Financial institutions such as banks are regulated by many different federal government agencies. Guidelines were collaboratively developed by the agencies to promote consistent requirements under the GLBA safeguards rule for the regulated entities to follow. Which agency below has adopted the GLBA interagency guidelines?
FDIC
T/F: The FTC regulates financial institutions such as retailers that offer credit to customers under the GLBA Safeguards Rule.
True
T/F: The Fair Credit Reporting Act requires the FTC and other banking regulators to create rules and regulations referred to as Red Flags rules.
False
T/F: The Red Flags Rule only applies to companies that (1) are financial institutions or creditors and (2) offer "covered accounts" to businesses.
False
T/F: Congress passed the Red Flag Program Clarification Act to make it clear that doctors and lawyers are not creditors for the purpose of creating programs to prevent identity theft.
True
T/F: Companies that accept or use credit or debit cards (including, but not limited to, retailers) are required to comply with the Payment Card Industry Data Security Standard (PCI DSS), a law passed by Congress in 2010.
False
HIPAA only applies to ----- and -----.
covered entities, business associates
The HIPAA security rule applies to what kind of information?
PHI; protected health information
The proper form for a publicly traded company subject to the SEC's rules to report a data breach to the SEC at any time during the year is:
8-K
Which SEC reporting form is used for reporting cybersecurity risk disclosures to investors?
10-K
T/F: The 9th Circuit Court of Appeals in Brekka says that a person does not violate the CFAA's statutory language "exceeds authorized access" when that person accesses information in a protected computer that the person has authorization to access and then uses the information for a purpose not authorized by the information/computer owner.
True
T/F: The 5th Circuit Court of Appeals in US v. John followed the 9th Circuit's reasoning in Nosal I concerning the narrow interpretation of the meaning of "exceeds authorized access".
False
T/F: Cybersecurity researchers complain that the CFAA prohibits them from engaging in system vulnerability discovery.
True
T/F: A cybersecurity researcher, for the time being, should only do vulnerability discovery research on websites that advertise an established bug bounty program that spells out the restrictions and limitations the researcher must abide by.
True
T/F: To bring a civil action under the CFAA one must prove damages or losses of $1,000 or more.
False
T/F: Evidence of child pornography, if found by a Best Buy employee repairing a laptop, will be excluded from use by the prosecutor because it violates the fourth amendment rights of the accused, since no search warrant was issued prior to the search.
False
T/F: The third-party doctrine says that information voluntarily given to a third party removes any "reasonable expectation of privacy" in that data.
True
T/F: The National Security Agency uses the third-party doctrine to justify its program of bulk collection of email metadata.
True
T/F: While searching a suspect's home for stolen TVs with a search warrant that only allows a search for TVs, the police see rows of white powder lined up neatly on the dining room table and promptly arrest the occupant for illegal possession of cocaine. The evidence of illegal cocaine possession will be suppressed at trial because the search warrant did not include a search for drugs.
False
T/F: Police in hot pursuit of a criminal suspect do not need a search warrant to enter the house that the suspect was immediately observed entering.
True
T/F: Search of a cell phone is valid without a search warrant if the search is made at the time of the arrest.
False
T/F: The fourth amendment restrictions against unreasonable searches and seizures apply to anyone conducting a search without a search warrant obtained with "probable cause".
False
Prohibits circumventing technology that controls access to copyrighted material
Sec. 1201(a)(1)
The Economic Espionage Act punishes theft of
Trade Secrets
Prohibits economic espionage to benefit a foreign government or entity
Sec. 1831
Section 1201 criminal prosecutions must be brought within
5 years
Economic Espionage Act civil actions must be brought within
3 years
T/F: The Federal Trade Commission regulates privacy on a case-by-case basis with no specific requirements that businesses must follow.
True
T/F: The Video Privacy Protection Act, originally enacted to protect personal video rental information of customers of businesses like Blockbuster, applies to websites and other online services that provide video streaming.
True
T/F: COPPA applies to all people under the age of 18.
False
T/F: California's "eraser law" requires that online services "directed to minors" permit registered users to request removal of information that the child posted on the service.
True
T/F: Under Illinois' biometric privacy law, digital photos are not treated the same as print photos.
