Domain 3: Legal Issues, Contracts, and Electronic Discovery Flashcards
Which of the following is probably the best way to address your organization’s particular legal issues?
A. Get an account for a legal review service, such as Westlaw or Lexis/Nexis
B. Perform personal research on the Internet
C. Download the laws of each country where your organization operates
D. Consult with an attorney in the jurisdiction(s) where your organization operates
Answer: D
Lawyers will have much more capability to handle legal issues than security practitioners. See page 36 of the CSA Cloud Security Guidance v4.
All the other options may be beneficial, but not as useful as consulting attorneys.
Who is the original owner of privacy data?
A. The subject
B. The processor
C. The controller
D. The regulator
Answer: A
The subject is the original owner of privacy data.
All the other options list parties that might be responsible for either protecting the data or the subject’s rights, but are not the original owner.
Countries/regions may have either __________ or __________ privacy laws [select two].
A. optional
B. omnibus
C. hierarchical
D. advantageous
E. placid
F. internal
G. sectoral
Answer: B, G
Privacy laws either cover everyone in a country/region (such as the European Union’s General Data Protection Regulation [GDPR]), which are omnibus, or address particular industries/occupations (such as the Health Information Protection and Availability Act [HIPAA] in the US), which are sectoral. See page 38 of the CSA Cloud Security Guidance v4.
The other options are terms that have no meaning in this context.
Under many privacy laws, personal data can only be sent to another country if the receiving country’s laws offer __________.
A. reciprocity
B. adequate level of protection
C. cash awards
D. full encryption and secure data storage
Answer: B
Many privacy laws require that the national laws in countries receiving personal data have similar requirements, and therefore offer individuals an “adequate level of protection.” See page 38 of the CSA Cloud Security Guidance v4.
“Reciprocity” suggests both countries honor each other’s laws, which would be nice but is not typically the case. I don’t know of any laws that require cash payment as part of cross-border transfer. And while encryption and secure storage might be typical controls for personal data, and even included in some privacy laws, “adequate protection” is the more general answer, and therefore more correct in this case.
In some countries, privacy laws require that data be stored __________.
A. in plain text
B. within the country’s borders
C. in the cloud
D. in a proprietary format
Answer: B
Some privacy laws (such as Russia’s and China’s) require personal citizen data to be kept within the country which created the law. See page 38 of the CSA Cloud Security Guidance v4.
Privacy laws don’t typically specify the format of stored data, or whether the data should be stored in a traditional or cloud environment.
Which country/region does not have an omnibus personal privacy law?
A. Australia
B. The European Union
C. Argentina
D. The United States
Answer: D
The US does not have an omnibus personal privacy law; instead, personal privacy in the US is addressed by a patchwork of sectoral federal and state laws.
Australia, the EU, and Argentina all have strict personal privacy laws (and some have more than one).
Which country/region does not have an omnibus personal privacy law?
A. China
B. Canada
C. Japan
D. Chile
Answer: C
Japan has sectoral laws instead of an omnibus federal personal privacy law. See page 40 of the CSA Cloud Security Guidance v4.
China, Canada, and Chile all have omnibus federal personal privacy laws.
Which of the following is not true about the European Union’s (EU’s) General Data Protection Regulation (GDPR)?
A. it applies to all entities processing EU citizen personal data
B. it only applies within the EU and the Commonwealth
C. it treats personal privacy as a fundamental human right
D. it regulates cross-border data transfer to countries outside the EU
Answer: B
The GDPR is applicable globally. How this may affect questions of national sovereignty has yet to be determined. See pages 41-42 of the CSA Cloud Security Guidance v4.
All the other options are true statements about the GDPR.
According to the European Union’s (EU’s) General Data Protection Regulation (GDPR), breaches involving personal data must be reported to authorities within __________ of detection.
A. 72 hours
B. one week
C. one day
D. 24 hours
Answer: A
See page 42 of the CSA Cloud Security Guidance v4.
Any company violating the European Union’s (EU’s) General Data Protection Regulation (GDPR) may face monetary penalties of up to __________.
A. 100 million euros
B. 4% of that company’s annual global gross revenue
C. half of its operating capital
D. 10,000 euros per customer affected
Answer: B
The cap for penalties is 20 million euros. See page 42 of the CSA Cloud Security Guidance v4.
Contractual obligations for companies operating in the cloud might derive from all of the following except __________.
A. a terms of service statement
B. a privacy statement
C. contracts the company has with third parties
D. international law
Answer: D
International law creates a legal obligation, not a contractual obligation. All the other options are sources of contractual obligations. See page 45 of the CSA Cloud Security Guidance v4.
If an organization contracts with a cloud provider to manage personal data, who is generally liable for any damages caused by unauthorized disclosure of that data, under most privacy laws?
A. the cloud provider
B. the data subject
C. regulators
D. the organization
Answer: D
Under most privacy laws, the organization that originally collected or created the sensitive data set is legally responsible for the disposition of that data, including any loss of that data caused by a third party.
The cloud provider might also have some liability, depending on the nature of the loss, but the organization that shared the data with the provider retains most of the liability. Neither the data subject nor the regulator(s) have any liability for unauthorized disclosure.
Under the European Union’s (EU’s) General Data Protection Regulation (GDPR), which of the following is the most important characteristic of the data subject’s interaction with the data controller?
A. availability
B. business
C. consent
D. decryption
Answer: C
According to the CSA Cloud Security Guidance v4 (page 41), the subject must provide specific, informed, and unambiguous consent in order for data processing to be legal.
The other options don’t really suit this particular context, and aren’t elements of the subject’s interaction with the controller.
Which of the following is perhaps the best reason to conduct due diligence?
A. enhance profitability
B. reduce liability
C. raise public esteem
D. defeat dedicated attackers
Answer: B
Performing due diligence can reduce liability by averting accusations of negligence.
Due diligence might also lead to enhanced profitability, increased public esteem, or perhaps counter certain attacks, but these are not direct effects, and B is the better answer.
Which part of an audit/assessment describes the features and services included in that audit/assessment?
A. the introduction
B. the executive summary
C. the scope
D. the lessons learned
Answer: C
The purpose of the scope (or “scoping statement”) is to describe the features, services, and systems covered in the audit/assessment. See page 48 of the CSA Cloud Security Guidance v4.
The other options may be parts of the audit/assessment report, but do not typically include a description of the features/services which were covered.