Copyright © 2015 IAPP v. 2.0.0

International Association of Privacy Professionals 1

U.S. Government Privacy Certification

Authoritative Resource List

Introduction

The IAPP and its certification advisory board compiled the following list of books, periodicals, white papers, reports and Web sites for the purpose of furthering education of information privacy issues in U.S. federal and state government agencies and departments. These selections support the Certified Information Privacy Professional/Government (CIPP/G) credentialing program which assesses candidates’ understanding of information access and information privacy laws and practices now in force across the U.S. public sector.

The CIPP/G Authoritative Resource List is divided into three sections:

(1) Authoritative Texts: Core publications that encompass the domains on the CIPP/G body of knowledge;

(2) Supplemental Privacy Texts: Privacy and security-related publications that augment the authoritative texts; and,

(3) Web-based Privacy Resources: General references for information privacy that are available online.

Who Should Review

• Certification Candidates: The authoritative texts address the information privacy and information security concepts and issues referenced in the CIPP/G body of knowledge. While the IAPP does not draw from a single source to develop exams, we recommend these publications to candidates studying for their exams. The supplemental readings augment the authoritative texts by focusing on specific areas of the body of knowledge; therefore, the IAPP strongly suggests that you incorporate supplemental reading into your regimen for exam preparation based on your individual needs.

• Certified Professionals (current CIPP credential holders): Each of the items listed in this reading list may be applied toward the continuing privacy education (CPE) requirements mandated under your credential. Upon submission to the IAPP for approval, credits will be awarded based on a formula where 50 pages of written text = 1 CPE credit. Simply tally the total number of pages from your selection and submit for approval using the authorization form available at http://www.privacyassociation.org.

IMPORTANT: You must include photocopies of both the cover and inside table of contents of the selection(s) you submit for CPE consideration.

Authoritative Texts

While we recommend these resources as comprehensive, widely-recognized privacy texts that cover the topics outlined in the CIPP/G body of knowledge, candidates for certification must understand that no published text can keep pace with the rapidly-changing privacy landscape. We continuously adjust our exam content to represent the latest regulatory and technological changes and we expect candidates for IAPP certification to know about the important developments in their sector that may modify or supplant information in the authoritative texts.

• Kendall, Debbie, Executive Editor, U.S. Government Privacy: Essential Policies and Practices for Privacy Professionals, Second Edition (IAPP Publications)

• Matthews, Kristen J. Proskauer on Privacy: A Guide to Privacy and Data Security Law in the Information Age. New York: Practising Law Institute, 2014.

Supplemental Texts

• Greenwald, Glenn. No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. New York: Picador, 2014.

• Swire, Peter P. and Ahmad, Kenesa. Privacy and Surveillance with New Technologies. International Debate Education Association, 2012.

• Davis, Charles N. and Cuillier, David. Transparency 2.0: Digital Data and Privacy in a Wired World. Peter Lang Publishing, 2014.

• Nemeth, Charles P. Homeland Security: An Introduction to Principles and Practice, Second Edition. CRC Press, 2013.

• Online Advertising and Hidden Hazards to Consumer Security and Data Privacy. Create Space, 2015.

• Amoroso, Edward. Cyber Attacks: Protecting National Infrastructure. Butterworth-Heinemann, 2012.

• S. Hrg. 110-2: Balancing Privacy and Security: The Privacy Implications of Government Data Mining Programs. BiblioGov, 2013.

• Privacy: Government Use of Data from Information Resellers Could Include Better Protections: Gao-08-543t. BiblioGov, 2013.

• S. Hrg. 112-152: Privacy and Data Security, Protecting Consumers in the Modern World. BiblioGov, 2013.

• S. Hrg. 109-653: Veterans Affairs Data Privacy Breach: Twenty Six Million People Deserve Assurance of Future Security. BiblioGov, 2013.

• Computers Privacy: How the Government Obtains, Verifies, Uses, and Protects Personal Data: Imtec-90-70br. BiblioGov, 2013.

• Prescription Drug Data: HHS Has Issued Health Privacy and Security Regulations But Needs to Improve Guidance and Oversight: Gao-12-605. BiblioGov, 2013.

• Privacy: Lessons Learned about Data Breach Notification: Gao-07-657. BiblioGov, 2013.

• Herold, Rebecca and Hertzog, Christine. Data Privacy for the Smart Grid. Auerbach Publications, 2015.

• Smith, Robert Ellis. Compilation of State and Federal Privacy Laws. Providence: Privacy Journal, 2013.

• Solove, Daniel J., Paul M. Schwartz. Privacy Law Fundamentals, Third Edition. Portsmouth: IAPP Publications, 2015.

• Taylor, Laura P. FISMA Compliance Handbook: Second Edition. Syngress, 2013.

• United States Senate. The Need for Privacy Protections: Is Industry Self-Regulation Adequate? CreateSpace Independent Publishing Platform, 2013.

• Alexander, Philip. Data Breach Disclosure Laws, 3rd Edition: A State-by-State Perspective. Thomson Reuters Westlaw, 2012.

• Multiple Authors. The NSA Report: Liberty and Security in a Changing World. Princeton: Princeton University Press, 2014.

