Hacking, identity theft, malware distribution

A data breach occurs when:

Confidential or protected data is accessed without authorization

Which are safeguards for cross-border data transfers under GDPR?

Adequacy decisions | Standard Contractual Clauses | Binding Corporate Rules

Which event led to stricter international privacy frameworks in the 2000s?

Increasing frequency of cyberattacks

What does DPIA stand for?

Data Protection Impact Assessment

Privacy laws primarily regulate:

Collection, processing, and sharing of personal data

What is the purpose of pseudonymization?

Reducing re-identification risk by replacing identifiers

Which are key rights of data subjects under privacy laws?

Right to rectification | Right to erasure (forgotten) | Right to access

Which is a historical driver for privacy law?

Expansion of the internet and online threats

Which principle ensures that personal data is processed fairly and lawfully?

Transparency and legitimate purpose

Which are examples of lawful bases for processing personal data under GDPR?

Consent| Legal obligation |Contract performance

Which are critical elements of national cybersecurity strategies?

Enforcing incident reporting | Public awareness campaigns | Protecting critical infrastructure

The accountability principle requires:

Records of processing and demonstration of compliance

Which EU law laid the foundation for modern data protection?

Data Protection Directive of 1995

Which are examples of incident response plan steps?

Containment| Recovery| Identification of incident

What does “jurisdiction” mean in data privacy?

Legal authority over geographical area or data transfers

Which of the following is an example of accountability in practice?

Appointing a Data Protection Officer and keeping compliance records

Which concept involves notifying individuals and authorities after a breach?

Breach notification requirement

Which are examples of encryption use in compliance?

Protecting communications with SSL/TLS | Protecting stored medical records | Securing online payment transactions

Which is the most critical role of corporate accountability laws?

Ensuring organizations safeguard data and face penalties if not compliant

A Data Protection Impact Assessment (DPIA) is required under GDPR when:

Processing poses high risk to individuals’ rights

Which are elements of the CIA Triad?

Integrity | Availability | Confidentiality

Help

Options

focusNode

Didn't know it?
click below

Knew it?
click below

Don't Know

Remaining cards (0)

Know

retry

shuffle

restart

0:00

Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.

