Overall Guide 1 Flashcards
List one requirement of the Fair Credit Reporting Act (FCRA) that employers must follow in order to conduct background checks on employees.
Notify applicants about the process.
Obtain written authorization from applicants.
If a background screen includes interviews with personal contacts of the applicant to learn more about attributes such as “character” or “mode of living,” then it would be considered an investigative report under the FCRA.
Provide certification to the furnisher of background reporting information that they are in full compliance with the FCRA and all other applicable federal and state laws, including laws prohibiting discrimination.
What is active data collection?
The consumer directly fills out forms.
What is GLBA?
The Financial Services Modernization Act of 1999 is more commonly known as the Gramm–Leach–Bliley Act (GLBA) after the names of the lead lawmakers who sponsored the legislation. The GLBA establishes broad federal regulations that include information privacy and security requirements for the financial services industry.
What categories of information are protected under the Genetic Information Nondiscrimination Act (GINA)?
GINA protects personal genetic information, including any information from genetic tests or services, including prenatal health services.
What is California SB-1 (2003)?
Known as the California Financial Information Privacy Act, SB-1 (2003) builds on the Gramm–Leach–Bliley Act (GLBA) by adding additional requirements for financial institutions that operate in California.
What is the transition management phase of the employment process?
Transition management refers to the process of voluntarily or involuntarily ending an employment relationship.
Which federal court has the least superiority and which one has the greatest superiority?
In order from lesser to greater superiority: U.S. District Courts, U.S. Circuit Courts of Appeals, U.S. Supreme Court
How does the Americans with Disabilities Act (ADA) restrict employers from collecting personal data?
To protect job seekers from discrimination based on disability, the ADA prohibits employers from collecting information about disability status for use in hiring decisions.
What is anonymization?
The process of taking personal information and making it impossible to identify the individual to whom the information relates.
What is the Telecommunications Act’s definition of a carrier?
Any business that charges a fee for providing telecommunications services to the public
What is eDiscovery?
Electronic Discovery, or eDiscovery, is the process of identifying, collecting, preserving, and producing electronic records for legal proceedings.
Give three examples of removable information required by the Safe Harbor deidentification method.
Names
Web URLs
Geographic divisions and ZIP codes containing fewer than 20,000 people
The month and day of a person’s birth, death, hospital admission or discharge or the age in years of a person over 89
Telephone numbers
Vehicle identifiers, serial numbers, and license plate numbers
Fax numbers
Device identifiers and serial numbers
Email addresses
Social Security numbers
IP addresses
Medical record numbers
Biometric identifiers
Health plan numbers
Full-face photographs
Account numbers
Certificate/license number
When an organization makes an unfavorable decision about a person based on a consumer report, what must the FCRA-required notice to the person include?
Contact information for the consumer reporting agency (CRA) that provided the credit report
An explanation that the CRA only furnished the information and did not play a decision-making role
An explanation of consumer rights, including the right to access the credit report, credit score, and to dispute inaccurate information
List three reasons why we should care about privacy.
Privacy is an ethical obligation.
Laws and regulations require privacy protections.
Poor privacy practices reflect poorly on an organization.
List three of the 12 high-level requirements of PCI DSS.
Install & maintain a firewall
Do not use vendor-supplied defaults
Protect stored cardholder data.
Encrypt cardholder data on open networks.
Use antivirus software.
Develop and maintain secure systems & applications.
Restrict access to cardholder data by need-to-know.
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.
Track & monitor all access to network resources & cardholder data.
Regularly test security systems and processes.
Maintain a policy that addresses information security
What are the three key objectives of cybersecurity programs and what do they mean?
Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information.
Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally.
Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
When is information not personal information?
First, if the information is not about a person, then it is not personal information. Second, information is not personal information if it does not provide a way to identify the person that the information is about.
What is COPPA?
COPPA is the federal Children’s Online Privacy Protection Act, which provides special privacy protections for children under the age of 13.
What are three primary privacy roles?
Data subjects, data controllers, data processors
What kind of information is considered PII?
