info323 test 3
The "reasonable expectation of privacy" test is
1) the person has an actual expectation of privacy and 2) the expectation is one that society is prepared to recognize as reasonable.
Under the Fair Credit Reporting Act, Consumer Reporting Agencies cannot retain negative information for previous bankruptcies beyond:
10 years.
FERPA mandates that the educational institution must respond to a student's request for access within _____ days.
45
As explained in the Telemarketing Sales Rule, a telemarketer is limited to calling between the hours of:
8am and 9pm, local time.
Some states have security breach notification requirements. For those that do, what general information must the breach-of-personally-identifiable-information notification letter to those individuals include?
A brief description of the incident, the type of information involved, and a toll-free number for answers to questions.
If a company located in Massachusetts maintains all of its employees' personal information in a hosted online database in Florida, what must the third-party service provider agree to?
A confidentiality provision.
An employer can discriminate in their hiring if it is not discriminating against a protected class of citizen. Which person is protected?
A disabled, gay, Latino, Christian, female veteran.
What types of educational records are not covered by FERPA?
Alumni.
What should a U.S.-based organization do before it shares personal information with a U.S.-based third party?
Assure appropriate privacy terms and conditions are included in a contract with the third party.
What must be included in a privacy impact assessment?
C. The attributes of the data collected.
What is an example of passive data collection on a website?
C. Web beacon.
Which of the following examples best illustrates the concept of "consumer report" for pre-employment screening as defined under the U.S. Fair Credit Reporting Act?
Driving history obtained from an information aggregator.
What US Federal Law prohibits a company from accessing its employees' email when it is stored on the company's server?
No such law exists.
The Do Not Call rules apply for all companies except:
Nonprofits calling on their own behalf.
Which two actions are required under the Fair Credit Reporting Act in order for an employer to obtain a consumer report on a job applicant?
Obtain applicant's written consent and provide applicant with a copy of the credit report before taking an adverse action.
The Children's Online Privacy Protection Act of 1998 applies to all of the following entities except:
Operators of commercial websites directed to children under the age of 14.
What is the lowest legal standard to obtain private information?
Pen register.
The Family Educational Rights and Privacy Act of 1974 (FERPA) gives students rights for all but the following:
Private right of action under FERPA
A QPO prevents certain PII from being disclosed to the public. What does QPO stand for?
Qualified protection order.
Controlling the Assault of Non-solicited Pornography and Marketing Act of 2003, amended in 2008, has penalties that include all the following except:
Restraining order.
What is the basis of common law?
Social customs and expectations.
A U.S. citizen, Ima Degenerate, starts a company that produces and publishes child pornography on an internet website. The government obtains a subpoena and prior notice to intercept the systems' content. Mr. Degenerate argues that the government didn't obtain a search warrant. The government wins by what action?
Third Party Doctrine
What is one reason consent decrees are posted publicly on the FTC website?
To provide guidance about what practices the FTC finds inappropriate.
As it pertains to risk, where can the privacy vulnerabilities be easily found?
When you create the data flows.
What is the correct process for building an information management privacy program?
Whether counsel for both parties are based in the U.S.
The White House Report published in 2012 defines the "Consumer Bill of Rights" to include what commercial uses of personal data (check all that apply): a. individual control. b. transparency. c. respect for context. d. security. e. access and accuracy. f. focused collection. g. accountability. h. privacy by design. i. simplified consumer choice. j. promoting enforceable self-regulatory codes.
a. individual control. b. transparency. c. respect for context. d. security. e. access and accuracy. f. focused collection. g. accountability.
For the FTC to consider a practice "unfair" it must meet which of the following criteria: (Mark all that are required) a. it must be a practice that consumers cannot reasonably avoid. b. it must involve residents from multiple states. c. it must be without offsetting benefits. d. the injury caused must be substantial
a. it must be a practice that consumers cannot reasonably avoid. c. it must be without offsetting benefits. d. the injury caused must be substantial
What three areas did the FTC emphasize in their 2012 report, "Protecting Consumer Privacy in an Era of Rapid Change?" (Select all that apply) a. transparency. b. self-regulation. c. privacy by design. d. data classification. e. simplified consumer choice.
a. transparency. c. privacy by design. e. simplified consumer choice.
