Take the following 14-question cyber IQ quiz to find out how prepared you are. A version of this quiz was first published in IMPACT 104 (August 2015); it has been revised to reflect current risk management approaches to cyber incidents. Please select the best answer out of those presented:
1) What is a data breach?
a. A laptop is lost or stolen, and it has employee personally identifiable information (PII) on it
b. There is unauthorized access to your computer system and PII is taken
c. Paper files containing PII are stolen by an employee.
d. a. and b.
e. a., b. and c.
2) Most states have PII security laws that require notification if a company suffers a breach. Which companies and professional organizations are subject to these notification requirements?
a. All companies
b. Only large companies
c. Only public companies
d. Only companies in the medical and financial services industries
3) Which take precedence in the event of a data breach?
a. Federal laws
b. State laws
c. Federal or state law; whichever is more restrictive
d. Generally Accepted Privacy Principles (GAPP)
4) Which of the following should be encrypted to protect PII?
a. Hard drives
b. Electronic data
c. Electronic files
e. a., c. and d.
f. a., b., c. and d.
5) Which of the following would you not immediately contact if you suspect a breach?
a. The firm’s attorney
b. The firm’s cyber insurance carrier
c. The firm’s managing partner
d. Law enforcement
6) What does a “kill switch” feature do?
a. Disables smart phones.
b. Provides remote security to tablets and laptops.
c. Neither a. nor b.
d. Both a. and b.
7) If the CPA is using cloud services to process PII, who is primarily responsible for ensuring the confidentiality of the information?
a. The CPA
b. The cloud services provider
8) Cloud services providers should be willing to:
a. Make a contractual commitment to support compliance with applicable laws and regulations
b. Undergo external audits and security certifications, such as Service Organization Control (SOC) 1, 2 or 3 reports
c. Implement measures for physical security as well as data security
d. a. and c.
e. a., b. and c.
9) How might an employee’s computer become infected with a “drive by” download?
a. The employee’s mobile device gets too close to another mobile device
b. The employee visits a malicious website
c. The employee downloads a file from the Internet
d. a. and b.
e. a. and c.
10) You receive an e-mail message informing you of an issue with your bank account. The message includes a phone number to call as well as a link to access your account. The message format is similar to others you've received from your bank; however, you are aware of phishing scams and want to be careful. What is your best course of action?
a. Delete the email
b. Look for suspicious elements in the email, and if you feel it is legitimate, then click on the link but don’t enter any information
c. Call the bank directly using the phone number provided on the back of your bank card
11) When recycling or disposing of hard drives, which of the following are best practices?
a. Creating an audit trail of serial-numbered inventory of equipment
b. Obtaining vendor certification that personal data has been destroyed
c. Pounding the drive with a hammer until it is unusable and tossing it into a trash can
d. a. and b.
e. a., b. and c.
12) When discussing or communicating a potential PII incident, avoid using the term(s):
a. “lost laptop”
b. “potential malware intrusion”
c. “breach”
13) When discussing or communicating the incident, which of the following is least preferred?
a. communication on a “need to know” basis
b. face-to-face communication
c. email communication
d. telephone communication
14) When using a cloud services provider that stores information overseas, which of these two options is safer?
a. a U.S.-based provider with a foreign branch
b. a foreign-based provider with a U.S. branch
Answers
1) Answer: e. a., b. and c. Ascertaining whether a legally defined breach has occurred is a complex process and requires the assistance of an expert specializing in security issues. A breach can be the loss of a laptop or of paper records, the theft of these records in person or over the Internet, or the accidental posting of personally identifiable information (PII) on the Internet. The list goes on and on. If you suspect a breach, contact your attorney and other risk advisers.
Some definitions: The U.S. General Services Administration in its Oct. 29, 2014, memo on “GSA Rules of Behavior for Handling Personally Identifiable Information (PII)” defined “data breach” as including “the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users with an authorized purpose have access or potential access to Personally Identifiable Information, whether physical or electronic. In the case of this policy, the term ‘breach’ and ‘incident’ mean the same.”
The GSA memo also defined “Personally Identifiable Information (PII)” as “information about a person that contains some unique identifier, including but not limited to name or Social Security Number, from which the identity of the person can be determined.”
The federal Office of Management and Budget (OMB, memo M-10-23, June 25, 2010), stated: “The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available—in any medium and from any source—that, when combined with other available information, could be used to identify an individual.”
