Which of the following must Privacy Impact Assessments (PIAs) do?
- Analyze how an organization handles information to ensure it satisfies requirements
-mitigate privacy risks
-determine the risks of collecting, using, maintaining, and disseminating PII on electronic information systems.
-all of the above
All of the Above
True or False? An Individual whose PII has been stolen is susceptible to identity theft, fraud, and other damage.
True
What / Which guidance identifies federal information security controls?
-The Freedom of Information Act (FOIA)
-The Privacy Act of 1974
-OMB Memorandum M-17-12: Preparing for and responding to a breach of PII
-DOD 5400.11-R: DOD Privacy Program
OMB Memorandum M-17-12
Which of the following is NOT an example of PII?
-Driver’s License Number
-Pet’s nickname
-Social Security Number
-Fingerprints
Pet’s nickname
Which of the following is NOT a permitted disclosure of PII contained in a system of records?
-These are all permitted disclosures
-The record is disclosed for a new purpose that is not specified in the SORN
-The record is disclosed for routine use.
-The individual has requested that their record be disclosed.
The record is disclosed for a new purpose that is not specified in the SORN
PIA is required when organization collects PII from:
- Existing information systems and electronic collections for which no PIA was prev completed.
-New information systems or electronic collections.
(before development or purchase and/or converting paper records to electronic systesm)
PIA is not required when the information system or electronic collection:
- does not collect, maintain, or disseminate PII
-is a national security system, including one that process classified info - is solely paper-based
Within what timeframe must DOD organizations report PII breaches to the United States Computer Emergency Readiness Team (US-CERT) once discovered?
-1 hour
-12 hours
-48 hours
-24 hours
1 hour for US-CERT
(FYI: 24 hours to Component Privacy Office and 48 hours to Defense Privacy, Civil liberties, and transparency division)
Your organization has a new requirement for annual security training. To track training completion, they are using employee Social Security Numbers as record identification. Is this compliant with PII safeguarding procedures?
- Yes or No
NO
You are tasked with disposing of physical copies of last year’s grant application forms. These documents contain PII so you use a cross-cut shredder to render them unrecognizable and beyond reconstruction. Is this compliant with PII safeguarding procedures?
-YES or NO
YES
Organizations that fail to maintain accurate, relevant, timely, and complete information may be subject to which of the following?
-Neither civil nor criminal penalties
-civil penalties
-criminal penalties
-both civil and criminal penalties
Civil Penalties
True or False? Paper-based PP is involved in data breaches more often than electronic PP documentation?
False- Phishing is responsible for most of the recent PII Breaches
Which regulation governs the DoD Privacy Program?
-The Freedom of Information Act (FOIA)
-The Privacy Act of 1974
-OMB Memorandum M-17-12: Preparing for and responding to a breach of PII
-DOD 5400.11-R: DOD Privacy Program
-DOD 5400.11-R: DOD Privacy Program
Which of the following is NOT included in a breach notification?
A. Articles and other media reporting the breach.
B. What happened, date of breach, and discovery.
C. Point of contact for affected individuals.
D. Whether the information was encrypted or otherwise protected.
A. Articles and other media reporting the breach.
TRUE OR FALSE. A PIA is required if your system for storing PII is entirely on paper.
FALSE
TRUE OR FALSE. Misuse of PII can result in legal liability of the individual.
TRUE
TRUE OR FALSE. Misuse of PII can result in legal liability of the organization.
TRUE
Where is a System of Records Notice (SORN) filed?
A. National Archives and Records Administration
B. Congress
C. Federal Register
D. SORNs are for internal reference only, and don’t need to be filed with a third party.
Federal Register
Organizations must report to Congress the status of their PII holdings every:
A. Six Months
B. Year
C. Five years
D. Organizations are not required to report to Congress
Year
Jane Student is delivering a document that contains PII, but she cannot find the correct cover sheet. She should:
A. Mark the document CUI and deliver it without the cover sheet.
B. Mark the document as sensitive and deliver it without the cover sheet.
C. Mark the document CUI and wait to deliver it until she has the cover sheet.
D. None of the above; provided she is delivering it by hand, it does not require a cover sheet or markings.
Mark the document CUI and wait to deliver it until she has the cover sheet
The acronym PHI, in this context, refers to:
A. Protected Health Information
B. Public Health Institute
C. Public Health Informatics
D. Public Health Intelligence
Protected Health Information
Use and Disclosure of PII
An organization that fails to protect PII can face consequences including
All of the Above
Use and Disclosure of PII
True or False?
Information that can be combined with other information to link solely to an individual is considered PII.
True
Use and Disclosure of PII
Which of the following is NOT a permitted disclosure of PII contained in a system of records?
The purpose is disclosed with a new purpose that is not encompassed by SORN
Use and Disclosure of PII
What guidance identifies federal information security controls?
OMB Memorandum M-17-12
Use and Disclosure of PII
Which of the following must Privacy Impact Assessments (PIAs) do?
All of the Above
Use and Disclosure of PII
What regulation governs the DoD Privacy Program?
DoD 5400.11-R: DoD Privacy Program
Use and Disclosure of PII
What law establishes the federal government’s legal responsibility for safeguarding PII?
Privacy Act of 1974
Use and Disclosure of PII
What law establishes the public’s right to access federal government information?
FOIA
Use and Disclosure of PII
No disclosure of a record in a system of records unless:
The individual to whom the record pertains:
- submits a written request
- has given prior written consent
OR
Includes “routine use” of records, as defined in the SORN
Safeguarding PII
Your coworker was teleworking when the agency e-mail system shut down. She had an urgent deadline so she sent you an encrypted set of records containing PII from her personal e-mail account. Is this compliant with PII safeguarding procedures?
No
If you discover a data breach you should immediately notify the proper authority and also:
document where and when the potential breach was found:
-record URL for PII on the web
Officials or employees who knowingly disclose PII to someone without a need-to-know may be subject to which of the following?
Both civil and criminal penalties
Which of the following is NOT an example of an administrative safeguard that organizations use to protect PII?
List all potential future uses of PII in the System of Records Notice (SORN)
True or False?
Phishing is not often responsible for PII data breaches.
False