FERPA allows disclosure of PII for the following: (Check all that apply) a. to determine financial aid eligibility. b. to another educational institution for enrollment. c. to comply with a judicial order. d. if disclosure is to the alleged victim of a forcible or nonforcible sex offense. e. to school officials who have a "legitimate and educational interest" in the records. f. to appropriate parties in connection with a "health or safety emergency" to protect the student or others.
all apply
The Privacy Rights Clearinghouse tracks all breaches and categorizes each into what 8 areas? (Check all that apply) a. physical loss b. insider. c. unintended disclosure d. stationary devices. e. payment card fraud. f. portable devices. g. unknown. h. hacking or malware.
all apply.
The Fair and Accurate Credit Transactions Act (FACTA) gives consumers all of the following rights, EXCEPT: a. Free credit reports every year. b. Opt-in for CRAs' use of data for their marketing purposes. c. Federal law preempts states' law. d. Truncated or redacted information on reports and receipts.
b. Opt-in for CRAs' use of data for their marketing purposes.
Carriers can only use Customer Proprietary Network Information (CPNI) if (check all that apply): a. the customer opts-out. b. as required by law. c. the customer opts-in. d. express customer approval.
b. as required by law. c. the customer opts-in. d. express customer approval.
An employer can do all but which of the following: a. require drug testing before and during your employment. b. access personal emails stored on company servers. c. record your movements with video and audio using closed circuit TVs. d. open personal mail delivered to the company.
c. record your movements with video and audio using closed circuit TVs.
What are the Consumer/User preferences for privacy used in the U.S.? a. double opt-in b. opt-in. c. opt-out. d. no option. e. all of the above.
e. all of the above
According to the Right to Financial Privacy Act, the government cannot access a person's financial records unless the request is reasonably specific and what condition is met? a. the customer authorizes access. b. the records are subject to a subpoena or search warrant. c. there's an appropriate written request from an authorized government authority. d. a or b, above. e. none of the above. f. any of the above
f. any of the above.
The act of video monitoring of the workplace is likely to survive a legal challenge under U.S. law provided that
monitoring is limited to "non-private" areas of the workplace.
Bank Secrecy Act of 1970 requires financial institutions to file reports of cash purchases of negotiable instruments of more than what amount?
$10,000 US dollars.
The National Do Not Call Registry violations have civil penalties up to what amount per violation?
$16,000
Which investigative tactic requires probable cause and other requirements, such as that alternative means of acquiring the evidence have been exhausted?
A telephone wiretap.
What is a first-party cookie?
A. A cookie that is set and read by the web server hosting the website the user is visiting.
What is the correct definition of a privacy policy?
A. An internal statement that governs an organization's handling practices of personal information.
Under the US Children's Online Privacy Protection Act (COPPA), which of the following is FALSE?
A. COPPA provides complete preventive measures against the potential abuse of children's personal information online.
What types of laws are designed to restrict access to financial information?
A. Credit monitoring laws.
Which threat to online privacy includes malicious code that is unwittingly incorporated into a website's own source code?
A. Cross-site scripting.
Data confidentiality, Data Availability, and what other attribute comprise the three key attributes of information auditing and monitoring?
A. Data integrity.
Which is NOT a method used for combating spam?
A. Encryption.
Which new data element with new privacy-related issues has emerged in the telecommunications sector?
A. Location.
What safeguards should be implemented under the Gramm-Leach-Bliley Act (GLBA) to protect data?
A. Monitor and implement test controls internally and with third parties.
What is an XML document-formatted, machine-readable method for producing online privacy policies?
A. P3P.
Which measures have been adopted by major search engine firms to address privacy concerns specific to search technologies?
A. Searches are anonymized after a defined period of time.
Which standard web protocol allows for a peer's identity to be authenticated prior to a connection being made?
A. Secure Sockets Layer.
Two of the four categories of data protection and privacy law and practices are informational privacy and
A. Territorial privacy
What is provided in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms?
A. The right to respect for an individual's privacy and family life.
Which is a concept provided for in the 1973 Code of Fair Information Practices?
A. There must be a way for a person to access and correct or amend a record of identifiable information.
Use of a smart card would be identified as what type of safeguard?
A. Two-factor authentication.
Role-based access controls are based on what basic security principle?
B. Access should be granted to employees on the basis of the lowest possible level.
Which of the following requires libraries and schools receiving Federal funds to regulate access by minors (under 17) to "harmful" speech on the Internet?
B. CIPA
Which human resources data element is not generally considered personal data?
