEGAL CLAIM; § 14–4612.(A)(4) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an ethics program. CC ID 11496 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Human Resources management | Human Resources Management | |
| Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Human Resources management | Communicate | |
| Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Human Resources management | Behavior | |
| Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Human Resources management | Investigate | |
| Establish, implement, and maintain an ethical culture. CC ID 12781 | Human Resources management | Behavior | |
| Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Monitor and Evaluate Occurrences | |
| Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Human Resources management | Monitor and Evaluate Occurrences | |
| Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Business Processes | |
| Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Human Resources management | Business Processes | |
| Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Communicate | |
| Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Establish/Maintain Documentation | |
| Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 | Human Resources management | Behavior | |
| Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Human Resources management | Behavior | |
| Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Human Resources management | Behavior | |
| Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Human Resources management | Human Resources Management | |
| Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources management | Human Resources Management | |
| Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources management | Human Resources Management | |
| Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Establish Roles | |
| Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Behavior | |
| Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Behavior | |
| Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Behavior | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
| Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} A CONTROLLER SHALL: ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT ISSUE; AND § 14–4607.(B)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: REDUCE REASONABLY FORESEEABLE RISKS OF HARM TO CONSUMERS RELATING TO THE COLLECTION, USE, OR RETENTION OF PERSONAL DATA; AND § 14–4612.(G)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF THE PERSONAL DATA; AND § 14–4612.(G)(1)(I)] | Operational management | Establish/Maintain Documentation | |
| Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} A CONTROLLER SHALL: ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT ISSUE; AND § 14–4607.(B)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: REDUCE REASONABLY FORESEEABLE RISKS OF HARM TO CONSUMERS RELATING TO THE COLLECTION, USE, OR RETENTION OF PERSONAL DATA; AND § 14–4612.(G)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF THE PERSONAL DATA; AND § 14–4612.(G)(1)(I)] | Operational management | Establish/Maintain Documentation | |
| Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} A CONTROLLER SHALL: ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT ISSUE; AND § 14–4607.(B)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: REDUCE REASONABLY FORESEEABLE RISKS OF HARM TO CONSUMERS RELATING TO THE COLLECTION, USE, OR RETENTION OF PERSONAL DATA; AND § 14–4612.(G)(1)(II) {administrative measure} {technical measure} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO: PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF THE PERSONAL DATA; AND § 14–4612.(G)(1)(I)] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [A PERSON MAY NOT: PROVIDE AN EMPLOYEE OR CONTRACTOR ACCESS TO CONSUMER HEALTH DATA UNLESS: THE EMPLOYEE OR CONTRACTOR IS SUBJECT TO A CONTRACTUAL OR STATUTORY DUTY OF CONFIDENTIALITY; OR § 14–4604.(1)(I)] | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 [A PERSON MAY NOT: PROVIDE AN EMPLOYEE OR CONTRACTOR ACCESS TO CONSUMER HEALTH DATA UNLESS: CONFIDENTIALITY IS REQUIRED AS A CONDITION OF EMPLOYMENT OF THE EMPLOYEE; § 14–4604.(1)(II)] | Operational management | Establish/Maintain Documentation | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [CONTROLLERS AND PROCESSORS THAT COMPLY WITH THE VERIFIABLE PARENTAL CONSENT REQUIREMENTS OF COPPA SHALL BE CONSIDERED COMPLIANT WITH AN OBLIGATION TO OBTAIN PARENTAL CONSENT IN ACCORDANCE WITH THIS SUBTITLE WITH RESPECT TO A CONSUMER WHO IS A CHILD. § 14–4603.(C) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS OR REGULATIONS; § 14–4612.(A)(1) A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL DATA TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE IF THE PROCESSOR OR THIRD–PARTY CONTROLLER THAT RECEIVES THE PERSONAL DATA VIOLATES THIS SUBTITLE AND: THE DISCLOSING CONTROLLER WAS, AND REMAINED, IN COMPLIANCE WITH ITS OBLIGATIONS AS THE DISCLOSER OF THE PERSONAL DATA. § 14–4612.(D)(1)(II)] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Business Processes | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Establish/Maintain Documentation | |
| Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PRESERVE THE INTEGRITY OR SECURITY OF SYSTEMS; OR § 14–4612.(A)(10)] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Operational management | Business Processes | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Communicate | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Operational management | Human Resources Management | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Operational management | Establish/Maintain Documentation | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Operational management | Establish/Maintain Documentation | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Establish/Maintain Documentation | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Operational management | Establish/Maintain Documentation | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 | Operational management | Establish/Maintain Documentation | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Establish/Maintain Documentation | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Establish/Maintain Documentation | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Establish/Maintain Documentation | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY; § 14–4612.(A)(9)] | Operational management | Establish/Maintain Documentation | |
| Categorize the incident following an incident response. CC ID 13208 | Operational management | Technical Security | |
| Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Operational management | Establish/Maintain Documentation | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Establish/Maintain Documentation | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Establish/Maintain Documentation | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Establish/Maintain Documentation | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Establish/Maintain Documentation | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
| Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Data and Information Management | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
| Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Business Processes | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Establish/Maintain Documentation | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Establish/Maintain Documentation | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Establish/Maintain Documentation | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Establish/Maintain Documentation | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Establish/Maintain Documentation | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Establish/Maintain Documentation | |
| Use plain language to write incident response notifications. CC ID 12976 | Operational management | Establish/Maintain Documentation | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Establish/Maintain Documentation | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Establish/Maintain Documentation | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Establish/Maintain Documentation | |
| Include time information in incident response notifications. CC ID 04745 | Operational management | Establish/Maintain Documentation | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Establish/Maintain Documentation | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Establish/Maintain Documentation | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Establish/Maintain Documentation | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Establish/Maintain Documentation | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Establish/Maintain Documentation | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Establish/Maintain Documentation | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Establish/Maintain Documentation | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Establish/Maintain Documentation | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Establish/Maintain Documentation | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
| Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Establish/Maintain Documentation | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Establish/Maintain Documentation | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Establish/Maintain Documentation | |
| Include contact information in incident response notifications. CC ID 04739 | Operational management | Establish/Maintain Documentation | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Behavior | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Establish/Maintain Documentation | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Behavior | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Behavior | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Establish/Maintain Documentation | |
| Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Establish/Maintain Documentation | |
| Include response times in the containment strategy. CC ID 13485 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Establish/Maintain Documentation | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Data and Information Management | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Data and Information Management | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Establish/Maintain Documentation | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Establish/Maintain Documentation | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Monitor and Evaluate Occurrences | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Investigate | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Operational management | Establish/Maintain Documentation | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Operational management | Establish/Maintain Documentation | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Operational management | Technical Security | |
| Include incident management procedures in the Incident Management program. CC ID 12689 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Establish/Maintain Documentation | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Establish/Maintain Documentation | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Establish/Maintain Documentation | |
| Destroy investigative materials, as necessary. CC ID 17082 | Operational management | Data and Information Management | |
| Establish, implement, and maintain incident management audit logs. CC ID 13514 | Operational management | Records Management | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Establish/Maintain Documentation | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Log Management | |
| Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Log Management | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Establish/Maintain Documentation | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Log Management | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Operational management | Establish/Maintain Documentation | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Operational management | Establish/Maintain Documentation | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Operational management | Establish/Maintain Documentation | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Operational management | Communicate | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
| Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Establish/Maintain Documentation | |
| Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 | Operational management | Establish Roles | |
| Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Establish Roles | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Establish/Maintain Documentation | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Establish/Maintain Documentation | |
| Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Refrain from providing products and services, as necessary. CC ID 15580 [NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE CONSTRUED TO: REQUIRE A CONTROLLER TO PROVIDE A PRODUCT OR SERVICE THAT REQUIRES THE PERSONAL DATA OF A CONSUMER THAT THE CONTROLLER DOES NOT COLLECT OR MAINTAIN; OR § 14–4607.(C)(1)] | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Data and Information Management | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the processing purpose in the privacy notice. CC ID 16543 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: THE CONTROLLER'S PURPOSE FOR PROCESSING PERSONAL DATA; § 14–4607.(D)(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include contact information in the privacy notice. CC ID 14432 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: AN ACTIVE E–MAIL ADDRESS OR OTHER ONLINE MECHANISM THAT A CONSUMER MAY USE TO CONTACT THE CONTROLLER. § 14–4607.(D)(6)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: HOW A CONSUMER MAY EXERCISE THE CONSUMER'S RIGHTS UNDER THIS SUBTITLE, INCLUDING HOW A CONSUMER MAY APPEAL A CONTROLLER'S DECISION REGARDING THE CONSUMER'S REQUEST OR MAY REVOKE CONSENT; § 14–4607.(D)(3) THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT: § 14–4607.(F)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: THE CATEGORIES OF THIRD PARTIES WITH WHICH THE CONTROLLER SHARES PERSONAL DATA WITH A LEVEL OF DETAIL THAT ENABLES A CONSUMER TO UNDERSTAND THE TYPE OF, BUSINESS MODEL OF, OR PROCESSING CONDUCTED BY EACH THIRD PARTY; § 14–4607.(D)(4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: THE CATEGORIES OF PERSONAL DATA PROCESSED BY THE CONTROLLER, INCLUDING SENSITIVE DATA; § 14–4607.(D)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: THE CATEGORIES OF PERSONAL DATA, INCLUDING SENSITIVE DATA, THAT THE CONTROLLER SHARES WITH THIRD PARTIES; AND § 14–4607.(D)(5)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: HOW A CONSUMER MAY EXERCISE THE CONSUMER'S RIGHTS UNDER THIS SUBTITLE, INCLUDING HOW A CONSUMER MAY APPEAL A CONTROLLER'S DECISION REGARDING THE CONSUMER'S REQUEST OR MAY REVOKE CONSENT; § 14–4607.(D)(3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: § 14–4607.(D)] | Privacy protection for information and data | Communicate | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 [A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES: HOW A CONSUMER MAY EXERCISE THE CONSUMER'S RIGHTS UNDER THIS SUBTITLE, INCLUDING HOW A CONSUMER MAY APPEAL A CONTROLLER'S DECISION REGARDING THE CONSUMER'S REQUEST OR MAY REVOKE CONSENT; § 14–4607.(D)(3) IF A CONTROLLER SELLS PERSONAL DATA TO THIRD PARTIES OR PROCESSES PERSONAL DATA FOR TARGETED ADVERTISING OR FOR THE PURPOSES OF PROFILING THE CONSUMER IN FURTHERANCE OF DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS, THE CONTROLLER SHALL CLEARLY AND CONSPICUOUSLY DISCLOSE THE SALE OR PROCESSING, AS WELL AS THE MANNER IN WHICH A CONSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE SALE OR PROCESSING. § 14–4607.(E)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Privacy protection for information and data | Communicate | |
| Deliver notices to the intended parties. CC ID 06240 [THE NOTICE PROVIDED UNDER SUBSECTION (A) OF THIS SECTION SHALL BE PROVIDED IN A MANNER AND AT A TIME REASONABLY CALCULATED TO ALLOW A CONSUMER TO EXERCISE THE RIGHTS PROVIDED UNDER THIS SUBTITLE. § 14–4609.(B)] | Privacy protection for information and data | Data and Information Management | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER RIGHTS REQUEST IF THE CONTROLLER: IS NOT REASONABLY CAPABLE OF ASSOCIATING THE REQUEST WITH THE PERSONAL DATA OR IT WOULD BE UNREASONABLY BURDENSOME FOR THE CONTROLLER TO ASSOCIATE THE REQUEST WITH THE PERSONAL DATA; § 14–4611.(B)(1)] | Privacy protection for information and data | Communicate | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A CONSUMER SHALL HAVE THE RIGHT TO: IF A CONTROLLER IS PROCESSING A CONSUMER'S PERSONAL DATA, ACCESS THE CONSUMER'S PERSONAL DATA; § 14–4605.(B)(2)] | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 [A CONTROLLER MAY NOT REQUIRE A CONSUMER TO CREATE A NEW ACCOUNT IN ORDER TO EXERCISE A CONSUMER RIGHT. § 14–4607.(F)(2)(I) A CONTROLLER MAY REQUIRE A CONSUMER TO USE AN EXISTING ACCOUNT TO EXERCISE A CONSUMER RIGHT. § 14–4607.(F)(2)(II)] | Privacy protection for information and data | Business Processes | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Business Processes | |
| Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A CONSUMER SHALL HAVE THE RIGHT TO: CONFIRM WHETHER A CONTROLLER IS PROCESSING THE CONSUMER'S PERSONAL DATA; § 14–4605.(B)(1) IF A CONTROLLER SELLS PERSONAL DATA TO THIRD PARTIES OR PROCESSES PERSONAL DATA FOR TARGETED ADVERTISING OR FOR THE PURPOSES OF PROFILING THE CONSUMER IN FURTHERANCE OF DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS, THE CONTROLLER SHALL CLEARLY AND CONSPICUOUSLY DISCLOSE THE SALE OR PROCESSING, AS WELL AS THE MANNER IN WHICH A CONSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE SALE OR PROCESSING. § 14–4607.(E)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Data and Information Management | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 [{clear and conspicuous language} THE DISCLOSURE REQUIRED UNDER PARAGRAPH (1) OF THIS SUBSECTION SHALL BE PROMINENTLY DISPLAYED, AND USE CLEAR, EASY TO UNDERSTAND, AND UNAMBIGUOUS LANGUAGE, TO STATE WHETHER THE CONSUMER'S PERSONAL DATA WILL BE SOLD OR SHARED WITH A THIRD PARTY. § 14–4607.(E)(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 [A CONSUMER SHALL HAVE THE RIGHT TO: OBTAIN A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH THE CONTROLLER HAS DISCLOSED THE CONSUMER'S PERSONAL DATA OR A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH THE CONTROLLER HAS DISCLOSED ANY CONSUMER'S PERSONAL DATA IF THE CONTROLLER DOES NOT MAINTAIN THIS INFORMATION IN A FORMAT SPECIFIC TO THE CONSUMER; AND § 14–4605.(B)(6)] | Privacy protection for information and data | Data and Information Management | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 [THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT: THE NEED FOR SECURE AND RELIABLE COMMUNICATION OF CONSUMER REQUESTS; AND § 14–4607.(F)(1)(II)] | Privacy protection for information and data | Business Processes | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [IF A CONSUMER'S DECISION TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR THE SALE OF PERSONAL DATA THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT IN ACCORDANCE WITH SUBSECTION (F)(3) OF THIS SECTION CONFLICTS WITH THE CONSUMER'S EXISTING CONTROLLER–SPECIFIC PRIVACY SETTING OR THE CONSUMER'S VOLUNTARY PARTICIPATION IN A CONTROLLER'S BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, THE CONTROLLER MAY NOTIFY THE CONSUMER OF A CONFLICT AND PROVIDE THE CHOICE TO CONFIRM CONTROLLER–SPECIFIC PRIVACY SETTINGS OR PARTICIPATION IN A PROGRAM LISTED IN THIS PARAGRAPH. § 14–4607.(G)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide a copy of the data subject's consent to the data subject. CC ID 17234 | Privacy protection for information and data | Communicate | |
