Quiz 01L — Cyber Incident Reporting: Multi-Framework Comparison | LawZeee

Question 1

CIRCIA's ransomware payment reporting deadline is the tightest cybersecurity reporting clock in U.S. law. How long does a covered entity have to report a ransom payment to CISA?

A72 hours from the paymentB36 hours from the paymentC24 hours from the paymentD4 business days from the payment

Question 2

A publicly traded hospital chain suffers a ransomware attack affecting patient PHI and causing material disruption to operations. Which of the following clocks does NOT apply to this scenario?

ACIRCIA 72-hour incident report to CISABSEC 8-K disclosure within 4 business days of materiality determinationCHIPAA 60-day breach notification to HHS and affected individualsDDORA 4-hour exceptional incident report to the financial supervisor

Question 3

What is the defining feature of CIRCIA's safe harbor that distinguishes it from all other U.S. incident reporting frameworks?

ACIRCIA reports are automatically shared with Congress for oversightBCIRCIA reports are protected from FOIA disclosure and cannot be used by federal agencies as a basis for regulatory enforcement action against the reporting entityCCIRCIA reports can be used in civil litigation against the reporting entity but not in criminal proceedingsDCIRCIA provides a safe harbor only for the first incident report; supplemental reports receive no protection

Question 4

Under the SEC's cybersecurity disclosure rule (adopted July 2023, effective December 18, 2023), when does the 4-business-day clock for Form 8-K disclosure begin to run?

AFrom the moment the company first detects anomalous activity on its networkBFrom the moment the company confirms unauthorized access has occurredCFrom when the company determines that a cybersecurity incident is "material"DFrom when the company receives a ransom demand

Question 5

NIS2 establishes a three-stage reporting structure for significant incidents. Which stage requires a 24-hour early warning to the national competent authority or CSIRT?

AStage 3 — Final reportBStage 2 — Full incident notificationCStage 1 — Early warningDThere is no 24-hour stage; all NIS2 notifications are due within 72 hours

Question 6

Under DORA, which incident classification triggers the tightest reporting deadline of 4 hours from classification?

AMajor ICT incidentsBStandard operational disruptionsCExceptional ICT incidentsDSystemic incidents affecting multiple EU member states

Question 7

The FRB/OCC/FDIC joint banking notification rule requires U.S. banking organizations to report "notification incidents" to their primary federal regulator within what timeframe?

A24 hours of discoveryB36 hours of determining a notification incident occurredC72 hours of discoveryD4 business days of determining the incident is material

Question 8

California's amended breach notification law (Civil Code § 1798.82), effective January 1, 2026, requires companies to notify affected California residents within how many days of discovering a breach?

A72 hoursB7 daysC30 daysD60 days

Question 9

Under GDPR Article 33, when a personal data breach occurs, the data controller must notify the supervisory authority within 72 hours. The clock starts from which moment?

AWhen the data subject first complains about unauthorized use of their dataBWhen forensic analysis confirms the cause of the breachCWhen the controller becomes "aware" of the breachDWhen the controller determines the breach is "material" under applicable securities law

Question 10

A practitioner advising a client that is simultaneously subject to CIRCIA, the SEC 8-K rule, and HIPAA receives notice of a confirmed ransomware attack at 9:00 AM Monday. Ordering obligations strictly by deadline, which clock must be satisfied first?

AHIPAA 60-day notification to HHSBSEC 8-K disclosure (4 business days from materiality determination)CCIRCIA ransomware payment report (24 hours from payment, if a payment is made)DCIRCIA covered incident report (72 hours from reasonable belief)