9. Legal and Compliance Issues Flashcards
Katie is assessing her organization’s privacy practices and determines that the organization previously collected customer addresses for the purpose of shipping goods and is now using those addresses to mail promotional materials. If this possibility was not previously disclosed, what privacy principle is the organization most likely violating?
A. Quality
B. Management
C. Notice
D. Security
Answer: C. Notice
One of the provisions of the notice principle is that organizations should provide notice to data subjects before they use information for a purpose other than those that were previously disclosed.
Kara is the chief privacy officer of an organization that maintains a database of customer information for marketing purposes. What term best describes the role of Kara’s organization with respect to that database?
A. Data subject
B. Data custodian
C. Data controller
D. Data processor
Answer: C. Data controller
Kara’s organization is collecting and processing this information for its own business needs. Therefore, it is best described as the data controller.
Richard would like to use an industry standard reference for designing his organization’s privacy controls. Which one of the following ISO standards is best suited for this purpose?
A. ISO 27001
B. ISO 27002
C. ISO 27701
D. ISO 27702
Answer: C. ISO 27701
ISO 27701 covers best practices for implementing privacy controls. ISO 27001 and ISO 27002 relate to an organization’s information security program. ISO 27702 does not yet exist.
When designing privacy controls, an organization should be informed by the results of what type of analysis?
A. Impact analysis
B. Gap analysis
C. Business analysis
D. Authorization analysis
Answer: B. Gap analysis
The gap analysis is the formal process of identifying deficiencies that prevent an organization from achieving its privacy objectives. The results of the gap analysis may be used to design new controls.
State data breach notification laws may require organizations to notify which of the following parties?
A. Consumers impacted by the breach
B. State regulatory authorities
C. National credit reporting agencies
D. All of the above
Answer: D. All of the above
While they vary by state, breach notification laws may require notification to consumers, state regulators, and credit reporting agencies.
Which of the following is not a potential consequence an organization may face under state law following a breach?
A. An obligation to provide free credit monitoring to affected consumers.
B. Enforcement actions, including penalties, from state attorneys general.
C. Civil actions brought by consumers under a private right of action.
D. Criminal prosecution of company employees who allowed the breach to occur.
Answer: D. Criminal prosecution of company employees who allowed the breach to occur.
While not all states impose all of these penalties, free credit monitoring, penalties sought by an attorney general, and civil suits arising from a private right of action are potential consequences for an organization. Unless some other criminal act has occurred, criminal prosecution of employees is highly unlikely.
MediRecs Co. provides secure server space to help healthcare providers store medical records. MediRecs would be best described under HIPAA as which of the following?
A. Service provider
B. Business associate
C. Covered partner
D. Covered entity
Answer: B. Business associate
Under HIPAA, business associates are third-party firms that participate in the handling of PHI for a covered entity. Covered entities are required to have a business associate agreement (BAA) with such companies that confers responsibility for HIPAA compliance on the third party.
Dimitri cashed a paycheck at County Bank three months ago, but he doesn’t have an account there and hasn’t been back since. Under GLBA, County Bank should consider Dimitri as which of the following?
A. Customer
B. Consumer
C. Visitor
D. No relationship with the bank
Answer: B. Consumer
GLBA distinguishes between customers and consumers. Customers are people like account holders who have ongoing relationships with the bank. Consumers may only conduct isolated transactions with the bank. This is important because the bank has fewer obligations to Dimitri under GLBA because he is not technically a customer.
Which amendment to the U.S. Constitution explicitly grants individuals the right to privacy?
A. First Amendment
B. Fourth Amendment
C. Fifth Amendment
D. None of the above
Answer: D. None of the above
This is a tricky question. The Fourth Amendment has been interpreted to provide individuals with some privacy rights, but it does not explicitly establish a right to privacy. The word privacy appears nowhere in the text of the Constitution.
What source contains much of the administrative law created by the U.S. government?
A. U.S. Code
B. Bill of Rights
C. Code of Federal Regulations
D. U.S. Constitution
Answer: C. Code of Federal Regulations
Administrative law is commonly documented in the Code of Federal Regulations (CFR). The U.S. Code contains legislative law. The U.S. Constitution and its amendments (including the Bill of Rights) contain constitutional law.
During a negligence lawsuit, the court determined that the respondent was not at fault because the plaintiff did not present evidence that they suffered some form of harm. What element of negligence was missing from this case?
