ITN 267
There are ______regional Federal Reserve Banks, which serve different geographic districts.
12
COBRA benefits generally last a maximum of:
18 months
To be COPPA-compliant, a privacy policy must provide "assurance that participation is not conditioned on data collection." Which of the following statements offer the best explanation of this criterion?
A Web site can't require children to submit contact details in order to be allowed to use the site. Web sites are not allowed to collect more information than necessary for a child to participate in an activity.
Which of the following statements does not apply to credit unions?
A credit union must have a three-member board of directors.
HIPAA's _____________________ provisions are designed to encourage "the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information."
Administrative Simplification
The District of Columbia and 45 states have enacted breach notification laws, which require an organization to notify state residents if it experiences a security breach that involves the personal information of the residents. Which group of four states does not have a breach notification law?
Alabama, Kentucky, New Mexico, and South Dakota
Which of the following correctly summarizes an employer's right to monitor telephone conversations?
An employer has right to monitor telephone conversations in the ordinary course of business without a court order.
___________________ allows employees and their families to continue health coverage when they lose or change a job.
COBRA
Which of the following is a true statement regarding COPPA and CIPA rules?
COPPA defines a minor as anyone under the age of 13 years, while CIPA defines a minor as someone under the age of 17 years.
The Payment Card Industry Security Standards Council (PCI Council) is made up of representatives of the major credit card companies. The major credit card companies are also called credit card brands. Which of the following is not one of the major brands?
Chase Bank
Collection and use of a child's personal information, such as name, e-mail address, or social security number, by a Web site operate is governed by:
Children's Online Privacy Protection Act (COPPA)
In 2013, a social media company paid $800,000 to settle charges with the Federal Trade Commission (FTC). The company had an application that allowed children to create journals and share those journals online. Children could also post photos and share location information. The company collected the birth dates of 3,000 children before getting parental permission. The FTC alleged that the company violated which of the following?
Children's Online Privacy Protection Act (COPPA)
The ________________________ protects the personal information of children online.
Children's Online Privacy Protection Act (COPPA)
____________ is demonstrated by the processes and procedures that an organization uses to meet the law.
Compliance
______________ means that only people with the right permission can access and use information.
Confidentiality
_______________ governs the prosecution of those charged with serious offenses against public order, such as murder.
Criminal law
Which of the following is not included the Electronic Communications Privacy Act?
Driver's Privacy Protection Act
In which of the following areas of the workplace is an employee most likely to have a reasonable expectation of privacy?
Employee lounge
Which of the following was enacted by Congress in response to growth in identity theft crime?
Fair and Accurate Credit Transaction Act (FACTA) of 2003
A company that created virtual online gaming worlds agreed to pay $3 million in 2011 to settle charges with the FTC. The FTC alleged that the company improperly collected and disclosed the personal information of thousands of children without parental consent. This is the largest civil penalty so far in a Children's Internet Protection Act (CIPA) action. T or F
False
A contract tells an organization how it must act and the consequences for failing to act properly. T or F
False
A covered entity is required, upon a person's request, to correct data in the person's PHI. T or F
False
A keystroke logger is harmful code intentionally left on a computer system. It lies dormant for a certain period, and when specific conditions are met, it "explodes" and carries out its malicious function. T or F
False
All information—no matter how sensitive—should have the extensive protection of safeguards. T or F
False
Because torts are a part of the law, somebody who steals your identity will be prosecuted whether or not you press charges. T or F
False
Before the PCI Council was formed, all major credit card companies shared the same security requirements that applied to the credit cards that they issued. T or F
False
Citizens and members of the legal profession are all bound by the terms of the common law. T or F
False
First-party cookies are set by one Web site but readable by another site, and third-party cookies are exchanged between a user's browser and the Web site the user is visiting. T or F
False
In situations when a covered entity may use or disclose PHI to the extent that it's required by law, the covered entity may only do so in response to a subpoena issued by a grand jury. T or F
False
Individual consumers are the targets of hackers far more often that financial institutions. T or F
False
Passive data collection practices are obvious to the customer, whereas active data collection happens secretly and may use devices such as cookies and Web beacons. T or F
False
Patches exacerbate vulnerabilities, because they merely mask problems but do not offer solutions. T or F
