Exam 4
73. This country takes a co-regulat ory app roach to privacy protection similar to that of Australia? A. I srael B. New Zealand C. Zimbabwe D. Moro cco
ANSW ER: B. Canada, Aust ralia , and New Zealand are three countries employing a co-regulatory model of privacy protection.
61. Wh ich organization is developing standards for a Do Not Track approach to online targeted advert ising? A. I nt ernational Organization for Standardizat ion ("IS O") B. Federal Trade Commission ("FTC") C. World Wide Web Consortium ("W3C") D. National I nstit ut e of Standards and Technology (" NI ST" )
ANSW ER: C. The Tracking Protection Working Group of the W3C is developing standards for online targeted advert ising, including a Do Not Track speci fication.
69. In which country is a person's salary considered a public record? A. Canada B. Sweden C. China D. Argentina
ANSWE R: B. In Sweden, tax returns are considered public records. Included within the tax return is a person's salary. Finland and Norway also treat tax returns as public records.
89. Which of the following is a type of administrative safeguard for personal information? A. Incident response procedur es B. Password authentication C. Locks for portable computing devices D. Firewalls
ANSWER : A. Administrative safeguards are admi nistrat ive actions, policies, and procedures that prot ect personal info rmat ion. An incident response plan or procedure is a type of administrative safeguard. Password authentication and firewalls are types of physical safeguards, while locks are physical safeguards.
53. Which security mechan ism is used for prevent ing unauthorized access to internal networks? A. Firewall B. Encryption C. Intrusion detection system D. Antivirus software
ANSWER : A. Firewalls are software or hardware solutions that prevent certain types of network traffic from ent ering an internal network in accordance with the firewall's policy. The other types of security mechanisms provided do not prevent unauthorized access to internal networks.
10 0. When may infor mation about an organization be considered personal infor mat ion ? A. Whe n the organization is a sole proprietorship B. When the organization is multi-national C. When the organization files taxes D. When the organizat ion is controlled by a single Board of Director
ANSWER : A. Generally, personal information is any infor mat ion describing an identified or identifiable individual ( in contrast to a corporation). However, when a company is a sole proprietorship, information describing the sole proprietorship may be traceable to a specific and identifiable individual. In such cases, infor mat ion about a sole proprietorship may constitute persona I informat ion .
31. Which of the following accurately describes an organizat ion's abi lit y to monitor its employees in the EU? A. Employee monitoring is permitted only within the physical areas owned by the organization B. Employee monitoring is never permitted C. Employee monitoring is permitted only with the express written consent of the employee D. Employee monitoring is permitted only when necessary for a specific purpose
ANSWER : D. In Europe, once an employer decides to monit or an employee, the Article 29 Working Party suggests that the organization follow the following seven basic principles: (1) an employer must determine whether the monitoring is absolutely necessary for the specified purpose, (2) data collected through the monitoring must respond to a "specified, explicit and legitimate" purpose and cannot be processed for a different purpose, (3) the employer must provide clear and open notice to employees about the monitoring, (4) employers may monitor only to safeguard their legitimate interests, while not violating an employee's fundamental rights, (5) personal data processed in connection with the monitoring must be adequate, relevant, and not excessive, (6) personal data must be updated and retained only for the period deemed necessary for the purpose to be achieved, and (7) the employer must implement all appropriate technical and organizational measures to ensure that any personal data is protected from alteration, unauthorized access, and misuse.
99. Which of the following types of information is always considered non-personal data? A. Email addresses B. Gender C. Salary D. Aggregated data
ANSWER : D. Personal data is any data that describes an ident ified or identifiable individual. "Anonymized," "de-identifi ed," and "aggregated" data are types of non-personal data because the data cannot be traced back to an identified or identifiabl e individua l.
15. Which country released a report in February of 2011 that provides guidance for utility companies on building smart grids with "privacy by design" principles? A. United Stated B. Canada C. Germany D. Australia
ANSWER B. The Information and Pr ivacy Commissioner of Ontario, Canada developed the " privacy by design" framework in the 1990s. It includes the following seven principles (1) Proactive not Reactive Preventative not Remedial (2) Privacy as the Default Setting (3) Privacy Embedded into Design, (4) Full Functionality - Positive-Sum, not Zero-Sum (5) End-to-End Security - Full Lifecycle Protection (6)Visibility and Transparency - Keep it Open and (7) Respect for User Privacy - Keep it User-Centric. In February 2011, the Information and Privacy Commissioner released a report titled "Operationalizing Privacy by Design The Ontario Smart Grid Case Study." The report provides guidance for utility companies on building smart grids with privacy by design principles.
39. Which country's privacy laws set forth specific and detailed requirements for the data protection officer (" DPO" ) of an organization? A. Germany B. Canada C. New Zealand D. Australia
ANSWER: A. A data protection officer ("DPO") is an individual (or group of individuals) responsible for data protection and privacy issues at an organization. Many organizations in Germany are obligated to formally appoint a data protection officer. Generally, companie s that permanently employ ten or more persons in the automated processing of personal data are required to appoint a DPO. Each DPO must have intimat e knowledge of Germany's data protection laws and possess other defined skills. Noncompliance may results in administrative fines for the organizat ion . Most countries other than Germany do not have specific requirements for the DPO.
7. Information security policies and procedures should be communicated to which employees of an organ izat ion? A. All employees B. Em ployees in the information securit y department C. Managers D. The chief executive officer
ANSWER: A. All employees should be trained in informat ion security best practices, and info rmat ion secur it y policies should be communicated to all employees, regardless of level. Even the lowest level employee can cause a security incident.
19. Which of the following is NOT a major reason why health information is considered sensitive in most jurisdictions? A. Drug companies may market new and untested drugs to individuals with ailments if health informat ion is not protected as sensitive infor mation B. Patients are forthcoming with their doctors when health information is protected as sensitive information C. Employers may treat employees unequally and potentially discriminate against employees if health information is not classified as sensitive information D. Health informat ion is inherently private and sensitive because it relates to the inner workings of a person's mind and body
ANSWER: A. Answers B, C, and D present the three major reasons why countries classify health information as sensitive information. The possibility of drug companies marketing untested drugs to consumers is not a major reason why health information is classified as sensitive personal information.
6. Which of the following is an industry-accepted formula for assessing in for mation security risk? A. Risk - Threat x Vulnerabilit y x Expected Loss B. Risk - Control - Threat / Vulnerability C. Risk - Threat + Vulnerability - Expected Loss D. Risk - Threat x Vulnerability / Control
ANSWER: A. As indicated by the correct formula, information security risk is directly related to three parameters: (1) threats, (2) vulnerabilities, and (3) expected loss. A threat is any circumstance that may cause an undesirable event, such as a data breach. A vulnerability is a weaknesses in an organiza tion 's information systems, policies, or procedures. When a threat exploits some vulnerabili t y, a security event that creates risk occurs. The amount of risk for a part icu lar security event is equal to the probability of the event occurring times the expected loss associated with the event. Answers B - D set forth incor rect formulations of information security risk.