| Date the data subject's consent. CC ID 17233 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data request procedures. CC ID 16546 [A CONTROLLER SHALL ESTABLISH A SECURE AND RELIABLE METHOD FOR A CONSUMER TO EXERCISE A CONSUMER RIGHT UNDER THIS SECTION. § 14–4605.(C)(1) THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT: THE WAYS IN WHICH CONSUMERS NORMALLY INTERACT WITH THE CONTROLLER; § 14–4607.(F)(1)(I)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [A CONTROLLER MAY NOT: DISCRIMINATE AGAINST A CONSUMER FOR EXERCISING A CONSUMER RIGHT CONTAINED IN THIS SUBTITLE, INCLUDING DENYING GOODS OR SERVICES, CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR SERVICES, OR PROVIDING A DIFFERENT LEVEL OF QUALITY OF GOODS OR SERVICES TO THE CONSUMER; § 14–4607.(A)(6)] | Privacy protection for information and data | Human Resources Management | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Privacy protection for information and data | Business Processes | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{be different} NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE CONSTRUED TO: PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT PRICE, RATE, LEVEL, QUALITY, OR SELECTION OF GOODS OR SERVICES TO A CONSUMER, INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE OFFERING IS IN CONNECTION WITH A CONSUMER'S VOLUNTARY PARTICIPATION IN A BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, PROVIDED THAT THE SELLING OF PERSONAL DATA IS NOT A CONDITION OF PARTICIPATION IN THE PROGRAM. § 14–4607.(C)(2)] | Privacy protection for information and data | Business Processes | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 [{be different} NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE CONSTRUED TO: PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT PRICE, RATE, LEVEL, QUALITY, OR SELECTION OF GOODS OR SERVICES TO A CONSUMER, INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE OFFERING IS IN CONNECTION WITH A CONSUMER'S VOLUNTARY PARTICIPATION IN A BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, PROVIDED THAT THE SELLING OF PERSONAL DATA IS NOT A CONDITION OF PARTICIPATION IN THE PROGRAM. § 14–4607.(C)(2)] | Privacy protection for information and data | Business Processes | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [A CONSUMER SHALL HAVE THE RIGHT TO: OPT OUT OF THE PROCESSING OF PERSONAL DATA FOR PURPOSES OF: TARGETED ADVERTISING; § 14–4605.(B)(7)(I) A CONSUMER SHALL HAVE THE RIGHT TO: OPT OUT OF THE PROCESSING OF PERSONAL DATA FOR PURPOSES OF: THE SALE OF PERSONAL DATA; OR § 14–4605.(B)(7)(II) A CONSUMER SHALL HAVE THE RIGHT TO: OPT OUT OF THE PROCESSING OF PERSONAL DATA FOR PURPOSES OF: PROFILING IN FURTHERANCE OF SOLELY AUTOMATED DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS CONCERNING THE CONSUMER. § 14–4605.(B)(7)(III) {be easy} A CONTROLLER SHALL: PROVIDE AN EFFECTIVE MECHANISM FOR A CONSUMER TO REVOKE THE CONSUMER'S CONSENT UNDER THIS SECTION THAT IS AT LEAST AS EASY AS THE MECHANISM BY WHICH THE CONSUMER PROVIDED THE CONSUMER'S CONSENT. § 14–4607.(B)(1)(III) A CONTROLLER MAY UTILIZE THE FOLLOWING METHODS TO SATISFY PARAGRAPH (1) OF THIS SUBSECTION: ON OR BEFORE OCTOBER 1, 2025, ALLOWING A CONSUMER TO OPT OUT OF ANY PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR ANY SALE OF PERSONAL DATA, THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT, WITH THE CONSUMER'S CONSENT, BY A PLATFORM, TECHNOLOGY, OR MECHANISM TO THE CONTROLLER INDICATING THE CONSUMER'S INTENT TO OPT OUT OF THE PROCESSING OR SALE. § 14–4607.(F)(3)(II)] | Privacy protection for information and data | Data and Information Management | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Business Processes | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Business Processes | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 [{opt-out mechanism} {opt out} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION MAY NOT: USE A DEFAULT SETTING TO OPT A CONSUMER OUT OF ANY PROCESSING OF THE CONSUMER'S PERSONAL DATA. § 14–4607.(F)(5)(II) {be consistent} {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: BE AS CONSISTENT AS POSSIBLE WITH ANY OTHER SIMILAR PLATFORM, TECHNOLOGY, OR MECHANISM REQUIRED BY ANY FEDERAL OR STATE LAW OR REGULATION; § 14–4607.(F)(4)(III) {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: REQUIRE A CONSUMER TO MAKE AN AFFIRMATIVE, UNAMBIGUOUS, AND VOLUNTARY CHOICE IN ORDER TO OPT OUT OF ANY PROCESSING OF THE CONSUMER'S PERSONAL DATA. § 14–4607.(F)(4)(V) {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: ENABLE THE CONTROLLER TO REASONABLY DETERMINE WHETHER THE CONSUMER: HAS MADE A LEGITIMATE REQUEST TO OPT OUT OF ANY SALE OF THE CONSUMER'S PERSONAL DATA OR TARGETED ADVERTISING; AND § 14–4607.(F)(4)(IV) 2. {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: ENABLE THE CONTROLLER TO REASONABLY DETERMINE WHETHER THE CONSUMER: IS A RESIDENT OF THE STATE; AND § 14–4607.(F)(4)(IV) 1. {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION MAY NOT: UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER; OR § 14–4607.(F)(5)(I) {be easy to use} {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: BE CONSUMER–FRIENDLY AND EASY TO USE BY THE AVERAGE CONSUMER; § 14–4607.(F)(4)(I) {clear and conspicuous language} {opt-out mechanism} A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL: USE CLEAR, EASY TO UNDERSTAND, AND UNAMBIGUOUS LANGUAGE; § 14–4607.(F)(4)(II)] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 | Privacy protection for information and data | Technical Security | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [IF A CONSUMER REVOKES CONSENT UNDER THIS SECTION, THE CONTROLLER SHALL STOP PROCESSING THE CONSUMER'S PERSONAL DATA AS SOON AS PRACTICABLE, BUT NOT LATER THAN 30 DAYS AFTER RECEIVING THE REQUEST. § 14–4607.(B)(2) A CONTROLLER SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED FROM AN AUTHORIZED AGENT IF, USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER IS ABLE TO AUTHENTICATE THE: § 14–4606.(B)] | Privacy protection for information and data | Business Processes | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Privacy protection for information and data | Process or Activity | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Privacy protection for information and data | Business Processes | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Privacy protection for information and data | Communicate | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Privacy protection for information and data | Records Management | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Privacy protection for information and data | Data and Information Management | |
