Happy Cyber Monday!
In honor of Computer Security Day (which was Saturday), we have a quiz designed to test your grasp of key laws, regulations, and best practices that keep your personal, financial, and sensitive information safe.
Ready? Here we go:
No. 1: Which federal law governs the protection of health information and requires health care providers to implement security measures?
- A. Gramm-Leach-Bliley Act
- B. Health Insurance Portability and Accountability Act
- C. Fair Credit Reporting Act
- D. Sarbanes-Oxley Act
Answer: B. HIPAA covers health care providers, health plans, health care clearinghouses, and their business associates. Protected health information includes any information in a medical record or designated record set that can identify an individual and that was created, used, or disclosed by a covered entity in the course of providing health care. The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic protected health information.
No. 2: The General Data Protection Regulation is a law that requires organizations to protect personal data and privacy. In which part of the world does it apply?
- A. United States
- B. Canada
- C. European Union
- D. Asia-Pacific
Answer: C. The GDPR regulates how organizations handle the personal data of individuals in the EU, including organizations established outside the EU that offer goods or services to, or monitor the behavior of, people in the EU. It grants individuals rights over their data and imposes penalties for non-compliance.
No. 3: Under the Computer Fraud and Abuse Act, which of the following actions is illegal?
- A. Downloading movies from a paid streaming service
- B. Gaining unauthorized access to another person’s computer or data
- C. Installing free antivirus software
- D. Sharing a password for a paid subscription service
Answer: B. The CFAA prohibits intentionally accessing a computer without authorization, or exceeding authorized access, and thereby obtaining information from a protected computer. It also covers conduct such as accessing government or financial-institution computers without permission and knowingly transmitting code that causes damage to a protected computer.
No. 4: What type of information is protected by the Gramm-Leach-Bliley Act?
- A. Health records
- B. Financial data and personal customer data obtained in the financial industry
- C. Educational records
- D. Public records
Answer: B. The GLBA regulates financial institutions, including banks, insurance companies, and investment firms, as well as other businesses that offer financial products or services. The law protects consumers' nonpublic personal financial information by requiring institutions to explain their information-sharing practices and to implement safeguards that protect customer data from unauthorized access.
No. 5: What is the purpose of the Sarbanes-Oxley Act in relation to cybersecurity?
- A. To ensure accurate financial reporting and internal data controls
- B. To enforce criminal penalties for cyber fraud
- C. To establish privacy rights for consumers
- D. To protect patient health information
Answer: A. SOX requires publicly traded companies to maintain internal controls over financial reporting, which in practice means controlling the systems and data that feed financial statements. This includes establishing formal data security policies, regularly testing and evaluating those controls, and ensuring accurate and timely financial disclosures.
No. 6: Under the California Consumer Privacy Act, which right is NOT granted to California residents regarding their personal data?
- A. The right to access their personal data
- B. The right to demand payment for their data
- C. The right to request deletion of their data
- D. The right to opt out of data sale
Answer: B. The CCPA grants consumers the right to know, the right to delete, the right to opt out, and the right to non-discrimination. The California Privacy Rights Act expanded these rights to include the right to correct inaccurate personal information and the right to limit the use of sensitive personal information.
No. 7: What does the term "data breach notification" mean in the context of data privacy laws?
- A. A requirement to notify individuals only if their passwords are compromised
- B. A requirement to notify affected individuals and authorities when personal data is exposed
- C. A process to secure data after a breach
- D. A standard policy to reset company passwords every quarter
Answer: B. In the United States, a data breach notification obligation is generally triggered by unauthorized access to or acquisition of sensitive personal information, such as Social Security numbers, driver's license numbers, and financial account information. Every state has its own breach notification law, and many define protected information more broadly and set specific deadlines for notifying affected individuals and regulators.
No. 8: Which of the following requires companies handling credit card transactions to meet specific data security standards?
- A. Fair Credit Reporting Act
- B. Family Educational Rights and Privacy Act
- C. Payment Card Industry Data Security Standard
- D. Children’s Online Privacy Protection Act Rule
Answer: C. PCI DSS applies to any organization that stores, processes, or transmits cardholder data. This includes merchants, payment processors, issuers, acquirers, service providers, and any other entity in the payment card ecosystem. Note that PCI DSS is an industry standard rather than a statute: it is enforced through contracts with the card brands and acquiring banks, not by a government agency.
No. 9: The Children’s Online Privacy Protection Act aims to protect the online privacy of children under what age?
- A. Under 10
- B. Under 13
- C. Under 16
- D. Under 18
Answer: B. COPPA requires websites and online services directed to children under 13, or that knowingly collect data from them, to obtain verifiable parental consent before collecting, using, or disclosing a child's personal information. COPPA also requires those services to post clear privacy policies and to take reasonable steps to protect the data they collect.
No. 10: Which of the following best describes the concept of “data minimization” under privacy laws like the GDPR?
- A. Collecting as much data as possible for analysis
- B. Limiting data collection to what is necessary for a specific purpose
- C. Storing data indefinitely for future use
- D. Encrypting all data
Answer: B. Data minimization reduces the amount of sensitive information an organization holds, and therefore the amount that can be exposed in a breach. It parallels the security principle of least privilege, which limits each user and system to the minimum level of access needed to perform its function, reducing the opportunity for unauthorized access or misuse of data.
No. 11: During a cybersecurity tabletop exercise, which of the following activities is most important for evaluating the effectiveness of an organization's incident response plan?
- A. Ensuring all team members take detailed notes during the exercise
- B. Documenting every scenario presented, regardless of relevance
- C. Testing the physical security of on-site servers
- D. Identifying communication breakdowns and areas for process improvement
Answer: D. A tabletop exercise walks the response team through a simulated incident so the organization can confirm that its incident response plan works in practice. Its value lies in surfacing gaps, such as unclear escalation paths, missing contacts, or decisions no one is authorized to make, so the plan can be corrected before a real incident.
The Constangy Cybersecurity & Data Privacy Team assists businesses of all sizes and industries with tabletop exercises and implementing necessary updates to their privacy and compliance programs. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.