True
T/F: European Union citizens view privacy as a fundamental human right, and therefore its requirements for privacy and data security generally are more stringent than those in the United States.
True
The GDPR imposes general principles for the processing of personal data. Which of the choices below is a general principle?
Accuracy
T/F: A business in the U.S. with European Union citizens as customers does not have to concern itself with the GDPR's requirements since the U.S. is a sovereign nation and the EU's laws are not enforceable in the U.S.
False
T/F: The GDPR allows individuals a qualified "right to be forgotten" which means individuals can request that organizations delete data that pertains to the individual under circumstances prescribed in the law.
True
T/F: The GDPR directs companies to report breaches of personal data to government regulators within 48 hours of discovery.
False
Rules governing conduct of war once hostilities begin.
Jus in bello
Set of 154 nonbinding rules that apply to cyberwarfare?
Tallinn Manual 2.0
Difficult task that attempts to identify the perpetrator of a cyber attack in order to prevent innocent parties from being harmed.
Attribution
Masquerading as a civilian in order to blend in and get close to the target and destroy it is akin to what?
Perfidy
T/F: Cyberespionage is not considered a "use of force" and is not justification for a disproportionate retaliatory attack.
True
Professional ethics codes fall into 2 primary categories: ------ and ------
aspirational, regulatory
A professional code of ethics that lays out standards and specific penalties for members that fail to comply with the code is said to be:
regulatory
PCI DSS
Contractual
HIPAA
PHI
FTC Red Flags
Identity Theft
CFIUS
SEC and Foreign Investment
What law does the Federal Trade Commission use to claim its authority to regulate cyber security or data breach issues pertaining to private businesses?
Section 5 of the Federal Trade Commission Act
T/F: The Wyndham Worldwide Corporation prevailed against the FTC in the FTC's regulatory action against Wyndham for lax data security practices.
False
T/F: The Mississippi data breach notification statute requires notification to individual victims of data theft when the stolen data is encrypted with a strong encryption algorithm.
False
All but which of the below factors are required for Article III standing?
Addressability
T/F: A credible threat of increased risk of future harm from a data breach is enough to find an injury-in-fact for purposes of Article III standing in jurisdictions that view injury-in-fact broadly.
True
Which of the following are required to bring a class action lawsuit?
A. Joinder of all harmed individuals is not practical
B. There is a common set of facts that applies to all class members
C. The claims of the class members are typical among all
D. All of the above
All of the above
What law was passed in 1999 to protect customers' personal information held by financial institutions?
GLBA
What types of financial institutions are regulated by the FTC?
A. Consumer reporting agencies
B. Retailers that offer credit to customers
C. Mortgage Brokers
D. All of the above
All of the above
T/F: The purpose of the FTC's red flags rule is to prevent account holders from becoming the victims of identity theft.
True
The FTC's red flags rule applies to which of the following types of financial institutions?
A business issues credit cards for consumer purchases
Businesses that accept bank-issued payment cards such as credit and debit cards must comply with what data protection standard?
PCI DSS; Payment Card Industry Data Security Standard
T/F: Businesses that accept bank-issued payment cards such as credit and debit cards are required by an agreement with the card issuer to adhere to stringent data security practices.
True
The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of what type of data?
PHI
The HIPAA security rule applies to what two types of entities?
covered entities and business associates
A ------ is a health plan, a healthcare provider, or a healthcare clearinghouse who transmits health information in electronic form.
covered entity
A ------ is a provider of data transmission services to a covered entity, a person who offers a personal health record to individuals on behalf of a covered entity, or a subcontractor that provides similar services on behalf of a business associate.
business associate
The HIPAA security rule requires entities covered by the rule to implement all but which types of safeguards?
Security
What reporting form should a publicly traded company file with the SEC when a significant data breach occurs?
8-K
T/F: The primary remedy for fourth amendment violations is exclusion of evidence obtained from the illegal search from use at trial.
True
T/F: Evidence of child pornography, if found by a Best Buy employee repairing a laptop, will be excluded from use by the prosecutor because it violates the fourth amendment rights of the accused if the employee actively searched for evidence of illegal activity at the request of local law enforcement.
