Quiz 1G — Emerging Issues in Cybersecurity Law | LawZeee — Know Your Cyber Laws Before You Break It

Question 1

The U.S. Vulnerabilities Equities Process (VEP) is best described as:

AA statutory requirement under CFAA for companies to disclose discovered vulnerabilities within 90 daysBA federal regulatory program administered by CISA requiring all critical infrastructure to disclose vulnerabilitiesCAn interagency policy process (not a statutory requirement) for deciding whether the government should disclose discovered vulnerabilities to vendors or retain them for offensive/intelligence useDA criminal statute prohibiting the sale of zero-day vulnerabilities to foreign governments

Question 2

A ransomware group encrypted an energy company's control systems. The company's legal team is considering authorizing payment of the $5M ransom demand. Before approving payment, counsel's FIRST legal obligation is to:

ANotify the FBI of the attackBScreen the ransomware group against OFAC's SDN list — payment to a designated group is a civil violation regardless of intentCObtain a court order authorizing the paymentDFile a SAR with FinCEN before making any payment

Question 3

CISA Binding Operational Directive 20-01 requires what from federal civilian executive branch agencies?

AMandatory incident reporting within 72 hours of detecting a significant cybersecurity eventBDevelopment and publication of a Vulnerability Disclosure Policy (VDP) covering all internet-accessible systemsCImplementation of multi-factor authentication on all federal systems within 60 daysDQuarterly security audits and public disclosure of findings

Question 4

DOJ's 2022 CFAA charging policy announced that prosecutors should not charge which category of conduct?

AAll security research conducted by U.S. citizensBAny access to publicly available data, even without authorizationCGood-faith security research conducted in a manner designed to avoid harm and used to promote securityDPenetration testing conducted by federally licensed security firms

Question 5

OFAC's civil penalty standard for making a ransomware payment to a designated group is:

ASpecific intent — the victim must have knowingly paid a designated group to be liableBNegligence — the victim must have failed to take reasonable steps to identify the groupCStrict liability — intent is not required; the payment itself is the violationDRecklessness — the victim must have disregarded a substantial and unjustifiable risk

Question 6

What is the primary cybersecurity concern about government-mandated "lawful access" mechanisms (sometimes called backdoors) in encryption systems, as identified by the security research community?

ABackdoors increase the cost of encryption implementation for companiesBBackdoors are technically incompatible with strong security — an access mechanism usable by law enforcement is also a vulnerability exploitable by adversariesCBackdoors would violate First Amendment rightsDBackdoors would require Congressional authorization that has never been provided

Question 7

The Apple-UK Technical Capability Notice dispute (2025-2026) illustrates which tension in the encryption debate?

AThe conflict between U.S. and UK law enforcement agencies over jurisdictionBThe collision between government investigatory powers (UK's IPA technical capability notices), platform security design, and global user impact — including disputes about secret legal orders that cannot be transparently challengedCApple's refusal to cooperate with any government surveillanceDA dispute about whether UK law applies to U.S. technology companies

Question 8

Under the CLOUD Act, U.S. service providers must comply with valid U.S. legal process for data stored abroad. The Act also creates what mechanism to reduce international legal conflicts?

AA unified international warrant system replacing MLAT requestsBExecutive agreements between the U.S. and foreign governments allowing direct law enforcement access to data held by each other's providers — bypassing MLAT for covered request typesCA mandatory 24-hour disclosure window for all cross-border evidence requestsDA treaty requiring U.S. providers to store data locally in each country where they operate

Question 9

A security researcher discovers a critical vulnerability in a major bank's mobile app. The bank has no published VDP and has not authorized any security research. Under the post-Van Buren + DOJ good-faith research policy framework, what is the researcher's most legally protected course of action?

AImmediately publish the vulnerability publicly to maximize the pressure on the bank to fix itBSell the vulnerability to a government broker through legitimate channelsCContact the bank's security team directly with a clear disclosure, avoid accessing more of the system than needed to document the vulnerability, give reasonable time to remediate, and document everything — while acknowledging residual CFAA civil exposure exists absent formal authorizationDReport the vulnerability directly to the FBI to protect against CFAA prosecution

Question 10

CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) will, when fully implemented, require covered entities to report ransomware payments within how many hours?

A72 hoursB48 hoursC24 hoursD12 hours