Overall Guide 1

Question 1

List one requirement of the Fair Credit Reporting Act (FCRA) that employers must follow in order to conduct background checks on employees.

Answer 1

Notify applicants about the process.

Obtain written authorization from applicants.

If a background screen includes interviews with personal contacts of the applicant to learn more about attributes such as “character” or “mode of living,” then it would be considered an investigative report under the FCRA

Provide certification to the furnisher of background reporting information that they are in full compliance with the FCRA and all other applicable federal and state states, including laws prohibiting discrimination.

Question 2

What is active data collection?

Answer 2

The consumer directly fills out forms.

Question 3

What is GLBA?

Answer 3

The Financial Services Modernization Act of 1999 is more commonly known as the Gramm–Leach–Bliley Act (GLBA) after the names of the lead lawmakers who sponsored the legislation. The GLBA establishes broad federal regulations that include information privacy and security requirements for the financial services industry.

Question 4

What categories of information are protected under the Genetic Information Nondiscrimination Act (GINA)?

Answer 4

GINA protects personal genetic information, including any information from genetic tests or services, including prenatal health services.

Question 5

What is California SB-1 (2003)?

Answer 5

Known as the California Financial Information Privacy Act, SB-1 (2003) builds on the Gramm–Leach–Bliley Act (GLBA) by adding additional requirements for financial institutions that operate in California.

Question 6

What is the transition management phase of the employment process?

Answer 6

Transition management refers to the process of voluntarily or involuntarily ending an employment relationship.

Question 7

Which federal court has the least superiority and which one has the greatest superiority?

Answer 7

In order from lesser to greater superiority: U.S. District Courts, U.S. Circuit Courts of Appeals, U.S. Supreme Court

Question 8

How does the Americans with Disabilities Act (ADA) restrict employers from collecting personal data?

Answer 8

To protect job seekers from discrimination based on disability, the ADA prohibits employers from collecting information about disability status for use in hiring decisions.

Question 9

What is anonymization?

Answer 9

The process of taking personal information and making it impossible to identify the individual to whom the information relates.

Question 10

What is the Telecommunications Act’s definition of a carrier?

Answer 10

Any business that charges a fee for providing telecommunications services to the public

Question 11

What is eDiscovery?

Answer 11

Electronic Discovery, or eDiscovery, is the process of identifying, collecting, preserving, and producing electronic records for legal proceedings.

Question 12

Give three examples of removable information required by the Safe Harbor deidentification method.

Answer 12

Names
Web URLs

Geographic divisions and ZIP codes containing fewer than 20,000 people

The month and day of a person’s birth, death, hospital admission or discharge or the age in years of a person over 89

Telephone numbers

Vehicle identifiers, serial numbers, and license plate numbers

Fax numbers

Device identifiers and serial numbers

Email addresses

Social Security numbers

IP addresses

Medical record numbers

Biometric identifiers

Health plan numbers

Full-face photographs

Account numbers

Certificate/license number

Question 13

When an organization makes an unfavorable decision about a person based on a consumer report, what must the FCRA-required notice to the person include?

Answer 13

Contact information for the consumer reporting agency (CRA) that provided the credit report

An explanation that the CRA only furnished the information and did not play a decision-making role

An explanation of consumer rights, including the right to access the credit report, credit score, and to dispute inaccurate information

Question 14

List three reasons why we should care about privacy.

Answer 14

Privacy is an ethical obligation.

Laws and regulations require privacy protections.

Poor privacy practices reflect poorly on an organization.

Question 15

List three of the 12 high-level requirements of PCI DSS.

Answer 15

Install & maintain a firewall

Do not use vendor-supplied defaults

Protect stored cardholder data.

Encrypt cardholder data on open networks.

Use antivirus software.

Develop and maintain secure systems & applications.

Restrict access to cardholder data by need-to-know.

Assign a unique ID to each person with computer access.

Restrict physical access to cardholder data.

Track & monitor all access to network resources & cardholder data.

Regularly test security systems and processes.

Maintain a policy that addresses information security

Question 16

What are the three key objectives of cybersecurity programs and what do they mean?

Answer 16

Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information.

Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally.

Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.

Question 17

When is information not personal information?

Answer 17

First, if the information is not about a person, then it is not personal information. Second, information is not personal information if it does not provide a way to identify the person that the information is about.

Question 18

What is COPPA?

Answer 18

COPPA is the federal Children’s Online Privacy Protection Act, which provides special privacy protections for children under the age of 13.

Question 19

What are three primary privacy roles?

Answer 19

Data subject, data controllers, data processors

Question 20

What kind of information is considered PII?