Normal Size Small Size show me how

CyerSec FINALS

LAST DANCE

Question	Answer
Which law requires impact assessments for high-risk processing activities?	GDPR
The Data Privacy Act of 2012 was enacted in:	Philippines
Which regulation is specific to the European Union?	GDPR
Which U.S. Act of 2002 included provisions for critical infrastructure protection?	Homeland Security Act
Cybercrime includes:	Hacking, identity theft, malware distribution
A data breach occurs when:	Confidential or protected data is accessed without authorization
A hospital restricts access to patient records only to attending physicians. This follows least privilege principle.	TRUE
Which are safeguards for cross-border data transfers under GDPR?	Adequacy decisions \| Standard Contractual Clauses \| Binding Corporate Rules
Which event led to stricter international privacy frameworks in the 2000s?	Increasing frequency of cyberattacks
What does DPIA stand for?	Data Protection Impact Assessment
A cyberattack aiming to make a system unavailable refers to:	Denial of Service
A government requires telecoms to retain communication data only for legally defined periods. This complies with retention limits.	TRUE
Which directive aims to achieve a high common level of network security in the EU?	NIS Directive
A retail shop collects customer emails and uses them for unrelated political ads. This complies with data minimization.	FALSE
Privacy laws primarily regulate:	Collection, processing, and sharing of personal data
Which law governs EU member states’ network and information security?	NIS Directive
Which international agency promotes cybersecurity in the EU?	ENISA
What is the purpose of pseudonymization?	Reducing re-identification risk by replacing identifiers
Which are key rights of data subjects under privacy laws?	Right to rectification \| Right to erasure (forgotten) \| Right to access
Which is a historical driver for privacy law?	Expansion of the internet and online threats
Which principle ensures that personal data is processed fairly and lawfully?	Transparency and legitimate purpose
Which principle prevents organizations from collecting unlimited data?	Proportionality
Which are examples of lawful bases for processing personal data under GDPR?	Consent\| Legal obligation \|Contract performance
A company processes personal data of EU citizens without GDPR compliance. This is lawful.	FALSE
Which regulation aims to harmonize cybersecurity across EU nations?	NIS Directive
Which principle emphasizes giving individuals control over their data?	Consent
Which country pioneered early data protection legislation?	Germany
Which are critical elements of national cybersecurity strategies?	Enforcing incident reporting \| Public awareness campaigns \| Protecting critical infrastructure
The accountability principle requires:	Records of processing and demonstration of compliance
A company refuses to disclose how long it keeps customer data. This demonstrates accountability.	FALSE
A company shares medical records with advertisers without consent. This complies with HIPAA.	FALSE
Which EU law laid the foundation for modern data protection?	Data Protection Directive of 1995
An airline keeps passenger passport data forever even after travel. This complies with retention limits.	FALSE
Which are examples of incident response plan steps?	Containment\| Recovery\| Identification of incident
Which U.S. law addresses protection of patient health information?	HIPAA
Which is a key risk of weak jurisdictional enforcement in data privacy?	Cross-border misuse of data
Which of the following is NOT part of the CIA Triad?	Transparency
What does “jurisdiction” mean in data privacy?	Legal authority over geographical area or data transfers
Which is NOT an example of a cybersecurity incident?	System software update
Which cybersecurity law promotes consumer trust in digital services?	GDPR
Which law enforces mandatory breach notifications within 72 hours?	GDPR
Which of the following is an example of accountability in practice?	Appointing a Data Protection Officer and keeping compliance records
Which concept involves notifying individuals and authorities after a breach?	Breach notification requirement
Which principle requires data collection to be limited to what is necessary?	Proportionality
Which are examples of encryption use in compliance?	Protecting communications with SSL/TLS \| Protecting stored medical records \| Securing online payment transactions
Which is the most critical role of corporate accountability laws?	Ensuring organizations safeguard data and face penalties if not compliant
A Data Protection Impact Assessment (DPIA) is required under GDPR when:	Processing poses high risk to individuals’ rights
The GDPR came into effect in which decade?	2010s
A government agency requires explicit consent before collecting fingerprints. This complies with privacy law.	TRUE
Which country passed the CFAA?	United States
Which are elements of the CIA Triad?	Integrity \| Availability \| Confidentiality
Which legal concept refers to replacing identifiers with pseudonyms?	Pseudonymization
Which country’s law is considered a global benchmark for data protection?	EU’s GDPR
Which is a challenge in cross-border data transfer?	Different privacy jurisdictions
A government publishes citizens’ addresses online without consent. This violates privacy law.	TRUE
What is the primary goal of encryption in privacy law compliance?	To prevent unauthorized access to sensitive data
Which Philippine law established a comprehensive framework for data protection?	Data Privacy Act of 2012
Which regulation requires strong security measures in healthcare institutions?	HIPAA
Which of the following defines “cybercrime”?	Illegal activities conducted via computers or the internet
An employee leaks client data via personal email. The company later updates policies. The leak still violates privacy law.	TRUE
Which principle requires organizations to demonstrate compliance with data protection laws?	Accountability
A cloud storage provider retains backups indefinitely without justification. This complies with retention policies.	FALSE
What does encryption ensure?	Confidentiality and integrity of data
Which standard secures credit card transactions?	PCI DSS
Which U.S. law targets fraud using computers?	CFAA
A company deletes customer data once no longer needed. This follows data minimization.	TRUE
Which of the following is an example of personal data?	Phone number
Which are examples of cybercrime?	Hacking \| Malware distribution \| Identity theft
Which are global privacy frameworks?	APEC Privacy Framework \| GDPR
Which regulation addresses consumer privacy in financial services?	GLBA
An IT firm conducts a DPIA before launching biometric data processing. This aligns with GDPR.	TRUE
What does “consent” mean in privacy law?	Individual permission before data collection or processing
A company transfers EU customer data to another country with no equivalent privacy law, without safeguards. This complies with GDPR.	FALSE
A company publishes anonymized statistics without identifiers. This generally complies with privacy law.	TRUE
Which are possible consequences of data breaches?	Loss of consumer trust \| Legal liability \| Financial penalties
A school encrypts student grades and allows only teachers to access them. This aligns with confidentiality.	TRUE
Which decade saw the first wave of cybersecurity legislation?	1980s–1990s
What is the focus of the Payment Card Industry Data Security Standard (PCI DSS)?	Credit card transaction security
Which are benefits of international harmonization of cybersecurity laws?	Consistent data protection standards \| Easier compliance for global businesses \| Facilitation of trade