| Refrain from obtaining consent through deception. CC ID 13556 | Privacy protection for information and data | Data and Information Management | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 | Privacy protection for information and data | Data and Information Management | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 [IF A CONSUMER'S DECISION TO OPT OUT OF THE PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR THE SALE OF PERSONAL DATA THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT IN ACCORDANCE WITH SUBSECTION (F)(3) OF THIS SECTION CONFLICTS WITH THE CONSUMER'S EXISTING CONTROLLER–SPECIFIC PRIVACY SETTING OR THE CONSUMER'S VOLUNTARY PARTICIPATION IN A CONTROLLER'S BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, THE CONTROLLER MAY NOTIFY THE CONSUMER OF A CONFLICT AND PROVIDE THE CHOICE TO CONFIRM CONTROLLER–SPECIFIC PRIVACY SETTINGS OR PARTICIPATION IN A PROGRAM LISTED IN THIS PARAGRAPH. § 14–4607.(G)(1)] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [IF A CONTROLLER USES A PROCESSOR TO PROCESS THE PERSONAL DATA OF CONSUMERS, THE CONTROLLER AND THE PROCESSOR SHALL ENTER INTO A CONTRACT THAT GOVERNS THE PROCESSOR'S DATA PROCESSING PROCEDURES WITH RESPECT TO PROCESSING PERFORMED ON BEHALF OF THE CONTROLLER. § 14–4608.(A)(1) A PROCESSOR SHALL: ADHERE TO THE CONTRACT AND INSTRUCTIONS OF A CONTROLLER; § 14–4608.(B)(1) {data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: § 14–4608.(A)(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA IS SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO THE PERSONAL DATA; § 14–4608.(A)(3)(I)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [{data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: INSTRUCTIONS FOR PROCESSING DATA; § 14–4608.(A)(2)(I)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [{data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: THE NATURE AND PURPOSE OF PROCESSING; § 14–4608.(A)(2)(II)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [{data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: THE TYPE OF DATA SUBJECT TO PROCESSING; § 14–4608.(A)(2)(III)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 [{data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: THE DURATION OF PROCESSING; AND § 14–4608.(A)(2)(IV)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: ALLOW AND COOPERATE WITH REASONABLE ASSESSMENTS BY THE CONTROLLER, THE CONTROLLER'S DESIGNATED ASSESSOR, OR A QUALIFIED AND INDEPENDENT ASSESSOR ARRANGED FOR BY THE PROCESSOR TO ASSESS THE PROCESSOR'S POLICIES AND TECHNICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF THE OBLIGATIONS UNDER THIS SUBTITLE. § 14–4608.(A)(3)(VII) A PROCESSOR SHALL: PROVIDE NECESSARY INFORMATION TO ENABLE THE CONTROLLER TO CONDUCT AND DOCUMENT DATA PROTECTION ASSESSMENTS. § 14–4608.(B)(3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: ON THE REASONABLE REQUEST OF THE CONTROLLER, MAKE AVAILABLE TO THE CONTROLLER ALL INFORMATION IN THE PROCESSOR'S POSSESSION NECESSARY TO DEMONSTRATE THE PROCESSOR'S COMPLIANCE WITH THE OBLIGATIONS IN THIS SUBTITLE; § 14–4608.(A)(3)(V) ON REQUEST, THE PROCESSOR SHALL PROVIDE A REPORT OF AN ASSESSMENT REQUIRED BY PARAGRAPH (3)(V) OF THIS SUBSECTION TO THE CONTROLLER. § 14–4608.(A)(4)(I)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [A PERSON MAY NOT: PROVIDE A PROCESSOR ACCESS TO CONSUMER HEALTH DATA UNLESS THE PERSON PROVIDING ACCESS TO THE CONSUMER HEALTH DATA AND THE PROCESSOR COMPLY WITH 14–4608 OF THIS SUBTITLE; OR § 14–4604.(2) {data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: STOP PROCESSING DATA ON REQUEST BY THE CONTROLLER MADE IN ACCORDANCE WITH A CONSUMER'S AUTHENTICATED REQUEST; § 14–4608.(A)(3)(III) A PROCESSOR SHALL: ASSIST THE CONTROLLER IN MEETING THE CONTROLLER'S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING: § 14–4608.(B)(2) {data processing contract} THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH: THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES. § 14–4608.(A)(2)(V) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: ASSIST ANOTHER CONTROLLER, PROCESSOR, OR THIRD PARTY WITH AN OBLIGATION UNDER THIS SUBTITLE. § 14–4612.(A)(11)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: AFTER PROVIDING THE CONTROLLER AN OPPORTUNITY TO OBJECT, ENGAGE A SUBCONTRACTOR TO ASSIST WITH PROCESSING PERSONAL DATA ON THE CONTROLLER'S BEHALF ONLY IN ACCORDANCE WITH A WRITTEN CONTRACT THAT REQUIRES THE SUBCONTRACTOR TO MEET THE PROCESSOR'S OBLIGATIONS REGARDING THE PERSONAL DATA UNDER THE PROCESSOR'S CONTRACT WITH THE CONTROLLER; AND § 14–4608.(A)(3)(VI)] | Privacy protection for information and data | Human Resources Management | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: AT THE CONTROLLER'S DIRECTION, DELETE OR RETURN ALL PERSONAL DATA TO THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF SERVICE, UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW; § 14–4608.(A)(3)(IV)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the data subject of changes to personal data use. CC ID 00105 [IF A THIRD PARTY USES OR SHARES A CONSUMER'S INFORMATION IN A MANNER INCONSISTENT WITH PROMISES MADE TO THE CONSUMER AT THE TIME OF COLLECTION OF THE INFORMATION, THE THIRD PARTY SHALL PROVIDE AN AFFECTED CONSUMER WITH NOTICE OF THE NEW OR CHANGED PRACTICE BEFORE IMPLEMENTING THE NEW OR CHANGED PRACTICE. § 14–4609.(A)] | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [{not necessary} {be incompatible} A CONTROLLER MAY NOT: UNLESS THE CONTROLLER OBTAINS THE CONSUMER'S CONSENT, PROCESS PERSONAL DATA FOR A PURPOSE THAT IS NEITHER REASONABLY NECESSARY TO, NOR COMPATIBLE WITH, THE DISCLOSED PURPOSES FOR WHICH THE PERSONAL DATA IS PROCESSED, AS DISCLOSED TO THE CONSUMER. § 14–4607.(A)(8)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: TAKE IMMEDIATE STEPS TO PROTECT AN INTEREST THAT IS ESSENTIAL FOR THE LIFE OR PHYSICAL SAFETY OF A CONSUMER OR ANOTHER INDIVIDUAL AND WHEN THE PROCESSING CANNOT BE MANIFESTLY BASED ON ANOTHER LEGAL BASIS; § 14–4612.(A)(8)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED CONSUMER REQUEST WITH PERSONAL DATA. § 14–4611.(A)(3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow data subjects to submit data requests. CC ID 16545 [A CONSUMER MAY EXERCISE A CONSUMER RIGHT UNDER THIS SECTION BY THE METHOD ESTABLISHED BY THE CONTROLLER UNDER PARAGRAPH (1) OF THIS SUBSECTION. § 14–4605.(C)(2)] | Privacy protection for information and data | Process or Activity | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Data and Information Management | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Data and Information Management | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Data and Information Management | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Data and Information Management | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Data and Information Management | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Business Processes | |
| Respond to data access requests in a timely manner. CC ID 00421 [EXCEPT AS OTHERWISE PROVIDED IN THIS SUBTITLE, A CONTROLLER SHALL COMPLY WITH A REQUEST BY A CONSUMER TO EXERCISE A CONSUMER RIGHT LISTED IN THIS SECTION. § 14–4605.(E)(1) A CONTROLLER SHALL RESPOND TO A CONSUMER REQUEST NOT LATER THAN 45 DAYS AFTER THE CONTROLLER RECEIVES THE CONSUMER REQUEST. § 14–4605.(E)(2)(I)] | Privacy protection for information and data | Behavior | |
| Respond to data access requests in an official language. CC ID 17176 | Privacy protection for information and data | Communicate | |
