Domain 3: Legal Issues, Contracts, and Electronic Discovery Flashcards

1
Q

Which of the following is probably the best way to address your organization’s particular legal issues?
A. Get an account for a legal review service, such as Westlaw or Lexis/Nexis
B. Perform personal research on the Internet
C. Download the laws of each country where your organization operates
D. Consult with an attorney in the jurisdiction(s) where your organization operates

A

Answer: D
Lawyers will have much more capability to handle legal issues than security practitioners. See page 36 of the CSA Cloud Security Guidance v4.
All the other options may be beneficial, but not as useful as consulting attorneys.

2
Q

Who is the original owner of privacy data?
A. The subject
B. The processor
C. The controller
D. The regulator

A

Answer: A
The subject is the original owner of privacy data.
All the other options list parties that might be responsible for either protecting the data or the subject’s rights, but are not the original owner.

3
Q

Countries/regions may have either __________ or __________ privacy laws [select two].
A. optional
B. omnibus
C. hierarchical
D. advantageous
E. placid
F. internal
G. sectoral

A

Answer: B, G
Privacy laws either cover everyone in a country/region (such as the European Union’s General Data Protection Regulation [GDPR]), which are omnibus, or address particular industries/occupations (such as the Health Information Protection and Availability Act [HIPAA] in the US), which are sectoral. See page 38 of the CSA Cloud Security Guidance v4.
The other options are terms that have no meaning in this context.

4
Q

Under many privacy laws, personal data can only be sent to another country if the receiving country’s laws offer __________.
A. reciprocity
B. adequate level of protection
C. cash awards
D. full encryption and secure data storage

A

Answer: B
Many privacy laws require that the national laws in countries receiving personal data have similar requirements, and therefore offer individuals an “adequate level of protection.” See page 38 of the CSA Cloud Security Guidance v4.
“Reciprocity” suggests both countries honor each other’s laws, which would be nice but is not typically the case. I don’t know of any laws that require cash payment as part of cross-border transfer. And while encryption and secure storage might be typical controls for personal data, and even included in some privacy laws, “adequate protection” is the more general answer, and therefore more correct in this case.

5
Q

In some countries, privacy laws require that data be stored __________.
A. in plain text
B. within the country’s borders
C. in the cloud
D. in a proprietary format

A

Answer: B
Some privacy laws (such as Russia’s and China’s) require personal citizen data to be kept within the country which created the law. See page 38 of the CSA Cloud Security Guidance v4.
Privacy laws don’t typically specify the format of stored data, or whether the data should be stored in a traditional or cloud environment.

6
Q

Which country/region does not have an omnibus personal privacy law?
A. Australia
B. The European Union
C. Argentina
D. The United States

A

Answer: D
The US does not have an omnibus personal privacy law; instead, personal privacy in the US is addressed by a patchwork of sectoral federal and state laws.
Australia, the EU, and Argentina all have strict personal privacy laws (and some have more than one).

7
Q

Which country/region does not have an omnibus personal privacy law?
A. China
B. Canada
C. Japan
D. Chile

A

Answer: C
Japan has sectoral laws instead of an omnibus federal personal privacy law. See page 40 of the CSA Cloud Security Guidance v4.
China, Canada, and Chile all have omnibus federal personal privacy laws.

8
Q

Which of the following is not true about the European Union’s (EU’s) General Data Protection Regulation (GDPR)?
A. it applies to all entities processing EU citizen personal data
B. it only applies within the EU and the Commonwealth
C. it treats personal privacy as a fundamental human right
D. it regulates cross-border data transfer to countries outside the EU

A

Answer: B
The GDPR is applicable globally. How this may affect questions of national sovereignty has yet to be determined. See pages 41-42 of the CSA Cloud Security Guidance v4.
All the other options are true statements about the GDPR.

