dump Flashcards
Selfie Shenanigans is planning to implement its newest feature in the US (only). It will analyze all uploaded photos for visible signs of health issues, and the data is sold to the user’s health insurer. Which law would be least likely to be broken?
A. HIPAA
B. Children’s Online Privacy Protection Act
C. GDPR
D. HITECH
C. GDPR only applies to Europe; this scenario was in the US only
Selfie Shenanigans: You find out the website has a privacy notice that is shown before users sign up. What needs to happen?
A check needs to be performed as to whether the new practice is permitted under the privacy notice
What is the Communications Assistance for Law Enforcement Act also referred to as?
A. The Pen Register
B. The Digital Telephony Bill
C. The Wire
D. Track and Trace
B. The Digital Telephony Bill
The Communications Assistance for Law Enforcement Act (CALEA), also known as the “Digital Telephony Act,” is a United States wiretapping law passed in 1994, during the presidency of Bill Clinton.
In 2016 the FBI was quarreling with Apple. What was the quarrel about?
A. new firmware slowing down phones
B. helping gain access to the data on a seized phone
C. the tablets in the Federal Bureau of Investigation’s office could not fit the micro-SD required for the investigation
D. a cloud security breach exposing pictures of celebrities
B. Helping gain access to the data on a seized phone
What is not the result of an organization starting a privacy program?
A. awareness amongst employees
B. reduced risk of compliance issues
C. an increase in breach detection rate and breach response time
D. fully future-proof compliance with privacy legislation
D. fully future-proof compliance with privacy legislation
The word privacy is NOT mentioned in the U.S. Constitution
True/False
True
True or false?
Health insurance providers may, under some circumstances, implement higher premiums based on genetic information.
False
What is COIT?
Consumerization of information technology (COIT): Use of personal computing devices in the workplace and online services (webmail, cloud storage, social media)
Which act was passed as part of the ECPA to address interception of electronic communications in facilities where electronic communication service is provided?
A. Privacy Protection Act (PPA)
B. Stored Communications Act (SCA)
C. Communications Assistance for Law Enforcement Act (CALEA)
D. Electronic Communications Privacy Act (ECPA)
B. Stored Communications Act (SCA)
Which act requires giving a privacy notice to subscribers at the time of the initial agreement (and annually thereafter) including the nature of personal information collected, how it is used, and retention period, as well as how to access and correct information?
A. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
B. Telecommunications Act
C. Cable Communications Policy Act
D. Video Privacy Protection Act (VPPA)
C. Cable Communications Policy Act
Which of the following terms specifically means removing or blocking information from court documents?
A. Protective order
B. Protecting publicly available information (PPAI)
C. Electronic discovery
D. Redaction
D. Redaction
Which of the following are required for an entity to be considered a “business” under the California Consumer Privacy Act? Select all that apply.
A. An entity that makes $10 million in annual revenue
B. An entity that holds the personal information of 50,000 people, households or devices
C. An entity that makes at least half of its revenue from the sale of personal information
D. All of the above.
B. An entity that holds the personal information of 50,000 people, households or devices
C. An entity that makes at least half of its revenue from the sale of personal information
Which are exceptions to state breach notification laws? Select all that apply.
A. Entities subject to other, more stringent data breach notification laws
B. Entities that already follow breach notification procedures that are compatible with state law
C. Entities enrolled in self-certification programs that meet industry security standards
D. None of the above.
A. Entities subject to other, more stringent data breach notification laws
B. Entities that already follow breach notification procedures that are compatible with state law
Is there an overarching employment privacy law in the U.S.?
EXAMPLE ANSWER: There is no overarching law for employment privacy.
- Some constitutional, federal, state, tort and statutory laws impact privacy
- Contracts between employer and employee may impact privacy agreements
- There is considerable local variation and complexity on employment privacy issues
- Many U.S. labor laws mandate employee data collection and management practices, such as conducting background checks and ensuring and documenting a safe workplace environment
- Organizations also have incentives to gather information about employees and monitor the workplace to reduce the risk of being sued for negligent hiring or supervision
Under the Fair Credit Reporting Act (FCRA), which are employer requirements for obtaining a consumer report on an applicant? Select all that apply.
A. Have a permissible purpose
B. Provide notification of the intention to run a consumer report
C. Allow the applicant to receive a copy of the report
D. Obtain written authorization from the applicant
E. Use a qualified credit reporting agency
F. Provide notice to the credit reporting agency outlining the intended purpose of the report
G. Provide the applicant with notice and a copy of the report for dispute prior to adverse action
A. Have a permissible purpose
B. Provide notification of the intention to run a consumer report
C. Allow the applicant to receive a copy of the report
D. Obtain written authorization from the applicant
E. Use a qualified credit reporting agency
G. Provide the applicant with notice and a copy of the report for dispute prior to adverse action
What are the four steps involved in the development of a privacy program?