True
T/F: The third-party doctrine says that information voluntarily given to a third party removes any "reasonable expectation of privacy" in that data and defeats the requirement for a search warrant.
True
T/F: An individual cannot relieve the police of the need to obtain a search warrant by consenting to a search because the police exert undue influence by virtue of their position of authority.
False
T/F: Katz v. United States requires a two-pronged analysis that includes both subjective and objective expectations of privacy in order to create a reasonable expectation of privacy for fourth amendment purposes.
True
T/F: Police must have a search warrant to search an automobile.
False
T/F: A search of a cell phone by police does not require a search warrant if it is incident to a lawful arrest.
False
T/F: Computer access to data with authorization will not later give rise to a CFAA complaint of "exceeds authorized access" if the data is misused or an employee is disloyal to his employer within the jurisdiction of the 9th Circuit Court of Appeals.
True
T/F: Section 1201(a)(1) prohibits trafficking in technology that facilitates circumvention of measures that protect against copyright infringement.
False
T/F: The FBI attempted to use the All Writs Act to get Apple to assist it in accessing the encrypted iPhone of the San Bernardino shooters in 2016.
True
T/F: The Economic Espionage Act punishes theft of all types of intellectual property.
False
T/F: The DMCA was enacted in 1998 to implement the U.S.'s obligations as a signatory to the World Intellectual Property Organization's Copyright Treaty.
True
T/F: Section 1201(a)(2) of the DMCA prohibits circumventing technology that controls access to copyrighted material.
False
T/F: Section 1201(a)(1) prohibits trafficking in technology that facilitates circumvention of measures that protect against copyright infringement.
False
T/F: The legal protections afforded trade secrets under U.S. law require that trade secret owners take reasonable and necessary measures to protect those secrets from unauthorized disclosure.
True
T/F: Section 1831 of the Economic Espionage Act prohibits the theft of trade secrets to benefit one company over another.
False
T/F: The Defend Trade Secrets Act of 2016 was enacted to give victims of trade secret misappropriation the right to bring a civil suit in federal court.
True
T/F: National security letters are administrative subpoenas that allow the government to secretly obtain information relevant to national security investigations. The law has since been amended modestly to address some concerns of privacy advocates.
True
T/F: The Pen Register Act applies to email metadata as well as phone numbers dialed.
True
T/F: The CFAA does not allow private plaintiffs to bring a civil suit for violations of the act.
False
T/F: Ubiquitous computing refers to the practice of embedding technology in everyday items such that they may collect information and transmit it to other objects, often without the user being aware of it, and has privacy implications.
True
T/F: The FTC brings enforcement actions against private companies for violating their own stated privacy policies.
True
T/F: The HIPAA privacy rule requires that the patient consent in writing before a health care provider can disclose protected health information for any purpose.
False
T/F: Unlike the GLBA, which directs financial institutions to allow customers to opt out of certain data sharing, the California Financial Information Privacy Act requires that customers opt in before private customer data is shared with unaffiliated third parties.
True
T/F: Private parties have no right to bring lawsuits for violations of the Illinois Biometric Information Privacy Act.
False
T/F: The California Consumer Privacy Act only applies to companies doing business in CA that have gross annual revenues over $25,000,000.00
False
T/F: GLBA requires financial institutions to provide customers with its privacy notice only at the beginning of the customer relationship.
False
T/F: HIPAA requires that covered entities designate a privacy official to be responsible for implementation of their privacy policies and procedures.
True
T/F: A cyber attack by a nonstate actor is most likely to be viewed as cyberterrorism rather than an act of cyberwar.
True
T/F: Jus ad bellum is mostly regulated under the United Nations Charter.
True
T/F: GDPR applies to non-European companies that offer goods or services to EU residents.
True
T/F: The GDPR directs companies to report breaches of personal data to government regulators within 48 hours of discovery.
False
T/F: Europe views privacy as a fundamental human right, and therefore its requirements for privacy and data security generally are more stringent than those in the United States.
True
T/F: "Safe Harbor" is the current agreement between the EU and the U.S. governing the transfer of EU residents' data from the EU to the U.S. for storage and processing.
False