Which are responsibilities of a Data Protection Officer (DPO)?	Monitoring processing activities \| Serving as contact point for authorities \| Advising on compliance
A bank ignores a client’s request to erase outdated personal data. This complies with the right to be forgotten.	FALSE
Which are key purposes of cybersecurity law?	Safeguarding national security \| Preventing cyberattacks \| Protecting digital infrastructures
Which principle supports deleting personal data after consent is withdrawn?	Right to be forgotten
Which are considered personal data?	IP Address \| Name \| Biometric Data
Which framework by NIST improves cybersecurity for critical infrastructure?	Cybersecurity Framework
Why are privacy laws crucial in the digital age?	Because personal data is a valuable commodity and misuse is a risk
A retailer collects customer consent before sending marketing emails. This complies with lawful processing.	TRUE
The principle of “data retention” requires:	Storing data only as long as legally or operationally needed
Which country introduced the “Right to be Forgotten”?	European Union
Which are recognized sensitive data categories?	Medical information \| Political opinions \| Biometric identifiers
Which are principles of lawful processing?	Proportionality \| Transparency \| Legitimate purpose
A social media platform asks explicit consent before using personal photos for ads. This follows lawful processing.	TRUE
Which of the following best defines “cybersecurity”?	Protecting systems, networks, and data from digital attacks
Which are examples of accountability practices?	Conducting DPIAs \| Maintaining records of processing \| Appointing a DPO when required
What is the “right to be forgotten”?	Requesting deletion of personal data no longer needed
A hospital encrypts patient data but lets all employees access it without logging. This complies with confidentiality.	FALSE
Which type of law punishes online fraud and identity theft?	Cybercrime law
Which right under GDPR lets individuals transfer data between providers?	Right to Portability
Which is a key consumer right under GDPR?	Right to data portability
A healthcare clinic locks filing cabinets with patient data. This is a HIPAA safeguard.	TRUE
Which Philippine DPA violation occurs when ex-employees leak data in bad faith?	Malicious Disclosure
Which Philippine DPA violation involves using collected data for politics without consent?	Unauthorized Purpose
A company deletes inaccurate personal data upon user request. This aligns with GDPR.	TRUE
Which examples count as PHI under HIPAA?	Medical history \| Patient names \| Lab test results
Which GDPR principle requires businesses to demonstrate compliance?	Accountability
Which of the following is a key feature of GDPR consent?	Must be informed, specific, and unambiguous
Which rights under CCPA mirror GDPR?	Right to access \| Right to data portability \| Right to delete
A Philippine university posts student data publicly without consent. This violates DPA 2012.	TRUE
Under CCPA, companies can charge higher prices to consumers who opt out of data sales.	FALSE
A company hides a cyber breach from customers to avoid reputational damage. This complies with GDPR.	FALSE
What is the role of a Data Protection Officer (DPO)?	Oversee compliance with data protection laws
Under HIPAA, hospitals may share patient records with advertisers without consent.	FALSE
A Philippine telco collects location data for marketing without consent. This complies with DPA 2012.	FALSE
Which of the following does NOT fall under GDPR scope?	Local clubs with no personal data
Which are penalties under the Philippine DPA 2012?	Suspension of business permits \| Imprisonment \| Fines
Which are key cross-border data transfer challenges?	Enforcement complexity \| Differing national laws \| Data localization rules
Which are obligations under HIPAA?	Protect PHI \| Provide breach notification \| Implement safeguards
Which measures align with Data Protection by Design?	Role-based access control \| Encryption by default \| Minimal data collection
Which law requires businesses to disclose categories of data collected?	CCPA
Under DPA 2012, unauthorized disclosure of personal data may result in imprisonment.	TRUE
What is the California penalty for unintentional CCPA violations?	$2,500
A U.S. hospital fails to provide patients with a copy of their medical records. This violates HIPAA.	TRUE
An e-commerce firm fails to display a “Do Not Sell My Personal Information” link for California users. This violates CCPA.	TRUE
Which of the following does HIPAA cover?	Healthcare providers
Which principle limits keeping data longer than necessary?	Storage Limitation
Which Philippine violation involves throwing printed patient records in a public trash bin?	Improper Disposal
A Philippine government agency discloses citizen data to third parties without consent. This violates DPA 2012.	TRUE
Which entities are covered by HIPAA?	Healthcare clearinghouses \| Health insurance plans \| Healthcare providers
Which law sets penalties up to €20M or 4% turnover?	GDPR
Which Philippine violation is committed when an employee sells patient data?	Malicious Disclosure
Which U.S. law protects patient health data?	HIPAA
Which HIPAA safeguard involves encrypting electronic health records?	Technical safeguard
Which are rights under GDPR?	Access \| Erasure \| Rectification
Which Philippine penalty applies for negligence in access?	1–6 years imprisonment and fines
A California-based business with $5 million annual revenue automatically falls under CCPA obligations.	FALSE
Which law requires “Do Not Sell My Personal Information” link?	CCPA
Under GDPR, a DPO is required for companies that monitor data on a large scale.	TRUE
A hospital in the Philippines encrypts patient records but fails to notify NPC after a breach within 72 hours. The hospital is compliant with DPA 2012.	FALSE
Which right is explicitly given to California residents under CCPA?	Right to Know what personal data is collected
Which law imposes fines up to ₱4M and imprisonment for privacy violations?	Philippine DPA 2012
Which organization enforces the Data Privacy Act of 2012 in the Philippines?	National Privacy Commission (NPC)
Which are key differences between HIPAA and GDPR?	HIPAA \| focuses on PHI \| GDPR covers all personal data \| HIPAA is sector-specific
Which Philippine DPA violation is committed when an HR department loses an unsecured USB?	Negligence in Access
Which principle emphasizes that personal data must be processed fairly, lawfully, and transparently?	Lawfulness, Fairness, Transparency
Which of the following is a HIPAA enforcement mechanism?	Office for Civil Rights (OCR)
Which Philippine DPA violation is committed when a teacher posts student grades publicly?	Unauthorized Disclosure
Which law mandates breach reporting both to regulators and individuals?	GDPR
Which law grants the right to file legal action after a data breach?	DPA 2012
Under GDPR, breach notification must always be done within 24 hours.	FALSE (72 hours)
Which principle requires companies to adopt security measures from the start of system design?	Data Protection by Design and by Default
Which GDPR right allows individuals to object to processing for marketing?	Right to Object
An EU company transfers data to a country with no adequacy decision and no SCCs. This complies with GDPR.	FALSE
Which EU law came into effect on May 25, 2018?	GDPR
GDPR fines can be up to:	€20 million or 4% of global turnover
Which mechanism allows global businesses to transfer data within their subsidiaries?	Binding Corporate Rules
A Russian company requiring all citizen data to remain in Russia demonstrates a localization requirement.	TRUE
Which of the following is a penalty for intentional violation of CCPA?	$7,500
