Section 1

Question 1

GDPR SPI

Answer 1

Data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person,, health data, data about sex life or orientation

Question 2

HHS ways to de-identify data

Answer 2

Expert determination (statistician) or safe harbor (removal of 18 types of info)

Question 3

GAPP Principles

Answer 3

Management, Notice, Choice and Consent, Collection, Use/Retention/Disposal, Access, Disclosure, Security for Privacy, Quality, & Monitoring + Enforcement

Question 4

ISO 27701

Answer 4

It covers best practices for implementing privacy controls. Annex F provides advice on applying the privacy standard in an organization that already uses the information security standards

Question 5

What is the data that must be removed from a data set for the HHS safe harbor in de-identification?

Answer 5

names, geographic dvisions and ZIP codes containing fewer than 20K, month and day of a person’s birth/death/hospital admissions or discharge or the age in years of a person over 89, telephone numbers, vehicle identifiers and serial numbers, including license plates, fax numbers, device identifiers and serial numbers, email addresses, web URLs, social security numbers, IP addresses, medical record numbers, biometric identifiers including finger and voice prints, health plan beneficiary numbers, full face photographs, account numbers, certificate/license numbers

Question 6

ISO 27001 and 27002

Answer 6

These relate to an org’s information security program

Question 7

Olmstead v. US

Answer 7

Right to be left alone

Question 8

What is an investigative report under the FCRA?

Answer 8

under the FCRA, a consumer report becomes an investigative report when the process includes interviews with a person’s contacts to learn more about factors in the report such as “mode of living”

Question 9

Can an ISP call an existing customer for telemarketing?

Answer 9

The Telemarketing sales rule does provide an existing business relationship exemption that would allow an ISP to call her even though she has added her phone to the DNC list

Question 10

FACTA

Answer 10

the Fair and Accurate Credit Transactions Act includes specialized guidance for organizations that use consumer reports. The basic requirement of the FACTA Disposal Rule is that covered organizations must take “reasonable measures to protect against unauthorized access or use of the information in connections with its disposal”

Question 11

What are the three main goals of a cybersecurity program?

Answer 11

confidentiality, integrity, and availability

Question 12

Industry best practice for frequency of privacy risk assessment

Answer 12

Annual

Question 13

Articles 1, 2, 3

Answer 13

1 - Legislative, 2 - executive, 3 - judicial

Question 14

Article IV

Answer 14

defines the relationship between the federal government and the governments of the states

Question 15

Article V

Answer 15

creates the process for amending the Constitution itself

Question 16

Article VI

Answer 16

contains the supremacy clause and the process to modify the Constitution through amendments (2/3 of each house of Congress and 38/50 states)

Question 17

Article VII

Answer 17

process for the initial establishment of the federal government

Question 18

Which states have privacy in their constitutions?

Answer 18

Alaska
Arizona
California
Florida
Hawaii
Illinois
Louisiana
Montana
New Hampshire
South Carolina
Washington.

Question 19

Smyth v Pillsbury (Eastern District of Pennsylvania 1996)

Answer 19

Holding: employees generally do not have a right to privacy in their use of a company provided email account.

Question 20

Google v. CNIL (2019)

Answer 20

The right to be forgotten applies only within the EU

Question 21

What does FERPA not apply to?

Answer 21

employee professional education records maintained by hospitals

Question 22

What does HIPAA not apply to?

Answer 22

medical records maintained at student health centers

Question 23

Does FERPA have a private right of action?

Answer 23

No but the DoE can bring a case

Question 24

Does HIPAA have a private right of action?

Answer 24

No

Question 25

Does GLBA have a private right of action?

Answer 25

No

Question 26

Does the CCPA have a private right of action?

Answer 26

Yes if that breach involved certain unredacted and unencrypted personal information

Question 27

What are the HIPAA civil penalties?

Answer 27

from $100 for a first time offense by an individual who did not know they were violating HIPAA to $50K if a violation was due to willful neglect and was not corrected

Question 28

Does HIPAA have criminal penalties?

Answer 28

Yes.

$50K-$250K
1 - 10 years

Question 29

Negligence elements

Answer 29

Duty of care, breach of that duty, damages, causation

Question 30

What key legislation grants the FTC authority over unfair and deceptive practices?

Answer 30

15 USC Section 45 (a)(1) aka UDAAP. This law is commonly cited as giving the FTC authority over privacy and cyber security related matters.

Question 31

Which administrative body regulates websites targeted at children?

Answer 31

FTC through COPPA

Question 32

What is the process for when the FTC has investigated a company and wants to bring a complaint?

Answer 32

The company can negotiate or contest the complaint in front of an ALJ. They can appeal to the five FTC commissioners after. Then, they can pursue an appeal in the federal courts.

Question 33

Sperry v. Hutchinson Trading Stamp co. (SCOTUS 1972)

Answer 33

Holding: Three factors for determining when a practices is unfair:
- if it injures consumers
- if it violates established public policy
- if it is unethical or unscrupulous

Question 34

What is the test established by the FTC in its 1980 policy statement on unfairness to determine if a practice unfairly injures consumers?

Answer 34

Substantial
Outweighed
Not be reasonably avoidable

Question 35

FTC v. Wyndham Worldwide (Third Circuit)

Answer 35

Holding: A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury and retains the profits of their business

Question 36

LabMD - 2016

Answer 36

Example of unfair practice case brought by FTC in response to privacy issue

In 2016 the FTC issued a Final Order that LabMD suffered a data breach that impacted patient privacy as the direct result of insufficient cybersecurity practices. They were ordered to implement a cybersecurity program and subject themselves to periodic assessments.

Question 37

LifeLock - 2010

Answer 37

Example of unfair practice case brought by FTC in response to privacy issue

LifeLock ran an advertising campaign that it could prevent identity theft. They paid a $12M fine to the FTC and state governments. They also agreed to avoid deceptive advertising and implement strong security controls. In 2019 the company paid an additional $100M after they violated that court order.

Question 38

DesignerWare (2012)

Answer 38

Example of unfair practice case brought by FTC in response to privacy issue

A rent-to-own company was accused of placing spyware on the computers it rented that captured keystrokes and images of personal information. the FTC issued an order declaring this an unfair practice and prohibiting the company from engaging in similar practices in the future.

Question 39

What are the requirements for a practice to be deceptive? (1983 FTC Policy Statement)

Answer 39

1. There must be a representation, omission or practice that is likely to mislead the consumer
2. The practice must be examined from the perspective of a consumer acting reasonably in the circumstances
3. The representation, omission or practice must be material

Question 40

GeoCities

Answer 40

This website hosting company collected personal information from customers, informing them that they would not resell this information. The FTC charged them with reselling information in violation of their privacy policy.

Question 41

Eli Lilly

Answer 41

This pharma company collected patient info on their website and then inadvertently sent an email to all site users disclosing their identities to one another

Question 42

Nomi

Answer 42

This tech company placed sensors in retail stores that collected info about consumers’ mobile devices without their knowledge or consent

Question 43

Snapchat

Answer 43

They informed consumers that messages and photos disappeared but they were aware of methods users engaged into preserve those messages

Question 44

TRUSTe

Answer 44

2014 deceptive practices - This privacy firm provides other companies with certifications of their privacy practices. The FTC charged them with failing to conduct annual recertifications of clients, as required. $200K fine.

Question 45

Zoom Consent Decree (2020)

Answer 45

Zoom had said their videos were end to end encrypted but they were point to point and were temporarily decrypted when on Zoom’s servers. The Decree made Zoom not say anything more about privacy and security, put in a comprehensive program and conduct annual independent audits for 20 years.

Question 46

What year was the Telecommunications Act?

Answer 46

1996

Question 47

What is CPNI and who regulates it?

Answer 47

Customer proprietary network information. The FCC regulates the way communications carriers may handle that information.

Question 48

How is broadband privacy handled by the FCC?

Answer 48

In Dec 2016 they passed a set of rules that would restrict ISPs from collecting and sharing info about customer comms, location data and browsing habits. In 2017 Trump repealed those privacy rules.

Question 49

Which US org operates the US portion of the Privacy Shield?

Answer 49

Department of commerce

Question 50

Which states have laws for UDAAP?

Answer 50

All

Question 51

What is PCI DSS?

Answer 51

Payment card Industry Data Security Standard (more about security than privacy but does include data retention reqs that protects consumers).

Question 52

What are the 12 high level requirements of PCI DSS?

Answer 52

1. install and maintain a firewall config to protect cardholder data
2. do not use vendor-supplied defaults for system passwords and other security parameters
3. protect stored cardholder data
4. encrypt transmission of cardholder data across open, public networks.
5. use and regularly update antivirus software
6. develop and maintain secure system and apps
7. assign a unique ID to each person with computer access
8. restrict physical access to cardholder data
9. track and monitor all access to network resources
10. restrict access to cardholder data by business need-to-know
11. regularly test security systems
12. maintain a policy that addresses information security for employees and contractors

Question 53

What is NAI?

Answer 53

Networking Advertising Initiative. They can investigate their members and sanction them. They can refer noncom[pliant companies to the FTC.

Question 54

What is the TRUSTe three phase process?

Answer 54

1. Assessment
2. Remediation and Certification
3. Ongoing Monitoring and guidance

Question 55

What is the Schrems II ruling?

Answer 55

July 2020 - EU Court of Justice said that the Privacy Shield is illegal (the safe harbor program and agreement that allows orgs conducting data transfers between the EU and US to comply with GDPR only if the firm that have agreed to appropriate privacy standards).

Question 56

What is the largest fine the FTC has given?

Answer 56

Facebook - 2019. $5 billion based on deceptive claims about consumers’ ability to control the privacy of their personal data.

Question 57

When was PCI DSS created?

Answer 57

2004

Question 58

What are GPEN’s goals?

Answer 58

1. Exchange information about privacy issues
2. encourage sharing of enforcement expertise
3. promote dialogue among enforcement groups
4. facilitate intl cooperation
5. support intl privacy practices

Question 58

What organization created the Global Privacy Enforcement Network?

Answer 58

OECD - Organization for Economic Cooperation and Development

Question 59

What kinds of information should an org consider when building a data inventory?

Answer 59

PII, PHI, financial information and government information

Question 60

What is the NIST?

Answer 60

National institute of Standards and Technology

Question 61

What is NIST 800-53?

Answer 61

NIST’s guidance that specifies different types of controls that should be used to protect information deemed low impact, moderate impact and high impact

Question 62

What is data minimization?

Answer 62

The company collects the smallest amount of info necessary to meet their business needs

Question 63

What is purpose limitation?

Answer 63

Businesses should use collected information only for the purpose for which it was originally collected

Question 64

How can electronic media be erased?

Answer 64

specialized sanitation software, degaussing using intense magnetic fields or physical destruction

Question 65

What is the FACTA disposal rule?

Answer 65

orgs must take “reasonable measures to protect against unauthorized access or use of the information in connection with its disposal”

Question 66

What are the FTC’s suggestions for reasonable measures to comply with FACTA’s disposal rule?

Answer 66

1. policies and procedures that require burning, pulverizing, shredding paper that contain consumer information and monitoring compliance with that policy
2. policies and procedures that require destruction or erasure of electronic media containing consumer information so it cant be read or reconstructed and monitoring compliance
3. contracting with a record destruction business after doing due diligence on that business. customers may request certificates of destruction.

Question 67

What are the two reasons you should still be prepared for script kiddies?

Answer 67

1. The tools are freely available on the internet so personal tech skills are no longer a barrier to hacks
2. Script kiddies are plentiful and unfocused so they target many different orgs

Question 68

What ways did EUROPOL and IOCTA find that organized crime is active in cybercrime (2019)?

Answer 68

cyber dependent crime (ransomware, data compromise, website defacement, attacks against critical infrastructure), child sexual exploitation, payment fraud, dark web activity, terrorism, cross cutting crime factors like social engineering, money mules and abuse of crypto

Question 69

What company coined the term APT?

Answer 69

Mandiant - a security company

Question 70

What is a zero day attack?

Answer 70

attacks that exploit vulnerabilities that are researched by the hacker and are not known to other attackers or cybersecurity teams

Question 71

What is an event, an adverse event and a security incident?

Answer 71

Event - observable occurrence (examples - user accessing a file on a server, an administrator changing permissions, an attacker conducting a port scan)
Adverse event - event that has negative consequences (examples are malware infection, server crash, user accessing a file they are not authorized to view)
Security incident - violation or imminent threat of violation of security policies or practices (examples are accidental loss of sensitive info, intrusion by an attacker, use of keylogger on an exec’s system to steal passwords, and DoS attack)

Question 72

What is a CSIRT?

Answer 72

Computer security incident response team

Question 73

What are the steps of an incident response process?

Answer 73

Preparation, Detection & Analysis, Containment Eradication and Recovery, Post-Incident Activity

Question 74

What is NIST 800-61?

Answer 74

Four major categories of security event indicators:
Alerts, Logs, Publicly available information, People

Question 75

What is the process for the containment, eradication and recovery period in a security incident response?

Answer 75

Select a containment strategy, implement that strategy, gather additional evidence, identify the attackers, eradicate the effects

Question 76

What should NOT be included in a security incident policy?

Answer 76

specific technologies, response procedures, and evidence gathering techniques - those are for the procedures document

Question 77

What should be included in a security incident policy?

Answer 77

statement of management commitment
purpose and objectives
scope of the policy
definition of cybersecurity incidents
organizational structure and definition of roles
prioritization or severity rating scheme for incidents
performance measures for the CSIRT
reporting and contact forms

Question 78

What are places where PII may be incoming into an organization?

Answer 78

New employee onboarding
Benefits administration
Customer interactions
Independent contractor tax reporting

Question 79

What are the PII data inventory components?

Answer 79

Name of business process
Reason for using the PII
Legitimacy of use
Storage and transmission of PII
Access list
Third party involvement

Question 80

Virus v. worm malware

Answer 80

Virus - spreads from system to system through human interaction
Worm - spreads from system to system by itself

Question 81

How might adware be used?

Answer 81

changing the default search engine
displaying pop-up advertisements
replacing legitimate ads

Question 81

What is a good way to prevent Trojan Horses?

Answer 81

Application control on employee computers

Question 82

What are the three best ways to prevent malware?

Answer 82

Anti-malware software
Security patches
User education

Question 83

What are the components of a good incident response plan?

Answer 83

1. policy and plan documentation
2. procedures for incident handling
3. guidelines for communicating externally
4. structure and staffing model for the team
5. description of relationship with other groups

Question 84

Incident Response Policy components

Answer 84

1. foundational authority
2. defines incidents
3. incident prioritization scheme

Question 85

What are the four steps of an Information Management Program?

Answer 85

Discover
Build
Communicate
Evolve