9
Q

According to the European Union’s (EU’s) General Data Protection Regulation (GDPR), breaches involving personal data must be reported to authorities within __________ of detection.
A. 72 hours
B. one week
C. one day
D. 24 hours

A

Answer: A
See page 42 of the CSA Cloud Security Guidance v4.

10
Q

Any company violating the European Union’s (EU’s) General Data Protection Regulation (GDPR) may face monetary penalties of up to __________.
A. 100 million euros
B. 4% of that company’s annual global gross revenue
C. half of its operating capital
D. 10,000 euros per customer affected

A

Answer: B
The cap for penalties is 20 million euros. See page 42 of the CSA Cloud Security Guidance v4.

11
Q

Contractual obligations for companies operating in the cloud might derive from all of the following except __________.
A. a terms of service statement
B. a privacy statement
C. contracts the company has with third parties
D. international law

A

Answer: D
International law creates a legal obligation, not a contractual obligation. All the other options are sources of contractual obligations. See page 45 of the CSA Cloud Security Guidance v4.

12
Q

If an organization contracts with a cloud provider to manage personal data, who is generally liable for any damages caused by unauthorized disclosure of that data, under most privacy laws?
A. the cloud provider
B. the data subject
C. regulators
D. the organization

A

Answer: D
Under most privacy laws, the organization that originally collected or created the sensitive data set is legally responsible for the disposition of that data, to include any loss of that data caused by a third party.
The cloud provider might also have some liability, depending on the nature of the loss, but the organization that shared the data with the provider retains most of the liability. Neither the data subject nor the regulator(s) have any liability for unauthorized disclosure.

13
Q

Under the European Union’s (EU’s) General Data Protection Regulation (GDPR), which of the following is the most important characteristic of the data subject’s interaction with the data controller?
A. availability
B. business
C. consent
D. decryption

A

Answer: C
According to the CSA Cloud Security Guidance v4 (page 41), the subject must provide specific, informed, and unambiguous consent in order for data processing to be legal.
The other options don’t really suit this particular context, and aren’t elements of the subject’s interaction with the controller.

14
Q

Which of the following is perhaps the best reason to conduct due diligence?
A. enhance profitability
B. reduce liability
C. raise public esteem
D. defeat dedicated attackers

A

Answer: B
Performing due diligence can reduce liability by averting accusations of negligence.
Due diligence might also lead to enhanced profitability, increased public esteem, or perhaps counter certain attacks, but this is not a direct effect, and B is the better answer.

15
Q

Which part of an audit/assessment describes the features and services included in that audit/assessment?
A. the introduction
B. the executive summary
C. the scope
D. the lessons learned

A

Answer: C
The purpose of the scope (or “scoping statement”) is to describe the features, services, and systems covered in the audit/assessment. See page 48 of the CSA Cloud Security Guidance v4.
The other options may be parts of the audit/assessment report, but do not typically include a description of the features/services which were covered.

16
Q

Contracts can generally protect from all the following types of risk except __________.
A. legal
B. reputational
C. commercial
D. hacking

A

Answer: D
By and large, hackers will not negotiate contracts with their victims; even in the cases where hackers offer to negotiate (such as in ransomware attacks), they generally should not be trusted to fulfill their agreements in good faith. All the other options are risks that can be reduced by well-negotiated contracts. See page 48 of the CSA Cloud Security Guidance v4.

17
Q

A thorough review of all contract elements (such as service agreements, schedules, and appendices) is an especially important form of due diligence in cloud managed service arrangements, because many cloud services are __________.
A. excessive
B. non-negotiable
C. ludicrous
D. illegal

A

Answer: B
Public cloud providers are particularly prone to offering non-negotiable contract terms. See page 48 of the CSA Cloud Security Guidance v4.
Contracts should not be excessive, illegal, or ludicrous.