79. Which of the following is the most appropriate mechanism for enabling a multinational European corporation to transfer data concerning EU residents from Europe to one of its offices in the United States? A. Binding corporate rules B. Contractual assurances C. U.S. Safe Harbor program D. I mplicit consent
ANSWER: A. Binding corporate rules ("BCR") are internal rules adopted by a multinational group of related companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection. Because the EU Commission has not deemed the U.S. as providing an adequate level of protection, a multinational corporation in Europe may adopt binding corporate rules with its offices in the U.S. to comply with the EU Data Protection Directive.
44. Which type of security measure may be used to prevent a cookie poisoning attack? A. Encryption B. Firewall C. Intrusion detection system D. Antivirus software
ANSWER: A. Cookie poisoning is the modification of a web cookie by an attacker in hopes of gaining unauthorized information about the user for illegitimate purposes, such as identity theft. To guard against cookie poisoning, websites that use cookies should protect them (for example, through encryption) before they are sent to a user's computer.
58. Which of the following is NOT a main source of informat ion security requirements? A. Customer complaints and recommendations B. Threats and vulnerabilities of an organization C. Legal, regulat ory, and contractual obligations D. An organization's information security and privacy policies
ANSWER: A. Customer complaints and recommendations are not a main source of security requirements. Generally, an organization should have reasonable security protecting personal information based on the C-I-A triad. To provide reasonable security, threats and vulnerabilities of an organization must be analyzed to determine the level of risk. Laws, regulations, and contracts that an organization has entered into generally contain security requirements for an organization. An organization's information security and privacy policies also generally include securit y requirements for different classes of information held or collected by the organization.
86. What is an important part of a privacy impact assessment? A. Identifying the types of information that are to be collected B. Controlling access to the results of the assessment C. Conducting the assessment immediately after a new project is implemented D. Ensuring that technical safeguards are protecting all personal information
ANSWER: A. During a privacy impact assessment, the data being collect e·d and its attributes must be closely anal yzed. Speci fically, what type of data is being collected, for what purpose, for how long, with whom is the data being shared, and the choices available to the data subject regarding processing should be considered and analyzed.
22. The federal Freedom of I nformat ion Act ("FOIA") covers which type of records? A. Executive branch records B. Congressional records C. Judicial records D. Records more than 10 years old
ANSWER: A. FOIA is a federal freedom of information law enacted in 1966, which allows for the full or part ial disclosure of previously unreleased information and documents controlled by the United States government. FOIA explicitly applies only to executive branch government agencies, and therefore it does not apply to legislative and judicial branch records. FOIA defines agency records subject to disclosure, outlines mandatory disclosure procedures, and grants nine statutory exemptions to disclosure, such as records containing trade secrets.
11. Which of the following is typically the final step when establishing an information security program? A. Monitor and review compliance with the security program B. Identify and evaluate risks C. Define the security policy D. Review complaints and evaluations
ANSWER: A. Generally, an information security program should be established by (1) defining the security policy and security management system (2) identifying and evaluating any risks, (3) selecting appropriate controls to address the identified risks, (4) obtaining managem ent approval of program, and (5) monitoring and reviewing compliance with the program. Therefore, monitoring and reviewing compliance with the security program is the final step of the process.
21. Which Latin American country was one of the first countries deemed by the EU Commission as providing an adequate level of protection? A. Argentina B. Chile C. Columbia D. Uruguay
ANSWER: A. In 2003, Argentina became the first Latin American country deemed by the EU Commission as providing an adequate level of protection. Argentina was also the first Latin American country to enact an omnibus data protection and privacy law. The EU Commission deemed Uruguay adequate in 2012. Chile and Columbia have not yet been deemed as providing an adequate level of protection.
65. Which of the following statements concerning PIPEDA is false? A. PIPEDA applies only to private organizations B. Under PIPEDA, an organization may disclose personal information without the consent of the data subject for debt collection purposes C. The Commissioner may audit any organization collecting personal information on Canadian citizens D. An organization may use personal information without consent of the data subject in emergency situations
ANSWER: A. PIPEDA applies to every organization across Canada that collects, uses, or discloses personal information in the course of commercial act ivit ies. Therefore, PIPEDA regulates both public and private organizat ions.
1. Which of the following may' be classified as an unfair trade practice by the FTC? A. A website's privacy notice clearly states that it will not encrypt sensitive personal information, and the website operator does not, in fact, encrypt the data B. An organization promises to honor opt-out requests within 10 days but fails to honor opt-out requests within the stated timeframe C. A rogue employee steals credit card information even though the organization took reasonable precautions to protect the credit card information D. A federally insured bank does not comply with a regulation prohibiting the bank from revealing information about its customers
ANSWER: A. Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices in or affecting commerce." Answer A is an example of an unfair trade practice because the website operator is not being deceptive, but the potential harm caused by the website operator's failure to encrypt sensitive data clearly outweighs the cost of providing encryption, a commonplace and inexpensive security control. Answer B is an example of a deceptive trade practice. When companies state that they will safeguard personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises. A violation of a promise made in a privacy notice is an example of a deceptive trade practice. Answer C is not an unfair trade practice 60 because the organization has implemented reasonable security measures, and the employee simply committed a crime, which is generally considered an unforeseeable event. Answer D is incorrect because the FTC has no jurisdiction over banks and common carriers, which are under the supervision of other governmental agencies.
37. Which country has NOT joined the European Economic Area ("EEA") but is part of the European Free Trade Associat ion ("EFTA")? A. Switzerland B. Norway C. Liechtenstein D. Iceland
ANSWER: A. Switzerland rejected the EEA agreement in a national referendum on December 6, 1992. Swit zerlan d is, however, a current member of EFTA ( along with Norway, Liechtenstein, and I celand ) .
97. The EU Data Protection Directive uses what term to refer to sensitive personal information? A. Speci al categories of data B. I nherently protected data C. Classified data types D. I ntrinsic data
ANSWER: A. The EU Data Protection Directive uses the term "special categories of dat a" to describe sensitive personal information. In accordance with the Dir ect ive, special categories of data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade- union membership, and the processing of data concerning healt h or sex life.
49. Which of the following is NOT a principle of privacy by design? A. Opt -in choice B. Privacy as the default setting C. Proactive not reactive D. End to end security
ANSWER: A. The Information and Privacy Commissioner of Ontario, Canada developed .the privacy by design framework in the 1990s. It includes the following seven principles (1) Proactive not React ive Preventative not Rem edial (2) Privacy as the Default Setting (3) Privacy Embedded into Design, ( 4) Full Functionality - Posit ive-Sum , not Zer o- Sum (5) End -to-End Security - Full Lifecycle Protection ( 6)Visibil ity and Transparency - Keep it Open and (7) Respect for User Privacy - Keep it User-Cent ric. Opt-in choice is not a principle of privacy by design.
