Cybersecurity and Privacy Foundations Flashcards

Understand the relationship between data security and privacy, including key threats and protection strategies. (126 cards)

1
Q

What is Privacy by Design?

(PbD)

A

Embedding privacy principles into services and products from the beginning.

2
Q

What is Privacy Engineering?

A

Applying PbD principles using technical approaches to protect privacy and maintain data utility.

3
Q

What are the two categories of Privacy-Enhancing Technologies?

(PETs)

A
  • Data altering/deidentification
  • Data shielding
4
Q

Why is deidentification important?

A

It helps preserve privacy and exempts data from some laws and governance.

5
Q

What is the difference between anonymous and pseudonymous data?

A
  • Anonymous data can’t identify individuals.
  • Pseudonymous uses identifiers that don’t reveal true identity.
6
Q

What are strong identifiers?

A

Data like SSN, passport number, or name that directly identifies individuals.

7
Q

What are weak identifiers?

A

Data like usernames or email addresses that can identify individuals when aggregated.

8
Q

What are quasi-identifiers?

A

Data like a date of birth that can identify individuals when combined with external information.

9
Q

What is a persistent identifier?

A

Identifiers like IP or MAC addresses that consistently identify a device or user over time.

10
Q

What is the difference between linked and linkable data?

A
  • Linked: matching elements
  • Linkable: data that could be potentially associated
11
Q

What is suppression in deidentification?

A

Removing identifiers entirely.

12
Q

What is generalization in deidentification?

A

Replacing specific data with broader categories.

13
Q

What is noise addition?

A

Adding random variation to data to preserve overall statistical properties.

14
Q

How does differential privacy work?

A

It balances privacy and data utility by adjusting the noise added to data.

15
Q

What are HIPAA’s deidentification methods?

A
  • Safe Harbor (removal of 18 identifiers)
  • Expert Determination (very small re-identification risk)
16
Q

What is FTC guidance on deidentification?

A
  • Data must not be ‘reasonably linkable’.
  • The organization must not re-identify or allow others to do so.
17
Q

What are the two main types of data-shielding PETs?

A
  • Encryption
  • Hashing
18
Q

What is symmetric encryption?

A

Private-key cryptography where the same key encrypts and decrypts data.

19
Q

List pros and cons of symmetric encryption.

A
  • Pros: Fast, requires fewer resources
  • Cons: Requires safe key exchange
20
Q

What is asymmetric encryption?

A

Public-key cryptography using a key pair (public and private) for each user.

21
Q

How is a message sent using asymmetric encryption?

A
  • Encrypt with the receiver’s public key
  • Decrypt with their private key
22
Q

What is a digital certificate?

A
  • Used for authentication
  • Ensures a message came from a specific user
23
Q

What is the role of a certificate authority?

A
  • Generates keys
  • Validates identities
  • Issues and signs digital certificates
24
Q

What is Public Key Infrastructure (PKI)?

A

Supports key distribution and certificate validation.

