Overall Guide 1 Flashcards
List one requirement of the Fair Credit Reporting Act (FCRA) that employers must follow in order to conduct background checks on employees.
Notify applicants about the process.
Obtain written authorization from applicants.
If a background screen includes interviews with personal contacts of the applicant to learn more about attributes such as “character” or “mode of living,” then it would be considered an investigative report under the FCRA.
Provide certification to the furnisher of background reporting information that they are in full compliance with the FCRA and all other applicable federal and state laws, including laws prohibiting discrimination.
What is active data collection?
The consumer directly fills out forms.
What is GLBA?
The Financial Services Modernization Act of 1999 is more commonly known as the Gramm–Leach–Bliley Act (GLBA) after the names of the lead lawmakers who sponsored the legislation. The GLBA establishes broad federal regulations that include information privacy and security requirements for the financial services industry.
What categories of information are protected under the Genetic Information Nondiscrimination Act (GINA)?
GINA protects personal genetic information, including any information from genetic tests or services, including prenatal health services.
What is California SB-1 (2003)?
Known as the California Financial Information Privacy Act, SB-1 (2003) builds on the Gramm–Leach–Bliley Act (GLBA) by adding additional requirements for financial institutions that operate in California.
What is the transition management phase of the employment process?
Transition management refers to the process of voluntarily or involuntarily ending an employment relationship.
Which federal court has the least superiority and which one has the greatest superiority?
In order from lesser to greater superiority: U.S. District Courts, U.S. Circuit Courts of Appeals, U.S. Supreme Court
How does the Americans with Disabilities Act (ADA) restrict employers from collecting personal data?
To protect job seekers from discrimination based on disability, the ADA prohibits employers from collecting information about disability status for use in hiring decisions.
What is anonymization?
The process of taking personal information and making it impossible to identify the individual to whom the information relates.
What is the Telecommunications Act’s definition of a carrier?
Any business that charges a fee for providing telecommunications services to the public
What is eDiscovery?
Electronic Discovery, or eDiscovery, is the process of identifying, collecting, preserving, and producing electronic records for legal proceedings.
Give three examples of removable information required by the Safe Harbor deidentification method.
Names
Web URLs
Geographic divisions and ZIP codes containing fewer than 20,000 people
The month and day of a person’s birth, death, hospital admission or discharge, or the age in years of a person over 89
Telephone numbers
Vehicle identifiers, serial numbers, and license plate numbers
Fax numbers
Device identifiers and serial numbers
Email addresses
Social Security numbers
IP addresses
Medical record numbers
Biometric identifiers
Health plan numbers
Full-face photographs
Account numbers
Certificate/license numbers
When an organization makes an unfavorable decision about a person based on a consumer report, what must the FCRA-required notice to the person include?
Contact information for the consumer reporting agency (CRA) that provided the credit report
An explanation that the CRA only furnished the information and did not play a decision-making role
An explanation of consumer rights, including the right to access the credit report, credit score, and to dispute inaccurate information
List three reasons why we should care about privacy.
Privacy is an ethical obligation.
Laws and regulations require privacy protections.
Poor privacy practices reflect poorly on an organization.
List three of the 12 high-level requirements of PCI DSS.
Install & maintain a firewall.
Do not use vendor-supplied defaults.
Protect stored cardholder data.
Encrypt cardholder data on open networks.
Use antivirus software.
Develop and maintain secure systems & applications.
Restrict access to cardholder data by need-to-know.
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.
Track & monitor all access to network resources & cardholder data.
Regularly test security systems and processes.
Maintain a policy that addresses information security.
What are the three key objectives of cybersecurity programs and what do they mean?
Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information.
Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally.
Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
When is information not personal information?
First, if the information is not about a person, then it is not personal information. Second, information is not personal information if it does not provide a way to identify the person that the information is about.
What is COPPA?
COPPA is the federal Children’s Online Privacy Protection Act, which provides special privacy protections for children under the age of 13.
What are three primary privacy roles?
Data subjects, data controllers, data processors
What kind of information is considered PII?
Personally identifiable information (PII) includes any information that uniquely identifies an individual person, including customers, employees, and third parties.
What are the 10 GAPP principles?
- Management
- Notice
- Choice and Consent
- Collection
- Use, Retention, and Disposal
- Access
- Disclosure to Third Parties
- Security for Privacy
- Quality
- Monitoring and Enforcement
What is aggregation?