35. Which of the following is a major criticism of comprehensive privacy and data protection laws? A. Cost of compliance out weighs the benefits in many industries B. Incompatible with the regimes of other. countries C. Encourages innovation in data processing D. Do not adequately protect personal information of minors
ANSWER: A. The main criticism of comprehensive privacy and data protection laws is that the cost of compliance outweighs the benefits in many industries. For example, onerous laws protecting sensitive informat ion, such as health information, may be war rant ed in some cases, but the same level of protection may not be needed for less sensitive information in other industries. A second major criticism of comprehensive privacy and data protection laws is that they discourage innovat ion in data processing because regulatory approval is first needed before organizations may use personal information in potentially innovative ways (for example, with online social networking). These regulatory hurdles may discourage innovat ion.
13. Effective information security considers what three cent ral factors? A. Confidentiality, integrity, and availability B. Accountability, integrity, and autonomy C. Confidentiality, integrity, and autonomy D. Redundancy, reliability, and availability
ANSWER: A. The most well-known model for information security is called the C-I-A triad, referring to Confidentiality, Integrity, and Availabilit y. Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems. Integrity refers to maintaining and assuring the accuracy and consistency of information over its entire lifecycle. Lastly, availability refers to the ability of authorized users to access the information. The C-I-A model is a global framework and is reflected in numerous information privacy laws across the world.
68. Which state was the first to enact rules governing the use and disclosure of consumer energy information from smart grids in the United States? A. California B. Florida C. Connecticut D. Massachusetts
ANSWER: A. The smart grid is an advanced metering system made up of smart meters capable of recording detailed and real-time data on consumer electricity usage that is then sent to a central hub for processing. In 2011, the California Public Utilities Commission ("CPUC") established privacy rules for California's Smart Grid that covered the collection of customer usage data from the electricity grid.
27. What is the basic rule for processing protected health informat io n under the Health Insurance Portability and Accountability Act (" HI PAA" ) ? A. Patients must opt-in before their protected health information is shared with other organizations unless the purpose is for treatment, payment, or healthcare operations B. Patients must opt-out before their protected health information is shared with other organizations unless the purpose is for treatment, payment, or healthcare operations C. Processing of protected health information is prohibited for all purposes without opt-in consent D. Processing of protected health information is prohibited for all purposes without opt-out consent
ANSWER: A. Under HIPAA's Privacy Rule, covered entities may disclose protected heath information (" PHI") to faciIitate treatment, payment, or heaIth care operations without a patient's express written authorization. Any other disclosure of PHI requires the covered entity to obtain written authorization from the data subject for the disclosure (that is, opt-in consent). In addition, when a covered entity discloses PHI, it must also make reasonable efforts to disclose only the minimum necessary information required to achieve its purpose.
74. After the Article 29 Working Party favorably evaluat ed this county's privacy law in 2010, the Eu ropean Commission formally approved this country as providing an adequate level of protection in 2012? A. Uruguay B. Mexico C. Hong Kong D. Japan
ANSWER: A. Uruguay was deemed adequate in 2012. Before Uruguay, the Working Party favorably evaluat ed Israel in 2009, and the European Commission formally approved Israel as providing adequate protection in 2011.
12. Employee training on information security best practices is what type of security control? A. Physical control B. Administrative control C. Technical control D. Third-party control
ANSWER: B. Administrative controls are administrative actions, policies, and procedures that protect information. Employee training and incident response plans are types of administrative controls. Password authentication and firewalls are types of technical controls, while locks are examples of physical controls.
33. What is the effect of incorporating the standard contractual clauses of a model contract approved by the EU Commission into an international agreement between a data controller locat ed in Germany and a data processor incorporated in the United States? A. Personal data may flow from the data processor to the data controller B. Personal data may flow from the data controller to the data processor C. The data controller is now a company providing an adequate level of protection D. The data controller may now transfer personal data within the EU member states
ANSWER: B. After incorporating the standard contractual clauses of a model contract into an agreement, personal data may flow from a data controller established in any of the 27 EU member states and three EEA member countries (Norway, Liechtenstein and Iceland) to a data controller or to a data processor established in a country not ensuring an adequate level of data protection, such as the United States. The EU Commission has so far issued two sets of standard contractual clauses for transfers to data controllers established outside the EU/EEA and one set of contractual clauses to data processors established outside the EU/EEA. Answer A is incorrect because model contracts affect the ability to transfer personal data out of the EU and into countries that do not provide an adequate level of protection. Answer C is incorrect because as a data controller in Germany operating under German law the data controller is already operating in a country that provides an adequate level of protection. Answer D is incorrect because the data controller is capabl e of transmitting personal data within the EU by virtue of being in compliance with German law and a model contract is not needed. Again, model contracts permit the transfer of personal information from the EU into countries not providing an adequate level of protection, such as the United States.
17. Which of the following accurately describes the EU Data Protection Directive? A. It applies to personal information held by the private sector and not the government B. There are typically less strict legal rules for government organizations that hold personal information than for private organizations C. Sensitive information is referred to as " pr otected classes of data" D. Business contact informat ion is classified as sensitive information
ANSWER: B. Alt hough the EU Data Protection Directive applies to both the public and private sectors, less strict legal rules generally apply to government agencies than to private organizations. For example, the processing of personal information may occur without consent if the processing is necessary to perform tasks related to the public interest or tasks carried out by official authorities. The EU Data Protection Directive uses the term "special categories of data" to describe sensitive personal information (not "protected classes data"). In accordance with the Directive, special categories of data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life. Business contact information is not classified as sensitive information.
81. When transferring personal data from Europe to the United States, which type of consent in needed from the data subjects? A. Implied consent B. Unambiguous consent C. General consent D. Advance consent
ANSWER: B. Article 26(1) of the EU Data Protection Direct ive states that transfers of personal data to a third countries which do not ensure an adequate level of protection may take place if the data subject has " given his consent unambiguously to the proposed transfer." Other exceptions include: (1) the transfer is necessar y for the performance of a contract between the data subject and the controller, (2) the transfer is necessar y for the conclusion or performance of a contract concluded in the interest of the data subject, (3) the transfer is necessary or legally required on important public interest grounds, and (4) the transfer is necessary in order to protect the vital interests of the data subject.
71. What is the original purpose of bank secrecy laws? A. To enable banks to better share information B. To protect customer's financial information C. To permit access of financial data by government authority for national security purposes D. To ensure creditors have appropriate access to a debtor's financial information
ANSWER: B. Bank secrecy is a legal principle in some jurisdictions under which banks are not allowed to provide to aut horities personal and account informat ion about their customers unless certain conditions apply (for example, a criminal complaint has been filed). Bank secrecy laws are routinely crit icized because they may enable money laundering.
59. What is the relationship between information security and information privacy? A. I nf ormation security is concerned only with the unauthorized access of personal information, whereas information privacy addresses the use and confidentiality of personal inform at ion B. I nformation security is a necessary component of information privacy C. I nfo rmat ion privacy is a subset of information securit y D. I nformat ion security is concerned with the unauthorized access, use, and confidentialit y of personal information, whereas information privacy addresses only the use of personal informat ion
ANSWER: B. Both information secur ity and infor mation privacy deal with the access, use, and confidentiality of information. Information security is one necessary component of information privacy. I nformation privacy also addr esses the data subject's rights with respect to the personal information (for example, the right to correct and control processing of his personal inform ation) .