A. Duty of care
B. Breach of duty
C. Causation
D. Damages
Answer: D. Damages
In order to prevail on a negligence claim, the plaintiff must establish that there were damages involved, meaning that they suffered some type of financial, physical, emotional, or reputational harm.
Which one of the following elements is not always required for the creation of a legal contract?
A. An offer
B. Acceptance of an offer
C. Written agreement
D. Consideration
Answer: C. Written agreement
Many states do have laws requiring that some contracts be in written form, but there is no universal requirement that a contractual agreement take place in writing, although written contracts are clearly preferable. The conditions that must be met for a contract to be enforceable include that each party to the contract must have the capacity to agree to the contract, an offer must be made by one party and accepted by the other, consideration must be given, and there must be mutual intent to be bound.
What category of law best describes the HIPAA Privacy Rule?
A. Constitutional law
B. Common law
C. Legislative law
D. Administrative law
Answer: D. Administrative law
The Health Insurance Portability and Accountability Act (HIPAA) is legislation passed by Congress. However, the HIPAA Privacy Rule and HIPAA Security Rule did not go through the legislative process. They are examples of administrative law created by the Department of Health and Human Services to implement the requirements of HIPAA.
Which statute addresses security and privacy matters in the U.S. financial industry?
A. GLBA
B. FERPA
C. SOX
D. HIPAA
Answer: A. GLBA
The Gramm–Leach–Bliley Act (GLBA) governs the security and privacy of personal information in the financial industry. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Sarbanes–Oxley Act (SOX) governs the records of publicly traded corporations. The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare providers, health insurers, and health information clearinghouses.
The right to be forgotten refers to which of the following?
A. The right to no longer pay taxes
B. Erasing criminal history
C. The right to have all of a data subject’s data erased
D. Masking
Answer: C. The right to have all of a data subject’s data erased.
The right to be forgotten was first established under the European Union’s General Data Protection Regulation (GDPR). It requires, in many circumstances, that companies delete personal information maintained about an individual at that individual’s request.
Which one of the following organizations is least likely to be subject to the requirements of HIPAA?
A. Health insurance company
B. Hospital
C. Medical device manufacturer
D. Health information clearinghouse
Answer: C. Medical device manufacturer
HIPAA applies to three types of covered entities: healthcare providers (such as doctors and hospitals), health insurers, and health information clearinghouses. Medical device manufacturers do not fit into any of these categories and are unlikely to handle the protected health information of individual patients.
Which one of the following options is no longer valid for protecting the transfer of personal information between the European Union and other nations?
A. Adequacy decisions
B. EU/US Privacy Shield
C. Binding Corporate Rules
D. Standard Contractual Clauses
Answer: B. EU/US Privacy Shield
Organizations may transfer information between the European Union and other nations when there is an adequacy decision in place that the laws of the other nation comply with GDPR. They may also choose to adopt Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). They used to be able to transfer data under the safe harbor provisions of the EU-U.S. Privacy Shield, but this was struck down by the Schrems II decision.
Which one of the following is not a law that would concern cloud security professionals?
A. GLBA
B. HIPAA
C. PCI DSS
D. SOX
Answer: C. PCI DSS
All of these regulations would concern cloud security professionals. However, the Payment Card Industry Data Security Standard (PCI DSS) is a private regulatory scheme, not a law.
What standard governs SOC audits that occur within the United States?
A. SSAE 16
B. SSAE 18
C. ISAE 3402
D. ISAE 3602
Answer: B. SSAE 18
SOC audits performed in the United States are subject to SSAE 18. The earlier SSAE 16 standard for these audits is no longer relevant. The ISAE 3402 standard governs SOC audits outside of the United States.
You are considering working with a cloud provider and would like to review the results of an audit that contains detailed information on security controls. The provider requires that you sign an NDA before reviewing the material. What category of report are you likely reviewing?
A. SOC 1
B. SOC 2
C. SOC 3
D. SOC 4
Answer: B. SOC 2
SOC 2 reports contain information on an organization’s security controls and include detailed sensitive information. They are not normally shared outside of an NDA. SOC 3 reports contain similar types of information but at a level suitable for public disclosure. SOC 1 reports are normally used as a component of a financial audit. SOC 4 reports do not exist.