False
Phishing is a form of Internet fraud in which attackers sift through trash to discover personal information. It's an issue because individuals and organizations dispose of personal information in unsecure ways. T or F
False
Private, personal information may become public under the Freedom of Information Act. T or F
False
The American Library Association and the American Civil Liberties Union sued the U.S. government. They claimed CIPA violated the free speech rights of adults. In 2002 the U.S. District Court for the Eastern District of Pennsylvania agreed that CIPA violated First Amendment rights. The U.S. District Court said that the government could not enforce CIPA. The U.S. government appealed that decision, and the lawsuit went to the U.S. Supreme Court. In United States et al. v. American Library Association, Inc. et al. in 2003, the U.S. Supreme Court struck down the law as unconstitutional. T or F
False
The C-I-A triad refers to the way that the Central Intelligence Agencies classifies sensitive information. T or F
False
The Constitution specifies the basic lawmaking process. A bill is the initial draft of a potential law. Only one chamber of Congress needs to approve the bill, and the president must sign it before it becomes a law. T or F
False
The DSS offers a single approach to safeguarding sensitive cardholder data for all credit card issuers. It recommends 12 basic categories of security requirements that should be followed in order to protect credit card data. T or F
False
The FCC rules specifically state that the U.S. federal government may establish the criteria for making a determination that a filter is CIPA compliant. T or F
False
The FDIC insures deposit accounts in the event of bank failure. If a bank fails, the FDIC returns the money that a customer put in the bank, no matter how great or small the amount. T or F
False
The FTC enforces GLBA for any financial institution that isn't regulated by one of the other agencies. Like the other agencies, the FTC may bring an action against any financial institution that doesn't comply with GLBA. The FTC rarely pursues GLBA enforcement actions. T or F
False
The Federal Communications Commission (FCC) mandates that a TPM should be 100 percent effective. This effectiveness is determined by the CIPA and the FC. T or F
False
The HHS said that the Privacy Rule has two main purposes: 1) to allow consumers to control the use of their health information (including providing consumers with a way to access their health information) and 2) to improve health care in the U.S. by restoring consumer trust in the health care system. T or F
False
The O.J. Simpson criminal and civil trials illustrate the basic difference between criminal and civil law, because O.J. Simpson was found "guilty" of murder in the criminal case, and he was found not liable in the civil case. The reason for the apparently inconsistent results is that the murder case was in the criminal system and the wrongful death case was a civil action. T or F
False
The Patriot Act made three major changes to the Electronic Communications Privacy Act (ECPA), and as a result, electronic communications privacy has greater government protections. T or F
False
The Supreme Court has exclusive original jurisdiction to decide cases about disputes between state governments and exercises this original jurisdiction with frequency. T or F
False
The Supreme Court is under obligation to review a decision from the U.S. Court of Appeals, as guaranteed by the writ of certiorari. T or F
False
The United States Code is the United States' comprehensive data privacy law. T or F
False
The United States has one comprehensive data protection law and relies on the Federal Trade Commission (FTC) to ensure compliance. T or F
False
The domain of Telecommunications and Network Security describes how to protect information systems resources during their normal operational state. It includes items such as vulnerability management and incident response activities. T or F
False
The following is an example of an inadvertent disclosure: a patient going to a hospital to pay a bill briefly views another patient's payment information on the billing clerk's computer monitor. The first patient can see this information only briefly before the clerk accesses the patient's own record. T or F
False
The portrayal in a false light involves appropriating, or taking, an individual's name or likeness without their consent. T or F
False
While each federal district court also has its own bankruptcy court. The Constitution gives state governments the sole power over bankruptcy law. T or F
False
While external and internal attackers are both deliberate threats, only internal attackers seek to embarrass an organization. T or F
False
The Family Policy Compliance Office (FPCO) provides oversight for the ____________________.
Family Educational Rights and Privacy Act (FERPA)
The _________________ requires schools to protect students' records.
Family Educational Rights and Privacy Act (FERPA)
The purpose of the ______________________ is to address financial uncertainty and provide the nation with a more stable economy.
Federal Reserve System
The mission of the _____________________ is to protect consumers and to make sure that business is competitive by eliminating practices harmful to business.
Federal Trade Commission FTC
Some people believe that COPPA requirements violate freedom of speech without censorship guaranteed by the ______________ Amendment.
First
Which of the following U.S. Constitution amendments contribute to the right of privacy?