5. Which country takes a co-regulatory approach to privacy protection? A. Israel B. Canada C. Zimbabwe D. Morocco
ANSWER: B. Canada, Australia, and New Zealand are three countries employing a co-regulatory model of privacy protection.
46. Which country tak es a co-regulat ory approach to privacy? A. Germany B. Australia C. Zimbabwe D. Morocco
ANSWER: B. Canada, Australia, and New Zealand are three major countries employing a co-regulatory model of privacy protection.
78. The Children's Online Privacy Protection Act ("COPPA") prevents website operators from performing what activity? A. Creating a website with content designed for children under 13 years of age B. Collecting personal information from children under 13 years of age C. Displaying a picture of a child after obtaining verifiable parental consent D. Operating a website that is geared towards children in the United States with storage servers located outside the United States
ANSWER: B. Generally, COPPA applies to the online collection of personal information from children under 13 years of age. COPPA details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online, including restrictions on the marketing to those under 13 years of age.
23. When a website operator states in its privacy notice that it will not share financial informat ion with third parties and then shares financial information with a third-party affiliate, what recourse may occur? A. The FTC may bring an action for unfair competition against the operator B. The FTC may bring an action for a deceptive trade practice against the operator C. A user of the website may bring a criminal complaint against the operator D. The FTC may bring an action under Section 7 of the FTC Act
ANSWER: B. If an organization fails to comply with its privacy notice, it may be held liable by the FTC for a deceptive trade practice under Sect ion 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commer e." When companies state that they will safeguard personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises. A violation of a promise made in a privacy notice is an example of a deceptive trade pract ice. The distinction between a deceptive trade practice and an unfair trade practice is often tested on the exam.
4. In which country is a person's tax return considered a public record? A. Canada B. Norway C. China D. Argentina
ANSWER: B. In Norway, tax returns are considered public records. Included within the tax return is a person's salary. Therefore, in Norway a person's salary is also a matter of public record. Finland and Sweden also treat tax returns as public records.
48. Which of the following statements accurately describes the information quality principle? A. I nform at ion should only be accessible to those with a need to know B. I nformat ion should be accurate, complete, and relevant to the purposes of the processing C. Sensitive information should be protected with greater security measures than non sensitive informat ion D. Information should be destroyed when it is no longer needed
ANSWER: B. Information quality is evaluated according to three metrics: (1) accuracy, (2) completeness, and (3) relevancy. Although the other answers all convey general information security principles, only answer B is directly related to information quality.
76. Which Middle East country requires that databases of more than 10,000 persons be registered with the government? A. Iran B. Israel C. Egypt D. Iraq
ANSWER: B. Israel's Protection of Privacy law requires registration of any database that includes information about more than 10,000 persons. More specifically, it requires registration of a database if (1) the database includes information about more than 10,000 persons (2) the database includes sensitive information (3) the database includes information about persons and the information was not provided to the database by them, on their behalf or with their consent ( 4) the database belongs to a public body or (5) the database is used for direct mail. In 201 1, the EU Commission decided that Israel is a country providing an adequate level of protection.
20. Which Middle East country requires that databases storing sensitive personal information be registered with the government? A. Iran B. Israel C. Egypt D. Jordan
ANSWER: B. Israel's Protection of Privacy law requires registration of any database that includes sensitive information. More specifically, it requires registration of a database if (1) the database includes information about more than 10,000 persons (2) the database includes sensitive information (3) the database includes information about persons and the information was not provided to the database by them, on their behalf, or with their consent (4) the database belongs to a public body or (5) the database is used for direct mail.
95. Which of the following is an example of personal information from a public record in the United States? A. Heath plan number from an insurance card B. Name and address of an owner of a piece of real estate from a real estate deed C. Driver's license number from a government issued citation D. Genetic information from a private genome project
ANSWER: B. Pu blic records are information collected and maintained by the government and that are available to the public. Public records include real estate deeds, birth and marriage certificates, tax liens, and other data recorded by the government and made available for public inspection.
64. The Do Not Call Registry applies to what type of marketing? A. Email marketing B. Telemarketing C. Unsolicited commercial messages D. Educat ional marketing
ANSWER: B. Pursuant to its authority under the Telephone Consumer Protection Act ("TCPA"), the Federal Communication Commission ("FCC") established, together with the Federal Trade Commission ("FTC"), a national Do Not Call Registry in 2003. The registry is nationwide in scope, applies to all telemarketers (with the exception of certain non profit organizations), and covers both interstate and intrastate telemarketing calls. Commercial telemarketers are not allowed to call you if your number is on the registry, subject to certain exceptions.
55. What is the most common form of monitoring employed in an information security system? A. Intrusion detection systems B. System logs C. Key loggers D. Video monitoring
ANSWER: B. System logs that record security related events, such as valid and invalid logins, are the most common form of monitoring in an information security system.
62. The EU e-Privacy Directive requires what type of consent before a cookie may be placed on a user's computer? A. Written consent B. Affirmative consent C. Opt-out consent D. Parental consent
ANSWER: B. The EU e-Privacy Directive requires affirmative, opt-in consent for cookies. Specifically, the Directive requires that "the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information."
32. Which of the following accurately describes the provisions of the EU e-Privacy Directive? A. The Directive takes an opt-out approach to unsolicit ed commercial electronic communications B. The Directive takes an opt -in approach to unsolicited commercial electronic communications C. The Directive requires express written consent for marketing to minors D. The Directive allows inferred consent for marketing to minors
ANSWER: B. The EU e-Privacy Directive takes an opt in approach to unsolicited commercial electronic communications (that is, users must provide their prior consent before such communications are addressed to them). The Directive does not expressly address marketing to minors.
28. In accordance with the Health Insurance Portability and Accountability Act ("HIPAA"), the Department of Health and Human Services ("HHS") has promulgated which of the following rules to address the handling of protected health information? A. Transaction Rule and Equal Access Rule B. Privacy Rule and the Security Rule C. Privacy Rule and Equal Access Rule D. Security Rule and the Notification Rule
ANSWER: B. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to define policies, procedures, and guidelines that covered entities must adhere to for maintaining the privacy and security of individually identifiable protected health information (" PHI "). Covered entities generally include healthcare clearinghouses, employer sponsored health plans, health insurers, and healthcare providers. As directed by Title II of HIPAA, the Department of Health and Human Services ("HHS") has promulgated two important rules to address the handling of PHI: (1) the Privacy Rule and (2) the Secur ity Rule.
91. The Interactive Advertising Bureau ("IAB") uses a privacy policy in the form of what for behavior tracking? A. Contract B. Icon C. Sign D. Brochure
ANSWER: B. The IAB has developed a comprehensive self-regulatory program for online behavioral ad vert ising. The program promotes the use of an icon and accompanying language to be displayed in or near online adve rt isement s or on web pages where data is collected and used for behavioral advertising.