Which Philippine DPA violation involves intentionally sharing data to a competitor?	Malicious Disclosure
Which GDPR principle states only necessary data should be collected?	Data Minimization
Which GDPR right allows individuals to request their data be deleted when no longer needed?	Right to be Forgotten
Which Philippine DPA violation combines two or more offenses?	Combination of Acts
Which HIPAA safeguard prevents unauthorized entry into data centers?	Physical
Under GDPR, data breach notification to the supervisory authority must occur within:	72 hours
Which law grants the right to file legal action after a data breach?	CCPA
Which of the following are GDPR data subject rights?	Right to be informed \| Right to restrict processing \| Right to erasure
Which data subject rights exist under GDPR but not explicitly under CCPA?	Right to be forgotten \| Right to restriction of processing \| Right to rectification
Which are penalties under CCPA?	Imprisonment \| $2,500 per unintentional violation \| $7,500 per intentional violation
Under HIPAA, which type of data is specially protected?	Protected Health Information (PHI)
Which of the following is NOT a key GDPR principle?	Profit Maximization
A U.S. company selling to EU customers must comply with GDPR, even if not based in Europe.	TRUE
Which CCPA right allows consumers to stop companies from selling their data?	Right to Opt Out
Which are consumer rights recognized under GDPR and DPA 2012?	Right to access \| Right to rectification \| Right to be informed
What is the maximum penalty for HIPAA violations per violation?	$50,000
Which consumer right is unique to CCPA?	Right to opt out of data sale
A website installs cookies without informing users. This complies with GDPR’s transparency principle.	FALSE
Which GDPR right allows individuals to stop processing under certain conditions?	Right to Restrict Processing
A company must disclose the purpose for which it collects data under CCPA.	TRUE
Which of the following is NOT a penalty for violating the Philippine DPA?	Community service only
Which cross-border tool is an internal company policy approved for multinational transfers?	Binding Corporate Rules (BCRs)
Which GDPR principle is violated if a company keeps data forever?	Storage Limitation
Under GDPR, consent must be freely given, specific, and informed.	TRUE
Under DPA 2012, breach notification to the NPC must occur within:	72 hours
Which mechanisms protect EU citizens’ data transferred overseas?	BCRs \| Adequacy Decisions \| SCCs
A firm implements SCCs to transfer EU data abroad. This aligns with GDPR.	TRUE
Which cross-border mechanism applies in absence of adequacy decisions?	Standard Contractual Clauses (SCCs)
Which GDPR principle ensures data is accurate and kept up to date?	Accuracy
Which HIPAA requirement ensures breach notification to affected individuals?	Breach Notification Rule
Which GDPR right is also mirrored in DPA 2012?	Right to Access
A healthcare provider uses strong encryption and access control to protect patient records. This aligns with HIPAA safeguards.	TRUE
Which is an adequacy mechanism under GDPR?	Adequacy Decision by EU Commission
Which law has extraterritorial scope, applying to organizations outside its jurisdiction?	GDPR
Which recovery activities are considered best practices?	Reinstalling clean software, Restoring data from verified backups , Monitoring for re-infection
Which body oversees breach notifications under GDPR?	Data Protection Authorities (DPAs)
Which IRP phase involves revising security controls after analyzing what went wrong?	Lessons Learned
Incident response plans should be tested annually or biannually to remain effective.	TRUE
A retail company in California experiences a breach affecting customer names and addresses. Which law applies primarily?	CCPA
Which IRP step is critical for maintaining evidence integrity in potential legal investigations?	Identification and containment
Which are common causes of data breaches?	Phishing attacks, Unpatched vulnerabilities, Insider threats
A company delays breach notification because it fears reputational harm. This complies with GDPR.	FALSE
What is the main role of a DPA in breach cases?	Investigating and enforcing compliance
In the Equifax breach, stolen data included credit card details and Social Security numbers.	TRUE
An organization’s systems are patched, but attackers return because stolen credentials weren’t revoked. Which IRP failure occurred?	Eradication
An organization detects spam campaigns in its network but ignores them because no sensitive data was exposed. This is acceptable under GDPR.	FALSE
A hospital ransomware attack encrypted patient files, but the hospital refused to notify regulators because backups restored data. This action is compliant with HIPAA.	FALSE
Which of the following are mandatory elements of a GDPR breach notification?	Nature of the breach , Categories of personal data affected , Contact details of the Data Protection Officer
Which IRP stage involves communicating with external stakeholders, including DPAs and customers?	Notification/Communication
An organization creates policies, forms a Computer Security Incident Response Team (CSIRT), and trains employees. Which IRP phase does this represent?	Preparation
The Marriott breach showed that vulnerabilities inherited during acquisitions may go unnoticed.	TRUE
Which regulation specifically protects U.S. healthcare patient records during incidents?	HIPAA
Which are examples of Eradication activities?	Removing malware, Deleting unauthorized user accounts, Applying security patches
The Philippine Data Privacy Act allows organizations to completely skip reporting if only 10 people are affected, even if sensitive data was stolen.	FALSE
Which breach showed failure to secure passport data during hotel bookings?	Marriott
The National Privacy Commission (Philippines) requires breach notifications even for suspected incidents.	FALSE
A ransomware attack encrypts a company’s HR system. Employees cannot work. What should the organization do first?	Contain the affected HR system
A company that encrypts sensitive data but still gets breached is not legally required to notify authorities under any law.	FALSE
Which breach involved attackers injecting malicious scripts into an airline’s website to capture card details?	British Airways
A company creates an incident logbook documenting actions during a breach. This practice belongs to which IRP phase?	Identification and Containment
A company tests its breach notification procedures by running a simulation. This falls under which IRP phase?	Preparation
Which of the following were highlighted as ETSI Security Incident Indicators?	Website Defacement
Which laws mandate breach notification obligations?	GDPR, HIPAA, Philippine DPA 2012
Lessons Learned meetings should include both technical and non-technical staff.	TRUE
Which case taught the importance of vendor and acquisition risk management?	Marriott
Which breach revealed the risk of using third-party scripts for payments?	British Airways
If an organization keeps a detailed incident response log, it can be used as legal evidence later.	TRUE
Which IRP step ensures systems are monitored after recovery to detect recurrence?	Post-Recovery Monitoring
During an incident, the security team isolates affected servers to prevent further spread. This represents which IRP phase?	Containment
An effective IRP requires coordination between technical teams, legal counsel, and communication staff.	TRUE
What is the main difference between HIPAA and GDPR breach notifications?	HIPAA applies to PHI, GDPR covers all personal data
Which best practices apply during the Lessons Learned phase?	Update security policies, Revise training programs, Analyze logs and response effectiveness