Answer 20

Personally identifiable information (PII) includes any information that uniquely identifies an individual person, including customers, employees, and third parties.

Question 21

What are the 10 GAPP principles?

Answer 21

1. Management
2. Notice
3. Choice and Consent
4. Collection
5. Use, Retention, and Disposal
6. Access
7. Disclosure to Third Parties
8. Security for Privacy
9. Quality
10. Monitoring and Enforcement

Question 22

What is aggregation?

Answer 22

The process of summarizing data about a group of individuals in a manner that makes it impossible to draw conclusions about a single person.

Question 23

Give three examples of key elements that are recommended by NIST in incident response policies

Answer 23

Statement of management commitment

Purpose and objectives of the policy

Scope of the policy (to whom it applies and under what circumstances)

Definition of cybersecurity incidents and related terms

Organizational structure and definition of roles, responsibilities, and level of authority

Prioritization or severity rating scheme for incidents

Performance measures for the CSIRT

Reporting and contact forms

Question 24

Give three examples of special categories of personal data listed by GDPR.

Answer 24

Racial or ethnic origin

Political opinions

Religious or philosophical beliefs

Trade union membership

Genetic data

Biometric data used for the purpose of uniquely identifying a natural person

Health data

Data concerning a natural person’s sex life or sexual orientation

Question 25

What is the main purpose of Title VII of the Civil Rights Act?

Answer 25

Title VII of the Civil Rights Act protects job seekers and employees from discrimination based on race, color, religion, national origin, religion, or sex.

Question 26

Give three examples of key differences among state data protection laws today.

Answer 26

The definition of personal information, timelines for breach notification, notifications to regulators

Question 27

What is the scope of the Cable Communications Policy Act?

Answer 27

Cable television system operators

Question 28

What does strict liability mean?

Answer 28

The strict liability standard says that a person is responsible for the consequences of their actions, even if they could not reasonably anticipate the adverse outcome.

Question 29

List three practices organizations may consider to reduce compliance risk related to state-level laws.

Answer 29

Clean up Social Security numbers Implement data retention and destruction practices Document information security procedures

Question 30

What is a data controller under GDPR?

Answer 30

A data controller is usually the entity ultimately in charge of data.

Question 31

Give three examples of FERPA record types.

Answer 31

Grades and transcripts Class rosters Course schedules of individual students Health records for minors Financial information for higher education students Disciplinary records

Question 32

In practice, most FTC complaints are not resolved through the formal process but use two other settlement mechanisms. What are they?

Answer 32

The FTC and the accused company may decide to informally resolve minor complaints by adjusting the company’s business practices. In more serious cases, the FTC and the company may enter into a consent decree. This is a formal agreement between the company and the government that dictates how the company will behave moving forward. The company does not admit guilt but enters into a formal, enforceable agreement. If the company later violates the consent decree, the FTC can bring formal legal action against the firm.

Question 33

Give three examples of principle features of the Foreign Intelligence Surveillance Act (FISA).

Answer 33

Authorization for specific forms of surveillance The Foreign Intelligence Surveillance Court (FISC) Authority for warrantless surveillance Surveillance of foreign powers Surveillance of U.S. persons acting as agents of foreign powers Minimization principle

Question 34

Give three examples of strategies that have been developed to facilitate international data transfer.

Answer 34

Safe harbor programs Binding corporate rules Standard contractual clauses

Question 35

Why might businesses choose to use third parties to conduct employee misconduct investigations?

Answer 35

The use of third parties may be attractive to businesses because they bring additional resources and expertise, knowledge of applicable laws, and the ability to redact irrelevant private information before furnishing reports.

Question 36

TrustArc offers the TRUSTe verified privacy seal to websites that complete a three-phase process. What are these three phases?

Answer 36

Assessment, Remediation and Certification, Ongoing Monitoring and Guidance

Question 37

List all five objectives at the containment, eradication, and recovery phase

Answer 37

1. Select a containment strategy appropriate to the incident circumstances. 2. Implement the selected containment strategy to limit the damage caused by the incident. 3. Gather additional evidence as needed to support the response effort and potential legal action. 4. Identify the attackers and attacking systems. 5. Eradicate the effects of the incident and recover normal business operations.

Question 38

What is GPEN?

Answer 38

In 2007, the Organization for Economic Cooperation and Development (OECD) developed the Global Privacy Enforcement Network (GPEN) and developed the GPEN Action Plan to improve international cooperation in enforcing privacy regulations in member nations.

Question 39

What is HIPAA?

Answer 39

The Health Insurance Portability and Accountability Act (HIPAA) was enacted to improve several aspects of the healthcare system, including the sharing of data among providers and insurers, the process of switching health plans, and the security and privacy of personal health information.