88. The United States takes what approach to privacy protection? A. Comprehensive B. Sectoral C. Co-regulatory D. Self-regulatory
ANSWER: B. The United States and Japan take a sectoral approach to privacy protection in which sector specific laws are enacted as opposed to a general, more comprehensive data protection law. The EU is a notable jurisdiction with a comprehensive privacy law. Canada, Australia, and New Zealand are three major countries employing a co-regulatory model of privacy protection.
92. What are the two primary purposes of a pr ivacy notice? A. Trust and corporate accountability B. Con sum er education and corporate accountability C. Trust and compliance D. Compliance and consumer education
ANSWER: B. The primary purpose of a privacy notice is to educate the consumer about an organization's privacy practices and the options that the consumer has with respect to processing of the consumer's personal information. The secondary purpose is to hold organizations accountable for following the terms and conditions specified in their privacy notice. If an organization fails to comply with its privacy notice, it may be held liable by the FTC for a deceptive trade practice. When companies state that they will safeguard personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises.
40. What was one of the primary purposes of the 2009 Madrid Resolution regarding the International Standards on the Protection of Personal Data and Privacy? A. To protect minors from the unauthorized collection of personal information B. To define a set of principles and Fights guaranteeing the effective and internationally uniform protection of privacy C. To establish penalties for those responsible for violating the privacy rights of individuals D. To limit the use of automated processing of personal data
ANSWER: B. The stated purposes of the International Standards on the Protection of Personal Data and Privacy, which was adopted as part of the 2009 Madrid Resolution, are to (1) define a set of principles and rights guaranteeing the effective and internationally uniform protection of privacy with regards to the processing of personal data and (2) facilitate the international flow of personal data needed in a globalized world.
85. When should a privacy impact assessment occur? A. After implementation of a new project B. When a system holding personal information is decommissioned C. Before the onset of a new project and periodical ly thereafter D. Each fiscal year
ANSWER: C. A privacy impact assessment is an analysis of how information is processed to ensure the processing conforms to all applicable legal, regulatory, and policy requir ements. An assessment should be completed before implementat ion of a privacy project and should be ongoing through its deployment.
43. What type of log should record events related to a database? A. Security log B. System log C. Application log D. Device log
ANSWER: C. An application log records events that are triggered by the applications used on a computer system, such as a database applicat ion. Events that are written to the application log are determined by the developers of the software program, not the operating system. A security log is used to track securit y- relat ed informat ion on a computer system. The security log typically contains records of login/logout activity and other security- related events specified by the system's audit policy. A system log contains events that are logged by the operating system and its components, such as device drivers.
9. What is the name of the backward looking process used to analyze how effectively an information securit y program has operated in the past? A. Mon it oring B. Obser vation C. Assessment D. Planning
ANSWER: C. An assessment is the process used to evaluate how effectively an information security program has operated in the past. It generally includes an inventory all of data assets stored at an organization and the systems responsible for processing the data assets. Monitoring, observation, and planning are generally contemporaneous, or forward looking, processes.
24. The Children's Online Privacy Protection Act ("COPPA") applies to whom ? A. Operators of websites soliciting business in the United States B. Operators of websites soliciting financial information from customers in the United States C. Operators of commercial websites that are directed to children under 13 years of age D. Operators of commercial websites that are directed to children under 18 years of age
ANSWER: C. COPPA was enacted in 1998 to curtail the collection of personal information from children. The Act applies to websites and online services operated for commercial purposes that are either directed to children under the age of 13 or have actual knowledge that children under 13 are providing information online. In addition to requiring operators of these websites to conspicuously post a privacy notice, COPPA also requires that the website operator obtain verifiable parental consent prior to any - ------ collection, use, or disclosure of personal info rm at ion from persons under the age of 13.
66. Data protection laws in Latin America are largely based on what principle? A. Ombudsmen B. Sensitive categories of data C. Habeas data D. Data protection authorities
ANSWER: C. Habeas data is a writ and constitutional remedy available in most Latin American countries. The literal translat ion from Latin of habeas data is "you have the data." The remedy varies from country to country, but in general, it is designed to protect, by means of an individual complaint presented to a constitutional court, the image, privacy, honor, and freedom of informat ion of a person.
60. In which cloud computer service model do users rent computing resources, such as storage, net wor k capacit y, and other resources? A. Software as a service ( Saas ) B. Platform as a service (PaaS) C. I nfrastruct ure as a service (IaaS) D. Hardwar e as a service (HaaS)
ANSWER: C. I aaS is the most basic cloud service model. In I aaS, users rent computing resources, such as storage, networ k capac it y, and processing power from cloud providers. The cloud provider owns the equip ment and is responsible for housing, running, and m aint aini ng it. Under PaaS, cloud providers deliver a computing plat form , typically including an operating system, database, and web server. Web developers build and publish web applications using the platfor m. Finall y, with Saas, applications are hosted by the cloud vendor in the cloud. Customers typically access the applications through a web browser over the Internet. Saas is often referred to as " on-demand software. "
50. Which of the following is NOT a main reason for organizations to protect personal information? A. Prevention of data breaches B. Compliance with regulations C. Increased cost D. Avoidance of lawsuits
ANSWER: C. I ncr eased cost is not a reason for organizations to protect personal information. Prevention of data breaches, compliance with laws and regulat ions, and avoidance of lawsuits and regulatory actions are the main drivers for protecting personal infor mat ion. Additional reasons for prot ectin g personal informat ion include (1) meeting customer expectations and (2) building a positive reputation.
75. Japan's Act on the Protection of Personal Information Act defines "principal" as which entity? A. Data processor B. Data controller C. Data subject D. Data importer
ANSWER: C. In accordance with Japan's Protection of Persona l Information Act, the term " principal" or " person" is the specific individual identified by the personal information (that is, the data subject).
82. In acco rdance with the EU Data Protection Directive, unambiguous consent is achieved through what action? A. An advanced waiver of right B. An express verbal indication C. Any freely given specific and informed indication D. None of the above
ANSWER: C. In accordance with the EU Data Protection Direct ive, the data subject's unambiguous consent means "any freely given specific and informed indicat ion of his wishes by which the data subject signifies his agreement to personal data relating to him being processed."
52. Falsifying or "spoofing" a network address so that informat ion is sent to an attacker as opposed to its intended recipient is an example of what type of attack? A. Robust attack B. Redundant attack C. Network layer attack D. Application layer attack
ANSWER: C. Network layer attacks are those that exploit the networking protocol. Spoofing and denial of service ("DoS") attacks are two types of network layer attacks. Application layer attacks exploit applications running on network servers, such as email and database app lications. Application layer attacks are the most common type of attacks because any given network may have dozens of network applications that may be exploit ed.
93. Which of the following is NOT considered personal infor mat ion about an employee held by the human resources department of an employer? A. Sick leave requests B. Salary C. Title D. Performance evaluations
ANSWER: C. Personal information is any information about an identifi ed or identifiable individual. Sick leave request s, sala ry, and performance evaluations are typically unique to a particular person and therefor e constitute personaI information. An employee's j ob title, on the other hand, is not typically unique. Accordingly, a title is not generally considered personal data. In other words, " t it le" is the data element least likely to uniquely identify an individual and therefore is the correct answer.