Personally identifiable information (PII) includes any information that uniquely identifies an individual person, including customers, employees, and third parties.
What are the 10 GAPP principles?
- Management
- Notice
- Choice and Consent
- Collection
- Use, Retention, and Disposal
- Access
- Disclosure to Third Parties
- Security for Privacy
- Quality
- Monitoring and Enforcement
What is aggregation?
The process of summarizing data about a group of individuals in a manner that makes it impossible to draw conclusions about a single person.
Give three examples of key elements that are recommended by NIST in incident response policies
Statement of management commitment
Purpose and objectives of the policy
Scope of the policy (to whom it applies and under what circumstances)
Definition of cybersecurity incidents and related terms
Organizational structure and definition of roles, responsibilities, and level of authority
Prioritization or severity rating scheme for incidents
Performance measures for the CSIRT
Reporting and contact forms
Give three examples of special categories of personal data listed by GDPR.
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data used for the purpose of uniquely identifying a natural person
Health data
Data concerning a natural person’s sex life or sexual orientation
What is the main purpose of Title VII of the Civil Rights Act?
Title VII of the Civil Rights Act protects job seekers and employees from discrimination based on race, color, religion, national origin, or sex.
Give three examples of key differences among state data protection laws today.
The definition of personal information, timelines for breach notification, notifications to regulators
What is the scope of the Cable Communications Policy Act?
Cable television system operators
What does strict liability mean?
The strict liability standard says that a person is responsible for the consequences of their actions, even if they could not reasonably anticipate the adverse outcome.
List three practices organizations may consider to reduce compliance risk related to state-level laws.
Clean up Social Security numbers
Implement data retention and destruction practices
Document information security procedures
What is a data controller under GDPR?
A data controller is usually the entity ultimately in charge of data.
Give three examples of FERPA record types.
Grades and transcripts
Class rosters
Course schedules of individual students
Health records for minors
Financial information for higher education students
Disciplinary records
In practice, most FTC complaints are not resolved through the formal process but use two other settlement mechanisms. What are they?
The FTC and the accused company may decide to informally resolve minor complaints by adjusting the company’s business practices.
In more serious cases, the FTC and the company may enter into a consent decree. This is a formal agreement between the company and the government that dictates how the company will behave moving forward. The company does not admit guilt but enters into a formal, enforceable agreement. If the company later violates the consent decree, the FTC can bring formal legal action against the firm.
Give three examples of principal features of the Foreign Intelligence Surveillance Act (FISA).
Authorization for specific forms of surveillance
The Foreign Intelligence Surveillance Court (FISC)
Authority for warrantless surveillance
Surveillance of foreign powers
Surveillance of U.S. persons acting as agents of foreign powers
Minimization principle
Give three examples of strategies that have been developed to facilitate international data transfer.
Safe harbor programs
Binding corporate rules
Standard contractual clauses
Why might businesses choose to use third parties to conduct employee misconduct investigations?
The use of third parties may be attractive to businesses because they bring additional resources and expertise, knowledge of applicable laws, and the ability to redact irrelevant private information before furnishing reports.
TrustArc offers the TRUSTe verified privacy seal to websites that complete a three-phase process. What are these three phases?
Assessment, Remediation and Certification, Ongoing Monitoring and Guidance
List all five objectives at the containment, eradication, and recovery phase
- Select a containment strategy appropriate to the incident circumstances.
- Implement the selected containment strategy to limit the damage caused by the incident.
- Gather additional evidence as needed to support the response effort and potential legal action.
- Identify the attackers and attacking systems.
- Eradicate the effects of the incident and recover normal business operations.
What is GPEN?
In 2007, the Organization for Economic Cooperation and Development (OECD) developed the Global Privacy Enforcement Network (GPEN) and developed the GPEN Action Plan to improve international cooperation in enforcing privacy regulations in member nations.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was enacted to improve several aspects of the healthcare system, including the sharing of data among providers and insurers, the process of switching health plans, and the security and privacy of personal health information.
