Cybersecurity laws are a framework of regulations and statutes designed to protect digital information, networks, and systems from cyber threats, unauthorized access, and data breaches. These laws aim to safeguard individuals’ privacy, ensure data integrity, and promote national security in an increasingly interconnected digital world.
At their core, cybersecurity laws address key areas such as data protection, cybercrime prevention, and incident response. For instance, they mandate organizations to implement robust security measures, report breaches promptly, and obtain user consent for data handling. Examples include the General Data Protection Regulation (GDPR) in the European Union, which enforces strict rules on personal data processing, and the California Consumer Privacy Act (CCPA) in the United States, which grants consumers rights over their data.
Globally, these laws vary by region but often align with international standards like those from the International Organization for Standardization (ISO). They impose penalties for non-compliance, such as fines or legal action, to encourage proactive defense against threats like hacking, ransomware, and identity theft. Ultimately, cybersecurity laws evolve with technology to balance innovation, privacy, and security in the digital age.
Table of contents
- Part 1: OnlineExamMaker AI quiz generator – The easiest way to make quizzes online
- Part 2: 20 cybersecurity laws quiz questions & answers
- Part 3: Automatically generate quiz questions using AI Question Generator
Part 1: OnlineExamMaker AI quiz generator – The easiest way to make quizzes online
Are you looking for an online assessment to test the cybersecurity laws knowledge of your learners? OnlineExamMaker uses artificial intelligence to help quiz organizers create, manage, and analyze exams or tests automatically. Apart from AI features, OnlineExamMaker offers advanced security features such as a full-screen lockdown browser, online webcam proctoring, and face ID recognition.
Take a product tour of OnlineExamMaker:
● Includes a safe exam browser (lockdown mode), webcam and screen recording, live monitoring, and chat oversight to prevent cheating.
● AI Exam Grader for efficiently grading quizzes and assignments, offering inline comments, automatic scoring, and “fudge points” for manual adjustments.
● Embed quizzes on websites, blogs, or share via email, social media (Facebook, Twitter), or direct links.
● Handles large-scale testing (thousands of exams/semester) without internet dependency, backed by cloud infrastructure.
Automatically generate questions using AI
Part 2: 20 cybersecurity laws quiz questions & answers
1. What is the primary purpose of the General Data Protection Regulation (GDPR)?
A. To regulate financial transactions
B. To protect the personal data of EU citizens
C. To enforce copyright laws online
D. To standardize global cybersecurity protocols
Answer: B
Explanation: GDPR aims to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying regulations within the EU.
2. Which law primarily governs the security and privacy of health information in the United States?
A. PCI DSS
B. HIPAA
C. FISMA
D. SOX
Answer: B
Explanation: HIPAA sets national standards to protect individuals’ medical records and other personal health information.
3. What does PCI DSS stand for, and what is its main focus?
A. Payment Card Industry Data Security Standard, focused on credit card data protection
B. Public Cybersecurity Information Data System, focused on government networks
C. Personal Computer Interface Data Security Standard, focused on device encryption
D. Private Corporate Information Data Sharing Standard, focused on internal data exchange
Answer: A
Explanation: PCI DSS is a set of security standards designed to ensure that companies that handle credit card information maintain a secure environment.
4. Under the California Consumer Privacy Act (CCPA), what right do consumers have regarding their personal data?
A. The right to sell data to third parties
B. The right to know what personal information is being collected
C. The right to unlimited data storage
D. The right to ignore data breach notifications
Answer: B
Explanation: CCPA grants consumers the right to access and know the categories of personal information a business has collected about them.
5. What is the Computer Fraud and Abuse Act (CFAA) primarily used for?
A. Regulating email marketing practices
B. Prosecuting unauthorized access to computer systems
C. Enforcing software patent laws
D. Managing corporate cybersecurity training
Answer: B
Explanation: CFAA is a U.S. federal law that prohibits unauthorized access to computers and networks, often used in cases of hacking and cyber intrusions.
6. Which act requires U.S. federal agencies to develop, document, and implement an information security program?
A. GDPR
B. FISMA
C. HIPAA
D. CCPA
Answer: B
Explanation: FISMA mandates that federal agencies protect their information and information systems from security risks.
7. The Sarbanes-Oxley Act (SOX) is most directly related to which aspect of cybersecurity?
A. Protecting patient health records
B. Ensuring accurate financial reporting and data integrity
C. Regulating online advertising
D. Enforcing data encryption standards
Answer: B
Explanation: SOX requires companies to establish internal controls for financial data, which includes cybersecurity measures to prevent data tampering.