First, Third, and Fourth Amendments
Which Act established the public's right to request information from federal agencies?
Freedom of Information Act
____________________ forbids a new employer's health plan from denying health coverage for some reasons and prohibits discrimination against workers based on certain conditions such as pregnancy.
HIPAA
Which of the following is true about COBRA and HIPAA?
HIPAA regulates discrimination based on health history while COBRA ensures health coverage continues.
What is the purpose of Executive Order 13526?
It describes rules for using and a system of for classifying national security information.
Which of the following is a true statement about the Court of Appeals?
It's court of appellate jurisdiction & it does not review the facts of a case or additional evidence.
A _____________ is a method of controlled entry into a facility and provides access to secure areas such as a research lab or data center.
Mantrap
Which of the following statements summarizes why the window of vulnerability is shrinking?
More people are interested in information security, and have developed the skills to find new vulnerabilities.
Based on the descriptions given, what film does NOT exemplify the concept of social engineering?
Office Space: Three friends and disgruntled coworkers at a tech company discover that the company's accounting system has a computer glitch that calculates certain financial information to six decimal points, but only records the first two decimal points in the accounting files and then regularly discards the remaining fractions of pennies. When the trio learns their jobs are in jeopardy, they create a computer program that diverts the discarded fractions of pennies into a bank account they share. They believe that the company will continue to pay them in installments small enough that the company will never notice but that will lead to a very large amount of money over time.
____________ is the practice of tracking a user's actions on the Internet in order to create a user profile.
Online profiling
A merchant of an e-commerce Web site wants to accept credit cards as a form of payment. Which of the following must the merchant follow to ensure the safety of those payments?
PCI DSS
Which of the follow is not one of the rights that parents are guaranteed under COPPA?
Parents will be notified by a Web site if is collecting an e-mail address to respond to a one-time request from a child.
In which of the following types of communication is phishing least likely to occur?
Phone calls
What is PIA?
Privacy Impact Assessment
Which statement about privacy is NOT true?
Privacy means that a person can specify the collection, use, and sharing of their data.
Required by the Fair and Accurate Credit Transaction Act of 2003 (FACTA), which of the following is an anti-identity theft rule created by federal bank regulatory agencies (the Fed, FDIC, OTS, OCC, and NCUA) and the FTC?
Red Flags Rule
_______________ is the process of reviewing known vulnerabilities and threats.
Risk Analysis
In November 2004, the FTC filed a complaint against Nationwide Mortgage Group, Inc. In its complaint, the FTC stated that Nationwide collected sensitive customer information, but that it had no policies and procedures in place to protect that information. It also stated that Nationwide failed to monitor its computer network for vulnerabilities that would expose stored customer information to attack. Which of the following rules did the Nationwide violate?
Safeguards Rule
Which Gramm-Leach-Bliley Act rule requires federal bank regulatory agencies, the SEC, and the FTC to issue security standards for the institutions that they regulate?
Safeguards Rule
In what ways can you classify safeguards?
Safeguards can be classified by how they work or how they act.
The HIPAA ______________________ states how covered entities must protect the confidentiality, integrity, and availability of electronic personal health information.
Security Rule
All of the following are ways to protect confidentiality except:
Shoulder surfing
Which of the following is not a true statement?
State constitutions are nearly identical versions of the U.S. Constitution.
_____________________ are tools that filter offensive content.
Technology protection measures (TPM)
The doctrine of precedent is one of the most important traditions in the American legal system. Which of the following statements accurately summarizes how the Plessy v. Ferguson (1896) and Brown v. Board of Education (1954) cases dramatically illustrated how precedent can change and how changing precedent can have a significant impact on society?
The Brown decision was remarkable because the Court departed from the precedent set in Plessy. In fact, the Court specifically rejected the reasoning that it had used to support its decision in Plessy. Brown established new legal precedent that separate but equal laws are unconstitutional.
Which of the following is true about U.S. Supreme Court justices?
They are nominated by the president.