What are the five “functions” in the NIST cybersecurity framework?
Identify
Protect
Detect
Respond
Recover
What is the scope of CAN-SPAM?
The CAN-SPAM Act regulates all electronic commercial e-mail messages, not only mass email marketing programs. Commercial messages under the act include any advertising messages and promotions for services or products.
What does a private right of action mean?
A private right of action means that individuals and corporations may bring cases to court for violations of a specific law.
What kind of information is included in PHI?
Protected health information (PHI) includes medical records maintained by healthcare providers and other organizations who are subject to the Health Insurance Portability and Accountability Act (HIPAA).
What is the scope of the Bank Secrecy Act (BSA)?
The BSA applies to “financial institutions,” defined broadly to include organizations such as banks, brokerages, jewelers, and even pawnbrokers.
What are the four elements of negligence?
Duty of care, a breach of that duty of care, damages, causation
What are two general forms of liability and when do they occur?
Criminal liability occurs when a person violates a criminal law.
Civil liability occurs when one person claims that another person has failed to carry out a legal duty that they were responsible for.
What is the purpose of the FCC?
The Federal Communications Commission (FCC) is the regulator responsible for interstate and international communications. The agency has the authority to regulate communications that originate or terminate in the United States and that occur over telephone, radio, television, wire, satellite, or cable.
What does the organization need to do at the early stages of the data lifecycle?
At the early stages of the data lifecycle, organizations should practice data minimization, where they collect the smallest possible amount of information necessary to meet their business requirements.
What is CalECPA?
The California Electronic Communications and Privacy Act, known as CalECPA, requires California law enforcement agents to obtain warrants in order to search most electronic data generated by Californians.
What changed in Tennessee’s SB 2005 in 2016?
In 2016, SB 2005 updated Tennessee’s breach notification rules so that encrypted information was no longer automatically excluded from the definition of a breach of personal information.
What are three motivating factors for firms to participate in self-regulatory schemes?
Genuine desire to protect the security and privacy of sensitive personal information
Competitive interests in preserving the integrity of their industry against unscrupulous practices
Desire to avoid government intervention by preempting possible legislation through self-regulation
List five privacy and security requirements under U.S. federal law to protect children’s personal information.
Privacy policies, parental notification, parental consent, parental control, information security
Why might some states restrict the use of credit history in employment decisions?
Using credit histories in employment decisions may unfairly disadvantage people from non-affluent backgrounds.
What are three criteria to determine whether a practice is deceptive?
There must be a representation, omission, or practice that is likely to mislead the consumer.
The practice must be examined from the perspective of a consumer acting reasonably in the circumstances
The representation, omission, or practice must be material.
What does the right to erasure mean?
Also known as the right to be forgotten, under the GDPR, EU data subjects have the right to ask data controllers to erase all of their personal data.
List four characteristics that differentiate different types of cybersecurity threat actors.
Internal vs. External; Level of Sophistication/Capability; Resources/Funding; Intent/Motivation
Name at least three phases of the discovery process.
Identification
Preservation
Collection
Processing
Review
Production and Presentation
What are four major categories of security event indicators described by NIST-800-61?
Alerts, logs, publicly available information, people
What are abusive practices under the Dodd-Frank Act?
An abusive practice is any act that “materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service.”
What are three circumstances in which an unauthorized disclosure of personal health information (PHI) may not be considered a breach under HIPAA?
If an employee of a covered entity or business associate accidentally accesses PHI but was acting in good faith
If more than one person authorized to access the same PHI accidentally share it with one another
If the covered entity or business associate has good reason to believe that no unauthorized parties will be able to retain the information
List at least five of the nine core principles of the APEC data privacy framework.
Preventing Harm
Notice
Collection Limitation
Uses of Personal Information
Choice
Integrity of Personal Information
Security Safeguards
Access and Correction
Accountability
What is the third-party doctrine?
When certain information is collected by third parties as part of conducting transactions, the privacy of that information is generally not protected by the U.S. Constitution.