Which incidents specifically involved credit card theft?	British Airways, Target (reference example)
GDPR requires that breach notifications include details about mitigation efforts.	TRUE
Which industries are especially regulated regarding breach notifications?	Healthcare (HIPAA), Finance (GDPR, DPA), E-commerce (PCI-related)
Which breach taught the industry about risks in credit-reporting infrastructures?	Equifax
Which law emphasizes consumer rights to know, delete, and opt-out after a breach?	CCPA
Which breach response step can be legally required across GDPR, HIPAA, and DPA 2012?	Breach notification to regulators and affected individuals
An organization restores systems before identifying the cause of a breach. This increases the chance of recurrence.	TRUE
Under the Philippine Data Privacy Act (DPA 2012), who must organizations notify during a major breach?	National Privacy Commission and affected individuals
What activities should organizations perform during the Preparation phase of IRP?	Draft incident response policies, Establish CSIRT teams, Conduct training and simulations
Failing to patch known vulnerabilities is an example of poor preparation in IRP.	TRUE
Which organizations must comply with HIPAA breach notification rules?	Hospitals, Health insurance companies, Healthcare clearinghouses
Under HIPAA, covered entities must notify affected individuals without unreasonable delay.	TRUE
Which Philippine authority enforces data privacy regulations and breach notifications?	National Privacy Commission
If hackers replace a company website with political propaganda, what ETSI indicator is this?	Website Defacement
Which communication channels are acceptable for notifying individuals of a breach?	Written letters, Email notifications , Public announcements (for large-scale incidents)
The British Airways breach involved stolen data from passengers’ travel itineraries and payment details.	TRUE
Which factor worsened Yahoo’s response to its breach?	Delay in disclosure to users
Which breach highlighted vulnerabilities in web applications through malicious JavaScript?	British Airways
After responding to a phishing attack, the security team updates training programs and policies. This reflects which IRP phase?	Lessons Learned
Which Philippine regulation obliges companies to submit a breach notification within 72 hours?	DPA 2012
Which IRP phase includes determining whether the event is a true security incident or a false alarm?	Identification
Which breach highlighted poor incident monitoring and communication with regulators?	Yahoo
A company immediately notifies customers about a suspected breach even before confirming it. This may cause panic but fulfills notification duties.	TRUE
Which law requires notification of a data breach to a supervisory authority within 72 hours?	GDPR
An attacker modifies DNS records to redirect users to fake sites. Which ETSI indicator best applies?	Website Forgery
Which are common consequences of poor breach notification?	Regulatory fines, Loss of customer trust, Litigation costs
In HIPAA breach notifications, which of the following must be communicated to individuals?	Description of the incident, Types of PHI involved. Steps individuals should take to protect themselves
Which ETSI indicator involves overwhelming a server with traffic to disrupt services?	DoS Attack
A financial firm discovers hackers exploiting an unpatched vulnerability. What must be done after containment?	Eradicate the root cause
Which steps ensure legal compliance in breach response?	Timely notification to regulators, Providing mitigation advice to victims, Documenting all actions taken
Which incident response best practice reduces downtime for critical services?	Maintain redundant systems for continuity
Under GDPR, who bears the burden of proving compliance with breach notification rules?	Organizations (Data Controllers)
The Yahoo breach demonstrated that multi-year notification delays severely damage trust.	TRUE
The ETSI indicator “Spam” would most likely be detected during which IRP phase?	Identification
A phishing email campaign should be classified as an intrusion in ETSI categories.	FALSE
Which law primarily enforces consumer rights in California regarding breach notifications?	CCPA
Which factors determine whether a breach must be reported?	Number of individuals affected, Sensitivity of data exposed, Likelihood of harm
A company uses “tabletop exercises” to test its IRP. This technique belongs to which stage?	Preparation
Which phase ensures systems are fully functional and secure before going back online?	Recovery
Which breach case showed that acquisition due diligence should include cybersecurity checks?	Marriott
If a hacker uses fake “Bank Login” emails to steal credentials, what ETSI indicator is this?	Phishing
Which breach case demonstrates the importance of encryption of sensitive fields like passport numbers?	Marriott
Which breach revealed vulnerabilities inherited during an acquisition?	Marriott
What is the main purpose of incident assessment?	Determine scope, impact, and severity
A phishing campaign successfully tricks employees into clicking malicious links. Which immediate step is best?	Containment
A university suffers ransomware but recovers from backup. Which ETSI indicator applies?	Malware
What is the most important factor in successful breach notifications?	Timeliness and accuracy of disclosure
A bank notifies customers within 24 hours of detecting unauthorized ATM withdrawals. This demonstrates strong compliance with incident response.	TRUE
A Philippine hospital loses unencrypted laptops containing patient records. Which step must follow immediately after containment?	Notify NPC and affected patients
Which actions are part of the Containment phase in IRP?	Isolating affected systems, Blocking malicious IP addresses
Which breaches were notable for delayed notifications?	Yahoo, Equifax
Which IRP phase ensures continuity of critical operations while incidents are addressed?	Containment
In breach notifications under the Philippine DPA 2012, which information must be provided?	Measures taken by the organization
Which IRP step involves removing unauthorized accounts created during a breach?	Eradication
In the “Lessons Learned” phase, which action is most effective?	Reviewing logs and updating IRP policies
Which breach taught organizations about the cost of failing to patch known vulnerabilities?	Equifax
A delay of several years in notifying users about stolen account credentials characterizes which case?	Yahoo
An ISP monitors and blocks child pornography websites. This aligns with RA 9775.	TRUE
Which is an example of malicious disclosure under RA 10173?	An employee leaking a patient’s HIV status online out of spite
Who ensures organizational compliance with RA 10173?	Data Protection Officer (DPO)
Which law protects intellectual property rights, including software and databases?	RA 8293
Which are common compliance challenges in the Philippines?	Lack of awareness of privacy laws, Limited resources among SMEs, Cross-border transfer complexities
Which of the following are general data privacy principles under RA 10173?	Transparency , Legitimate purpose, Proportionality
RA 8792 grants legal recognition to:	Electronic contracts and digital signatures
The COMELEC 2016 data breach exposed how many voters’ personal data?	55 million
Which law mandated the use of digital signatures in government transactions?	E.O. 810
Which laws regulate digital signatures?	RA 8792 – E-Commerce Act, E.O. 810 – Institutionalizing digital signatures
An employee leaks a co-worker’s medical record on social media out of spite. This is malicious disclosure under RA 10173.	TRUE
