Domain 3: Legal Issues, Contracts, and Electronic Discovery

Question 1

Which of the following is probably the best way to address your organization’s particular legal issues?
A. Get an account for a legal review service, such as Westlaw or Lexis/Nexis
B. Perform personal research on the Internet
C. Download the laws of each country where you organization operates
D. Consult with an attorney in the jurisdiction(s) where your organization operates

Answer 1

Answer: D
Lawyers will have much more capability to handle legal issues than security practitioners. See page 36 of the CSA Cloud Security Guidance v4.
All the other options may be beneficial, but not as useful as consulting attorneys.

Question 2

Who is the original owner of privacy data?
A. The subject
B. The processor
C. The controller
D. The regulator

Answer 2

Answer: A
The subject is the original owner of privacy data.
All the other options list parties that might be responsible for either protecting the data or the subject’s rights, but are not the original owner.

Question 3

Countries/regions may have either __________ or __________ privacy laws [select two].
A. optional
B. omnibus
C. hierarchical
D. advantageous
E. placid
F. internal
G. sectoral

Answer 3

Answer: B, G
Privacy laws either cover everyone in a country/region (such as the European Union’s General Data Protection Regulation [GDPR]), which are omnibus, or address particular industries/occupations (such as the Health Information Protection and Availability Act [HIPAA] in the US), which are sectoral. See page 38 of the CSA Cloud Security Guidance v4.
The other options are terms that have no meaning in this context.

Question 4

Under many privacy laws, personal data can only be sent to another country if the receiving country’s laws offer __________.
A. reciprocity
B. adequate level of protection
C. cash awards
D. full encryption and secure data storage

Answer 4

Answer: B
Many privacy laws require that the national laws in countries receiving personal data have similar requirements, and therefore offer individuals an “adequate level of protection.” See page 38 of the CSA Cloud Security Guidance v4.
“Reciprocity” suggests both countries honor each other’s laws, which would be nice but is not typically the case. I don’t know of any laws that require cash payment as part of cross-border transfer. And while encryption and secure storage might be typical controls for personal data, and even included in some privacy laws, “adequate protection” is the more general answer, and therefore more correct in this case.

Question 5

In some countries, privacy laws require that data be stored __________.
A. in plain text
B. within the country’s borders
C. in the cloud
D. in a proprietary format

Answer 5

Answer: B
Some privacy laws (such as Russia’s and China’s) require personal citizen data to be kept within the country which created the law. See page 38 of the CSA Cloud Security Guidance v4.
Privacy laws don’t typically specify the format of stored, or whether the data should be stored in a traditional or cloud environment.

Question 6

Which country/region does not have an omnibus personal privacy law?
A. Australia
B. The European Union
C. Argentina
D. The United States

Answer 6

Answer: D
The US does not have an omnibus personal privacy law; instead, personal privacy in the US is addressed by a patchwork of sectoral federal and state laws.
Australia, the EU, and Argentina all have strict personal privacy laws (and some have more than one).

Question 7

Which country/region does not have an omnibus personal privacy law?
A. China
B. Canada
C. Japan
D. Chile

Answer 7

Answer: C
Japan has sectoral laws instead of an omnibus federal personal privacy law. See page 40 of the CSA Cloud Security Guidance v4.
China, Canada, and Chile all have omnibus federal personal privacy laws.

Question 8

Which of the following is not true about the European Union’s (EU’S) General Data Protection Regulation (GDPR)?
A. it applies to all entities processing EU citizen personal data
B. it only applies within the EU and the Commonwealth
C. it treats personal privacy as a fundamental human right
D. it regulates cross-border data transfer to countries outside the EU

Answer 8

Answer: B
The GDPR is applicable globally. How this may affect questions of national sovereignty has yet to be determined. See pages 41-42 of the CSA Cloud Security Guidance v4.
All the other options are true statements about the GDPR.