Question 40

What are the five “functions” in the NIST cybersecurity framework?

Answer 40

Identify Protect Detect Respond Recover

Question 41

What is the scope of CAN-SPAM?

Answer 41

The CAN-SPAM Act regulates all electronic commercial e-mail messages, not only mass email marketing programs. Commercial messages under the act include any advertising messages and promotions for services or products.

Question 42

What does a private right of action mean?

Answer 42

A private right of action means that individuals and corporations may bring cases to court for violations of a specific law.

Question 43

What kind of information is included in PHI?

Answer 43

Protected health information (PHI) includes medical records maintained by healthcare providers and other organizations who are subject to the Health Insurance Portability and Accountability Act (HIPAA).

Question 44

What is the scope of the Bank Secrecy Act (BSA)?

Answer 44

The BSA applies to “financial institutions,” defined broadly to include organizations such as banks, brokerages, jewelers, and even pawnbrokers.

Question 45

What are the four elements of negligence?

Answer 45

Duty of care, a breach of that duty of care, damages, causation

Question 46

What are two general forms of liability and when do they occur?

Answer 46

Criminal liability occurs when a person violates a criminal law. Civil liability occurs when one person claims that another person has failed to carry out a legal duty that they were responsible for.

Question 47

What is the purpose of the FCC?

Answer 47

The Federal Communications Commission (FCC) is the regulator responsible for interstate and international communications. The agency has the authority to regulate communications that originate or terminate in the United States and that occur over telephone, radio, television, wire, satellite, or cable.

Question 48

What does the organization need to do at the early stages of the data lifecycle?

Answer 48

At the early stages of the data lifecycle, organizations should practice data minimization, where they collect the smallest possible amount of information necessary to meet their business requirements.

Question 49

What is CalECPA?

Answer 49

The California Electronic Communications and Privacy Act, known as CalECPA, requires California law enforcement agents to obtain warrants in order to search most electronic data generated by Californians.

Question 50

What changed in Tennessee’s SB 2005 in 2016?

Answer 50

In 2016, SB 2005 updated Tennessee’s breach notification rules so that encrypted information was no longer automatically excluded from the definition of a breach of personal information.

Question 51

What are three motivating factors for firms to participate in self-regulatory schemes?

Answer 51

Genuine desire to protect the security and privacy of sensitive personal information Competitive interests in preserving the integrity of their industry against unscrupulous practices Desire to avoid government intervention by preempting possible legislation through self-regulation

Question 52

List five privacy and security requirements under U.S. federal law to protect children’s personal information.

Answer 52

Privacy policies, parental notification, parental consent, parental control, information security

Question 53

Why might some states restrict the use of credit history in employment decisions?

Answer 53

Using credit histories in employment decisions may unfairly disadvantage people from non-affluent backgrounds.

Question 54

What are three criteria to determine whether a practice is deceptive?

Answer 54

There must be a representation, omission, or practice that is likely to mislead the consumer. The practice must be examined from the perspective of a consumer acting reasonably in the circumstances The representation, omission, or practice must be material.

Question 55

What does the right to erasure mean?

Answer 55

Also known as the right to be forgotten, under the GDPR, EU data subjects have the right to ask data controllers to erase all of their personal data.

Question 56

List four characteristics that differentiate different types of cybersecurity threat actors.

Answer 56

Internal vs. External; Level of Sophistication/Capability; Resources/Funding; Intent/Motivation

Question 57

Name at least three phases of the discovery process.

Answer 57

Identification Preservation Collection Processing Review Production and Presentation

Question 58

What are four major categories of security event indicators described by NIST-800-61?

Answer 58

Alerts, logs, publicly available information, people

Question 59

What are abusive practices under the Dodd-Frank Act?

Answer 59

An abusive practice is any act that “materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service.”

Question 60

What are three circumstances in which an unauthorized disclosure of personal health information (PHI) may not be considered a breach under HIPAA?

Answer 60

If an employee of a covered entity or business associate accidently accesses PHI but was acting in good faith If more than one person authorized to access the same PHI accidentally share with one another If the covered entity or business associate has good reason to believe that no unauthorized parties will be able to retain the information

Question 61

List at least five of the nine core principles of the APEC data privacy framework.

Answer 61

Preventing Harm Notice Collection Limitation Uses of Personal Information Choice Integrity of Personal Information Security Safeguards Access and Correction Accountability

Question 62

What is the third-party doctrine?

Answer 62

When certain information is collected by third parties as part of conducting transactions, the privacy of that information is generally not protected by the U.S. Constitution.