A. Discover, build, communicate, evolve
B. Research, design, build, audit
C. Brainstorm, propose, implement, follow-through
D. Test, learn, revise, monitor
A. Discover, build, communicate, evolve
Which is a provision of the Cybersecurity Information Sharing Act (CISA)? Select all that apply.
A. Companies must remove personal information before sharing
B. Companies are protected from liability for monitoring activities
C. Companies that process the personal information of 100,000 individuals or more are required to participate
D. Sharing information with the federal government does not waive privileges
E. Shared information is exempt from federal and state Freedom of Information laws
A. Companies must remove personal information before sharing
B. Companies are protected from liability for monitoring activities
D. Sharing information with the federal government does not waive privileges
E. Shared information is exempt from federal and state Freedom of Information laws
Rules that govern the collection and handling of personal information regarding internet activity can be categorized as what type of privacy?
Information privacy
True or false?
When federal laws do not provide a consumer protection that a state believes is necessary, the state may enact a law to provide the protection for its citizens.
True
Which of the following federal laws ensures that employee benefits programs are created fairly and administered properly?
A. The Health Insurance Portability and Accountability Act (HIPAA)
B. The Consolidated Omnibus Budget Reconciliation Act (COBRA)
C. The Employee Retirement Income Security Act (ERISA)
D. The Family and Medical Leave Act (FMLA)
C. The Employee Retirement Income Security Act (ERISA)
Which are provisions of the Fair Credit Reporting Act (FCRA)? Select all that apply.
A. Consumers have the ability to access and correct their information
B. Consumers may request annual updates and alerts
C. Use of consumer reports is limited to “permissible purposes”
D. Use of consumer reports is limited to three instances per six months
A. Consumers have the ability to access and correct their information
C. Use of consumer reports is limited to “permissible purposes”
You must respond to requests for information in connection with criminal investigations and litigation. Which laws do you have to comply with when responding to such requests?
EXAMPLE ANSWERS:
• Acts governing access to financial data
• The Electronic Communications Privacy Act (ECPA)
• The Communications Assistance for Law Enforcement Act (CALEA)
What is a pen register?
A. A list of consumers who have requested to be notified if their personal information is shared with law enforcement
B. A list of law enforcement personnel who may obtain sensitive personal information without a court order
C. Records kept by financial institutions on certain financial transactions
D. A device that records the telephone numbers of all outgoing calls
D. A device that records the telephone numbers of all outgoing calls
Under the Right to Financial Privacy Act (RFPA), which of the following may allow a government authority access to customer financial records? Select all that apply.
A. Appropriate formal written request from an authorized government authority
B. Appropriate administrative subpoena or summons
C. Qualified search warrant
D. Legitimate interest of an authorized government authority
E. Customer authorization
F. Appropriate judicial subpoena
A. Appropriate formal written request from an authorized government authority
B. Appropriate administrative subpoena or summons
C. Qualified search warrant
E. Customer authorization
F. Appropriate judicial subpoena
• Place limits on using company email for personal use
• Discourage conducting company business on personal devices
• Implement policies and practices for when an employee leaves the organization
True or false?
Materials submitted to courts during trials are usually publicly available
What are the pros of monitoring in the workplace? Select all that apply.
A. OSHA compliance
B. Employee morale
C. Physical security and cybersecurity
D. Training
E. Quality assurance
When a customer calls a company’s service support line and hears a recorded message that the call may be recorded for quality purposes, this qualifies as a legal exception to which act prohibiting the wiretapping of telephone calls?
A. Omnibus Crime Control and Safe Streets Act
B. Electronic Communications Privacy Act (ECPA)
C. Stored Communication Act (SCA)
D. Privacy Protection Act (PPA)
Which federal agency oversees “the welfare of the job seekers, wage earners, and retirees of the United States”?
A. Federal Trade Commission (FTC)
B. Department of Labor (DOL)
C. National Labor Relations Board (NLRB)
D. Occupational Safety and Health Act (OSHA)
E. Securities and Exchange Commission (SEC)
F. Equal Employment Opportunity Commission (EEOC)
Which is a component of the Privacy Protection Act (PPA)? Select all that apply.
A. Provides an extra layer of protection for members of the media and media organizations from government searches or seizures
B. Prohibits government officials engaged in criminal investigations from searches or seizures of media work products or documentary materials
C. Applies to government officers or employees at all levels of government
A. Provides an extra layer of protection for members of the media and media organizations from government searches or seizures
B. Prohibits government officials engaged in criminal investigations from searches or seizures of media work products or documentary materials
C. Applies to government officers or employees at all levels of government
True or false?
The Telephone Consumer Protection Act (TCPA) implements the Telemarketing Sales Rule (TSR).
What does NSL stand for?
A. National security landscape
B. National security letter
C. National security law
D. National security liability
Which act restricts accessing, using and disclosing customer proprietary network information (CPNI)?
A. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
B. Telecommunications Act
C. Cable Communications Policy Act
D. Video Privacy Protection Act (VPPA)
EXAMPLE ANSWERS:
• The collection or continued maintenance of employee data when maintaining COBRA coverage
• The types of data that might be collected and maintained when complying with FMLA
Which procedures should be considered regarding the termination of employment? Select all that apply.