38. Which of the following may be considered personal information? A. Information about an organization's competitors B. Information about a company's financial well being C. Information about an organization's business leads or prospects D. Information about a company's physical address
ANSWER: C. Personal information is any information about an identified or identifiable individual. An organization's customers and prospects may be individuals, and therefore informat ion about them may be classified as personal information. The other answer choices all relate to information about an organization (as opposed to an individual), and therefore are not types of personal information.
98. In the EU, which of the following types of information is considered a special category of data? A. Country identification number B. Gender C. Political opinions D. Driver's license number
ANSWER: C. The EU Data Protection Directive uses the term "special categories of data" to describe sensitive personal information . In accordance with the Directive, special categories of data include personal data revealing racial or ethnic origin, political opinions , religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life .
45. The EU Commission has classified which of the following countries as providing an adequate level of privacy protection? A. I srael B. Australia C. Argentina D. Morocco
ANSWER: C. The European Com mission has classified the following major countries as providing an adequate level of privacy prot ection: Swit zerland, Canada, Andorra, Ar gentina, I celand , Liechtenstein, and Israel.
83. Which regulatory agency does NOT enforce or certify com pliance with the U.S. Safe Harbor program? A. FTC B. Department of Transportation C. FCC D. Department of Commerce
ANSWER: C. The European Union ("EU") Data Protection Directive prohibit s the transfer of personal data to non-Eu ropean Union countries that do not meet the Eur opean Union (EU) "adequacy" standard for privacy protection. While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy than that of the EU. The U.S. Department of Commerce in consultation with the European Commission developed the Safe Harbor framework to bridge these differences in approach and provide a stream lined means for U.S. organizations to comply with the Dir ective. Only U. S. organizations subject to the j ur isdiction of the Federal Trade Commission (" FTC") or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transport at ion (" DoT") may participate in the Safe Harbor program. The FTC and DoT enforce the program while the Department of Commerce receives annually certifications of compliance from those organizations participating in the program.
29. Which of the following is NOT a privacy principle of the Safe Harbor program developed by the Department of Commerce in consultation with the European Commission? A. Notice B. Onward transfer to third parties C. Equal Opportunity D. Security
ANSWER: C. The European Union ("EU") Data Protection Directive prohibits the transfer of personal data to non-EU countries that do not meet the EU's " adequacy" standard for privacy protection. While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy than that of the EU. The U.S. Department of Commerce in consu ltat ion with the European Commission developed the Safe Harbor framework to bridge these differences in approach and provide a streamlined means for U.S. organ izat ions to comply with the EU's Data Protection Directive. Organizations desiring to join the program must comply with the seven Safe Harbor privacy principles, which are: (1) notice, (2) choice, (3) onward transfer to third parties, (4) access, (5) security, (6) data integrity, and (7) enforcement.
57. What step should be performed first after defining the security policy when creating an information security program? A. Monitor and periodically review the security program B. Select controls for managing risk C. Identify, analyze, and evaluate risk D. Establish the scope of the information security system
ANSWER: C. The basic procedure for creating an information security program is (1) establish the scope of the information security system, (2) define the security policy, (3) establish a protocol for risk assessment, (4) ident ify, analyze, and evaluate risk, ( 5) select controls for managing the identified risk, (6) obtain management approval of any residual risk, and (7) monitor and periodically review the security program.
3. Which of the following is NOT a principle set forth in the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data adopted by the Organization for Economic Coope rat ion and Development in 1980 ("OECD Guidelines")? A. Collection Limitation B. Openness C. Mutual Consent D. Security Safeguards
ANSWER: C. The eight principles contained in the OECD guidelines are: (1) collection limitation principles, (2) data quality principle, (3) purpose specification principle, (4) use limitation principle, (5) secur ity safeguards principle, (6) openness principle, (7) individual participation principle, and (8) accountability principle. Mutual consent is not one of the principles in the OECD guidelines.
80. What is one of the primary purposes of the FCRA? A. Give employers the right to correct credit reports for their employees B. Encourage the dissemination of consumer data to foreign companies with a need to know the data C. Limit the use of consumer reports to permissible purposes D. Allow data reporters to place a debt on a consumer's credit report if they have a reasonable suspicion of the debt
ANSWER: C. Under the FCRA, a consumer report may only be acquired for a "permissible purpose." Section 604 of the FCRA sets forth the circumstances that are considered permissible, including with the written instruct ions of the consumer to whom the credit report relates.
18. Wiret ap laws primarily protect what type of information? A. The identity of the sender and receiver of communications B. The location of the sender and receiver of communications C. The content of communications D. The date and time of communications
ANSWER: C. Wiretapping is the monitoring of telephone and Internet conversations by a third party, often through covert means. Wiretap laws primarily protect the content of communications. While wiretaps can reveal the identity and location of the sender and receiver, as well as the date and time of a communication, these facts are all secondary types of information that may be protected when disclosed by the content of the communication. Therefore, C is the correct answer.
2. In which service model of cloud computing are applications hosted by the cloud provider in the cloud and typically accessed by users through a web browser? A. Infrastructure as a service ("IaaS") B. Platform as a service ("PaaS") C. Software as a service ("SaaS") D. Network as a service ("NaaS")
ANSWER: C. With Saas, applications are hosted by the cloud provider in the cloud. Customers typically access the applications through a web browser over the Internet. Saas is often referred to as "on-demand software." IaaS is the most basic cloud service model. In IaaS, users rent computing resources, such as storage, network capacity, and processing power from cloud providers. The cloud provider owns the equipment and is responsible for housing, running, and maintaining it. Under PaaS, cloud providers deliver a computing platform, typically including an operating system, database, and web server. Web developers build and publish web applications using the platform.
30. A system log should record which events? A. Valid logins and invalid login attempts B. Database errors C. Application errors D. Device driver failures
ANSWER: D. A system log records events that are logged by the operat ing system and its components, such as device drivers. A security log is used to track security-related information on a computer system. The security log typically contains records of login/ logout activity and other security-related events specified by the system's audit policy. An application log records events that are triggered by the applications used on a computer system, such as database application s. Events that are written to the applicat ion log are determined by the developers of the software program.
56. What is the initial step when creating an effective information security system for an existing organization? A. Define the security policy B. Select controls for managing risk C. Identify, analyze, and evaluate risk D. Conduct an information assessment
ANSWER: D. An information assessment is the first step when creating an effective information security system at an organization. Before a privacy practitioner can develop an information security system, he must assess what information is currently being collected at the organization and what information technology systems are being used to process the information. Only after the practitioner has a solid understanding of the information and systems in place can he develop an effective information security system.