| Delay responding to data access requests, as necessary. CC ID 15504 [A CONTROLLER MAY EXTEND THE COMPLETION PERIOD BY AN ADDITIONAL 45 DAYS IF: IT IS REASONABLY NECESSARY TO COMPLETE THE REQUEST BASED ON THE COMPLEXITY AND NUMBER OF THE CONSUMER'S REQUESTS; AND § 14–4605.(E)(2)(II) 1.] | Privacy protection for information and data | Data and Information Management | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Data and Information Management | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Business Processes | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Process or Activity | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Data and Information Management | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Process or Activity | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 [NOT LATER THAN 60 DAYS AFTER RECEIVING AN APPEAL, A CONTROLLER SHALL INFORM THE CONSUMER IN WRITING OF ANY ACTION TAKEN OR NOT TAKEN IN RESPONSE TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF THE REASONS FOR THE DECISIONS. § 14–4605.(F)(3)] | Privacy protection for information and data | Behavior | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Privacy protection for information and data | Records Management | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER RIGHTS REQUEST IF THE CONTROLLER: IS NOT REASONABLY CAPABLE OF ASSOCIATING THE REQUEST WITH THE PERSONAL DATA OR IT WOULD BE UNREASONABLY BURDENSOME FOR THE CONTROLLER TO ASSOCIATE THE REQUEST WITH THE PERSONAL DATA; § 14–4611.(B)(1)] | Privacy protection for information and data | Process or Activity | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [A CONTROLLER MAY NOT: PROCESS PERSONAL DATA IN VIOLATION OF STATE OR FEDERAL LAWS THAT PROHIBIT UNLAWFUL DISCRIMINATION; § 14–4607.(A)(3) A CONTROLLER MAY NOT: COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN, SEX, SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR: § 14–4607.(A)(7) A CONTROLLER MAY NOT: COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN, SEX, SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR: THE CONTROLLER'S DIVERSIFYING OF AN APPLICANT, PARTICIPANT, OR CUSTOMER POOL; OR § 14–4607.(A)(7)(II) A CONTROLLER MAY NOT: COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN, SEX, SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR: THE CONTROLLER'S SELF–TESTING TO PREVENT OR MITIGATE UNLAWFUL DISCRIMINATION; § 14–4607.(A)(7)(I) {be private} A CONTROLLER MAY NOT: COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN, SEX, SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR: A PRIVATE CLUB OR GROUP NOT OPEN TO THE PUBLIC, AS DESCRIBED IN § 201(E) OF THE CIVIL RIGHTS ACT OF 1964; OR § 14–4607.(A)(7)(III)] | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Process or Activity | |
| Process restricted data lawfully and carefully. CC ID 00086 | Privacy protection for information and data | Establish Roles | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO: IMPOSE AN OBLIGATION ON A CONTROLLER OR A PROCESSOR THAT ADVERSELY AFFECTS THE RIGHTS OR FREEDOMS OF ANY PERSON, INCLUDING THE RIGHTS OF A PERSON TO FREEDOM OF SPEECH OR FREEDOM OF THE PRESS AS GUARANTEED IN THE FIRST AMENDMENT TO THE U.S. CONSTITUTION; OR § 14–4612.(E)(1) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY; OR § 14–4612.(B)(2)(II) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: EFFECTUATE A PRODUCT RECALL; § 14–4612.(B)(2)(I) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: PERFORM INTERNAL OPERATIONS THAT ARE: § 14–4612.(B)(2)(III)] | Privacy protection for information and data | Data and Information Management | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [{minor} A CONTROLLER MAY NOT: PROCESS THE PERSONAL DATA OF A CONSUMER FOR THE PURPOSES OF TARGETED ADVERTISING IF THE CONTROLLER KNEW OR SHOULD HAVE KNOWN THAT THE CONSUMER IS UNDER THE AGE OF 18 YEARS; § 14–4607.(A)(4)] | Privacy protection for information and data | Business Processes | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED COMPLIANT WITH THE CONSUMER'S REQUEST TO DELETE THE CONSUMER'S DATA IN ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THAT THE CONSUMER'S PERSONAL DATA: § 14–4605.(E)(7) A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED COMPLIANT WITH THE CONSUMER'S REQUEST TO DELETE THE CONSUMER'S DATA IN ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THAT THE CONSUMER'S PERSONAL DATA: REMAINS DELETED FROM THE CONTROLLER'S RECORDS; AND § 14–4605.(E)(7)(I) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED CONSUMER REQUEST WITH PERSONAL DATA. § 14–4611.(A)(3) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY; OR § 14–4612.(B)(2)(II) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: EFFECTUATE A PRODUCT RECALL; § 14–4612.(B)(2)(I) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: PERFORM INTERNAL OPERATIONS THAT ARE: § 14–4612.(B)(2)(III)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Capture personal data removal requests. CC ID 13507 [A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED COMPLIANT WITH THE CONSUMER'S REQUEST TO DELETE THE CONSUMER'S DATA IN ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THAT THE CONSUMER'S PERSONAL DATA: § 14–4605.(E)(7)] | Privacy protection for information and data | Communicate | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A CONSUMER SHALL HAVE THE RIGHT TO: REQUIRE A CONTROLLER TO DELETE PERSONAL DATA PROVIDED BY, OR OBTAINED ABOUT, THE CONSUMER UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW; § 14–4605.(B)(4)] | Privacy protection for information and data | Records Management | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Process or Activity | |
| Refrain from selling restricted data, as necessary. CC ID 17165 [A CONTROLLER MAY NOT: SELL SENSITIVE DATA; § 14–4607.(A)(2) {minor} A CONTROLLER MAY NOT: SELL THE PERSONAL DATA OF A CONSUMER IF THE CONTROLLER KNEW OR SHOULD HAVE KNOWN THAT THE CONSUMER IS UNDER THE AGE OF 18 YEARS; § 14–4607.(A)(5)] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [IF A CONTROLLER DECLINES TO ACT REGARDING A CONSUMER'S REQUEST, THE CONTROLLER SHALL: INFORM THE CONSUMER WITHOUT UNDUE DELAY, BUT NOT LATER THAN 45 DAYS AFTER RECEIVING THE REQUEST, OF THE JUSTIFICATION FOR DECLINING TO ACT; AND § 14–4605.(E)(3)(I) IF A CONTROLLER IS UNABLE TO AUTHENTICATE A REQUEST TO EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (B)(1) THROUGH (5) OF THIS SECTION USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER: MAY NOT BE REQUIRED TO COMPLY WITH A REQUEST TO INITIATE AN ACTION IN ACCORDANCE WITH THIS SECTION; AND § 14–4605.(E)(5)(I) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER RIGHTS REQUEST IF THE CONTROLLER: DOES NOT SELL THE PERSONAL DATA TO A THIRD PARTY OR OTHERWISE VOLUNTARILY DISCLOSE THE PERSONAL DATA TO A THIRD PARTY OTHER THAN A PROCESSOR, EXCEPT AS OTHERWISE ALLOWED IN THIS SUBTITLE. § 14–4611.(B)(3) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER RIGHTS REQUEST IF THE CONTROLLER: DOES NOT USE THE PERSONAL DATA TO RECOGNIZE OR RESPOND TO THE SPECIFIC CONSUMER WHO IS THE SUBJECT OF THE PERSONAL DATA OR ASSOCIATE THE PERSONAL DATA WITH OTHER PERSONAL DATA ABOUT THE SAME SPECIFIC CONSUMER; AND § 14–4611.(B)(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{be unfounded} {be excessive} {be infeasible} {be repetitive} IF REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE, A CONTROLLER MAY: DECLINE TO ACT ON THE REQUEST. § 14–4605.