A. Have a secure method to deactivate physical access badges, keys and smartcards
B. Disable access to computer accounts
C. Design IT systems to minimize disruption
D. Ensure the return of all devices and any company data that is held by the employee outside of the company’s systems
A. Have a secure method to deactivate physical access badges, keys and smartcards
B. Disable access to computer accounts
C. Design IT systems to minimize disruption
D. Ensure the return of all devices and any company data that is held by the employee outside of the company’s systems
Which of the following is an agreement or settlement that resolves a dispute between two parties without admission of guilt or liability?
A. Common law
B. Tort law
C. Contract law
D. Consent decree
Which of the following are definitions used by federal agencies for entities considered ‘processors’ who process personal data on behalf of a controller?
a. Business associate
b. Service provider
c. Encryptor
d. Only a and b
d. Only a and b
Situations that would require an express affirmative consent (opt-in), under the FTC’s guidance, prior to making the change include:
a. Sharing consumer information with a third party after committing at the time of collection not to share the data
b. Making material changes to privacy practices that differ from the practices outlined in the privacy notice given to consumers at the time of collection
c. Changing a third-party vendor for activities outlined in the privacy notice given to customers at the time of collection
d. Only a and b
d. Only a and b
Which of the following BEST describes a situation that would warrant an organization offering ‘no consumer choice’ or ‘no option’ to a consumer in sharing personal information with a third party?
a. To process a transaction
b. To market its own products to the consumer
c. To respond to a legitimate legal request
d. All of the above
d. All of the above
Which of the following is NOT generally a challenge in managing user preferences for opting in or out?
a. Mechanism for consumer to provide opt-in or out
b. Identifying the consumer who requested the opt-in or out
c. Linking a user’s interactions through multiple channels throughout the organization
d. Scope or how broadly the user preference will apply
b. Identifying the consumer who requested the opt-in or out
Which of the following is NOT generally a challenge in managing user preferences for opting in or out?
a. Confirming the consumer’s opt-out or opt-in
b. Ensuring the time period for the opt-out or opt-in meets legal requirements
c. Linking a user’s interactions through multiple channels throughout the organization
d. Ensuring third-party vendors process PI according to user preferences expressed to the data controller
a. Confirming the consumer’s opt-out or opt-in
Under the APEC Principles, when an organization is establishing its guidelines related to access requests, which of the following should individuals be able to do?
a. Obtain a response as to whether or not the organization has their personal information
b. Obtain the personal information the organization has about them within a reasonable time, at no or minimal charge, in a reasonable manner, and in a form that’s easy to understand
c. Challenge the information held about them and have inaccuracies corrected
d. All of the above
d. All of the above
Which act was passed during the Cold War to enable national security agencies to track the activities of agents of the Soviet Union and its foreign allies?
A. USA PATRIOT Act
B. Foreign Intelligence Surveillance Act (FISA)
C. Cybersecurity Information Sharing Act (CISA)
D. USA FREEDOM Act
Which of the following has provided standards and best practices for managing electronic discovery compliance through data retention policies?
A. “E-discovery” rules
B. The Hague Convention on the Taking of Evidence
C. The Sedona Conference
D. The GDPR
True or false?
All U.S. state laws preempt federal laws.
Which amendment to the United States Constitution articulates many of the fundamental concepts used by privacy professionals in the U.S.?
A. First Amendment
B. Second Amendment
C. Third Amendment
D. Fourth Amendment
In the event of a data breach, Connecticut’s breach notification law defines personal information as the first name (or initial) and last name in combination with one or more what? Select all that apply.
A. Social Security number
B. Driver’s license number
C. Mailing address
D. Phone number
E. Bank account or card number in combination with a security or access code
A. Social Security number
B. Driver’s license number
E. Bank account or card number in combination with a security or access code
Which federal agency is the most visible proponent of privacy concerns in the U.S.?
A. Department of Commerce (DOC)
B. Department of Homeland Security (DHS)
C. Office for Civil Rights (HHS)
D. Federal Trade Commission (FTC)
• Algorithms
• Artificial intelligence
• Predictive analytics
What does MSCM stand for?
A. Multi-storage cached media
B. Microdata sets for customer metrics
C. Mobile service commercial message
D. Model for secure cyber metadata
What theory of legal liability is described as the absence of or failure to exercise proper or ordinary care?
A. Defamation
B. Negligence
C. Breach of warranty
D. Strict tort liability
True or false?
The Employee Polygraph Protection Act (EPPA) prohibits employers from using lie detectors and taking adverse action against an employee who refuses to take a test.
During which decade did the FTC’s perspective evolve into a harm-based model?
A. 1980s
B. 1990s
C. 2000s
D. 2010s
How can courts prohibit the disclosure of personal information used or generated in litigation?
A. The court can issue a protective order
B. The court can issue a restrictive order
C. The court can issue a reactive order
D. The court can issue a national security letter