Chapter 6: Information Security and Data Breach Notification Laws Flashcards

1
Q

Information Security assessment must be consistent with what 3 key attributes?

A
  1. Confidentiality—access to data is limited to authorized parties
  2. Integrity—assurance that the data is authentic and complete
  3. Availability—knowledge that the data is accessible, as needed, by those who are authorized to use it
2
Q

What are Security Controls?

A

Security controls are mechanisms put in place to prevent, detect, or correct a security incident.

3
Q

What are the 3 types of Security Controls?

A
  1. Physical controls—such as locks, security cameras, and fences
  2. Administrative controls—such as incident response procedures and training
  3. Technical controls—such as firewalls, antivirus software, and access logs
4
Q

Which state enacted the first data breach notification law?

A

California in 2003, AB 1950

5
Q

What does AB 1950 require as it relates to Information Security?

A

That companies “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

6
Q

What companies are exempt from AB 1950?

A

Companies already subject to greater information security requirements, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA)

7
Q

What constitutes reasonable security procedures and practices?

A

CSC Top 20 according to the CA AG

8
Q

Which state, arguably, has the most prescriptive security law?

A

Massachusetts, 201 CMR 17.00

9
Q

What are the 10 things the Mass security law requires?

A
  1. Designate an individual who is responsible for information security
  2. Anticipate risks to personal information and take appropriate steps to mitigate such risks
  3. Develop security program rules
  4. Impose penalties for violations of the program rules
  5. Prevent access to personal information by former employees
  6. Contractually obligate third-party service providers to maintain similar procedures
  7. Restrict physical access to records containing personal information
  8. Monitor the effectiveness of the security program
  9. Review the program at least once a year and whenever business changes could impact security
  10. Document responses to incidents
10
Q

What are the 8 types of Data Breach Incidents?

A
  1. Unintended disclosure—sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail
  2. Hacking or malware—electronic entry by an outside party, malware and spyware
  3. Payment card fraud—fraud involving debit and credit cards that is not accomplished via hacking; for example, skimming devices at point-of-service terminals
  4. Insider—someone with legitimate access, such as an employee or contractor, intentionally breaching information
  5. Physical loss—lost, discarded or stolen nonelectronic records such as paper documents
  6. Portable device—e.g., lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape
  7. Stationary device—lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility
  8. Unknown or other
11
Q

What is the first step in incident management?

A

The first step in incident management is determining whether a breach has actually occurred.

12
Q

What is the second step in incident management, if a breach has occurred?

A

The second step is containment and analysis of the incident.

13
Q

What is the third step in incident management?

A

The third step in incident management is to notify affected parties.

14
Q

What is the fourth step in incident management?

A

The fourth step is to implement effective follow-up methods, such as additional training, internal self-assessments and third-party audits where needed.

15
Q

What is the framework the Office of the President’s Office of Management and Budget (OMB) gave for a security breach plan?

A
  • Designate the members who will make up a breach response team
  • Identify applicable privacy compliance documentation
  • Share information concerning the breach to understand the extent of the breach
  • Determine what reporting is required
  • Assess the risk of harm for individuals potentially affected by the breach
  • Mitigate the risk of harm for individuals potentially affected by the breach
  • Notify the individuals potentially affected by the breach
16
Q

What should organizations ensure that vendors are contractually required to do?

A

Provide training to their employees on identifying and reporting a breach, properly encrypt PII, report suspected or confirmed breaches, participate in the exchange of information in case of a breach, cooperate in the investigation of a breach, and make staff available to participate in the breach response team.

17
Q

What is a typical state definition of “personal information”?

A

An example is Connecticut’s, which defines it as “an individual’s first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number, (2) driver’s license number or state identification card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.”

18
Q

How many states have PI definitions that contain additional elements?

A

More than half

19
Q

Which states do NOT include an exception for publicly available information in their definition of PI?

A

Louisiana, Idaho, and Michigan

20
Q

What is the typical definition of a breach?

A

Unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information, when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. - Connecticut

When there is unauthorized acquisition of the personal information that “compromises the confidentiality, security or integrity” of the information. - California

21
Q

Who is typically notified when there is a breach?

A

State residents who are at risk because their personal information has potentially been exposed based on the level of unauthorized access or harm.

Note: Texas requires notifying not only Texas residents but also residents of states lacking a data breach notification law.

22
Q

Who else may be required to be notified when there is a breach?

A

The state AG. More than half of the states require entities that detect a breach to notify the state AG or other state agencies.

23
Q

How many states require that entities notify nationwide CRAs of a data breach?

A

28

24
Q

Do states require third-party notification?

A

Yes, all state data breach laws require third-party notification.

25
Q

Which state, arguably, has the most stringent notification timing requirement?

A

Puerto Rico requires notification of the Department of Consumer Affairs within 10 days, and within 24 hours the department makes the breach public.

26
Q

What do you include in a data breach notification to a data subject?

A

Most states do not specify the contents of the notification to the data subject, but California, Hawaii, Illinois, Iowa, Maryland, Massachusetts, Michigan, Missouri, Montana, New Hampshire, New York, North Carolina, Oregon, Vermont, Virginia, Washington, West Virginia, Wisconsin and Wyoming do.

27
Q

How do you typically notify data subjects?

A

Via written notification.

28
Q

What are the 3 basic exceptions for providing data breach notification?

A
  1. The most common exception allowed by states is for entities subject to other, more stringent data breach notification laws. This includes HIPAA-covered entities and financial institutions subject to and in compliance with the GLBA Safeguards Rule
  2. Most states allow exceptions for entities that already follow breach notification procedures as part of their own information security policies as long as these are compatible with the requirements of the state law.
  3. In most states, a safe harbor exists for data that was encrypted, redacted, unreadable or unusable.
29
Q

How many states have data destruction laws?

A

32