(E)(4)(II) 2.] | Privacy protection for information and data | Data and Information Management | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [IF A CONTROLLER IS UNABLE TO AUTHENTICATE A REQUEST TO EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (B)(1) THROUGH (5) OF THIS SECTION USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER: SHALL PROVIDE NOTICE TO THE CONSUMER THAT THE CONTROLLER IS UNABLE TO AUTHENTICATE THE REQUEST TO EXERCISE THE RIGHT UNTIL THE CONSUMER PROVIDES ADDITIONAL INFORMATION REASONABLY NECESSARY TO AUTHENTICATE THE CONSUMER AND THE CONSUMER'S REQUEST TO EXERCISE THE CONSUMER'S RIGHTS. § 14–4605.(E)(5)(II)] | Privacy protection for information and data | Data and Information Management | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Data and Information Management | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [NOTHING IN THIS SECTION MAY BE CONSTRUED TO REQUIRE A CONTROLLER TO REVEAL A TRADE SECRET. § 14–4605.(A)] | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Process or Activity | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Data and Information Management | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Data and Information Management | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Data and Information Management | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Data and Information Management | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [IF A CONTROLLER DECLINES TO ACT REGARDING A CONSUMER'S REQUEST, THE CONTROLLER SHALL: INFORM THE CONSUMER WITHOUT UNDUE DELAY, BUT NOT LATER THAN 45 DAYS AFTER RECEIVING THE REQUEST, OF THE JUSTIFICATION FOR DECLINING TO ACT; AND § 14–4605.(E)(3)(I) {be unfounded} {be excessive} {be infeasible} {be repetitive} IF REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE, A CONTROLLER MAY: THE CONTROLLER HAS THE BURDEN OF DEMONSTRATING THE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE NATURE OF THE REQUEST. § 14–4605.(E)(4)(III)] | Privacy protection for information and data | Data and Information Management | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Communicate | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Data and Information Management | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Process or Activity | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL DATA CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVILEGE UNDER STATE LAW AS PART OF A PRIVILEGED COMMUNICATION. § 14–4612.(C)(2)] | Privacy protection for information and data | Data and Information Management | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Data and Information Management | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Communicate | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Data and Information Management | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [A CONTROLLER MAY EXTEND THE COMPLETION PERIOD BY AN ADDITIONAL 45 DAYS IF: THE CONTROLLER INFORMS THE CONSUMER OF THE EXTENSION AND THE REASON FOR THE EXTENSION WITHIN THE INITIAL 45–DAY RESPONSE PERIOD. § 14–4605.(E)(2)(II) 2.] | Privacy protection for information and data | Communicate | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Data and Information Management | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Data and Information Management | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Data and Information Management | |
| Provide data at a cost that is not excessive. CC ID 00430 [A CONTROLLER SHALL PROVIDE INFORMATION TO A CONSUMER IN RESPONSE TO A CONSUMER'S REQUEST TO EXERCISE RIGHTS UNDER THIS SUBTITLE FREE OF CHARGE ONCE DURING ANY 12–MONTH PERIOD. § 14–4605.(E)(4)(I) {be unfounded} {be excessive} {be infeasible} {be repetitive} IF REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE, A CONTROLLER MAY: CHARGE THE CONSUMER A REASONABLE FEE TO COVER THE ADMINISTRATIVE COSTS OF COMPLYING WITH THE REQUEST; OR § 14–4605.(E)(4)(II) 1.] | Privacy protection for information and data | Data and Information Management | |
| Provide records or data in a reasonable manner. CC ID 00431 [A CONSUMER SHALL HAVE THE RIGHT TO: IF THE PROCESSING OF PERSONAL DATA IS DONE BY AUTOMATIC MEANS, OBTAIN A COPY OF THE CONSUMER'S PERSONAL DATA PROCESSED BY THE CONTROLLER IN A PORTABLE AND, TO THE EXTENT TECHNICALLY FEASIBLE, READILY USABLE FORMAT THAT ALLOWS THE CONSUMER TO EASILY TRANSMIT THE DATA TO ANOTHER CONTROLLER WITHOUT HINDRANCE; § 14–4605.(B)(5)] | Privacy protection for information and data | Data and Information Management | |
| Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Data and Information Management | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Data and Information Management | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Data and Information Management | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Data and Information Management | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from collecting personal data, as necessary. CC ID 15269 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED CONSUMER REQUEST WITH PERSONAL DATA. § 14–4611.(A)(3) A PERSON MAY NOT: USE A GEOFENCE TO ESTABLISH A VIRTUAL BOUNDARY THAT IS WITHIN 1,750 FEET OF ANY MENTAL HEALTH FACILITY OR REPRODUCTIVE OR SEXUAL HEALTH FACILITY FOR THE PURPOSE OF IDENTIFYING, TRACKING, COLLECTING DATA FROM, OR SENDING ANY NOTIFICATION TO A CONSUMER REGARDING THE CONSUMER'S CONSUMER HEALTH DATA. § 14–4604.(3)] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Use personal data for specified purposes. CC ID 11831 [A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED COMPLIANT WITH THE CONSUMER'S REQUEST TO DELETE THE CONSUMER'S DATA IN ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THAT THE CONSUMER'S PERSONAL DATA: IS NOT BEING USED FOR ANY OTHER PURPOSE. § 14–4605.(E)(7)(II) {be adequate} {be relevant} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: MAY BE PROCESSED TO THE EXTENT THAT THE PROCESSING IS: ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS NECESSARY IN RELATION TO THE SPECIFIC PURPOSES LISTED IN THIS SECTION. § 14–4612.(G)(2)(II) {be necessary} {be proportionate} PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION: MAY BE PROCESSED TO THE EXTENT THAT THE PROCESSING IS: REASONABLY NECESSARY AND PROPORTIONATE TO THE PURPOSES LISTED IN THIS SECTION; AND § 14–4612.(G)(2)(I)] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 [{be proportionate} A CONTROLLER SHALL: LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS REASONABLY NECESSARY AND PROPORTIONATE TO PROVIDE OR MAINTAIN A SPECIFIC PRODUCT OR SERVICE REQUESTED BY THE CONSUMER TO WHOM THE DATA PERTAINS; § 14–4607.(B)(1)(I)] | Privacy protection for information and data | Data and Information Management | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY; OR § 14–4612.(B)(2)(II) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: EFFECTUATE A PRODUCT RECALL; § 14–4612.