The process of summarizing data about a group of individuals in a manner that makes it impossible to draw conclusions about a single person.
Give three examples of key elements that are recommended by NIST in incident response policies.
Statement of management commitment
Purpose and objectives of the policy
Scope of the policy (to whom it applies and under what circumstances)
Definition of cybersecurity incidents and related terms
Organizational structure and definition of roles, responsibilities, and level of authority
Prioritization or severity rating scheme for incidents
Performance measures for the CSIRT
Reporting and contact forms
Give three examples of special categories of personal data listed by GDPR.
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data used for the purpose of uniquely identifying a natural person
Health data
Data concerning a natural person’s sex life or sexual orientation
What is the main purpose of Title VII of the Civil Rights Act?
Title VII of the Civil Rights Act protects job seekers and employees from discrimination based on race, color, religion, national origin, or sex.
Give three examples of key differences among state data protection laws today.
The definition of personal information, timelines for breach notification, notifications to regulators
What is the scope of the Cable Communications Policy Act?
Cable television system operators
What does strict liability mean?
The strict liability standard says that a person is responsible for the consequences of their actions, even if they could not reasonably anticipate the adverse outcome.
List three practices organizations may consider to reduce compliance risk related to state-level laws.
Clean up Social Security numbers
Implement data retention and destruction practices
Document information security procedures
What is a data controller under GDPR?
A data controller is usually the entity ultimately in charge of data.
Give three examples of FERPA record types.
Grades and transcripts
Class rosters
Course schedules of individual students
Health records for minors
Financial information for higher education students
Disciplinary records
In practice, most FTC complaints are not resolved through the formal process but use two other settlement mechanisms. What are they?
The FTC and the accused company may decide to informally resolve minor complaints by adjusting the company’s business practices.
In more serious cases, the FTC and the company may enter into a consent decree. This is a formal agreement between the company and the government that dictates how the company will behave moving forward. The company does not admit guilt but enters into a formal, enforceable agreement. If the company later violates the consent decree, the FTC can bring formal legal action against the firm.
Give three examples of principal features of the Foreign Intelligence Surveillance Act (FISA).
Authorization for specific forms of surveillance
The Foreign Intelligence Surveillance Court (FISC)
Authority for warrantless surveillance
Surveillance of foreign powers
Surveillance of U.S. persons acting as agents of foreign powers
Minimization principle
Give three examples of strategies that have been developed to facilitate international data transfer.
Safe harbor programs
Binding corporate rules
Standard contractual clauses
Why might businesses choose to use third parties to conduct employee misconduct investigations?
The use of third parties may be attractive to businesses because they bring additional resources and expertise, knowledge of applicable laws, and the ability to redact irrelevant private information before furnishing reports.
TrustArc offers the TRUSTe verified privacy seal to websites that complete a three-phase process. What are these three phases?
Assessment; Remediation and Certification; Ongoing Monitoring and Guidance
List all five objectives of the containment, eradication, and recovery phase.
- Select a containment strategy appropriate to the incident circumstances.
- Implement the selected containment strategy to limit the damage caused by the incident.
- Gather additional evidence as needed to support the response effort and potential legal action.
- Identify the attackers and attacking systems.
- Eradicate the effects of the incident and recover normal business operations.
What is GPEN?
In 2007, the Organization for Economic Cooperation and Development (OECD) established the Global Privacy Enforcement Network (GPEN) and developed the GPEN Action Plan to improve international cooperation in enforcing privacy regulations in member nations.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was enacted to improve several aspects of the healthcare system, including the sharing of data among providers and insurers, the process of switching health plans, and the security and privacy of personal health information.
What are the five “functions” in the NIST cybersecurity framework?
Identify
Protect
Detect
Respond
Recover
What is the scope of CAN-SPAM?
The CAN-SPAM Act regulates all electronic commercial email messages, not only mass email marketing programs. Commercial messages under the act include any advertising messages and promotions for services or products.
What does a private right of action mean?
A private right of action means that individuals and corporations may bring cases to court for violations of a specific law.
What kind of information is included in PHI?
Protected health information (PHI) includes medical records maintained by healthcare providers and other organizations that are subject to the Health Insurance Portability and Accountability Act (HIPAA).