B. Department assignment.
What is the purpose of Transmission Control Protocol?
B. Enables devices to establish a connection and exchange data.
What is NOT a privacy risk raised by the use of smart grid technology?
B. Energy use could increase due to continuous monitoring by energy companies.
In "phishing" which practices are used to collect personal information?
B. Fake e-mails contain links to websites that only appear to be genuine and request personal information.
Which of the following is (are) considered personal information in the EU? (Check all that apply)
B. IP address
Most security breaches occur during the ______ of the information life cycle.
B. Storage and destruction
Which jurisdiction limits its privacy protections to those established only by sector-specific statutes?
B. United States.
According to the Asia-Pacific Economic Cooperation privacy principles, individuals must be able to do all of the following except
B. access the personal information of the personal information controller.
Which is NOT an example of privacy notice?
C. A spreadsheet containing specific product names and general
What kind of information security control is an incident response procedure?
C. Administrative control.
What is the definition of a data controller?
C. An entity that holds personal data and determines the purpose of use.
Which of the following is (are) the standard(s) for IS security and controls? (Check all that apply)
C. ISO 27001 D. NIST
Which of these elements may be considered personal information?
C. Information about a company's leads or prospects.
The use of personal information should follow what primary principle?
C. Personal information should be limited to the purposes identified in the notice.
Under Mexico's Federal Data Protection law, what is required for cross-border data transfers?
C. Receiver assumes the same responsibilities as the transferring person.
Which statement is NOT true under Personal Information Protection and Electronic Documents Act (PIPEDA)?
C. The Canadian privacy commissioner only investigates complaints regarding public companies.
Which statement is considered a best practice regarding information security governance?
C. Ultimately, security is about people
According to the EU Data Protection Directive, what three elements are essential characteristics of consent?
D. A freely-given, specific and informed indication.
Which was the first Latin American country to grant citizens the right to access their personal information?
D. Brazil.
Which model is used for privacy protection in the European Union?
D. Comprehensive model.
A privacy notice does NOT relate to which principle of the information lifecycle?
D. Monitoring and enforcement.
Which international organization published a set of privacy principles entitled "Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data"?
D. Organisation for Economic Cooperation and Development.
An internal statement for users of personal information that defines the handling practices of the personal information is known as:
D. Privacy policy
What are the three main sources of personal information?
D. Public records, publicly available information and non-public information.
Which characteristic completes the following list of the five essential characteristics of cloud computing: on-demand self-service, broad network access, measured service, rapid elasticity and:
D. Resource pooling.
What is NOT a best practice for organizations managing a social media page?
D. Support anonymous positive posts by employees on the organization's social media page to help offset negative posts by customers.
Which country had opted NOT to join the European Economic Area but passed its own omnibus privacy legislation?
D. Switzerland.
Safe Harbor violations are enforced by the Federal Trade Commission and what other government department?
D. The U.S. Department of Transportation
Effective security risk management balances the potential for loss with what cost?
D. The cost of security protection and management.
The two sector-specific privacy regulations enforced in the United States are the Gramm-Leach-Bliley Act and
D. the Health Insurance Portability and Accountability Act.
What is the role of a U.S.-based Software-as-a-Service provider that stores employee personal data for a global company headquartered in the U.S. with subsidiaries in the EU?
Data processor.
In terms of data breaches, most problems occur at the:
Disposal Stage
Under the Children's Online Privacy Protection Act, which is an accepted means for an organization to validate parental consent when it intends to disclose a child's information to a third party?
E-mail a consent form and the parent can provide consent by signing and mailing back the form.
An employer can ask for and can receive your password to your social media accounts.
FALSE
Cyber insurance is necessary for corporations to establish an incident response plan.
FALSE
Search warrants can be issued for both civil and criminal cases.
FALSE
The Federal Trade Commission can bring actions against "unfair and deceptive" acts and "abusive acts and practices."
FALSE
The Protection of Pupil Rights Amendment (PPRA) applies to elementary, secondary and postsecondary schools.
FALSE
There are Federal laws that protect employee's emails from being accessed by their employer, if they are stored on the company's server.
FALSE
Trap & trace devices record the phone numbers that you call, while pen registers record the numbers that call you.
FALSE
Per FERPA, even if the student gives consent, the parents cannot see the educational records of the student.
FALSE.