Question 9

According to the European Union’s (EU’S) General Data Protection Regulation (GDPR), breaches involving personal data must be reported to authorities within __________ of detection.
A. 72 hours
B. one week
C. one day
D. 24 hours

Answer 9

Answer: A
See page 42 of the CSA Cloud Security Guidance v4.

Question 10

Any company violating the European Union’s (EU’S) General Data Protection Regulation (GDPR) may face monetary penalties of up to __________.
A. 100 million euros
B. 4% of that company’s annual global gross revenue
C. half of its operating capital
D. 10,000 euros per customer affected

Answer 10

Answer: B
The cap for penalties is 20 million euros. See page 42 of the CSA Cloud Security Guidance v4.

Question 11

Contractual obligations for companies operating in the cloud might derive from all of the following except __________.
A. a terms of service statement
B. a privacy statement
C. contracts the company has with third parties
D. international law

Answer 11

Answer: D
International law creates a legal obligation, not a contractual obligation. All the other options are sources of contractual obligations. See page 45 of the CSA Cloud Security Guidance v4.

Question 12

If an organization contracts with a cloud provider to manage personal data, who is generally liable for any damages caused by unauthorized disclosure of that data, under most privacy laws?
A. the cloud provider
B. the data subject
C. regulators
D. the organization

Answer 12

Answer: D
Under most privacy laws, the organization that originally collected or created the sensitive data set is legally responsible for the disposition of that data, to include any loss of that data caused by a third party.
The cloud provider might also have some liability, depending on the nature of the loss, but the organization that shared the data with the provider retains most of the liability. Neither the data subject nor the regulator(s) have any liability for unauthorized disclosure.

Question 13

Under the European Union’s (EU’s) General Data Protection Regulation (GDPR), which of the following is the most important characteristic of the data subject’s interaction with the data controller?
A. availability
B. business
C. consent
D. decryption

Answer 13

Answer: C
According to the CSA Cloud Security Guidance v4 (page 41), the subject must provide specific, informed, and unambiguous consent in order for data processing to be legal.
The other options don’t really suit this particular context, and aren’t elements of the subject’s interaction with the controller.

Question 14

Which of the following is perhaps the best reason to conduct due diligence?
A. enhance profitability
B. reduce liability
C. raise public esteem
D. defeat dedicated attackers

Answer 14

Answer: B
Performing due diligence can reduce liability by averting accusations of negligence.
Due diligence might also lead to enhanced profitability, increased public esteem, or perhaps counter certain attacks, but this is not a direct effect, and B is the better answer.

Question 15

Which part of an audit/assessment describes the features and services included in that audit/assessment?
A. the introduction
B. the executive summary
C. the scope
D. the lessons learned

Answer 15

Answer: C
The purpose of the scope (or “scoping statement”) is to describe the features, services, and systems covered in the audit/assessment. See page 48 of the CSA Cloud Security Guidance v4.
The other options may be parts of the audit/assessment report, but do not typically include a description of the features/services which were covered.

Question 16

Contracts can generally protect from all the following types of risk except __________.
A. legal
B. reputational
C. commercial
D. hacking

Answer 16

Answer: D
By and large, hackers will not negotiate contracts with their victims; even in the cases where hackers will offer to negotiate (such as in ransomware attacks), hackers generally should not be trusted to fulfill their contracts in good faith. All the other options are risks that can be reduced by negotiated good contracts. See page 48 of the CSA Cloud Security Guidance v4.

Question 17

A thorough review of all contract elements (such as service agreements, schedules, and appendices) is an especially important form of due diligence in cloud managed service arrangements, because many cloud services are __________.
A. excessive
B. non-negotiable
C. ludicrous
D. illegal

Answer 17

Answer: B
Public cloud providers are particularly prone to offering non-negotiable contract terms. See page 48 of the CSA Cloud Security Guidance v4.
Contracts should not be excessive, illegal, or ludicrous.