Question 63

Name three general requirements of the HIPAA privacy rule.

Answer 63

The implementation of information privacy practices Limits use and disclosure of data without patient authorization Gives patients additional rights with respect to their medical information, including the right to view and correct their medical records

Question 64

List four of the federal agencies that share responsibility for regulating the financial industry.

Answer 64

The Consumer Financial Protection Bureau (CFPB) The Federal Reserve The National Credit Union Administration (NCUA) The Federal Deposit Insurance Corporation (FDIC) The Office of the Comptroller of the Currency

Question 65

What are the seven foundational principles of Privacy by Design?

Answer 65

1. Proactive, not Reactive; Preventive, not Remedial. 2. Privacy as the Default Setting. 3. Privacy Embedded into Design. 4. Full Functionality – Positive-Sum, not Zero-Sum. 5. End-to-End Security – Full Lifecycle Protection. 6. Visibility and Transparency – Keep It Open. 7. Respect for User Privacy – Keep It User-Centric.

Question 66

What are the two bodies of the U.S. Congress?

Answer 66

House of Representatives and Senate

Question 67

What is a data processor under GDPR?

Answer 67

A data processor is any entity that handles personal data for the data controller.

Question 68

Give one example of an exception to the Privacy Protection Act (PPA).

Answer 68

Situations where law enforcement is investigating a journalist as a suspect in a crime Cases where an immediate search might be necessary to help law enforcement prevent death or serious injury Situations where law enforcement has good reason to think that a journalist might destroy or alter important evidence if they receive advance warning

Question 69

Why was the HITECH Act passed?

Answer 69

The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009 in order to improve healthcare by bringing health systems up-to-date with modern technology.

Question 70

What are the four stages of the incident response process?

Answer 70

Preparation, Detection and Analysis, Containment Eradication and Recovery, Postincident Activity

Question 71

What is privacy according to GAPP?

Answer 71

The rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and destruction of personal information.

Question 72

What does preemption mean?

Answer 72

Preemption means that law that stems from a higher authority will take precedence over laws from a lower authority.

Question 73

What are three common features shared by marketing laws in different U.S. states?

Answer 73

State Unfair or Deceptive Acts or Practices (UDAP) laws build on the federal framework and definitions established in Section V of the FTC Act. While the FTC Act sets a nationwide set of requirements and protections, state-level laws add requirements and consumer protections above and beyond those in the FTC Act. State UDAP laws are usually enforced by state attorneys general.

Question 74

What is the FTC?

Answer 74

The Federal Trade Commission (FTC) is an independent agency that exists within the executive branch of the government but also maintains a degree of autonomy from the day-to-day workings of the executive branch.

Question 75

What are four objectives that align with the DOC’s third privacy goal to conduct robust compliance and oversight programs?

Answer 75

What are three types of HIPAA-covered entities?

Question 76

Give three examples of information that make something a credit report under the Fair Credit Reporting Act (FCRA).

Answer 76

Creditworthiness Credit standing Credit capacity Character General reputation Personal characteristics Mode of living

Question 77

What is a data importer under the GDPR?

Answer 77

A non-EU entity that receives personal information on EU data subjects from an EU data exporter

Question 78

Give three types of threat actors that security professionals encounter in their work.

Answer 78

Script kiddies, hacktivists, criminal syndicates, advanced persistent threats (APTs), insiders

Question 79

What are four goals that the US Department of Commerce (DOC) has to guide the execution of a privacy program?

Answer 79

1. Foster a culture of privacy and disclosure and demonstrate leadership through policy and partnerships. 2. Provide outreach, education, training, and reports in order to promote privacy and transparency. 3. Conduct robust compliance and oversight programs to ensure adherence to federal privacy and disclosure laws and policies in all DOC activities. 4. Develop and maintain the best privacy and disclosure professionals in the federal government.

Question 80

What is the function of a gag order in an NSL?

Answer 80

A gag order legally prohibits the recipient of a National Security Letter, such as an internet service provider (ISP), from disclosing the existence of the government’s order and the contents of the order.

Question 81

List three sources of law.

Answer 81

Constitutional law, legislation, administrative law, case law, common law, contract law

Question 82

What is the responsibility of the executive branch?

Answer 82

The executive branch of the government is led by the president and is responsible for carrying out and enforcing the laws created by the legislative branch.

Question 83

What are three key parameters of state breach notification rules?

Answer 83

Who to notify, when to notify, and how to notify

Question 84

What are three legislative components of the Electronic Communications Privacy Act (ECPA)?