34. Which of the following is NOT an exception to the EU Data Protection Directive's requirement that t ransfers of personal data may only be made to countries which ensure an adequate level of protection? A. The transfer is necessary for the performance of a contract between the data subject and the controller B. The transfer is necessary in order to protect the vital interests of the data subject C. The transfer is necessary or legally required on import ant public interest grounds D. The transfer is made to the data subject's next of kin or guardian
ANSWER: D. Article 26(1) of the EU Data Protection Directive states that transfers of personal data to a country which do not ensure an adequate level of protection may take place if the data subject has " given his consent unambiguously to the proposed transfer." Other exceptions include: (1) the transfer is necessar y for the performance of a contract between the data subject and the controller, (2) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject, (3) the transfer is necessary or legally required on important public interest grounds, and ( 4) the transfer is necessary in order to protect the vital interests of the data subject. Answers A, B, and C set forth valid exceptions. Transfers to the data subject's next of kin or guardian are not exempted.
51. Article 8 of the European Convention on Human Righ t s (" ECHR " ) provides protection for what privacy right? A. Electronic communications B. DNA profile C. IP address D. Private and family life
ANSWER: D. Article 8 of the ECHR provides a right of respect for a person's "private and family life," subject to certain restrict ions.
16. When do confidentiality and privacy issues exist with respect to human resources information? A. During the candidate screening and interview process B. During employment C. After an employee is terminated or discharged D. All of the above
ANSWER: D. Confidentiality and privacy issues exist whenever an organization is holding personal information concerning its prospective, current, or former employees. Therefore, privacy issues exist before, during, and after employment, including (1) at the screening and interview stage, (2) during employment, and (3) after termination.
77. Which of the following is NOT exempt from disclosure under the Freedom of Information Act ("FOIA")? A. Records containing trade secrets B. Records containing the location of oil wells C. Records describing the data handling practices of financiaI inst it ut ions D. Records pertaining to federal regulatory agencies, federal employees, and federa l agents
ANSWER: D. FOIA has the following nine exemptions: (1) those documents properly classified as secret in the interest of national defense or foreign policy (2) related solely to internal personnel rules and practices (3) specifically exempted by other statutes (4) a trade secret or privileged or confidential commercial or financial information obtained from a person (5) a privileged inter-agency or intra-agency memorandum or letter (6) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy (7) compiled for law enforcement purposes (8) contained in or relat ed to examination, operating, or condition reports about financial institutions and (9) those documents containing exempt information about gas or oil wells. Answers A, B, and C fall in exemptions (4), (9), and (8), respectively. Answer Dis not a recognized exemption and therefore is the correct answer.
84. Which of the following is not considered an example of the self-regulatory model of data protection? A. Payment Card Industry Data Security Standard ("PCI DSS") B. Online Privacy All iance C. TRUSTe D. ISO 27001
ANSWER: D. I SO 27001 specifies a manage ment system that is intended to bring information security under explicit management control. ISO 27001 requires that management (1) systematically examine the organization's information security risks, (2) design and implement a coherent and comprehensive suite of informat ion security controls to address those risks, and (3) adopt an overarching management process to ensure that the selected information security controls continue to meet the organization's information security needs on an ongoing basis. ISO 27001 (unlike PCI DSS, the Online Privacy Alliance, and TRUSTe), is not an example of the self-regulatory model of data protection.
96. Which of the following is a privacy implication of an IPv6 internet address? A. IPv6 allows for fewer IP address than its predecessor IPv4 B. IPv6 and IPv4 are interoperable C. IPv6 is less secure than an IPv4 address D. IPv6 use a new addressing scheme that may make it easier to associate an address with a specific individual
ANSWER: D. IPv6 uses 128- bit addresses, resulting in approximately 3.4 x 1038 unique addresses, or more than 7.9 x 1028 times as many addresses as IPv4, which uses only 32- bit addresses. In IPv4, the effort to conserve address space with network address translat ion (" NAT") helped obfuscate network address spaces, hosts, and topologies, thereby increasing privacy protection. I n I Pv6, however, when using address aut o-configuration , the int erface ident ifi er (or MAC address) of an interface port is used to make its public IP address unique, potentially exposing the type of hardware used and providing a unique handle for a user's online activity. Therefore, IPv6's new addressing scheme may make it easier to associate an address wit h a specific ind ividual, thereby creating a privacy concern.
70. Which data element has recently become important because of the increasing use of smart phones? A. Voice recordings B. Telephone records C. IP addr ess D. Location
ANSWER: D. Location is a data element that is becoming increasingly important from a privacy perspective. Smart phones and other telecom municat ions devices can determine your locat ion in real- tim e to uniquely identify a person.
47. Which of the following is NOT a requirement of the Personal Information Protection and Electronic Documents Act (" PI PEDA " ) ? A. Organizations covered by the Act must obtain an individual's consent when they collect, use or disclose the individual's personal information B. The individual has a right to access personal information held by an organization and to challenge its accuracy C. Personal information can only be used for the purposes for which it was collected D. Organizations covered by the Act must provide an annual privacy notice to their customers
ANSWER: D. PIPEDA is a Canadian data privacy law that codifies the fair inform ation principles. Therefore, A, B, and C are requirements of the Act. Annual privacy notices are not required as long as an organ izat ion 's rules for processing personal informat ion are clear and transparent.
94. Which of the following is NOT considered personal informat ion about a customer held by a retailer? A. Order history B. Voice recordi ngs from correspondence with the cust omer C. Purchase history D. Top selling products
ANSWER: D. Pers onal information is any information about an identified or identifiable individual. A com pany's top selling products is generally derived from aggregated data that is not considered personal data. All other ans wers described information that would typically uniquely identify an individual and therefore is personal information.
90. Which of the following is NOT a form of communication that can be used as a privacy notice? A. Web pages B. Icons C. Signs D. Product listings with prices
ANSWER: D. Privacy notices may come in many different forms. In fact, any form of communication that reasonably conveys privacy - related in for mat ion may be used to communicate a privacy notice. Web pages, icons, and signs are all forms of commonly used privacy notices. An organization's product listings would not constitute a privacy notice.
42. Which of the following accurately describes the use of public-key cryptography? A. Sender uses recipient's public key to encrypt and receiver uses his public key to decrypt B. Sender uses sender's private key to encrypt and receiver uses sender's public key to decrypt C. Sender uses recipient's private key to encrypt and receiver uses his public key to decrypt D. Sender uses recipient's public key to encrypt and receiver uses his private key to decrypt
ANSWER: D. Pu blic-key cryptography (also called asymmet ric-key crypt ography) uses a pair of keys to encrypt and decrypt content . Each user has a pair of cryptograph ic keys - a public encryption key and a private decryption key. The public key is widely distributed, while the private key is known only to its owner . The keys are related mathematically, but the parameters used to generate the keys are chosen so that calculating the private key from the public key is virtually impossible.
14. The National Do Not Call Registry is primarily enforced by which entities? A. Department of Transportation and FTC B. U.S. Department of Justice and FTC C. Department of Commerce and FCC D. FTC and FCC
ANSWER: D. Pursuant to its au thor ity under the Telephone Consumer Protection Act (" TCPA " ) , the Federal Com municat ion Commission (" FCC") establ ished, together with the Federal Trade Commission ("FTC"), a national Do Not Call Registry in 2003. The registry is nationwide in scope, applies to all telemarketers (with the exception of certain non profit organizations), and covers both interstate and intrastat e telemarketing calls. Commercial telemarketers are not allowed to call you if your number is on the registry, subject to certain exceptions. The FTC and FCC are the primary enforcers of the National Do Not Call Registry.