2) Answer: a. All companies. State PII laws differ by state, but most states require that once a company has determined it has been breached, or that PII has been accessed by an unauthorized party, the company must notify the office of the state Attorney General and, in many cases, other state agencies. The mandated period for notifying the state and potentially affected parties varies from a “reasonable” time period to 30 or 60 days. Many states require companies to indicate how they plan to secure PII and what they will do if their PII is breached.
3) Answer: c. Federal or state law; whichever is more restrictive. Federal laws take precedence if they are more restrictive than the state laws, but state laws take precedence if they are more restrictive than the federal laws. In addition, most federal laws give the state Attorney General the power to levy fines. Further, many state laws apply to a company located in another state if that company holds the PII of a resident of the first state. The prime example is Massachusetts, which requires a company to comply with its laws, regardless of where the company resides, if the company has PII of a Massachusetts resident.
In some cases, if a company does not verify that its vendors are in compliance, it must disclose to all potentially affected parties that it has not taken these precautions. In other cases, the PII laws of foreign countries must be respected as well. GAPP is not law but a set of criteria developed by the AICPA and CPA Canada to assist organizations with the management of confidential information.
4) Answer: f. a., b., c. and d. Hard-drive encryption secures data in the event a computer is lost or stolen. Data encryption protects PII such as Social Security numbers. File encryption protects files and email attachments, such as PDFs encrypted with a password or passphrase. Email digital certificates protect entire email messages, including the body of the message, as part of a subscription service.
5) Answer: d. Law enforcement. The firm will first need to verify whether a breach has actually occurred as defined by state and federal laws, and the firm’s attorney, cyber insurance carrier, and managing partner will help make that determination. If a breach has occurred, the next steps would be to comply with state and federal laws, which may require reporting to law enforcement.
6) Answer: d. Both a. and b. Remote security is especially useful in preventing access to protected files in the event a computer, tablet, smart phone or USB storage drive has been lost or stolen. Encryption policies and other protective actions can be managed by the firm or by a third-party managed service provider (MSP). Some services are available by online subscription, without the need to purchase or support hardware or software infrastructure.
7) Answer: a. The CPA is responsible and should perform the necessary due diligence to address any potential threats to compliance with the “Confidential Client Information Rule.” Therefore, before disclosing confidential client information to a third-party service provider, a CPA should do one of the following:
a) Enter into a contractual agreement with the third-party service provider to maintain the confidentiality of the client information and ensure that appropriate procedures/safeguards are in place to protect such information.
b) Obtain specific consent from the client before disclosing confidential information to the third-party service provider.
8) Answer: e. a., b. and c. Cloud services providers should be willing to provide several types of assurances to CPAs regarding the security of client information, including an incident response plan. As part of the plan, the provider and the CPA should determine ahead of time who will lead the response team, prepare client notifications, and provide legal counsel. The provider should also have insurance in place to cover the damages resulting from a breach. Otherwise, the CPA firm may be responsible for such damages—a good reason for the firm to have cyber insurance coverage in place.
9) Answer: b. The employee visits a malicious website. An employee’s computer can become infected with malware from a malicious website just by visiting it, without clicking anything or accepting any software. This method of infection is usually limited to users running unpatched or out-of-date software that has a security flaw.
10) Answer: c. Call the bank directly using the phone number provided on the back of your bank card. This is the best approach, even if the message appears to be legitimate. When calling to verify, use a phone number that you already know and trust to be the bank’s, not a number within the email. Never click links or visit websites included or mentioned in any suspicious or unfamiliar email, or in email from unfamiliar senders. By hovering the cursor over links without clicking them, you can sometimes gain more information and assurance, but not always.
11) Answer: d. a. and b. Hard drives and other computer components need to be recycled because of the metals they contain. The Environmental Protection Agency has been known to impose substantial fines on companies that do not document proper computer disposal. Use a reputable data destruction vendor that will certify destruction when recycling computers.
12) Answer: c. “breach.” Using the term “breach” can trigger legal obligations. Instead, refer to the event as a “security incident” or simply what it is, such as “a lost laptop” or “potential malware intrusion.” Your attorney and other risk advisers will help you determine whether a breach, as defined by law, actually occurred.
13) Answer: c. email communication. Care must be taken in managing communications and discussing the incident. Limit discussions to a need-to-know basis, with communications taking place over the phone or face-to-face rather than by email, which may be compromised if an incident is still in progress.
14) Answer: a. a U.S.-based provider with a foreign branch. If your firm outsources work containing PII, the more contacts an offshore provider has in the U.S., the more legal recourse the client and CPA have in the event of an unauthorized PII disclosure.
Scoring
13 to 14 correct = Excellent. Keep it up!
10 to 12 = Good. Build your knowledge!
9 or less correct = Fair. Time to brush up!