Privacy Operational Lifecycle - Section III.E. - Respond: Privacy Incidents Flashcards

1
Q

True or False: The average cost associated with responding to a data breach has risen significantly in the past two decades.

A

True

2
Q

What is a privacy incident?

A

An adverse event or action that is unplanned, unusual, and unwanted that happened as a result of non-compliance with the privacy policies and procedures of an organization.

3
Q

What aspects of a data breach response plan should be reviewed as part of incident follow-up?

A

(1) Staffing and resources;
(2) Containment, including timing and processes;
(3) Commitment of executive leadership;
(4) The roles of response team members and other stakeholders; and
(5) The notification process.

4
Q

What steps does the FTC recommend in providing notice to affected data subjects that a data breach has occurred?

A

(1) Consult with law enforcement so as not to impede any investigation;
(2) Designate a point person for external contacts; and
(3) Consider offering a year of free credit monitoring and other support to affected individuals.

5
Q

What is required of organizations that hire third-party call centers for customers to contact as part of their data breach response plan?

A

Draft the scripts for call center workers to utilize,
provide training to the call center’s quality assurance team,
analyze reports prepared by the call center, and
maintain adequate staffing.

6
Q

What is the most common term used to describe the amount of time an organization has to provide notice to affected data subjects once it is determined that a data breach has occurred?

A

At the most expeditious time possible and without unreasonable delay.

7
Q

Who typically leads an organization’s response to a data breach?

A

Legal counsel.

8
Q

What types of expenses are typically covered by cyber insurance?

A

Legal expenses;
Forensic analysis;
Negotiation or payment of ransomware;
Data restoration expenses;
Breach notification expenses;
Public relations consultations;
Identity restoration;
Fines or penalties;
Security and system failures; and
Contract expenses.

9
Q

What are some of the benefits associated with training employees how to respond to a data breach?

A

It helps expose gaps in procedures before an incident occurs,
Increases security (i.e., lowers the risk of a breach),
Lessens long-term costs, and
Better maintains an organization’s reputation in the event of a breach.

10
Q

What are the four steps the FTC recommends after confirming that a data breach occurred?

A

(1) Secure operations;
(2) Analyze and fix vulnerabilities;
(3) Notify affected parties; and
(4) Take proactive steps to limit future breaches.

11
Q

Does developing a data classification schema increase or decrease the cost of responding to a data breach?

A

Decrease.

12
Q

What steps should be taken in preparation for responding to a privacy or security incident?

A

(1) Develop an incident response plan;
(2) Implement appropriate training;
(3) Understand key roles and responsibilities;
(4) Obtain insurance coverage, if appropriate; and
(5) Effectively manage third-party data vendors.

13
Q

Does business continuity management increase or decrease the cost of responding to a data breach?

A

Decrease.

14
Q

True or False: The average cost associated with responding to a data breach is pretty consistent across jurisdictions globally.

A

False. The cost of responding to a data breach varies significantly across jurisdictions, with the United States being the country with the highest average response costs.

15
Q

Other than lowering the cost of responding to a data breach, employee training can also lower [blank].

A

The frequency with which privacy incidents occur.

16
Q

What is an incident register?

A

A document or record of every incident that has taken place within an organization, on a select project, or at a specific location, such as a privacy incident register.

17
Q

What are some things commonly included in a privacy incident register?

A

(1) A classification of the incident;
(2) A description of the events;
(3) A description of the source or location of the incident;
(4) A description of why the incident happened; and
(5) An outline of the corrective actions taken.

18
Q

Does the rush to notify stakeholders increase or decrease the cost of responding to a data breach?

A

Increase.

19
Q

What is the primary cause of data breaches?

A

Malicious activity, which accounts for roughly half (50%) of all data breaches.

20
Q

Does the extensive use of data loss protection increase or decrease the cost of responding to a data breach?

A

Decrease.

21
Q

Does the appointment of a Chief Privacy Officer increase or decrease the cost of responding to a data breach?

A

Decrease.

22
Q

Other than malicious activity, what are the other two primary causes of a data breach?

A

System glitches and human error.

23
Q

Do compliance failures increase or decrease the cost of responding to a data breach?

A

Increase.

24
Q

What are some of the responsibilities of the persons leading a data breach response?

A

(1) Coordinate with team leaders;
(2) Maintain a budget;
(3) Engage and manage outside legal counsel and vendors;
(4) Prepare a final report or analysis; and
(5) Lead post-incident activities to reduce future risk.

25
Q

What is a legal “privilege”?

A

An evidentiary rule that allows a witness (including an organization) the option to not disclose information, documents, or testimony that would otherwise normally be required to be produced as part of litigation or regulatory enforcement.

26
Q

Does extensive cloud migration increase or decrease the cost of responding to a data breach?

A

Increase.

27
Q

What principles should guide notification to internal employees that a data breach has occurred?

A

Transparency and forthrightness.

28
Q

What typically guides an organization’s response to a privacy incident?

A

Applicable laws, and especially data breach notification laws.

29
Q

Plans on how to address a data breach or privacy incident are more frequently being incorporated into what other type of business planning?

A

Business continuity planning.

30
Q

What are some of the key areas that a privacy incident response plan should focus on?

A

How to protect privilege,
The roles and responsibilities of team members,
How to escalate possible issues and report suspicious activities,
Severity rankings,
Interactions with external parties, and
Integration with business continuity plans.

31
Q

How is privacy incident response training funded in most organizations?

A

There is no universal approach, and each organization is different; but funding will often come from a cross-section of departments, including IT, legal, and HR.

32
Q

What are some tasks that the FTC recommends in analyzing and fixing vulnerabilities following a data breach?

A

Re-evaluating third-party service providers and data segmentation practices.

33
Q

What is one way organizations may manage the multiple departments that are involved in responding to a privacy incident?

A

Appointing an oversight team that will provide high-level leadership.

34
Q

What are some examples of the ways in which an organization may be made aware of a potential data breach?

A

Internal screening mechanisms, customers, news reports, or even the person conducting the cyberattack.

35
Q

What are two privileges that are particularly important to preserve when responding to a data breach?

A

(1) Attorney-client privilege; and
(2) Attorney work product privilege.

36
Q

Most organizations experiencing a data breach estimate that the percentage likelihood that they will experience another in the next two years is roughly how high?

A

25-30%.

37
Q

What are two reasons why organizations might offer remediation services to customers affected by a data breach?

A

(1) It is mandated by law; and
(2) To maintain good will with customers.

38
Q

Does the engagement of consultants increase or decrease the cost of responding to a data breach?

A

Increase.

39
Q

True or False: Responding to a privacy incident involves running through an ordered list of response steps.

A

False. There is no simple checklist organizations can follow in responding to a privacy incident.

40
Q

What are some best practices when working with an industrial-scale printer to provide data breach notifications?

A

(1) Establish a secure data transfer channel;
(2) Create a letter copy in a preferred format (e.g., Microsoft Word);
(3) Obtain content approvals from the legal team; and
(4) Supply a return address for undeliverable mail.

41
Q

During the process of containment and remediation, organizations must be sure to avoid what?

A

Destroying or failing to preserve evidence that is needed to investigate the incident or ensure that other aspects of a response plan are completed appropriately.

42
Q

When should organizations enter into contracts with data breach vendors, such as call and mailing centers?

A

Before a breach occurs.