25
What is **hashing**?
A **one-way mathematical function** that converts an input into a fixed-length **alphanumeric output**.
26
What is the **main goal** of hashing?
  • Preserve data integrity
  • Prevent reverse identification
27
How does hashing **preserve privacy**?
It creates **pseudonyms** or **unique IDs** from identifiers like SSNs.
28
What is a **rainbow table**?
A **lookup table** of hash values to reverse hashed inputs.
29
What is **salting a hash**?
Adding **random data to the input** before hashing to prevent rainbow table attacks.
30
What are **trusted execution environments**?
Secure areas **in hardware** for private data processing.
31
What is **homomorphic encryption**?
Allows **computation on encrypted data** without decrypting it.
32
What is **secure multi-party computation**?
Enables parties to **compute results without revealing** their inputs.
33
What is a **zero-knowledge proof**?
A way to **prove knowledge** of information **without revealing the actual information**.
34
What are examples of **physical shielding technologies**?
  • Webcam covers
  • Screen films
  • Biometric device locks
35
What is **information security**?
Protection of information's:
  • Confidentiality
  • Integrity
  • Availability
36
How does information security **differ** from cybersecurity?
  • **Infosec** covers all formats
  • **Cybersecurity** focuses on digital systems and infrastructure
37
What does the **CIA triad** stand for?
  • Confidentiality
  • Integrity
  • Availability
38
What is **confidentiality** in the CIA triad?
Ensuring data is **accessed only by authorized personnel**.
39
What is **integrity** in the CIA triad?
Ensuring data is **accurate, complete, and tamper-proof**.
40
What is **availability** in the CIA triad?
Ensuring data is **accessible when needed**.
41
What does the **DAD triad** stand for?
  • Disclosure
  • Alteration
  • Destruction
42
What is **disclosure** in the DAD triad?
Unauthorized access to data.
43
What is **alteration** in the DAD triad?
Data is unknowingly changed or tampered with.
44
What is **destruction** in the DAD triad?
Data is lost.
45
What is a **control** in information security?
A measure implemented to mitigate risk.
46
What are the **three types of controls**?
  • Administrative
  • Technical
  • Physical
47
What is the **NIST Cybersecurity Framework** (CSF)?
Voluntary guidance from NIST to **promote best practices** in cybersecurity.
48
What are the **five core functions** of the NIST CSF?
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover
49
What does the '**Identify**' function in NIST CSF cover?
  • Business context
  • Systems
  • Data
  • Assets
  • Capabilities
50
What does the '**Protect**' function in NIST CSF involve?
**Safeguards** for confidentiality, integrity, and availability.
51
What does '**Detect**' refer to in the NIST CSF?
Identifying abnormal events.
52
What does '**Respond**' involve in the NIST CSF?
Taking action and notifying relevant parties.
53
What does '**Recover**' focus on in the NIST CSF?
Restoring systems, services, and capabilities.
54
What is the **adversarial mindset** in cybersecurity?
  • Assumes constant threats
  • Emphasizes threat modeling and countermeasures
55
What is the **MITRE ATT&CK Framework**?
A knowledge base of cyberattacks and techniques.
56
What does **STRIDE** stand for?
  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of Service
  • Elevation of privilege
57
What is '**resilience**' in cybersecurity?
Ability to recover after an attack.
58
What is '**zero trust**'?
  • No system, network, or actor is trusted
  • Verify all access requests
59
What is the principle of **least privilege**?
Users get **only the access they need** to perform their job.
60
What are **role-based access controls**?
Access is assigned **based on user roles**.
61
What is **security by default**?
Systems are configured for security from the outset.
62
What is **defense in depth**?
**Multiple layers** of security across various stages.
63
How does cybersecurity **differ** from privacy?
  • **Cybersecurity**: system-focused
  • **Privacy**: data subject-focused
64
What is the role of the **Chief Privacy Officer** (CPO)?
**Leadership role** developing and implementing privacy policies.
65
What is the role of the **Data Protection Officer** (DPO)?
  • Ensure legal compliance
  • Avoid conflicts of interest
  • Not involved in processing decisions
66
What does the **Chief Legal Officer** handle?
  • **Legal oversight** including privacy
  • May or may not focus solely on **privacy**
67
What is the responsibility of a **Privacy Engineer**?
Ensure **technical compliance** and support privacy in services and technologies.
68
What are the duties of a **Privacy Manager**?
Develop, maintain, enforce privacy policies; **mid-level role**.
69
What does a **Privacy Analyst** do?
Assess legal/operational risk, help with policy, training; **entry-level role**.
70
What are the **stages** of the **information life cycle**?
  • Creation
  • Use/Process
  • Storage
  • Sharing
  • Deletion
71
**Why** is the data life cycle **important** in privacy?
Certain laws apply to specific stages.
Footnote: E.g., deletion, storage
72
What is a **data inventory**?
Captures the who, what, where, when, why, and how of an organization’s data.
73
What is a **data controller**?
Entity that **determines the purpose and means** of processing data.
74
What is a **data processor**?
Processes data **on behalf of** the controller.
75
What is **data classification**?
Determines the **sensitivity** of data.
76
What is a **data flow diagram**?
A map **showing how data flows** through a system or application.
77
What is **data accountability**?
**Responsibility** for protecting data and complying with ownership requirements.
78