A Web beacon is a small, invisible electronic file that is placed on a Web page or in an e-mail message. It counts users who visit a Web page. T or F
True
A limited data set is PHI that doesn't contain any data that identifies a person. T or F
True
A major privacy concern of social networking includes information sharing. T or F
True
A material change is a significant change in an organization's operating practices. Material changes can affect how people understand their rights or interact with an organization. T of F
True
An Internet safety policy must educate minors about appropriate online behavior. This includes how to use social networking Web sites and chatrooms safely. The policy must include information on how to recognize cyberbullying. It also must tell minors how to respond to cyberbullying. T or F
True
Appellate jurisdiction is the power of a court to review a decision made by a lower court T or F
True
As defined by HIPAA, the term "covered entities" means: health care providers, health care clearinghouses, and health plans that transmits certain types of health information in electronic form. T or F
True
Biometric data is considered personally identifiable information. T or F
True
CIPA has two main requirements. The first is that schools and libraries that accept E-Rate funding must implement technologies that filter offensive visual content so that minors don't access it. The second requirement is that schools implement an Internet safety policy. T or F
True
COPPA has several rules for getting parental consent. One of them is that the parent's consent is required to collect, use, or disclose the child's information. The notice must state that the operator will not collect, use, or disclose the child's information without parental consent. T or F
True
Confidential describes information that could cause damage to U.S. security if disclosed to an unauthorized person. This is the lowest data classification level. T or F
True
Covered entities must keep records of how they disclose a person's PHI. Under the Privacy Rule, a person has the right to receive an accounting of how the covered entity has used or disclosed the person's PHI. T or F
True
FERPA requires schools to provide an annual notification to students and parents. This notice lets parents and eligible students know what their FERPA rights are. The annual notification also must state how to file a complaint with the Department of Education if the school violates any of FERPA's provisions. T or F
True
Federal courts can hear only the following kinds of cases: 1) Disputes regarding federal laws or constitutional issues and 2) Disputes between residents of different states where the amount of money in controversy is greater than $75,000. T or F
True
Health care operations are actions that support the covered entity's business. T or F
True
Identity Theft Prevention Programs are required to detect, prevent, and mitigate identity theft in covered accounts. The written program must address both new and existing covered accounts. T or F
True
In 1973, the U.S. Supreme Court decided that for material to be identified as "obscene," it must meet three conditions: 1) appeals predominantly to prurient interests—prurient indicates a morbid, degrading, and unhealthy interest in sex; 2) depicts or describes sexual conduct in a patently offensive way, and 3) lacks serious literary, artistic, political, or scientific value. T or F
True
In general, a covered entity may disclose PHI to certain governmental entities without consent for certain purposes that include, but are not limited to, the following: to provide vital statistics, to control communicable diseases, and to report abuse and neglect. T or F
True
In the federal system, intermediate appellate courts are called the U.S. Courts of Appeals. There are 13 Courts of Appeals. The 94 district courts are grouped into 12 geographical circuits. T or F
True
Nonpublic personal information (NPI) is personally identifiable financial information that a consumer gives to a financial institution. NPI also includes private information that an institution gets from other sources. It includes lists or descriptions of consumers that are prepared by using this kind of information. T or F
True
Organizations have a number of options for responding to risk, which include risk avoidance, risk mitigation, and risk transfer. T or F
True
Physical safeguards are actions that an organization takes to protect its actual, tangible resources. They keep unauthorized individuals out of controlled areas. T or F
True
Pretexting, which is also known as social engineering, is the act of trying to gain access to customer information without proper authority to do so. T or F
True
Schools are required to make and provide copies of the educational records in special circumstances. If a parent does not live within commuting distance to the school and cannot come to the school to inspect the records, then the school must provide the parent with copies. T or F
True
States usually have two appellate courts: a state intermediate appellate court and a state supreme court. States usually have both types of courts. T or F
True
Subject matter areas of law are areas in which an attorney might specialize, and procedural law deals with the processes that courts use to decide cases. T or F
True
The Drug Abuse Prevention, Treatment, and Rehabilitation Act of 1980 protects patient information about alcohol or drug abuse. This law applies to any federally assisted alcohol or drug abuse treatment program, and it states that these programs may not disclose patient information without consent. T or F
True
The Federal Financial Institutions Examination Council (FFIEC) promotes uniform practices among the federal financial institutions. Its purpose is to: 1) establish principles and standards for the examination of federal financial institutions; 2) develop a uniform reporting system for federal financial institutions; 3) conduct training for federal bank examiners; 4) make recommendations regarding bank supervision matters, and 5) encourage the adoption of uniform principles and standards by federal and state banks. T or F
True
The Gramm-Leach-Bliley Act requires financial institutions to protect consumer financial information by complying with the Privacy Rule, the Safeguards Rule, and the Pretexting Rule T or F
True
The National Bank Act of 1864 established the national banking system in the United States. The Act still governs U.S. national banks even though Congress has updated it many times since 1864. T or F
True
The PCI Council was formed in 2006 to create safeguards designed to protect credit card data. Any merchant or service provider who accepts credit cards must follow the safeguards. T or F
True
The Tenth Amendment says, "The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people." T or F
True
The U.S. Supreme Court is the final source of authority for issues involving U.S. federal laws. T or F
True
The three conditions for defining obscenity are known as the Miller test. T of F
True
Threats fall into four categories: Human, Natural, Technology and Operational, and Physical and Environmental. T or F
True
Types of information that most people consider private include financial information, health information, and criminal history data. T or F
True
Under the Fair Credit Reporting Act of 1970 (FCRA), consumers can stop financial institutions from sharing their credit report or credit applications with affiliates. T or F
True
Under the Privacy Rule, there are only two situations in which a covered entity must disclose PHI: 1) when a person requests access to his or her PHI, and 2) when a person requests that their PHI be sent directly to a third party. T or F
True
How might the average person use cookies in a beneficial way?
