What was the most important holding of FTC v. Wyndham?
Question 4 options:
The FTC's role is to protect consumers against anticompetitive and fraudulent business practices.
The SEC's job is to maintain fair, orderly markets and enforce investor protection laws.
Section 5 of the FTC Act provides the FTC with the authority to regulate companies' data
security practices.
Wyndham was ordered to pay $49.4 million in cash which was distributed to qualifying students
who were harmed by the deceptive ads, as well as $50.6 million in debt relief.
The Computer Fraud and Abuse Act of 1986 applies to anyone who intentionally accesses a
Federal interest computer without authorization and alters, damages, or destroys information, or
prevents authorized use of any such computer or information and thereby causes loss.
How did the 11th Circuit's opinion in the LabMD case limit the FTC's ability to regulate data
security?
Question 5 options:
FTC orders must contain more specific requirements for data security than mere reasonableness.
FTC orders can be vague and ambiguous.
FTC orders must contain reasonableness.
None of the above.
Most state laws only require notification if there is a risk of harm. However, some states,
including California, require notification of the breach of covered personal information
regardless of whether there is a risk of harm.
Question 6 options:
Will compliance with the NIST Cybersecurity Framework allow a company to avoid an
enforcement action under Section 5 of the FTC Act?
Question 7 options:
No, but compliance with the SOC2 Framework will.
Not necessarily, but the FTC has suggested that evidence of a cybersecurity program that adopts
the NIST Framework is evidence of adequate security practices.
No, but compliance with the PCI Framework will.
Yes, the NIST Cybersecurity Framework allows a company to avoid enforcement action entirely
under Section 5 of the FTC Act.
Which data categories are included in all state data breach notification laws in the United States?
(Select all that apply)
Question 8 options:
First name only.
First initial and last name in combination with: social security number, driver's license, state ID
number, or account number.
First name and last name in combination with: social security number, driver's license, state ID
number, or account number.
Last name in combination with: social security number, driver's license, state ID number, or
account number.
Do any state breach notification laws require notice of the breach of encrypted information?
Question 9 options:
No, provided that PII data was not stolen.
No, provided that the encryption key was not accessed.
Yes, regardless of whether the encryption key was accessed.
Yes, regardless of whether PII data was stolen.
Some states only require notification as expediently as possible and without unreasonable delay,
while some require notification within a specified period after discovering a
breach. The shortest time frame is 30 days (Colorado and Florida).
Question 10 options:
What information must breach notifications include, per state breach notice laws?
Question 11 options:
The requirements vary by state, and can include contact information for the company, a general
description of the breach, the categories of personal information compromised, the date of the
breach, contact information for regulators, advice to remain vigilant about breaches, and
information about identity theft protection services.
The requirements are company name and contact information for regulators.
The requirements are the same across the board due to states' collaboration on the FTC Act.
Assume a company is based in New York and only has offices in New York, but has customers
in all 50 states and the District of Columbia. The company has a breach. Which breach
notification laws apply?
Question 12 options:
Only the New York breach notice laws apply, as the company is based in New York.
All 51 breach notice laws apply, as the requirements are based on the location of the data
subjects.
If a company has a data breach, is it only required to notify consumers?
Question 13 options:
It depends on the data type of those consumers.
It depends on the state. Many states require notification of credit bureaus and state regulators,
provided that the number of notified individuals reaches a certain threshold.
Yes.
No.
What are the penalties for violating state breach notification laws?
Question 14 options:
Penalties for violating state breach notification laws are covered under Section 5 of the FTC
Act.
Penalties for state breach notification laws are covered under the Computer Fraud and Abuse Act
(CFAA).
It varies by state. In some states, the only remedy is an enforcement action by the state attorney
general, while other states allow individuals to bring private lawsuits.
There are no penalties.
Which state has the most detailed general data security law?
Question 15 options:
Ohio.
South Dakota.
Massachusetts.
New York.
What are the three elements required to establish Article III Standing? (Select all that apply)
Question 16 options:
Fairly traceable to the defendant's unlawful conduct.
Redressable via the lawsuit.
Injury in fact.
Vaguely traceable to the defendant's unlawful conduct.