Which RA 10173 provision ensures accountability when outsourcing data processing?	Section 21 – Principle of Accountability
If a personal information controller hires a third-party processor, what is required?	A written contract ensuring compliance with the DPA
What penalty did the ILOVEYOU virus author face under Philippine law?	None, because no cybercrime law existed then
A government office shreds outdated personnel files before disposal. This complies with RA 10173’s rules on disposal of information.	TRUE
A company ignores the NPC’s compliance orders without consequence. This is consistent with RA 10173.	FALSE
A school refuses to correct inaccurate student records when requested. This violates the right to rectification under RA 10173.	TRUE
Which are responsibilities of a Data Protection Officer (DPO)?	Ensure compliance with the DPA , Conduct privacy impact assessments, Serve as contact with NPC
A parent uses a child’s personal data to open a fraudulent loan account. This is identity theft under RA 10175.	TRUE
Which is NOT a right of the data subject?	Right to own government databases
A person hacks into a bank’s system to steal client information. This is punishable as illegal access under RA 10175.	TRUE
Which agency enforces RA 8293 (Intellectual Property Code)?	IPOPHL
Which law prohibits the unauthorized capture and distribution of sexual images?	TRUE
Which type of data requires stricter protection under RA 10173?	Sensitive personal information
The NPC reports directly to:	Office of the President
Which provisions extend privileged communication to electronic formats?	Lawyer–client communication, Doctor–patient communication
A hospital fails to notify the NPC within 72 hours after discovering a breach of patient records. This violates RA 10173.	TRUE
A blogger copies entire copyrighted articles and reposts them online without permission. This violates RA 8293.	TRUE
An individual posts intimate videos of an ex-partner online without consent. This violates RA 9995.	TRUE
A company continuously trains its staff on data privacy awareness. This is a best practice for compliance.	TRUE
A public official knowingly misuses citizens’ personal data for political gain. This may result in aggravated liability under RA 10173.	TRUE
RA 9775 criminalizes:	Child pornography
A company uses employee health data in performance evaluations without consent. This is lawful under RA 10173.	FALSE
Which cases involved major data breaches in the Philippines?	COMELEC “Comeleak” (2016), DFA passport data breach (2019), PhilHealth ransomware attack (2021)
Which are security measures recommended under RA 10173?	Encryption of sensitive data, Access controls, Regular security audits
Under RA 10173, the right to data portability allows individuals to:	Obtain and transfer their own data to another service provider
Which 2016 incident was one of the world’s largest government-related data breaches?	COMELEC “Comeleak”
Which principle requires that data collection only be for lawful and specific purposes?	Legitimate purpose
Which are considered cybercrime offenses under RA 10175?	Illegal access, Identity theft, Cyber libel
A news outlet publishes the grades of students with names without consent. This is an authorized disclosure under RA 10173.	FALSE
Which RA 10175 offense involves altering or destroying computer data?	Data interference
A hacker installs malware to disrupt government websites. This is system interference under RA 10175.	TRUE
How soon must the NPC be notified of a data breach?	72 hours
Which law required government websites to migrate to secure hosting?	A.O.39
Which provision extends lawyer–client confidentiality to digital formats?	Section 15
The DFA 2019 passport data breach violated:	RA 10173 and RA 10175
Which demonstrates proportionality?	Collecting only information needed for a loan application
Under RA 10175, system interference refers to:	Disrupting or destroying a computer system
A hospital discovers a data breach but hides it from the NPC to protect its reputation. This is concealment of a security incident under RA 10173.	TRUE
Which organization suffered a ransomware attack in 2021 that disrupted services?	Philhealth
A cybercriminal sends phishing emails disguised as government COVID-19 aid notices. This is computer-related fraud under RA 10175.	TRUE
Which is an example of a cross-border compliance challenge?	Transferring Filipino personal data to servers abroad
Which agency leads prosecution of cybercrime?	DOJ-Office of Cybercrime
A hospital requires its contractors to comply with the same privacy standards it follows. This aligns with RA 10173.	TRUE
Which law established a national Public Key Infrastructure (PKI)?	E.O. 810
Which of the following is considered system interference under RA 10175?	Launching a denial-of-service attack
A hospital publishes patient records online without consent. Which law is violated?	RA 10173
Which body was created under RA 10173?	National Privacy Commission (NPC)
The main objective of the Data Privacy Act is to:	Protect personal data while allowing free flow of information
What year was the Data Privacy Act (RA 10173) enacted?	2012
What penalty applies when multiple RA 10173 violations are committed together?	Higher penalties under Section 33
What penalty applies for improper disposal of sensitive personal information under RA 10173?	1–3 years imprisonment and ₱100K–₱1M fine
A government agency mandates all employees to use certified digital signatures for internal communication. This aligns with E.O. 810.	TRUE
Which rights are transmissible to heirs under RA 10173? Right to access	Right to access , Right to rectification , Right to erasure
A bank encrypts its transaction logs and limits access to authorized employees. This follows proper security measures under RA 10173.	TRUE
Which laws criminalize unauthorized capture or distribution of intimate images?	RA 9995 – Anti-Photo and Video Voyeurism Act , RA 10175 – Cybercrime Prevention Act (content-related offenses)
RA 8792 primarily regulates:	Electronic transactions and digital signatures
Which are functions of the National Privacy Commission (NPC)?	Investigate data breaches, Issue compliance orders, Promote data privacy awareness
Which case involved hackers attempting to steal millions from a bank in 2016?	PNB vs. Hackers
Which case highlighted the lack of a cybercrime law before RA 10175?	ILOVEYOU virus
A bank deletes customer records once accounts are closed and obligations are settled. This follows proportionality under RA 10173.	TRUE
Which law prohibits unauthorized interception of communications?	RA 4200
Which of the following is NOT one of the Five Pillars of Privacy Accountability?	Outsourcing all personal data with no safeguards
Which 2020 incident exposed personal data of city residents?	Marikina LGU data breach
Under RA 10173, large-scale offenses involve at least:	100 Persons
Which agency supervises the Government Web Hosting Service mandated by A.O. 39?	DOST-ICTO (now DICT)
A bank encrypts its transaction logs and limits access to authorized employees. This follows proper security measures under RA 10173.	TRUE
What is the penalty for illegal access to critical infrastructure under RA 10175?	Reclusion temporal (12–20 years)
Which is a cybercrime under RA 10175?	Unauthorized access to a bank system
Which are penalties under RA 10173 for violations?	Imprisonment terms, Monetary fines, Restitution for victims
Which is an example of negligent access?	An employee leaving a laptop with personal data unattended
Which of the following best practices improve compliance with RA 10173?	Regular staff training on privacy, Privacy impact assessments, Having a breach response plan
