Data Security and Privacy Practices Flashcards
The Freedom of Information Act applies to which of the following?
All federal government documents, without restrictions
Federal government documents, with a few enumerated restrictions
Only federal documents containing information concerning the requester
Federal government documents, with a few enumerated restrictions
Nine groups of documents are exempt from FOIA requests
HIPAA requires which of the following controls for medical records?
Encryption of all data
Physical controls only
Administrative, technical, and physical controls
Administrative, technical, and physical controls
Administrative, technical, and physical controls are mandated by HIPAA, including workforce training and awareness, encryption of data transfers, and physical barriers to records (locked storage rooms)
Which of the following is not PII?
Customer name
Customer ID number
Customer birth date
Customer ID number
A customer ID number generated by a firm to track customer records is meaningful only inside the firm and is generally not considered to be personally identifiable information (PII). It is important not to use the SSN as the customer ID number, for obvious reasons
A privacy impact assessment:
Determines the gap between a company’s privacy practices and required actions
Determines the damage caused by a breach of privacy
Determines what companies hold information on a specific person
Determines the gap between a company’s privacy practices and required actions
A PIA determines the gap between what a company is doing with PII and what its policies, rules, and regulations state it should be doing
Which of the following is an acceptable PII disposal procedure?
Shredding
Burning
Electronic destruction per military data destruction standards
All of the above
All of the above
Although using electronic destruction per military data destruction standards might seem excessive (and in many cases it is), all of the options comply with FTC-mandated disposal procedures for PII
In the United States, company responses to data disclosures of PII are regulated by:
Federal law, the Privacy Act
A series of state statutes
Contractual agreements with banks and credit card processors
A series of state statutes
No overarching federal disclosure statute exists, so company responses to data disclosures of PII are regulated by individual statutes in most states and territories
The U.S. Privacy Act of 1974 applies to which of the following?
Corporate records for U.S.-based companies
Records from any company doing business in the United States
Federal records containing PII
Federal records containing PII
The Privacy Act is a federal law, affecting federal records only
Data privacy as applicable to organizations is defined as:
The control the organization exerts over its data
The organization being able to keep its information secret
Making data-sharing illegal without consumer consent
The control the organization exerts over its data
The control the organization exerts over its data is the definition of data privacy in an enterprise
All but which of the following are items associated with privacy of health records?
Protected Health Information
Personal Health Information
Notice of Privacy Practices
Personal Health Information
The correct term per HIPAA is Protected Health Information
The FTC Disposal Rule applies to which of the following?
Small businesses using consumer reporting information
Debt collectors
Individuals using consumer reporting information
All of the above
All of the above
All are listed by FTC as responsible for following the Disposal Rule
Who is responsible for determining what data is needed by the enterprise?
Data owner
Privacy officer
Data custodian
Data owner
The data owner determines the business need. The privacy officer ensures that laws and regulations are followed, and the custodian/steward maintains the data
Data that is labeled “Private” typically pertains to what category?
Confidential information
Legal data
Personal information
Personal information
Private data frequently refers to personal data
Data that is labeled “Proprietary” typically pertains to what category?
Information under legal hold
Information to be safeguarded by business partners because it contains business secrets
Personal data
Information to be safeguarded by business partners because it contains business secrets
Proprietary data may be shared with a third party that is not a competitor, but by labeling the data Proprietary, you alert the party you have shared it with that the data is not to be shared further
What is the best method to destroy sensitive data on DVDs at a desktop?
Shredding
Burning
Wiping
Shredding
A desktop shredder can destroy DVDs and CDs. Burning is not wise at a desk. Wiping and pulping don’t work on DVDs
Information that could disclose the identity of a customer is referred to as?
Customer identity information (CII)
Personally identifiable information (PII)
Privacy protected information (PPI)
Personally identifiable information (PII)
Any information that can be used to determine identity is referred to collectively as personally identifiable information (PII)