Name three general requirements of the HIPAA privacy rule.
Requires the implementation of information privacy practices
Limits use and disclosure of data without patient authorization
Gives patients additional rights with respect to their medical information, including the right to view and correct their medical records
List four of the federal agencies that share responsibility for regulating the financial industry.
The Consumer Financial Protection Bureau (CFPB)
The Federal Reserve
The National Credit Union Administration (NCUA)
The Federal Deposit Insurance Corporation (FDIC)
The Office of the Comptroller of the Currency
What are the seven foundational principles of Privacy by Design?
- Proactive, not Reactive; Preventive, not Remedial.
- Privacy as the Default Setting.
- Privacy Embedded into Design.
- Full Functionality – Positive-Sum, not Zero-Sum.
- End-to-End Security – Full Lifecycle Protection.
- Visibility and Transparency – Keep It Open.
- Respect for User Privacy – Keep It User-Centric.
What are the two bodies of the U.S. Congress?
House of Representatives and Senate
What is a data processor under GDPR?
A data processor is any entity that handles personal data for the data controller.
Give one example of an exception to the Privacy Protection Act (PPA).
Situations where law enforcement is investigating a journalist as a suspect in a crime
Cases where an immediate search might be necessary to help law enforcement prevent death or serious injury
Situations where law enforcement has good reason to think that a journalist might destroy or alter important evidence if they receive advance warning
Why was the HITECH Act passed?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009 in order to improve healthcare by bringing health systems up-to-date with modern technology.
What are the four stages of the incident response process?
Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity
What is privacy according to GAPP?
The rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and destruction of personal information.
What does preemption mean?
Preemption means that law that stems from a higher authority will take precedence over laws from a lower authority.
What are three common features shared by marketing laws in different U.S. states?
State Unfair or Deceptive Acts or Practices (UDAP) laws build on the federal framework and definitions established in Section V of the FTC Act.
While the FTC Act sets a nationwide set of requirements and protections, state-level laws add requirements and consumer protections above and beyond those in the FTC Act.
State UDAP laws are usually enforced by state attorneys general.
What is the FTC?
The Federal Trade Commission (FTC) is an independent agency that exists within the executive branch of the government but also maintains a degree of autonomy from the day-to-day workings of the executive branch.
What are four objectives that align with the DOC’s third privacy goal to conduct robust compliance and oversight programs?
What are three types of HIPAA-covered entities?
Give three examples of information that makes something a credit report under the Fair Credit Reporting Act (FCRA).
Creditworthiness
Credit standing
Credit capacity
Character
General reputation
Personal characteristics
Mode of living
What is a data importer under the GDPR?
A non-EU entity that receives personal information on EU data subjects from an EU data exporter
Give three types of threat actors that security professionals encounter in their work.
Script kiddies, hacktivists, criminal syndicates, advanced persistent threats (APTs), insiders
What are four goals that the US Department of Commerce (DOC) has to guide the execution of a privacy program?
- Foster a culture of privacy and disclosure and demonstrate leadership through policy and partnerships.
- Provide outreach, education, training, and reports in order to promote privacy and transparency.
- Conduct robust compliance and oversight programs to ensure adherence to federal privacy and disclosure laws and policies in all DOC activities.
- Develop and maintain the best privacy and disclosure professionals in the federal government.
What is the function of a gag order in an NSL?
A gag order legally prohibits the recipient of a National Security Letter, such as an internet service provider (ISP), from disclosing the existence of the government’s order and the contents of the order.
List three sources of law.
Constitutional law, legislation, administrative law, case law, common law, contract law
What is the responsibility of the executive branch?
The executive branch of the government is led by the president and is responsible for carrying out and enforcing the laws created by the legislative branch.
What are three key parameters of state breach notification rules?
Who to notify, when to notify, and how to notify
What are three legislative components of the Electronic Communications Privacy Act (ECPA)?
Title I: Wiretap Act, Title II: Stored Communications Act (SCA), Title III: Pen Register and Trap and Trace Devices
What are four preemployment screening methods mentioned in this book?
Personality and psychological evaluations
Polygraph testing
Drug and alcohol testing
Social media
What are two elements to a court’s jurisdiction?
Personal jurisdiction and subject matter jurisdiction
Name three information management processes that typically occur at the end of an employment relationship.
Access management
Records retention
Responding to reference requests
Give three examples of U.S. agencies regulating workplace privacy.
Federal Trade Commission (FTC)
Department of Labor (DOL)
Equal Employment Opportunity Commission (EEOC)
National Labor Relations Board (NLRB)
Occupational Safety and Health Administration (OSHA)
Securities and Exchange Commission (SEC)
Under the Right to Financial Privacy Act (RFPA), what are four circumstances in which financial institutions may be authorized to disclose financial records to the federal government?
Customer authorization, administrative or judicial subpoena, search warrant, formal written request
Name one additional specific power that the president has (identified in the U.S. Constitution).
Serving as commander-in-chief of the U.S. military forces
Granting pardons and reprieves for offenses against the United States
Negotiating treaties with other nations on behalf of the United States
Appointing justices to the Supreme Court, ambassadors to foreign nations, and other officers of the federal government
What are three factors that the FTC considers when determining whether a trade practice is unfair?
Whether the practice injures consumers
Whether the practice violates established public policy
Whether the practice is unethical or unscrupulous
Give five examples of data subject rights under the GDPR.
Right of access
Right to rectification
Right to restriction of processing
Right of erasure
Notification obligations
Right to data portability
Right to object
Automated individual decision making, including profiling
How is personal data defined by the EU’s General Data Protection Regulation (GDPR)?
Personal data includes any information that identifies an individual, including a person’s name, location, or any other personally identifiable characteristics.
List four major classification categories used by the U.S. government.
Top secret, Secret, Confidential, Unclassified.
What is typically included in the definition of personal information protected by state breach notification laws?
Typically, states define personal information to include social security numbers, financial account numbers, state identification or passport numbers. A person’s full name, or first initial and last name, linked with another piece of identifying information, is usually protected as well.
What is personal information according to GAPP?
Information that is or can be about or related to an identifiable individual.
What is a data exporter under the GDPR?
An entity in the EU that shares EU data subjects’ personal information outside of EU member states
What are four legal torts that may result in a successful claim of invasion of privacy?
The invasion of solitude, the public disclosure of private facts, false light, appropriation
What is an event? What is an adverse event? And what is a security incident?
An event is any observable occurrence in a system or network.
An adverse event is any event that has negative consequences.
A security incident is a violation or imminent threat of violation of security policies, acceptable use policies, or standard security practices.
Determining whether a practice unfairly injures consumers requires the use of a three-pronged test that was documented in a 1980 FTC Policy Statement on Unfairness. What are they?
The injury must be substantial.
The injury must not be outweighed by countervailing benefits to consumers and to competition.
The injury must not be reasonably avoidable.
Give five examples of technologies that might be used for employee monitoring.
Computer usage monitoring
Location-based monitoring
Social media tracking
Biometric tracking
Wellness programs
What is a data flow diagram?
A data flow diagram serves as an artifact of the work and a reference for team members seeking to understand how data moves through the organization.
What are the five main requirements of COPPA?
- Privacy Policies
- Parental Notification
- Parental Consent
- Parental Control
- Information Security
What are NSLs?
National Security Letters (NSLs) are a form of administrative subpoena used by the U.S. federal government to order the production of business records related to national security concerns.
What are the three branches of the U.S. federal government?
Legislative branch, executive branch, and judicial branch
What are two deidentification techniques published by HHS to achieve deidentification in accordance with the HIPAA Privacy Rule?
Expert determination and safe harbor
What is passive data collection?
The organization gathers information from the individual automatically when they visit a website or engage in other online activity.
What is meant by “theories of liability”?
Theories of liability describe the conditions that must be met for someone to be found liable for a crime or a civil violation of the law.