A telecom company clearly informs customers about data collection purposes before signing a contract. This follows the principle of transparency under RA 10173.	TRUE
Which of the following is an example of privileged communication extended under RA 10173?	Doctor–patient
Which is NOT a general data privacy principle under RA 10173?	Confidentiality
A company transfers Filipino customer data to a foreign server without ensuring equivalent protection. This is a compliance issue under RA 10173.	TRUE
Which laws are directly related to intellectual property and copyright?	RA 8293 – Intellectual Property Code, RA 10175 – Cybercrime Prevention Act (IP-related offenses)
A company obtains valid consent to collect customer emails but later sells them to marketers without permission. This is lawful under RA 10173.	FALSE
A group hacks government websites to protest against a law. This is punishable under RA 10175.	TRUE
Which right allows a person to demand deletion of their personal data?	Right to erasure (Right to be forgotten)
A student records a private phone call with a friend without consent. This is a violation of RA 4200.	TRUE
Which of the following is an example of unlawful processing of personal information?	A company selling email addresses without consent
Which are examples of improper disposal of sensitive information?	Throwing unshredded medical records in public trash , Leaving police reports in open dumpsters
RA 9995 prohibits:	Unauthorized recording and distribution of intimate videos
Rights under the DPA are:	Transferable to heirs upon death or incapacity
A firm achieves PCI DSS certification. Which type of transactions does this certification primarily protect?	Credit card transactions
Which of the following best describes COBIT?	Governance and management framework for IT
Which ISO standards deal with privacy frameworks?	ISO 29100 & ISO 27701
Which requirements are part of HIPAA safeguards?	Administrative safeguards , Technical safeguards , Physical safeguards
A BPO firm secures cloud-hosted HR systems. Which standards guide both cloud security and cloud privacy?	ISO 27017 and ISO 27018
Which ISO standard is designed to manage privacy within an ISMS?	ISO 27701
A retailer without breach notification procedures is still compliant with ISO 27001.	FALSE
A telecommunications provider builds a SOC that continuously monitors threats. Which compliance requirement supports this?	ISO 27001 and NIST CSF monitoring
A retail chain adopts ISO 27001. What is its primary focus?	Information Security Management System (ISMS) requirements
A BPO firm handling EU clients’ personal data adopts ISO 27701 to strengthen privacy protections. What does ISO 27701 primarily address?	Privacy Information Management
A developer team integrates secure coding practices and validation into every project stage. Which ISO covers this?	ISO 27034
A government financial agency develops both IT controls and financial governance policies. Which frameworks together best support this?	COBIT and COSO
Which framework provides end-to-end services for cybersecurity and privacy portfolio?	Global Cybersecurity Knowledge Ecosystem
An organization’s compliance team prepares a “Privacy Threat Scenario” as part of risk planning. This belongs to which framework implementation?	Data Privacy Compliance Folder / Standard Tree
A cloud provider implements ISO 27017 and ISO 27018. What do these specifically address?	Cloud security and cloud privacy
Cloud privacy protections are addressed by ISO 27017 and ISO 27018.	TRUE
A manufacturing company adopts COSO to strengthen enterprise governance. Its emphasis is on:	Internal control and risk management
ISO 29100 is designed as a privacy framework applicable globally.	TRUE
A financial services company must secure customer credit card transactions. Which compliance framework applies?	PCI DSS
Which ISO standard sets out the Information Security Code of Practice?	ISO 27002
PCI DSS applies only to government agencies.	FALSE
An enterprise adopts ISO 27033. Which domain does this cover?	Network Security
Which are considered evolving compliance structures and programs?	Data Privacy Wall , End-to-End Security Portfolio , Global Cybersecurity Knowledge Ecosystem
Which ISO standards support application and software security?	ISO 27034 & ISO 27036 (supplier security)
A financial institution evaluates how IT processes align with enterprise objectives. Which framework fits best?	COBIT
A credit card breach occurred in a retailer due to weak encryption. Which mandatory standard was breached?	PCI DSS
Which are privacy-focused standards?	ISO 29100 , ISO 27701 , ISO 27018
A bank outsources IT services but fails to secure supplier contracts. This violates ISO 27036.	TRUE
Which compliance framework provides enterprise risk and financial reporting guidance?	COSO
A national government develops a program to protect its digital ecosystem using NIST guidelines. What is the first function?	Identify
Which technologies raise issues with cross-border compliance?	Cloud computing, Blockchain applications, Big data analytics
AI systems processing sensitive health records must comply with:	GDPR and HIPAA provisions
Blockchain’s permanence of transactions creates challenges for:	Data subject rights under GDPR
Blockchain can challenge data rectification rights due to its immutability.	TRUE
A company uses AI surveillance to monitor employees’ emotional states. Which primary ethical concern arises?	Privacy and autonomy
A company analyzing big data identifies ethnicity trends and sells them to insurers. Which principle is violated?	Non-discrimination and fairness
A company using big data sells anonymized datasets that can still be re-identified. Which principle is violated?	Privacy and data protection by design
Cloud providers that do not implement incident response plans most likely violate:	Accountability and security obligations
AI models collecting personal voice data for assistants without consent primarily raise:	Privacy and informed consent
A company deploying AI to personalize pricing may risk violating:	Fairness and discrimination protections
IoT devices monitoring patient health require compliance with:	GDPR and HIPAA provisions
An AI system used for hiring decisions is found to discriminate against women. Which principle is most directly violated?	Fairness
Which principle is undermined when AI is used in predictive hiring without testing for bias?	Fairness and non-discrimination
IoT devices collecting children’s data without parental consent may breach COPPA and GDPR.	TRUE
An IoT smart car continuously shares driving habits with insurers without notice. Which concern arises?	Consent and informed choice
Blockchain’s immutability conflicts with which GDPR principle?	Right to be forgotten
Blockchain applications in finance raise compliance issues with:	Anti-money laundering and data protection laws
AI used in predictive policing without testing for bias risks reinforcing discrimination.	TRUE
IoT wearables that monitor employee productivity without consent raise:	Workplace surveillance and autonomy issues
A company uses predictive AI in policing that unfairly targets minorities. Which principle is violated?	Non-discrimination
IoT security cameras are hacked, exposing household activities. This raises concerns about:	Confidentiality and cybersecurity
An AI-driven chatbot stores all conversations without notifying users. Which law or principle applies?	Informed consent under data protection laws
Blockchain’s inability to delete or update data conflicts with which GDPR principle?	Right to rectification and erasure
IoT surveillance in workplaces without informing employees violates:	Consent and autonomy
Which legal risks are raised by blockchain in financial services?	Anti-money laundering concerns , Data protection compliance , Jurisdictional conflicts