(B)(2)(I) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO: PERFORM INTERNAL OPERATIONS THAT ARE: § 14–4612.(B)(2)(III)] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: MAINTAIN DATA IN AN IDENTIFIABLE FORM; OR § 14–4611.(A)(2) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO: RE–IDENTIFY DE–IDENTIFIED DATA; § 14–4611.(A)(1)] | Privacy protection for information and data | Data and Information Management | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Data and Information Management | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Data and Information Management | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Data and Information Management | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Data and Information Management | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Data and Information Management | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [IF A CONTROLLER DENIES AN APPEAL, THE CONTROLLER SHALL PROVIDE THE CONSUMER WITH AN ONLINE MECHANISM, IF AVAILABLE, THROUGH WHICH THE CONSUMER MAY CONTACT THE DIVISION TO SUBMIT A COMPLAINT. § 14–4605.(F)(4)] | Privacy protection for information and data | Behavior | |
| Define the organization's liability based on the applicable law. CC ID 00504 [NOTHING IN THIS SECTION MAY BE CONSTRUED TO RELIEVE A CONTROLLER OR A PROCESSOR FROM THE LIABILITIES IMPOSED ON THE CONTROLLER OR PROCESSOR BY VIRTUE OF THE CONTROLLER'S OR PROCESSOR'S ROLE IN THE PROCESSING RELATIONSHIP IN ACCORDANCE WITH THIS SECTION. § 14–4608.(C) A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL DATA TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE IF THE PROCESSOR OR THIRD–PARTY CONTROLLER THAT RECEIVES THE PERSONAL DATA VIOLATES THIS SUBTITLE AND: AT THE TIME THE DISCLOSING CONTROLLER OR PROCESSOR DISCLOSED THE PERSONAL DATA, THE DISCLOSING CONTROLLER OR PROCESSOR DID NOT HAVE ACTUAL KNOWLEDGE THAT THE RECEIVING PROCESSOR OR THIRD–PARTY CONTROLLER WOULD VIOLATE THIS SUBTITLE; AND § 14–4612.(D)(1)(I) A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL DATA TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE IF THE PROCESSOR OR THIRD–PARTY CONTROLLER THAT RECEIVES THE PERSONAL DATA VIOLATES THIS SUBTITLE AND: § 14–4612.(D)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the appeal process based on the applicable law. CC ID 00506 [A CONTROLLER SHALL ESTABLISH A PROCESS FOR A CONSUMER TO APPEAL THE CONTROLLER'S REFUSAL TO ACT ON A CONSUMER RIGHTS REQUEST WITHIN A REASONABLE PERIOD AFTER THE CONSUMER RECEIVES THE DECISION. § 14–4605.(F)(1) {be conspicuously available} THE APPEAL PROCESS SHALL BE: CONSPICUOUSLY AVAILABLE; AND § 14–4605.(F)(2)(I) {be similar} THE APPEAL PROCESS SHALL BE: SIMILAR TO THE PROCESS FOR SUBMITTING REQUESTS TO INITIATE AN ACTION IN ACCORDANCE WITH THIS SECTION. § 14–4605.(F)(2)(II)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Process or Activity | |
| Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Process or Activity | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [IF A CONTROLLER DECLINES TO ACT REGARDING A CONSUMER'S REQUEST, THE CONTROLLER SHALL: PROVIDE INSTRUCTIONS FOR HOW TO APPEAL THE DECISION. § 14–4605.(E)(3)(II)] | Privacy protection for information and data | Communicate | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [NOT LATER THAN 60 DAYS AFTER RECEIVING AN APPEAL, A CONTROLLER SHALL INFORM THE CONSUMER IN WRITING OF ANY ACTION TAKEN OR NOT TAKEN IN RESPONSE TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF THE REASONS FOR THE DECISIONS. § 14–4605.(F)(3)] | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT: THE ABILITY OF THE CONTROLLER TO VERIFY THE IDENTITY OF A CONSUMER MAKING THE REQUEST. § 14–4607.(F)(1)(III) A CONTROLLER MAY NOT BE REQUIRED TO AUTHENTICATE AN OPT–OUT REQUEST. § 14–4605.(E)(6)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Check the accuracy of restricted data. CC ID 00088 | Privacy protection for information and data | Data and Information Management | |
| Check the data accuracy of new accounts. CC ID 04859 | Privacy protection for information and data | Data and Information Management | |
| Use documents for identification that do not appear altered or forged. CC ID 04860 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Privacy protection for information and data | Data and Information Management | |
| Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Privacy protection for information and data | Data and Information Management | |
| Correlate the applicant's social security number with their date of birth. CC ID 04864 | Privacy protection for information and data | Data and Information Management | |
| Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Privacy protection for information and data | Data and Information Management | |
| Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Privacy protection for information and data | Data and Information Management | |
| Compare the applicant's address against known suspicious addresses. CC ID 04866 | Privacy protection for information and data | Data and Information Management | |
| Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Privacy protection for information and data | Data and Information Management | |
| Provide additional personal data when the application is incomplete. CC ID 04869 | Privacy protection for information and data | Data and Information Management | |
| Interview appropriate parties to validate consumer information. CC ID 16902 | Privacy protection for information and data | Process or Activity | |
| Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 [A CONTROLLER SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED FROM AN AUTHORIZED AGENT IF, USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER IS ABLE TO AUTHENTICATE THE: IDENTITY OF THE CONSUMER; AND § 14–4606.(B)(1)] | Privacy protection for information and data | Business Processes | |
| Use contact methods specified by the consumer for identity verification. CC ID 16878 | Privacy protection for information and data | Process or Activity | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PERFORM UNDER A CONTRACT TO WHICH A CONSUMER IS A PARTY, INCLUDING FULFILLING THE TERMS OF A WRITTEN WARRANTY; § 14–4612.(A)(6) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: TAKE STEPS AT THE REQUEST OF A CONSUMER BEFORE ENTERING INTO A CONTRACT; § 14–4612.(A)(7)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Systems Continuity | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Communicate | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Third Party and supply chain oversight | Business Processes | |
| Provide products or services per customer requests. CC ID 08893 [NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO: PROVIDE A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY A CONSUMER; § 14–4612.(A)(5)] | Third Party and supply chain oversight | Business Processes | |