What **protections** are required for **high sensitivity data**?
  • Encryption
  • Separate networks
  • Firewalls
  • Access logs
79
What does **RoPA** document?
  • Purpose
  • Recipients
  • Retention
  • Controls of processing
80
What are the **goals** of a privacy program?
  • Implement framework
  • Ensure compliance
  • Promote trust
  • Respond to requests/breaches
  • Monitor
  • Improve maturity
81
What is a **privacy program framework**?
Processes, tools, templates, and standards for managing a privacy program.
82
What are the **four main steps** in a privacy framework?
  • Draft mission/vision
  • Develop framework
  • Implement framework
  • Track metrics
83
What is a **mission statement**?
Concise declaration of **organization's purpose** and how goals will be achieved.
84
What is a **vision statement**?
Inspirational depiction of **long-term aspirations** and desired future.
85
Give examples of **privacy program metrics**.
  • Data subject requests
  • Incidents
  • Disclosures
  • Training
  • PIA metrics
  • ROI
  • Maturity
86
What are the **four stages** of the **privacy operational life cycle**?
  • Assess
  • Protect
  • Sustain
  • Respond
87
What does the '**Assess**' stage involve?
  • Document baseline
  • Identify inventory and risks
  • Document assessment
88
What does the '**Protect**' stage include?
  • Implement privacy/security controls
  • Review access
  • Incident response
  • Integrate privacy into business
89
What does the '**Sustain**' stage focus on?
  • Monitor and audit compliance
  • Train employees
  • Track regulatory changes
90
What is the focus of the '**Respond**' stage?
  • Support customer rights
  • Handle privacy incidents
  • Ensure legal compliance
91
What is a **privacy notice**?
External, **public-facing** document informing consumers about data practices.
92
What is a **privacy policy**?
**Internal document** outlining standards and procedures for handling personal data.
93
What are **shared traits** of policies and notices?
  • Explain how PII is handled
  • Can be public
94
What are the **key sections** of a **privacy policy**?
  • Purpose
  • Scope
  • Applicability
  • Roles
  • Compliance
  • Penalties
95
What are the **steps** in privacy policy **implementation**?
  • Review/approval
  • Communication
  • Annual review
  • Archive/version control
96
When is **express affirmative consent** required?
For **material changes in privacy policy**, per FTC guidance.
97
What are the **goals** of a **privacy notice**?
  • Help consumers make informed decisions
  • Provide transparency
98
What should privacy notices include?
  • Data collection and use
  • Retention
  • Legal basis
  • Principles
99
**Where** should privacy notices be accessible?
  • Online (landing page)
  • Physically on-site
100
What is a **layered notice**?
Two-part: short summary + full legal text.
101
What is a **just-in-time notice**?
Displayed at or before data collection.
102
What is a **dashboard notice**?
Includes both notice content and user controls.
103
What are **FTC recommendations** for **privacy notices**?
  • Privacy by Design
  • Privacy by Default
  • Transparency
  • Simplified choices
104
What is an **opt-in** user preference?
Customer **affirms consent** to share or collect data.
105
What is an **opt-out** user preference?
Customer **affirms refusal** to share or collect data.
106
What is **double/confirmed opt-in**?
Customer signs up **and** confirms via link in verification email.
107
What is '**no consumer choice/option**'?
Data collected **without** giving customer a **choice**.
108
When is 'no consumer choice/option' **acceptable**?
When data use is consistent with transaction context, company relationship, or law.
109
What does **COPPA require** for **opt-in**?
**Parental consent** before collecting data from children.
110
When does **FCRA** require **opt-in**?
**Before sharing** a credit report with employers, lenders, or others.
111
When does **HIPAA** require **opt-in**?
**Before disclosing** personal health information to third parties.
112
What is the **FTC's opt-in** requirement?
For **materially changed** privacy notices.
113
What does **VPPA** require for opt-out?
**Before disclosing** video rental data to third parties.
114
Who must provide opt-out under **CAN-SPAM**?
Email marketers
115
What does the **Do Not Call Rule** regulate?
  • Telemarketing calls
  • Allows opt-out company-by-company
116
What is the **right to access**?
Consumers can **request to view** their personal data/records.
117
What is the **right to redress**?
Consumers can **request corrections** to their personal data/records.
118
What is the **Judicial Redress Act of 2015**?
Allows qualifying non-U.S. persons to sue U.S. agencies to access records.
119
**Who** is responsible for a **vendor's actions** under a privacy policy?
The business contracting the vendor.
120
What are best practices for **paper data disposal**?
Shred, burn.
121
What does the **FACTA Disposal Rule** require?
Dispose of consumer reports to prevent unauthorized access or misuse.
122
What is **vendor vetting**?
**Due diligence** on reputation, financials, security, and incident response.
123
What is **privacy risk**?
**Potential harm** from data collection, use, or processing.
Footnote: Examples: loss of control, discrimination, physical harm, reputational damage, economic loss.
124
What are the **steps in privacy risk management**?
  • Identify risk
  • Select control
  • Implement control
  • Monitor continuously
125
What is a **Privacy Impact Assessment**? (PIA)
Assesses risk, selects controls, ensures legal/policy compliance across data life cycle.
126
How is privacy risk **calculated**?
Risk = Impact x (Vulnerability x Threat)