AI-powered pricing algorithms may violate fairness if they discriminate against vulnerable groups.	TRUE
Which technology creates tension with GDPR’s right to rectification due to immutability?	Blockchain
A company using AI for recruitment fails to disclose its use to applicants. Which principle is violated?	Transparency and fairness
Cloud providers may face which compliance issue when storing multinational client data?	Cross-border transfer restrictions
An AI system provides medical diagnoses but is not validated by experts. Which principle is violated?	Accuracy and reliability
China’s Cybersecurity Law requires companies operating in China to:	Store data locally within China’s borders
A company in the U.S. offering services to EU customers must comply with GDPR even if it has no EU office.	TRUE
Which APP requires organizations to have open and transparent data handling practices?	APP 1
Which mechanism allows multinational companies to transfer data within their own group under GDPR?	Binding Corporate Rules (BCRs)
The CCPA gives consumers the right to know what categories of personal data are collected about them.	TRUE
A Singaporean firm collects and uses personal data without informing individuals. Which PDPA rule is violated?	Notification obligation
Which are GDPR principles?	Accuracy, Data minimization, Storage limitation
Which GDPR principle requires data to be kept accurate and up-to-date?	Accuracy
A multinational transfers data from the EU to a non-adequate country using Standard Contractual Clauses (SCCs). Which GDPR mechanism is applied?	Cross-border safeguard mechanism
GDPR requires explicit consent for processing sensitive categories of personal data.	TRUE
An Australian firm denies consumers the ability to correct inaccurate records. Which APP is violated?	APP 13
Which UN Resolution first recognized the digital privacy right globally?	68/167
Which GDPR mechanism allows international data transfers to countries deemed to provide adequate protection?	Adequacy decisions
Which APPs involve transparency and notification?	APP 1 & APP 5
Which principle under GDPR requires organizations to actively protect against unauthorized access?	Integrity and confidentiality
Which APPI principle ensures correction of inaccurate data?	Right to correction
Which measures are emphasized by China’s Cybersecurity Law?	Data localization, Security reviews for network products, Protection of critical information infrastructure
Which GDPR right ensures a person can request correction of incorrect personal data?	Right to rectification
The GDPR principle of storage limitation requires data to be deleted when no longer needed.	TRUE
The GDPR requires organizations to demonstrate compliance with accountability measures.	TRUE
A company fails to implement security measures and suffers a breach. Which GDPR principle is violated?	Integrity and confidentiality
Which compliance challenges are common in global data protection?	Cross-border transfer restrictions, Varying consent requirements , Overlapping jurisdictional obligations
Which GDPR data subject rights allow control over personal information?	Right to access, Right to erasure, Right to portability
An EU organization that keeps personal data indefinitely breaches:	Storage limitation
An EU controller processes more personal data than needed. Which GDPR principle is violated?	Data minimization
Which APPs ensure security and correction of personal information?	APP 11 & APP 13
A hospital in Singapore fails to notify patients about how their data is used. Which PDPA obligation is violated?	Notification obligation
Which laws require consent before collection and disclosure of personal data?	GDPR , PDPA, APPI
Which U.S. law gives consumers rights similar to GDPR but limited to California?	CCPA
Under APPs, organizations must notify individuals when collecting their data. Which APP is this?	APP 5
A Manila-based syndicate recruits minors through chat apps for cybersex operations. Which international challenge complicates prosecution?	Jurisdictional and cross-border legal cooperation
A ransomware group attacks Philippine power grids. Which national security issue is threatened?	Critical infrastructure security
A Philippine online prostitution ring is hosted on offshore servers. Which issue complicates law enforcement?	Jurisdiction and cross-border evidence sharing
A dark web market sells Philippine voters’ personal data. Which two frameworks apply?	RA 10173 (Data Privacy Act) and RA 10175 (Cybercrime Prevention Act)
Lack of trained personnel is a barrier to effective cybercrime enforcement in the Philippines.	TRUE
Which outcomes result from repeated cybersecurity non-compliance?	Financial penalties, Loss of licenses, Reputational damage
A denial-of-service attack against Philippine ISPs undermines system availability.	TRUE
Which principles should fintech companies uphold to maintain trust?	Confidentiality, Integrity, Accountability
A Philippine e-wallet service hacked for customer balances demonstrates a loss of data confidentiality.	FALSE
Which institution plays a critical role in fintech cybersecurity compliance in the Philippines?	BSP
A Philippine fintech app mishandles biometric authentication data. This violates:	Data Privacy Act principles on sensitive personal information
A fintech app is compromised, exposing credit card data. Which industry requirement is most applicable?	PCI DSS
Which strategies strengthen Philippine cybercrime response?	International cooperation, Improved digital literacy, Enhanced cyber forensics
An online prostitution ring uses cryptocurrencies for payment. What makes enforcement difficult?	Anonymity of crypto transactions
Hackers manipulating fintech transaction records compromise data integrity.	TRUE
A Philippine fintech company stores personal data without encryption. Which law is most relevant?	RA 10173 (Data Privacy Act)
RA 9995 protects citizens from sextortion and non-consensual photo distribution.	TRUE
A cybercrime syndicate offers “digital drugs” that exploit audio-visual stimulation. Which concern arises?	Cultural and health implications of online exploitation
A darknet vendor sells stolen Philippine ID information. Which law is violated?	RA 10173 and RA 10175
A government agency discovers spyware installed on its servers by unknown actors. Which category of cybercrime does this fall under?	Cyber espionage
The Bangko Sentral ng Pilipinas requires e-wallets to adopt risk management policies. This ensures:	Financial stability and customer protection
Hackers manipulate fintech transaction records. Which part of the CIA triad is compromised?	Integrity
A suspect is caught operating an online prostitution ring. Which is the strongest legal basis for prosecution?	RA 9775 and RA 10175 combined
Which safeguards are expected in Philippine e-wallet systems?	Encryption of personal data, Two-factor authentication, Fraud monitoring systems
Cybercrime in the Philippines is unique due to strong enforcement and judicial efficiency.	FALSE
A dark web operation in Manila uses cryptocurrency to launder drug proceeds. Which area of regulation is most relevant?	Fintech and anti-money laundering (AML)
Hackers disrupt Philippine e-commerce with denial-of-service attacks. Which dimension of cybersecurity is most affected?	Availability
Which principles were violated in the COMELEC breach?	Confidentiality, Integrity, Accountability
The Philippine government launches the National Cybersecurity Plan 2022 to address:	Resilience against cybercrime and critical infrastructure protection
Which cybercrime most directly enables online prostitution?	Cybersex

Created by: user-1835460

"Know" box contains:
Time elapsed:
Retries: