Study Cards Flashcards

1
Q

Privacy program management is the structured approach of

A

combining several projects into a framework and life cycle to protect PI and individuals’ rights.

2
Q

The privacy operational life cycle involves four phases:

A

assess, protect, sustain and respond.

3
Q

The assess phase involves comparing the program to

A

industry best practices, corporate privacy policies, applicable laws and regulations and the organization’s privacy framework.

4
Q

The protect phase embeds privacy principles and information security management practices to

A

address, define and establish privacy practices.

5
Q

The sustain phase provides

A

monitoring, auditing and communication aspects of the management framework.

6
Q

The respond phase involves the principles of

A

information requests, legal compliance, incident response planning and incident handling, as well as accountability for data collected.

7
Q

Privacy program managers and teams are responsible for

A

compliance, accountability and alignment with organizational strategy.

8
Q

Accountability is the most important aspect of privacy program management. Privacy program managers are accountable for

A

safekeeping and responsible use of personal information.

9
Q

While __ with applicable laws and regulations is a key motivator for having a privacy program, it is not the only purpose of a program.

A

compliance

10
Q

Other important reasons to institute a privacy program are

A

meeting expectations of business clients and partners, and safeguarding data against attacks and threats.

11
Q

A successful privacy program integrates __ into functional areas across the organization.

A

privacy requirements and representation

12
Q

Examples of organizational areas that typically have specific privacy concerns include:

A

HR, marketing and business development, finance, information security, IT, and legal and compliance functions.

13
Q

What business function is most likely responsible for determining which employees may access subscribers’ sensitive PI?

A

Information security

14
Q

Privacy governance refers to

A

components guiding a privacy function toward compliance with laws and regulations, and enabling it to support the organization’s broader business goals.

15
Q

Privacy governance supports the organization’s broader business goals, which are:

A
  • Creating a privacy vision and mission statement
  • Defining program scope
  • Selecting a privacy framework
  • Developing a privacy strategy
  • Structuring the privacy team
16
Q

There is no standard organizational structure for privacy across organizations. When determining where privacy will sit in the organization, you may wish to consider

A

which department has the most influence; has global scope; is the best-funded; best executes enterprise projects; and/or is the strongest supporter of privacy.

17
Q

While strategies provide the why (why privacy is important), privacy program frameworks provide the what (what form the program will take), in the form of

A

implementation roadmaps that guide teams and prompt for the details to determine privacy-relevant decisions for the organization.

18
Q

Common privacy program frameworks include principles and standards such as __, OECD guidelines, GAPP, CSA, the APEC Privacy Framework, ETSI, and ISO; laws, regulations and programs such as PIPEDA and APPs, __, HIPAA, CNIL, and BCRs; and privacy program management solutions such as __, NIST, and WebTrust.

A

FIPs; GDPR; PbD

19
Q

The privacy policy life cycle phases involve:

A
  • Drafting inward-facing policies that are practical, simple and easy to understand
  • Getting approval from decision-makers and stakeholders
  • Disseminating and socializing policies to all employees
  • Training employees and enforcing policies
  • Reviewing and revising policies regularly
20
Q

The privacy governance models are

A

centralized, localized/decentralized, or hybrid (a combination of both).

21
Q

In the centralized model,

A

one team or person is responsible for privacy-related affairs.

22
Q

In the local/decentralized model, decision-making is delegated to

A

lower levels of the organization, allowing decisions and information to flow from bottom to top.

23
Q

The hybrid model combines the centralized and local models and is

A

most common when a large organization makes an individual or team responsible for privacy-related affairs for the rest of the organization.

24
Q

The DPO position is a professional role with many responsibilities. Examples of the skills a DPO needs include:

A
  • Experience assessing risk and best practice mitigation
  • Knowledge of relevant laws and regulations
  • Interpersonal flexibility; effective communication with business functions
  • Project management and ability to manage own professional development
  • Ability to fulfill the role autonomously
  • Ability to handle requests/complaints and train others to help data subjects
  • Credibility/no conflicts of interest
25
Q

Getting buy-in for a privacy strategy may mean changing an organization’s mindset. Recommendations include __; __; and __.

A

building relationships and finding advocates;
pitching privacy;
creating steering groups of stakeholders.

26
Q

Once your privacy program has been established, you must

A

create awareness of the program both internally and externally.

27
Q

Some organizations use a RACI matrix, a tool used to embed responsibilities and identify:

A

Who is Responsible
Who is Accountable
Who needs to be Consulted
Who needs to be Informed

28
Q

Key functional areas help create and enforce the privacy program on an ongoing basis. Examples of these areas include:

A

marketing, learning and development, communications, IT and procurement.

29
Q

Auditing and analyzing a governance structure’s performance is essential to its success. The __ and __ functions review and analyze operations across all departments and communicate their results.

A

internal audit (IA) and risk management

30
Q

__ typically reports to an audit committee, helping to ensure it remains unbiased.

A

Internal audit

31
Q

__ ensures business and regulatory requirements are met through detailed analysis.

A

Risk management

32
Q

Some organizations use __ to help achieve compliance. Solutions may relate to areas such as assessment management, data mapping, deidentification and incident response.

A

privacy tech vendors

33
Q

Privacy technology is experiencing rapid growth. Reasons for this include the emergence of
comprehensive data protection laws and privacy regulations along with strict requirements and significant fines for noncompliance under many privacy laws, such as the GDPR. Another factor is __.

A

growing consumer awareness of data breaches and increasing demands that organizations protect their information.

34
Q

The chief privacy officer for a telecommunications company wants to revise its privacy mission statement. What steps would be involved in this process? Select all that apply.
1. Evaluating the intended objective
2. Acquiring knowledge on privacy approaches
3. Gaining executive sponsor approval
4. Communicating the organization’s privacy stance to all stakeholders
5. Monitoring compliance with the company’s privacy policies

A

All except 5

35
Q

In differentiating between a privacy strategy and a privacy framework, how can strategy be defined?
1. As the why
2. As the what

A

As the why

36
Q

True or false? A law or regulation may constitute a privacy framework.

A

True

37
Q

What type of privacy governance model is defined by a one-team or one-person approach?
Localized/decentralized
Centralized
Hybrid

A

Centralized

38
Q

True or false? The privacy team should always comprise more than one person.

A

False

39
Q

Which business function ensures business and regulatory requirements are met through detailed market, credit, trade and counterparty analysis?
Internal audit
Procurement
Learning and development
Risk management

A

Risk management

40
Q

What is the most important aspect of privacy program management?
Vendor management
Audits
Data mapping
Accountability

A

Accountability

41
Q

True or false? Regulatory compliance is often the primary motivation for organizations to develop a privacy program.

A

True

42
Q

A privacy program should integrate privacy requirements and representation into which of the following functional areas? Select all that apply.
Human resources
Marketing and business development
Finance
Information security
IT
Legal and compliance

A

All are correct

43
Q

Customer service employees for a health insurance company are granted access to subscribers’ sensitive PI to help with questions about coverage and billing. What business function is most likely responsible for determining which employees may access subscribers’ sensitive PI?
Human resources
IT
Information security
Legal

A

Information security

44
Q

Which of the following is NOT a phase of the privacy operational life cycle?
Sustain
Respond
Consider
Assess

A

Consider

45
Q

Under GDPR, data subjects can:

A

Withdraw consent
Request a copy of their personal data or have it deleted
“Freeze” processing of their personal data
Object to automated decision-making

46
Q

Under GDPR, organizations must:

A

Implement PbD and privacy by default
Provide notice to process personal data
Provide notification of breaches (sometimes)
Conduct DPIAs (sometimes)
Consult regulators before processing (sometimes)
Follow rules for processing children’s data
Ensure compliance of data transfers
Take responsibility for vendor processing
Maintain appropriate data security
Keep records and demonstrate compliance
Appoint a DPO

47
Q

Under GDPR, regulators may:

A

Ask for records of compliance (register of processing activities, DPIAs, documentation, risk analysis)
Impose temporary data processing bans, and require data breach notification
Order erasure of personal data
Suspend international data flows
Enforce penalties up to €20 million or 4 percent of total annual revenue

48
Q

Under LGPD, data subjects can:
Confirm the existence of processing
Access their data
Correct incomplete, inaccurate or out-of-date data
Anonymize, block or delete unnecessary or excessive data or data processing in violation of the law
Export data to another service or product provider

A

Delete personal data processed pursuant to consent
Obtain information about entities with which data is shared
Obtain information about denying consent
Review decisions made solely based on automated processing
Oppose non-consent-based processing when in violation of the law

49
Q

Under LGPD, organizations must:
Implement privacy-by-design and -default processes
Develop incident response and remediation plans
Maintain appropriate data security
Notify data subjects and regulators of data breaches
Follow special rules for directly processing children’s data
Provide notice of intention to process PI
Appoint a data protection officer (for controllers)

A

Take responsibility for processing activities of third-party vendors
Create personal data protection impact report (RIPD)
Ensure adequacy or appropriate safeguards for data transfers
Keep records (in most circumstances) and demonstrate compliance
Comply with international data transfer requirements

50
Q

Under LGPD, regulators may:

A

Ask for records of compliance
Apply sanctions, e.g., warnings and corrective measures, publicizing the infraction, suspension or prohibition of processing activities
Enforce penalties up to 2 percent of a company’s annual revenue in Brazil to a maximum of 50 million reais per infraction

51
Q

The privacy team needs to work with regulators to understand:

A
  • Fines and penalties for noncompliance
  • The scope and authority of regulators and oversight agencies
  • Recent or upcoming changes in privacy law
52
Q

These changes affect privacy-related legal obligations:

A

New processes
Acquisitions
Outsourcing agreements
Divestitures
Discontinued products and services
New products and services

53
Q

Different regions’ laws may be similar to, or vastly different from, one another, so some organizations __

A

create a roadmap or crosswalk to determine where legal requirements overlap.

54
Q

Fair Information Practices (FIPs) appear in various forms and applications. The __ are perhaps the most widely recognized framework for FIPs, defining purpose specification, openness, individual participation, collection limitation, use limitation, security safeguards, data quality and accountability.

A

OECD Guidelines

55
Q

Under the California Consumer Privacy Act, consumers have:

A
  • The right to know what PI a business collects about them and how it is used and shared;
  • The right to delete PI collected from them (with some exceptions);
  • The right to opt out of the sale of their PI; and
  • The right to non-discrimination for exercising their rights under the CCPA.
56
Q

Under the CCPA, businesses must:

A
  • Provide a CCPA-compliant privacy policy or certain notices to consumers per the CCPA/CPRA privacy policy requirements [compliant privacy notice]
  • Provide disclosures to consumers, such as categories of PI collected, purpose for collection, description of consumers’ rights [disclose their rights and how categories of data are used]
  • Provide methods for submitting requests to know and to delete, and have a process to verify the identity of consumers attempting to exercise their rights [way to know and delete, verify ID]
  • Respond to consumer requests in a timely manner
  • Provide two or more methods for submitting requests to opt out, including a clear and conspicuous “Do Not Sell My Personal Information” link on the website to make it easy for consumers to [opt out] of the sale of their PI
57
Q

The CPRA amends and expands upon the CCPA in several ways, including:

A

Requiring the establishment of an enforcement agency, the California Privacy Protection Agency
Allowing consumers to opt out of PI sales and sharing
Allowing consumers to correct inaccurate PI that a business holds about them
Granting the right to limit use and disclosure of sensitive PI.

58
Q

International data transfers can be complex because you need to

A

comply with relevant laws across jurisdictions, and there must be a legal basis for transferring the data.

59
Q

Several mechanisms allow organizations to transfer data internationally, including:

A

  • adequacy decisions;
  • appropriate safeguards (standard contractual clauses, codes of conduct or self-certification mechanisms, ad hoc contractual clauses, international agreements and binding corporate rules); and
  • derogations.

60
Q

Which are common elements of privacy-related legislation across jurisdictions? Select all that apply.
Requirements for ensuring individual rights
Security obligations
Processor obligations
FIPs

A

All answers are correct except Processor obligations

61
Q

Privacy and data protection regulators have the right to impose penalties for noncompliance, including fines.
True
False

A

True

62
Q

What can controllers and processors do to avoid incurring penalties from regulators for noncompliance with the GDPR? Select all that apply.
Know which regulators oversee which processing activities within the organization
Ensure regulators receive notification of data breaches under some circumstances
Know when legal obligations change due to changes in the organization
Conduct data protection impact assessments whenever personal data is being processed

A

All answers are correct except Conduct data protection impact assessments whenever personal data is being processed

63
Q

Using a valid mechanism for transferring PI internationally, such as binding corporate rules, allows for the legal processing of that data.
True
False

A

False

64
Q

Which international data transfer mechanism is used to demonstrate to regulators and consumers that a company adheres to certain information privacy standards?
Binding corporate rules
Standard contractual clauses
Adequacy decisions
Codes of conduct

A

Codes of conduct

65
Q

A general good practice is to adjust the privacy program to the most stringent legal requirements to which personal data processing is subject.
True
False

A

True

66
Q

A __ is a complete record of all the PI your organization stores, uses and processes.

A

data inventory, or data map

67
Q

__ can be used as a precursor to regulatory compliance and risk analysis; to assess data, systems and processes; and to inform data assessments, priorities, data life cycle management and data classification.

A

Data inventories
It should demonstrate data flows and classification, create a record of the authority of systems processing personal information and analyze data types/uses

68
Q

To create a comprehensive inventory of all PI being processed, an organization should determine

A

who creates the data inventory, which departments hold/use PI, and what questions should be asked.

69
Q

__ may be organized around the data life cycle, considering the collection, usage, storage, archiving and destruction of PI.

A

Intake questions

70
Q

Conducting a __ helps determine what compliance efforts are in place, areas that need improvement, and where additional controls must be developed.

A

gap analysis
It involves identifying gaps between standards and laws an organization is subject to and the organization’s current compliance efforts. Many laws overlap, so be sure to involve your Legal team in the process.

71
Q

A __ measures an organization’s compliance with laws, regulations, adopted standards and internal policies/procedures. It may involve the use of subjective standards (such as employee interviews) and/or objective standards (such as information system logs).

A

privacy assessment

72
Q

A __ is an analysis that assesses privacy risks associated with processing PI in relation to a project, product or service. Requirements around them may be mandated by industry, organizational policy, and laws and regulations.

A

privacy impact assessment

73
Q

Triggers for conducting a __ include preparing for the deployment of a project, product or service that involves the collection of PI; new or revised industry standards, organizational policies, or laws and regulations; and organizational changes to methods in which PI is handled.

A

PIA

74
Q

A __ has specific triggers and requirements under the GDPR and LGPD. They are intended to help incorporate privacy considerations into organizational planning and demonstrate GDPR compliance.

A

data protection privacy impact assessment, DPIA

75
Q

Triggers for conducting __ include processing that is “likely to result in a high risk to the rights and freedoms of natural persons” (GDPR Article 35) and the use of new technologies.

A

DPIAs

76
Q

DPIAs should include:

A

a description of the processing, including its purpose, and including, where applicable, the legitimate interest being pursued;
the necessity of the processing, its proportionality and the risks that it poses to data subjects;
and measures to address the risks identified.

77
Q

__ is a self-assessment tool for ensuring functions outside the privacy team are held accountable for privacy-related responsibilities. Once the privacy responsibilities of each department are documented, the departments may be asked specific questions about each responsibility.

A

Attestation

78
Q

Mergers, acquisitions and divestitures should include a privacy checkpoint that evaluates:

A

new compliance requirements;
existing client agreements;
new resources, technologies and processes;
and applicable laws and standards.

79
Q

Vendor assessment is the evaluation of a vendor for

A

privacy and information security policies,
access controls,
where the personal information will be held,
and who has access to it

80
Q

These and other checklists can be used to assess vendor risk.

A

Privacy or security questionnaires, and privacy impact assessments

81
Q

Any technology that is new to an organization, even those that are ubiquitous elsewhere, requires

A

an assessment

82
Q

Assessing cloud computing vendors before procuring them can be challenging. Specific areas to focus on during a selection assessment of a cloud service provider include

A

certifications and standards, technologies, service road map, data management, information security, subcontractors and service dependencies, and data policies and protection.

83
Q

Which of the following is a common function of a data inventory? Select all that apply.
Assesses data, systems and processes
Informs data assessments
Informs data classification
Measures compliance with laws, regulations, standards and internal policies

A

All answers are correct except Measures compliance with laws, regulations, standards and internal policies

84
Q

Which of the following elements may be found in a data inventory? Select all that apply.
Data flows
Classification of data
Record of authority of organizational systems
Types and uses of data

A

All are correct

85
Q

Data inventories are almost always created and maintained by the legal function within an organization.
True
False

A

False

86
Q

Which of the following is a potential tool for keeping a data inventory up to date? Select all that apply.
A privacy impact assessment
GRC software
Spreadsheets and manual processes
An internally developed system

A

All answers are correct except A privacy impact assessment

87
Q

Which of the following is an assessment that measures how closely an organization’s practices align with its legal obligations and stated practices?
Privacy assessment
Privacy impact assessment
Data protection impact assessment
Physical assessment

A

Privacy assessment

88
Q

A privacy impact assessment can help facilitate privacy by design.
True
False

A

True

89
Q

Ideally, when should a PIA be conducted? Select all that apply.
Prior to deployment of a project, product or service that involves the collection of PI
Directly following the deployment of a project, product or service to ensure that privacy considerations have been addressed
When there are new or revised industry standards, organizational policies, or laws and regulations
When the organization makes changes to methods in which PI is handled that create new privacy risks

A

All answers are correct except Directly following the deployment of a project, product or service to ensure that privacy considerations have been addressed.

90
Q

Which of the following are methods for assessing vendors? Select all that apply.
Privacy and security questionnaires
Privacy impact assessments
Checklists
Audits

A

All answers are correct except Audits.

91
Q

__’s main focus is the control of information, while __ focuses on the information itself and the people represented by the information.

A

security; privacy

92
Q

Information security builds on __ to identify risk, take measures to mitigate risk, and track and evaluate risk.

A

risk management practices

93
Q

The existence of __ does not mean that data is not secure.

A

risk

94
Q

Information security provides different kinds of controls to manage risk. Controls can be

A

administrative, physical or technical controls.

95
Q

Controls are also divided into different categories based on their objective: __ controls to prevent an incident from occurring; __ controls to identify and characterize an incident that has occurred or is in progress; and __ controls to limit the extent of any damage caused by an incident.

A

preventive; detective; corrective

96
Q

ISO/IEC 27701 is considered the first mainstream global privacy management standard. It defines processes and

A

provides guidance for protecting PI on an ongoing basis
and specifies the requirements for establishing, implementing, maintaining and improving a privacy-specific information security management system.

97
Q

__ are non-technical privacy control measures established by management (for example, policies and procedures). They may derive from laws and regulations, self-regulatory regimes, industry practices, and corporate ethics and policies. Policies dictate these controls, which in turn establish what mechanism or process must be implemented to ensure the control is enabled.

A

Administrative controls

98
Q

__ govern who has the right to access specific information and may involve approaches from administrative, physical and technical control categories.

A

Access controls

99
Q

__ for managing user access can help ensure that only those who absolutely need access to certain information have it. These controls rely on basic security principles like need-to-know or -access and segregation of duties. They also involve __ management, which uses strategies such as unique user IDs and password management.

A

Role-based controls and guidelines; user access

100
Q

__ offer ways to protect personal information. Examples are obfuscation, data minimization, common security practices and privacy-enhancing technologies.

A

Technical privacy controls

101
Q

__ embeds privacy into the design of technology, systems and practices to help ensure the existence of privacy from the outset.

A

Privacy by design (PbD)

102
Q

Privacy by design is based on seven foundational principles:
1. Proactive, not reactive; preventative, not remedial
2. Privacy as the default
3. Privacy embedded into design

A
  4. Full functionality—positive-sum, not zero-sum
  5. End-to-end security—life cycle protection
  6. Visibility and transparency
  7. Respect for user privacy
103
Q

__ is called out in __, with requirements and consequences for noncompliance. Its goal is to build information privacy into the design process and protect privacy by default.

A

Data protection by design and default; GDPR

104
Q

Several __ can be used individually or in combination to analyze risk. Models include compliance; Fair Information Practice Principles (FIPPs)-based; and Factor Analysis of Information Risk (FAIR).

A

privacy risk models and frameworks

105
Q

__ include Risk Management Framework; Cybersecurity Framework; Privacy Framework; and NICE Framework.

A

NIST (National Institute of Standards and Technology) frameworks, at the Department of Commerce

106
Q

Two major groups of privacy design strategies for applying PbD are __ and __.
[1] strategies are based on an organization’s commitment to processing PI in a privacy-friendly way;
[2] strategies focus on technical ways to process data that maximize privacy.

A

process-oriented and data-oriented

107
Q

Security focuses on information and the people represented by that information.
True
False

A

False

108
Q

Which of the following is an example of a process-oriented privacy design strategy?
Demonstrating compliance with policies and processes
Separating the processing of data, either logically or physically
Abstracting data to limit the amount of detail in the data
Hiding data in ways that make it unconnectable or unobservable to others

A

Demonstrating compliance with policies and processes
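
The three data-oriented options in the question above (separate, abstract, hide), together with the data minimization named under technical privacy controls in card 100, are shown below on one record. This is an added example, not part of the flashcards; the record layout, the pseudonymization key and the generalization rules are hypothetical.

```python
"""Data-oriented privacy design strategies applied to one record.

Added example, not part of the flashcards. The record layout, the key and the
generalisation rules are hypothetical. Strategies shown:
  minimise - keep only the fields the stated purpose needs
  hide     - replace the direct identifier with a keyed pseudonym (HMAC)
  abstract - coarsen attributes (exact age -> ten-year band, postcode -> area)
  separate - store identifiers and attributes apart, linked only by the pseudonym
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Hypothetical pseudonymisation key; in practice held in a KMS and rotated.
PSEUDONYM_KEY = b"example-key-not-for-production"

# Fields the (hypothetical) analytics purpose actually needs.
NEEDED_FIELDS = {"age", "postcode", "diagnosis"}


def pseudonymise(identifier: str) -> str:
    """Hide: a keyed hash, so the identifier cannot be re-linked by anyone
    without the key. An unkeyed SHA-256 of an email address could be
    reversed simply by hashing candidate addresses."""
    digest = hmac.new(PSEUDONYM_KEY, identifier.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def abstract_age(age: int) -> str:
    """Abstract: report a ten-year band instead of the exact age."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def abstract_postcode(postcode: str) -> str:
    """Abstract: keep only the outward code, e.g. 'SW1A 1AA' -> 'SW1A'."""
    return postcode.strip().split()[0]


def apply_strategies(record: Dict[str, object]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Separate: return one row for the identity store and one for the
    attribute store. Only the pseudonym appears in both."""
    pid = pseudonymise(str(record["email"]))
    identity_row = {"pseudonym": pid, "email": str(record["email"])}
    # Minimise: fields the purpose does not need (name, phone, ...) never
    # reach the attribute store.
    attribute_row = {k: str(v) for k, v in record.items() if k in NEEDED_FIELDS}
    attribute_row["age"] = abstract_age(int(record["age"]))
    attribute_row["postcode"] = abstract_postcode(str(record["postcode"]))
    attribute_row["pseudonym"] = pid
    return identity_row, attribute_row


# Constructed sample record (not real data).
SAMPLE_RECORD: Dict[str, object] = {
    "name": "Alice Example",
    "email": "Alice@example.com",
    "phone": "+44 20 7946 0000",
    "age": 34,
    "postcode": "SW1A 1AA",
    "diagnosis": "J45",
}

if __name__ == "__main__":
    identity, attributes = apply_strategies(SAMPLE_RECORD)
    print(identity)
    print(attributes)
```

Holding the key only with the identity store, under stricter access control than the attribute store, is what makes the separation meaningful: an analyst with attribute-store access sees bands and areas keyed by an opaque token, and cannot rebuild the link on their own.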

109
Q

What type of security control may rely on segregation of duties?
Cryptography
Physical and environmental security
Access control
Systems acquisition, development and maintenance

A

Access control

110
Q

A scorecard of risk factors may assist an organization in doing what?
Evaluating security controls
Writing information security policies
Identifying risk
Determining the business purpose for processing personal information

A

Evaluating security controls

111
Q

A key difference between the U.S. and EU concepts of invasion of privacy is based on whether the invasion caused actual harm to the individual.
True
False

A

True

112
Q

Which of the following is an administrative control?
Responding to data subject access requests within one week of reception
Automatically aggregating personal information to render it anonymous
Using a vendor to encrypt outgoing email messages
Using a platform to mask sensitive information from users who do not need it

A

Responding to data subject access requests within one week of reception

113
Q

Data processing principles, such as those found in the GDPR, may be used to successfully implement privacy by design.
True
False

A

True

114
Q

A __ is an external communication made to an individual, customer or data subject that describes how the organization collects, uses, shares, retains and discloses their PI.
In contrast, a __ is generally an internal document that is addressed to employees, stating how PI is going to be handled.

A

privacy notice; privacy policy

115
Q

An organization’s privacy policy should be:

A

clear and easy to understand, accessible to all employees, comprehensive yet concise, action-oriented, and measurable and testable.

116
Q

Common types of __ include those for acceptable use, information security, procurement, HR, and data retention and destruction.

A

privacy policies

117
Q

Common goals of internal information security policies include

A

protecting against unauthorized access;
providing stakeholders with information efficiently, while maintaining confidentiality, integrity and availability;
promoting compliance with laws, regulations, standards and other organizational policies;
promoting data quality.

118
Q

Vendors should be held to the same privacy standards as the organization they serve. When engaging vendors, remember to:

A

create a policy that outlines selection and logistics; identify vendors and their legal obligations; evaluate risk, policies and server locations; develop a thorough contract; and monitor vendors’ practices and performance

119
Q

Vendors that provide cloud computing services may pose distinct privacy challenges. Therefore, a cloud computing acceptable use policy should:

A

maintain compliance; require that agreements be approved by leadership; maintain data privacy and security; and mitigate risks of using cloud-based services

120
Q

HR handles diverse employee personal information and typically has policies to guide processing.
Concerns can be addressed through several types of HR policies, including those related to

A

communications, hiring and reviews, and financial information.

121
Q

__ should support the idea that PI should only be retained for as long as necessary to perform its stated purpose. Triggers and methods should be documented and followed consistently, and align with laws, regulations and standards.

A

Data retention and destruction policies

122
Q

Approaches for enabling employees to integrate privacy policies into daily tasks include:

A

aligning policies with existing business procedures such as HR functions, procurement and contract management, and risk management;
training employees using tools like classes or simulations;
and raising awareness through activities like Data Privacy Day and lunch-and-learn sessions.

123
Q

Once you have created and launched privacy-related policies, __.

A

ensure they are regularly audited and enforced.
Policies should be testable and evidence should be readily available. Enforcement should include clear and consistent consequences. Consider whether an independent internal auditor may aid your organization’s ongoing auditing process.

124
Q

A marketing team works with their legal department to create an external communication to customers that describes how their personal information is going to be handled. What is this communication?
A privacy notice
A privacy policy
An information security policy
A data retention and destruction policy

A

A privacy notice

125
Q

How may an organization enable employees to integrate privacy policies into their daily tasks? Select all that apply.
Align policies with existing business procedures
Raise awareness
Train employees
Audit and enforce privacy policies

A

All responses are correct except Audit and enforce privacy policies

126
Q

What is the purpose of an acceptable use policy?
Providing instructions to employees, students, guests, etc. for easily accessing the organization’s network or internet connection
Stipulating rules and constraints for people within and outside the organization who access the network or internet connection
Evaluating risks associated with using vendors for processing personal information
Stipulating events that may trigger the necessary processing of personal information outside the organization’s originally stated purpose

A

Stipulating rules and constraints for people within and outside the organization who access the network or internet connection

127
Q

Which of the following are some of the common purposes of internal information security policies?
Select all that apply.
Protecting against unauthorized access
Providing stakeholders with information efficiently, while maintaining confidentiality, integrity and availability
Promoting data quality
Specifying detailed steps for HR hiring practices

A

All responses are correct except Specifying detailed steps for HR hiring practices

128
Q

Laws and regulations may include data retention requirements.
True
False

A

True

129
Q

A _ provides data that helps to answer specific questions about business operations.

A

metric

130
Q

An organization should develop generic _ _ to reflect data privacy compliance, data-driven decisions and the overall impact of the privacy program.

A

privacy metrics

131
Q

Metrics have primary, secondary, and tertiary audiences. Differences between the audiences are based on

A

interest level, influence, ownership and responsibility of privacy within the business objectives.

132
Q

Typical members of a _ audience include the legal and privacy officers, senior leadership, CIOs, CSOs, PMs, information system owners and CISOs.

A

primary

133
Q

_ audience members include the CFO, training organizations, HR, IGs and HIPAA security officials.

A

secondary

134
Q

The _ audience includes external watchdog groups, sponsors and stockholders.

A

tertiary

135
Q

A metric owner is responsible for managing the metric throughout its life cycle. Responsibilities include:

A

knowing what is critical about the metric and how it fits into business objectives
monitoring performance with the metric
updating process documentation (including the metric’s definition)
performing regular reviews
and incorporating improvements into the process.

136
Q

Four common ways to analyze privacy program metrics are:

A

trend analysis, return on investment (or ROI), business resiliency and program maturity.

137
Q

_ _ provides quantitative measurement for the costs, benefits, strengths and weaknesses of an organization’s privacy controls in order to maximize the benefits of investments that prevent loss.

A

ROI analysis

138
Q

Organizations can monitor privacy programs to track

A

compliance and risk,
organizational alignment with regulatory and legislative changes,
and vulnerabilities in the internal and external environments.

139
Q

Tracking compliance and risk involves reviewing the _ of personal information throughout its life cycle.

A

collection, use, and retention

140
Q

_ is often done using publications and/or external vendors.

A

Tracking regulatory and legislative changes

141
Q

Tracking environmental vulnerabilities involves

A

monitoring internal and external threats, including building access, data access and authentication, and lack of awareness or training

142
Q

Forms of privacy program performance monitoring include:

A
  • Active scanning tools, such as network-based data loss prevention (DLP) tools
  • Audit activities
  • Breach monitoring, detection and notification
  • Complaint monitoring
  • Data retention/records management strategies
  • Dashboards
  • Control-based monitoring
  • HR practices, such as hiring and termination
  • Monitoring data
  • Monitoring building access/use
  • Monitoring internal and external conditions
  • Regulation-based monitoring

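
The first item in the list above, active scanning with a DLP tool, comes down to content inspection: looking for personal data where it should not be. Below is an added example, not part of the flashcards, of such a scan over a few constructed log lines. It flags candidate payment card numbers only when they pass the Luhn check (so a random 16-digit ticket number is not reported), plus email addresses and US-style SSNs, and masks the card number in the finding. The patterns, sample lines and masking rule are assumptions made for illustration.

```python
"""A minimal content-inspection (DLP) scan over constructed log lines.

Added example, not part of the flashcards. Detects candidate payment card
numbers (Luhn-validated), email addresses and US-style SSNs in text. The
regular expressions, sample lines and masking rule are illustrative.
"""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> List[str]:
    """Return normalised digit strings that look like PANs and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, value) for every hit."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for pan in find_cards(line):
            findings.append((n, "card", mask_pan(pan)))
        for m in EMAIL_RE.finditer(line):
            findings.append((n, "email", m.group()))
        for m in SSN_RE.finditer(line):
            findings.append((n, "ssn", m.group()))
    return findings


# Constructed sample lines (not real logs or real personal data).
SAMPLE_LINES = [
    "2024-03-01T10:00:01 order=8812 card=4111 1111 1111 1111 status=ok",
    "2024-03-01T10:00:02 contact alice@example.com about refund",
    "2024-03-01T10:00:03 ticket 1234567890123456 (fails Luhn, not a PAN)",
    "2024-03-01T10:00:04 ssn=123-45-6789 uploaded to share",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

Pattern-and-checksum detection is the cheap, high-recall layer of a DLP program; it produces false positives on any Luhn-valid digit string (some account and IMEI numbers pass the check), so findings feed a review queue and a control-based monitoring process rather than an automatic block.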
143
Q

Audit involves:

A

monitoring and measuring privacy practices to comply with laws, regulations, consent orders and industry practices.

144
Q

Audits should answer two questions:

A

1) Do the privacy operations do what they were designed to do? 2) Are data privacy controls correctly managed?

145
Q

Privacy program audits typically fall into one of three categories:

A

first party, second party or third party.

146
Q

First-party audits are performed by internal employees. They are self-assessments used to

A

evaluate risk management culture;
identify privacy risk factors;
and evaluate control design and implementation.

147
Q

_, often known as “supplier audits,” typically involve the organization auditing existing suppliers or subcontractors.

A

Second-party audits

148
Q

Third-party audits are required under consent decree or by a regulator. They are conducted by independent outside sources. They provide a formal record of

A

what was audited and when,
insight into areas that comply/do not comply,
details to support findings
and suggested corrective actions.

149
Q

External watchdog groups, sponsors and stockholders typically make up which audience for privacy program metrics?
Primary
Secondary
Tertiary
None of the above

A

Tertiary

150
Q

Which of the following is NOT typically a responsibility of a privacy metric owner?
Tracking the costs of analyzing data for the metric on an organization’s profit and loss statement
Ensuring improvements are incorporated and maintained in the process
Scheduling regular reviews to determine if the metric is still required, capable of meeting goals and providing value to the organization
Understanding how the metric fits into the organization’s business objectives

A

Tracking the costs of analyzing data for the metric on an organization’s profit and loss statement

151
Q

A privacy officer is trying to make the case to his CFO to invest more of the budget into incident prevention and preparedness. He wants to show that the likely financial gain of this investment is greater than the direct costs to the organization. Which category of metrics would be most useful to him?
Business resiliency
Program maturity
Return on investment (ROI)
Trend analysis

A

Return on investment (ROI)

152
Q

A privacy audit should reveal whether the privacy operations do what they were designed to do and whether privacy controls are correctly managed.
True
False

A

True

153
Q

Employing dashboards, active scanning tools, and data retention and records management strategies are all ways to do what?
Monitor privacy program performance
Ensure an organization minimizes the processing of personal data
Increase information security
Provide resolutions to privacy-related complaints

A

Monitor privacy program performance

154
Q

Which category of audits may align to an ISO standard, NIST special publication or other industry framework?
First-party audits
Supplier audits
Third-party audits
Data protection commissioner audits

A

Third-party audits

155
Q

Which of the following is a valid reason for an organization to conduct a privacy audit?
It has expanded its industry base
It has made staffing cutbacks and shifted its business priorities
There has been a confirmed security incident
All of the above

A

All of the above

156
Q

The privacy officer for a corporation is analyzing trends on a series of privacy program metrics. She notices a conspicuous absence of privacy incidents in the past two years and wants to include this in her reporting. This information is known as a(n):
Time series
Uncertainty variable
Irregular component
Cyclical component

A

Irregular component

157
Q

Potential consequences of inadequate privacy training and awareness programs include:

A

noncompliance with laws and regulations
personal information being handled in ways that differ from organizational policy
and reputational harm or damage to relationships with customers.

158
Q

_ communicates an organization’s privacy message, policies and processes, and motivates individuals to retain and follow that information. It incorporates measurable outputs and outcomes via attendance and assessment metrics. In contrast, _ activities reinforce lessons learned in training through diverse methods.

A

training; awareness

159
Q

Method and delivery options for privacy training programs include:

A

in-person or virtual instruction;
self-led e-learning modules;
simulations;
and just-in-time information.

160
Q

Method and delivery options for awareness efforts include:

A

newsletters with privacy topics; email reminders; company intranet announcements; posters, signage and stickers; blog posts; internal messages when the organization has a data breach; meetings; Data Privacy Day; and Privacy Awareness Week.

161
Q

Privacy training should include

A

anyone who handles personal information on behalf of the organization.

162
Q

To ensure ongoing awareness, the privacy team and other relevant departments can take the following operational actions:

A

develop and use internal and external communication plans;
communicate information about the organization’s privacy program;
ensure policy flexibility for incorporating changes to compliance requirements;
and identify, catalog and maintain documents requiring updates as privacy requirements change.

163
Q

The following high-level steps may be used to create a privacy training program:

A
  • Ensure a privacy policy exists and is up to date
  • Ensure employees are trained on the policy
  • Ensure training records exist
  • Use metrics to measure results
  • Update the training based on feedback and changes to compliance obligations
  • Reinforce learning with awareness activities

164
Q

Considerations for creating a successful training program include:

A

partnering with the training department/HR; making it fun and customized to participants; using motivators like digital badges; ensuring all new employees are trained; ensuring repeat training is provided as needed; and soliciting feedback.

165
Q

Establishing a privacy training program can help your organization think about privacy and meet obligations to protect personal information in ways such as:

A
  • Establishing a common understanding of privacy
  • Reducing human error
  • Considering privacy up front
  • Improving customer interactions
  • Expanding the privacy office’s eyes and ears
  • Changing conversations

166
Q

Some common mistakes privacy professionals can make regarding privacy training and awareness include:

A
  • Not covering the basics
  • Not giving employees proper rules for handling and processing personal data, e.g., acceptable use policies (AUP)
  • Assuming everyone is as conscientious about privacy issues and current topics as privacy professionals are
  • Thinking one communication channel is sufficient; some concepts must be explained in multiple ways and repeated several times
  • Not effectively using a past incident as a learning opportunity

167
Q

What should privacy training and awareness programs do? Select all that apply.
Communicate privacy policies
Communicate processes and procedures, such as for data usage and retention, access control and incident reporting
Motivate and incentivize participants to follow privacy policies and procedures
Use measures, such as attendance and assessments

A

All responses are correct

168
Q

An organization should be responsible to train whom on privacy? Select all that apply.
A member of the customer service team
A receptionist
A customer
A driver responsible for business waste disposal

A

All except a customer

169
Q

Which of the following qualifies as an awareness method?
A company intranet announcement
A series of self-led e-learning modules
Just-in-time information presented online or via a manual, tip sheet or infographic

A

A company intranet announcement

170
Q

Which strategy could be used to motivate a team and help them remember the training materials?
A competitive simulation game that tests knowledge and skills gained from the training
A dashboard that shows members of the team who have completed the training
Metrics showing results (e.g., finding increased compliance with a data destruction policy after training)

A

A competitive simulation game that tests knowledge and skills gained from the training

171
Q

A _ is the privacy information that you make available or provide to individuals when you collect information about them.

A

privacy notice

172
Q

Privacy notices have multiple purposes, including

A

compliance;
processing personal information fairly and transparently;
making information accessible regarding how personal information is used;
meeting individuals’ expectations;
and building trust and confidence.

173
Q

A privacy notice typically explains:

A
  • Who the organization is
  • What information it collects
  • How it will use the information
  • With whom it will share the information
  • Whether information is collected directly or indirectly
  • What the likely future uses of the information are

174
Q

Strategies to keep privacy notices accessible to customers or external stakeholders include using a _ (short notice with key information and links); _ (appears at the time of data input and provides additional information); _ (shows different processing types using a clear design and icon/symbol key); and _ (easily navigated summary of privacy information and metrics).

A

layered approach
just-in-time notice
icons/symbols
privacy dashboards

175
Q

Privacy notices inform individuals of an organization’s privacy practices, but do not _. Consent is required by law in many, but not all, cases and may not be the only reliable basis for processing personal information.

A

solicit or imply consent

176
Q

An organization’s procedures around withdrawal of consent may address

A

when and how consent may be withdrawn,
rules for communicating with individuals,
methods for withdrawing consent,
and documentation of requests and actions taken.

177
Q

There are several areas to consider when tailoring privacy notices to children and ensuring parental consent for children under the age threshold:

A
  • Compliance: some laws specify rules for providing privacy notice to children and obtaining parental consent
  • Language and delivery: present privacy in ways children can understand
  • Age: laws and regulations may establish an age threshold for consent
  • Purpose of processing: some purposes may trigger certain rules, like prohibiting the tracking of children for behavioral advertising

178
Q

Laws and regulations may require an organization to allow individuals the ability to _ (and information about its processing) upon request. Information must be provided completely, in a timely manner, without charge, and in the same form in which the request was made. There may be limits to this right, like protections for the rights and freedoms of others.

A

access and correct their personal information

179
Q

Many countries have data privacy laws stipulating how organizations in their jurisdiction must respond to data subject requests. Given the requirements of various global privacy laws, it is critical for organizations to _

A

have robust policies related to data subject rights and be able to respond in a timely manner

180
Q

_ affect organizations within and outside the EU, given the broad scope of the GDPR.

A

EU-specific data subject rights

181
Q

Data portability is a right under the GDPR that applies in cases of processing based on consent or contractual necessity. It means that

A

personal data must be transferable from an organization in a format that is structured, commonly used and machine-readable.

182
Q

Under the GDPR, individuals have the right to _ in certain circumstances—for example, if they withdraw consent.

A

request erasure of their personal data

183
Q

Erasure entails both _. Controllers must also ensure third parties erase personal data.

A

ceasing processing and deleting data

184
Q

Erasure has been broadened to include _, which applies when personal data has been made public by the organization.

A

the right to be forgotten

185
Q

Internal procedures for handling privacy-related complaints should define and enable mechanisms for:

A
  • Differentiating between sources and types of complaints
  • Designating proper recipients
  • Implementing a centralized intake process
  • Tracking the process
  • Reporting and documenting resolutions
  • Redress

186
Q

Departments and roles designated with receiving complaints should be _ through dedicated phone numbers, email addresses and/or physical addresses.

A

easy to reach

187
Q

A privacy notice typically explains what? Select all that apply.
How personal information will be destroyed
How personal information will be stored
With whom personal information will be shared
What information will be collected

A

With whom personal information will be shared; what information will be collected

188
Q

The chief privacy officer of a technology company has revised its privacy notice for users who download the company’s applications onto their smartphones. The notice needs to be easily accessible to users so they can refer to it when desired. What is an appropriate solution to this design challenge?
Layered approach
Privacy dashboard
Icons/symbols
Just-in-time notice

A

Privacy dashboard

189
Q

What may an organization’s procedures address regarding requests for withdrawal of consent? Select all that apply.
When and how consent may be withdrawn
Rules for communicating with individuals
Methods for withdrawing consent
Documentation of requests and actions taken

A

All of them

190
Q

Upon request from an individual, an organization must always provide access to their personal information and information about the processing performed upon it.
True
False

A

False

191
Q

Under the EU’s General Data Protection Regulation, erasure entails not only deleting personal data but also informing regulators once the personal data has been deleted.
True
False

A

False

192
Q

Internal procedures for handling privacy-related complaints should implement a centralized intake process.
True
False

A

True

193
Q

A _ compromises the confidentiality, integrity or availability of data and may not require notification. A _ results in the confirmed disclosure of data to an unauthorized party and requires external notification.

A

incident; breach

194
Q

Only the _ or _ should declare a breach.

A

privacy office; legal office

195
Q

Data breach risks to organizations include:

A

loss of revenue, legal and regulatory costs, loss of business, loss of consumer trust, impact on business relationships and damage to public perception

196
Q

Data breach risks to individuals include:

A

emotional distress, identity theft, personal reputational harm and financial damage

197
Q

The top cause of data breaches is _, which may involve malware, hacking or phishing attempts. Other common causes are device loss or theft and unintended disclosure of information.

A

malicious or criminal attacks

198
Q

An organization must determine _ associated with collected data and _ affected individuals

A

who is liable for harm; who should notify.

199
Q

While prevention focuses on ways to stop an incident or breach from occurring, _ focuses on measures for optimally responding to one.

A

preparedness

200
Q

_ are vital in preparing for an incident. All employees should have a basic understanding of security procedures and how to report a suspected incident.

A

Training and awareness

201
Q

A common incident preparedness training activity is _, a structured, readiness-testing simulation involving members of multiple departments.

A

the tabletop exercise

202
Q

_ is a key step in incident preparation. The organization must determine who will lead the plan creation, gather information, and develop processes and procedures.

A

Creating a formal incident response plan

203
Q

There is no _, and an organization must consider how it will classify an event as a privacy incident or a breach.

A

one definitive way to detect a breach

204
Q

Some breach response tasks may happen in parallel. It can be helpful to think about them in these categories:

A

securing your operations, notifying appropriate parties and fixing vulnerabilities

205
Q

Securing operations involves _ immediately to prevent further loss.

A

mobilizing the breach response team

206
Q

After ensuring a breach is contained, organizations should begin _

A

analyzing vulnerabilities and addressing third parties that might have been involved.

207
Q

Internally, response teams must _ to executives, so they know they are as informed as possible.

A

manage expectations around communications

208
Q

When communicating news of a breach, it is important to coordinate efforts across steps and keep messages consistent in all communications. Messaging should be consistent for several reasons, including

A

to help avoid issues with legal liability and a loss of trust and consumer confidence.

209
Q

Internal and external announcements should be delivered

A

around the same time to avoid leaks, align messaging and demonstrate transparency.

210
Q

At minimum, internal communications to employees about a breach should convey the following:

A

information that may affect how they do their jobs; what to keep confidential or internal; and the designated press contact.

211
Q

Where there is _, notification may not be desirable. Factors to consider include

A

no legal obligation to notify;
the nature of the data elements breached, number of individuals affected and whether the breach is likely to lead to harm.

212
Q

Breach investigation is a subset of breach response and occurs once _.

A

breach investigators conclude that sensitive information has been compromised

213
Q

Breach investigators can:

A

capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps.

214
Q

Breach reporting obligations for legal compliance vary by jurisdiction, but tend to adhere to certain principles, including

A

preventing harm, collection limitation, accountability, monitoring and enforcement, and mandatory reporting.

215
Q

The major categories of costs for a data breach are

A

legal, first-party, remediation and intangible costs.

216
Q

Legal costs
- _
First-party costs
o _
Remediation costs
* _
Intangible costs
> _

A
Legal costs
- Punitive costs
First-party costs
o Legal counsel
o Crisis management/PR
o Forensic investigators
o Call center support
o Equipment replacement and security enhancements
o Insurance
o Card replacement
o Employee training
Remediation costs
* Victim notification
* Remediation offers and oversight
* Victim damages
Intangible costs
> Lost revenue and stock value
> Customer retention
> Opportunity costs

217
Q

Cyber liability insurance may be a viable funding source for helping to offset breach response and recovery costs, such as:

A

Forensic investigations
Outside counsel fees
Crisis management services
PR experts
Breach notification
Call center costs
Credit monitoring
Fraud resolution services

218
Q

One way to learn from a breach is to _

A

conduct a breach or incident response review.

219
Q

Questions for determining whether a breach occurred and identifying the affected data (case study: One Earth and AtlantiPulse)

A
  • Was there indeed a data breach? If so, what data was exposed?
  • Has the original vulnerability at the third-party vendor been resolved?
  • What type(s) of data was impacted?
  • Where was the data located?
  • How much data was affected?

220
Q

Questions for notifying stakeholders (case study: One Earth and AtlantiPulse)

A
  • Which stakeholders must be notified?
  • Who else must be notified: regulators, media, AtlantiPulse customers?
  • What recourse may AtlantiPulse, through One Earth, need to offer affected parties?

221
Q

Questions for following a process (case study: One Earth and AtlantiPulse)

A
  • Do One Earth and AtlantiPulse have incident management processes in place?
  • Is there a decision tree for notifications and actions in the event of a data breach?

222
Q

Questions for identifying vendor issues (case study: One Earth and AtlantiPulse)

A
  • Was there privacy-related language in the contract with which the vendor did not comply?
  • Did One Earth adequately assess AtlantiPulse’s third-party vendors during the acquisition?
  • Do all existing AtlantiPulse third-party contracts include consistent privacy-related language? If not, how does One Earth bring these contracts into compliance with the privacy language required by One Earth’s global privacy policy?
  • Does One Earth need to terminate this vendor because of the data breach?

223
Q

All breaches are incidents, but not all incidents are breaches.
True
False

A

True

224
Q

Which of the following is a potential risk to an organization, rather than an individual, in the event of a data breach?
Regulatory fines
Emotional distress due to the release of confidential information
Personal reputational harm
Financial damage from misuse of credit/debit cards

A

Regulatory fines

225
Q

Employee training for incident preparedness can help which of the following? Select all that apply.
Exposing gaps in applications, plans and procedures before an incident occurs
Reducing financial liability and regulatory exposure
Lowering breach-related costs, including legal counsel and consumer notification
Cultivating greater overall security for customers, partners and employees

A

All responses are correct

226
Q

Which of the following are critical duties of an organization’s legal team in planning and responding to an incident? Select all that apply.
Limiting liability and economic consequences
Advising on response requirements
Serving as an information conduit to employees
Establishing and maintaining a consistent message

A

Limiting liability and economic consequences; advising on response requirements

227
Q

The process of responding to a breach comprises tasks that may happen in parallel.
True
False

A

True

228
Q

Why might an organization choose not to notify affected individuals of a data breach? Select all that apply.
There is no legal obligation
The breach impacts a small percentage of those whose data the organization holds
The affected information is unusable or unlikely to cause harm
Notification may result in fines imposed on the organization

A

All responses are correct except Notification may result in fines imposed on the organization

229
Q

Though breach reporting obligations vary by jurisdiction, they tend to adhere to which of the following sets of principles?
Preventing harm, collection limitation, accountability, monitoring and enforcement, and mandatory reporting
Preventing harm, limiting access, storage limitations and mandatory disclosure
Preventing harm, protecting the public, accountability and transparency

A

Preventing harm, collection limitation, accountability, monitoring and enforcement, and mandatory reporting

230
Q

Legal counsel, call center support, employee training, crisis management and PR, and forensic investigators are all examples of what?
First-party costs associated with a data breach
External costs associated with a data breach
Breach prevention measures
Elements a privacy officer must oversee during breach response

A

First-party costs associated with a data breach

231
Q

When communicating about a breach, an organization should make internal announcements well in advance of external announcements.
True
False

A

False