Question 18

Third-party audits and attestations are often used to demonstrate a cloud provider’s __________ with a given standard.
A. agreement
B. compliance
C. contract
D. membership

Answer 18

Answer: B
Audits and attestations are used to demonstrate compliance with standards. See page 48 of the CSA Cloud Security Guidance v4.
Audits/attestations typically do not portray a target’s agreement, contract, or membership with a standard or standards body.

Question 19

What is the term used to describe a legal process for opposing counsel to acquire private data/documents for purposes of litigation?
A. seizure
B. invasion
C. discovery
D. surveillance

Answer 19

Answer: C
This is the definition of “discovery.” See page 48 of the CSA Cloud Security Guidance v4.
“Invasion” and “surveillance” are not common legal terms. “Seizure” is typically only performed by law enforcement entities, government bodies, or courts, not by opposing counsel during litigation.

Question 20

In some jurisdictions, if one party to a lawsuit loses, modifies, or deletes information that could be used as evidence in the suit, the jury may be instructed to __________.
A. presume that the evidence would be the worst possible information for that party’s case
B. determine what the missing information contained from whatever partial information is available
C. ignore any arguments that suggest the missing information might affect the suit in any way
D. not consider the missing information at all

Answer 20

Answer: A
This is the doctrine of “adverse inference,” and is a good reason to ensure that data discovery is performed in a thorough and careful manner. See pages 48-49 of the CSA Cloud Security Guidance v4.

Question 21

In order to present all relevant and probative data pertinent to a legal case, a cloud customer might be required to __________ data.
A. destroy
B. overpreserve
C. copy
D. interpret

Answer 21

Answer: B
This is a nuanced question, because “overpreserve” is the correct answer (see page 50 of the CSA Cloud Security Guidance v4), the process might involve copying information, so the reader might tend toward answer C. However, B is the more correct and applicable response.
During discovery, preservation, and disclosure, it is not typical for a participant to destroy or interpret data.

Question 22

Bit-by-bit imaging of cloud data for forensic purposes is generally __________.
A. required by law
B. up to the cloud customer
C. extremely expensive
D. difficult or impossible

Answer 22

Answer: D
The cloud customer does not typically have access to hardware in the cloud data center, for a variety of reasons. See page 51 of the CSA Cloud Security Guidance v4.
Laws do not typically stipulate the form of data preservation.

Question 23

In a cloud environment, it is not likely that a requesting party in litigation will have __________ the customer’s IT enterprise.
A. awareness of
B. direct access to
C. familiarity with
D. working knowledge of

Answer 23

Answer: B
Discovery and disclosure rarely require providing opposing counsel direct access to the IT environment. See page 52 of the CSA Cloud Security Guidance v4.
It is likely that litigants would be aware of and have some familiarity with the cloud IT environment of each party, and “working knowledge” is not pertinent in this context.

Question 24

In order to reliably challenge a legal order to disclose data belonging to a cloud customer, it is desirable to include a requirement for __________ in the contract.
A. the cloud provider to notify the customer of any legal requests
B. the cloud provider to deny any legal requests
C. the cloud provider to resist any search or seizure attempts
D. the cloud provider to retain counsel

Answer 24

Answer: A
A notification requirement is a useful aspect of a contract, when, where, and if it is allowed in the relevant jurisdictions. See page 53 of the CSA Cloud Security Guidance v4.
Cloud providers have no legal standing to deny or resist legal evidentiary requests. Whether or not the provider retains an attorney is irrelevant.

Question 25

Among other resources, the Cloud Security Alliance (CSA) recommends __________ for additional knowledge about legal evidentiary matters.
A. the Open Web Application Security Project (OWASP)
B. the Sedona Conference
C. your local library
D. waiting for instructions from the court where litigation occurs

Answer 25

Answer: B
The CSA recommends information from the Sedona Conference for those interested in evidentiary matters related to electronic data. See page 53 of the CSA Cloud Security Guidance v4.
OWASP is an excellent resource for web security knowledge, but is not particularly pertinent to the topic of electronic evidence. Your local library may or may not have information about evidentiary matters. It is a terrible idea to wait until litigation occurs to begin preparing for legal action.