Which federal agency has specific statutory responsibility for issues such as children's privacy online and commercial e-mail marketing and played a prominent role in the development of U.S. privacy standards?
Federal Trade Commission
Which statement is true about the requirements under the U.S. Gramm-Leach-Bliley Act (GLBA)?
Financial institutions can share customer information with non-affiliated third-party companies without obtaining an opt-in from the customer.
All of the following are considered acceptable methods for U.S.-based multinational transportation companies to achieve compliance with the EU Data Protection Directive except:
Global consent.
In criminal cases, the plaintiff is the ______.
Government.
What does HIPAA stand for and who does it apply to?
Health Insurance Portability and Accountability Act, covered entities.
Most security issues on an end user's laptop or desktop are classified as what type of error?
Id10t (idiot)
What was the first case where the US Safe Harbor rules were enforced?
In the Matter of Google, Inc.
Disclosures by law are divided into required, permitted and forbidden. What is the best example of each?
Required: Discovery for litigation. Permitted: HIPAA PHI required by law. Forbidden: Attorney-client privilege.
The Video Privacy Protection Act of 1998 was passed because of the publishing of what Supreme Court nominee's video rentals?
Robert Bork
The PATRIOT Act of 2001 passed by President Bush had many provisions that were extended in 2011 by President Obama. What provisions were extended?
Roving wiretaps, searches of business records, and surveillance of "lone wolves."
A privacy professional for a company is responsible for assessing risks for all the following EXCEPT: Reputational. Legal. Investment. Operational. Safety.
Safety.
What are the key questions that would help determine privacy risk? (Select all that apply) a. Where, how and for what length of time is the data stored? b. How sensitive is the information? c. Should the information be encrypted? d. Will the information be transferred to or from other countries, and if so, how will it be transferred? e. Who determines the rules that apply to the information? f. How is the information to be processed, and how will these processes be maintained? g. Is the use of such data dependent upon other systems?
Select all.
The loss of names and what other data point would require an employer to notify affected individuals?
Social Security Numbers
What does the U.S. legal concept of "preemption" mean?
States are prevented by federal law from enforcing laws that impose different or stricter laws in the same area.
FERPA applies to all educational institutions that receive federal funding.
TRUE
The Children's Online Privacy Protection Act has no private right of action but states may bring civil action for COPPA violations.
TRUE
The Dodd-Frank Wall Street Reform and Consumer Protection Act established enforcement actions against "abusive acts and practices."
TRUE
The FCC in 2012 amended rules to allow health care related entities governed by HIPAA to use robocalling.
TRUE
The contents of your telephone conversation are protected, but not the dialing information.
TRUE
There are 9 exemptions to the PATRIOT Act.
TRUE
The tort of "intrusion upon or on seclusion" is a cause of action that arises out of which sector?
Telemarketing.
What does the "red flags rule" require of financial institutions?
That they develop and implement methods of detecting identity theft.
Under the USA PATRIOT Act and its amendments, which statement is not correct?
The Act was part of the Dodd-Frank Wall Street Reform and Consumer Protection Act.
The Federal law that forced telecommunications, wire carriers, broadband and voice over IP carriers to have built-in mechanisms for law enforcement to use for criminal cases is called what?
The Communications Assistance for Law Enforcement Act (CALEA)
In addition to the Security Rule, what other rule was promulgated by Health and Human Services and mandated by the Health Insurance Portability and Accountability Act?
The Privacy Rule
The "Digital Telephony Bill" is another name for which legislation?
The U.S. Communications Assistance to Law Enforcement Act.
Which condition must be met to satisfy the Right to Financial Privacy Act requirements for disclosure of individual records by financial institutions?
The financial records are reasonably described.
Which overarching law covers employment privacy in the U.S.?
There is no such law.
According to the Hague Evidence Convention, in trans-border conflicts of laws regarding privacy and evidentiary discovery,
U.S. conflict of laws rule over foreign laws.
Which statement is true regarding transfers of personal information to locations outside of the U.S.?
U.S. laws generally do not restrict geographic transfers of personal information.
According to the HITECH Act of 2009, when does a company have to disclose a breach of PI to the Dept. of Health and Human Services?
When the breach is >500 people.
In terms of U.S. employees' workplace privacy rights, all of the following are acceptable monitoring techniques available to employers except
secret surveillance
Security laws in the U.S. states often restrict
the display of Social Security numbers on identification cards.