You save an image of a relaxing, cloud-filled sky that appears every time you log-on to your Twitter account.
What is the ISO/IEC 27002?
a reference guide for standardized computing practices for large organizations
The 2006 U.S. Federal Trade Commission (FTC) alleged that Zango, Inc., an Internet marketing company, had used unfair and deceptive methods to download _____________ onto computers.
adware
In the legal system, compliance is the action of following applicable laws and rules and regulations. Which of the following processes would not be used to demonstrate compliance:
allowing employees in an organization to create policies for self-governance documents to comply with legal or regulatory requirements at the employees' discretion
Which of the following must be protected per PCI DSS requirements?
an e-commerce Web server
Which of the following roles is not included in the domain of a creditor?
collects payment in arrears
What is a small string of text that a Web site stores on a user's computer?
cookie
All of the following are true statements about the American legal system except:
decisions by each branch of government may be overturned by administrative agency courts
Schools may make the following type of disclosure without obtaining parental or student consent:
disclosure of any information to any school official with a need to know
A covered entity doesn't have to account for every PHI disclosure that it makes. The Privacy Rule states that some kinds of disclosures don't have to be included in an accounting. Any disclosure not specifically excluded must be included and tracked. Which of the following disclosures does not need to be tracked?
disclosures made to carry out treatment, payment, and health care activities
The three branches of the federal government are:
executive, legislative, and judicial
The Florida A&M case illustrates which of the following about safeguards?
how safeguards protect the integrity of computer systems
FERPA applies to any education agencies or institutions that receive funding from the U.S. Department of Education (ED). Which of the following in not an educational agency or institution?
non-profit organizations that offer educational programs
COPPA requires Web site operators collecting information from children to:
obtain parental consent
Audits are ___________ performed by independent organizations.
occasionally
Which of the following parties is not among those who would share an individual's health information?
potential employers
With respect to protected health information, HIPAA:
prohibits state laws that are contrary to HIPAA
PHI refers to:
protected health information
Which of the following is not true about the Consolidated Omnibus Budget Reconciliation Act of 1986?
requires former employers to continue paying health insurance premiums for a minimum of one year
All of the following are characteristics of HIPAA except:
requires that employers offer health coverage
Which of the follow is not a method that web site operators can use to distinguish children from adults?
requiring a name and address
___________________ is used to assess the vulnerabilities and threats that could harm electronic protected health information (EPHI).
risk analysis
According to the federal Administrative Procedure Act, an agency is any governmental authority besides Congress and the courts. Which function does not fall under the category of what an agency does?
sets precedents
The separation of duties principle requires which of the following practices?
that two or more employees must split critical task functions so that no employee knows all of the steps of the critical task
Online Privacy Alliance (OPA) is an organization of companies dedicated to protecting online privacy. Members of OPA agree to create a privacy policy for a customer that is easy to read and understand. Which of the following provisions is not included in the policy?
the option of choosing who sees the data
Which of the following statements best captures the function of the Federal Trade Commission (FTC)?
to promote consumer protection and eliminate practices that are harmful to competitive business
A ______________ is some kind of wrongful act that harms or hurts a person.
tort