Web-based Privacy Resources

U.S. Federal Agency Websites on Privacy

• U.S. Department of Commerce: www.commerce.gov

• U.S. Equal Employment Opportunity Commission (“EEOC”): www.eeoc.gov

• U.S. Department of Health and Human Services / Office for Civil Rights: www.hhs.gov (the HHS HIPAA pages are available at www.hhs.gov/ocr/hipaa/)

• U.S. Department of Labor: www.dol.gov

• U.S. Department of the Treasury, Comptroller of the Currency, Administrator of National Banks: www.occ.gov

• U.S. Federal Trade Commission: www.ftc.gov (FTC privacy pages at www.ftc.gov/privacy/index.html; www.ftc.gov/kidzprivacy/)

• U.S. National Archives and Records Administration (“NARA”): www.archives.gov

• U.S. National Do-not-call Registry: www.donotcall.gov

• U.S. Transportation Security Administration: www.tsa.gov

U.S. Information Privacy Statutes

• California’s data breach notification law; Senate Bill 1386 (“SB 1386”): http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

• Children’s Internet Protection Act of 2001 (“CIPA”): http://www.fcc.gov/guides/childrens-internet-protection-act

• Children’s Online Privacy Protection Act of 1998 (“COPPA”): www.ftc.gov/ogc/coppa1.htm

• Communications Assistance for Law Enforcement Act of 1994 (“CALEA”): http://www.fcc.gov/encyclopedia/communications-assistance-law-enforcement-act

• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM”): http://transition.fcc.gov/cgb/policy/canspam.html

• Fair and Accurate Credit Transactions Act of 2003 (“FACTA”): http://www.ftc.gov/os/statutes/fcrajump.shtm

• Federal Trade Commission Act (“FTCA”): http://www.house.gov/legcoun/Comps/ftca.pdf (See: Section 5 on unfair and deceptive trade practices)

• Driver’s Privacy Protection Act of 1994 (“DPPA”): http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002721----000-.html

• Fair Credit Reporting Act of 1999 (“FCRA”): http://www.ftc.gov/os/statutes/031224fcra.pdf

• Family Education Rights and Privacy Act of 1974 (“FERPA”): http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

• Financial Services Modernization Act of 1999 (“Gramm-Leach-Bliley” or “GLBA”): http://www.ftc.gov/privacy/privacyinitiatives/glbact.html

• Privacy Act of 1974: http://www.justice.gov/opcl/privstat.htm

• Privacy Protection Act of 1980 (“PPA”): http://www4.law.cornell.edu/uscode/html/uscode42/usc_sec_42_00002000--aa000-.html

• Safe Web Act of 2006, bill S.1608: http://beta.congress.gov/bill/109th-congress/senate-bill/1608/text?textVersion=43518

• Telecommunications Act of 1996: http://www.fcc.gov/telecom.html

• Telephone Consumer Protection Act of 1981 (“TCPA”): http://www.fcc.gov/cgb/consumerfacts/tcpa.html

• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001; H.R. 3162 (“USA-PATRIOT”): http://epic.org/privacy/terrorism/hr3162.html

• Video Privacy Protection Act of 1988: http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002710----000-.html

Privacy and Security Organizations

• American Institute of Certified Public Accountants (“AICPA”): http://infotech.aicpa.org/Resources/Privacy/

• Asia Pacific Economic Cooperation (“APEC”) Electronic Commerce Steering Group: http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group.aspx

• Better Business Bureau / BBB Online: www.bbbonline.org/privacy/index.asp

• Center for Democracy and Technology (“CDT”): https://www.cdt.org/

• Center for Information Policy Leadership at Hunton & Williams (“CIPL”): http://ftc.gov/os/comments/prescreenedoptout/OL-100022.pdf

• Direct Marketing Association (“DMA”): www.the-dma.org

• Electronic Privacy Information Center (“EPIC”): www.epic.org

• Information Systems Audit and Control Association (“ISACA”): www.isaca.org

• International Association of Privacy Professionals (“IAPP”): www.privacyassociation.org

• Organization for Economic Cooperation and Development (“OECD”): http://www.oecd.org/

• Network Advertising Initiative (“NAI”): www.networkadvertising.org

• Privacilla: www.privacilla.org

• Privacy Council: www.privacycouncil.com

• Privacy Exchange: www.privacyexchange.org

• Privacy Foundation: www.privacyfoundation.org

• Privacy International: www.privacyinternational.org

• Privacy Journal: www.privacyjournal.net

• Privacy Laws and Business: www.privacylaws.com/

• Privacy Law Institute (“PLI”): www.pli.org

• Privacy Rights Clearinghouse: www.privacyrights.org

• TRUSTe: www.truste.org

• World Wide Web Consortium (W3C): www.w3.org

Privacy Principles and Standards

• American Institute of Certified Public Accountants (“AICPA”) in collaboration with the Canadian Institute of Chartered Accountants (“CICA”), “Generally Accepted Privacy Principles (“GAPP”) – A Global Privacy Framework”: http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/generallyacceptedprivacyprinciples/downloadabledocuments/gapp_prac_%200909.pdf

• Asia Pacific Economic Cooperation (“APEC”), “The APEC Privacy Principles”: http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx

• Commission Nationale de l’Informatique et des Libertés (“CNIL”), guidelines on the implementation of whistle-blowing systems: http://www.cnil.fr/fileadmin/documents/en/CNIL-recommandations-whistleblowing-VA.pdf

• Control Objectives for Information and Related Technology (“COBIT”): www.isaca.org/cobit

• National Institute for Standards and Technology (“NIST”): www.nist.gov

• The Network Advertising Initiative (“NAI”), “The NAI Self-regulatory Principles”: http://www.networkadvertising.org/2013_Principles.pdf

• Open Web Application Security Project (“OWASP”): www.owasp.org

• Organization for Economic Cooperation and Development (“OECD”) “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”: http://www.oecd.org/document/20/0,2340,en_2649_34255_15589524_1_1_1_1,00.html