8. What is a key requirement under the EU’s Network and Information Systems Directive (NIS Directive)?
A. Mandatory reporting of significant cyber incidents by essential service operators
B. Free distribution of antivirus software
C. Annual employee cybersecurity training for all businesses
D. Prohibition of all online data sharing
Answer: A
Explanation: The NIS Directive obliges operators of essential services and digital service providers to report major security incidents to improve the EU’s overall cybersecurity posture.
9. Under data breach notification laws like those in the U.S., when must a company notify affected individuals?
A. Only if the breach involves financial loss
B. Without unreasonable delay, typically within a specified timeframe
C. After consulting with international regulators
D. Once per year during annual reports
Answer: B
Explanation: Laws such as those under HIPAA and state regulations require prompt notification to minimize harm from data breaches.
10. What does the principle of “data minimization” under GDPR require?
A. Collecting as much data as possible for analysis
B. Limiting the collection of personal data to what is necessary
C. Storing data indefinitely for future use
D. Sharing data freely with partners
Answer: B
Explanation: Data minimization ensures that only the data absolutely necessary for a specified purpose is processed, reducing risks.
11. Which organization enforces the Electronic Communications Privacy Act (ECPA) in the U.S.?
A. Federal Trade Commission (FTC)
B. Department of Justice
C. World Health Organization
D. European Union
Answer: B
Explanation: ECPA, which protects electronic communications, is primarily enforced by the Department of Justice through legal proceedings.
12. What is a potential penalty for non-compliance with PCI DSS?
A. Fines from credit card companies and loss of payment processing abilities
B. Mandatory closure of the business
C. Free cybersecurity audits for competitors
D. Unlimited data access for customers
Answer: A
Explanation: Non-compliance can lead to financial penalties and restrictions on handling cardholder data by payment networks.
13. Under the Cybersecurity Information Sharing Act (CISA), what is encouraged?
A. Sharing of cyber threat information between private entities and the government
B. Public disclosure of all company vulnerabilities
C. Selling cybersecurity data on the open market
D. Limiting information sharing to international allies
Answer: A
Explanation: CISA promotes voluntary sharing of cybersecurity threats to enhance collective defense against cyber attacks.
14. Which law addresses the protection of critical infrastructure in the U.S.?
A. HIPAA
B. The Homeland Security Act
C. GDPR
D. PCI DSS
Answer: B
Explanation: The Homeland Security Act establishes frameworks for protecting national critical infrastructure from cyber threats.
15. What is the main goal of the Budapest Convention on Cybercrime?
A. To standardize global internet speeds
B. To harmonize national laws for investigating cybercrimes
C. To regulate social media content
D. To promote free software distribution
Answer: B
Explanation: The Budapest Convention provides a framework for countries to cooperate on cybercrime investigations and prosecutions.
16. Under HIPAA, what must covered entities do to ensure data security?
A. Conduct regular risk assessments and implement safeguards
B. Share all patient data with researchers
C. Use only paper-based records
D. Ignore encryption for cost-saving
Answer: A
Explanation: HIPAA requires covered entities to perform risk assessments and apply administrative, physical, and technical safeguards.
17. What does the Federal Trade Commission Act imply for cybersecurity?
A. Businesses must maintain reasonable security to avoid unfair practices
B. All data must be encrypted at all times
C. Companies are exempt from breach notifications
D. Only large corporations need to comply
Answer: A
Explanation: The FTC uses the Act to hold companies accountable for deceptive practices, including inadequate cybersecurity measures.
18. In the context of international data transfers, what mechanism does GDPR provide?
A. Standard Contractual Clauses for safe data transfer to non-EU countries
B. Unlimited data export without restrictions
C. Requiring all data to stay within the EU
D. Annual fees for data exports
Answer: A
Explanation: Standard Contractual Clauses allow for secure data transfers outside the EU while ensuring compliance with GDPR.
19. What is a common requirement under various cybersecurity laws for handling ransomware attacks?
A. Reporting the incident to authorities if it involves data encryption
B. Paying the ransom to resolve the issue quickly
C. Keeping the attack confidential
D. Deleting all affected data immediately
Answer: A
Explanation: Laws like the NIS Directive and U.S. regulations often mandate reporting ransomware incidents to enable investigations.
20. Which act in the U.S. addresses the security of government information systems?
A. CCPA
B. FISMA
C. SOX
D. GDPR
Answer: B
Explanation: FISMA specifically applies to federal agencies, requiring them to implement cybersecurity programs for information systems.
Part 3: Automatically generate quiz questions using OnlineExamMaker AI Question Generator
Automatically generate questions using AI