18
Q

Third-party audits and attestations are often used to demonstrate a cloud provider’s __________ with a given standard.
A. agreement
B. compliance
C. contract
D. membership

A

Answer: B
Audits and attestations are used to demonstrate compliance with standards. See page 48 of the CSA Cloud Security Guidance v4.
Audits/attestations typically do not portray a target’s agreement, contract, or membership with a standard or standards body.

19
Q

What is the term used to describe a legal process for opposing counsel to acquire private data/documents for purposes of litigation?
A. seizure
B. invasion
C. discovery
D. surveillance

A

Answer: C
This is the definition of “discovery.” See page 48 of the CSA Cloud Security Guidance v4.
“Invasion” and “surveillance” are not common legal terms. “Seizure” is typically only performed by law enforcement entities, government bodies, or courts, not by opposing counsel during litigation.

20
Q

In some jurisdictions, if one party to a lawsuit loses, modifies, or deletes information that could be used as evidence in the suit, the jury may be instructed to __________.
A. presume that the evidence would be the worst possible information for that party’s case
B. determine what the missing information contained from whatever partial information is available
C. ignore any arguments that suggest the missing information might affect the suit in any way
D. not consider the missing information at all

A

Answer: A
This is the doctrine of “adverse inference,” and is a good reason to ensure that data discovery is performed in a thorough and careful manner. See pages 48-49 of the CSA Cloud Security Guidance v4.

21
Q

In order to present all relevant and probative data pertinent to a legal case, a cloud customer might be required to __________ data.
A. destroy
B. overpreserve
C. copy
D. interpret

A

Answer: B
This is a nuanced question: “overpreserve” is the correct answer (see page 50 of the CSA Cloud Security Guidance v4), but the process might involve copying information, so the reader might tend toward answer C. However, B is the more correct and applicable response.
During discovery, preservation, and disclosure, it is not typical for a participant to destroy or interpret data.

22
Q

Bit-by-bit imaging of cloud data for forensic purposes is generally __________.
A. required by law
B. up to the cloud customer
C. extremely expensive
D. difficult or impossible

A

Answer: D
The cloud customer does not typically have access to hardware in the cloud data center, for a variety of reasons. See page 51 of the CSA Cloud Security Guidance v4.
Laws do not typically stipulate the form of data preservation.

23
Q

In a cloud environment, it is not likely that a requesting party in litigation will have __________ the customer’s IT enterprise.
A. awareness of
B. direct access to
C. familiarity with
D. working knowledge of

A

Answer: B
Discovery and disclosure rarely require providing opposing counsel direct access to the IT environment. See page 52 of the CSA Cloud Security Guidance v4.
It is likely that litigants would be aware of and have some familiarity with the cloud IT environment of each party, and “working knowledge” is not pertinent in this context.

24
Q

In order to reliably challenge a legal order to disclose data belonging to a cloud customer, it is desirable to include a requirement for __________ in the contract.
A. the cloud provider to notify the customer of any legal requests
B. the cloud provider to deny any legal requests
C. the cloud provider to resist any search or seizure attempts
D. the cloud provider to retain counsel

A

Answer: A
A notification requirement is a useful aspect of a contract, when, where, and if it is allowed in the relevant jurisdictions. See page 53 of the CSA Cloud Security Guidance v4.
Cloud providers have no legal standing to deny or resist legal evidentiary requests. Whether or not the provider retains an attorney is irrelevant.

25
Q

Among other resources, the Cloud Security Alliance (CSA) recommends __________ for additional knowledge about legal evidentiary matters.
A. the Open Web Application Security Project (OWASP)
B. the Sedona Conference
C. your local library
D. waiting for instructions from the court where litigation occurs

A

Answer: B
The CSA recommends information from the Sedona Conference for those interested in evidentiary matters related to electronic data. See page 53 of the CSA Cloud Security Guidance v4.
OWASP is an excellent resource for web security knowledge, but is not particularly pertinent to the topic of electronic evidence. Your local library may or may not have information about evidentiary matters. It is a terrible idea to wait until litigation occurs to begin preparing for legal action.