Answer 84

Title I: Wiretap Act, Title II: Stored Communications Act (SCA), Title III: Pen Register and Trap and Trace Devices

Question 85

What are four preemployment screening methods mentioned in this book?

Answer 85

Personality and psychological evaluations Polygraph testing Drug and alcohol testing Social media

Question 86

What are two elements to a court’s jurisdiction?

Answer 86

Personal jurisdiction and subject matter jurisdiction

Question 87

Name three information management processes that typically occur at the end of an employment relationship.

Answer 87

Access management Records retention Responding to reference requests

Question 88

Give three examples of U.S. agencies regulating workspace privacy.

Answer 88

Federal Trade Commission (FTC) Department of Labor (DOL) Equal Employment Opportunity Commission (EEOC) National Labor Relations Board (NLRB) Occupational Safety and Health Administration (OSHA) Securities and Exchange Commission (SEC)

Question 89

Under the Right to Financial Privacy Act (RFPA), what are four circumstances in which financial institutions may be authorized to disclose financial records to the federal government?

Answer 89

Customer authorization, administrative or judicial subpoena, search warrant, formal written request

Question 90

Name one additional specific power that the president has (identified in the U.S. Constitution).

Answer 90

Serving as commander-in-chief of the U.S. military forces Granting pardons and reprieves for offenses against the United States Negotiating treaties with other nations on behalf of the United States Appointing justices to the Supreme Court, ambassadors to foreign nations, and other officers of the federal government

Question 91

What are three factors that the FTC considers when determining whether a trade practice is unfair?

Answer 91

Whether the practice injures consumers Whether the practice violates established public policy Whether the practice is unethical or unscrupulous

Question 92

Give five examples of data subject rights under the GDPR.

Answer 92

Right of access Right to rectification Right to restriction of processing Right of erasure Notification obligations Right to data portability Right to object Automated individual decision making, including profiling

Question 93

What is personal data defined by the EU’s General Data Protection Regulation (GDPR)?

Answer 93

Personal data includes any information that identifies an individual, including a person’s name, location, or any other personally identifiable characteristics.

Question 94

List four major classification categories used by the U.S. government.

Answer 94

Top secret, Secret, Confidential, Unclassified.

Question 95

What is typically included in the definition of personal information protected by state breach notification laws?

Answer 95

Typically, states define personal information to include social security numbers, financial account numbers, state identification or passport numbers. A person’s full name, or first initial and last name, linked with another piece of identifying information, is usually protected as well.

Question 96

What is personal information according to GAPP?

Answer 96

Information that is or can be about or related to an identifiable individual.

Question 97

What is a data exporter under the GDPR?

Answer 97

An entity in the EU that shares EU data subjects’ personal information outside of EU member states

Question 98

What are four legal torts that may result in a successful claim of invasion of privacy?

Answer 98

The invasion of solitude, the public disclosure of private facts, false light, appropriation

Question 99

What is an event? What is an adverse event? And what is a security incident?

Answer 99

An event is any observable occurrence in a system or network. An adverse event is any event that has negative consequences. A security incident is a violation or imminent threat of violation of security policies, acceptable use policies, or standard security practices.

Question 100

Determining whether a practice unfairly injures consumers requires the use of a three-pronged test that was documented in a 1980 FTC Policy Statement on Unfairness. What are they?

Answer 100

The injury must be substantial. The injury must not be outweighed by countervailing benefits to consumers and to competition. The injury must not be reasonably avoidable.

Question 101

Give five examples of technologies that might be used for employee monitoring.

Answer 101

Computer usage monitoring Location-based monitoring Social media tracking Biometric tracking Wellness programs

Question 102

What is a data flow diagram?

Answer 102

Serves as artifacts of the work and references for team members seeking to understand how data moves through the organization.

Question 103

What are the five main requirements of COPPA?

Answer 103

1. Privacy Policies 2. Parental Notification 3. Parental Consent 4. Parental Control 5. Information Security

Question 104

What are NSLs?

Answer 104

National Security Letters (NSLs) are a form of administrative subpoena used by the U.S. federal government to order the production of business records related to national security concerns.

Question 105

What are the three branches of the U.S. federal government?

Answer 105

Legislative branch, executive branch, and judicial branch

Question 106

What are two deidentification techniques published by HHS to achieve deidentification in accordance with the HIPAA Privacy Rule?

Answer 106

Expert determination and safe harbor

Question 107

What is passive data collection?

Answer 107

The organization gathers information from the individual automatically when they visit a website or engage in other online activity.

Question 108

What is meant by “theories of liability”?

Answer 108

Theories of liability describe the conditions that must be met for someone to be found liable of a crime or civil violation of the law.