36. Which of the following are the main reasons why countries adopt comprehensive privacy and data protection laws? A. To secure international approval and com bat online piracy B. To combat online piracy and protect personal freedoms C. To increase the costs of entering into a new market and remedy past injustices D. To remedy past injustices and encourage electronic commerce
ANSWER: D. Remedying past injustices and encourage electronic commerce are two of the main reasons that countries enact comprehensive privacy and data protection laws. Countries also enact com prehensive privacy laws to ensure consistency with other comprehensive regimes, such as the EU and its Data Protection Directive. Securing international approval, combating online piracy, protecting personal freedoms, and increasing the costs of entering into a new market are not the main reasons why countries adopt comprehensive privacy laws.
10. Which one of the following is NOT a primary purpose of the APEC Privacy Framework, which was approved by the APEC ministers in 2004? A. I mprove infor mat ion sharing among government agencies and regulators B. Facilitate the safe tran sfer of information between economies C. Encourage the use of electronic data as a means to enhance and expand busin ess D. Protect individuals from illegal data sharing practices
ANSWER: D. The Asia-Pacific Economic Cooperation ("APEC") Privacy Framework, which is consistent with the OECD's 1980 Guidelines, has the following primar y goals: (1) improve information sharing among government agencies and regulators, (2) facilitate the safe transfer of information between economies, (3) establish a common set of privacy principles, ( 4) encourage the use of electronic data as a means to enhance and expand business, and (5) provide technical assist ance to those economies that have yet to address privacy from a regulatory or policy perspective. Protecting individuals from illegal data sharing is not a primar y purpose of the APEC Privacy Framework.
41. Which of the following is NOT a principle of the Asia-Pacific Economic Cooperation ("APEC") Privacy Framework adopted in 2004? A. Preventing harm B. Notice C. Active enforcement D. Collection limitation
ANSWER: D. The Asia-Pacific Economic Cooperation ("APEC") Privacy Framework, which is consistent with the OECD's 1980 Guidelines, has the following principles: (1) preventing harm, (2) notice, (3) collection limitation, (4) uses of personal information, (5) choice, (6) integrity of personal information, (7) security safeguards, (8) access and correction, and (9) accountability.
67. Which of the following is false regarding European privacy laws? A. European law is based on the tenant that privacy is a fundamental right B. The EU Dat a Protection Directive authorizes transfer of personal data to countries outside the EU if the country provides an adequate level of protection C. The EU Data Protection Directive applies to all sect ors of industry and all types of personal informat ion D. The EU Data Protection Directive substantially increased Switzerland's controls over financial data
ANSWER: D. The EU Data Protection Directive applies to countries of the European Economic Area ("EEA"), which includes all EU countries, and in addition, the non-EU countries I celand, Liechtenstein, and Norway. Switzerland rejected the EEA agreement and therefore is not bound by the EU Data Protection Directive. Switzerland has, however, passed a comprehensive data privacy that has been deemed adequate by the European Com mission.
26. What is the main purpose of the Fair Credit Rep ort ing Act ("FCRA")? A. Enable data reporters to efficiently report valid debts on a consumer's credit report B. Allow employers to quickly access financial data of their employees C. Increase the ability of the government to access consumer reports of suspected criminals D. Increase the accuracy and fairness of credit reporting and to limit the use of consumer reports to permissible purposes
ANSWER: D. The FCRA was originally enacted in 1970 and was more recently updated by the Fair and Accurate Credit Transactions Act of 2003 ("FACTA"). The FCRA applies to consumer reporting agencies ("CRAs"), such as Experian, TransUnion, and Equifax, and to users of consumer reports. The purpose of the FCRA was to increase the accuracy and fairness of credit reporting and to limit the use of consumer reports to permissible purposes, such as for employment purposes and the underwriting of insurance.
72. Which of the following is correct regarding the Gram m - Leach-Bliley Act of 1999 ("GLBA")? A. The Act is based on the permissible purpose approach to privacy B. The Act covers all financial information, including publicly available information C. The Act requires opt-in consent when sharing financial informat ion with unaffiliated third parties D. The Act established a complicated set of privacy and security requirements for all financial instit ut ions
ANSWER: D. The GLBA is based on the fair information practices approach to privacy and not the permissible use approach. The GLBA also does not cover publicly available financial information, and the sharing of financial data with unaffiliated third parties is permitted with opt-out consent. Therefore, answer D is the best choice.
25. The Gram m - Leach-Bliley Act (" GLBA") applies to which organizations? A. All organizat ions that proces s financial data B. Financial organizations with more than 10,000 customers C. All organizations regulated by the Depart ment of Commerce D. Domestic financial institutions
ANSWER: D. The GLBA, also known as the "Financial Services Modernization Act," was enacted in 1999. It applies to institutions that are significantly engaged in financial activities in the United States (also known as " domestic financial institutions"). The GLBA requires domestic financial institutions to, among other things, provide an initial privacy notice when the customer relationship is established (and annually thereafter) and provide opt -out notice prior to sharing non-public personal inform at ion with non-affiliated third parties.
54. Whi ch of following organizations does NOT provide indust ry standard best practices for information securit y? A. I nt ernat ional Organization for Standardization ("ISO") B. National Institute of Standards in Technology ("NIST") C. IT Governance Institute D. Association of Computer Engineers and Technician (" ACET")
ANSWER: D. The ISO, NIST, and IT Governance Institute are all organizations that provide standards for information securit y best practices.
63. The National Advertising Initiative ("NAI") manages a self-regulatory pledge related to which of the following? A. Direct mail marketing B. Commercial email ad vertising C. Sponsored search results D. Online targeted advertising
ANSWER: D. The NAI's Code of Conduct is a set of self-regulatory principles that require NAI member companies to provide notice and choice with respect to Interest-based advertising, and specifically online targeted advertising. Advertising networks which satisfy the NAI principles must provide consumers a choice about whether information collected about them is tracked and used to provide targeted advertising.
87. Which of the following management operations are consistent with lifecycle principles? A. Pseudonymize and aggregation monitoring and enforcement B. Anonymizat ion and aggregation archival and retrieval C. Transfer and encryption monitoring and enforcement D. Management and administration monitoring and enforcement
ANSWER: D. The informat ion lifecycle consists of (1) collection, ( 2) use, (3) disclosure, and ( 4) retention or destruct ion . Associated with the information lifecycle are the management processes needed to effectively implement an organization's information privacy policies and procedures. Specifically, an organization should manage and administer any defined privacy policy, while also monitoring and enforcing compliance with the policy. Without these management related activities, information cannot be adequately protected throughout its lifecycle.
8. Which of the following is NOT generally performed by information security personnel at an organization? A. Enforce compliance with the information security policy B. Communicate the infor mat ion security policy to employees C. Monitor for security incidents D. Develop an overall corporate security strategy
ANSWER: D. While informat ion security personnel can perform a wide range of tasks related to information security at an organization, generally an executive, such as the chief securit y officer, will develop the corporate security policy.